Otway-Rees protocol
Encyclopedia
The Otway–Rees protocol is a computer network
authentication
protocol
designed for use on insecure networks (eg. the Internet
). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping
or replay attack
s and allowing for the detection of modification.
The protocol can be specified as follows in security protocol notation
, where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are nonce
s):
Note: The above steps do not authenticate B to A.
One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key
. The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key 
, subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with 
instead of 
.
Another problem is that although the server tells B that A used a nonce, B doesn't know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
protocol
Communications protocol
A communications protocol is a system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications...
designed for use on insecure networks (eg. the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping
Eavesdropping
Eavesdropping is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary...
or replay attack
Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet...
s and allowing for the detection of modification.
The protocol can be specified as follows in security protocol notation
Security protocol notation
In cryptography, security protocol notation is a way of expressing a protocol of correspondence between entities of a dynamic system, such as a computer network...
, where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are nonce
Cryptographic nonce
In security engineering, nonce is an arbitrary number used only once to sign a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused...
s):
Note: The above steps do not authenticate B to A.
Attacks on the protocol
There are a variety of attacks on this protocol currently published.One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key
. The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key , subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with instead of .Another problem is that although the server tells B that A used a nonce, B doesn't know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.
See also
- Kerberos (protocol)
- Needham–Schroeder protocol
- Yahalom (protocol)Yahalom (protocol)Yahalom is an authentication and secure key-sharing protocol designed for use on an insecure network such as the Internet. Yahalom uses a trusted arbitrator to distribute a shared key between two people...
- Wide Mouth Frog protocolWide Mouth Frog protocolThe Wide-Mouth Frog protocol is a computer network authentication protocol designed for use on insecure networks . It allows individuals communicating over a network to prove their identity to each other while also preventing eavesdropping or replay attacks, and provides for detection of...