Needham–Schroeder protocol

The Needham–Schroeder protocol is a protocol for secure data exchange in a decentralized network. It combines key exchange and authentication with the aim of establishing secure communication between two parties in a decentralized network. It was developed in 1978 by Roger Needham and Michael Schroeder at the Xerox Palo Alto Research Center (MIT). The security of the protocol rests on secure encryption algorithms with arbitrary keys that can be broken neither by cryptanalysis nor by exhaustive search; both symmetric and asymmetric algorithms are considered.

The variant of the Needham–Schroeder protocol based on asymmetric cryptography contained a flaw that was uncovered only 17 years later (1995) by Gavin Lowe, using computer-aided analysis. Lowe also described how the flaw can be fixed by adding one extra piece of information to one of the packets.

Needham–Schroeder protocol for symmetric encryption

This protocol variant requires that both A and B each share a secret key with the authentication server (AS):

  • a secret key between AS and A
  • a secret key between AS and B

By demonstrating possession of these keys, A and B authenticate themselves to their counterpart.

The protocol is initiated by A. In the first step (1), A sends an unencrypted message to the AS containing its own identity and that of the desired correspondent (A and B) together with a nonce. The nonce must never have been used by A before this point.

In the next step (2), the AS uses the secret keys of the two communication partners. It sends a response to A that is encrypted in its entirety with A's secret key. The response contains the nonce, to assure A that the reply is not a recorded message from a previous protocol run, which would force the use of an old key. Next, it contains the identity of B; this prevents the identity of B in the first message from being replaced by another identity without A's knowledge. Then follows the session key.

The last part consists of a block encrypted with B's secret key, which is itself nested inside the message encrypted for A. It again contains the session key and the identity of A. A is now in possession of the session key. In the third step (3), A forwards this inner block from the AS's response to B. Only B can decrypt it, and B thereby learns that A wants to communicate securely with it using the session key. At this point both B and A hold the session key to be used.

In addition, A knows that any message encrypted with the session key can only come from B, and that any message A encrypts with it can be read only by B. Both hold because the session key was only ever transported encrypted under the secret keys shared with the AS. For B, the same applies in the reverse direction. Furthermore, A knows that the session key has never been used before, since the nonce in the first two protocol steps prevents a replay attack. B does not yet have this assurance.

The message in step 3 could be a recorded message that forces B to reuse an old session key. To prevent this, there are two further protocol steps. Next, B sends A (4) its own nonce, encrypted with the session key, and in the last protocol step (5) A replies with a value derived from this nonce, again encrypted with the session key. Since the nonce has never been used before, only A can produce the correct reply, because only A knows the session key. B can now also assume that it is not subject to a replay attack.

  • (1) A → AS: A, B, nonce of A (unencrypted)
  • (2) AS → A: nonce of A, B, session key, and a block for B containing the session key and A (whole message encrypted with A's secret key; inner block encrypted with B's secret key)
  • (3) A → B: the inner block from (2) containing the session key and A (encrypted with B's secret key)
  • (4) B → A: nonce of B (encrypted with the session key)
  • (5) A → B: reply derived from B's nonce (encrypted with the session key)
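The five-step exchange above, written out as an added worked example in Python (this is not code from the original article). Both sides of the symmetric variant are implemented. The cipher (a SHA-256 keystream with an HMAC tag), the message field names and the key variable names such as K_AS are this example's own choices, and the reply in step (5) is taken to be N_B - 1 (an assumption; the page only says the reply is derived from B's nonce). The second run feeds A a recorded reply from an earlier run to show the nonce check in step (2) rejecting it.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated cipher (SHA-256 keystream + HMAC tag). It stands in for the
# "secure encryption algorithm" the protocol presumes; demonstration only.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, obj: dict) -> bytes:
    plain = json.dumps(obj).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, iv, len(plain))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct)))))

class AuthServer:
    """AS: holds one long-term secret key per principal (K_AS, K_BS)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def respond(self, msg1: dict) -> bytes:
        # (2) AS -> A: {N_A, B, K_AB, {K_AB, A}_K_BS}_K_AS
        a, b, n_a = msg1["from"], msg1["to"], msg1["nonce"]
        k_ab = secrets.token_hex(32)
        ticket = encrypt(self.keys[b], {"key": k_ab, "peer": a})  # only B can open this
        return encrypt(self.keys[a], {"nonce": n_a, "peer": b, "key": k_ab, "ticket": ticket.hex()})

class ReplayingServer(AuthServer):
    """Hands out the same recorded reply every time, to exercise A's nonce check."""
    def __init__(self, keys: dict):
        super().__init__(keys)
        self.recorded = None

    def respond(self, msg1: dict) -> bytes:
        if self.recorded is None:
            self.recorded = super().respond(msg1)
        return self.recorded

class Responder:
    """B: accepts the ticket (3), issues a nonce challenge (4), checks the reply (5)."""
    def __init__(self, name: str, k_bs: bytes):
        self.name, self.k_bs, self.k_ab, self.peer, self.n_b = name, k_bs, None, None, None

    def accept_ticket(self, ticket: bytes) -> bytes:
        body = decrypt(self.k_bs, ticket)                 # (3) A -> B: {K_AB, A}_K_BS
        self.k_ab, self.peer = bytes.fromhex(body["key"]), body["peer"]
        self.n_b = secrets.randbits(128)
        return encrypt(self.k_ab, {"nonce": self.n_b})   # (4) B -> A: {N_B}_K_AB

    def check_response(self, msg5: bytes) -> bool:
        body = decrypt(self.k_ab, msg5)                   # (5) A -> B: {N_B - 1}_K_AB
        return body["nonce_response"] == self.n_b - 1

def run_initiator(a: str, b: str, k_as: bytes, server: AuthServer, bob: Responder) -> bytes:
    """A's side of steps (1)-(5); returns the agreed session key or raises."""
    n_a = secrets.randbits(128)
    msg1 = {"from": a, "to": b, "nonce": n_a}            # (1) A -> AS, in the clear
    body = decrypt(k_as, server.respond(msg1))           # (2)
    if body["nonce"] != n_a:
        raise ValueError("nonce mismatch: message 2 is a replay of an old reply")
    if body["peer"] != b:
        raise ValueError("AS named a different partner than requested")
    k_ab = bytes.fromhex(body["key"])
    msg4 = bob.accept_ticket(bytes.fromhex(body["ticket"]))
    n_b = decrypt(k_ab, msg4)["nonce"]
    if not bob.check_response(encrypt(k_ab, {"nonce_response": n_b - 1})):
        raise ValueError("B rejected the nonce response")
    return k_ab

def demo() -> tuple:
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}  # constructed long-term keys
    k_ab = run_initiator("A", "B", keys["A"], AuthServer(keys), bob := Responder("B", keys["B"]))
    agreed = k_ab == bob.k_ab and bob.peer == "A"
    replaying = ReplayingServer(keys)
    run_initiator("A", "B", keys["A"], replaying, Responder("B", keys["B"]))  # records the reply
    try:
        run_initiator("A", "B", keys["A"], replaying, Responder("B", keys["B"]))
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return agreed, replay_rejected

if __name__ == "__main__":
    print(demo())  # (True, True): key agreed in the honest run, recorded reply rejected
```

The session key only ever travels inside messages encrypted under K_AS or K_BS, which is why `run_initiator` checks both the echoed nonce and the partner identity before trusting the key it extracts from message (2).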

Needham–Schroeder protocol for asymmetric encryption

The Needham–Schroeder protocol can also be modified to work with an asymmetric encryption method. Again a trusted entity T is required. It is assumed that Alice, Bob and any number of other partners know T's public key. T in turn holds the public keys of all participants (here, those of Alice and Bob).

Alice wants to establish secure communication with Bob. For this she needs Bob's public key in order to encrypt messages to him. Since this key could be substituted in a man-in-the-middle attack, the trusted third party T, which already knows the key, must be involved.

In the first step (1), Alice sends T an unencrypted message stating that she wants to talk to Bob.

T replies (2) with Bob's public key and signs the reply with its private key. This message can be verified with T's public key, i.e. by every partner who knows T. The message is not secret; it only has to ensure that the answer really originates from T and that no attacker can foist a forged key on Alice.

Now (3) Alice can send Bob a message encrypted with his public key that contains both a nonce and the sender's identity, Alice. However, Bob cannot know whether the message really comes from Alice, and Bob may not even know Alice's public key.

Bob uses the same procedure as Alice in steps (1) and (2) to obtain Alice's public key (steps (4) and (5)).

Now Bob responds to Alice by sending back her nonce with his own nonce appended (6); this message is encrypted with Alice's public key. Alice replies with Bob's nonce, encrypted with Bob's public key (7). These last two steps establish the freshness of the messages. Since only Alice can decrypt the message carrying her nonce and only Bob the one carrying his, both parties can be sure with whom they are communicating.

If an attacker gains access to one of the private keys of Alice, Bob or the trusted party T, the protocol is no longer secure, since depending on the stolen key the attacker can take over the corresponding role.

  • (1) A → T: request for Bob's public key (unencrypted)
  • (2) T → A: Bob's public key, signed by T
  • (3) A → B: nonce of A, A (encrypted with Bob's public key)
  • (4) B → T: request for Alice's public key (unencrypted)
  • (5) T → B: Alice's public key, signed by T
  • (6) B → A: nonce of A, nonce of B (encrypted with Alice's public key)
  • (7) A → B: nonce of B (encrypted with Bob's public key)
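The seven-step asymmetric exchange above, together with the fix Lowe described, as an added worked example in Python (not code from the original article). Lowe's analysis treated encryption symbolically, and this example does the same: `PubEnc` and `Signed` are this example's own stand-ins for public-key encryption and signatures, opaque records that only the holder of the matching private key can open or that verify only against their signer, with public keys represented by labels such as `pk_B`. The extra information Lowe added is the responder's identity in message (6), and `check_msg6` is the acceptance test A performs on it; the example shows an honest run succeeding and A rejecting a message (6) that names a responder other than the one it addressed in (3).

```python
from dataclasses import dataclass
import secrets

# Symbolic (Dolev-Yao style) stand-ins, an assumption of this example: a
# ciphertext is an opaque record that only the matching private key opens,
# and a signature is a record that verifies only against its signer.
@dataclass(frozen=True)
class PubEnc:
    key: str        # label of the public key used, e.g. "pk_B"
    payload: tuple

@dataclass(frozen=True)
class Signed:
    signer: str     # "T"
    payload: tuple

class TrustedT:
    """T knows every participant's public key and answers lookups with a signed reply."""
    def __init__(self, pubkeys: dict):
        self.pubkeys = pubkeys

    def lookup(self, wanted: str) -> Signed:              # (2) / (5): T -> requester
        return Signed("T", (wanted, self.pubkeys[wanted]))

class Principal:
    def __init__(self, name: str, private: set):
        self.name, self.private, self.peer_key = name, private, {}  # private: key labels this principal can open

    def decrypt(self, c: PubEnc) -> tuple:
        if c.key not in self.private:
            raise ValueError(f"{self.name} cannot decrypt a message for {c.key}")
        return c.payload

    def fetch_key(self, t: TrustedT, peer: str) -> None:   # (1)/(2) or (4)/(5)
        reply = t.lookup(peer)                              # unencrypted request for peer's key
        if reply.signer != "T":
            raise ValueError("reply is not signed by T")
        name, pk = reply.payload
        if name != peer:
            raise ValueError("T answered for a different principal")
        self.peer_key[peer] = pk

class Responder(Principal):
    def respond(self, t: TrustedT, msg3: PubEnc) -> PubEnc:
        n_a, claimed_sender = self.decrypt(msg3)          # (3) A -> B: {N_A, A}_pk_B
        self.fetch_key(t, claimed_sender)                  # (4)/(5): obtain the claimed sender's key
        self.n_b = secrets.randbits(64)
        # (6) B -> A: {N_A, N_B, B}_pk_A; the trailing B is Lowe's added identity field
        return PubEnc(self.peer_key[claimed_sender], (n_a, self.n_b, self.name))

    def finish(self, msg7: PubEnc) -> bool:
        (n_b,) = self.decrypt(msg7)                        # (7) A -> B: {N_B}_pk_B
        return n_b == self.n_b

def check_msg6(alice: Principal, n_a: int, expected_peer: str, msg6: PubEnc) -> int:
    """A's acceptance test for message (6); returns N_B or raises."""
    n_a_echo, n_b, responder = alice.decrypt(msg6)
    if n_a_echo != n_a:
        raise ValueError("nonce mismatch: message 6 does not answer this run")
    if responder != expected_peer:  # Lowe's check: the reply must name the partner A asked for
        raise ValueError(f"message 6 was produced by {responder}, not {expected_peer}")
    return n_b

def run(alice: Principal, bob: Responder, t: TrustedT) -> bool:
    alice.fetch_key(t, bob.name)                                    # (1)/(2)
    n_a = secrets.randbits(64)
    msg3 = PubEnc(alice.peer_key[bob.name], (n_a, alice.name))      # (3)
    msg6 = bob.respond(t, msg3)                                     # (4)-(6)
    n_b = check_msg6(alice, n_a, bob.name, msg6)
    return bob.finish(PubEnc(alice.peer_key[bob.name], (n_b,)))    # (7)

def demo() -> tuple:
    # Constructed key directory: labels only, no real key material in this model.
    t = TrustedT({"A": "pk_A", "B": "pk_B", "C": "pk_C"})
    alice, bob = Principal("A", {"pk_A"}), Responder("B", {"pk_B"})
    honest_ok = run(alice, bob, t)
    # A rejects a message (6) naming a responder other than the one it addressed in (3).
    try:
        check_msg6(alice, 42, "B", PubEnc("pk_A", (42, 7, "C")))
        wrong_responder_rejected = False
    except ValueError:
        wrong_responder_rejected = True
    return honest_ok, wrong_responder_rejected

if __name__ == "__main__":
    print(demo())  # (True, True)
```

Because the model is symbolic, what it checks is the protocol logic rather than any cipher: without the identity field and the comparison in `check_msg6`, A has no way to tell which responder produced message (6), which is precisely the gap Lowe's extra field closes.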

Problems and solutions

There is no guarantee that a session key cannot be broken. If it is, authentication is no longer ensured, because an attacker can undermine authenticity by replaying the third message, which carries the session key now known to him. This can be circumvented by integrating a timestamp into the messages (Otway–Rees method), which allows the recipient to decide whether a message is a replay or not. This approach presupposes synchronized clocks. It is used, for example, in the Kerberos network authentication protocol.
