Needham Schroeder

We now introduce a simplified version of the original symmetric key Needham-Schroeder protocol, which uses nonces and explicit identities for the sender and the recipient.

Knowledge: A:[s, KAS, A, B, NA], B:[KBS, A, B], S:[A, B, E, KAS, KBS, KES, K] E:[A, B, NE, KES, fake]
Steps:

A -> S: A, B, #NA
S -> A: {#NA, #K, B, {K, A}KBS}KAS
A -> B: {K, A}KBS, {#s}K

This protocol should resist against confidentiality attacks (i.e., E should not be able to learn the current session secret). However, this protocol is still vulnerable against integrity attacks (i.e., E is still able to send a fake message spoofing A).

A

Knows: s, KAS, A, B, NA

B

Knows: A, B, KBS

S

Knows: KES, KAS, KBS, A, B, E

E

Knows: E, A, B, NE, fake, KES

Network stack

Commands

Attacks

Can you find a sequence of commands such that E knows the session secret?
You can try all the attacks covered so far.

It should not be possible for E to know the session secret.

Can you find a sequence of commands such that B knows fake?

Are the conditions for the previous attack still there?
new_session(); transmit(0); transmit(1); intercept(2); new_session(); compromise(K_0); encrypt(fake, K_0); inject(A->B:{K_0, A}KBS, {fake}K_0); transmit(4);

Last modified February 16, 2020