R.M. Needham & M.D. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1., 1981.
....by using a secret key and then transmit it to the destination entities which know the key. Public key systems [2] are familiar in the secure communication among two entities. If the secret key is neither hidden nor inferred, the secrecy and the authenticity of secure communication are held. [12, 13] discuss how to distribute the secret key to only entities which would like to have secure communication by using a public key system and one-to-one communication. In the networks like local area networks (LANs) broadcast communication is provided by the media access control (MAC) layer [6] ....
Needham, R.M. and Schroeder, M.D., "Authentication Revisited," ACM Operating Systems Review, Vol.21, No.1, 1987, p.7.
....of the key by an undesired third party fully compromises the confidentiality of the system. Therefore, the keys used need to be distributed securely, either by courier or perhaps by use of a key distribution protocol, of which the best known is perhaps that proposed by Needham and Schroeder [NS78, NS87]. The widely used Data Encryption Standard (DES) algorithm, that has been standardized for use to protect unclassified civilian US Government information, is perhaps the best known symmetric encryption algorithm [NBS77]. A well known system that addresses insecure open networks as a part of a ....
....a serious scaling problem with current published multicast key management techniques. Finally, key management mechanisms described in the public literature have a long history of subtle flaws. There is ample evidence of this, even for well known techniques such as the Needham-Schroeder protocol [NS78, NS87]. In some cases, subtle flaws have only become known after formal methods techniques were used in an attempt to verify the protocol. Hence, it is highly desirable that key management mechanisms be kept separate from authentication or encryption mechanisms as much as is possible. For example, it is ....
Needham, R., and M. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, 1987.
.... number used to guarantee freshness of a response). Needham and Schroeder acknowledge this weakness in the protocol and introduce a minor modification inserting a timing mechanism into the protocol to prevent replay attacks in [NEED87]. In [OTWR87] Otway and Rees address the timing problem by slightly changing the sequence of messages and by including a session identifier in each message. Their protocol is given in Figure 1.2. Otway and Rees protect against replay attack by including a session identification value (C) in each ....
Needham, R.M. & Schroeder, M.D., "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, January 1987.
....problem is NP-hard. Cryptographic protocols are notoriously hard to design and their correctness is harder to prove (Simmons (1994)). Numerous cryptographic protocols have been published and later found to contain security flaws, see, e.g. Needham and Schroeder (1978), Denning and Sacco (1981), Needham and Schroeder (1987), Tatebayashi, Matsuzaki and Newman (1989), Simmons (1985), Meadows (1991), Moore (1988), Burrows, Abadi and Needham (1990). These often subtle failures do not require eroding the integrity of the underlying cryptoalgorithm and hence are weaknesses of the protocols. They clearly demonstrate the ....
Needham, R. and Schroeder, M. (1987) Authentication revisited, ACM Operating System Review, 21(1):7--7.
....protocol scenarios is presented. Section 4 discusses the inter-domain protocols and Section 5 concludes with auxiliary protocols. 2 Background and Preliminaries A number of schemes have been designed for authentication and key distribution services in distributed systems and networks, e.g. [Needham78, Denning81, Bauer83, Needham87, Otway87, Kehne92, Neuman93]. Some of these have led to notable implementations or standards, e.g. the Kerberos [Steiner88] and ANSI X9.17 [ISO8732] schemes, which use DES technology, or the ISO CCITT X.509 Directory Authentication scheme [ISO9594 8] which relies on public key technology. Kerberos is the basis for the ....
R. M. Needham, M. D. Schroeder, "Authentication revisited", ACM OSR 21 1 (Jan.87) 7.
....from B, then he can conclude that the transaction has been performed. Such goals can normally be achieved by cryptographic means (such as encryption and decryption algorithms) which in turn rely on secrets held by, and sometimes shared between, different entities [22]. As usual (e.g. [15, 16, 20]) we assume that A may work with many international brokers and B may work with many international clients so they would not necessarily possess a shared secret in advance, or even possess some information about each other's secrets (e.g. for verifying electronic signatures [19, 9]). In such ....
R.M.Needham, M.D.Schroeder: "Authentication Revisited ", ACM Operating Systems Vol. 21, No. 1, January 1987, p. 7.
....she may corrupt players. A second definitional element is the partner function. 2 Insofar as there were no formal statements of what this protocol was supposed to do, it is not entirely fair to call it buggy; but the authors themselves regarded the protocol as having a problem worthy of fixing [18]. Our protocol's starting point, a pseudorandom function family, exists if one-way functions exist [14, 11]. Exploiting techniques of [15] we show (Theorem 7) that the existence of a secure three-party session key distribution implies the existence of a one-way function, and so our assumption is ....
R. Needham and M. Schroeder, "Authentication revisited," Operating Systems Review, Vol. 21, No. 1, p. 7, January 1987.
....too. [Figure 1: Kerberos protocol.] The Kerberos protocol is based on key distribution protocols that were originally proposed by Needham and Schroeder (Needham and Schroeder, 1978) and later modified to include timestamps (Denning and Sacco, 1981 and Needham and Schroeder, 1987). The protocol is illustrated in figure 1; it can be summarized as follows: 1: C → AS: U, TGS 2: AS → C: T_{c,tgs}, {TGS, K, T_start, T_expire}K_u 3: C → TGS: S, T_{c,tgs}, A_{c,tgs} 4: TGS → C: T_{c,s}, {S, K′, T′_start, T′_expire}K 5: C → S: T_{c,s} ....
Needham, R.M., and Schroeder, M.D. (1987) Authentication Revisited. ACM Operating Systems Review 21(1), 7.
.... Work on this paper was done while the authors were at the U. S. Naval Research Laboratory. Daniel L. McDonald is now at Sun Microsystems, and Randall J. Atkinson is now at cisco Systems. Reprinted from the Proceedings of the INET 96 Conference, Internet Society, Reston, VA, June 1996. deployed [NS87]. This paper presents an environment which allows implementations of key management strategies to exist outside the operating system kernel, where they can be implemented, debugged, and updated in a safe environment. The Internet Protocol suite has gained popularity largely because of its ....
Needham, R. M. and Schroeder, M. D., "Authentication Revisited," Operating Systems Review, vol. 21, num. 1, 1987 p. 7.
.... 8 A less obvious risk is that a fake authentication server can always reply "no". This constitutes a denial of service attack. Defenses A server that wishes to rely on another host's idea of a user should use a more secure means of validation, such as the Needham-Schroeder algorithm [20][21][22]. TCP by itself is inadequate. 5. HERE BE DRAGONS Some protocols, while not inherently flawed, are nevertheless susceptible to abuse. A wise implementor would do well to take these problems into account when providing the service. 5.1 The Finger Service Many systems implement a finger ....
....level for more or less honest passers by, but will do little or nothing to deter anyone even slightly serious about gaining entry. Some form of cryptographic authentication is needed. There are several possible approaches. Perhaps the best known is the Needham-Schroeder algorithm [20][21][22]. It relies on each host sharing a key with an authentication server; a host wishing to establish a connection obtains a session key from the authentication server and passes a sealed version along to the destination. At the conclusion of the dialog, each side is convinced of the identity of the ....
Needham, R.M. and Schroeder, M.D. "Authentication Revisited", Operating Systems Review , vol. 21, no. 1, p. 7, January 1987.
....over the insecure network: how should session key information be distributed, and what transport mechanism should be used? The two questions are related. First, we assume that the Greyer server will not have keys for each possible destination; rather, it will use something like Needham-Schroeder [Need78, Denn81, Need87] or Kerberos [Stei88] to obtain a session key. It is therefore necessary to transmit this session key to the remote Greyer server. If TCP is used as the transport mechanism, the solution is obvious: send the session key at the start of each connection. If a key expires, the connection may be ....
R.M. Needham and M. Schroeder, "Authentication Revisited," Operating Systems Review 21(1), p. 7 (January 1987).
....machine. There are a number of ways that the Kuperee server can be employed, either as an authentication server or as a certification server, or both [9]. In this current work we first employ Kuperee specifically as an authentication server, mimicking the actions of the Needham-Schroeder protocol [10, 11] within the Kerberos authentication system [5, 7]. That is, Kuperee will be used to deliver a pair of session keys to the principals that require secure and authentic communications. This is then followed by the description of a protocol in which the public keys within Kuperee are used directly by ....
R. M. Needham and M. D. Schroeder, "Authentication revisited," Operating Systems Review, vol. 21, no. 1, p. 7, 1987.
....identities are verified, agree upon an encryption key, a session key, for later use (e.g. within a user session). Thus an authentication protocol is sometimes also called a key distribution protocol. Let us now examine a protocol that is similar to the Needham-Schroeder protocol [Needham 78, Needham 87] with messages packaged in the style of Otway-Rees [Otway 87]. Client A (or B) exclusively shares a secret key Ka (or Kb) with the trusted authentication server S. By executing the following protocol, A and B intend to establish a session key Kab. We use A → B : m to denote that A sends message ....
....nb, x_i}K_bi 6. B → A: {B, na, y_i}K_ai, {na}K_ab, nb 7. A → B: {nb}K_ab Each participant generates a nonce (ns_i for S_i, na for A, and nb for B) which is later included in encrypted messages (3 through 7) addressed to the participant so that the freshness of the messages can be established [Needham 87]. With messages 1 and 2, A obtains a nonce from each server. A chooses a candidate session key x and computes f_{t,n}(x, i) for each server S_i. Here f_{t,n}() is a threshold function [Kothari 84] that produces n shadows of x in such a way that it is easy to recover x from any t shadows, but less ....
R.M. Needham and M.D. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol.21, No.1, January, 1987, p.7.
....B, A, K1, B, Ts}Kbs 4. B → S: {B, S, B, K2, A, Tb}Kbs 5. S → A: {S, A, B, K2, A, Ts}Kas 6. B → A: {B, A, Tb}K 7. A → B: {A, B, Ta}K 3.7 Case 7: NB AO SO All cases from this point on are nonce based. We recall the principle that each party concerned with freshness needs to choose a nonce of its own [Needham 87]. Messages. Each client has to choose a nonce and send it out, and each expects to receive a message from the server containing its nonce as well as the temporary key; therefore four messages is a lower bound. A protocol in the style of the Otway-Rees protocol [Otway 87] (i.e. 2 nested RPCs) ....
R.M. Needham and M.D. Schroeder, "Authentication Revisited," ACM Operating Systems Review, Vol.21, No.1, January 1987, p.7.
....over a period of time, then he can begin an erroneous communication session by intercepting a message from a current run of the protocol and replaying the corresponding message from a previous secure protocol run for which he has compromised the key. Needham and Schroeder acknowledge this weakness [NEED87] in the protocol and introduce a minor modification inserting a timing mechanism into the protocol to prevent replay attacks. In [NEED78] Needham and Schroeder conclude, [cryptographic] protocols such as those developed here are prone to extremely subtle errors that are unlikely to be ....
Needham, R.M. & Schroeder, M.D., "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, January 1987.
....final position. However some modifications enable the derivation of the much improved final position that was originally intended by the protocol authors. 7.3 The Enhanced Needham-Schroeder Protocol Recently, Needham and Schroeder suggested the following modification to their original protocol [7]: 1. P → Q: P 2. Q → P: {P, N_q1}K_qs 3. P → S: P, Q, N_p, {P, N_q1}K_qs 4. S → P: {N_p, Q, K, {K, N_q1, P}K_qs}K_ps 5. P → Q: {K, N_q1, P}K_qs 6. Q → P: {N_q}K 7. P → Q: {N_q − 1}K Q believes his nonce N_q1 to be fresh. The difference between the two versions is that the enhanced ....
R.M. Needham and M.D. Schroeder, "Authentication Revisited", Operating Systems Review, Vol.21, No.1, p.7, January, 1987.
....even after A's key has been changed (1983) It is comforting that the logical analysis makes explicit the assumption. Clearly, the problem is that B has no interaction with S that starts with B's initiative. It is possible to rectify this by starting with B rather than A, and this was done by Needham and Schroeder (1987). The note by Needham and Schroeder was published adjacent to the paper by Otway and Rees. Perhaps for the lack of a calculus to describe these protocols, none of the people involved realized that the proposals were essentially the same. The only significant difference is that the second ....
Needham, R.M. & Schroeder, M.D. 1987 Authentication Revisited. Operating Systems Review Vol. 21, No. 1, p. 7.
....is fresh, and it was pointed out by Denning and Sacco that compromise of a session key could allow an intruder to deceive B [6]. Once the importance of freshness of K_ab is recognized, a solution may be found by using timestamps, as suggested by Denning and Sacco. In another solution, described in [23], B sends a nonce to S, and then S includes it in its certificate. 2 Example 9.2 In [31] Varadharajan, Allen, and Black present several protocols for delegation in distributed systems. We take as an example the one for delegation in a Kerberos environment [31, p. 273]. In this protocol, client ....
R.M. Needham and M.D. Schroeder. "Authentication Revisited". Operating Systems Review Vol. 21, No. 1, January 1987, p. 7.
....of the system that is in a position to react (as, for example, ATMs do [MasterCard 82]) to an excessive number of tries, notice wrong guesses, log them, and raise an alarm. 1 To illustrate applications of our techniques, we construct Needham-Schroeder style authentication protocols [Needham 78, Needham 87] in which any guessing attack must involve interaction with the authentication server and is thus open to detection by the server. We first give a protocol similar to that in the earlier paper [Lomas 89] that protocol was originally chosen for ease of discussion rather than for actual use. we ....
....values of the secret using off-line calculations. A system is totally secure against such attacks only if t = 1/n. 4 Protection Techniques To introduce the basic techniques, we first examine a simple two-message handshake transaction, which is often found in existing protocols [Needham 78, Needham 87, Voydock 83]. This pair of messages may be considered two ways: as a message and its checksum or a single message with sufficient redundancy known to the attacker. In practice techniques such as checksums are often used to help guarantee message integrity; also the formats of messages are usually ....
R.M. Needham and M.D. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol.21, No.1, January, 1987, p.7.
No context found.
R.M. Needham & M.D. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1., 1981.
No context found.
R. M. Needham and M. D. Schroeder, "Authentication revisited," ACM Operating Systems Review, vol. 21, p. 7, Jan. 1987.
No context found.
Needham, R.M. & Schroeder, M.D., "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, January 1987.
No context found.
Needham, R.M. & Schroeder, M.D., "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, January 1987.
No context found.
Needham, R.M. & Schroeder, M.D., "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, January 1987.