Entry | Needham–Schroeder protocol |
Definition |
The Needham–Schroeder protocol is one of the two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder.[1] These are:
The symmetric protocol

Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In the communication:

The protocol can be specified as follows in security protocol notation:

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

The server generates and sends back to Alice a copy encrypted under for Alice to forward to Bob and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures Alice that the message is fresh and that the server is replying to that particular message, and the inclusion of Bob's name tells Alice who she is to share this key with.

Alice forwards the key to Bob, who can decrypt it with the key he shares with the server, thus authenticating the data.

Bob sends Alice a nonce encrypted under to show that he has the key.

Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that she is still alive and that she holds the key.

Attacks on the protocol

The protocol is vulnerable to a replay attack (as identified by Denning and Sacco[2]). If an attacker uses an older, compromised value for KAB, he can then replay the message to Bob, who will accept it, being unable to tell that the key is not fresh.

Fixing the attack

This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below.[3] At the beginning of the protocol:

Alice sends to Bob a request.

Bob responds with a nonce encrypted under his key with the Server.

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob. Note the inclusion of the nonce.

The protocol then continues through the final three steps as described in the original protocol above. Note that is a different nonce from . The inclusion of this new nonce prevents the replaying of a compromised version of since such a message would need to be of the form which the attacker can't forge since she does not have .
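The replay weakness and the nonce-based fix described above, as a symbolic model (an added example, not part of the original article). The ticket layouts, the `seal`/`unseal` stand-in for encryption, and all function and class names are assumptions made for illustration.

```python
import secrets

def seal(key, *fields):
    """Symbolic encryption (assumption): only a holder of `key` can open the box."""
    return (key, fields)

def unseal(key, box):
    if box[0] != key:
        raise ValueError("wrong key")
    return box[1]

def server_ticket(k_bs, initiator, bob_challenge=None):
    """Trusted server S: mint K_AB and the ticket that Alice forwards to Bob."""
    k_ab = secrets.token_hex(16)
    if bob_challenge is None:                    # original protocol
        return k_ab, seal(k_bs, k_ab, initiator)
    _, nonce = unseal(k_bs, bob_challenge)       # fixed protocol: copy Bob's nonce
    return k_ab, seal(k_bs, k_ab, initiator, nonce)

class Bob:
    def __init__(self, k_bs):
        self.k_bs, self.pending = k_bs, set()    # pending: nonces issued, unused
    def challenge(self, initiator):
        """Fixed protocol: answer Alice's request with a fresh nonce under K_BS."""
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return seal(self.k_bs, initiator, nonce)
    def accept_original(self, ticket):
        return unseal(self.k_bs, ticket)[0]      # K_AB, with no freshness evidence
    def accept_fixed(self, ticket):
        k_ab, _, nonce = unseal(self.k_bs, ticket)
        if nonce not in self.pending:            # never issued, or already used
            raise ValueError("stale ticket rejected")
        self.pending.remove(nonce)
        return k_ab

def replay_outcomes():
    """Return (original accepts an old ticket, fixed accepts a reused ticket)."""
    k_bs = secrets.token_hex(16)
    bob = Bob(k_bs)
    old_key, old_ticket = server_ticket(k_bs, "A")   # constructed: an earlier run
    original = bob.accept_original(old_ticket) == old_key
    _, ticket = server_ticket(k_bs, "A", bob.challenge("A"))
    bob.accept_fixed(ticket)                     # legitimate first presentation
    try:
        bob.accept_fixed(ticket)                 # the same ticket presented again
    except ValueError:
        return original, False
    return original, True
```

In the original form Bob has nothing to compare the ticket against, so acceptance depends only on the ticket decrypting under his key; in the fixed form acceptance is tied to state Bob created himself.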
The public-key protocol

This assumes the use of a public-key encryption algorithm. Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These keys are:

The protocol runs as follows:

1. A requests B's public keys from S.
2. S responds with public key KPB alongside B's identity, signed by the server for authentication purposes.
3. A chooses a random NA and sends it to B.
4. B now knows A wants to communicate, so B requests A's public keys.
5. Server responds.
6. B chooses a random NB, and sends it to A along with NA to prove ability to decrypt with KSB.
7. A confirms NB to B, to prove ability to decrypt with KSA.

At the end of the protocol, A and B know each other's identities, and know both NA and NB. These nonces are not known to eavesdroppers.

An attack on the protocol

Unfortunately, this protocol is vulnerable to a man-in-the-middle attack. If an impostor can persuade to initiate a session with him, he can relay the messages to and convince that he is communicating with . Ignoring the traffic to and from S, which is unchanged, the attack runs as follows:

1. A sends NA to I, who decrypts the message with KSI.
2. I relays the message to B, pretending that A is communicating.
3. B sends NB.
4. I relays it to A.
5. A decrypts NB and confirms it to I, who learns it.
6. I re-encrypts NB, and convinces B that he's decrypted it.

At the end of the attack, B falsely believes that A is communicating with him, and that NA and NB are known only to A and B.

Fixing the man-in-the-middle attack

The attack was first described in a 1995 paper by Gavin Lowe.[4] The paper also describes a fixed version of the scheme, referred to as the Needham–Schroeder–Lowe protocol. The fix involves the modification of message six to include the responder's identity, that is, we replace: with the fixed version: and the intruder cannot successfully replay the message because A is expecting a message containing the identity of I whereas the message will have identity of B.
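The relay described above and the effect of Lowe's change to message six, as a symbolic model (an added example, not part of the original article). The message layouts (A's identity carried inside message three, the field order in message six), the `pk_enc`/`pk_dec` stand-in for public-key encryption, and the function names are assumptions; traffic with S is omitted, as in the article's description.

```python
import secrets

def pk_enc(owner, *fields):
    """Symbolic public-key encryption (assumption): only `owner` can decrypt."""
    return (owner, fields)

def pk_dec(owner, box):
    if box[0] != owner:
        raise PermissionError("not the key owner")
    return box[1]

def initiator_confirm(peer, n_a, msg6, lowe):
    """A processes message six from the party it believes is `peer`
    and returns message seven, or raises if a check fails."""
    fields = pk_dec("A", msg6)
    if fields[0] != n_a:
        raise ValueError("nonce mismatch")
    if lowe and fields[2] != peer:               # the check Lowe's fix adds
        raise ValueError("message six names a different responder")
    return pk_enc(peer, fields[1])

def relay_fools_b(lowe):
    """A opens a session with I, and I relays it to B.
    Returns True if B ends up accepting the run as a session with A."""
    n_a, n_b = secrets.token_hex(8), secrets.token_hex(8)
    msg3 = pk_enc("I", n_a, "A")                 # A -> I
    relayed = pk_enc("B", *pk_dec("I", msg3))    # I re-encrypts for B
    got_na, claimed = pk_dec("B", relayed)       # B reads NA and the claimed sender
    msg6 = pk_enc(claimed, got_na, n_b, *(["B"] if lowe else []))
    try:
        msg7 = initiator_confirm("I", n_a, msg6, lowe)   # I forwards msg6 unchanged
    except ValueError:
        return False                             # A aborts, NB is never disclosed
    learned = pk_dec("I", msg7)[0]               # I learns NB from A's confirmation
    return claimed == "A" and pk_dec("B", pk_enc("B", learned))[0] == n_b
```

With `lowe=False` the run completes and B accepts; with `lowe=True` A stops at message six because the identity inside it is B's while A's session is with I.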
References

1. Needham, Roger; Schroeder, Michael (December 1978). "Using encryption for authentication in large networks of computers". Communications of the ACM. 21 (12): 993–999. doi:10.1145/359657.359659. CiteSeerX 10.1.1.357.4298.
2. Denning, Dorothy E.; Sacco, Giovanni Maria (1981). "Timestamps in key distribution protocols". Communications of the ACM. 24 (8): 533–535. doi:10.1145/358722.358740.
3. Needham, R. M.; Schroeder, M. D. (1987). "Authentication revisited". ACM SIGOPS Operating Systems Review. 21 (1): 7. doi:10.1145/24592.24593.
4. Lowe, Gavin (November 1995). "An attack on the Needham-Schroeder public key authentication protocol". Information Processing Letters. 56 (3): 131–136. doi:10.1016/0020-0190(95)00144-2. CiteSeerX 10.1.1.394.6094. http://web.comlab.ox.ac.uk/oucl/work/gavin.lowe/Security/Papers/NSPKP.ps (accessed 2008-04-17).

External links

Roger Needham and Michael Schroeder (1978). "Needham-Schroeder Public Key". Laboratoire Spécification et Vérification. http://www.lsv.fr/Software/spore/nspk.html
Roger Needham and Michael Schroeder (1978). "Needham Schroeder Symmetric Key". Laboratoire Spécification et Vérification. http://www.lsv.fr/Software/spore/nssk.html
Gavin Lowe (1995). "Lowe's fixed version of Needham-Schroder Public Key". Laboratoire Spécification et Vérification. http://www.lsv.fr/Software/spore/nspkLowe.html |