Needham-Schroeder

Needham-Schroeder is a computer network authentication protocol designed for use on insecure networks (the Internet for example), invented by Roger Needham and Michael Schroeder (1978). It allows individuals communicating over a network to prove their identity to each other while also preventing evesdropping or replay attacks, and provides for detection of modification and the prevention of unauthorized reading.

Related Topics:
Computer network - Authentication - Protocol - Internet - Roger Needham - Michael Schroeder - Replay attack

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

The protocol can be specified as follows in security protocol notation, where Alice (A) is authenticating herself to Bob (B) using a server (S):

Related Topics:
Security protocol notation - Alice

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

A ightarrow S: A,B,N_A

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

:Alice tells the server she wants to communicate with Bob.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

S ightarrow A: {N_A, K_{AB}, B, {K_{AB}, A}_{K_{BS}}}_{K_{AS}}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

:The server generates {K_{AB}} and sends a copy encrypted under {K_{BS}} for Alice to forward to Bob and also a copy for Alice. The nonce assures Alice that the message is fresh.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

A ightarrow B: {K_{AB}, A}_{K_{BS}}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

:Alice forwards the key to Bob.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

B ightarrow A: {N_B}_{K_{AB}}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

:Bob sends Alice a nonce encrypted under {K_{AB}} to show that he has the key.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

A ightarrow B: {N_B-1}_{K_{AB}}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

:Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive and that she holds the key.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

This protocol is no longer considered secure as Bob does not know if the key is fresh. If someone obtains an old key they can perform a replay attack and convince Bob that the key they hold is Alice's current key.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~