03-06.html

Applied Cryptography

	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Applied Cryptography, Second Edition: Protocols,  Algorthms, and Source Code in C (cloth)</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Bruce Schneier
<BR>
ISBN: 0471128457
<BR>
Publication Date: 01/01/96
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471128457/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471128457//-->
<!--TITLE=APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C//-->
<!--AUTHOR=Bruce Schneier//-->
<!--PUBLISHER=Wiley Computer Publishing//-->
<!--CHAPTER=03//-->
<!--PAGES=059-061//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="03-05.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="03-07.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P>The major security hole in this protocol is that old session keys are valuable. If Mallory gets access to an old <I>K</I>, he can launch a successful attack [461]. All he has to do is record Alice&#146;s messages to Bob in step (3). Then, once he has <I>K</I>, he can pretend to be Alice:</P>
<DL>
<DD><B>(1)</B>&nbsp;&nbsp;Mallory sends Bob the following message:
<DL>
<DD><I>E</I><SUB>B</SUB>(<I>K,A</I>)
</DL>
<DD><B>(2)</B>&nbsp;&nbsp;Bob extracts <I>K</I>, generates <I>R</I><SUB>B</SUB>, and sends Alice:
<DL>
<DD><I>E</I><SUB>K</SUB>(<I>R</I><SUB>B</SUB>)
</DL>
<DD><B>(3)</B>&nbsp;&nbsp;Mallory intercepts the message, decrypts it with <I>K</I>, and sends Bob:
<DL>
<DD><I>E</I><SUB>K</SUB>(<I>R</I><SUB>B</SUB> - 1)
</DL>
<DD><B>(4)</B>&nbsp;&nbsp;Bob verifies that &#147;Alice&#146;s&#148; message is <I>R</I><SUB>B</SUB> - 1.
</DL>
<P>Now, Mallory has Bob convinced that he is Alice.
</P>
<P>A stronger protocol, using timestamps, can defeat this attack [461,456]. A time-stamp is added to Trent&#146;s message in step (2) encrypted with Bob&#146;s key: <I>E</I><SUB>B</SUB>(<I>K,A,T</I>). Timestamps require a secure and accurate system clock&#151;not a trivial problem in itself.</P>
<P>If the key Trent shares with Alice is ever compromised, the consequences are drastic. Mallory can use it to obtain session keys to talk with Bob (or anyone else he wishes to talk to). Even worse, Mallory can continue to do this even after Alice changes her key [90].</P>
<P>Needham and Schroeder attempted to correct these problems in a modified version of their protocol [1160]. Their new protocol is essentially the same as the Otway-Rees protocol, published in the same issue of the same journal.</P>
<P><FONT SIZE="+1"><B><I>Otway-Rees</I></B></FONT></P>
<P>This protocol also uses symmetric cryptography [1224].
</P>
<DL>
<DD><B>(1)</B>&nbsp;&nbsp;Alice generates a message consisting of an index number, her name, Bob&#146;s name, and a random number, all encrypted in the key she shares with Trent. She sends this message to Bob along with the index number, her name, and his name:
<DL>
<DD><I>I,A,B,E</I><SUB>A</SUB>(<I>R</I><SUB>A</SUB>,I,A,B)
</DL>
<DD><B>(2)</B>&nbsp;&nbsp;Bob generates a message consisting of a new random number, the index number, Alice&#146;s name, and Bob&#146;s name, all encrypted in the key he shares with Trent. He sends it to Trent, along with Alice&#146;s encrypted message, the index number, her name, and his name:
<DL>
<DD><I>I,A,B,E</I><SUB>A</SUB>(<I>R</I><SUB>A</SUB>,I,A,B),<I>E</I><SUB>B</SUB>(<I>R</I><SUB>B</SUB>,I,A,B)
</DL>
<DD><B>(3)</B>&nbsp;&nbsp;Trent generates a random session key. Then he creates two messages. One is Alice&#146;s random number and the session key, encrypted in the key he shares with Alice. The other is Bob&#146;s random number and the session key, encrypted in the key he shares with Bob. He sends these two messages, along with the index number, to Bob:
<DL>
<DD><I>I,E</I><SUB>A</SUB>(<I>R</I><SUB>A</SUB>,<I>K</I>),<I>E</I><SUB>B</SUB>(<I>R</I><SUB>B</SUB>,K)
</DL>
<DD><B>(4)</B>&nbsp;&nbsp;Bob sends Alice the message encrypted in her key, along with the index number:
<DL>
<DD><I>I,E</I><SUB>A</SUB>(<I>R</I><SUB>A</SUB>,K)
</DL>
<DD><B>(5)</B>&nbsp;&nbsp;Alice decrypts the message to recover her key and random number. She then confirms that both have not changed in the protocol.
</DL>
<P>Assuming that all the random numbers match, and the index number hasn&#146;t changed along the way, Alice and Bob are now convinced of each other&#146;s identity, and they have a secret key with which to communicate.
</P>
<P><FONT SIZE="+1"><B><I>Kerberos</I></B></FONT></P>
<P>Kerberos is a variant of Needham-Schroeder and is discussed in detail in Section 24.5. In the basic Kerberos Version 5 protocol, Alice and Bob each share keys with Trent. Alice wants to generate a session key for a conversation with Bob.
</P>
<DL>
<DD><B>(1)</B>&nbsp;&nbsp;Alice sends a message to Trent with her identity and Bob&#146;s identity.
<DL>
<DD><I>A,B</I>
</DL>
<DD><B>(2)</B>&nbsp;&nbsp;Trent generates a message with a timestamp, a lifetime, <I>L</I>, a random session key, and Alice&#146;s identity. He encrypts this in the key he shares with Bob. Then he takes the timestamp, the lifetime, the session key, and Bob&#146;s identity, and encrypts these in the key he shares with Alice. He sends both encrypted messages to Alice.
<DL>
<DD><I>EA</I>(<I>T,L,K,B</I>),<I>EB</I>(<I>T,L,K,A</I>)
</DL>
<DD><B>(3)</B>&nbsp;&nbsp;Alice generates a message with her identity and the timestamp, encrypts it in <I>K</I>, and sends it to Bob. Alice also sends Bob the message encrypted in Bob&#146;s key from Trent.
<DL>
<DD><I>E</I><SUB>K</SUB>(<I>A,T</I>),<I>E</I><SUB>B</SUB>(<I>T,L,K,A</I>)
</DL>
<DD><B>(4)</B>&nbsp;&nbsp;Bob creates a message consisting of the timestamp plus one, encrypts it in <I>K</I>, and sends it to Alice.
<DL>
<DD><I>E</I><SUB>K</SUB>(<I>T</I> &#43; 1)
</DL>
</DL>
<P>This protocol works, but it assumes that everyone&#146;s clocks are synchronized with Trent&#146;s clock. In practice, the effect is obtained by synchronizing clocks to within a few minutes of a secure time server and detecting replays within the time interval.
</P>
<P><FONT SIZE="+1"><B><I>Neuman-Stubblebine</I></B></FONT></P>
<P>Whether by system faults or by sabotage, clocks can become unsynchronized. If the clocks get out of sync, there is a possible attack against most of these protocols [644]. If the sender&#146;s clock is ahead of the receiver&#146;s clock, Mallory can intercept a message from the sender and replay it later when the timestamp becomes current at the receiver&#146;s site. This attack is called <B>suppress-replay</B> and can have irritating consequences.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="03-05.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="03-07.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>

[an error occurred while processing this directive]
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->