Some New Attacks upon Security Protocols

Gavin Lowe Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford, OX1 3QD, United Kingdom.

[email protected]

Abstract

Many security protocols have appeared in the literature, with aims such as agreeing upon a cryptographic key, or achieving authentication. However, many of these have been shown to be flawed. In this paper we present a number of new attacks upon security protocols, and discuss ways in which we may avoid designing incorrect protocols in the future.

1. Introduction

Many security protocols have appeared in the literature; these have various aims, such as agreeing upon a cryptographic key, or achieving authentication, where each agent becomes assured of the other's identity. Unfortunately, a large proportion of these protocols are subject to attacks, leading to them not correctly achieving their goals. In this paper, we present a few more attacks upon such protocols.

The main point of this paper is to highlight the fact that, despite much research on the subject, many insecure protocols are still being produced. Further, most of the weaknesses that allow the attacks are well known. Our hope is that by highlighting these errors, once again, protocol designers will avoid making the same mistakes in future. We will have more to say on this subject in the concluding section.

Our notation is very standard. The protocols are between agents A and B, sometimes with the help of a trusted server S. We denote nonces by N_a, etc.; the subscripts denote their origin. We denote a key shared between A and B by K_ab, etc. We denote message m encrypted with key k by {m}_k. We denote message m signed by agent A by S_A(m): we do not specify how this signing is implemented. We denote an attacker by I; when the attacker impersonates an agent A to send a message, we denote this I_A; we use the same notation to denote I intercepting a message intended for A.

messages, etc. Some of the attacks we present are implementation-dependent, and we will describe necessary conditions for the attacks to succeed. We believe that a protocol specification can be considered secure only if all its implementations are secure: if the security of a protocol depends upon certain assumptions about the way it is implemented, then those assumptions need to be clearly stated.

Further, we believe that it is a bad idea to base the security of a protocol upon an assumption that is very hard to implement. For example, the original design for the Kerberos protocol [19, 27] stated that live authenticators should be stored to detect replay attacks. However, Bellovin and Merritt [3] report that this was never implemented, and point out that a security feature is not very useful if it is too hard to implement. We believe that it is better to design a protocol in such a way that its security does not depend upon such implementation requirements.

In the next section we define precisely what we mean by the term authentication. In the following sections, we present attacks upon four different protocols. We close by summing up, and suggesting ways of producing more reliable protocols.

2. What is authentication?

Most of the errors caused by the attacks in this paper are errors of authentication, and so we make clear here what we understand by the term "authentication".

We say that an agent A accepts the identity of another agent B if it has completed enough of the protocol that it should be assured of B's identity. This will normally be immediately after the last message that A is supposed to receive in the protocol; note that this may be before the final message of the protocol run, if, for example, A then sends some acknowledgement back to B.

We say that a protocol correctly achieves authentication if whenever an agent A accepts the identity of another agent B

When a
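The Introduction's Kerberos remark, that "live authenticators should be stored to detect replay attacks", describes a replay cache. The following is an added illustration written for this page, not code from the paper, from Bellovin and Merritt, or from any Kerberos implementation: it puts a stateless timestamp-only verifier beside a verifier that remembers authenticators within the clock-skew window, and shows the attacker I replaying an intercepted authenticator as I_A. The Authenticator fields, the 300-second skew window, the verdict strings and the scenario timings are assumptions made for the example.

```python
# Added illustration, not code from the paper or from any Kerberos
# implementation: a minimal replay cache of the kind the original Kerberos
# design asked for ("live authenticators should be stored to detect replay
# attacks"). The Authenticator fields, the 300 s skew window and the
# verdict strings are assumptions made for this example.
from dataclasses import dataclass

SKEW = 300  # assumed acceptable clock skew between client and server, seconds


@dataclass(frozen=True)
class Authenticator:
    """Sketch of an authenticator: who sent it, when, and a per-message
    nonce so that two honest authenticators in the same second differ.
    (In the real protocol this is encrypted under the session key; here
    we only model the freshness check, so it is left in the clear.)"""
    client: str
    timestamp: int
    nonce: int


def verify_timestamp_only(auth: Authenticator, now: int, skew: int = SKEW) -> bool:
    """Stateless verifier: accepts any authenticator whose timestamp lies
    within the skew window. An attacker I who intercepts an authenticator
    can replay it for up to `skew` seconds and this check will accept it."""
    return abs(now - auth.timestamp) <= skew


class ReplayCache:
    """Stateful verifier: remembers every authenticator accepted within the
    skew window and rejects a second presentation of the same one. Entries
    older than the window are pruned, so the cache stays bounded: anything
    outside the window fails the timestamp check and need not be remembered."""

    def __init__(self, skew: int = SKEW) -> None:
        self.skew = skew
        self.seen: dict[Authenticator, int] = {}

    def _prune(self, now: int) -> None:
        for auth in [a for a, ts in self.seen.items() if now - ts > self.skew]:
            del self.seen[auth]

    def verify(self, auth: Authenticator, now: int) -> str:
        """Return 'accept', 'stale' (outside the window) or 'replay'."""
        self._prune(now)
        if abs(now - auth.timestamp) > self.skew:
            return "stale"
        if auth in self.seen:
            return "replay"
        self.seen[auth] = auth.timestamp
        return "accept"


def replay_scenario() -> dict[str, object]:
    """Constructed scenario (assumed timings): A's authenticator is
    intercepted by I and replayed as I_A 100 s later, inside the skew
    window, and again 400 s later, outside it."""
    a_auth = Authenticator(client="A", timestamp=1000, nonce=7)
    cache = ReplayCache()
    return {
        "cache_first": cache.verify(a_auth, now=1000),            # accept
        "cache_replay": cache.verify(a_auth, now=1100),           # replay
        "stateless_replay": verify_timestamp_only(a_auth, 1100),  # True: accepted
        "cache_late_replay": cache.verify(a_auth, now=1400),      # stale
        "entries_after_prune": len(cache.seen),                   # 0
    }


if __name__ == "__main__":
    for name, verdict in replay_scenario().items():
        print(f"{name}: {verdict}")
```

The timestamp-only verifier accepts the replayed authenticator because it is still fresh; only the cache catches it. The cost is exactly the implementation burden the paper alludes to: the cache is state that every verifier which can accept the authenticator must keep, must share if the service is replicated, and must retain across a restart for the whole window, on top of the synchronised clocks the timestamp check already presupposes.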