
Some New Attacks upon Security Protocols

Gavin Lowe
Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford, OX1 3QD, United Kingdom.
[email protected]

Abstract

Many security protocols have appeared in the literature, with aims such as agreeing upon a cryptographic key, or achieving authentication. However, many of these have been shown to be flawed. In this paper we present a number of new attacks upon security protocols, and discuss ways in which we may avoid designing incorrect protocols in the future.

1. Introduction

Many security protocols have appeared in the literature; these have various aims, such as agreeing upon a cryptographic key, or achieving authentication, where each agent becomes assured of the other's identity. Unfortunately, a large proportion of these protocols are subject to attacks, leading to them not correctly achieving their goals. In this paper, we present a few more attacks upon such protocols.

The main point of this paper is to highlight the fact that, despite much research on the subject, many insecure protocols are still being produced. Further, most of the weaknesses that allow the attacks are well known. Our hope is that by highlighting these errors, once again, protocol designers will avoid making the same mistakes in future. We will have more to say on this subject in the concluding section.

Our notation is very standard. The protocols are between agents A and B, sometimes with the help of a trusted server S. We denote nonces by N_a, etc.; the subscripts denote their origin. We denote a key shared between A and B by K_ab, etc. We denote message m encrypted with key k by {m}_k. We denote message m signed by agent A by S_A(m): we do not specify how this signing is implemented. We denote an attacker by I; when the attack impersonates an agent A to send a message, we denote this I_A; we use the same notation to denote I intercepting a message intended for A. When an attack requires several runs of the protocol, we will denote the runs α, β, etc., and denote the messages α1, etc.

Some of the attacks we present are implementation-dependent, and we will describe necessary conditions for the attacks to succeed. We believe that a protocol specification can be considered secure only if all its implementations are secure: if the security of a protocol depends upon certain assumptions about the way it is implemented, then those assumptions need to be clearly stated.

Further, we believe that it is a bad idea to base the security of a protocol upon an assumption that is very hard to implement. For example, the original design for the Kerberos protocol [19, 27] stated that live authenticators should be stored to detect replay attacks. However, Bellovin and Merritt [3] report that this was never implemented, and point out that a security feature is not very useful if it is too hard to implement. We believe that it is better to design a protocol in such a way that its security does not depend upon such implementation requirements.

In the next section we define precisely what we mean by the term authentication. In the following sections, we present attacks upon four different protocols. We close by summing up, and suggesting ways of producing more reliable protocols.

2. What is authentication?

Most of the errors caused by the attacks in this paper are errors of authentication, and so we make clear here what we understand by the term "authentication".

We say that an agent A accepts the identity of another agent B if it has completed enough of the protocol that it should be assured of B's identity. This will normally be immediately after the last message that A is supposed to receive in the protocol; note that this may be before the final message of the protocol run, if, for example, A then sends some acknowledgement back to B.

We say that a protocol correctly achieves authentication if whenever an agent A accepts the identity of another agent B, it must be the case that B believes that he has been running the protocol with A, and the records of the messages sent and received at the two ends should match (and similarly when B accepts A's identity). That is, if A sent a message m intended for B, then B received a message m apparently from A, and vice versa. We further require that there is a one-one relationship between A's runs and those of B, so A does not believe he has completed two runs, when B has carried out only a single run, for example.

This definition of authentication is Roscoe's intensional specification [23]. It is the same as Gollmann's specification G4 in [11]:

    The origin of all messages in the protocol has to be authenticated.

Diffie et al. [10] have a similar definition of authentication. They specify that if A accepts the identity of B, then B's record of the run must match A's: every message that B sends or receives during the run must correspond to a message received or sent by A, and vice versa. This differs from our definition in that B may have been intending his messages to be received by a third agent, C say. The definitions coincide if each message contains the identities of the (apparent) sender and the (intended) recipient, as will be the case in most implementations.

Our definition of authentication is quite strong, but we believe that it is the right one. It essentially insists that all protocol runs are as the protocol designer intended.

Some definitions of authentication, such as Gollmann's specification G3 [11], insist that if A accepts B's identity then B must merely be present, rather than necessarily taking part in a run matching A's. This weaker specification allows the case where B thinks he has been running the protocol with some other agent, and may never have heard of A. It also allows cases where B agrees that it has been running the protocol with A, but the two agents disagree about some of the details; for example: (1) both agents may believe that it was they who initiated the protocol run; or (2) the agents may disagree over the value of some nonce exchanged during the run. In these cases, it would be incorrect for either agent to take some action in the resulting session that depended upon the exact form of the protocol run.

    Msg 1. A → B : A, N_a
    Msg 2. B → A : B, N_b
    Msg 3. A → B : {A, B, N_a, N_b}_Kas
    Msg 4. B → S : {A, B, N_a, N_b}_Kas, {A, B, N_a, N_b}_Kbs
    Msg 5. S → B : {B, N_a, N_b, K_ab}_Kas, {A, N_a, N_b, K_ab}_Kbs
    Msg 6. B → A : {B, N_a, N_b, K_ab}_Kas, {N_a, N_b}_Kab
    Msg 7. A → B : {N_b}_Kab

If A wants to establish a session with B, he sends him a nonce (message 1). B responds by returning another nonce (message 2). A then prepares an encrypted message for the server, containing the two agents' identifiers and the two nonces, and sends it to B (message 3). B forwards this message to the server, along with a similar message of his own creation (message 4). When the server receives this message, he checks that the agent identities and nonces agree, and if so selects a new key K_ab to be used in the subsequent session between A and B. The server creates two encrypted components, one for each of A and B, and returns both to B (message 5). B decrypts his component to obtain the key, and then forwards the other component to A, along with a component encrypted with K_ab to convince A that he knows the key (message 6). Finally, A decrypts his component to learn the key, and returns a message to B to convince him that he knows the key (message 7).

The attack we will present depends upon a couple of assumptions. We assume that nonces and keys are simply sequences of bits, without any typing information; hence any such bit sequence of the right length will be accepted as a nonce or a key. Further, we assume that the bit sequences representing agent identifiers, nonces and keys are all of the same length, which means, for example, that a nonce may be accepted as a key.

In the following, "bit-string", "bit-string′", etc. represent any sequences of bits that may be accepted as being of the form {A, B, N_a, N_b}_k by an agent who does not possess the key k, that is, any bit sequences of the appropriate length; in the attack, no agent ever tries to decrypt these messages, so any such sequences of bits will do. The attack can be described as follows:

    Msg α1. I_A → B : A, B
    Msg α2. B → I_A : B, N_b
    Msg α3. I_A → B : bit-string
    Msg α4. B → I_S : bit-string, {A, B, B, N_b}_Kbs
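As an added illustration of the definition of authentication in section 2 (this is example code, not the paper's), the following Python models each agent's record of a run as an ordered list of send/receive events and checks the two conditions the definition imposes: the two records must match in both directions, and the runs in which A accepted B's identity must correspond one-one to runs B actually carried out. The event format, the sample records and the message strings are constructed for the example; the samples reproduce failure modes (1) and (2) from the text and the case where A believes it completed two runs while B ran once.

```python
"""Checking the section-2 definition of authentication over two agents' run records.

Added example, not code from the paper.  A record is what one agent believes
happened in a run: a list of (kind, sender, receiver, message) with kind "send"
or "recv".  Messages are plain strings; only their equality and order matter.
"""


def _transcript(record, me, peer):
    """This agent's view of the run as an ordered list of (sender, receiver, message),
    keeping only traffic between `me` and `peer`.  Raises on a malformed record that
    claims to have sent someone else's message or received one addressed elsewhere."""
    out = []
    for kind, sender, receiver, msg in record:
        if {sender, receiver} != {me, peer}:
            continue
        if (kind == "send" and sender != me) or (kind == "recv" and receiver != me):
            raise ValueError(f"malformed event for {me}: {(kind, sender, receiver, msg)}")
        out.append((sender, receiver, msg))
    return out


def records_match(a_record, b_record, a, b):
    """Every message A sent to B was received by B apparently from A, and vice versa,
    in the same order: the two ends' records of the run coincide."""
    return _transcript(a_record, a, b) == _transcript(b_record, b, a)


def authenticates(a_runs, b_runs, a, b):
    """True iff each run in which A accepted B's identity matches a distinct run of B's,
    so A never believes it completed more runs with B than B actually carried out."""
    unmatched = list(b_runs)
    for run in a_runs:
        for i, candidate in enumerate(unmatched):
            if records_match(run, candidate, a, b):
                del unmatched[i]          # one B run can justify only one A run
                break
        else:
            return False
    return True


# --- constructed sample records covering the first three protocol messages --------

def sample_honest_run():
    """Both agents record the same three messages: the records match."""
    a = [("send", "A", "B", "A, Na"),
         ("recv", "B", "A", "B, Nb"),
         ("send", "A", "B", "{A, B, Na, Nb}Kas")]
    b = [("recv", "A", "B", "A, Na"),
         ("send", "B", "A", "B, Nb"),
         ("recv", "A", "B", "{A, B, Na, Nb}Kas")]
    return a, b


def sample_nonce_disagreement():
    """Failure (2): the agents disagree over the value of the nonce in message 2."""
    a, b = sample_honest_run()
    a = [a[0], ("recv", "B", "A", "B, Nb'"), a[2]]   # A recorded a different N_b
    return a, b


def sample_both_initiate():
    """Failure (1): each agent believes it was the one that initiated the run."""
    a, _ = sample_honest_run()
    b = [("send", "B", "A", "B, Nb"),              # B records its own message first
         ("recv", "A", "B", "A, Na")]
    return a, b


if __name__ == "__main__":
    a, b = sample_honest_run()
    print("honest run matches:", records_match(a, b, "A", "B"))
    print("A accepted twice, B ran once:", authenticates([a, a], [b], "A", "B"))
```

The order-sensitive transcript comparison is what makes the check intensional in the paper's sense: two records that contain the same messages in a different order, as in the "both initiated" case, do not match, and the one-one requirement is enforced by consuming each of B's runs at most once.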
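The following Python is an added example, not the paper's code. It models the stated assumption that agent identifiers, nonces and keys are untyped bit-strings of one common length: B's honest component of message 4 is encrypted and then read back under the field layout of the message-5 component, where an untyped decoder accepts it and a nonce lands in the key slot, exactly the confusion the text describes. Beside it is the mitigation the assumption points to: prefixing each field with a type tag that the decoder checks against the layout it expects, so the same component is rejected. The toy keystream cipher, the tag values and all agent names, nonces and keys are constructed for the example.

```python
"""Untyped versus type-tagged message components (added example, not the paper's code).

Encryption is a toy SHA-256 keystream built here (no integrity, not for real use);
only the field layout matters for the point being made.
"""
import hashlib

FIELD = 8                                       # paper's assumption: one length for all
AGENT, NONCE, KEY = b"\x01", b"\x02", b"\x03"   # type tags used by the hardened encoding


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: XOR the plaintext with a key-derived keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


decrypt = encrypt   # XOR with the same keystream is its own inverse


# --- untyped encoding: fixed-width fields simply concatenated --------------------

def encode_untyped(fields):
    assert all(len(f) == FIELD for f in fields)
    return b"".join(fields)


def decode_untyped(key, ciphertext, layout):
    """Cut the plaintext into FIELD-sized slots and name them by position.  Nothing
    here can tell whether a slot holds an identifier, a nonce or a key."""
    pt = decrypt(key, ciphertext)
    if len(pt) != FIELD * len(layout):
        return None
    return {name: pt[i * FIELD:(i + 1) * FIELD] for i, name in enumerate(layout)}


# --- typed encoding: every field carries a one-byte tag the decoder verifies -------

def encode_typed(fields):
    assert all(len(v) == FIELD for _, v in fields)
    return b"".join(tag + value for tag, value in fields)


def decode_typed(key, ciphertext, layout):
    """layout is a list of (name, expected_tag).  Returns None as soon as a field's
    tag differs from the expected one, so a component of the wrong kind is rejected."""
    pt = decrypt(key, ciphertext)
    width = 1 + FIELD
    if len(pt) != width * len(layout):
        return None
    out = {}
    for i, (name, tag) in enumerate(layout):
        chunk = pt[i * width:(i + 1) * width]
        if chunk[:1] != tag:
            return None
        out[name] = chunk[1:]
    return out


# constructed sample values, each exactly FIELD bytes
A, B = b"agent_A_", b"agent_B_"
N_A, N_B = b"nonce_A_", b"nonce_B_"
K_BS = b"key_B_S_"

MSG4_B_LAYOUT = ["A", "B", "N_a", "N_b"]        # B's component of message 4
MSG5_B_LAYOUT = ["A", "N_a", "N_b", "K_ab"]     # B's component of message 5


def untyped_confusion():
    """B's honest message-4 component read with the message-5 layout: the parse
    succeeds and the nonce N_b is taken as the session key."""
    comp4 = encrypt(K_BS, encode_untyped([A, B, N_A, N_B]))
    return decode_untyped(K_BS, comp4, MSG5_B_LAYOUT)


def typed_rejection():
    """The same component with tags decodes under its own layout but is rejected
    under the message-5 layout, because an AGENT tag sits where NONCE is expected."""
    comp4 = encrypt(K_BS, encode_typed([(AGENT, A), (AGENT, B), (NONCE, N_A), (NONCE, N_B)]))
    as_msg4 = decode_typed(K_BS, comp4, [("A", AGENT), ("B", AGENT), ("N_a", NONCE), ("N_b", NONCE)])
    as_msg5 = decode_typed(K_BS, comp4, [("A", AGENT), ("N_a", NONCE), ("N_b", NONCE), ("K_ab", KEY)])
    return as_msg4 is not None, as_msg5 is None
```

Note that `decode_untyped` also accepts any 32-byte value whatsoever, which is precisely the "bit-string" notion above: without typing (and without integrity protection on the ciphertext) a recipient that does not hold the key has no way to distinguish a genuine component from arbitrary bits of the right length. Tags alone do not give integrity; they only ensure that a well-formed component built for one message cannot be parsed as another.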