Score:1

Can a nonce be completely random on (simplified) Needham–Schroeder Protocol?


From what I've read so far, nonces are random one-time values, which are sent in plaintext in addition to the ciphertext to verify the identity of the sender/receiver. Theoretically, if the nonce is random, an attacker E can intercept Alice's message which was designated to Bob, and impersonate Bob by generating a random nonce, without ever communicating with Bob.

So if the request-response protocol is:

A → B : nA

B → A : {nA, nB}K

A → B : nB

with nA,nB being the nonces and K being a symmetric shared key between Alice and Bob.

  1. Can the attacker do a reflect attack back at Alice by just changing the nonce? This way A is fooled into thinking B is initiating communication with A and then she would share both their nonces encrypted with the key, in this case (modifying the 2nd line of the protocol):

B → A : {nA, nE}K

leading to a known-plaintext attack. The attacker has knowledge of both the plaintext and ciphertext in this scenario, so he can derive the secret key.

  2. Can this flaw in the protocol be fixed by:
  • applying k to the nonces?
  • including identifier of B (receiver) in the second ciphertext?

Fix Proposal

A → B : {nA}k

B → A : {B, nA}k

A → B : {nB}k

Score:0

> leading to a known-plaintext attack. The attacker has knowledge of both the plaintext and ciphertext in this scenario, so he can derive the secret key.

This is not feasible for any modern cipher design. Ciphers are designed so that even if the attacker has access to vast amounts of matched plaintext and ciphertext then the key is still infeasible to recover.

There is a reflection attack on your protocol if Alice allows sessions with Bob where she is both sender and receiver to be interleaved and uses the same key for both. It goes as follows:

  • Session 1: Alice generates and sends $n_A$ to Bob, but it is intercepted by Mallory
  • Session 2: Mallory reflects $n_A$ back to Alice pretending to be Bob
  • Session 2: Alice generates $n_B$ and sends $(n_A,n_B)_K$ to Bob, but it is intercepted by Mallory
  • Session 1: Mallory reflects $(n_A,n_B)_K$ back to Alice
  • Session 1: Alice decrypts $(n_A,n_B)_K$ and checks that the value of $n_A$ is the one she sent at the start of session 1. If so she sends $n_B$ to Bob, but it is intercepted by Mallory.
  • Session 2: Mallory reflects $n_B$ back to Alice.

In session 2, Alice receives back the $n_B$ value that she anticipates and in both sessions the protocol leads her to believe that she is communicating with Bob. This attack is not blocked by encrypting the initial nonce.

suigetsuh17
Thanks for the answer, I see that my understanding of the communication between A & B was slightly wrong. If you can see on the 2nd bullet of question 2, can this reflection attack be fixed if B includes his identifier on the 2nd message?
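
The interleaving described in the answer, replayed as a small symbolic model; this is an added example, not code from the question or the answer, and it also goes beyond the answer by modelling the question's second proposal (the responder's identifier inside the second ciphertext). Assumptions: encryption is symbolic (a `Box` is opaque without `K`), and the names `Box`, `Alice`, `bind_identity`, `reflection_succeeds` and the session ids `s1`/`s2` are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Box:
    """Symbolic {payload}_K: treated as opaque to anyone without `key`."""
    key: bytes
    payload: tuple

class Alice:
    """Runs initiator and responder sessions with peer B under one key K."""
    def __init__(self, key, bind_identity):
        self.key, self.bind = key, bind_identity
        self.sent = {}    # initiator session id -> n_A she sent
        self.issued = {}  # responder session id -> n_B she issued

    def initiate(self, sid):                      # message 1: n_A
        self.sent[sid] = secrets.token_bytes(16)
        return self.sent[sid]

    def respond(self, sid, n_a):                  # message 2: {n_A, n_B}_K
        self.issued[sid] = secrets.token_bytes(16)
        body = (n_a, self.issued[sid])
        if self.bind:                             # variant: responder name inside
            body = ("A",) + body
        return Box(self.key, body)

    def finish_initiator(self, sid, box):         # check message 2, emit message 3
        if box.key != self.key:
            return None
        body = box.payload
        if self.bind:
            if body[0] != "B":                    # must name the peer, not herself
                return None
            body = body[1:]
        n_a, n_b = body
        return n_b if n_a == self.sent[sid] else None

    def finish_responder(self, sid, n_b):         # check message 3
        return n_b == self.issued[sid]

def reflection_succeeds(bind_identity):
    """Replay the six steps above; Mallory only forwards and never holds K."""
    alice = Alice(secrets.token_bytes(32), bind_identity)
    n_a = alice.initiate("s1")                # session 1, intercepted
    box = alice.respond("s2", n_a)            # session 2, n_A reflected
    n_b = alice.finish_initiator("s1", box)   # session 1, box reflected
    return n_b is not None and alice.finish_responder("s2", n_b)
```

`reflection_succeeds(False)` returns `True` (Alice completes both sessions without Bob taking part), while `reflection_succeeds(True)` returns `False` because the reflected box names Alice herself as responder.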