
A review of attacks found and fixed

Alexander Marsalek
University of Technology Graz, Institute for Applied Information Processing and
Communications, Graz, Austria
amarsalek@student.tugraz.at
Selected Topics in Design & Verification - Exercise Two

Abstract. Security protocols should offer properties like integrity, authentication and secrecy, but it is very hard to prove the correctness of such protocols. There are two ways to show that a protocol is secure: test it with formal methods, or show that it is secure against all known attack types. Many protocols in the literature claimed to be secure but contained errors. We want to find out how useful formal methods are.
Keywords: Security protocol, Automated checks, Model checker, Protocol attacks, Needham-Schroeder Protocol, BAN simplified version of Yahalom, Diffie-Hellman key exchange, Multi-Protocol Attacks

1 Introduction

Security protocols are very important in everyday life. We use them for various things like key agreement, key exchange or authentication. The problem is that it is very hard to prove the correctness of such protocols. Basically there are two ways to show that a protocol is secure. The first way is to explain why the protocol is secure against all known attacks and attack types, and the second way is to prove the properties of the protocol with formal methods. But can we trust such proofs? Many attacks have been found on protocols in the literature that claimed to be secure - some by hand and some by tools. In section 3 we present some selected security protocols from the literature. We show some famous attacks on them and a corrected version of each protocol. We also show some attacks on protocols that are claimed to be secure by formal methods. In section 4 we present a 3-protocol attack that was found by a tool [3]. With this attack we want to show some of the advantages of automated tools: it would be very hard to find that attack by hand.

2 Related Work

There are many papers that present the benefits of formal methods, like Realising the Benefits of Formal Methods [7] [6] from Anthony Hall, Getting the best from formal methods [16] from John B. Wordsworth, or Application and benefits of formal methods in software development [14] from C. Meadows. But we did not find papers that review previously unknown attacks that were found with formal methods.

3 Selected Protocol Attacks

In this section we present some attacks on the Needham-Schroeder Protocol [13], on the BAN simplified version of Yahalom [2] and on the Diffie-Hellman key exchange [5].
3.1 Needham-Schroeder Protocol

The Needham-Schroeder Protocol was proposed by Roger M. Needham and Michael D. Schroeder in 1978 [13]. There are two protocol versions: one version uses public-key algorithms (see section 3.1.2) and the other version uses symmetric-key algorithms (see section 3.1.1).
3.1.1 Symmetric Key Protocol

The symmetric Needham-Schroeder Protocol aims to distribute a shared symmetric key between two parties.

Protocol specification:

A, B, S : Principal
Na, Nb : Nonce
Kas, Kbs, Kab : Key

1. A → S : A, B, Na
2. S → A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A → B : {Kab, A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb − 1}Kab

Attack:
If an attacker knows an old key Kab she can replay the third message I(A) → B : {Kab, A}Kbs. Now B thinks A wants to communicate with him and responds with message four B → I(A) : {Nb}Kab. The attacker intercepts the message and responds with message five I(A) → B : {Nb − 1}Kab. B thinks he has a secure connection to A but is communicating with the attacker. This attack was found by Dorothy E. Denning and Giovanni Maria Sacco. Their paper, Timestamps in key distribution protocols [4], was published in 1981. Denning and Sacco tried to prevent this attack with timestamps:
A, B, S : Principal
T : Timestamp
Kas, Kbs, Kab : Key

1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs
The protocol is called Denning-Sacco shared key, but it is not secure. The attack was found by Lowe and is explained in A Family of Attacks upon Authentication Protocols [11]:

Session 1:
1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs

Session 2:
4. I(A) → B : {Kab, A, T}Kbs

In this attack B thinks that A is trying to set up a second session, although A never started one: the ticket from session 1 is simply presented again while its timestamp is still fresh. Lowe presented a fixed version, the Lowe modified Denning-Sacco shared key:
A, B, S : principal
Nb : nonce
Kas, Kbs, Kab : key
T : timestamp

1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb + 1}Kab
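The difference between the two responder checks can be made concrete in a small symbolic model. The following Python is an added example, not code from the paper or from Lowe's report: encryption is a tagged tuple, keys and names are constructed labels, and the timestamp window is an assumed value. It models B's side only: the Denning-Sacco responder accepts any ticket whose timestamp is recent, so the same ticket presented a second time inside the window is accepted again, while Lowe's responder additionally issues the {Nb}Kab challenge and completes only when the presenter can return {Nb + 1}Kab, which requires Kab.

```python
# Toy symbolic model of B's side of the Denning-Sacco shared-key protocol
# and of Lowe's modified version (added example, not the paper's own code).
# {m}K is a tagged tuple and keys are plain labels.

TIMESTAMP_WINDOW = 60  # seconds a ticket is accepted for (assumed value)

KBS = "Kbs"  # long-term key B shares with S (constructed label)
KAB = "Kab"  # session key S issued for A and B (constructed label)


def enc(key, *fields):
    """Symbolic {fields}key."""
    return ("enc", key, fields)


def dec(key, msg):
    """Open {fields}key; fails unless the same key was used."""
    tag, used_key, fields = msg
    if tag != "enc" or used_key != key:
        raise ValueError("wrong key")
    return fields


def make_ticket(kab, a, t):
    """Message 3, {Kab, A, T}Kbs, as A forwards it from S."""
    return enc(KBS, kab, a, t)


def denning_sacco_responder(ticket, now):
    """B in Denning-Sacco: accept the key if T is recent. Nothing here
    distinguishes a first delivery from a second one inside the window."""
    kab, _a, t = dec(KBS, ticket)
    if now - t > TIMESTAMP_WINDOW:
        return None
    return kab


def lowe_responder(ticket, now, peer, nb):
    """B in Lowe's modified version: after the freshness check B sends
    {Nb}Kab (message 4) and accepts only if the peer answers {Nb + 1}Kab
    (message 5). `peer` models whoever presented the ticket: it receives
    message 4 and returns message 5."""
    kab, _a, t = dec(KBS, ticket)
    if now - t > TIMESTAMP_WINDOW:
        return None
    reply = peer(enc(kab, nb))
    try:
        (value,) = dec(kab, reply)
    except (ValueError, TypeError):
        return None
    return kab if value == nb + 1 else None


def honest_a(msg4):
    """A holds Kab, so it can read Nb and answer with Nb + 1."""
    (nb,) = dec(KAB, msg4)
    return enc(KAB, nb + 1)


def ticket_only_peer(msg4):
    """A party that holds the ticket but not Kab cannot read Nb; echoing
    the challenge back unchanged is all it can send under Kab."""
    return msg4
```

In the Denning-Sacco model the only state B keeps is its clock, which is exactly why the second presentation of the ticket inside the window succeeds; Lowe's nonce exchange ties acceptance to a fresh proof of Kab rather than to the age of the ticket.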

3.1.2 Needham-Schroeder Public-Key Protocol

The Needham-Schroeder Public-Key Protocol aims to provide mutual authentication between two parties communicating over an insecure network, using public key cryptography.

Protocol specification:

A, B, S : Principal
Na, Nb : Nonce
KPa, KPb, KPs, KSa, KSb, KSs : Key
KPa, KSa : is a key pair
KPb, KSb : is a key pair
KPs, KSs : is a key pair

Full version:
1. A → S : A, B
2. S → A : {KPb, B}KSs
3. A → B : {Na, A}KPb
4. B → S : B, A
5. S → B : {KPa, A}KSs
6. B → A : {Na, Nb}KPa
7. A → B : {Nb}KPb

Reduced version:
If we assume that both agents know the other's public key, it is possible to use the reduced version of the protocol:
1. A → B : A, B, {Na, A}KPb
2. B → A : B, A, {Na, Nb}KPa
3. A → B : A, B, {Nb}KPb
Attack on the full version:
This attack was found by Lowe and is described in the paper An attack on the Needham-Schroeder public-key authentication protocol [8].

Session 1:
1. A → S : A, I
2. S → A : {KPi, I}KSs
3. A → I : {Na, A}KPi
4. I → S : I, A
5. S → I : {KPa, A}KSs
6. I → A : {Na, Nb}KPa
7. A → I : {Nb}KPi

Session 2:
1. I → S : I, B
2. S → I : {KPb, B}KSs
3. I(A) → B : {Na, A}KPb
4. B → S : B, A
5. S → B : {KPa, A}KSs
6. B → I(A) : {Na, Nb}KPa
7. I(A) → B : {Nb}KPb

Corrected version:
Lowe presented a fix; he suggests changing the sixth message to:
6. B → A : {B, Na, Nb}KPa
Attack on the reduced version:
This attack was found by Lowe [9] [10] using a Failures Divergences Refinement Checker (FDR), a model checker for CSP:

Session 1:
1. A → I : A, I, {Na, A}KPi
2. I → A : I, A, {Na, Nb}KPa
3. A → I : A, I, {Nb}KPi

Session 2:
1. I(A) → B : A, B, {Na, A}KPb
2. B → I(A) : B, A, {Na, Nb}KPa
3. I(A) → B : A, B, {Nb}KPb

Corrected version:
Lowe presented a corrected version by simply adding an identity to the encrypted part of message two:
1. A → B : A, B, {Na, A}KPb
2. B → A : B, A, {Na, Nb, B}KPa
3. A → B : A, B, {Nb}KPb
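The effect of the added identity is easiest to see by replaying the two sessions above against a small symbolic model, in the style of what FDR explores. The following Python is an added example, not code from the paper or from Lowe's work: public-key encryption is a tagged tuple that only the holder of the matching private key can open, and all names, keys and nonces are constructed labels. `interleave(False)` runs the original reduced protocol through the two-session trace and reports that B ends up believing it authenticated A; `interleave(True)` runs the corrected protocol, where A's check that the name inside message 2 matches the party it started the run with stops the trace at message 2 of session 1.

```python
# Toy symbolic model of the reduced Needham-Schroeder public-key protocol
# with and without Lowe's fix (added example, not the paper's own code).
# Names, keys and nonces are constructed labels.

PUB = {"A": "KPa", "B": "KPb", "I": "KPi"}   # public keys, known to everyone
# A message encrypted under PUB[x] can only be opened by x (holder of KSx).


def enc(name, *fields):
    """{fields}KP_name."""
    return ("enc", PUB[name], fields)


def dec(name, msg):
    """Open a message with KS_name; fails if it was encrypted for someone else."""
    tag, pub, fields = msg
    if tag != "enc" or pub != PUB[name]:
        raise ValueError("not encrypted for " + name)
    return fields


class Initiator:
    """Role A."""

    def __init__(self, name, nonce):
        self.name, self.nonce, self.peer = name, nonce, None

    def msg1(self, peer):
        self.peer = peer
        return enc(peer, self.nonce, self.name)          # {Na, A}KPb

    def msg3(self, msg2, fixed):
        """Process message 2; return message 3, or None if A rejects."""
        fields = dec(self.name, msg2)
        if fixed:
            na, nb, who = fields                         # {Na, Nb, B}KPa
            if who != self.peer:                         # Lowe's identity check
                return None
        else:
            na, nb = fields                              # {Na, Nb}KPa
        if na != self.nonce:
            return None
        return enc(self.peer, nb)                        # {Nb}KPb


class Responder:
    """Role B."""

    def __init__(self, name, nonce):
        self.name, self.nonce, self.peer = name, nonce, None

    def msg2(self, msg1, fixed):
        na, self.peer = dec(self.name, msg1)
        if fixed:
            return enc(self.peer, na, self.nonce, self.name)
        return enc(self.peer, na, self.nonce)

    def accept(self, msg3):
        """True if B concludes it shares Nb with self.peer."""
        (nb,) = dec(self.name, msg3)
        return nb == self.nonce


def honest_run(fixed):
    """A talks to B directly; both variants complete."""
    a, b = Initiator("A", "Na"), Responder("B", "Nb")
    m3 = a.msg3(b.msg2(a.msg1("B"), fixed), fixed)
    return m3 is not None and b.accept(m3)


def interleave(fixed):
    """Replay the two-session trace from the text. Returns True when B ends
    up believing it authenticated A, i.e. the interleaving was not stopped."""
    a, b = Initiator("A", "Na"), Responder("B", "Nb")
    na, a_name = dec("I", a.msg1("I"))       # session 1, msg 1: A opened a run with I
    m2 = b.msg2(enc("B", na, a_name), fixed)  # session 2, msg 1: same nonce, now for B
    m3 = a.msg3(m2, fixed)                    # session 1, msg 2: B's reply handed to A
    if m3 is None:
        return False                          # A rejected: name inside is B, not I
    (nb,) = dec("I", m3)                      # session 1, msg 3 is addressed to I
    return b.accept(enc("B", nb))             # session 2, msg 3
```

The model deliberately has no notion of "intended" versus "actual" sender beyond the name carried inside the ciphertext; that is the whole point of the fix, since in the original protocol nothing inside message 2 tells A which responder produced it.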
3.2 BAN simplified version of Yahalom

This protocol is described in A logic of authentication [2] and was invented by Michael Burrows, Martin Abadi and Roger Needham. The authors modified the original version of Yahalom to strengthen the protocol and simplify the analysis at the same time [2].

Protocol specification:

A, B, S : principal
Na, Nb : fresh number
Kas, Kbs, Kab : key
A knows : A, B, S, Kas
B knows : B, S, Kbs
S knows : S, A, B, Kas, Kbs

1. A → B : A, Na
2. B → S : B, Nb, {A, Na}Kbs
3. S → A : Nb, {B, Kab, Na}Kas, {A, Kab, Nb}Kbs
4. A → B : {A, Kab, Nb}Kbs, {Nb}Kab

Paul Syverson, the author of A taxonomy of replay attacks [15], found two attacks:

Attack 1:
Session 1:
1. A → B : A, Na
2. B → S : B, Nb, {A, Na}Kbs
5. S → A : Omitted
6. I(A) → B : {A, Na, Nb}Kbs, {Nb}Kab

Session 2:
3. I(A) → B : A, {Na, Nb}
4. B → I(S) : B, Nb, {A, Na, Nb}Kbs

Attack 2:
1. i.1.   A → I(B) : A, Na
2. ii.1.  I(B) → A : B, Na
3. ii.2.  A → I(S) : A, N'a, {B, Na}Kas
4. iii.1. Omitted
5. iii.2. I(A) → S : A, Na, {B, Na}Kas
6. iii.3. S → I(B) : Na, {A, Kab, Na}Kbs, {B, Kab, Na}Kas
7. i.2.   Omitted
8. i.3.   I(S) → A : Ni, {B, Kab, Na}Kas, {A, Kab, Na}Kbs
9. i.4.   A → I(B) : {A, Kab, Na}Kbs, {Ni}Kab

Corrected version:
To prevent these attacks Paulson adds the name B to the third and fourth message.

1. A → B : A, Na
2. B → S : B, Nb, {A, Na}Kbs
3. S → A : Nb, {B, Kab, Na}Kas, {A, B, Kab, Nb}Kbs
4. A → B : {A, B, Kab, Nb}Kbs, {Nb}Kab

This protocol is called Paulson's strengthened version of Yahalom.


3.3 Diffie-Hellman key exchange

This algorithm allows two parties to agree on a key over an insecure communication channel. It was invented by Whitfield Diffie and Martin E. Hellman and is described in New Directions in Cryptography [5]. This protocol was checked by a protocol verifier and claimed to be secure [1].
A, B : principal
p, g, Xa, Xb : number
a, b : secret numbers
s : secret key

1. A → B : p, g
2. A chooses a and calculates Xa = g^a mod p
3. A → B : Xa
4. B chooses b and calculates Xb = g^b mod p
5. B → A : Xb
6. A calculates s = Xb^a mod p
7. B calculates s = Xa^b mod p

Attack:
This protocol is not secure against a man-in-the-middle attack (Fig. 1), because it does not provide authentication: neither party can tell whether the public value it received really came from the other. To secure this protocol against man-in-the-middle attacks it is necessary to use message authentication codes or signatures over the exchanged values.
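The remedy named above, a message authentication code over the exchange, can be shown in a few lines. The following Python is an added example and not code from the paper: it runs the exchange from steps 1 to 7 and then has each party compute an HMAC under a pre-shared key over the whole transcript (p, g, Xa, Xb) as that party saw it. The group parameters are toy-sized for readability (an assumption; real deployments use standardised 2048-bit or larger groups), the pre-shared key is a constructed value, and the `in_transit` parameter is an assumed hook that models what the channel does to a public value between sending and receiving. If the two views of the transcript differ, both MAC checks fail and neither side accepts the derived key.

```python
# Diffie-Hellman with a transcript MAC (added example, not the paper's code).
import hashlib
import hmac
import secrets

# Toy group parameters, assumed for readability only
P = 2 ** 127 - 1
G = 3

# Key both parties already share for the MAC (constructed sample value)
PSK = b"constructed pre-shared MAC key"


def dh_public(secret):
    """X = g^secret mod p (steps 2 and 4)."""
    return pow(G, secret, P)


def dh_shared(their_public, my_secret):
    """s = X^secret mod p (steps 6 and 7), rejecting degenerate public values."""
    if not 1 < their_public < P - 1:
        raise ValueError("public value out of range")
    return pow(their_public, my_secret, P)


def transcript_mac(xa, xb, role):
    """HMAC over the whole transcript (p, g, Xa, Xb) plus the sender's role."""
    data = b"|".join(str(v).encode() for v in (P, G, xa, xb))
    return hmac.new(PSK, role + data, hashlib.sha256).digest()


def run_exchange(in_transit=lambda x: x):
    """Run the exchange. `in_transit` (assumed hook) is applied to each public
    value between sending and receiving; the identity means an untouched channel.
    Returns (A's key, B's key, A accepted, B accepted)."""
    a_secret = secrets.randbelow(P - 2) + 1
    b_secret = secrets.randbelow(P - 2) + 1
    xa, xb = dh_public(a_secret), dh_public(b_secret)

    xa_at_b = in_transit(xa)  # what B receives as Xa (step 3)
    xb_at_a = in_transit(xb)  # what A receives as Xb (step 5)

    # Each side MACs the transcript as it sees it and checks the peer's MAC
    # against its own view; the MACs themselves are assumed to travel unchanged
    tag_a = transcript_mac(xa, xb_at_a, b"A")
    tag_b = transcript_mac(xa_at_b, xb, b"B")
    b_accepts = hmac.compare_digest(tag_a, transcript_mac(xa_at_b, xb, b"A"))
    a_accepts = hmac.compare_digest(tag_b, transcript_mac(xa, xb_at_a, b"B"))

    return (dh_shared(xb_at_a, a_secret), dh_shared(xa_at_b, b_secret),
            a_accepts, b_accepts)
```

A pre-shared MAC key is the simplest way to bind the transcript; with signatures instead of HMAC the same construction works without a shared secret, each party signing the transcript with its own long-term key and the peer verifying against a known public key. Either way the security comes from covering the complete transcript, not just one value.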

4 Multi-Protocol Attacks

The author of Verification of multi-protocol attacks [3] used automated tools to search for multi-protocol attacks. He showed that even protocols that are secure when used in isolation can contain security flaws when they are used together with other protocols in the same environment. He analyzed 30 protocols from the literature and found that 23 are vulnerable to multi-protocol attacks.
The paper demonstrates a 3-protocol attack on Yahalom-Lowe [12], Yahalom BAN [2] and Denning-Sacco [4] (Fig. 2):

Fig. 1. Man-in-the-middle attack on Diffie-Hellman key exchange (taken from Wikipedia, Author: Stefan Birkner)

5 Summary

We reviewed several attacks on security protocols. Most of the attacks were found by hand. Formal methods have some disadvantages: much knowledge is necessary to specify a protocol with formal methods, and it is very easy to make errors or to prove something other than what was wanted. Another disadvantage is that most formal methods assume isolation. But formal methods also have advantages; as an example, the author is required to specify the goals in detail. Another big advantage of formal methods is shown by the 3-protocol attack: computers are good at finding subtle faults that are very hard for humans to find. For me it looks like most of the previously unknown attacks were found by hand, and some time later someone shows that it is also possible to find the attack with formal methods. But the tools are getting better and better, and I think that in future most of the previously unknown attacks will be found by tools.

References
1. Bruno Blanchet (Inria Rocquencourt, Le Chesnay Cedex). An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96. IEEE Computer Society Press, 2001.
2. Michael Burrows, Martin Abadi, and Roger Needham. A logic of authentication. ACM Trans. Comput. Syst., 8:18–36, February 1990.
3. C. J. F. Cremers. Verification of multi-protocol attacks. Pages 1–12, 2004.
4. Dorothy E. Denning and Giovanni Maria Sacco. Timestamps in key distribution protocols. Commun. ACM, 24:533–536, August 1981.
5. Whitfield Diffie and Martin E. Hellman. New directions in cryptography, 1976.

Fig. 2. 3-protocol attack on Yahalom-Lowe, Yahalom BAN and Denning-Sacco (taken from [3])

6. A. Hall. Realising the benefits of formal methods. Journal of Universal Computer Science, 13(5):669–678, 2007.
7. Anthony Hall. Realising the benefits of formal methods. In Kung-Kiu Lau and Richard Banach, editors, Formal Methods and Software Engineering, volume 3785 of Lecture Notes in Computer Science, pages 1–4. Springer Berlin / Heidelberg, 2005. doi:10.1007/11576280_1.
8. Gavin Lowe. An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters, 56(3):131–133, 1995.
9. Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. Software - Concepts and Tools, 17(3):93–102, 1996.
10. Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, pages 147–166, London, UK, 1996. Springer-Verlag.
11. Gavin Lowe. A family of attacks upon authentication protocols. Technical report, 1997.
12. Gavin Lowe. Towards a completeness result for model checking of security protocols. In Journal of Computer Security, pages 96–105. Society Press, 1999.
13. Roger Michael Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Commun. ACM, 21:993–999, December 1978.
14. N. Plat, J. van Katwijk, and H. Toetenel. Application and benefits of formal methods in software development. Software Engineering Journal, 7(5):335–346, September 1992.
15. P. Syverson. A taxonomy of replay attacks [cryptographic protocols]. In Computer Security Foundations Workshop VII, 1994. CSFW 7. Proceedings, pages 187–191, June 1994.
16. John B. Wordsworth. Getting the best from formal methods. Information and Software Technology, 41(14):1027–1032, 1999.
