Otway–Rees protocol

The Otway–Rees protocol is a computer network authentication protocol designed for use on insecure networks (e.g. the Internet). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping or replay attacks and allowing for the detection of modification.

The protocol can be specified as follows in security protocol notation, where Alice is authenticating herself to Bob using a server S (M is a session-identifier, NA and NB are nonces):


 * 1) $$A \rightarrow B: M,A,B,\{N_A,M,A,B\}_{K_{AS}}$$
 * 2) $$B \rightarrow S: M,A,B,\{N_A,M,A,B\}_{K_{AS}},\{N_B, M,A,B\}_{K_{BS}}$$
 * 3) $$S \rightarrow B: M,\{N_A,K_{AB}\}_{K_{AS}},\{N_B,K_{AB}\}_{K_{BS}}$$
 * 4) $$B \rightarrow A: M,\{N_A,K_{AB}\}_{K_{AS}}$$

Note: The above steps do not authenticate B to A.

This is one of the protocols analysed by Burrows, Abadi and Needham in the paper that introduced an early version of Burrows–Abadi–Needham logic.

Attacks on the protocol
There are a variety of attacks on this protocol currently published.

Interception attacks
These attacks leave the intruder with the session key and may exclude one of the parties from the conversation.

Boyd and Mao observe that the original description does not require that S check the plaintext A and B to be the same as the A and B in the two ciphertexts. This allows an intruder masquerading as B to intercept the first message, then send the second message to S constructing the second ciphertext using its own key and naming itself in the plaintext. The protocol ends with A sharing a session key with the intruder rather than B.

Gürgens and Peralta describe another attack which they name an arity attack. In this attack the intruder intercepts the second message and replies to B using the two ciphertexts from message 2 in message 3. In the absence of any check to prevent it, M (or perhaps M,A,B) becomes the session key between A and B and is known to the intruder.

Cole describes both the Gürgens and Peralta arity attack and another attack in his book Hackers Beware. In this the intruder intercepts the first message, removes the plaintext A,B and uses that as message 4 omitting messages 2 and 3. This leaves A communicating with the intruder using M (or M,A,B) as the session key.

Disruptive attacks
This attack allows the intruder to disrupt the communication but does not allow the intruder to gain access to it.

One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key $$K_{AB}$$. The intruder then intercepts the fourth message. He resends message 2, which results in S generating a new key $$K'_{AB}$$, subsequently sent to B. The intruder intercepts this message too, but sends to A the part of it that B would have sent to A. So now A has finally received the expected fourth message, but with $$K'_{AB}$$ instead of $$K_{AB}$$.