15 AUTHENTICATION PROTOCOLS

Two types of authentication protocols are:
o Mutual authentication
o One-way authentication

MUTUAL AUTHENTICATION

Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys. Problems faced by authenticated key exchange are:
o Confidentiality
o Timeliness

Following are examples of replay attacks:
o Simple replay: The opponent simply copies a message and replays it later.
o Repetition that can be logged: An opponent can replay a timestamped message within the valid time window.
o Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives.
o Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.

Countermeasures include:
o Timestamps: Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time. This approach requires that clocks among the various participants be synchronized.
o Challenge/response: Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.

USING SYMMETRIC ENCRYPTION

A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for key distribution. Here, a trusted Key Distribution Center (KDC) is used for the distribution of the session key.

Needham-Schroeder Protocol for Distribution of session key

The purpose of this protocol is to securely distribute a session key Ks to A and B. Secret keys Ka and Kb are shared between A and the KDC, and between the KDC and B, respectively.

1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B: EKb[Ks || IDA]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]

This protocol is vulnerable to a replay attack. Suppose that an opponent X has obtained an old session key that was used by A and B. X can now impersonate A and trick B using the old key by replaying step 3. To overcome this attack, another protocol was proposed by Denning.

Denning Protocol

In this protocol a timestamp T is used that assures A and B that the session key has only just been generated.

1. A→KDC: IDA || IDB
2. KDC→A: EKa[Ks || IDB || T || EKb[Ks || IDA || T]]
3. A→B: EKb[Ks || IDA || T]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]

USING PUBLIC-KEY ENCRYPTION

Protocol 1: Denning AS Protocol

Denning 81 presented the following:

1. A→AS: IDA || IDB
2. AS→A: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T]
3. A→B: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T] || EKUb[EKRas[Ks || T]]

AS is an authentication server which provides the certificate.
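The step 3 replay against the Needham-Schroeder protocol and the effect of Denning's timestamp, both described under USING SYMMETRIC ENCRYPTION, can be traced from B's side with the following added example (not part of the original notes). Encryption is modelled symbolically rather than with a real cipher; the nonce transform f(n) = n + 1, the 5-second window WINDOW and all helper names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    """Symbolic ciphertext EK[...]: fields are readable only with the same key."""
    key: bytes
    fields: tuple

def E(key, *fields):
    return Sealed(key, fields)

def D(key, box):
    if box.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return box.fields

WINDOW = 5  # assumed freshness window in seconds; the page gives no value

def f(n):   # assumed nonce transform; the page only names f(N2)
    return n + 1

def holder_of(Ks):
    """Steps 4-5 as answered by anyone who knows Ks: A, or an opponent X."""
    return lambda challenge: E(Ks, f(D(Ks, challenge)[0]))

def b_handshake(Kb, ticket, peer, now=None):
    """B's side of steps 3-5; returns the accepted session key or None.
    now=None models Needham-Schroeder, a clock value models Denning."""
    fields = D(Kb, ticket)                      # step 3: open EKb[Ks || IDA (|| T)]
    Ks = fields[0]
    if now is not None and (len(fields) < 3 or abs(now - fields[2]) > WINDOW):
        return None                             # stale or missing timestamp T
    n2 = secrets.randbits(64)
    reply = peer(E(Ks, n2))                     # step 4 out, step 5 back
    return Ks if D(Ks, reply) == (f(n2),) else None

def demo():
    Kb, old_Ks = secrets.token_bytes(16), secrets.token_bytes(16)
    ns_ticket = E(Kb, old_Ks, "A")              # constructed: recorded step 3 of an old run
    dn_ticket = E(Kb, old_Ks, "A", 1000)        # same, Denning form, issued at T=1000
    knows_Ks = holder_of(old_Ks)                # A at first; later also X
    return {
        "ns_replay_accepted": b_handshake(Kb, ns_ticket, knows_Ks) == old_Ks,
        "denning_fresh_accepted": b_handshake(Kb, dn_ticket, knows_Ks, now=1002) == old_Ks,
        "denning_replay_rejected": b_handshake(Kb, dn_ticket, knows_Ks, now=90000) is None,
    }

if __name__ == "__main__":
    print(demo())
```

The nonce exchange in steps 4 and 5 only proves that the peer knows Ks, so without T it cannot tell B whether the ticket itself is fresh.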