Otway-Rees Protocol
The protocol specification in "Alice-Bob" notation is as follows.
- A -> B : M , A,B , E(Kas:Na,M,A,B)
- B -> S : M , A , B , E(Kas:Na,M,A,B) , E(Kbs:Nb,M,A,B)
- S ->B : M,E(Kas:Na,Kab),E(Kbs:Nb,Kab)
- B -> A : M,E(Kas:Na,Kab)
For this protocol we considered the following executions:
- A regular execution of the protocol (denoted by attack-state(0)).
- An execution in which the intruder finds out the Session key generated by the server (denoted by attack-state(2)).
After the analysis of this protocol in Maude-NPA, the tool found an initial state corresponding to attack-state(0), which shows an attack in which the intruder impersonates the server and, thus, the protocol is insecure. The specification of this attack in "Alice-Bob" notation is as follows:
- A -> B : Na' , A , B , E(Kas:Na,Na',A,B)
- B -> Z(S) : Na', A, B , E(Kbs,Na,Na',A,B), E(Kbs,Nb,Na',A,B)
- Z(S) -> B : Na' , E(Kas,Na,Kab) , E(Kbs,Nb,Kab)
- B -> A : Na' , E(Kas,Na,Kab)
Maude-NPA also found an initial state for attack-state(2) and, therefore, the protocol is insecure. The specification of the attack in "Alice-Bob" notation is as follows:
- A -> B Z(B) : Na',A,B,E(Kas:Na,Na',A,B)
- Z(B) -> Z(S) : Na' , A , B , E(Kbs,Na,Na',A,B) , E(Kbs,Nb,Na',A,B)
- Z(S) -> Z(B) : Na' , E(Kas,Na,Kab) , E(Kbs,Nb,Kab)
- Z(B) -> Z(S) : E(Kas,Na,Kab) , E(Kbs,Nb,Kab)
- Z(S) -> Z(B) : E(Kas,Na,Kab),
- Z(S) -> Z(B) : Na'
- Z(B) -> A : Na' , E(Kas,Na,Kab)
To download the complete protocol specification in Maude-NPA syntax and the outputs, click HERE