On key distribution protocols for repeated authentication

Abstract

In [KSL92], Kehne et al. present a protocol (KSL) for key distribution. Their protocol allows for repeated authentication by means of a ticket. They also give a proof in BAN logic [BAN89] that the protocol provides the principals with a reasonable degree of trust in the authentication and key distribution. They present an optimality result that their protocol contains a minimal number of messages. Nonetheless, in [NS93] Neuman and Stubblebine present a protocol (NS) as an explicit alternative to KSL that requires one less message in the initial authentication and key distribution. One goal of this paper is to examine some of the reasons for this discrepancy. Another goal is to demonstrate possible attacks on NS. Like any attacks on cryptographic protocols, these depend on assumptions about implementation details. But, when possible they are serious: a penetrator can initiate the protocol, masquerade as another principal, obtain the session key, and even generate the session key herself. ¹ We will set out implementation assumptions required for the attacks to take place and implementation assumptions that preclude such an attack. We will also look at other protocols, including one that is not subject to this form of attack and has the same number of messages as NS. Finally, we will briefly discuss the logical analysis of these repeat authentication protocols.