14. Needham-Schroeder
Protocol
Original third-party key distribution
protocol for session between A and
BmediatedbyKDC
Protocoloverviewis:
1.A->KDC :IDA||IDB||N₁
2.KDC->A :EKa[Ks||IDB||
N₁||EKb[Ks||IDA]]
3.A->B :EKb[Ks||IDA]
4.B->A :EKs[N₂]
5.A->B :EKs[f(N₂)]
17. T is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B
knowthatthekeydistributionisafreshexchange.
AandBcanverifytimelinessbycheckingthat
|ClockT|<Dt₁+Dt₂
where Dt₁ is the estimated normal discrepancy between the KDC's clock and the local clock (at A or B) and
Dt₂istheexpectednetworkdelaytime.
Each node can set its clock against some standard reference source. Because the timestamp T is encrypted
using the secure master keys, an opponent, even with knowledge of an old session key, cannot succeed
becauseareplayofstep3willbedetectedbyBasuntimely.
The Denning protocol provide increased degree of security compared to the Needham/Schroeder protocol
butrequiresrelianceonclocksthataresynchronizedthroughoutthenetwork.
The problem occurs when a sender's clock is ahead of the intended recipient's clock. In this case, an
opponent can intercept a message from the sender and replay it later when the timestamp in the message
becomescurrentattherecipient'ssite.Thisreplay(SupressReplay)couldcauseunexpectedresult
DenningsApproach