Otway Rees Protocol


Improved Otway Rees Protocol and Its Formal Verification
Li Chen 1,2
1. Computer Centre, Henan University of Finance and Economics,
Zhengzhou, Henan 450002, China
2. Department of Network Engineering, Information Engineering University,
Zhengzhou, Henan 450002, China

Research supported by the Key Technologies R&D Program of Henan Province of China (No. 0524220044, 0624260017, 072102210029)

978-1-4244-2064-3/08/$25.00 ©2008 IEEE

Authorized licensed use limited to: Manchester Metropolitan University. Downloaded on November 30,2020 at 15:01:23 UTC from IEEE Xplore. Restrictions apply.

Abstract- Authentication protocol is applied to implement the identity authentication of two communicating entities and build secure communication tunnel through exchanging keys. The paper analyzes the security properties of the original Otway Rees protocol and its existing improved version, and finds that the protocol cannot meet the authentication goals. The paper proposes a novel improved protocol, which eliminates redundancy in the Otway Rees protocol messages and removes the limitation that the Otway Rees protocol cannot resist impersonation attack, by modifying message format and adding a handshake message. The paper also verifies the security of the improved Otway Rees protocol by utilizing formal method. The analysis results show that the protocol satisfies the strong goals of identity authentication and key distribution.

I. INTRODUCTION

With the explosion of the Internet, electronic transactions have become more and more common. However, the transactions' security is crucial to many applications, e.g. electronic commerce, digital contract signing, electronic voting, and so on. While issues such as confidentiality, authentication, access control, etc. have been studied intensively, most interest in authentication protocol has only come in recent years.

Authentication protocols are not only used to implement the identity authentication of two communicating entities, but also used to build a secure tunnel through exchanging keys between two communicating entities. In fact, many authentication protocols, such as Otway Rees protocol [1], Kerberos protocol [2] and Internet Key Exchange protocol (IKE) [3], are all designed to meet both of the above requirements. However, it is very difficult to design protocols meeting the above requirements because the potential security vulnerabilities are covert. For example, References [4-5] found that the Otway Rees protocol could not resist impersonation attack, etc.

Formal methods have been widely used to verify the security of authentication protocols in recent years. Many significant results have been achieved in the area since formal methods began to be applied to cryptographic protocol security analysis. The SVO logic [6,7] used for authentication protocol analysis is a many-sorted modal logic, which captures the desirable properties of BAN-like logics, such as BAN logic [8], GNY logic [9], AT logic [10] and VO logic [11]. It not only has better linguistic expressibility and logical derivability, but is also easily extended and has more sound semantics than BAN-like logic.

In the paper, we employ the SVO logic to verify the security of the Otway Rees protocol and propose a new improved protocol.

The rest of the paper is organized as follows. In the next section we present the Otway Rees protocol and analyze the security of the protocol. In section 3, the improved Otway Rees protocol is proposed and verified by using the SVO logic. Section 4 concludes the paper.

II. THE OTWAY REES PROTOCOL AND ITS ANALYSIS

2.1. Otway Rees Protocol

The Otway Rees protocol is a key distribution protocol and also guarantees authentication. It assumes a shared-key cryptosystem, in which each participant shares a master key with a trusted party, the Key Distribution Server. The Otway Rees protocol is described as follows.

(1) A → B : M, A, B, [N_A, M, A, B]K_AS
(2) B → S : M, A, B, [N_A, M, A, B]K_AS, [N_B, M, A, B]K_BS
(3) S → B : M, [N_A, K_AB]K_AS, [N_B, K_AB]K_BS
(4) B → A : M, [N_A, K_AB]K_AS

Fig. 1. The Otway Rees protocol

In the Otway Rees protocol, initially, the protocol initiator A and the other participant B share keys K_AS and K_BS with the server S respectively. A first sends to B message M, her own identifier A, B's identifier B and an encrypted chunk [N_A, M, A, B]K_AS, where N_A is A's nonce. In the second message, Bob sends to the server S message M, A's identifier A, his own identifier B and two encrypted chunks [N_A, M, A, B]K_AS, [N_B, M, A, B]K_BS, where N_B is B's nonce. In the third message, the server S sends to B message M and two encrypted chunks [N_A, K_AB]K_AS, [N_B, K_AB]K_BS, where the first encrypted part is intended for A. The second encrypted part tells B that K_AB is a good session key for communicating with A. In the fourth message, B sends message M and the encrypted part [N_A, K_AB]K_AS to A. A decrypts the encrypted part in the message to get K_AB.

The nonces N_A and N_B in the protocol are fresh quantities which have never been used before for their intended purpose.

The aim of the Otway Rees protocol is to enable every two agents to agree on a session key - key distribution - to be used to ensure the secrecy of the subsequent communication. It also guarantees each party that the other one has been involved in the current run - authentication.

2.2. Security Analysis of Otway Rees Protocol

C Boyd and W Mao [4] analyzed the security of the Otway Rees protocol. They found that the protocol could not resist the following impersonation attack.

(1) : M, A, B, [N_A, M, A, B]K_AS
(2) : M, A, C, [N_A, M, A, B]K_AS, [N_P, M, A, B]K_PS
(3) P(B) : M, [N_A, K_AB]K_AS, [N_P, K_AB]K_BS
(4) : M, [N_A, K_AB]K_AS

The above attack could succeed if S did not carefully check every message. For example, after he decrypted the two encrypted chunks [N_A, M, A, B]K_AS, [N_B, M, A, B]K_BS, he only checked whether the two parts (M, A, B) in them are the same, but did not compare the two parts with the plaintext (M, A, B). In the above attack, the attacker P impersonated B successfully and got the session key for communicating with A.

Reference [4] also gave an improved version of the Otway Rees protocol. It was described as follows.

(1) : M, A, B, [N_A, M, A, B]K_AS
(2) : M, A, B, [M, A, B, N_A]K_AS, [M, A, B, N_B]K_BS
(3) : M, [A, N_A, K_AB]K_AS, [B, N_B, K_AB]K_BS
(4) : M, [A, N_A, K_AB]K_AS

However, the authentication goals of the Otway Rees protocol cannot be achieved because both A and B do not believe that the other side participates in the communication.

III. VERIFICATION OF THE IMPROVED OTWAY REES PROTOCOL

In this section, we propose an improved Otway Rees protocol (IORP), and then verify the security of the protocol by utilizing the SVO logic.

3.1. Improved Otway Rees Protocol

According to the analyses in section 2.2, we propose an improved Otway Rees protocol (IORP). The IORP protocol is described as follows.

(1) : M, A, [N_A, M, B]K_AS
(2) : M, A, B, [N_A, M, B]K_AS, [N_B, M, A]K_BS
(3) : M, [N_A, B, K_AB]K_AS, [N_B, A, K_AB]K_BS
(4) : M, [N_A, B, K_AB]K_AS, [N_B, B]K_AB
(5) : M, [N_B-1, A]K_AB

In the IORP protocol, first, we modify the format of the messages (1) and (2) to eliminate the redundancy. Next, in order to resist impersonation attack, we add the identifier B to the first encrypted chunk, and add the identifier A to both the second encrypted chunk in the third message and the first encrypted chunk in the fourth message. The third improvement is that the encrypted chunk [N_B, B]K_AB is added to the fourth message. In addition, we also add the fifth message (5) to resist impersonation attack. B may acknowledge that A has obtained the good session key K_AB through the final handshake message.

Fig. 2. The improved Otway Rees protocol

3.2. SVO Logic

The SVO logic is a modal logic, which includes two inference rules and twenty axioms. Here we only describe the inference rules, axioms and definitions to be used in our verification later. Readers are referred to [6] for a complete set of the SVO logic axioms.

1) Inference Rules
Modus Ponens (MP): From φ and φ ψ infer ψ
Necessitation (Nec): From infer P believes φ

The SVO logic defines two formal languages, one for messages and one for formulae. Only formulae can be true or false or have a principal's belief attributed to them. In the above inference rules, φ and ψ are formulae, and P is a principal. means that φ is a theorem, i.e. derivable from axioms alone.

2) SVO Logic Axioms
(1) believing axiom
A1 P believes φ ∧ P believes (φ ψ) (P believes ψ)
(2) source associations axiom
A3 (P Q ∧ R received {X^Q}K) (Q said X ∧ Q has K)
(3) Receiving axioms
A7 P received (X1, ..., Xn) P received Xi
(4) Seeing axiom
A10 P received X P has X
(5) Saying axiom
A14 P said (X1, ..., Xn) P said Xi ∧ P has Xi
(6) Jurisdiction axioms

A16 φ
(7) Freshness axiom
A17 fresh fresh(X1, ..., Xn)
(8) Nonce-verification axiom
A19 (fresh(X) ∧ P said X) P says X

3) SVO Logic Definitions
P Q : K is a good key for P and Q regardless of whether either of them knows it.

In addition, a common consequence can be inferred from axiom A1 and rule MP.
A1+MP P believes φ ∧ P believes (φ ψ) (P believes ψ)

Because A0 cannot be deduced from other axioms and must be used in the analysis process later, we also need to add the believing axiom A0 to the SVO logic.
A0 (P believes φ ∧ P believes ψ) equivalent (P believes φ ∧ ψ)

3.3. Security Verification of the IORP Protocol

Now we verify the security of the improved Otway Rees protocol by utilizing the SVO logic. In every step of the analysis process, we give the inference result, and then give the inference rules, axioms, definitions, assumptions and formulae which are required when we infer the result.

1) IORP Goals
G1 A believes A (K_AB) B
G2 A believes fresh(K_AB)
G3 A believes B believes A (K_AB) B
G4 A believes B believes fresh(K_AB)
G5 B believes A (K_AB) B
G6 B believes fresh(K_AB)
G7 B believes A believes A (K_AB) B
G8 B believes A believes fresh(K_AB)

2) IORP Initial Assumptions
P1 A believes A (K_AS) S
P2 B believes B (K_BS) S
P3 A believes S controls A B
P4 B believes S controls A B
P5 A believes S controls fresh(A (K_AB) B)
P6 B believes S controls fresh(A (K_AB) B)
P7 A believes fresh(N_A)
P8 B believes fresh(N_B)

3) IORP Received Message Assumptions
P9 B received (M, A, [N_A, B, M]K_AS)
P10 S received (M, A, B, [N_A, M, B]K_AS, [N_B, M, A]K_BS)
P11 B received (M, [N_A, B, K_AB]K_AS, [N_B, A, K_AB]K_BS)
P12 A received (M, [N_A, B, K_AB]K_AS, [N_B, B]K_AB)
P13 B received (M, [N_B-1, A]K_AB)

4) IORP Comprehension Assumptions
P14 B believes B received (M, A, <[N_A, M, B]K_AS>*B)
P15 S believes S received (M, A, B, <[N_A, M, B]K_AS, [N_B, M, A]K_BS>*S)
P16 B believes B received (M, <[N_A, B, K_AB]K_AS>*B, [N_B, A, <K_AB>*B]K_BS)
P17 A believes A received (M, [N_A, B, <K_AB>*A]K_AS, [N_B, B]<K_AB>*A)
P18 B believes B received (M, [N_B-1, A]<K_AB>*B)

5) IORP Interpretation Assumptions
P19 B believes B received (M, <[N_A, B, K_AB]K_AS>*B, [N_B, A, <K_AB>*B]K_BS)
    B believes B received (M, <[N_A, B, K_AB]K_AS>*B, [N_B, A, A (<K_AB>*B) B]K_BS)
P20 A believes A received (M, [N_A, B, <K_AB>*A]K_AS, [N_B, B]<K_AB>*A)
    A believes A received (M, [N_A, B, A (<K_AB>*A) B, fresh(<K_AB>*A)]K_AS, [N_B, B]<K_AB>*A)
P21 A believes A received ([N_B, B]<K_AB>*A) ∧ (A believes A (<K_AB>*A) B)
    A believes A received ([<N_B>*A, B, A (<K_AB>*A) B]<K_AB>*A)
P22 B believes B received ([N_B-1, A]<K_AB>*B) ∧ (B believes A (<K_AB>*B) B)
    B believes B received ([N_B-1, A, A (<K_AB>*B) B]<K_AB>*B)

6) IORP Derivation for A
(1) A believes A received (M, [N_A, B, A (<K_AB>*A) B, fresh(<K_AB>*A)]K_AS, [N_B, B]<K_AB>*A)
    By A0, MP, P17, P20
(2) A believes A received (M, [N_A, B, A (<K_AB>*A) B, fresh(<K_AB>*A)]K_AS)
    By A1+MP, A7, (1)
(3) A believes S said (M, [N_A, B, A (<K_AB>*A) B, fresh(<K_AB>*A)])
    By A0, A3, P1, (2)
(4) A believes S says (M, [N_A, B, A (<K_AB>*A) B, fresh(<K_AB>*A)])
    By A0, A17, A19, P5, P7, (3)
(5) A believes A (<K_AB>*A) B
    By A0, A14, A16, P3, (4)
(6) A believes fresh(<K_AB>*A)
    By A0, A17, A19, P5, P7, (4)
(7) A believes A received ([N_B, B]<K_AB>*A)
    By A1+MP, A7, (1)
(8) A believes A received ([<N_B>*A, B, A (<K_AB>*A) B]<K_AB>*A)
    By A1+MP, P21, (5), (7)
(9) A believes B said ([<N_B>*A, B, A (<K_AB>*A) B])
    By A0, A3, P21, (5), (8)
(10) A believes B has <K_AB>*A
    By A0, A1+MP, A3, P21, (5)
(11) A believes B says ([<N_B>*A, B, A (<K_AB>*A) B])

    By A0, A17, A19, (9), (10)
(12) A believes B believes A (<K_AB>*A) B
    By A0, A14, A16, (11)
(13) A believes B believes fresh(<K_AB>*A)
    By A0, A17, A19, P7, (11)

On the basis of the above analyses, we can conclude that the Otway Rees protocol satisfies the authentication goals for A.

7) IORP Derivation for B
(1) B believes B received (M, <[N_A, B, K_AB]K_AS>*B, [N_B, A, A (<K_AB>*B) B]K_BS)
    By A0, MP, P16, P19
(2) B believes B received ([N_B, A, A (<K_AB>*B) B]K_BS)
    By A0, A1+MP, A7, (1)
(3) B believes S said (N_B, A, A (<K_AB>*B) B)
    By A0, A3, P2, (2)
(4) B believes S says (N_B, A, A (<K_AB>*B) B)
    By A0, A17, A19, P6, P8, (3)
(5) B believes A (<K_AB>*B) B
    By A0, A14, A16, P4, (4)
(6) B believes fresh(<K_AB>*B)
    By A0, A17, A19, P6, and (4)
(7) B believes B received ([N_B-1, A]<K_AB>*B)
    By A0, A1+MP, A7, P18
(8) B believes B received ([N_B-1, A, A (<K_AB>*B) B]<K_AB>*B)
    By A1+MP, P22, (5), (7)
(9) B believes A said (N_B-1, A, A ( ) B)
    By A0, A3, (5), (8)
(10) B believes A says (N_B-1, A, A (<K_AB>*B) B)
    By A0, A17, A19, (8), (9)
(11) B believes A believes A (<K_AB>*B) B
    By A0, A14, A16, (10)
(12) B believes A believes fresh(<K_AB>*B)
    By A0, A17, A19, P8, (10)

The above analyses show that the improved Otway Rees protocol meets the strong authentication goals.

IV. CONCLUSION

With the phenomenal growth of the Internet and open networks in general, security services, such as identity authentication and key distribution, become crucial to many applications. Authentication protocols are the important security protocols, and their security must be analyzed strictly by using the formal methods. The SVO logic is an efficient formal method for analyzing authentication protocols. The paper analyzes the security of the Otway Rees protocol. In addition, an improved protocol is proposed and its objective and security are formally verified.

REFERENCES

[1] D. Otway, O. Rees. "Efficient and timely mutual authentication". Operating Systems Review, 1987, 21(1): 8-10.
[2] JT Kohl, BC Neuman. "The Kerberos Network Authentication Service". RFC 1510, 1993.
[3] D Harkins, D Carrel. "The Internet Key Exchange (IKE)". RFC 2409, 1998.
[4] C. Boyd, W. Mao. "Limitations of Logical Analysis of Cryptographic Protocols". EUROCRYPT '93.
[5] M. Abadi, R. Needham. "Prudent engineering practice for cryptographic protocols". Proceedings of 1994 IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1994, pp. 122-136.
[6] F Paul. Syverson, C Paul. van Oorschot. "On Unifying Some Cryptographic Protocol Logics". Proceedings of the IEEE Computer Society Symposium in Security and Privacy in Los Alamitos, 1994, pp. 14-28.
[7] 1. Wen, M. Zhang, X. Li. "The study on the application of SVO logic in formal analysis of authentication protocols". Proceedings of the 7th international conference on Electronic commerce, 2005, Vol. 113, pp. 744-747.
[8] M. Burrows, M. Abadi, R. Needham. "A logic of authentication". ACM Transactions on Computer Systems (TOCS), 1990, vol. 8, no. 1, pp. 18-36.
[9] L Gong, R Needham, R Otway Rees. "Reasoning about belief in cryptographic protocols". In: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. Los Alamitos: IEEE Computer Society Press, 1990, pp. 234-248.
[10] M Abadi, MR Tuttle. "A semantics for a logic of authentication". In: Proceedings of the 10th ACM Symposium on Principles of Distributed Computing. ACM Press, 1991, pp. 201-216.
[11] PC Van Oorschot. "Extending cryptographic logics of belief to key agreement protocols". In: Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM Press, 1993, pp. 233-243.
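
Added example (not part of the paper): the server-side check that Section 2.2 says S must perform on message (2), modelled in Python with the lax and the strict variant side by side. The names KEYS, seal, unseal, server_accepts and build_msg2 are hypothetical, the keys and messages are constructed, and an HMAC-tagged JSON body stands in for the encrypted chunks [...]K (it models integrity only).

```python
import hashlib
import hmac
import json

# Constructed long-term keys shared with S. "P" is the third party of the
# Section 2.2 attack (an assumption: one name for the page's C and P).
KEYS = {"A": b"key-A-S", "B": b"key-B-S", "P": b"key-P-S"}


def seal(key, fields):
    """Stand-in for [fields]K: JSON body plus an HMAC tag (integrity only)."""
    body = json.dumps(fields).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, chunk):
    """Return the fields if the tag verifies under key, else None."""
    body, tag = chunk
    good = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None


def server_accepts(msg2, strict):
    """S's handling of message (2): M, X, Y, chunk_X, chunk_Y."""
    m, x, y, chunk_x, chunk_y = msg2
    if x not in KEYS or y not in KEYS:
        return False
    # S picks the keys from the plaintext identifiers.
    in_x, in_y = unseal(KEYS[x], chunk_x), unseal(KEYS[y], chunk_y)
    if in_x is None or in_y is None:
        return False
    # Weak check: the (M, A, B) parts inside the two chunks agree.
    if in_x[1:] != in_y[1:]:
        return False
    # Strict check: they must also equal the plaintext (M, X, Y).
    return in_x[1:] == [m, x, y] if strict else True


def build_msg2(m, plain_y, signer_y, inner_y):
    """Message (2) from A's chunk naming (A, B) plus a chunk made by signer_y."""
    chunk_a = seal(KEYS["A"], ["NA", m, "A", "B"])
    chunk_y = seal(KEYS[signer_y], ["NY", m, "A", inner_y])
    return (m, "A", plain_y, chunk_a, chunk_y)


HONEST = build_msg2("M1", plain_y="B", signer_y="B", inner_y="B")
# Plaintext names P while both sealed chunks name B (the Section 2.2 mismatch).
MISMATCH = build_msg2("M1", plain_y="P", signer_y="P", inner_y="B")
```

With strict=False the server accepts MISMATCH and would go on to issue K_AB under the third party's key; with strict=True the same request is rejected while HONEST still passes.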
