The Otway–Rees protocol is a computer network authentication protocol designed for use on insecure networks (e.g. the Internet). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping or replay attacks and allowing for the detection of modification.
The protocol can be specified as follows in security protocol notation, where Alice is authenticating herself to Bob using a server S ($M$ is a session identifier, $N_A$ and $N_B$ are nonces):
1. $A \rightarrow B : M, A, B, \{N_A, M, A, B\}_{K_{AS}}$
2. $B \rightarrow S : M, A, B, \{N_A, M, A, B\}_{K_{AS}}, \{N_B, M, A, B\}_{K_{BS}}$
3. $S \rightarrow B : M, \{N_A, K_{AB}\}_{K_{AS}}, \{N_B, K_{AB}\}_{K_{BS}}$
4. $B \rightarrow A : M, \{N_A, K_{AB}\}_{K_{AS}}$
Note: The above steps do not authenticate B to A.
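The four messages above as a runnable sketch, showing the check each party makes before accepting the session key. This is an added example, not part of the original article: `seal`/`unseal` are a toy authenticated-encryption stand-in for {…}K built from the standard library, and every function name here is hypothetical.

```python
import hashlib, hmac, json, secrets

def seal(key, fields):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC-SHA256); illustration only.
    pt = json.dumps(fields).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    ks = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, ks)))

def server(k, msg2):
    # S: k maps a principal's name to its long-term key (K_AS, K_BS).
    m, a, b, ct_a, ct_b = msg2
    na, *bound_a = unseal(k[a], ct_a)
    nb, *bound_b = unseal(k[b], ct_b)
    if bound_a != [m, a, b] or bound_b != [m, a, b]:
        raise ValueError("encrypted M, A, B do not match the cleartext header")
    kab = secrets.token_hex(16)  # fresh session key K_AB
    return m, seal(k[a], [na, kab]), seal(k[b], [nb, kab])

def accept_key(long_term_key, my_nonce, ct):
    # A or B: accept K_AB only if the server echoed the nonce sent in this run.
    nonce, kab = unseal(long_term_key, ct)
    if nonce != my_nonce:
        raise ValueError("nonce mismatch: not a reply to this run")
    return kab

def run(k):
    m, na, nb = (secrets.token_hex(8) for _ in range(3))
    msg1 = (m, "A", "B", seal(k["A"], [na, m, "A", "B"]))   # 1. A -> B
    msg2 = (*msg1, seal(k["B"], [nb, m, "A", "B"]))         # 2. B -> S
    msg3 = server(k, msg2)                                  # 3. S -> B
    kab_b = accept_key(k["B"], nb, msg3[2])
    msg4 = msg3[:2]                                         # 4. B -> A
    kab_a = accept_key(k["A"], na, msg4[1])
    return {"kab_a": kab_a, "kab_b": kab_b, "na": na, "msg2": msg2, "msg4": msg4}
```
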
Attacks on the protocol
A variety of attacks on this protocol have been published.
One problem with this protocol is that a malicious intruder can arrange for A and B to end up with different keys. Here is how: after A and B execute the first three messages, B has received the key
Another problem is that although the server tells B that A used a nonce, B doesn't know if this was a replay of an old message. Specifically, an intruder could discover an older nonce. The older nonce could be reused to authenticate against B.