The Denning Sacco Attack on the NS Scheme

Introduction

Authentication is the need of an hour. Today we need authentication to authenticate that the communications and the message are sent to the right user. 

In this blog, we will learn about the attack on the NS scheme, specially designed for authentication between two users. In this, we will learn about the Denning-Sacco attack, which is the vulnerability of the NS scheme. The attack discussed the issue in the NS scheme.

Denning-Sacco Attack on the NS Scheme

In 1981 Denning and Sacco discovered this attack and named it the Denning-Sacco attack after three years of the proposed Needham-Schroeder scheme. The attack discusses the issue and the replay attack on the NS scheme. 

• The attack states that if the session key gets distributed to a third party in the first three sessions, the other sessions will be disturbed.
   
• This attack resolves this issue by using the timestamp. It states that the One-Two minute is sufficient if all nodes set their clock manually regarding the standard clock.
   
• There are two ways of key distribution. 
   
• The first is the public key used to prevent copying of the key, and the next is the communication key. The timestamps are used to avoid and stop outside attacks on the session.
  
  Alice and Bob's wanted to have a conversation between themselves; for this, they required a session key. The session key was transferred between them in the first three sessions. The session was conducted through TA(trusted authority), and authentication was done. It was performed so that the message was sent to the right user. 

The Needham Schroeder Scheme discusses the thorough discussion of Alice and Bob.  In the first three sessions, there is now an interruption. The interruption is done by oscar. Oscar got the session key when there was a transfer of the key between Alice and Bob. Now he can get the message sent by Bob. This is the replay attack. 

Oscar records the session between Alice and Bob. Oscar records the session S between Alice and Bob, and he obtains the session key K. This attack is called a known session key attack.

As we know that the first three sessions in the NS are the authentication session. In the third step, Oscar sends the session key to Bob using the previously used ticket tBob. 

Now Bob replies to the message sent by Oscar with eK(NB'). Oscar can easily decrypt this message using K and subtract 1 to get the actual message. The following message is sent to bob in the value eK(NB − 1). This is the last session, and Bob decrypts this message and, in the last, accepts it.

Here A represents Alice's Identifier, and B represents Bob's Identifier. K represents the key, and NB represents the nonce.  

In the following sequence, we can easily understand the consequences of this session. Session Bob thinks it is going with Alice without him knowing that the communication is happening between him and Oscar. In the last session S' Bob believes that the new session is created and shared with Alice because, in the ticket tBob , the ID shown is in the name of Alice(IDA). On the other hand, Alice is also unaware that another person is using the Key(K) in the session because she believes that the session S key(K) is destroyed. 

So there are two ways by which this attack has deceived Bob. 

1. The key(K) in session S' is shared, and Bob's peer is unaware of that. 
    
2. The key(K) in the session S' is known to someone other than Bob and his peer.