Revisiting the BAN-Modified Andrew
Secure RPC Protocol 1University
of Portsmouth, Portsmouth, United Kingdom
2Dublin City University, Dublin, Ireland geoff.hamilton@computing.dcu.ie
Abstract We have analysed the well-known BAN modified Andrew
Secure RPC authentication protocol by means of the AVISPA Web tool
considering all the available back-ends and with the basic configurations of
sessions. The protocol has been found vulnerable to a replay/mutation attack
based on homomorphism by one of the back-ends. In order to fix it, we
integrated into the protocol a common solution, including a new addition to
the original protocol and the solution proposed by Liu, Ma and Yang, who
earlier found a man-in-the-middle attack by means of a different model
checker instantiated with different session compositions. When we tested this
solution in AVISPA, under both conditions, we discovered that AVISPA
considers it safe, while it can be demonstrated that it suffers from the same
mutation attack as in the original protocol. Keywords: protocol verification, internet
protocols, static analysis, internet security +: Corresponding author: Benjamin Aziz Web: http://azizb.myweb.port.ac.uk/
Journal of Internet Services and Information Security (JISIS), 4(3): 82-96, August 2014 [pdf] |