Revisiting the BAN-Modified Andrew Secure RPC Protocol – Journal of Internet Services and Information Security

Volume 4 - Issue 3

Revisiting the BAN-Modified Andrew Secure RPC Protocol

Alberto Gugel University of Portsmouth, Portsmouth, United Kingdom
alberto.gugel@port.ac.uk
Benjamin Aziz University of Portsmouth, Portsmouth, United Kingdom
benjamin.aziz@port.ac.uk
Geoff Hamilton Dublin City University, Dublin, Ireland
geoff.hamilton@computing.dcu.ie

DOI: 10.22667/JISIS.2014.08.31.082

Keywords: protocol verification, internet protocols, static analysis, internet security

Abstract

We have analysed the well-known BAN modified Andrew Secure RPC authentication protocol by means of the AVISPA Web tool considering all the available back-ends and with the basic configurations of sessions. The protocol has been found vulnerable to a replay/mutation attack based on homomorphism by one of the back-ends. In order to fix it, we integrated into the protocol a common solution, including a new addition to the original protocol and the solution proposed by Liu, Ma and Yang, who earlier found a man-in-the-middle attack by means of a different model checker instantiated with different session compositions. When we tested this solution in AVISPA, under both conditions, we discovered that AVISPA considers it safe, while it can be demonstrated that it suffers from the same mutation attack as in the original protocol.

Date

August 2014

Page Number

82-96