Volume 4 - Issue 3
Revisiting the BAN-Modified Andrew Secure RPC Protocol
- Alberto Gugel
University of Portsmouth, Portsmouth, United Kingdom
alberto.gugel@port.ac.uk
- Benjamin Aziz
University of Portsmouth, Portsmouth, United Kingdom
benjamin.aziz@port.ac.uk
- Geoff Hamilton
Dublin City University, Dublin, Ireland
geoff.hamilton@computing.dcu.ie
Keywords: protocol verification, internet protocols, static analysis, internet security
Abstract
We have analysed the well-known BAN modified Andrew Secure RPC authentication protocol by
means of the AVISPA Web tool considering all the available back-ends and with the basic configurations
of sessions. The protocol has been found vulnerable to a replay/mutation attack based on
homomorphism by one of the back-ends. In order to fix it, we integrated into the protocol a common
solution, including a new addition to the original protocol and the solution proposed by Liu, Ma
and Yang, who earlier found a man-in-the-middle attack by means of a different model checker instantiated
with different session compositions. When we tested this solution in AVISPA, under both
conditions, we discovered that AVISPA considers it safe, while it can be demonstrated that it suffers
from the same mutation attack as in the original protocol.