Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR

  • Gavin Lowe
Regular Sessions Session 4: Security
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1055)


In this paper we analyse the well-known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally, we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size.





Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Gavin Lowe, Oxford University Computing Laboratory, Oxford, UK
