Revisiting the BAN-modified Andrew Secure RPC protocol

Alberto Gugel, Benjamin Aziz, Geoff Hamilton

Research output: Contribution to journalArticlepeer-review

156 Downloads (Pure)


We have analysed the well-known BAN modified Andrew Secure RPC authentication protocol by means of the AVISPA Web tool considering all the available back-ends and with the basic configurations of sessions. The protocol has been found vulnerable to a replay/mutation attack based on homomorphism by one of the back-ends. In order to fix it, we integrated into the protocol a common solution, including a new addition to the original protocol and the solution proposed by Liu, Ma and Yang, who earlier found a man-in-the-middle attack by means of a different model checker instantiated with different session compositions. When we tested this solution in AVISPA, under both conditions, we discovered that AVISPA considers it safe, while it can be demonstrated that it suffers from the same mutation attack as in the original protocol.
Original languageEnglish
Pages (from-to)82-96
JournalJournal of Internet Services and Information Security
Issue number3
Publication statusPublished - Aug 2014


  • Security Protocols
  • Formal specification
  • Formal Analysis


Dive into the research topics of 'Revisiting the BAN-modified Andrew Secure RPC protocol'. Together they form a unique fingerprint.

Cite this