Woo–Lam


In cryptography, Woo–Lam refers to a family of computer network authentication protocols designed by Simon S. Lam and Thomas Woo.[1][2] The protocols let two communicating parties authenticate each other and establish a shared session key, relying on a trusted key distribution center (KDC) that vouches for the parties' public keys and chooses the session key. Both symmetric-key and public-key variants have been described. However, the protocols have been found to contain security flaws, and some of them have been described as inefficient compared to alternative authentication protocols.[3]

Public-key protocol

Notation

The following notation is used to describe the algorithm:

[math]\displaystyle{ A,B }[/math] - network nodes.
[math]\displaystyle{ KU_x }[/math] - public key of node [math]\displaystyle{ x }[/math].
[math]\displaystyle{ KR_x }[/math] - private key of [math]\displaystyle{ x }[/math].
[math]\displaystyle{ N_x }[/math] - nonce chosen by [math]\displaystyle{ x }[/math].
[math]\displaystyle{ ID_x }[/math] - unique identifier of [math]\displaystyle{ x }[/math].
[math]\displaystyle{ E_k }[/math] - public-key encryption using key [math]\displaystyle{ k }[/math].
[math]\displaystyle{ S_k }[/math] - digital signature using key [math]\displaystyle{ k }[/math].
[math]\displaystyle{ K }[/math] - random session key chosen by the KDC.
[math]\displaystyle{ || }[/math] - concatenation.

It is assumed that all parties know the KDC's public key, and that the KDC holds an authentic copy of every node's public key, which it certifies on request (messages 2 and 5 below).

Message exchange

[math]\displaystyle{ 1) A \rightarrow KDC : ID_A || ID_B }[/math]
[math]\displaystyle{ 2) KDC \rightarrow A : S_{KR_{KDC}}[ID_B||KU_B] }[/math]
[math]\displaystyle{ 3) A \rightarrow B : E_{KU_B}[N_A||ID_A] }[/math]
[math]\displaystyle{ 4) B \rightarrow KDC: ID_B||ID_A||E_{KU_{KDC}}[N_A] }[/math]
[math]\displaystyle{ 5) KDC \rightarrow B : S_{KR_{KDC}}[ID_A||KU_A]||E_{KU_B}[S_{KR_{KDC}}[N_A||K||ID_B||ID_A]] }[/math]
[math]\displaystyle{ 6) B \rightarrow A : E_{KU_A}[S_{KR_{KDC}}[N_A || K || ID_B || ID_A] || N_B] }[/math]
[math]\displaystyle{ 7) A \rightarrow B : E_{K}[N_B] }[/math]

The original version of the protocol[4] omitted the identifier [math]\displaystyle{ ID_A }[/math] from the signed token in messages 5 and 6, so the token bound the session key only to [math]\displaystyle{ N_A }[/math] and [math]\displaystyle{ ID_B }[/math]. This did not account for the fact that [math]\displaystyle{ N_A }[/math] is unique only among the nonces generated by A: it is not guaranteed to be distinct from nonces chosen by other parties, so nothing in the token named A as the party for whom [math]\displaystyle{ K }[/math] was issued. The authors spotted the flaw themselves and revised the protocol to include [math]\displaystyle{ ID_A }[/math], so that each recipient can check that the token carries its own nonce and names both intended parties before accepting [math]\displaystyle{ K }[/math].[1][3]
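As an added illustration of the exchange above (example code written for this page, not code from Woo and Lam or from any of the cited books), the following Go program runs all seven messages between A, B and the KDC inside one process and applies the checks the revised protocol depends on: a signed certificate is accepted only if it names the node that was asked about, and the token [math]\displaystyle{ S_{KR_{KDC}}[N_A||K||ID_B||ID_A] }[/math] is accepted only if it carries the receiver's own nonce and both expected identifiers. Everything the page leaves open is an assumption of this example: [math]\displaystyle{ E_k }[/math] is RSA-OAEP, [math]\displaystyle{ S_k }[/math] is Ed25519 with the signature appended to the message, [math]\displaystyle{ E_K }[/math] is AES-256-GCM, "||" is concatenation of fixed-width fields (8-byte identifiers, 16-byte nonces, a 32-byte [math]\displaystyle{ K }[/math]), the KDC signs with a key separate from the one it decrypts with, and the node names "alice" and "bob" are made up. Any failed check panics, which stands in for aborting the run.

```go
// Added example (not code from Woo and Lam or from the cited books): one run of the
// public-key protocol with Go's standard library. Assumed: E_k is RSA-OAEP, S_k is
// m || Ed25519(m), E_K is AES-256-GCM, "||" is fixed-width concatenation; a failed check panics.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

const idLen, nLen, kLen = 8, 16, 32 // widths of ID_x, N_x and K, so "||" is plain concatenation
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func id(name string) []byte      { return cat([]byte(name), make([]byte, idLen))[:idLen] } // padded ID_x
func newRSA() *rsa.PrivateKey    { return must(rsa.GenerateKey(rand.Reader, 2048)) }     // (KU_x, KR_x)
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // E_K
// E_k and its inverse as RSA-OAEP; S_k as m || Ed25519(m), which verify releases only if valid.
func enc(pub *rsa.PublicKey, m []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)) }
func dec(priv *rsa.PrivateKey, c []byte) []byte { return must(rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)) }
func sign(sk ed25519.PrivateKey, m []byte) []byte { return cat(m, ed25519.Sign(sk, m)) }
func verify(pk ed25519.PublicKey, blob []byte) []byte {
	n := len(blob) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pk, blob[:n], blob[n:]) {
		panic("bad KDC signature")
	}
	return blob[:n]
}

// checkCert accepts S_KDC[ID_x || KU_x] only if it names the node the receiver asked about.
func checkCert(pk ed25519.PublicKey, cert, wantID []byte) *rsa.PublicKey {
	m := verify(pk, cert)
	if len(m) < idLen || !bytes.Equal(m[:idLen], wantID) {
		panic("certificate names another node")
	}
	return must(x509.ParsePKCS1PublicKey(m[idLen:]))
}
// verifyToken is the receiver's check on S_KDC[N_A || K || ID_B || ID_A] in messages 5 and
// 6: K is released only if the nonce and both identities are exactly the ones expected.
func verifyToken(pk ed25519.PublicKey, token, nA, idB, idA []byte) ([]byte, error) {
	m := verify(pk, token)
	if len(m) != nLen+kLen+2*idLen || !bytes.Equal(m[:nLen], nA) ||
		!bytes.Equal(m[nLen+kLen:nLen+kLen+idLen], idB) || !bytes.Equal(m[nLen+kLen+idLen:], idA) {
		return nil, fmt.Errorf("token does not bind the expected N_A, ID_B and ID_A")
	}
	return m[nLen : nLen+kLen], nil
}
// run drives messages 1-7 between A and B and returns the session key each side accepted.
func run() (kA, kB []byte) {
	idA, idB, krA, krB, krKDC := id("alice"), id("bob"), newRSA(), newRSA(), newRSA()
	kdcSig := ed25519.NewKeyFromSeed(random(ed25519.SeedSize)) // KDC signing key, separate from krKDC
	kdcPub := kdcSig.Public().(ed25519.PublicKey)
	directory := map[string]*rsa.PublicKey{string(idA): &krA.PublicKey, string(idB): &krB.PublicKey}
	cert := func(x []byte) []byte { return sign(kdcSig, cat(x, x509.MarshalPKCS1PublicKey(directory[string(x)]))) }
	// 1) A -> KDC: ID_A || ID_B   2) KDC -> A: S_KDC[ID_B || KU_B]
	kuB := checkCert(kdcPub, cert(idB), idB)
	// 3) A -> B: E_KU_B[N_A || ID_A]; B learns N_A and the claimed ID_A
	nA := random(nLen)
	m3 := dec(krB, enc(kuB, cat(nA, idA)))
	bNA, claimedA := m3[:nLen], m3[nLen:]
	// 4) B -> KDC: ID_B || ID_A || E_KU_KDC[N_A]
	m4 := cat(idB, claimedA, enc(&krKDC.PublicKey, bNA))
	// 5) KDC -> B: S_KDC[ID_A || KU_A] || E_KU_B[S_KDC[N_A || K || ID_B || ID_A]]
	K, reqB, reqA := random(kLen), m4[:idLen], m4[idLen:2*idLen]
	m5 := cat(cert(reqA), enc(directory[string(reqB)], sign(kdcSig, cat(dec(krKDC, m4[2*idLen:]), K, reqB, reqA))))
	n := len(m5) - krB.Size() // the OAEP ciphertext is exactly one modulus long
	kuA, tokB := checkCert(kdcPub, m5[:n], claimedA), dec(krB, m5[n:])
	kB = must(verifyToken(kdcPub, tokB, bNA, idB, claimedA))
	// 6) B -> A: E_KU_A[S_KDC[N_A || K || ID_B || ID_A] || N_B]
	nB := random(nLen)
	m6 := dec(krA, enc(kuA, cat(tokB, nB)))
	kA = must(verifyToken(kdcPub, m6[:len(m6)-nLen], nA, idB, idA))
	// 7) A -> B: E_K[N_B]; B accepts K only if its own nonce comes back under it
	iv := random(12)
	if !bytes.Equal(must(gcm(kB).Open(nil, iv, gcm(kA).Seal(nil, iv, m6[len(m6)-nLen:], nil), nil)), nB) {
		panic("message 7 does not return N_B")
	}
	return kA, kB
}
func main() {
	kA, kB := run()
	fmt.Println(bytes.Equal(kA, kB)) // true
}
```

`go run` prints `true`: both sides hold the same [math]\displaystyle{ K }[/math]. The `verifyToken` call is where the revision matters: with [math]\displaystyle{ ID_A }[/math] in the token, a receiver whose identifier does not appear in it rejects the key, which is exactly the comparison the original version had no data to perform.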

References

  1. T. Y. C. Woo; S. S. Lam (March 1992). "Authentication Revisited". Computer 25 (3): 10. doi:10.1109/2.121502.
  2. Colin Boyd; Anish Mathuria (2003). Protocols for Authentication and Key Establishment. Springer. pp. 78 and 99. ISBN 978-3-540-43107-7. https://archive.org/details/protocolsforauth00boyd.
  3. William Stallings (2005). Cryptography and Network Security: Principles and Practices, Fourth Edition. Prentice Hall. p. 387. ISBN 978-0-13-187316-2.
  4. Thomas Y. C. Woo; Simon S. Lam (January 1992). "Authentication for Distributed Systems". Computer 25 (1): 39–52. doi:10.1109/2.108052.