Yahalom (protocol)
Yahalom is an authentication and secure key-sharing protocol designed for use on an insecure network such as the Internet. Yahalom uses a trusted arbitrator to distribute a shared key between two people. It can be considered an improved version of the Wide Mouth Frog protocol (with additional protection against man-in-the-middle attacks), but it is less secure than the Needham–Schroeder protocol.
Protocol description
If Alice (A) initiates communication with Bob (B), and S is a server trusted by both parties, the protocol can be specified as follows using security protocol notation:
- A and B are identities of Alice and Bob respectively
- [math]\displaystyle{ K_{AS} }[/math] is a symmetric key known only to A and S
- [math]\displaystyle{ K_{BS} }[/math] is a symmetric key known only to B and S
- [math]\displaystyle{ N_A }[/math] and [math]\displaystyle{ N_B }[/math] are nonces generated by A and B respectively
- [math]\displaystyle{ K_{AB} }[/math] is a symmetric, generated key, which will be the session key of the session between A and B
[math]\displaystyle{ A \rightarrow B: A, N_A }[/math]
- Alice sends a message to Bob requesting communication.
[math]\displaystyle{ B \rightarrow S: B,\{A, N_A, N_B\}_{K_{BS}} }[/math]
- Bob sends a message to the Server encrypted under [math]\displaystyle{ K_{BS} }[/math].
[math]\displaystyle{ S \rightarrow A: \{B, K_{AB}, N_A, N_B\}_{K_{AS}}, \{A, K_{AB}\}_{K_{BS}} }[/math]
- The Server sends to Alice a message containing the generated session key [math]\displaystyle{ K_{AB} }[/math] and a message to be forwarded to Bob.
[math]\displaystyle{ A \rightarrow B: \{A, K_{AB}\}_{K_{BS}}, \{N_B\}_{K_{AB}} }[/math]
- Alice forwards the message to Bob and verifies [math]\displaystyle{ N_A }[/math] has not changed. Bob will verify [math]\displaystyle{ N_B }[/math] has not changed when he receives the message.
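The four messages above as a runnable exchange, showing where each party's nonce check sits. This is an added illustration, not code from the original article or its references. The cipher is a stand-in (SHAKE-256 keystream with an HMAC tag) chosen so the block runs on the standard library alone, and the names `seal`, `unseal`, `run_yahalom` and `stale_nb` are assumptions.

```python
import hashlib, hmac, json, secrets

def seal(key, fields):
    """{fields}_key. Stand-in authenticated cipher (SHAKE-256 keystream + HMAC), not a vetted one."""
    pt, iv = json.dumps(fields).encode(), secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    stream = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))

def run_yahalom(stale_nb=None):
    """One run of the four messages; returns the K_AB held by A and by B.
    stale_nb (constructed test input) replaces N_B in message 4, as a replayed reply would."""
    k_as, k_bs = secrets.token_bytes(32), secrets.token_bytes(32)  # long-term keys
    # 1. A -> B: A, N_A
    n_a = secrets.token_hex(16)
    msg1 = {"id": "A", "na": n_a}
    # 2. B -> S: B, {A, N_A, N_B}_K_BS
    n_b = secrets.token_hex(16)
    msg2 = ("B", seal(k_bs, {"id": msg1["id"], "na": msg1["na"], "nb": n_b}))
    # 3. S -> A: {B, K_AB, N_A, N_B}_K_AS, {A, K_AB}_K_BS
    req = unseal(k_bs, msg2[1])  # S selects K_BS from the cleartext identity B
    k_ab = secrets.token_hex(32)
    for_a = seal(k_as, {"id": msg2[0], "kab": k_ab, "na": req["na"], "nb": req["nb"]})
    ticket = seal(k_bs, {"id": req["id"], "kab": k_ab})
    # 4. A -> B: {A, K_AB}_K_BS, {N_B}_K_AB  (A first checks N_A is the one it sent)
    got = unseal(k_as, for_a)
    if not hmac.compare_digest(got["na"], n_a):
        raise ValueError("A: N_A mismatch")
    a_key = bytes.fromhex(got["kab"])
    proof = seal(a_key, {"nb": stale_nb or got["nb"]})
    # B opens the ticket for K_AB, then checks N_B is the one it generated in step 2
    opened = unseal(k_bs, ticket)
    b_key = bytes.fromhex(opened["kab"])
    if opened["id"] != "A" or not hmac.compare_digest(unseal(b_key, proof)["nb"], n_b):
        raise ValueError("B: N_B mismatch")
    return a_key, b_key

if __name__ == "__main__":
    a_key, b_key = run_yahalom()
    print("keys agree:", a_key == b_key)
```

Bob never sees the server's reply directly, so his only evidence that the ticket belongs to this run is the nonce returned under the session key.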
BAN-Yahalom
Burrows, Abadi and Needham proposed a variant of this protocol in their 1989 paper as follows:[1]
[math]\displaystyle{ A \rightarrow B: A, N_A }[/math]
[math]\displaystyle{ B \rightarrow S: B, N_B, \{A, N_A\}_{K_{BS}} }[/math]
[math]\displaystyle{ S \rightarrow A: N_B, \{B, K_{AB}, N_A\}_{K_{AS}}, \{A, K_{AB}, N_B\}_{K_{BS}} }[/math]
[math]\displaystyle{ A \rightarrow B: \{A, K_{AB}, N_B\}_{K_{BS}}, \{N_B\}_{K_{AB}} }[/math]
In 1994, Paul Syverson demonstrated two attacks on this protocol.[1]
References
- [1] Paul Syverson. A taxonomy of replay attacks. In Proceedings of the 7th IEEE Computer Security Foundations Workshop, pages 131–136. IEEE Computer Society Press, 1994.
- Schneier, Bruce (1996). Applied Cryptography. John Wiley & Sons. pp. 57–58. ISBN 0-471-12845-7. https://archive.org/details/Applied_Cryptography_2nd_ed._B._Schneier.
- M. Burrows, M. Abadi, R. Needham. A Logic of Authentication. Research Report 39, Digital Equipment Corp. Systems Research Center, Feb. 1989.
- M. Burrows, M. Abadi, R. Needham. A Logic of Authentication. ACM Transactions on Computer Systems, v. 8, n. 1, Feb. 1990, pp. 18–36.
Original source: https://en.wikipedia.org/wiki/Yahalom (protocol).