Yahalom (protocol)

Yahalom is an authentication and secure key-sharing protocol designed for use on an insecure network such as the Internet. Yahalom uses a trusted arbitrator (a server trusted by both parties) to distribute a shared session key between two principals. It can be considered an improved version of the Wide Mouth Frog protocol, with additional protection against man-in-the-middle attacks, but is less secure than the Needham–Schroeder protocol.

Protocol description

If Alice (A) initiates communication with Bob (B), and S is a server trusted by both parties, the protocol can be specified as follows using security protocol notation:

  • A and B are the identities of Alice and Bob respectively
  • $K_{AS}$ is a symmetric key known only to A and S
  • $K_{BS}$ is a symmetric key known only to B and S
  • $N_A$ and $N_B$ are nonces generated by A and B respectively
  • $K_{AB}$ is a freshly generated symmetric key, which will be the session key for the session between A and B

$A \rightarrow B : A, N_A$

Alice sends a message to Bob requesting communication.

$B \rightarrow S : B, \{A, N_A, N_B\}_{K_{BS}}$

Bob sends a message to the Server encrypted under $K_{BS}$.

$S \rightarrow A : \{B, K_{AB}, N_A, N_B\}_{K_{AS}}, \{A, K_{AB}\}_{K_{BS}}$

The Server sends Alice a message containing the generated session key $K_{AB}$ and a message to be forwarded to Bob.

$A \rightarrow B : \{A, K_{AB}\}_{K_{BS}}, \{N_B\}_{K_{AB}}$

Alice forwards the message to Bob and verifies that $N_A$ has not changed. Bob will verify that $N_B$ has not changed when he receives the message.

BAN-Yahalom

Burrows, Abadi and Needham proposed a variant of this protocol in their 1989 paper as follows:[1]

$A \rightarrow B : A, N_A$

$B \rightarrow S : B, N_B, \{A, N_A\}_{K_{BS}}$

$S \rightarrow A : N_B, \{B, K_{AB}, N_A\}_{K_{AS}}, \{A, K_{AB}, N_B\}_{K_{BS}}$

$A \rightarrow B : \{A, K_{AB}, N_B\}_{K_{BS}}, \{N_B\}_{K_{AB}}$

In 1994, Paul Syverson demonstrated two attacks on this protocol.[1]
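The following is an added example, not part of the article and not code from Burrows, Abadi and Needham or any published implementation: it executes the four-message flow of the original Yahalom protocol and, with `ban_variant=True`, the BAN-Yahalom variant above, with Alice's check on $N_A$ and Bob's check on $N_B$ enforced as the text describes. The article leaves the symmetric cipher unspecified, so `seal`/`open_` are a constructed encrypt-then-MAC stand-in built from HMAC-SHA256 (an assumption made here so the exchange runs offline with the standard library; it is illustrative only). Nonces and keys travel as hex strings; all party identifiers and helper names are this example's own.

```python
import hashlib
import hmac
import json
import secrets

# --- constructed stand-in for {...}_K: encrypt-then-MAC from HMAC-SHA256 ---
# Assumption: the article does not name a cipher; this toy scheme exists only
# so the message flow can be executed offline with the standard library.

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from the shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: list) -> bytes:
    """Return {fields}_key as: random IV || ciphertext || MAC tag."""
    plaintext = json.dumps(fields).encode()
    iv = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), iv, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_(key: bytes, blob: bytes) -> list:
    """Verify the tag first, then decrypt; raises ValueError on any forgery."""
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message forged or wrong key")
    stream = _keystream(_subkey(key, b"enc"), iv, len(ciphertext))
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))

# --- the protocol run (original Yahalom, or BAN-Yahalom when ban_variant) ---

def run_yahalom(ban_variant: bool = False) -> tuple:
    """Execute the four messages; returns (Alice's K_AB, Bob's K_AB) as hex."""
    k_as, k_bs = secrets.token_bytes(32), secrets.token_bytes(32)  # long-term keys

    # 1. A -> B : A, N_A
    n_a = secrets.token_hex(16)
    msg1 = ("A", n_a)

    # 2. B -> S : B, {A, N_A, N_B}_K_BS      (BAN: B, N_B, {A, N_A}_K_BS)
    a_id, n_a_recv = msg1
    n_b = secrets.token_hex(16)
    if ban_variant:
        msg2 = ("B", n_b, seal(k_bs, [a_id, n_a_recv]))
    else:
        msg2 = ("B", seal(k_bs, [a_id, n_a_recv, n_b]))

    # 3. S -> A : {B, K_AB, N_A, N_B}_K_AS, {A, K_AB}_K_BS
    #    (BAN: N_B, {B, K_AB, N_A}_K_AS, {A, K_AB, N_B}_K_BS)
    k_ab = secrets.token_hex(32)  # fresh session key chosen by S
    if ban_variant:
        b_id, n_b_clear, inner = msg2
        a_id_s, n_a_s = open_(k_bs, inner)
        msg3 = (n_b_clear, seal(k_as, [b_id, k_ab, n_a_s]),
                seal(k_bs, [a_id_s, k_ab, n_b_clear]))
    else:
        b_id, inner = msg2
        a_id_s, n_a_s, n_b_s = open_(k_bs, inner)
        msg3 = (seal(k_as, [b_id, k_ab, n_a_s, n_b_s]), seal(k_bs, [a_id_s, k_ab]))

    # 4. A -> B : {A, K_AB}_K_BS, {N_B}_K_AB  (BAN: {A, K_AB, N_B}_K_BS, {N_B}_K_AB)
    if ban_variant:
        n_b_for_a, for_alice, for_bob = msg3
        b_id_a, k_ab_alice, n_a_back = open_(k_as, for_alice)
    else:
        for_alice, for_bob = msg3
        b_id_a, k_ab_alice, n_a_back, n_b_for_a = open_(k_as, for_alice)
    if b_id_a != "B" or n_a_back != n_a:  # Alice: right peer, N_A unchanged
        raise ValueError("N_A or peer mismatch: server reply is stale or replayed")
    msg4 = (for_bob, seal(bytes.fromhex(k_ab_alice), [n_b_for_a]))

    # Bob recovers K_AB from the server's ticket and checks N_B under K_AB
    ticket, proof = msg4
    if ban_variant:
        a_id_b, k_ab_bob, n_b_back = open_(k_bs, ticket)
        if n_b_back != n_b:
            raise ValueError("N_B mismatch inside the server's ticket")
    else:
        a_id_b, k_ab_bob = open_(k_bs, ticket)
    (n_b_proof,) = open_(bytes.fromhex(k_ab_bob), proof)
    if a_id_b != "A" or n_b_proof != n_b:  # Bob: right peer, N_B unchanged
        raise ValueError("N_B or peer mismatch: key confirmation failed")
    return k_ab_alice, k_ab_bob

if __name__ == "__main__":
    for variant in (False, True):
        ka, kb = run_yahalom(ban_variant=variant)
        print("BAN-Yahalom" if variant else "Yahalom", "agreed key:", ka == kb)
```

Both runs end with Alice and Bob holding the same $K_{AB}$; any modification of a sealed component, or a stale $N_A$ or $N_B$, is rejected by the receiving party rather than silently accepted, which is the check each nonce exists to provide.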

References

  1. Paul Syverson. A taxonomy of replay attacks. In Proceedings of the 7th IEEE Computer Security Foundations Workshop, pages 131–136. IEEE Computer Society Press, 1994.
  • Schneier, Bruce (1996). Applied Cryptography. John Wiley & Sons. pp. 57–58. ISBN 0-471-12845-7.
  • M. Burrows, M. Abadi, R. Needham. A Logic of Authentication. Research Report 39, Digital Equipment Corp. Systems Research Center, Feb. 1989.
  • M. Burrows, M. Abadi, R. Needham. A Logic of Authentication. ACM Transactions on Computer Systems, v. 8, n. 1, Feb. 1990, pp. 18–36.