Woo–Lam

In cryptography, Woo–Lam refers to various computer network authentication protocols designed by Simon S. Lam and Thomas Woo.[1][2] The protocols enable two communicating parties to authenticate each other's identity and to exchange session keys, using a trusted key distribution center (KDC) to mediate between the parties. Both symmetric-key and public-key variants have been described. However, the protocols suffer from various security flaws, and have in part been described as inefficient compared to alternative authentication protocols.[3]

Public-key protocol

Notation

The following notation is used to describe the algorithm:

$A, B$ - network nodes.
$KU_x$ - public key of node $x$.
$KR_x$ - private key of $x$.
$N_x$ - nonce chosen by $x$.
$ID_x$ - unique identifier of $x$.
$E_k$ - public-key encryption using key $k$.
$S_k$ - digital signature using key $k$.
$K$ - random session key chosen by the KDC.
$||$ - concatenation.

It is assumed that all parties know the KDC's public key.

Message exchange

1) $A \rightarrow KDC: ID_A \,||\, ID_B$
2) $KDC \rightarrow A: S_{KR_{KDC}}[ID_B \,||\, KU_B]$
3) $A \rightarrow B: E_{KU_B}[N_A \,||\, ID_A]$
4) $B \rightarrow KDC: ID_B \,||\, ID_A \,||\, E_{KU_{KDC}}[N_A]$
5) $KDC \rightarrow B: S_{KR_{KDC}}[ID_A \,||\, KU_A] \,||\, E_{KU_B}[S_{KR_{KDC}}[N_A \,||\, K \,||\, ID_B \,||\, ID_A]]$
6) $B \rightarrow A: E_{KU_A}[S_{KR_{KDC}}[N_A \,||\, K \,||\, ID_B \,||\, ID_A] \,||\, N_B]$
7) $A \rightarrow B: E_K[N_B]$

The original version of the protocol[4] omitted the identifier $ID_A$ from lines 5 and 6, which failed to account for the fact that $N_A$ is unique only among the nonces generated by A, not among those generated by other parties. The protocol was revised after the authors themselves spotted the flaw.[1][3]
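The seven-message exchange above, as an added worked example that is not part of the article or of Woo and Lam's own work. It instantiates the abstract operators with standard-library primitives (an assumption made for illustration: $E_k$ as RSA-OAEP, $S_k$ as Ed25519 with the output written as message||signature, $E_K$ as AES-128-GCM), uses fixed-width nonces and identifiers so that concatenation parses unambiguously, and has each receiver perform the checks the message formats imply. In message 6, B forwards the KDC's signed token from message 5 unchanged, since that is the only KDC signature B holds. All type and function names (Node, KDC, RunWooLam, IssueToken, CheckToken, Cert) and the sample identifiers "A000" and "B000" are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const nonceLen, idLen, keyLen = 16, 4, 16                         // fixed widths so "||" parses unambiguously
const tokLen = nonceLen + keyLen + 2*idLen + ed25519.SignatureSize // length of S_KR_KDC[N_A||K||ID_B||ID_A]

// Assumed instantiations of the abstract operators: E_k = RSA-OAEP, S_k = Ed25519
// (output is message||signature), E_K = AES-128-GCM (output is nonce||ciphertext).
func E(pub *rsa.PublicKey, m []byte) []byte {
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
	if err != nil { panic(err) } // only for oversized input, i.e. a programming error
	return c
}
func D(kr *rsa.PrivateKey, c []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), nil, kr, c, nil) }
func S(sk ed25519.PrivateKey, m []byte) []byte { return cat(m, ed25519.Sign(sk, m)) }
func V(pk ed25519.PublicKey, sm []byte) ([]byte, error) {
	n := len(sm) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pk, sm[:n], sm[n:]) { return nil, errors.New("bad KDC signature") }
	return sm[:n], nil
}
func gcm(K []byte) cipher.AEAD { b, _ := aes.NewCipher(K); g, _ := cipher.NewGCM(b); return g }
func sealK(K, m []byte) []byte { iv := rnd(12); return append(iv, gcm(K).Seal(nil, iv, m, nil)...) }
func openK(K, c []byte) ([]byte, error) { if len(c) < 12 { return nil, errors.New("short ciphertext") }; return gcm(K).Open(nil, c[:12], c[12:], nil) }
func rnd(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func cat(p ...[]byte) []byte { return bytes.Join(p, nil) }

type Node struct{ ID []byte; KR *rsa.PrivateKey }
type KDC struct{ KR *rsa.PrivateKey; sk ed25519.PrivateKey; dir map[string]*rsa.PublicKey } // KR decrypts message 4, sk signs as S_KR_KDC, dir holds registered KU_x

func NewNode(id string) *Node { k, _ := rsa.GenerateKey(rand.Reader, 2048); return &Node{[]byte(id), k} }
func NewKDC(A, B *Node) *KDC {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &KDC{k, sk, map[string]*rsa.PublicKey{string(A.ID): &A.KR.PublicKey, string(B.ID): &B.KR.PublicKey}}
}

// Cert is S_KR_KDC[ID_x||KU_x]; openCert is the receiver's check that it names the party it asked about.
func (k *KDC) Cert(id []byte) []byte { return S(k.sk, cat(id, x509.MarshalPKCS1PublicKey(k.dir[string(id)]))) }
func openCert(pk ed25519.PublicKey, c, id []byte) (*rsa.PublicKey, error) {
	m, err := V(pk, c)
	if err != nil || len(m) < idLen || !bytes.Equal(m[:idLen], id) { return nil, errors.New("certificate names the wrong party") }
	return x509.ParsePKCS1PublicKey(m[idLen:])
}

// IssueToken builds S_KR_KDC[N_A||K||ID_B||ID_A]; CheckToken is the check B applies in message 5 and A in
// message 6. Binding ID_A is the revision the article describes: N_A alone does not identify the run.
func (k *KDC) IssueToken(N_A, K, ID_B, ID_A []byte) []byte { return S(k.sk, cat(N_A, K, ID_B, ID_A)) }
func CheckToken(pk ed25519.PublicKey, tok, N_A, ID_B, ID_A []byte) ([]byte, error) {
	t, err := V(pk, tok)
	if err != nil { return nil, err }
	if len(t) != tokLen-ed25519.SignatureSize || !bytes.Equal(t, cat(N_A, t[nonceLen:nonceLen+keyLen], ID_B, ID_A)) {
		return nil, errors.New("token does not belong to this run (nonce or identities differ)")
	}
	return t[nonceLen : nonceLen+keyLen], nil
}

// RunWooLam drives messages 1-7 in one process, each receiver's checks inline; it returns the session key.
func RunWooLam(A, B *Node, kdc *KDC) ([]byte, error) {
	pk := kdc.sk.Public().(ed25519.PublicKey) // KU_KDC, assumed known to all parties
	// 1) A -> KDC: ID_A||ID_B      2) KDC -> A: S_KR_KDC[ID_B||KU_B]
	KU_B, err := openCert(pk, kdc.Cert(B.ID), B.ID); if err != nil { return nil, err }
	// 3) A -> B: E_KU_B[N_A||ID_A]
	N_A := rnd(nonceLen)
	m3, err := D(B.KR, E(KU_B, cat(N_A, A.ID))); if err != nil { return nil, err }
	bNA, bIDA := m3[:nonceLen], m3[nonceLen:] // B's view of the initiator's nonce and identity
	// 4) B -> KDC: ID_B||ID_A||E_KU_KDC[N_A]   (the KDC takes ID_B, ID_A from the clear part)
	kNA, err := D(kdc.KR, E(&kdc.KR.PublicKey, bNA)); if err != nil { return nil, err }
	// 5) KDC -> B: S_KR_KDC[ID_A||KU_A] || E_KU_B[S_KR_KDC[N_A||K||ID_B||ID_A]]
	box := E(kdc.dir[string(B.ID)], kdc.IssueToken(kNA, rnd(keyLen), B.ID, bIDA))
	KU_A, err := openCert(pk, kdc.Cert(bIDA), bIDA); if err != nil { return nil, err }
	tok, err := D(B.KR, box); if err != nil { return nil, err }
	bK, err := CheckToken(pk, tok, bNA, B.ID, bIDA); if err != nil { return nil, err }
	// 6) B -> A: E_KU_A[S_KR_KDC[N_A||K||ID_B||ID_A]||N_B]; B forwards the KDC's token unchanged
	N_B := rnd(nonceLen)
	m6, err := D(A.KR, E(KU_A, cat(tok, N_B))); if err != nil { return nil, err }
	aK, err := CheckToken(pk, m6[:tokLen], N_A, B.ID, A.ID); if err != nil { return nil, err }
	// 7) A -> B: E_K[N_B]; B confirms its own nonce came back under K
	n, err := openK(bK, sealK(aK, m6[tokLen:]))
	if err != nil || !bytes.Equal(n, N_B) { return nil, errors.New("B: N_B mismatch in message 7") }
	return aK, nil
}

func main() {
	A, B := NewNode("A000"), NewNode("B000")
	K, err := RunWooLam(A, B, NewKDC(A, B))
	fmt.Printf("session key %x, err=%v\n", K, err)
}
```

CheckToken is where the revision described above becomes visible: A compares not only $N_A$ but also $ID_B$ and its own $ID_A$ against the KDC-signed token, so a token the KDC issued for a different initiator that happened to choose the same nonce value is refused rather than accepted as belonging to A's run. The identifiers are fixed-width (4 bytes) and the nonce and key are 16 bytes, which is what lets the receivers split the concatenated fields without a length prefix.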

References

  1. T.Y.C. Woo; S.S. Lam (March 1992). "Authentication Revisited". Computer. 25 (3): 10. doi:10.1109/2.121502.
  2. Colin Boyd; Anish Mathuria (2003). Protocols for Authentication and Key Establishment. Springer. pp. 78 and 99. ISBN 978-3-540-43107-7.
  3. Stallings, William (2005). Cryptography and Network Security: Principles and Practices, Fourth Edition. Prentice Hall. p. 387. ISBN 978-0-13-187316-2.
  4. Thomas Y.C. Woo; Simon S. Lam (January 1992). "Authentication for Distributed Systems". Computer. 25 (1): 39–52. CiteSeerX 10.1.1.38.9374. doi:10.1109/2.108052.