Woo–Lam

In cryptography, Woo–Lam refers to various computer network authentication protocols designed by Simon S. Lam and Thomas Woo.^{[1] [2]} The protocols enable two communicating parties to authenticate each other's identity and to exchange session keys, and involve the use of a trusted key distribution center (KDC) to negotiate between the parties. Both symmetric-key and public-key variants have been described. However, the protocols suffer from various security flaws, and in part have been described as being inefficient compared to alternative authentication protocols.^[3]

The following notation is used to describe the algorithm:

${\displaystyle A,B}${\displaystyle A,B} - network nodes.

${\displaystyle KU_{x}}${\displaystyle KU_{x}} - public key of node ${\displaystyle x}${\displaystyle x}.

${\displaystyle KR_{x}}${\displaystyle KR_{x}} - private key of ${\displaystyle x}${\displaystyle x}.

${\displaystyle N_{x}}${\displaystyle N_{x}} - nonce chosen by ${\displaystyle x}${\displaystyle x}.

${\displaystyle ID_{x}}${\displaystyle ID_{x}} - unique identifier of ${\displaystyle x}${\displaystyle x}.

${\displaystyle E_{k}}${\displaystyle E_{k}} - public-key encryption using key ${\displaystyle k}${\displaystyle k}.

${\displaystyle S_{k}}${\displaystyle S_{k}} - digital signature using key ${\displaystyle k}${\displaystyle k}.

${\displaystyle K}${\displaystyle K} - random session key chosen by the KDC.

${\displaystyle ||}${\displaystyle ||} - concatenation.

It is assumed that all parties know the KDC's public key.

${\displaystyle 1)A\rightarrow KDC:ID_{A}||ID_{B}}${\displaystyle 1)A\rightarrow KDC:ID_{A}||ID_{B}}

${\displaystyle 2)KDC\rightarrow A:S_{KR_{KDC}}[ID_{B}||KU_{B}]}${\displaystyle 2)KDC\rightarrow A:S_{KR_{KDC}}[ID_{B}||KU_{B}]}

${\displaystyle 3)A\rightarrow B:E_{KU_{B}}[N_{A}||ID_{A}]}${\displaystyle 3)A\rightarrow B:E_{KU_{B}}[N_{A}||ID_{A}]}

${\displaystyle 4)B\rightarrow KDC:ID_{B}||ID_{A}||E_{KU_{KDC}}[N_{A}]}${\displaystyle 4)B\rightarrow KDC:ID_{B}||ID_{A}||E_{KU_{KDC}}[N_{A}]}

${\displaystyle 5)KDC\rightarrow B:S_{KR_{KDC}}[ID_{A}||KU_{A}]||E_{KU_{B}}[S_{KR_{KDC}}[N_{A}||K||ID_{B}||ID_{A}]]}${\displaystyle 5)KDC\rightarrow B:S_{KR_{KDC}}[ID_{A}||KU_{A}]||E_{KU_{B}}[S_{KR_{KDC}}[N_{A}||K||ID_{B}||ID_{A}]]}

${\displaystyle 6)B\rightarrow A:E_{KU_{A}}[S_{KR_{KDC}}[N_{A}||K]||N_{B}]}${\displaystyle 6)B\rightarrow A:E_{KU_{A}}[S_{KR_{KDC}}[N_{A}||K]||N_{B}]}

${\displaystyle 7)A\rightarrow B:E_{K}[N_{B}]}${\displaystyle 7)A\rightarrow B:E_{K}[N_{B}]}

The original version of the protocol^[4] had the identifier ${\displaystyle ID_{A}}${\displaystyle ID_{A}} omitted from lines 5 and 6, which did not account for the fact that ${\displaystyle N_{A}}${\displaystyle N_{A}} is unique only among nonces generated by A and not by other parties. The protocol was revised after the authors themselves spotted a flaw in the algorithm.^{[1] [3]}

• Kerberos
• Needham–Schroeder protocol
• Otway–Rees protocol

• Computer network security
• Authentication methods
• Cryptography stubs

• All stub articles