Yahalom (protocol)

Template:No footnotes Yahalom is an authentication and secure key-sharing protocol designed for use on an insecure network such as the Internet. Yahalom uses a trusted arbitrator to distribute a shared key between two people. This protocol can be considered as an improved version of Wide Mouth Frog protocol (with additional protection against man-in-the-middle attack), but less secure than the Needham–Schroeder protocol.

If Alice (A) initiates the communication to Bob (B) with S is a server trusted by both parties, the protocol can be specified as follows using security protocol notation:

• A and B are identities of Alice and Bob respectively
• ${\displaystyle K_{AS}}$ is a symmetric key known only to A and S
• ${\displaystyle K_{BS}}$ is a symmetric key known only to B and S
• ${\displaystyle N_A}$ and ${\displaystyle N_B}$ are nonces generated by A and B respectively
• ${\displaystyle K_{AB}}$ is a symmetric, generated key, which will be the session key of the session between A and B

${\displaystyle A\to B:A,N_A}$

Alice sends a message to Bob requesting communication.

${\displaystyle B\to S:B,\{A,N_A,N_B{\}}_{K_{BS}}}$

Bob sends a message to the Server encrypted under ${\displaystyle K_{BS}}$.

${\displaystyle S\to A:\{B,K_{AB},N_A,N_B{\}}_{K_{AS}},\{A,K_{AB}{\}}_{K_{BS}}}$

The Server sends to Alice a message containing the generated session key ${\displaystyle K_{AB}}$ and a message to be forwarded to Bob.

${\displaystyle A\to B:\{A,K_{AB}{\}}_{K_{BS}},\{N_B{\}}_{K_{AB}}}$

Alice forwards the message to Bob and verifies ${\displaystyle N_A}$ has not changed. Bob will verify ${\displaystyle N_B}$ has not changed when he receives the message.

Burrows􏰂, Abadi􏰂 and Needham proposed a variant of this protocol in their 1989 paper as follows:^[1]

${\displaystyle A\to B:A,N_A}$
${\displaystyle B\to S:B,N_B,\{A,N_A{\}}_{K_{BS}}}$
${\displaystyle S\to A:N_B,\{B,K_{AB},N_A{\}}_{K_{AS}},\{A,K_{AB},N_B{\}}_{K_{BS}}}$
${\displaystyle A\to B:\{A,K_{AB},N_B{\}}_{K_{BS}},\{N_B{\}}_{K_{AB}}}$

In 1994, Paul Syverson demonstrated two attacks on this protocol.^[1]

• Kerberos protocol
• Otway–Rees protocol
• Neuman–Stubblebine protocol

• Template:Cite book
• M. Burrows, M. Abadi, R. Needham A Logic of Authentication, Research Report 39, Digital Equipment Corp. Systems Research Center, Feb. 1989
• M. Burrows, M. Abadi, R. Needham A Logic of Authentication. ACM Transactions on Computer Systems, v. 8, n. 1, Feb. 1990, pp. 18—36

Template:Crypto-stub