Woo–Lam

In cryptography, Woo–Lam refers to various computer network authentication protocols designed by Simon S. Lam and Thomas Woo.^[1][2] The protocols enable two communicating parties to authenticate each other's identity and to exchange session keys, and involve the use of a trusted key distribution center (KDC) to negotiate between the parties. Both symmetric-key and public-key variants have been described. However, the protocols suffer from various security flaws, and in part have been described as being inefficient compared to alternative authentication protocols.^[3]

Public-key protocol

Notation

The following notation is used to describe the algorithm:

${\displaystyle A,B}$  - network nodes.

${\displaystyle KU_{x}}$  - public key of node ${\displaystyle x}$ .

${\displaystyle KR_{x}}$  - private key of ${\displaystyle x}$ .

${\displaystyle N_{x}}$  - nonce chosen by ${\displaystyle x}$ .

${\displaystyle ID_{x}}$  - unique identifier of ${\displaystyle x}$ .

${\displaystyle E_{k}}$  - public-key encryption using key ${\displaystyle k}$ .

${\displaystyle S_{k}}$  - digital signature using key ${\displaystyle k}$ .

${\displaystyle K}$  - random session key chosen by the KDC.

${\displaystyle ||}$  - concatenation.

It is assumed that all parties know the KDC's public key.

Message exchange

${\displaystyle 1)A\rightarrow KDC:ID_{A}||ID_{B}}$ 

${\displaystyle 2)KDC\rightarrow A:S_{KR_{KDC}}[ID_{B}||KU_{B}]}$ 

${\displaystyle 3)A\rightarrow B:E_{KU_{B}}[N_{A}||ID_{A}]}$ 

${\displaystyle 4)B\rightarrow KDC:ID_{B}||ID_{A}||E_{KU_{KDC}}[N_{A}]}$ 

${\displaystyle 5)KDC\rightarrow B:S_{KR_{KDC}}[ID_{A}||KU_{A}]||E_{KU_{B}}[S_{KR_{KDC}}[N_{A}||K||ID_{B}||ID_{A}]]}$ 

${\displaystyle 6)B\rightarrow A:E_{KU_{A}}[S_{KR_{KDC}}[N_{A}||K]||N_{B}]}$ 

${\displaystyle 7)A\rightarrow B:E_{K}[N_{B}]}$ 

The original version of the protocol^[4] had the identifier ${\displaystyle ID_{A}}$  omitted from lines 5 and 6, which did not account for the fact that ${\displaystyle N_{A}}$  is unique only among nonces generated by A and not by other parties. The protocol was revised after the authors themselves spotted a flaw in the algorithm.^[1][3]

See also

• Kerberos
• Needham–Schroeder protocol
• Otway–Rees protocol

References

1. T.Y.C. Woo; S.S. Lam (March 1992). "Authentication Revisited". Computer. 25 (3): 10. doi:10.1109/2.121502.
2. Colin Boyd; Anish Mathuria (2003). Protocols for authentication and key establishment. Springer. p. 78 and 99. ISBN 978-3-540-43107-7.
3. Stallings, William (2005). Cryptography and Network Security Principles and Practices, Fourth Edition. Prentice Hall. p. 387. ISBN 978-0-13-187316-2.
4. Thomas Y.C. Woo; Simon S. Lam (January 1992). "Authentication for Distributed Systems". Computer. 25 (1): 39–52. CiteSeerX 10.1.1.38.9374. doi:10.1109/2.108052.