# Talk:Needham–Schroeder protocol

WikiProject Cryptography / Computer science  (Rated Start-class, Mid-importance)
WikiProject Computing (Rated Start-class, Mid-importance)

Look at sec. 10.2 of http://www.daimi.au.dk/~ivan/dSik/dSikw4.pdf, material for a course on security at Aarhus University, Denmark, written by Ivan Damgård. It describes another protocol suggested by Needham and Schroeder, which assumes that both users have a public key for the other, does not involve a server and is indeed insecure. And apparently the two concepts were both developed in 1978. How do these relate?

Velle 13:53, 27 August 2006 (UTC)

Good point. There are two different protocols suggested in the same paper. I've written them both up here - arguably the entry could be split in two, if you can be bothered with the resulting disambiguation page.
--IanHarvey 12:13, 8 September 2006 (UTC)

"Needham-Schroeder Symmetric Key Protocol, also known as the Needham-Schroeder Symmetric Key Protocol," That sentence seems a bit redundant. I would assume the "x" is also known as "x". :)

## Fixing the attack seems to be imprecise for the symmetric protocol

I read the paper in the ref[1], and from what I understood, it seems that the explanation in the paper and the one in the Wikipedia article are not the same. Something like this seems to be more correct to me: The inclusion of this new nonce prevents the replaying of a compromised version of ${\displaystyle \{K_{AB},A,\mathbf {N_{B}'} \}_{K_{BS}}}$, because the nonce ${\displaystyle \mathbf {N_{B}'} }$ is maintained by B, which accepts it at most once before ${\displaystyle B\rightarrow A:\{N_{B}\}_{K_{AB}}}$.

Could someone look into this?

I think you are right. You can change the description. Alexei Kopylov (talk) 09:22, 9 October 2015 (UTC)
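The replay check discussed in this section, as an added example that is not part of the talk-page comments or the article: B remembers each $N_B'$ it has issued and consumes it the first time a ticket $\{K_{AB}, A, N_B'\}_{K_{BS}}$ carrying it arrives, so a second presentation of the same ticket is refused. The names `seal`, `unseal`, `Bob`, `server_ticket` and `demo` are hypothetical, and `seal` is an assumption that stands in for encryption under a shared key with an HMAC tag (integrity only, no confidentiality).

```python
import hashlib
import hmac
import json
import secrets

def seal(key, fields):
    # Stand-in for {fields}_key: JSON body plus HMAC-SHA256 tag (assumption).
    body = json.dumps(fields, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def unseal(key, token):
    body, tag = token
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token not produced under this key")
    return json.loads(body)

class Bob:
    def __init__(self, k_bs):
        self.k_bs = k_bs
        self.pending = set()  # nonces N_B' issued by B and not yet used

    def issue_nonce(self, peer):
        # B -> A: {A, N_B'}_{K_BS}
        nb_prime = secrets.token_hex(16)
        self.pending.add(nb_prime)
        return seal(self.k_bs, {"peer": peer, "nb_prime": nb_prime})

    def accept_ticket(self, ticket):
        # A -> B: {K_AB, A, N_B'}_{K_BS}; each N_B' is honoured at most once.
        fields = unseal(self.k_bs, ticket)
        if "k_ab" not in fields or fields["nb_prime"] not in self.pending:
            return None  # not a ticket, or an unknown / already used nonce
        self.pending.remove(fields["nb_prime"])
        return fields["k_ab"]  # B would now send {N_B}_{K_AB}

def server_ticket(k_bs, bob_token, k_ab):
    # S opens {A, N_B'}_{K_BS} and copies N_B' into the ticket for B.
    f = unseal(k_bs, bob_token)
    return seal(k_bs, {"k_ab": k_ab, "peer": f["peer"], "nb_prime": f["nb_prime"]})

def demo():
    k_bs = secrets.token_bytes(32)       # constructed key shared by B and S
    bob = Bob(k_bs)
    token = bob.issue_nonce("A")
    ticket = server_ticket(k_bs, token, secrets.token_hex(16))
    first = bob.accept_ticket(ticket)    # fresh ticket: accepted
    replay = bob.accept_ticket(ticket)   # same ticket again: refused
    return first is not None, replay is None
```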