# Woo–Lam

(Redirected from Woo Lam 92 (protocol))

In cryptography, Woo–Lam refers to various computer network authentication protocols designed by Simon S. Lam and Thomas Woo.[1][2] The protocols enable two communicating parties to authenticate each other's identity and to exchange session keys, and involve the use of a trusted key distribution center (KDC) to negotiate between the parties. Both symmetric-key and public-key variants have been described. However, the protocols suffer from various security flaws, and in part have been described as being inefficient compared to alternative authentication protocols.[3]

## Public-key protocol

### Notation

The following notation is used to describe the algorithm:

${\displaystyle A,B}$ - network nodes.
${\displaystyle KU_{x}}$ - public key of node ${\displaystyle x}$.
${\displaystyle KR_{x}}$ - private key of ${\displaystyle x}$.
${\displaystyle N_{x}}$ - nonce chosen by ${\displaystyle x}$.
${\displaystyle ID_{x}}$ - unique identifier of ${\displaystyle x}$.
${\displaystyle E_{k}}$ - public-key encryption using key ${\displaystyle k}$.
${\displaystyle S_{k}}$ - digital signature using key ${\displaystyle k}$.
${\displaystyle K}$ - random session key chosen by the KDC.
${\displaystyle ||}$ - concatenation.

It is assumed that all parties know the KDC's public key.

### Message exchange

${\displaystyle 1)A\rightarrow KDC:ID_{A}||ID_{B}}$
${\displaystyle 2)KDC\rightarrow A:S_{KR_{KDC}}[ID_{B}||KU_{B}]}$
${\displaystyle 3)A\rightarrow B:E_{KU_{B}}[N_{A}||ID_{A}]}$
${\displaystyle 4)B\rightarrow KDC:ID_{B}||ID_{A}||E_{KU_{KDC}}[N_{A}]}$
${\displaystyle 5)KDC\rightarrow B:S_{KR_{KDC}}[ID_{A}||KU_{A}]||E_{KU_{B}}[S_{KR_{KDC}}[N_{A}||K||ID_{B}||ID_{A}]]}$
${\displaystyle 6)B\rightarrow A:E_{KU_{A}}[S_{KR_{KDC}}[N_{A}||K]||N_{B}]}$
${\displaystyle 7)A\rightarrow B:E_{K}[N_{B}]}$

The original version of the protocol[4] had the identifier ${\displaystyle ID_{A}}$ omitted from lines 5 and 6, which did not account for the fact that ${\displaystyle N_{A}}$ is unique only among nonces generated by A and not by other parties. The protocol was revised after the authors themselves spotted a flaw in the algorithm.[1][3]