Talk:Needham–Schroeder protocol

What about this "other Needham-Schroeder protocol"
Look at sec. 10.2 http://www.daimi.au.dk/~ivan/dSik/dSikw4.pdf, material for a course on security at Aarhus University, Denmark, written by Ivan Damgård. It describes another protocol suggested by Needham and Schroeder, which assumes that both users have a public key for the other, does not involve a server and is indeed insecure. And apparently the two concepts were both developed in 1978. How do these relate?

Velle 13:53, 27 August 2006 (UTC)


 * Good point. There are two different protocols suggested in the same paper. I've written them both up here - arguably the entry could be split in two, if you can be bothered with the resulting disambiguation page.
 * --IanHarvey 12:13, 8 September 2006 (UTC)

"Needham-Schroeder Symmetric Key Protocol, also known as the Needham-Schroeder Symmetric Key Protocol," That sentence seems a bit redundant. I would assume the "x" is also known as "x". :)

Fixing the attack seems to be imprecise for the symmetric protocol
I read the paper in the ref, and from what I understood, it seems that the explanation in the paper and in the Wikipedia article are not the same. Something like this seems to be more correct to me: The inclusion of this new nonce prevents the replaying of a compromised version of $$\{K_{AB}, A,\mathbf{N_B'}\}_{K_{BS}}$$, because the nonce $$\mathbf{N_B'}$$ is maintained by B, which accepts it at most once before $$B \rightarrow A: \{N_B\}_{K_{AB}}$$.

Could someone look into this?


 * I think you are right. You can change the description. Alexei Kopylov (talk) 09:22, 9 October 2015 (UTC)
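
The check discussed in this section, as an added example that is not part of the original thread or of the cited paper: B records each $$N_B'$$ it issues and consumes it the first time a ticket $$\{K_{AB}, A, N_B'\}_{K_{BS}}$$ carrying it arrives, so a replayed ticket is refused. Assumptions: `seal`/`unseal` are a toy stand-in for encryption under $$K_{BS}$$, the names `Bob`, `issue_nonce`, `accept_ticket` and `server_ticket` are hypothetical, and how $$N_B'$$ travels from B to S is not modelled.

```python
import hashlib, hmac, json, secrets

def _keys(k):  # separate encryption and MAC keys derived from the long-term key
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()

def seal(k, fields):
    """Toy stand-in for {...}_K: SHAKE-256 keystream XOR plus HMAC tag (illustration only)."""
    ek, mk = _keys(k)
    body = json.dumps(fields).encode()
    iv = secrets.token_bytes(16)
    stream = hashlib.shake_256(ek + iv).digest(len(body))
    ct = iv + bytes(x ^ y for x, y in zip(body, stream))
    return hmac.new(mk, ct, hashlib.sha256).digest() + ct

def unseal(k, blob):
    ek, mk = _keys(k)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    iv, body = ct[:16], ct[16:]
    stream = hashlib.shake_256(ek + iv).digest(len(body))
    return json.loads(bytes(x ^ y for x, y in zip(body, stream)))

class Bob:
    def __init__(self, k_bs):
        self.k_bs = k_bs
        self.outstanding = set()          # (peer, N_B') issued and not yet consumed

    def issue_nonce(self, peer):
        n = secrets.token_hex(16)         # fresh N_B' for this handshake
        self.outstanding.add((peer, n))
        return n

    def accept_ticket(self, ticket):
        t = unseal(self.k_bs, ticket)
        entry = (t["A"], t["N_B_prime"])
        if entry not in self.outstanding:
            raise ValueError("N_B' unknown or already used: replay rejected")
        self.outstanding.remove(entry)    # accepted at most once
        return t["K_AB"]                  # B may now send {N_B}_{K_AB}

def server_ticket(k_bs, a, k_ab, n_b_prime):
    """S builds {K_AB, A, N_B'}_{K_BS}."""
    return seal(k_bs, {"K_AB": k_ab, "A": a, "N_B_prime": n_b_prime})
```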

Asymmetric protocol complexity
Seems to me that any available public-key scheme can be used for both signing and encryption, thus the asymmetric protocol is unnecessarily complex.

smurfix (talk) 13:25, 28 March 2018 (UTC)