Yahalom (protocol)

Yahalom is an authentication and secure key-sharing protocol designed for use on an insecure network such as the Internet. Yahalom uses a trusted arbitrator to distribute a shared key between two people. This protocol can be considered as an improved version of Wide Mouth Frog protocol (with additional protection against man-in-the-middle attack), but less secure than the Needham–Schroeder protocol.

Protocol description
If Alice (A) initiates the communication to Bob (B) with S is a server trusted by both parties, the protocol can be specified as follows using security protocol notation:
 * A and B are identities of Alice and Bob respectively
 * $$K_{AS}$$ is a symmetric key known only to A and S
 * $$K_{BS}$$ is a symmetric key known only to B and S
 * $$N_A$$ and $$N_B$$ are nonces generated by A and B respectively
 * $$K_{AB}$$ is a symmetric, generated key, which will be the session key of the session between A and B

$$A \rightarrow B: A, N_A$$
 * Alice sends a message to Bob requesting communication.

$$B \rightarrow S: B,\{A, N_A, N_B\}_{K_{BS}}$$
 * Bob sends a message to the Server encrypted under $$K_{BS}$$.

$$S \rightarrow A: \{B, K_{AB}, N_A, N_B\}_{K_{AS}}, \{A, K_{AB}\}_{K_{BS}}$$
 * The Server sends to Alice a message containing the generated session key $$K_{AB}$$ and a message to be forwarded to Bob.

$$A \rightarrow B: \{A, K_{AB}\}_{K_{BS}}, \{N_B\}_{K_{AB}}$$
 * Alice forwards the message to Bob and verifies $$N_A$$ has not changed. Bob will verify $$N_B$$ has not changed when he receives the message.

BAN-Yahalom
Burrows􏰂, Abadi􏰂 and Needham proposed a variant of this protocol in their 1989 paper as follows:

$$A \rightarrow B: A, N_A$$ $$B \rightarrow S: B, N_B, \{A, N_A\}_{K_{BS}}$$ $$S \rightarrow A: N_B, \{B, K_{AB}, N_A\}_{K_{AS}}, \{A, K_{AB}, N_B\}_{K_{BS}}$$ $$A \rightarrow B: \{A, K_{AB}, N_B\}_{K_{BS}}, \{N_B\}_{K_{AB}}$$

In 1994, Paul Syverson demonstrated two attacks on this protocol.