We will denote with and the public and secret keys for a generic user U, respectively. The protocol uses nonces: random numbers generated fresh for use in a single run of the protocol, so that a message captured from one run cannot be replayed into another. In general, will represent a nonce generated by A.
The protocol starts with A consulting the authentication server in order to obtain B 's public key:
where the notation
means that is sending the message Msg to
.
AS replies with:
where is the authentication server's secret key. So the AS is signing the public key of B, and we assume that A knows the AS's public key , which A uses to verify (decrypt) the signed message. Without this signature an attacker on the path between A and AS could substitute its own public key for B's.
The next step is to initiate the communication with B:
Since the message is encrypted with B's public key, only B can decrypt it. The message means that someone claiming to be A wishes to establish a communication; is the nonce generated by A.
B decrypts the message and, just as A did, asks AS for A's public key:
At this point a double handshake is needed so that A and B can authenticate each other:
In the first message B replies to A, sending a new nonce together with the one received from A ( ), both encrypted with A's public key. When A receives its own nonce back, A can conclude that it is really talking with B, since only B could have decrypted the message sent by A containing . In the second message A replies to B, sending back B's nonce. Following the same reasoning, B will conclude that it is indeed talking with A. This second conclusion is actually unsound: Lowe (1995) showed that if A starts a run with a dishonest party, that party can re-encrypt A's first message for B and relay the rest of the handshake, so that B accepts the session as coming from A. The standard fix is for B to include its own identity in the first handshake message, so that A can check who answered.
The protocol consists of seven steps, but four of them (the two requests to AS and its two signed replies) can be skipped if A and B keep local caches of commonly used public keys.
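The three handshake messages described above, as an added example that is not part of the original page: a symbolic (Dolev-Yao style) Python model of the exchange in the cached-key case, where A and B already hold each other's public keys so the four AS steps are omitted. Public-key encryption is modelled only by recording the intended recipient of a ciphertext, which is enough to reason about who can read what; the class, function and principal names (`Initiator`, `Responder`, the intruder `I`) are this example's own. Besides the honest run it plays out Lowe's relay attack, in which B wrongly accepts a session as coming from A, and shows that adding B's identity to the first handshake message makes A abort the relayed run.

```python
# Added example: symbolic model of the Needham-Schroeder public-key handshake
# (the message A -> B, the reply B -> A and the final A -> B), assuming A and
# B already cache each other's public keys. Encryption is symbolic: a
# ciphertext records its intended recipient and only that principal can open
# it. This is a model for reasoning about the protocol, not real cryptography.
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Enc:
    """Payload encrypted under the public key of `recipient`."""
    recipient: str
    payload: tuple


def pk_encrypt(recipient, *fields):
    return Enc(recipient, tuple(fields))


def pk_decrypt(me, ct):
    # Only the owner of the matching secret key can decrypt.
    if ct.recipient != me:
        raise PermissionError(f"{me} holds no secret key for {ct.recipient}")
    return ct.payload


def fresh_nonce():
    return secrets.token_hex(8)


class Initiator:
    """A: starts a session with `peer`."""

    def __init__(self, name, peer):
        self.name, self.peer, self.na = name, peer, None

    def step3(self):
        self.na = fresh_nonce()
        return pk_encrypt(self.peer, self.na, self.name)        # {Na, A}_pk(peer)

    def step7(self, msg6):
        fields = pk_decrypt(self.name, msg6)                     # {Na, Nb[, B]}_pk(A)
        if fields[0] != self.na:
            raise ValueError("Na mismatch: reply does not belong to this run")
        # Lowe's fix: when the reply names its sender, it must be the intended peer.
        if len(fields) == 3 and fields[2] != self.peer:
            raise ValueError(f"reply came from {fields[2]}, not {self.peer}")
        return pk_encrypt(self.peer, fields[1])                  # {Nb}_pk(peer)


class Responder:
    """B: accepts a session; with fixed=True it adds its own name to the reply (Lowe's fix)."""

    def __init__(self, name, fixed=False):
        self.name, self.fixed, self.nb, self.claimed = name, fixed, None, None

    def step6(self, msg3):
        na, self.claimed = pk_decrypt(self.name, msg3)           # whoever the message claims to be from
        self.nb = fresh_nonce()
        extra = (self.name,) if self.fixed else ()
        return pk_encrypt(self.claimed, na, self.nb, *extra)     # {Na, Nb[, B]}_pk(claimed)

    def step7(self, msg7):
        (nb,) = pk_decrypt(self.name, msg7)
        if nb != self.nb:
            raise ValueError("Nb mismatch")
        return self.claimed   # B now believes it is talking with this principal


def honest_run(fixed=False):
    """A talks to B directly; B ends up believing its peer is A."""
    a, b = Initiator("A", "B"), Responder("B", fixed)
    return b.step7(a.step7(b.step6(a.step3())))


def lowe_attack(fixed=False):
    """A opens a session with the intruder I, who relays it to B under A's name.
    Returns the peer B believes it is talking with, or None if A aborts the run."""
    a, b = Initiator("A", "I"), Responder("B", fixed)
    na, _ = pk_decrypt("I", a.step3())                 # I can read {Na, A}_pk(I)
    msg6 = b.step6(pk_encrypt("B", na, "A"))           # I -> B: {Na, A}_pk(B), posing as A
    try:
        msg7 = a.step7(msg6)                           # I forwards {Na, Nb}_pk(A) unchanged
    except ValueError:
        return None                                    # only happens with Lowe's fix in place
    (nb,) = pk_decrypt("I", msg7)                      # A answers I with {Nb}_pk(I): I learns Nb
    return b.step7(pk_encrypt("B", nb))                # I -> B: {Nb}_pk(B); B accepts "A"


if __name__ == "__main__":
    print("honest run, B's peer:", honest_run())
    print("Lowe attack, B's peer:", lowe_attack())
    print("Lowe attack with fix, B's peer:", lowe_attack(fixed=True))
```

In the unfixed run `lowe_attack()` returns `"A"`: every check the page describes passes for B, yet B's only genuine peer is I. With `fixed=True`, B's reply carries its name, A sees that the answer came from B while it was talking to I, and refuses to release Nb, so the relay fails.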