Wide Mouth Frog protocol
The Wide-Mouth Frog protocol is a computer network authentication protocol designed for use on insecure networks (the Internet, for example). It lets two parties communicating over a network prove their identity to each other through a trusted server, and is intended to resist eavesdropping and replay while providing for the detection of modification and the prevention of unauthorized reading. Its freshness guarantees rest on timestamps rather than nonces, so replay is only limited to the interval in which a timestamp is still accepted (see the problems listed below). The protocol's authentication goals were analysed in BAN logic in the paper that introduced it.

The protocol was first described under the name "The Wide-mouthed-frog Protocol" in the paper "A Logic of Authentication" (1990), which introduced Burrows–Abadi–Needham logic, and in which it was an "unpublished protocol ... proposed by" coauthor Michael Burrows. The paper gives no rationale for the protocol's whimsical name.

The protocol can be specified as follows in security protocol notation:
  • A, B, and S are identities of Alice, Bob, and the trusted server respectively
  • and are timestamps generated by A and S respectively
  • is a symmetric key known only to A and S
  • is a generated symmetric key, which will be the session key of the session between A and B
  • is a symmetric key known only to B and S




Note that to prevent active attacks, the encryption must be authenticated (or a separate message authentication code must be used): encryption alone does not let the recipient detect that a message was modified in transit.

The protocol has several problems:
  • a global clock is required, since A, S and B must agree closely enough on the time to check each other's timestamps.
  • the server S has access to all keys, including every session key it relays.
  • the value of the session key is completely determined by A, who must be competent enough to generate good keys.
  • an attacker can replay messages within the period in which the timestamp is still valid.
  • A is not assured that B exists, because B sends nothing back.
  • The protocol is stateful. This is usually undesirable because it requires more functionality and capability from the server. For example, S must be able to deal with situations in which B is unavailable.
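The exchange above, with the two messages relayed through S and the timestamp check at each hop, as an added example that is not part of the original article or of the BAN paper. The message contents (A's timestamp, B's name and the session key under the key A shares with S; S's timestamp, A's name and the session key under the key B shares with S) follow the protocol as published; everything else is an assumption of this example: the toy encrypt-then-MAC construction built from HMAC-SHA256 so it runs with the standard library only, the JSON encoding of the message bodies, the 30-second acceptance window, and the conventional names T_A, T_S, K_AS, K_BS and K_AB used in the comments. The replay helper shows the fourth problem in the list: a captured message 2 re-delivered to B inside the window is accepted a second time, and only the timestamp check stops it once the window has passed.

```python
"""Wide-Mouth-Frog run simulated in one process (added example, stdlib only)."""
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (encrypt-then-MAC) from HMAC-SHA256, so the example
# needs no third-party library. The cipher is an assumption of this example; the
# protocol only says the messages are encrypted, and the page notes that the
# encryption must be authenticated for the exchange to resist active attacks.
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: message modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

WINDOW = 30  # seconds a timestamp stays acceptable; an assumed policy, not fixed by the paper

def alice_msg1(k_as: bytes, k_ab: bytes, t_a: int):
    """Message 1, A -> S: A, {T_A, B, K_AB} under K_AS. A alone chooses K_AB."""
    body = json.dumps({"t": t_a, "b": "B", "k": k_ab.hex()}).encode()
    return ("A", aead_encrypt(k_as, body))

def server_msg2(msg1, keys: dict, t_s: int) -> bytes:
    """Message 2, S -> B: {T_S, A, K_AB} under K_BS. S must hold every long-term key."""
    sender, blob = msg1
    body = json.loads(aead_decrypt(keys[sender], blob))
    if abs(t_s - body["t"]) > WINDOW:
        raise ValueError("stale timestamp from " + sender)
    fwd = json.dumps({"t": t_s, "a": sender, "k": body["k"]}).encode()
    return aead_encrypt(keys[body["b"]], fwd)

def bob_accept(msg2: bytes, k_bs: bytes, t_b: int):
    """B checks S's timestamp and takes the session key; B sends nothing back to A."""
    body = json.loads(aead_decrypt(k_bs, msg2))
    if abs(t_b - body["t"]) > WINDOW:
        raise ValueError("stale timestamp from S")
    return body["a"], bytes.fromhex(body["k"])

def run(k_as: bytes, k_bs: bytes, k_ab: bytes, now: int):
    """One honest run; the clocks of A, S and B are assumed synchronised (the global clock)."""
    keys = {"A": k_as, "B": k_bs}
    m2 = server_msg2(alice_msg1(k_as, k_ab, now), keys, now + 1)
    return bob_accept(m2, k_bs, now + 2)

def replay_within_window(k_as: bytes, k_bs: bytes, k_ab: bytes, now: int):
    """Re-deliver a captured message 2 to B. Inside the window B accepts the same
    session key a second time (the replay problem listed on the page); once the
    window has expired the timestamp check rejects it."""
    keys = {"A": k_as, "B": k_bs}
    m2 = server_msg2(alice_msg1(k_as, k_ab, now), keys, now + 1)
    first = bob_accept(m2, k_bs, now + 2)
    second = bob_accept(m2, k_bs, now + WINDOW - 1)
    try:
        bob_accept(m2, k_bs, now + WINDOW + 100)
        late_rejected = False
    except ValueError:
        late_rejected = True
    return first == second, late_rejected

def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte; the MAC check must reject the message."""
    corrupted = bytearray(blob)
    corrupted[16] ^= 0x01
    try:
        aead_decrypt(key, bytes(corrupted))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    k_as, k_bs, k_ab = os.urandom(32), os.urandom(32), os.urandom(32)
    print("B accepted:", run(k_as, k_bs, k_ab, 1_000_000))
    print("replay accepted inside window, rejected after:", replay_within_window(k_as, k_bs, k_ab, 1_000_000))
```

The window is the trade-off the page's first and fourth problems describe: a tight window needs better-synchronised clocks, a loose one lengthens the interval in which a captured message 2 is replayable. Note also that B keeps no record of timestamps it has already seen; a practitioner adding such a cache to B is adding state that the protocol as published does not require.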

See also

  • Alice and Bob
  • Kerberos (protocol)
  • Needham–Schroeder protocol
  • Neuman–Stubblebine protocol
  • Otway–Rees protocol
  • Yahalom (protocol)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.