Needham–Schroeder (protocol)

From Bauman National Library
This page was last modified on 2 June 2016, at 21:41.


This name is used for both symmetrical (using a trusted third party) and asymmetrical schemes of authentication and session key generation. They were invented by M.Schroeder and R.Needham in 1978.

Symmetric version


This protocol is used for a mutual authentication and shared secret key generation for establishing a secure connection with the use of trusted third party. Later this protocol became a base for a range of symmetric authentication protocols, in particular Kerberos.


The protocol is used by two users and and a trusted party (Key Generator Center), which has shared symmetric keys with users ( and respectively).


  1. sends a plaintext information about the requested connection to the trusted party: his ID, 's ID and a random number :
  2. generates a session key and forms a package for , which contains the random , generated by , 's IS, session key and a package for : a session key and 's ID, encrypted with . KDC encrypt the whole package with a key, shared between him and and sends it to :
  3. decrypts the package and checks and 's ID. This makes impossible for malefactor to spoof or impersonate , by changing the recepient ID in 's first message. Then resends to his part of the package:
  4. Having decrypted the message, discovers the session key and interlocutor's ID. After that the checking happens: generates a random and sends it, encrypted with a session key, to :
  5. decrypts a message and sends to the confirmation of the successful session establishment: , decreased by 1 and encrypted with the session key:

Asymmetric version


This protocol version uses asymmetric cryptography, which means that shared secrets between users and a trusted third party are not needed. It allows users to discover each others's public keys and perform a mutual authentication of each other and the third party.


Two users participate the process: and also a trusted key generator center: . All of them have public/private key pairs: respectively. knows public keys of the users and users know 's public key.


  1. sends a request for establishing a secure messaging channel with :
  2. sends to a message with 's public key and 's ID, signed with his digital signature (encrypted with a secret key):
  3. verifies (by decrypting the message with 's public key) and gets public key. After that forms a package for : 's ID and a random number , encrypts it with 's public key and sends to :
  4. decrypts the package and finds out 's desire to start communication. Then makes a similar request for 's public key:
  5. sends to a signed 's public key:
  6. Now all the participants know public keys of each other. They need to authenticate and make sure that the connection is set up correctly. generates a random number and sends it and , he got earlier, to in encrypted form:
  7. decrypts 's package and checks . If everything is all right, encrypts with 's public key and sends back to :


В. Мао Современная криптография: теория и практика. — "Вильямс", 2005. — С.76-84 — ISBN 5-8459-0847-7

Roger M. Needham, Michael D. Schroeder Using encryption for authentication in large networks of computers. — Commun. ACM. — New York, NY, USA: ACM, 1978. — Vol. 21, fasc. 12. — P. 993—999.

Bruce Schneier Applied Cryptography. — Wiley, 1996. — pp. 47 et seq. — ISBN 978-0-471-11709-4.