# Wide-Mouth Frog (protocol)

## Introduction

The origin of the protocol name is not known. This is one of the simplest key-agreement protocols that use a trusted third party. It was invented by M. Burrows, M. Abadi and R. Needham in 1989. Some modifications of this algorithm were invented later.

## Algorithm

### Setup

Users ${\displaystyle A}$ and ${\displaystyle B}$ who wish to start messaging must be known to ${\displaystyle KDC}$ (key distribution center) and must each share a secret key with it. Generating these keys is not part of the protocol; they have to be obtained beforehand.

### Work

1. ${\displaystyle A}$ generates a random session key ${\displaystyle k}$ that will be used in communication with ${\displaystyle B}$. Then ${\displaystyle A}$ puts together a package for ${\displaystyle KDC}$: a timestamp ${\displaystyle T_{A}}$, ${\displaystyle B}$'s identifier and the session key are encrypted with the key shared between ${\displaystyle A}$ and ${\displaystyle KDC}$, and sent to ${\displaystyle KDC}$ together with ${\displaystyle A}$'s identifier.
${\displaystyle A: [A,E_{k_{AC}}(T_A, B,k)]\to KDC}$
2. ${\displaystyle KDC}$ chooses the corresponding key and decrypts the package. It then forms a package for ${\displaystyle B}$ that contains a new timestamp, ${\displaystyle A}$'s identifier and the session key ${\displaystyle k}$. It encrypts the package with the key shared between ${\displaystyle KDC}$ and ${\displaystyle B}$ and sends it to ${\displaystyle B}$:
${\displaystyle KDC: [E_{k_{BC}}(T_C, A, k)]\to B}$
3. ${\displaystyle B}$ decrypts the package and obtains the session key ${\displaystyle k}$ and the ID of the user with whom the connection is established (${\displaystyle A}$).

## Modified version

### Description

During the investigations, some vulnerabilities of the protocol were found. For example, an attacker can make ${\displaystyle B}$ open more connections than were requested simply by repeating the messages from ${\displaystyle KDC}$. In the modified version, after the steps of the basic version, ${\displaystyle B}$ checks the correctness of the established connection: it sends ${\displaystyle A}$ a random number ${\displaystyle R_{B}}$ and waits to receive from ${\displaystyle A}$ the same number increased by ${\displaystyle 1}$.

### Setup

Initial conditions are the same as in the basic version.

### Work

1. ${\displaystyle A: [A,E_{k_{AC}}(T_A, B,k)]\to KDC}$
2. ${\displaystyle KDC: [E_{k_{BC}}(T_C, A, k)]\to B}$
3. ${\displaystyle B: E_k(R_B)\to A}$
4. ${\displaystyle A: E_k(R_B + 1)\to B}$
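
The basic steps and the modified version's check, as an added Python example that is not part of the original page. `seal`/`unseal` are a toy stand-in for ${\displaystyle E}$ built from the standard library, and the function names, JSON encoding and 5-second timestamp window are assumptions. `demo` has ${\displaystyle B}$ accept a replayed ${\displaystyle KDC}$ package in the basic steps and then reject it at the ${\displaystyle R_B + 1}$ check.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, ks))

def seal(key, obj):  # toy stand-in for E_key(...): keystream XOR plus HMAC tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered package")
    return json.loads(_xor(key, nonce, ct))

def open_fresh(key, blob, now, window=5):  # window in seconds is an assumed value
    t, *fields = unseal(key, blob)
    if abs(now - t) > window:
        raise ValueError("stale timestamp")
    return fields

def kdc_forward(keys, sender, blob, now):  # step 2: re-encrypt for the recipient
    dest, k = open_fresh(keys[sender], blob, now)
    return seal(keys[dest], [now, sender, k])

def b_accept(k_bc, blob, now):  # basic step 3: B learns the peer and k
    peer, k = open_fresh(k_bc, blob, now)
    return peer, bytes.fromhex(k)

def b_challenge(k):  # modified step 3: E_k(R_B)
    r_b = int.from_bytes(os.urandom(8), "big")
    return r_b, seal(k, r_b)

def b_verify(k, r_b, response):  # B's check of step 4: E_k(R_B + 1)
    return unseal(k, response) == r_b + 1

def demo(now=1000.0):
    k_ac, k_bc, k = (os.urandom(32) for _ in range(3))
    step1 = seal(k_ac, [now, "B", k.hex()])  # A: E_kAC(T_A, B, k)
    to_b = kdc_forward({"A": k_ac, "B": k_bc}, "A", step1, now + 1)
    peer, k_b = b_accept(k_bc, to_b, now + 2)
    r_b, chal = b_challenge(k_b)
    answer = seal(k, unseal(k, chal) + 1)  # A: E_k(R_B + 1)
    # Replayed KDC package inside the window; without k only the old answer exists.
    _, k_b2 = b_accept(k_bc, to_b, now + 3)
    r_b2, _ = b_challenge(k_b2)
    return peer, k_b == k, b_verify(k_b, r_b, answer), b_verify(k_b2, r_b2, answer)
```

`demo()` returns the peer ${\displaystyle B}$ learned, whether ${\displaystyle B}$ recovered ${\displaystyle k}$, the result of the genuine handshake, and the result of the handshake after the replay.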

## References

M. Burrows, M. Abadi, R. Needham. A Logic of Authentication. Research Report 39, Digital Equipment Corp. Systems Research Center, Feb. 1989. http://www.hpl.hp.com/techreports/Compaq-DEC/SRC-RR-39.pdf

Bruce Schneier. Applied Cryptography. Wiley, 1996, pp. 56 et seq. ISBN 978-0-471-11709-4.