refactoring crypto handshakes (SSL in 3 easy steps)

Nicolas Williams Nicolas.Williams at
Mon Nov 12 18:00:27 EST 2007

On Thu, Nov 08, 2007 at 01:49:30PM -0600, travis+ml-cryptography at wrote:
> Three messages is the proven minimum for mutual authentication.  Last
> two messages all depend on the previous message, so minimum handshake
> time is 1.5 RTTs.

Kerberos V manages in one round-trip.  And it could do one round-trip
without a replay cache if it used ephemeral-ephemeral DH to exchange
sub-session keys.  (OTOH, high performance, secure replay caches are
difficult to implement, ultimately being limited by the number of write
to persistent storage ops that the system can manage.)

I think you might want to say that "three messages is the minimum for
mutual authentication with neither a replay cache nor a trusted third
party negotiating a key for use during the authentication exchanges."
Or something along those lines.

Of course, you might claim that the TGS exchanges should be added to the
number of messages needed for AP exchanges, but if you re-authenticate
often then you amortize the cost of the TGS exchanges over many AP

I think first and foremost we need authentication protocols to be
secure, while at the same time being algorithm agile.  I think you can
generally manage that in 1.5 round-trips optimistically, more when
optimistic negotiation fails.  And you can do better if you have
something like a KDC that can do negotiation out of band.
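The trade-off the post describes, one round trip bought with a replay cache, as an added example that is not part of the original message. It models a Kerberos-style AP exchange in miniature: the client sends an authenticator carrying its timestamp and a fresh nonce, the server checks the timestamp against a clock-skew window and a replay cache before answering, and the reply proves the server holds the same session key. HMAC tags stand in for Kerberos encryption, the session key is a constructed test value rather than one issued by a KDC, and the cache is an in-memory dict, so it shows the logic of the check rather than the persistent-write cost the post mentions.

```python
import hashlib
import hmac
import os

# Constructed sample session key; in Kerberos this would come from the TGS reply.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CLOCK_SKEW = 300  # seconds; the conventional Kerberos default


def mac(key, *parts):
    """Length-prefixed HMAC over the parts, standing in for Kerberos encryption."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class ReplayCache:
    """Remembers authenticators seen inside the clock-skew window."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # authenticator hash -> client time it carried

    def check_and_add(self, auth_hash, ctime, now):
        # Entries older than the window can never be replayed successfully
        # (the freshness check rejects them), so they are evicted here.
        for k, t in list(self.seen.items()):
            if now - t > self.skew:
                del self.seen[k]
        if auth_hash in self.seen:
            return False
        self.seen[auth_hash] = ctime
        return True


def make_ap_req(key, now):
    """Client -> server: authenticator with client time and a fresh nonce."""
    ctime = int(now).to_bytes(8, "big")
    nonce = os.urandom(16)
    return {"ctime": ctime, "nonce": nonce, "tag": mac(key, b"AP-REQ", ctime, nonce)}


def handle_ap_req(key, cache, req, now):
    """Server side: verify tag, freshness and replay; return AP-REP or None."""
    expected = mac(key, b"AP-REQ", req["ctime"], req["nonce"])
    if not hmac.compare_digest(expected, req["tag"]):
        return None
    ctime = int.from_bytes(req["ctime"], "big")
    if abs(now - ctime) > CLOCK_SKEW:
        return None  # stale or clock far off: reject
    auth_hash = hashlib.sha256(req["tag"]).digest()
    if not cache.check_and_add(auth_hash, ctime, now):
        return None  # same authenticator seen within the window: replay
    # Server -> client: echo the client's time and nonce under the shared key,
    # which is what makes the single round trip mutual.
    return {"ctime": req["ctime"], "tag": mac(key, b"AP-REP", req["ctime"], req["nonce"])}


def verify_ap_rep(key, req, rep):
    """Client side: the reply must be bound to this request's time and nonce."""
    if rep is None:
        return False
    expected = mac(key, b"AP-REP", req["ctime"], req["nonce"])
    return hmac.compare_digest(expected, rep["tag"])


def run_demo(now=1_700_000_000):
    """Fresh exchange succeeds; a replayed and a stale authenticator are refused."""
    cache = ReplayCache()
    req = make_ap_req(SESSION_KEY, now)
    first_ok = verify_ap_rep(SESSION_KEY, req, handle_ap_req(SESSION_KEY, cache, req, now + 1))
    replay = handle_ap_req(SESSION_KEY, cache, req, now + 2)
    stale = handle_ap_req(SESSION_KEY, cache, make_ap_req(SESSION_KEY, now - 2 * CLOCK_SKEW), now)
    return {"first_ok": first_ok, "replay_accepted": replay is not None, "stale_accepted": stale is not None}


if __name__ == "__main__":
    print(run_demo())
```

The two rejections are what the replay cache and the skew window buy: without the cache, a captured AP-REQ could be resent for the length of the skew window and accepted each time; without the window, the cache would have to grow without bound. Replacing the cache with an ephemeral-ephemeral DH exchange, as the post suggests, removes the need to remember anything server-side, at the cost of a key-agreement computation per exchange.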


The Cryptography Mailing List