We will denote with and the public and secret keys for a generic user U, respectively. The protocol uses nonces, random numbers generated to be used in a single run of the protocol. In general, will represent a nonce generated by A.
The protocol starts with A consulting the authentication server in order to obtain B 's public key:
where the notation
means that is sending the message Msg to .
AS replies with:
where is the authentication server's secret key. The AS is thus signing B's public key, and we assume that A knows the AS's public key , which can be used to decrypt the message.
The next step is to initiate the communication with B :
Since the message is encrypted with B's public key, only B can decrypt it. The message means that someone who claims to be A wishes to establish communication; is the nonce generated by A.
B decrypts the message and, similarly to A , asks for A 's public key to AS :
At this point a double handshake is needed to authenticate A and B to one another:
In the first message B replies to A, sending the new nonce and the one received from A (), both encrypted with A's public key. When A receives the nonce back, (s)he can conclude that (s)he is really talking with B, since only B could have decrypted the message sent by A containing . In the second message A replies to B, sending back the nonce. Following the same reasoning as above, B will conclude that (s)he is indeed talking with A.
The protocol consists of seven steps, but four of them can be avoided if A and B keep local caches of commonly used public keys.
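The seven-step exchange described above, simulated end to end as an added example (this is not code from the original text). Encryption and signatures are modelled symbolically as tagged tuples rather than with real ciphers, so the simulation shows which party can open which message and which nonce check each side performs; the names AS, A and B, the nonce variables n_a and n_b, and the KeyPair, AuthServer and Principal classes are this example's own assumptions. The second run shows the cached variant, where both sides already hold the other's public key and the four AS messages are skipped.

```python
# Symbolic (Dolev-Yao style) run of the seven-step public-key protocol.
# Encryption and signing are tagged tuples, not real cryptography; all names
# (AS, A, B, n_a, n_b, the classes below) are this example's assumptions.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    owner: str
    pk: str   # public key, modelled as an opaque label
    sk: str   # secret key; holding this object stands for holding the key


@dataclass(frozen=True)
class Enc:
    """Message encrypted under pk; only the matching KeyPair can open it."""
    pk: str
    body: tuple


@dataclass(frozen=True)
class Sig:
    """Message signed with the secret key paired with signer_pk."""
    signer_pk: str
    body: tuple


def keygen(owner: str) -> KeyPair:
    return KeyPair(owner, f"PK_{owner}", f"SK_{owner}")


def encrypt(pk: str, *body) -> Enc:
    return Enc(pk, body)


def decrypt(kp: KeyPair, ct: Enc) -> tuple:
    if ct.pk != kp.pk:
        raise PermissionError(f"{kp.owner} cannot decrypt a message for {ct.pk}")
    return ct.body


def sign(kp: KeyPair, *body) -> Sig:
    return Sig(kp.pk, body)


def verify(expected_pk: str, sig: Sig) -> tuple:
    if sig.signer_pk != expected_pk:
        raise ValueError("signature not from the expected key")
    return sig.body


class AuthServer:
    """AS: keeps a directory of public keys and signs each lookup reply."""
    def __init__(self):
        self.kp = keygen("AS")
        self.directory = {}

    def lookup(self, target: str) -> Sig:
        return sign(self.kp, self.directory[target], target)


class Principal:
    def __init__(self, name: str, server: AuthServer):
        self.name, self.server, self.kp = name, server, keygen(name)
        server.directory[name] = self.kp.pk
        self.as_pk = server.kp.pk
        self.cache = {}   # local cache of other users' public keys

    def public_key_of(self, target: str, transcript: list) -> str:
        if target in self.cache:          # cached: both AS messages are skipped
            return self.cache[target]
        transcript.append((self.name, "AS", (self.name, target)))
        reply = self.server.lookup(target)
        transcript.append(("AS", self.name, reply))
        pk, owner = verify(self.as_pk, reply)
        if owner != target:               # reply signed for a different user
            raise ValueError("public key does not belong to requested user")
        self.cache[target] = pk
        return pk


def run_protocol(a: Principal, b: Principal, transcript: list) -> dict:
    """Run the handshake; report message count and what each side concluded."""
    pk_b = a.public_key_of(b.name, transcript)            # steps 1-2 (or cached)
    n_a = secrets.token_hex(8)
    msg3 = encrypt(pk_b, n_a, a.name)                     # step 3: {n_a, A}_PK_B
    transcript.append((a.name, b.name, msg3))

    n_a_seen, claimed = decrypt(b.kp, msg3)               # only B can open it
    pk_a = b.public_key_of(claimed, transcript)           # steps 4-5 (or cached)
    n_b = secrets.token_hex(8)
    msg6 = encrypt(pk_a, n_a_seen, n_b)                   # step 6: {n_a, n_b}_PK_A
    transcript.append((b.name, a.name, msg6))

    n_a_back, n_b_seen = decrypt(a.kp, msg6)
    a_authenticated_b = secrets.compare_digest(n_a_back, n_a)  # n_a came back
    msg7 = encrypt(pk_b, n_b_seen)                        # step 7: {n_b}_PK_B
    transcript.append((a.name, b.name, msg7))

    (n_b_back,) = decrypt(b.kp, msg7)
    b_authenticated_a = secrets.compare_digest(n_b_back, n_b)  # same reasoning
    return {"steps": len(transcript),
            "a_authenticated_b": a_authenticated_b,
            "b_authenticated_a": b_authenticated_a}


def demo() -> tuple:
    """Cold run (seven messages) followed by a warm-cache run (three)."""
    server = AuthServer()
    alice, bob = Principal("A", server), Principal("B", server)
    return run_protocol(alice, bob, []), run_protocol(alice, bob, [])


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The nonce comparisons are the whole point of steps 6 and 7: A accepts B only because the value it encrypted for B in step 3 came back, and B accepts A only because its own nonce came back under B's public key. The `owner != target` check in `public_key_of` is the reason the AS signs the user's name together with the key rather than the key alone.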