Editing Key-agreement protocol (section)

== Symmetric key agreement ==

Symmetric key agreement (SKA) is a method of key agreement that uses solely [[Symmetric-key algorithm|symmetric cryptography]] and [[cryptographic hash function]]s as [[cryptographic primitive]]s. It is related to symmetric authenticated key exchange.<ref name="Boyd2021">{{cite book |last1=Boyd |first1=Colin |last2=Davies |first2=Gareth T. |last3=de Kock |first3=Bor |last4=Gellert |first4=Kai |last5=Jager |first5=Tibor |last6=Millerjord |first6=Lise |chapter=Symmetric Key Exchange with Full Forward Security and Robust Synchronization |series=Lecture Notes in Computer Science |title=Advances in Cryptology – ASIACRYPT 2021 |date=2021 |volume=13093 |pages=681–710 |doi=10.1007/978-3-030-92068-5_23 |chapter-url=https://hdl.handle.net/handle/11250/2989781 |publisher=Springer International Publishing |hdl=11250/2989781 |isbn=978-3-030-92067-8 |language=en}}</ref>

SKA may assume the use of initial [[shared secret|shared secrets]]<ref name="Boyd2021"/> or a [[trusted third party]] with whom the agreeing parties share a secret is assumed.<ref>{{cite journal |last1=Pagnia |first1=Henning |last2=Gaertner |first2=Felix |title=On the impossibility of fair exchange without a trusted third party |journal=Echnical Report TUD-BS-1999-02 |date=1999 |pages=1–15 |url=https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=208b22c7a094ada20736593afcc8c759c7d1b79c}}</ref> If no third party is present, then achieving SKA can be trivial: we tautologically assume that two parties that share an initial secret and have achieved SKA.  

SKA contrasts with key-agreement protocols that include techniques from [[Public-key cryptography|asymmetric cryptography]], such as [[key encapsulation mechanism]]s. 

The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted [[courier]].  

An example of a SKA protocol is the [[Needham–Schroeder protocol]]. It establishes a [[session key]] between two parties on the same [[computer network|network]], using a [[server (computing)|server]] as a trusted third party.  
The original Needham–Schroeder protocol is vulnerable to a replay attack. [[Timestamp]]s and [[cryptographic nonce|nonces]] are included to fix this attack. It forms the basis for the [[Kerberos (protocol)|Kerberos protocol]].

=== Types of key agreement ===

Boyd et al.<ref name="Boyd2020">{{cite book |last1=Boyd |first1=Colin |last2=Mathuria |first2=Anish |last3=Stebila |first3=Douglas |title=Protocols for Authentication and Key Establishment |series=Information Security and Cryptography |date=2020 |doi=10.1007/978-3-662-58146-9 |isbn=978-3-662-58145-2 |url=https://link.springer.com/book/10.1007/978-3-662-58146-9 |language=en}}</ref> classify two-party key agreement protocols according to two criteria as follows:
# whether a pre-shared key already exists or not
# the method of generating the [[session key]].

The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key.<ref>{{cite journal |last1=Boyd |first1=C. |title=Security architectures using formal methods |journal=IEEE Journal on Selected Areas in Communications |date=June 1993 |volume=11 |issue=5 |pages=694–701 |doi=10.1109/49.223872 |url=https://gnusha.org/~nmz787/pdf/Security%20Architectures%20Using%20Formal%20Methods.pdf}}</ref>

The session key may be generated via: key transport, key agreement and hybrid. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.