The Andrew secure RPC allows two parties, A and B (usually a client and a server), who already share a key Kab, to agree upon a new key K'ab. The protocol also performs an authentication handshake. There are four messages in the protocol exchange. The first three, A and B perform a handshake using a shared secret Kab. In the final message, B sends a new key K'ab to A. The protocol can be summarised as follows. Note that nonce Na is chosen by A and nonces N'b, Nb are chosen by B.
- A → B : {Na}Kab
- B → A : {Na + 1, Nb}Kab
- A → B : {Nb + 1}Kab
- B → A : {K'ab, N'b}Kab
Problems with the protocol:
- That is, there is nothing that can guarantee that K'ab is fresh.
- An intruder could record the second message and substitute it in place of the fourth. The result is that A would accept Na + 1 as a new key. However, for this attack to be successful, it depends on the property of the nonce Na, i.e., whether or not the nonce is predictable.