The Needham–Schroeder protocol is one of the two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder. These are:

Here, Alice ${\displaystyle (A)}$ initiates the communication to Bob ⁠${\displaystyle B}$⁠. ${\displaystyle S}$ is a server trusted by both parties. In the communication:

The protocol can be specified as follows in security protocol notation:

The protocol is vulnerable to a replay attack (as identified by Denning and Sacco). If an attacker uses an older, compromised value for ⁠${\displaystyle K_{AB}}$⁠, he can then replay the message ${\displaystyle \{K_{AB},A\}_{K_{BS}}}$ to Bob, who will accept it, being unable to tell that the key is not fresh.

This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below. At the beginning of the protocol:

The protocol then continues as described through the final three steps as described in the original protocol above. Note that ${\displaystyle N_{B}'}$ is a different nonce from ⁠${\displaystyle N_{B}}$⁠. The inclusion of this new nonce prevents the replaying of a compromised version of ${\displaystyle \{K_{AB},A\}_{K_{BS}}}$ since such a message would need to be of the form ${\displaystyle \{K_{AB},A,N_{B}'\}_{K_{BS}}}$ which the attacker can't forge since she does not have ⁠${\displaystyle K_{BS}}$⁠.

This assumes the use of a public-key encryption algorithm.

Here, Alice ${\displaystyle (A)}$ and Bob ${\displaystyle (B)}$ use a trusted server ${\displaystyle (S)}$ to distribute public keys on request. These keys are: