Known key attack was first defined in my crypto'89, 90 papers. Recently Desmedt and Burmester used it (ACM'93, Crypto'94). KKA against authentication and key agreement protocols assumes that badguy has session keys and exchanged messages of some sessions other than the target session. It may be adaptive. Yacov ------- End of Forwarded Message