Information Technology Reference
In-Depth Information
Notations used:
IDA: Username of A
N1 & N2: Nonce
k: Shared secret key between A(user) & S(server)
F: Transformation function
E K : Encryption using key k
H[pwd]: Hash of the password
6
ZK-PAP with PKE
This section briefs about the other version of the ZK-PAP protocol described above.
This version of the protocol makes use of public key encryption[4] in order to give an
added level of security and also enable two-way authentication ie. the verifier(server)
can authenticate the prover(client) and vice versa.
Here it is assumed that all the users have (or can get) the public key of the server
and the server has or can receive public keys of all the users. The protocol works as
follows:
The user, say A sends his username and a nonce to the server after encrypting it
with server's public key.
The server decrypts the message with his private key and extracts the value of the
nonce N1.
The server then generates a nonce N2 and a random session key k, concatenates
N1, k & N2 , encrypts them with hash of the password of user A, then with public
key of the user A and sends the encrypted data to A.
User A then decrypts the received encrypted data with his private key, then with
the hash of his password and extracts the values of N1, N2 & k. He then matches
the value of received nonce N1 & the generated value of N1.
If match occurs, then A extracts the value of k & nonce N2, applies the
transformation function F on N2 and encrypts the transformed value first with the
session key k, then with public key of the server and sends the encrypted message
to the server.
The server decrypts the received value with its private key & then with the shared
session key.
The user A is allowed to login if the server receives the expected value else access
is denied.
As it can be seen from the above steps, only server will be able to extract the correct
value of nonce N1 as it was encrypted with server's public key. Thus, if the client
receives correct value of the nonce N1 from the server, it knows that the message was
sent by the server itself and not by some intruder. Thus, use of public key encryption
also allows the client to authenticate the server thus enabling mutual authentication.
Also, a series of challenge can be exchanged between the server and client to
ensure that only an authorized person is logged in. This will also solve the problem of
logged-in but unattended systems or workstations.
Search WWH ::




Custom Search