Cryptography Reference
In-Depth Information
where seed is s and algorithm specifies on which algorithm H is based. The user
then cross-checks that the sequence integer is correct and sends $p_i$ to the server. The
server rejects the user if $H(p_i) \neq p$. Otherwise, the server accepts, replaces $p$ by $p_i$,
and increments $i$. Note that the user can either recompute $p_i$ from the seed and his
pass-phrase or keep a list of all $p_i$'s.
5.4 Key Distribution
Access control is a typical example of security protocols which involve conventional
cryptography. Another important example is key agreement, key transmission, key
distribution, or more generally key establishment. In many security applications, we
need to share secret keys (as for conventional encryption, MAC, access control) over
an insecure channel. Sometimes, one party needs to transmit its key to the other in a
secure way. But sometimes, both parties only need to agree on a fresh common secret
key.²
When two parties who do not share any common secret want to agree on a secret
key with conventional cryptography, they need to use services from a third party. Many
protocols require a key distribution center (KDC) which shares a secret key with every
participant.
5.4.1 The Needham-Schroeder Authentication Protocol
In the Needham-Schroeder protocol, a client C wants to access a server S so S has to
be able to authenticate C (see Ref. [138]). The server does not have a database with all
potential clients though. They use an authentication server (AS),³ which is assumed to
share a secret key with each individual. For instance, C and AS share a key $K_C$, S and
AS share a key $K_S$, etc.
When C wants to access S, he first sends a request for authentication with S to
AS in clear with a nonce $N$. A nonce is a random number which should be used once
(“nonce” is a contraction of “number” and “once”). Then, AS replies to C with a
message encrypted with $K_C$, which includes a fresh key $K$, the identity $I_S$ of S, the
nonce $N$, and a ticket $C_{K_S}(K, I_C)$ which includes $K$ and the identity $I_C$ of C. C can
then send the ticket $C_{K_S}(K, I_C)$ to S. S can decrypt it, authenticate himself by sending
$C_K(N)$, and C authenticates himself by replying $C_K(N + 1)$ (see Fig. 5.3).
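The message flow just described, as an added example that is not from the book. $C_K(\cdot)$ is played by a standard-library encrypt-then-MAC stand-in rather than a production cipher; the names `seal`, `unseal`, `as_reply`, `client_open` and `run`, the JSON encoding, and the separate name `n_s` for the nonce S picks for its challenge are assumptions of this example.

```python
import hashlib, hmac, json, secrets

def _stream(key, iv, n):
    # Keystream from HMAC-SHA256 in counter mode (stdlib stand-in for a real cipher).
    out = b"".join(hmac.new(key, b"enc" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, obj):
    """Plays the role of C_K(obj): encrypt, then append a MAC tag."""
    pt, iv = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

def as_reply(long_term, i_c, i_s, n):
    """AS: fresh K, ticket C_{K_S}(K, I_C), everything sealed under K_C."""
    k = secrets.token_bytes(32).hex()
    ticket = seal(long_term[i_s], [k, i_c]).hex()
    return seal(long_term[i_c], [k, i_s, n, ticket])

def client_open(k_c, reply, i_s, n):
    """C: accept the reply only if it names S and echoes C's own nonce."""
    k, got_s, got_n, ticket = unseal(k_c, reply)
    if (got_s, got_n) != (i_s, n):
        raise ValueError("reply does not match this request")
    return bytes.fromhex(k), bytes.fromhex(ticket)

def run(long_term, i_c="C", i_s="S"):
    n = secrets.randbits(64)                          # C -> AS: I_C, I_S, N in clear
    k, ticket = client_open(long_term[i_c], as_reply(long_term, i_c, i_s, n), i_s, n)
    k_srv, peer = unseal(long_term[i_s], ticket)      # C -> S: ticket; S opens it with K_S
    k_srv, n_s = bytes.fromhex(k_srv), secrets.randbits(64)
    challenge = seal(k_srv, n_s)                      # S -> C: C_K(N), N chosen by S
    answer = seal(k, unseal(k, challenge) + 1)        # C -> S: C_K(N + 1)
    return peer == i_c and unseal(k_srv, answer) == n_s + 1

KEYS = {"C": secrets.token_bytes(32), "S": secrets.token_bytes(32)}  # constructed K_C, K_S
```

C never learns $K_S$ and cannot read or alter the ticket; it only forwards it, and S trusts the ticket because only AS could have sealed it under $K_S$.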
Here, the fresh key $K$ is generated by AS in order to secure the communication
between C and S. AS makes sure that only C and S are able to retrieve it by using the
encryption with $K_C$ and $K_S$. The ticket sent by C to S must be generated by AS since
² We refer to Boyd and Mathuria (Ref. [37]) for a complete treatment of authenticated key establishment
protocols.
³ Here, “authentication server” is another terminology for “key distribution center.”