Cryptography Reference
In-Depth Information
Analysis
The checks by Alice in step 3 and Bob in step 4, that their unique random
number choices match, are intended to thwart replay attacks. The built-in
challenge-response protocol is given as follows. Alice's challenge number $r_A$ is
sent to Bob, who responds with his signature affixed to it, thereby verifying
himself to her. Bob then sends his challenge $r_B$ to Alice, who responds with her
signature affixed, thereby verifying her identity to him. The protocol gets its
name from the fact that three messages $m_1, m_2, m_3$ are exchanged; it is sometimes
called the three-pass authentication and key-agreement protocol. This is similar
to what is called the X-509 strong three-way authentication protocol (see Section
7.4).
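The nonce checks described above can be exercised in a short simulation. This is an added example, not code from the book: the message layout, the hypothetical `Party` and `run` names, and the toy Schnorr signature standing in for the unspecified signature scheme are all assumptions, and the group parameters are for illustration only.

```python
import hashlib, secrets

# Toy Schnorr signatures over Z_p^* (assumed stand-in; illustration-only parameters).
P = 2**255 - 19          # a known prime; exponents are reduced mod P - 1
G = 2

def _h(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x, *msg):
    k = secrets.randbelow(P - 2) + 1
    R = pow(G, k, P)
    return R, (k + _h(R, *msg) * x) % (P - 1)

def verify(y, sig, *msg):
    R, s = sig
    return pow(G, s, P) == (R * pow(y, _h(R, *msg), P)) % P

class Party:
    def __init__(self, name):
        self.name = name
        self.priv, self.pub = keygen()
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.randbits(128)    # fresh random number for each run
        return self.nonce

    def respond(self, peer_nonce, peer_name):
        # Signature affixed to (own nonce, peer's nonce, peer's name).
        return sign(self.priv, self.nonce, peer_nonce, peer_name)

    def accept(self, peer, peer_nonce, sig):
        # Valid only if the signed nonce is the one this party chose in THIS run.
        return verify(peer.pub, sig, peer_nonce, self.nonce, self.name)

def run(alice, bob, replayed_m2=None):
    r_a = alice.challenge()                                   # m1: A -> B : r_A
    r_b = bob.challenge()
    m2 = replayed_m2 or (r_b, bob.respond(r_a, alice.name))   # m2: B -> A
    if not alice.accept(bob, m2[0], m2[1]):
        return False, m2                                      # stale r_A: reject
    m3 = alice.respond(m2[0], bob.name)                       # m3: A -> B
    return bob.accept(alice, r_a, m3), m2
```

Passing the `m2` recorded from one run as `replayed_m2` in a later run makes Alice's check fail, because the recorded signature covers her old nonce rather than the fresh one.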
We have seen key establishment, key agreement, and entity authentication
schemes based strictly on SKC and strictly on PKC. An example of a hybrid key
agreement and authentication protocol, called Encrypted Key Exchange (EKE),
was introduced by Bellovin and Merritt [17] in 1992, with a patent granted to
the inventors in 1993 (see [18]). For a full description and analysis of EKE,
see [170, pages 169-171]. Since the inception of EKE, it has evolved into a
family of protocols most of which are stronger than the original. For instance,
in 1996, the Simple Password Exponential Key Exchange (SPEKE) was developed
(see [129]). Both EKE and SPEKE allow use of a small password to
provide authentication and key agreement over an unsecured channel. However,
password-based protocols are subject to password sniffing, which is an attack
in which an adversary listens to data traffic that includes secret passwords in
order to capture and use them at a later time. To give an example from the
Internet, we need to define TCP/IP, which is the acronym for Transmission
Control Protocol/Internet Protocol, the set of communications protocols used to
connect hosts on the Internet. Hosts are those computers that provide services
to other computers and to users on a network (such as the Internet). The Internet
itself is the globally interconnected network of computers using, mainly,
the set of Internet protocols. TCP/IP uses several protocols, the two main ones
being TCP and IP. TCP/IP is used by the Internet, and is considered to be the
de facto standard for transmitting data over networks. We will discuss these
protocols in Section 5.7. Now we return to the issue of password sniffing.
Eavesdropping on a TCP/IP network can easily be accomplished against
protocols that transmit passwords in the clear. In addition, if password protocols
require the passwords to be stored in the host, usually hashed, then
revealing the stored values would compromise security. The biggest problem with the
EKE family is that they require what is called plaintext-equivalence, meaning
that both the client and the server/host are required to have access to the same
secret password or hash thereof. There are versions, such as Augmented EKE
(A-EKE) (see [19]), that make EKE a verifier-based protocol. We will use the
password/verifier terminology to mean the same as the private/public key pairs in
PKC with the modification that the verifier is stored and kept secret by the
server/host. The verifier is similar to the public key in that it can easily be
computed from the password, but it is computationally infeasible to compute