Cryptography Reference
In-Depth Information
concatenated to his identifier
Bob
and a meaningful response to his query
(in this case,
Yes, I'm OK
).
(b) Bob computes a MAC on the received reply text with key
K
(which he
shares with Alice) and checks to see if it matches the received MAC.
(c) If both of these checks are satisfactory then Bob accepts the reply and
ends the protocol. We say that the protocol successfully
completes
if this
is the case.
PROTOCOL ANALYSIS
We now check whether, if it successfully completes, Protocol 1 meets the required
goals:
Data origin authentication of Alice's reply
. Under our second assumption, the
only entity other than Bob who can compute the correct MAC on the reply
text is Alice. Thus, given that the received MAC is correct, the received MAC
must have been computed by Alice. Thus Bob indeed has assurance that the
reply (and by implication the reply text) was generated by Alice.
Freshness of Alice's reply
. The reply text includes the nonce
r
B
, which Bob
generated at the start of the protocol. Thus, by the principles discussed in
Section 8.2.3, the reply is fresh.
Assurance that Alice's reply corresponds to Bob's request
. There are two pieces
of evidence in the reply that provide this:
1. Firstly, and most importantly, the reply contains the nonce
r
B
, which Bob
generated for this run of the protocol. By our first protocol assumption, this
nonce is very unlikely to ever be used for another protocol run, thus the
appearance of
r
B
in the replymakes it almost certain that the reply corresponds
to his request.
2. The reply contains the identifier
Bob
.
It will not be immediately obvious why both of these pieces of data are needed
(the first might seem enough). However, in Protocol 3 we will discuss what
might happen if the identifier
Bob
is removed from this protocol.
Thus we deduce that Protocol 1 does indeed meet the three security goals for
our simple application. Note that all four of the components of a cryptographic
protocol that we identified in Section 9.1.3 play a critical role in Protocol 1:
The protocol assumptions
. If the protocol assumptions do not hold then, even
when the protocol successfully completes, the security goals are not met.
For example, if a third entity Charlie also knows the MAC key
K
then Bob
cannot be sure that the reply comes from Alice, since it could have come from
Charlie.
The protocol flow
. Clearly the two messages in this protocol must occur in
the specified order, since the reply cannot be formed until the request is
received.
