Cryptography Reference
PROTOCOL ASSUMPTIONS
As can be seen from Figure 9.3, Protocol 2 is very similar to Protocol 1. In fact, it
is in the protocol assumptions that the main differences lie:
Bob has access to a source of randomness. As for Protocol 1.
Alice has been issued with a signature key and Bob has access to a verification
key corresponding to Alice's signature key. This is the digital signature
scheme equivalent of the second assumption for Protocol 1.
Alice and Bob agree on the use of a strong digital signature scheme.
PROTOCOL DESCRIPTION
The description of Protocol 2 is exactly as for Protocol 1, except that:
• Instead of computing a MAC on the reply text, Alice digitally signs the reply text
using her signature key.
• Instead of computing and comparing the received MAC on the reply text, Bob
verifies Alice's digital signature on the reply text using her verification key.
PROTOCOL ANALYSIS
The analysis of Protocol 2 is exactly as for Protocol 1, except for:
Data origin authentication of Alice's reply. Under our second assumption, the
only entity who can compute the correct digital signature on the reply text
is Alice. Thus, given that her digital signature is verified, the received digital
signature must have been computed by Alice. Thus Bob indeed has assurance
that the reply (and by implication the reply text) was generated by Alice.
We therefore deduce that Protocol 2 also meets the three security goals.
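A run of Protocol 2 as an added Go example (not code from the original text), showing Bob accepting a fresh signed reply and rejecting the same reply replayed against a later challenge. It assumes Ed25519 as the signature scheme, a 16-byte nonce as Bob's random challenge, and a reply text made of the nonce, Bob's name and a fixed message; all function names are invented for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// replyText builds the text Alice signs: nonce || "|Bob|Yes, I'm OK" (assumed layout).
func replyText(nonce []byte) []byte {
	return append(append([]byte{}, nonce...), "|Bob|Yes, I'm OK"...)
}

// NewKeyPair issues Alice's signature key and the matching verification key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return vk, sk
}

// NewChallenge is Bob's step: draw a fresh nonce from his source of randomness.
func NewChallenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Respond is Alice's step: sign the reply text with her signature key.
func Respond(sk ed25519.PrivateKey, nonce []byte) (text, sig []byte) {
	return replyText(nonce), ed25519.Sign(sk, replyText(nonce))
}

// Verify is Bob's check: the text must carry his own nonce and the signature must verify.
func Verify(vk ed25519.PublicKey, nonce, text, sig []byte) bool {
	return bytes.Equal(text, replyText(nonce)) && ed25519.Verify(vk, text, sig)
}

func main() {
	vk, sk := NewKeyPair()
	nonce := NewChallenge()
	text, sig := Respond(sk, nonce)
	fmt.Println("fresh reply accepted:", Verify(vk, nonce, text, sig))
	fmt.Println("replayed reply accepted:", Verify(vk, NewChallenge(), text, sig))
}
```

Bob only ever needs the verification key here, so nothing he stores lets him (or anyone who compromises him) produce a reply that verifies as Alice's.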
REMARKS
Protocol 2 can be thought of as a public-key analogue of Protocol 1. So which one
is better?
• It could be argued that, especially in resource-constrained environments,
Protocol 1 has an advantage in that it is more computationally efficient, since
computing MACs generally involves less computation than signing and verifying
digital signatures.
• However, it could also be argued that Protocol 2 has the advantage that it could
be run between an Alice and Bob who have not pre-shared a key, so long as
Bob has access to Alice's verification key.
The real differences between these two protocols are primarily in the key
management issues that arise from the different assumptions. We will discuss
these in much greater detail in Chapters 10 and 11. It suffices to note that
this is such an application-dependent issue that many cryptographic protocols
come in two different 'flavours', along the lines of Protocol 1 and Protocol 2.