Cryptography Reference
In-Depth Information
However, there is a problem. Bob does not know
T
A
. Even if they have perfectly
synchronised clocks, the time that Alice issues
T
A
will not be the same time that
Bob receives the message due to communication delays. Thus Bob does not know
all the reply text on which the MAC is computed, and hence cannot verify the
MAC to obtain data origin authentication. The only option is for Bob to check all
the possible timestamps
T
A
within a reasonable window and hope that he finds
one that matches. While this is inefficient, it is worth noting that this technique is
sometimes used in real applications to cope with time delays and clock drift (see
Section 8.2.1).
REMARKS
Protocol 7 is easily fixed by including
T
A
in both versions of the reply text, as is
done in Protocol 6. Nonetheless, this protocol flaw demonstrates how sensitive
cryptographic protocols are to even the slightest 'error' in their formulation.
9.3.9
Simple protocol summary
That is enough protocol variants for now! Hopefully the important points have
been highlighted as a result of this analysis:
There is no one correct way to design a cryptographic protocol
. Of the
seven variants that we studied, three provide all three security goals, despite
being different protocols. The choice of the most suitable protocol design
thus depends on what assumptions are most suitable for a given application
environment.
Designing cryptographic protocols is hard
. The deficiencies of several of these
protocol variants are very subtle. Given that this application is artificially
simple, the complexity of designing protocols for more intricate applications
should be clear.
The security goals of our simple protocol were rather basic, making it hard to
justify the need for such a protocol in a real application. However, the dissection
of the simple protocol variants has demonstrated the type of analytical skills
required to examine more complex cryptographic protocols with more realistic
collections of security goals.
We now reconsider
AKE protocols
(authentication and key establishment),
which were introduced at the end of Chapter 8. There are literally hundreds of
proposed AKE protocols, since an AKE protocol often has to be tailored to the
precise needs of the application for which it is designed. However, the two main
security objectives of an AKE protocol are always:
Mutual entity authentication
, occasionally just unilateral entity authentication.
