Cryptography Reference
In-Depth Information
Mutual key confirmation
. Alice and Bob should have some evidence that they
both end up with the same key.
Unbiased key control
. Alice and Bob should be satisfied that neither party can
unduly influence the generation of the established key
The motivation for the first five of these security goals should be self-evident. The
last two goals are more subtle and not always required.
The goal of mutual key establishment is that Alice and Bob do end up with
the same key. In many AKE protocols it suffices that key confirmation is
implicit
,
with Alice and Bob assuming that they have established the same key because they
believe that the protocol completed successfully. Mutual key confirmation goes
one step further by requiring
evidence
that the same key has been established. This
evidence is usually a cryptographic computation made using the established key.
Mutual key establishment does not impose any requirements on how the
established key is generated. Hence, in many cases it may be acceptable that
Alice (say) generates a symmetric key and transfers it to Bob during the AKE
protocol, in which case Alice has full control of the choice of key. Unbiased key
control is required in applications where Alice and Bob do not trust each other
to generate a key. Alice may, for example, believe that Bob might, accidentally or
deliberately, choose a key that was used on some prior occasion. Unbiased key
control is normally achieved either by:
• Generating the key using a component of 'randomness' from each of Alice and
Bob, so that the resulting key is not predictable by either of them. This is often
termed
joint key control
.
• Using a trusted third party to generate the key.
We choose to distinguish between two families of AKE protocols. We will say that
an AKE protocol is based on:
Key agreement
, if the the key is established from information that is contributed by
each of Alice and Bob; we will discuss an AKE protocol based on key agreement
in Section 9.4.2;
Key distribution
, if the key is generated by one entity (which could be a trusted
third party) and then distributed to Alice and Bob; we will discuss an AKE
protocol based on key distribution in Section 9.4.3.
9.4.2
Diffie-Hellman key agreement protocol
The
Diffie-Hellman key agreement protocol
, which we will henceforth refer to
simply as the
Diffie-Hellman protocol
, is one of the most influential cryptographic
protocols. Not only does it predate the public discovery of RSA, but it remains
the basis for the vast majority of modern AKE protocols based on key agreement.
We will explain the idea behind the Diffie-Hellman protocol and then examine
an example of an AKE protocol that is based on it.
