Cryptography Reference
In-Depth Information
4. Bob uses Alice's verification key to verify the signed message that he has just
received. If he is satisfied with the result then Bob uses
g
a
and his private key
b
to compute (
g
a
)
b
.
With the exception of the first two, the extent to which the goals of Section 9.4.1
are met for the STS protocol are just as for the basic Diffie-Hellman protocol (in
other words, they are all met except for key confirmation). It remains to check
whether the first two authentication goals are now met:
Mutual entity authentication
. Since
a
and
b
are randomly chosen private keys,
g
a
and
g
b
are thus also effectively randomly generated values. Hence we can
consider
g
a
and
g
b
as being nonces (see Section 8.2.3). At the end of the
second STS protocol message, Alice receives a digital signature from Bob on
a message that includes her 'nonce'
g
a
. Similarly, at the end of the third STS
protocol message, Bob receives a digital signature from Alice on a message
that includes his 'nonce'
g
b
. Hence, by the principles that we discussed in
Section 8.2.3, mutual entity authentication is provided, since both Alice and
Bob each perform a cryptographic computation using a key only known to
them on a nonce generated by the other party.
Mutual data origin authentication
. This is provided, since the important data
that is exchanged in the main messages is digitally signed.
Thus, unlike the basic Diffie-Hellman protocol, the STS protocol meets the first
five typical AKE protocol goals of Section 9.3.1.
9.4.3
An AKE protocol based on key distribution
The STS protocol is an AKE protocol based on key agreement and the use of
public-key cryptography. We will now look at an AKE protocol based on key
distribution and the use of symmetric cryptography. This protocol is a simplified
version of one from ISO 9798-2. This protocol involves the use of a trusted third
party (denoted TTP).
PROTOCOL DESCRIPTION
The idea behind this AKE protocol is that Alice and Bob both trust the TTP. When
Alice and Bob wish to establish a shared key
K
AB
, they will ask the TTP to generate
one for them, which will then be securely distributed to them. The protocol
involves the following assumptions:
• Alice has already established a long-term shared symmetric key
K
AT
with
the TTP.
• Bob has already established a long-term shared symmetric key
K
BT
with
the TTP.
• Alice and Bob are both capable of randomly generating nonces.
