Professional Documents
Culture Documents
Abstract
This paper describes a protocol for efficient mutual authentication
(via a mutually trusted third party) that assures both principal
parties of the timeliness of the interaction without the use of clocks or
double encipherment. The protocol requires a total of only four
messages to be exchanged between the three parties concerned.
? SecondedfromMarconiInstrumentsLtd. ~:SecondedfromRacalInformationTechnologyDevelopmentsLtd.
8
Protocol 2) The second party generates its own specific
c h a l l e n g e R2 a n d m a t c h i n g r e q u e s t
A successful mutual authentication consists of
{R2CP1P2}K2, i n c l u d i n g t h e c o m m o n
t h e f o l l o w i n g s e q u e n c e of m e s s a g e s
challenge C. It then sends the message
(illustrated in figure 1), where {X}K means
CP1P2 {RICP1Ps}K1 {RsCP1P2}K2 to the
plaintext X enciphered in key K:
authentication service.
1) T h e f i r s t p a r t y s e n d s t h e m e s s a g e
3) The authentication service looks up K1 and
CP1P2 {R1CP1P2}K1 to the second party. C
K2 using P1 and P2, then deciphers both
is both a conversation identifier and a
requests and verifies t h a t they form a
common challenge generated by the first
matching pair (i.e. both contain CP1P2). If
party and which must be enciphered by so, it chooses a conversation key K C and
both parties. R1 is the first party's specific
returns the reply C{R1Kc}KI{R2Kc}K2,
challenge and {R1CP1P2}K1 is an enciphered containing a matching pair of enciphered
request for the mutual authentication of P1 a u t h e n t i c a t o r s , identified by C, to the
and P2.
second party.
C must be in clear to allow the second party
4) The second p a r t y deciphers the second
to encipher it. It may also be used to authenticator {R2Kc}K2 using its private
associate all the messages in the same
key K2 to obtain its own challenge R2 and
authentication sequence and may be an
the conversation key KC, then forwards the
identifier used in the underlying protocol
reply C{RIKc}K1, c o n t a i n i n g the first
layer.
authenticator, identified by C, to the first
PIP2 m u s t be in clear to i d e n t i f y the party,
p r i n c i p a l s to t h e o t h e r p a r t i e s , in The first p a r t y d e c i p h e r s the first
particular, the authentication service needs
authenticator {R1Kc}K1 using its private
them to look up the corresponding private
key K1 to obtain its own challenge R1 and
keys.
the conversation key K C.
P1 KI P2 K2 P1 K1
P2 P2 K2
C RI
C PIP2 {RICPIP2}KI
CP1
R2
~CP1P2 {RICPIP2}KI{R2CPIP2}K2L---~
KC
C {RIKc}KI {R2KC}K2
KC
C {RIKc }K1
KC
Figure 1
9
Subsequent knowledge and beliefs Discussion
The authentication service is able to decipher The authentication requests and replies are
both authentication requests (R1CPIP2~K1 and s y m m e t r i c a l w i t h r e s p e c t to t h e two
(R2CP1P2~K2 using the private keys of the principals. This property enables either party
alleged principals. If they match (i.e. both to subsequently initiate a re-authentication
contain CP1P2), then it knows that each was and change of conversation key.
generated by some party which knew the
The authentication reply messages are not
private key of the corresponding principal and
re-usable because they would no longer be
that both parties wished to converse with each
timely; therefore the full protocol must be used
other (because of P1P2) at some coincident
when restarting a conversation after one of the
time (because of C). The a u t h e n t i c a t i o n
parties has discarded the conversation key.
service does not know whether a malicious
The small n u m b e r of messages r e q u i r e d
replay of the whole message has taken place, it
makes this acceptable, especially since both
simply issues information that is of no value to
parties are assured of the timeliness of the
anyone but the two genuine parties.
new authenticators and the new key.
When the second p a r t y has decoded its
The authentication service is not obliged to
authenticator (R2Kc}K°~ using its private key
keep state relating to active conversations and
K2, it knows that if R2 matches its original
can therefore avoid the scaling problems that
challenge then the reply is timely and was
this would cause. However, it is able to detect
g e n e r a t e d by the a u t h e n t i c a t i o n service.
and log fraudulently constructed requests.
Because it trusts the authentication service
only to issue a matching pair of authenticators The first and last messages of this protocol can
if the original pair of requests were genuine be piggy-backed onto the opening exchange of
and matched, it accepts P1 as the first party's a connection-oriented conversation, as can the
principal and KC as the secret conversation exchange of a cipher initialization vector.
key.
Known plaintext CPtP2 being enciphered in
W h e n the f i r s t p a r t y h a s d e c o d e d its the private keys Kt,K2 is no longer a problem
authenticator and verified RI then it also with modern stream ciphers, especially if it is
knows the reply is timely and was generated always preceded by a random number.
by the authentication service. Because it has
the same beliefs about the a u t h e n t i c a t i o n
service as the second party it accepts P2 as the
Acknowledgment
second party's principal and K c as the secret We would like to thank Roger Needham for
conversation key. his helpful analysis and guidance.
Because the first party chose the common
challenge C, it knows that the second party's References
request m u s t have been t i m e l y for the
1. NEEDHAM, R. M., and SCHROEDER, M. D.
authentication service to verify that the two
Using encryption for a u t h e n t i c a t i o n in
requests matched, but the second party still
large networks of computers. Commun.
has no assurance that the original request
ACM 21, 12 (Dec. 1978), 993-999.
from the f i r s t p a r t y was not a r e p l a y .
However, both parties should now be in 2. BIRRELL, A. D. Secure c o m m u n i c a t i o n
possession of the secret conversation key KC, using remote procedure calls. ACM Trans.
and the prompt receipt of a message correctly Computer Systems 3, 1 (Feb 1985), 1-14.
enciphered in KC assures the second party
3. DENNING, D. E., a n d SACCO, G. M.
that the first party really is in possession of Kt
Timestamps in key distribution protocols.
and must therefore be affiliated to P1.
Commun. ACM24, 8 (Aug. 1981), 533-536.
10