Remote User Authentication using Asymmetric Encryption
Mutual Authentication: Remote User Authentication
- This Remote User Authentication protocol assumes that each of the two parties is in possession of the current public key of the other.
- A protocol using timestamps is:
  1. A → AS: ID_A || ID_B
  2. AS → A: E(PR_as, [ID_A || PU_a || T]) || E(PR_as, [ID_B || PU_b || T])
  3. A → B: E(PR_as, [ID_A || PU_a || T]) || E(PR_as, [ID_B || PU_b || T]) || E(PU_b, E(PR_a, [K_s || T]))
- In this case, the central system is referred to as an authentication server (AS), because it is not actually responsible for secret-key distribution.
- AS provides public-key certificates.
- The session key is chosen and encrypted by A; hence, there is no risk of exposure by the AS.
- The timestamps protect against replays of compromised keys.
- This protocol is compact but, as before, requires the synchronization of clocks.
- Another approach, proposed by Woo and Lam, makes use of nonces. The protocol consists of the following steps.
1. A → KDC: ID_A || ID_B
2. KDC → A: E(PR_auth, [ID_B || PU_b])
3. A → B: E(PU_b, [N_a || ID_A])
4. B → KDC: ID_A || ID_B || E(PU_auth, N_a)
5. KDC → B: E(PR_auth, [ID_A || PU_a]) || E(PU_b, E(PR_auth, [N_a || K_s || ID_B]))
6. B → A: E(PU_a, [E(PR_auth, [N_a || K_s || ID_B]) || N_b])
7. A → B: E(K_s, N_b)
- This seems to be a secure protocol that takes into account the various attacks.
- However, the authors themselves spotted a flaw and submitted a revised version of the algorithm:
  1. A → KDC: ID_A || ID_B
  2. KDC → A: E(PR_auth, [ID_B || PU_b])
  3. A → B: E(PU_b, [N_a || ID_A])
  4. B → KDC: ID_A || ID_B || E(PU_auth, N_a)
  5. KDC → B: E(PR_auth, [ID_A || PU_a]) || E(PU_b, E(PR_auth, [N_a || K_s || ID_A || ID_B]))
  6. B → A: E(PU_a, [E(PR_auth, [N_a || K_s || ID_A || ID_B]) || N_b])
  7. A → B: E(K_s, N_b)
- The identifier of A, ID_A, is added to the set of items encrypted with the KDC's private key in steps 5 and 6.
- This binds the session key K_s to the identities of the two parties that will be engaged in the session.
- This inclusion accounts for the fact that the nonce N_a is considered unique only among all nonces generated by A, not among all nonces generated by all parties.
One-Way Authentication: Remote User Authentication
- We have already presented public-key encryption approaches that are suited to electronic mail.
- These approaches require that either the sender knows the recipient's public key (confidentiality), the recipient knows the sender's public key (authentication), or both (confidentiality plus authentication).
- In addition, the public-key algorithm must be applied once or twice to what may be a long message.
- If confidentiality is the primary concern, then the following may be more efficient:
A → B: E(PU_b, K_s) || E(K_s, M)
- In this case, the message is encrypted with a one-time secret key.
- A also encrypts this one-time key with B's public key.
- Only B will be able to use the corresponding private key to recover the one-time key and then use that key to decrypt the message.
- This scheme is more efficient than simply encrypting the entire message with B’s public key.
- If authentication is the primary concern, then a digital signature may suffice:
A → B: M || E(PR_a, H(M))
- This method guarantees that A cannot later deny having sent the message.
- However, this technique does not provide confidentiality.
- To add confidentiality, both the message and the signature can be encrypted with the recipient's public key:
A → B: E(PU_b, [M || E(PR_a, H(M))])
- The latter two schemes require that B know A’s public key and be convinced that it is timely.
- An effective way to provide this assurance is the digital certificate. Now we have
A → B: M || E(PR_a, H(M)) || E(PR_as, [T || ID_A || PU_a])
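As an added example that is not part of these notes, the last scheme (signed message plus AS-issued certificate) in toy Python, showing the order in which B must check it: textbook RSA stands in for E(PR, ·) and E(PU, ·), SHA-256 for H, and a JSON record for the [T || ID_A || PU_a] concatenation. The unpadded RSA, the Fermat primality test and all function names are assumptions made for readability, not a library API.

```python
import hashlib, json, random

def random_prime(bits):
    # Toy Fermat test with a few bases: adequate for a demo, not for real keys.
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p

def keygen(bits=512):
    # Textbook RSA: PU = (n, e), PR = (n, d). Unpadded, so toy only.
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))

def H(data):  # SHA-256 as an integer; 256 bits < n, so it fits without padding
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def E_private(pr, data):  # E(PR, H(data)) in the notes' notation: an RSA signature
    n, d = pr
    return pow(H(data), d, n)

def check_private(pu, data, sig):  # undo E(PR, .) with PU, compare against H(data)
    n, e = pu
    return pow(sig, e, n) == H(data)
def encode(fields):  # byte encoding of the [T || ID_A || PU_a] concatenation
    return json.dumps(fields, sort_keys=True).encode()

def issue_cert(pr_as, t, id_a, pu_a):
    # AS issues E(PR_as, [T || ID_A || PU_a]); the plaintext fields travel with it.
    fields = {"T": t, "ID": id_a, "PU": list(pu_a)}
    return fields, E_private(pr_as, encode(fields))
def send(m, pr_a, cert):
    # A -> B: M || E(PR_a, H(M)) || E(PR_as, [T || ID_A || PU_a])
    return m, E_private(pr_a, m), cert

def receive(packet, pu_as, now, max_age):
    # B checks the certificate (AS signature, then timeliness) before the message.
    m, sig, (fields, cert_sig) = packet
    if not check_private(pu_as, encode(fields), cert_sig):
        return None, "bad certificate signature"
    if not 0 <= now - fields["T"] <= max_age:
        return None, "certificate not timely"
    if not check_private(tuple(fields["PU"]), m, sig):
        return None, "bad message signature"
    return fields["ID"], m
```

A certificate signed by anyone but the AS, a certificate older than max_age, or a message altered in transit is rejected before B trusts ID_A.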