authentication protocols

Joseph Ashwood ashwood at msn.com
Sun Mar 31 20:51:44 EST 2002


----- Original Message -----
From: "John Saylor" <johns at worldwinner.com>
To: <cryptography at wasabisystems.com>
Sent: Monday, March 25, 2002 3:14 PM
Subject: authentication protocols

> I'd like to find an authentication protocol that fits my needs:
> 1. 2 [automated] parties
> 2. no trusted 3rd party intermediary ['Trent' in _Applied_Crypto_]

Depending on your exact requirements, there are many potential options.
Let's start with the most basic:

The parties securely exchange a verifier. There are many variations at this
point, but the basic version is (with details omitted for brevity):
A->B: I am A
B->A: If you are A then you can decrypt this E(K) and use K as our shared
key
A decrypts and now both A and B share a one time secret
This is generally done using symmetric keys

More sophisticated, and scaling much better, requires a trust model of some
kind. This does however get very tricky. There has to be some verification
of the key by a 3rd party (which can typically be the same as one of the
first 2 parties). However it is possible to build something usable, as long
as on one occasion you can verify the identity of the other party. This type
of protocol works approximately as so:
B has a verified public key for A
A has a verified public key for B
A->B: S(I am A, our temporary key is E(K), the current time is T)
B verifies signature, and decrypts K, K is now the shared secret
There are of course variations where it is E(S(........K...)) instead of
S(...E(K)...)

There are many different variations on this, some patented, some
unencumbered, some that are secure down to the use of an ATM-like PIN, some
that require larger quantities of secret data, some that take 1 pass from A
to B, some that take 10 passes between them, some that have nice provable
reductions, some that don't. It all depends on what your needs are. But all
of these require some trust model, and initial verification of the key is
the problem.

Moving over to situations where you are not forced to perform an initial key
verification requires a trusted 3rd party, which is what you requested to
avoid so I won't introduce them.
                        Joe


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
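
Added example (not part of the original message): the first, symmetric-key
exchange above, sketched in Python using only the standard library.
Assumptions made here: HMAC-SHA256 stands in for the unspecified cipher E, and
the function names, the binding of the claimed identity into E(K), and the
final key-confirmation step are details the message leaves out.

```python
import hashlib, hmac, secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def b_challenge(shared: bytes, claimed_id: bytes):
    """B -> A: E(K). Returns (K, wire message nonce||ct||tag)."""
    k = secrets.token_bytes(32)                 # fresh one-time secret K
    nonce = secrets.token_bytes(16)             # makes every E(K) unique
    pad = _prf(_prf(shared, b"enc"), nonce)     # 32-byte keystream
    ct = bytes(x ^ y for x, y in zip(k, pad))
    tag = _prf(_prf(shared, b"mac"), claimed_id + nonce + ct)
    return k, nonce + ct + tag

def a_recover(shared: bytes, my_id: bytes, msg: bytes):
    """A decrypts E(K). Returns K, or None if msg was not built
    with the shared key for this identity."""
    if len(msg) != 80:
        return None
    nonce, ct, tag = msg[:16], msg[16:48], msg[48:]
    if not hmac.compare_digest(tag, _prf(_prf(shared, b"mac"), my_id + nonce + ct)):
        return None
    pad = _prf(_prf(shared, b"enc"), nonce)
    return bytes(x ^ y for x, y in zip(ct, pad))

def confirm(k: bytes, msg: bytes) -> bytes:
    """A -> B: proof of knowing K, bound to this run's message."""
    return _prf(k, b"confirm" + msg)

def run(a_key: bytes, b_key: bytes) -> bool:
    """A->B 'I am A'; B->A E(K); A->B confirm. True only if B accepts the peer as A."""
    k_b, msg = b_challenge(b_key, b"A")
    k_a = a_recover(a_key, b"A", msg)
    if k_a is None:
        return False
    return hmac.compare_digest(confirm(k_a, msg), confirm(k_b, msg))

if __name__ == "__main__":
    shared = secrets.token_bytes(32)   # constructed sample key, exchanged securely beforehand
    print("honest A accepted:", run(shared, shared))
    print("impostor accepted:", run(secrets.token_bytes(32), shared))
```

B learns nothing about its peer from sending E(K) alone; only the returned
confirmation value shows that the other side could actually recover K.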


