New authentication protocol, was Re: Tinc's response to "Linux's answer to MS-PPTP"
Matt Blaze
mab at crypto.com
Mon Sep 29 12:15:43 EDT 2003
EKR writes:
> I'm trying to figure out why you want to invent a new authentication
> protocol rather than just going back to the literature and ripping
> off one of the many skeletons that already exist (STS, JFK, IKE,
> SKEME, SIGMA, etc.). That would save people from the trouble
> of having to analyze the details of your new protoocl.
Indeed.
It's also worth pointing out that the standards for authentication /
key exchange / key agreement protocols (and the techniques for
attacking them) have improved over the last few years, to the point
that if you want your protocol to have any chance of being taken
seriously, you'd better have both a clear statement of why your
protocol is an improvement over those in the existing literature,
and some kind of proof of security under an appropriate model.
Key agreement turns out to be a surprisingly hard problem, especially
in any context that's to be used in a real protocol. (For evidence of
this, you need look no further than the fact that research papers on
the subject are still being written and published in competitive
conferences and journals). Even defining the security model under
which such protocols should be analyzed is a hard problem and the subject
of current research.
It is probably no longer acceptable, as it was just a few years ago,
to throw together an ad-hoc authentication or key agreement protocol
based on informal "obvious" security properties, without a strong
proof of security and a clear statement of the model under which the
security holds.
For some recent relevant papers, see the ACM-CCS '02 paper my colleagues
and I wrote on our JFK protocol (http://www.crypto.com/papers/jfk-ccs.ppt),
and Ran Canetti and Hugo Krawczyk's several recent papers on the design
and analysis of various IPSEC key exchange protocols (especially their
CRYPTO'02 paper).
-matt
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list