Abstract
We investigate protocols for authenticated exchange of messages between two parties in a communication network. Secure authenticated exchange is essential for network security. It is not difficult to design simple and seemingly correct solutions for it; however, many such ‘solutions’ can be broken. We give some examples of such protocols and we show a useful methodology which can be used to break many protocols. In particular, we break a protocol that is being standardized by the ISO.
We present a new authenticated exchange protocol which is both provably secure and highly efficient and practical. The security of the protocol is proven, based on an assumption about the cryptosystem employed (namely, that it is secure when used in CBC mode on a certain message space). We think that this assumption is quite reasonable for many cryptosystems, and furthermore it is often assumed in practical use of the DES cryptosystem. Our protocol cannot be broken using the methodology we present (which was strong enough to catch all protocol flaws we found). The reduction to the security of the encryption mode indeed captures the non-existence of the exposures that the methodology catches (specialized to the actual use of encryption in our protocol). Furthermore, the protocol prevents chosen plaintext or ciphertext attacks on the cryptosystem.
The proposed protocol is efficient and practical in several aspects. First, it uses only conventional cryptography (like the DES, or any privately-shared one-way function) and no public-key. Second, the protocol does not require synchronized clocks or counter management. Third, only a small number of encryption operations is needed (we use no decryption), all with a single shared key. In addition, only three messages are exchanged during the protocol, and the size of these messages is minimal. These properties are similar to existing and proposed actual protocols. This is essential for integration of the proposed protocol into existing systems and embedding it in existing communication protocols.
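The following is an added illustration, not the paper's own protocol: a three-message, nonce-based mutual authentication that has the properties the abstract lists (a single shared key, a privately-shared keyed one-way function only, no decryption, no clocks or counters). HMAC-SHA256 stands in for the keyed one-way function, the message layout and the `resp`/`init` role labels are assumptions of this example, and the key is a constructed sample value; the last function shows the kind of interleaving (reflection) check that the abstract's breaking methodology applies, and why binding identities and roles into the tag defeats it.

```python
import hmac
import hashlib
import os

SHARED_KEY = b"constructed-example-key"  # constructed sample; the long-term key shared by A and B only

def keyed_owf(key, *fields):
    """Privately-shared one-way function; HMAC-SHA256 stands in for a DES-based
    construction. Fields are length-prefixed so concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def msg1(a_name):
    """A -> B: A's identity and a fresh challenge nonce N_A."""
    return a_name, os.urandom(16)

def msg2(key, a_name, n_a, b_name):
    """B -> A: fresh nonce N_B plus a tag over (role, B, A, N_A, N_B)."""
    n_b = os.urandom(16)
    return n_b, keyed_owf(key, b"resp", b_name, a_name, n_a, n_b)

def verify2(key, a_name, n_a, b_name, n_b, tag):
    return hmac.compare_digest(tag, keyed_owf(key, b"resp", b_name, a_name, n_a, n_b))

def msg3(key, a_name, n_a, n_b):
    """A -> B: tag proving A saw N_B, under a role label distinct from message 2."""
    return keyed_owf(key, b"init", a_name, n_a, n_b)

def verify3(key, a_name, n_a, n_b, tag):
    return hmac.compare_digest(tag, keyed_owf(key, b"init", a_name, n_a, n_b))

def run_honest(key=SHARED_KEY):
    """Both parties accept when the three messages arrive unmodified."""
    a, n_a = msg1(b"A")
    n_b, t_b = msg2(key, a, n_a, b"B")
    t_a = msg3(key, a, n_a, n_b)
    return verify2(key, a, n_a, b"B", n_b, t_b) and verify3(key, a, n_a, n_b, t_a)

def reflection_rejected(key=SHARED_KEY):
    """Interleaving check: an intruder without K opens a second session to A
    (claiming to be B and reusing N_A as its challenge), then feeds A's own
    responder tag back to A in the first session. Identities occupy different
    slots in the two tags, so A rejects it."""
    a, n_a = msg1(b"A")                          # session 1: A challenges "B"
    n_a2, t_reflected = msg2(key, b"B", n_a, a)  # session 2: A answers as responder
    return not verify2(key, a, n_a, b"B", n_a2, t_reflected)
```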
R. Bird is with IBM Networking Systems; I. Gopal, A. Herzberg, S. Kutten and M. Yung are with IBM T. J. Watson Research Center; P. Janson and R. Molva are with IBM Zurich Research Laboratory.
© 1992 Springer-Verlag Berlin Heidelberg
Cite this paper
Bird, R. et al. (1992). Systematic Design of Two-Party Authentication Protocols. In: Feigenbaum, J. (eds) Advances in Cryptology — CRYPTO ’91. CRYPTO 1991. Lecture Notes in Computer Science, vol 576. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46766-1_3
DOI: https://doi.org/10.1007/3-540-46766-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-55188-1
Online ISBN: 978-3-540-46766-3
eBook Packages: Springer Book Archive