CA2059172C - Authentication protocols in communication networks - Google Patents

Authentication protocols in communication networks

Info

Publication number
CA2059172C
Authority
CA (Canada)
Prior art keywords
user, response, challenge, arrangement, protocol
Legal status
Expired - Fee Related
Application number
CA002059172A
Other languages
French (fr)
Other versions
CA2059172A1 (en)
Inventors
Raymond F. Bird, Inder S. Gopal, Philippe A. Janson, Shay Kutten, Refik A. Molva, Marcel M. Yung
Current assignee
International Business Machines Corp
Original assignee
International Business Machines Corp
Events
Application filed by International Business Machines Corp; publication of CA2059172A1; application granted; publication of CA2059172C; anticipated expiration; current legal status Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 ... using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3271 ... using challenge-response
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103 Challenge-response

Abstract

An arrangement for authenticating communications network users, and means for carrying out the arrangement: A first challenge N1 is transmitted from a first user A to a second user B. In response to the first challenge, B generates and transmits a first response to the challenge and a second challenge N2 to A. A verifies that the first response is correct. A then generates and transmits a second response to the second challenge to B, where the second response is verified. The first response must be of a minimum form f(S1, N1, ...) and the second response of a minimum form g(S2, N2, ...), where S1 and S2 are shared secrets between A and B. S1 may or may not equal S2. In addition, f() and g() are selected such that the equation f'(S1, N1', ...) = g(S2, N2, ...) cannot be solved for N1' without knowledge of S1 and S2.
f'() and N1' represent expressions on a second reference connection. Preferably, the function f() may include the direction D1 of flow of the message containing f(), as in f(S1, N1, D1, ...). In such a case, f() is selected such that the equation f'(S, N1', D1', ...) = f(S, N1, D1, ...) cannot be solved for N1' without knowledge of S1 and S2. In this equation, D1' is the flow direction indicator of the message containing f'() on the reference connection.

Specific protocols satisfying this condition are protected from so-called intercept attacks.

Description

AUTHENTICATION PROTOCOLS IN COMMUNICATION NETWORKS

TECHNICAL FIELD
The invention generally relates to methods for maintaining security against unauthorized network users or other network entities, such as a program. In particular, it relates to methods for authenticating that a user attempting to establish communications with another network user or node is, in fact, the user that it represents itself to be.

BACKGROUND OF THE INVENTION
Authentication of users in a network allows a pair of users who wish to communicate to prove their identities to each other. There are many variations of authentication protocols that are discussed in the literature. Some require the use of a shared secret, such as a secret digital key or a secret mathematical function, that is applied to a suitable parameter or parameters; others use public-key types of protocols. This invention is concerned primarily with authentication protocols using shared secrets, although it can be easily adapted for use in public-key systems.
With respect to the prior art, U.S. patent 4,890,323, "Data Communication Systems and Methods", issued on Dec. 26, 1989 to Beker, describes a file and sender authentication method in which an encrypted check-sum is computed on the contents of a message using a first private key. This check-sum is issued as a "challenge" to a user who computes a result using a second private key. The result is appended to the response as an authentication code before return transmission. A recipient of the response equipped with the same first and second cryptographic keys can therefore check both the contents of the message and the identity of the sender by computing an expected authentication code from the received response and comparing it with the code received.
U.S. patent 4,919,545, "Distributed Security Procedure for Intelligent Networks", which issued on April 24, 1990 to C. Yu, discloses a file authentication method. An execution node transmits a capability and a signature to an invocation node. The capability includes an identifier of and access rights to a file. The signature is formed at the execution node by encryption of the capability with a key that is unique to the invocation node and is stored only in the execution node. A request for access to the file is transmitted with the capability and the signature from the invocation node to the execution node. At the execution node, the request is authenticated by encryption of the capability with the encryption key that is associated with the invocation node. Access to the file is authorized only when the signature generated by the execution node matches the signature received from the invocation node.
U.S. patent 4,193,131, entitled "Cryptographic Verification of Operational Keys Used in Communication Networks", issued on March 11, 1980 to R. Lennon et al. This patent discloses an encryption key distribution and user authentication method using a shared private key. A first station encrypts a first verification number using the key to provide first station ciphertext for transmission to the second station. At the second station, the first station ciphertext is further encrypted using the key to provide second station ciphertext for transmission back to the first station. The first station reencrypts the first verification ciphertext and compares it with the received second station ciphertext to verify that the second station is the source of the second station ciphertext. This authentication is possible only if the operational keys of the two stations are identical.
U.S. patent 4,386,233, "Cryptographic Key Notarization Methods and Apparatus", issued on May 31, 1983 to M. E. Smid et al., also discloses a key distribution system and user authentication method in which cryptographic keys are notarized by encrypting the keys using a notarizing key derived from identifiers associated with the users in question and an interchange key accessible only to authorized users of the cryptographic function. The identity of a user of the cryptographic function is authenticated as a condition to access to an interchange key. This authentication is accomplished by comparing a password designation supplied by the user with a prestored version of the password which has been notarized by having been encrypted with the cryptographic function using a notarizing cryptographic key derived from the identifier of the corresponding authorized user and an interchange key.
U.S. patent 4,218,738, "Method for Authenticating the Identity of a User of an Information System", issued to S. M. Matyas et al. on August 19, 1980, discloses yet another method of attempting to authenticate users in a network.
A user verification number is a function of the user's identity, a separately entered password associated with the user, and a stored test pattern. The test pattern for a user is generated under physical security of a central computer using a variation of a host computer master key.
U.S. patent 4,549,075, "Method of Certifying the Origin of at Least One Item of Information Stored in the Memory of a First Electronic Device and Transmitted to a Second Electronic Device, and System for Carrying Out the Method", issued to Charles Saada in October 1985. This patent discloses a shared secret type of authentication protocol which is said to overcome certain problems in the prior art authentication method summarized therein. In this prior art method, a user B authenticates a user A. Both A and B share an item of information I, a secret S and a function f(). To begin an authentication, A sends I to B. B responds with a random number, a nonce, Nb. Both A and B compute f(I, Nb, S). A sends its computed response to B and B compares this response with its calculation. It is said that A can authenticate B in a similar manner. Saada does not point out that this prior art protocol can be easily broken in a general network environment. Rather, Saada attempts to solve the problem posed by the prior art method when A and B do not share an item of information I, but rather have their own individual items of information Ia and Ib. Saada applies the summarized prior art method to this new scenario and concludes that the resulting protocol can easily be broken.
Thus, Saada's invention is to allow the users to authenticate each other when each has different information units Ia and Ib. Again, A and B share a function f() and a secret S. A has an item of information Ia; B has an item of information Ib. A sends Ia and a nonce Na to B. B returns item Ib and another nonce Nb to A. A calculates R1 = f(Na, S, p(Ia, Ib)) and K1 = f(Nb, S, p(Ia, Ib)) and sends K1 to B. p() is a symmetric function known both to A and B. The symmetry means that p(Ia, Ib) = p(Ib, Ia). B calculates K2 = f(Na, S, p(Ib, Ia)) and R2 = f(Nb, S, p(Ib, Ia)) and sends K2 to A. A compares K2 with its result R1 to authenticate B and B compares K1 with its result R2 to authenticate A. It is said that this protocol insures that A and B are part of the same group, because of the secret S, and that A and B are who they say they are, because the items Ia and Ib are authenticated one-to-the-other via the symmetric function p(). It is seen that Saada's algorithm requires a minimum of four message flows. It is the fourth flow that prevents this method from being broken by methods that are described briefly below.
In yet another known authentication method, user A first sends to user B a challenge Na in the form of a nonce (message 1). B returns an encrypted value of the nonce using a private shared key to perform the encryption, plus a second nonce Nb in clear text (message 2). A then returns an encrypted value of the second nonce to B (message 3), who verifies that this response was properly encrypted with the shared key. This protocol requires three messages. However, as will be shown, this protocol can also be easily broken.
As seen by the above summarized art, existing authentication methods use various forms of shared secrets and encryption of data by the users, using a shared key, to assure that the users are who they say they are. However, the existing methods suffer from a number of problems. In theory, each user authenticates the other because the proper encryptions and/or decryptions cannot be generated by a user that does not know the shared secret. In practice, however, these authentication methods either require too many message flows, or too many encryption or decryption operations, or are subject to a variety of successful attacks.
Using the last mentioned authentication method for example, in a first successful type of attack, an intruder X, pretending to be A, initiates the attack by sending the first challenge Na to B (message 1). B returns the encrypted value of the first challenge E(Na), plus the second challenge Nb (message 2). X, who does not know the secret key, obtains the correct encryption of Nb by initiating another connection (called a reference connection throughout the description) with the real A, or some other user C who knows the key, and transmits Nb as the first challenge of the reference connection. A, or C, returns E(Nb) to X as a response. X then sends E(Nb) to B as the answer to the second challenge of the initial attack connection.
In a second type of attack as another example, X intercepts the first message containing Na from A intended for B. X, pretending to be B, initiates a reference connection with A (or C) and sends Na in message 1 of the reference connection. A (or C) responds with E(Na) and a second nonce Nb. X then terminates the reference connection and sends E(Na) in the second message to A on the attack connection.
There are a number of variations of the above initiate and intercept attacks. In all of these attacks, however, the intruder X, not knowing the secret shared by legitimate users, gleans information from other connections and uses this information to derive the necessary responses to challenges offered by the attacked user. The connections from which the gleaned information is obtained may or may not be with the attacked user. As far as can be determined, all of the known prior art methods that involve only three message flows can be broken, or are inefficient and unnecessarily complex to use or evaluate. Other known methods involving more than three flows may or may not be secure. However, even for the secure methods, the increased number of message flows that are required can place a heavy traffic burden on a network. This additional burden is otherwise unproductive and limits the capacity of the network from the user's point of view.
Thus, there exists a clear need to establish an authentication protocol and method that is immune from otherwise successful attacks by intruders that have no knowledge of the authentication secret. Furthermore, it is important in any practical implementation of a protocol that the number of message flows required to carry out the authentication be kept as small as possible, preferably three, at the risk of otherwise overburdening the network.

SUMMARY OF THE INVENTION
One embodiment of the invention involves the method and means of authenticating a user on a communications connection in a network. A first user A transmits a challenge N1 to a second user B. User B returns a response to the challenge to user A, which verifies that the response is correct. The response is of the minimum form f(S1, N1, D1, ...), wherein S1 is a shared secret between the users, D1 is an indication of the direction of flow of the message containing f() and f() is a function selected such that f'(S1, N1', D1', ...) = f(S1, N1, D1, ...) cannot be solved for N1' without knowledge of S1. f'(), N1' and D1' represent expressions on a reference connection. A protocol designed in accordance with the above invention is secure against so-called intercept attacks. Intercept attacks are those in which an intruder lies in wait and intercepts a message containing a challenge from a user A. The intruder then initiates a reference connection with another user other than the intended recipient of the intercepted challenge and attempts to glean information on the reference connection to generate the correct response to the intercepted challenge.
A second embodiment of the invention is a method and means of mutually authenticating users. A first challenge N1 is transmitted from a first user A to a second user B. In response to the first challenge, B generates and transmits a first response to the challenge and a second challenge N2 to A. A verifies that the first response is correct. A then generates and transmits a second response to the second challenge to B, where the second response is verified. The first response must be of a minimum form f(S1, N1, ...) and the second response must be of the minimum form g(S2, N2, ...). S1 and S2 are shared secrets between A and B. In addition, f() and g() are selected such that the equation f'(S1, N1', ...) = g(S2, N2, ...) cannot be solved for N1' without knowledge of S1 and S2. f'() and N1' represent expressions on another reference connection which an intruder uses to gain information in an attempt to break the protocol on an attack connection.
A specific authentication protocol designed in accordance with the second embodiment is secure from so-called initiate attacks. Initiate attacks are those in which an intruder first initiates a connection with a user by sending it the first challenge and, after receiving the response and second challenge, the intruder initiates a second reference connection with a user to gain information to aid in its response to the second challenge.
In some protocols that meet the above summarized requirements, the secrets may reside in the specific functions f() and g() that are used. In other protocols, data encryption can be used, with the secret residing in the specific encryption key or keys that are used.
The two embodiments of the invention may be combined into one protocol. In this event, the function f() will include some indication of the direction D1 of flow of the message containing f(), as in f(S1, N1, D1, ...). Such protocols that satisfy all of the above conditions of the combined embodiments are as secure from both initiate and intercept types of attacks as is the underlying secret or secrets shared by authorized users. It should be noted that S1 can equal S2, if desired. Moreover, the secret or secrets can be of virtually any type whatsoever. Thus, a secret might be the particular key or keys that are used to perform encryption of data. Alternatively, the secrets might be the particular functions f() and g() that are used between authorized users. Or, the secret might be the particular algorithm or algorithms that are used to encrypt or decrypt data, etc.

DESCRIPTION OF THE DRAWING
In the drawing, Fig. 1 shows a general layout of an illustrative data communication system in which the invention may be practiced;
Fig. 2 shows the general form of protocols in accordance with the invention that protect against initiate attacks by intruders;
Fig. 3 shows the details of an initiate attack by an intruder;
Figs. 4 and 5 show an example of a protocol that is vulnerable to an initiate attack;
Fig. 6 shows a specific protocol that is secure against initiate, but insecure against intercept attacks;
Fig. 7 shows the details of an intercept attack;
Fig. 8 shows the general form of protocols that are secure against intercept attacks;
Fig. 9 shows an illustrative protocol that is insecure against both intercept and initiate attacks;
Figs. 10 and 11 show an illustrative protocol that is secure against intercept attacks, but insecure against initiate attacks;
Fig. 12 shows an illustrative protocol that is secure against both initiate and intercept attacks;
Fig. 13 shows an alternative representation of a general form of protocol in accordance with the invention that is secure from initiate and intercept attacks;
Figs. 14 through 16 show illustrative specific protocols that are secure and which fit the general forms of Figs. 13, 8 and 2; and
Figs. 17 through 21 show illustrative flowcharts of programs that can be used in a general or special purpose computer to perform the inventive method.

DETAILED DESCRIPTION
Fig. 1 shows a general layout of an illustrative data communication system in which the invention may be practiced. This illustrative system includes a number of data processing users 100, 102 and 104. Each user includes or has access to a computer or data processing unit, such as 106, and appropriate peripheral units 108 for communicating with other users of the system via channels such as 110. A computer at a user may be any type of general or special purpose computer capable of being programmed in accordance with the principles disclosed herein. In the preferred embodiment, such computers include System 370 computers marketed by the IBM Company.
In Fig. 1, if a user 100 wishes to establish a logical connection with another user 102, it is required that both users share knowledge of a secret S, and that the users authenticate each other by means of an appropriate authentication protocol before meaningful communication is allowed over the logical connection.
Fig. 2 shows the general form of a family of protocols that may be secure against attack by an intruder X. A user A initiating a connection sends a message 1 containing a challenge N1 to the user B with which communication is to be established. N1, and all challenges, are preferably random numbers, or nonces. In any event, challenges should be freshly generated so there can be no possibility of use by intruders based on historical events. B returns a message 2 to A of the form f(S, N1, N2, X2), N2; where f() is a function which is the response to the challenge N1, S represents a secret shared by legitimate users A and B that is required to generate the response and N2 is a challenge from B to A. The variables S and N1 in f() are shown in bold in Fig. 2 to indicate that these variables must be present in some form in function f().
The remaining variables N2 and X2 may or may not be present. X2 is a general variable used here to represent any desired constant or expression that might be included in f(). For example, X2 might include access information, names, time stamps, etc. It is assumed that nothing contained in X2 is part of the secret S. In other words, it is assumed that an intruder X knows X2. User A then returns message 3 containing the response g(S, N2, N1, X3) to the challenge N2. The variables S and N2 in g() are similarly shown in bold to indicate that they must be present in some form within function g(). X3 is similar to X2 in that it represents any desired constant or expression that might be included in g(). It is assumed that X knows X3. In addition, for the protocol to be secure against attacks in which an intruder X attempts to initiate connections, f() must satisfy a first condition that an intruder cannot choose a first challenge N1' on a reference connection such that f'() = g(), where f'() represents f() on a reference connection. If this condition is satisfied, then the resulting protocol is as secure from initiating attacks as is the underlying secret S.
The meaning of the primed notation ( ' ) above will become more apparent with respect to Fig. 3, which shows the use of a reference connection by an intruder to gather information to attack a real connection. In Fig. 3, the intruder X initiates a connection with user A by sending the first challenge N1 in message 1 of the attack connection. A returns its response f() to the challenge and a challenge N2 to X at message 2 of the attack connection. X does not know the secret S required to generate the response to N2. In an attempt to get such information, X initiates a reference connection by sending another first challenge N1' to a user at 300. This secondary user may be A or some other user B or C. It doesn't matter as long as the selected other user knows the secret S. User 300 responds to the challenge N1' with the response

Eq. 1: f'() = f(S, N1', N2', X2')

X now attempts to manipulate the information received from 300 to generate the response g() on message 3 of the attack connection. Thus, a necessary condition to prevent this attack is C1: X cannot choose N1' such that f'() = g().
Fig. 4 shows a specific protocol which appears to be secure, but which in fact can be broken easily because it does not satisfy condition C1. The function f() in message 2 of Fig. 4 is

Eq. 2: f() = E[N1] + N2,

where E represents encryption with a secret key K. The + operator in the equation, by way of example, is the boolean operation EXCLUSIVE-OR. Thus, f() satisfies the requirements that it be a function of N1 and S (S being encryption E with key K). To test the protocol, we mathematically apply condition C1:

Condition C1:

Eq. 3: f'() = g(), or
Eq. 4: E[N1'] + N2' = E[N2].

Fig. 5 shows an attack connection and a reference connection that intruder X might use to attempt to break the protocol. Notice that the response in message 2 of the reference connection is E[N1'] + N2', which is exactly the same format as equation 2 above. Thus, by merely picking N1' = N2, which is known from message 2 of the attack connection, X receives on message 2 of the reference connection E[N2] + N2', N2'.

N2' is a new challenge on the reference connection and does not equal N2. Nevertheless, X now knows E[N2] + N2'. Since N2' is also known because it is received as the clear text challenge in the same message 2 of the reference connection, X merely derives E[N2] by EXCLUSIVE-ORing N2' with E[N2] + N2',

Eq. 5: E[N2] + N2' + N2' = E[N2],

and returns this value as the response in message 3 of the attack connection.
Fig. 6 shows an illustrative protocol that is secure against initiating attacks. In this protocol,

Eq. 6: f() = E[N1 + E[N1]], and
Eq. 7: g() = E[N2].

f() satisfies the conditions that it is a function of the challenge N1 and a secret S and that g() is a function of challenge N2 and secret S. Now we test condition C1 to determine if the protocol is really secure against initiate attacks.

Condition C1:
Eq. 8: f'() = g(), or
Eq. 9: E[N1' + E[N1']] = E[N2].

Inspection of equation 9 reveals that there is no known value of N1' that can be substituted that will result in E[N2], without knowing the encryption key K. Moreover, removing the encryption applied to both sides of the equation yields

Eq. 10: N1' + E[N1'] = N2, or
Eq. 11: N1' = E[N1'] + N2.

Since X does not know E, there is no way that X can derive N1'. Therefore, this particular protocol is secure against initiate attacks.
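The condition C1 test of Figs. 3 through 6 can be exercised mechanically on a toy model of the protocol family. The following is an added example, not code from the patent or from IBM: it assumes HMAC-SHA256 truncated to 16 bytes as the keyed transform E[.], EXCLUSIVE-OR on 16-byte nonces as the + operator, and the HMAC key as the shared secret S. It runs the honest three-flow exchange for the Fig. 4 response function (Eq. 2) and the Fig. 6 one (Eqs. 6 and 7), then replays the Fig. 5 manipulation (choose N1' = N2, XOR away N2') to show that the Fig. 4 design yields an accepted message 3 without the key, while the same manipulation is rejected by the Fig. 6 design.

```python
"""Toy model of the Fig. 2 protocol family, used to test condition C1 on the
Fig. 4 (Eq. 2) and Fig. 6 (Eqs. 6-7) response functions.

Assumptions (not from the patent): E[.] is HMAC-SHA256 truncated to the nonce
length, + is EXCLUSIVE-OR on 16-byte nonces, and the secret S is the HMAC key K.
"""
import hashlib
import hmac
import os
from typing import Callable, Tuple

NONCE_LEN = 16


def xor(a: bytes, b: bytes) -> bytes:
    """The patent's + operator: bytewise EXCLUSIVE-OR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for encryption E[.] under key K (assumption: HMAC-SHA256, truncated)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:NONCE_LEN]


# Candidate response functions f(S, N1, N2) for message 2; g() = E[N2] in both designs.
def f_fig4(key: bytes, n1: bytes, n2: bytes) -> bytes:
    """Eq. 2: f() = E[N1] + N2."""
    return xor(E(key, n1), n2)


def f_fig6(key: bytes, n1: bytes, n2: bytes) -> bytes:
    """Eq. 6: f() = E[N1 + E[N1]]; N2 travels in clear beside it and is not mixed in."""
    return E(key, xor(n1, E(key, n1)))


def g(key: bytes, n2: bytes) -> bytes:
    """Eq. 7 (the same in the Fig. 4 design): g() = E[N2]."""
    return E(key, n2)


class KeyHolder:
    """Any legitimate user (A, B or C) that knows the shared secret and runs the protocol."""

    def __init__(self, key: bytes, f: Callable[[bytes, bytes, bytes], bytes]):
        self.key = key
        self.f = f

    def answer_challenge(self, n1: bytes) -> Tuple[bytes, bytes]:
        """Message 2 of a connection: (f(S, N1, N2), N2) with a freshly generated N2."""
        n2 = os.urandom(NONCE_LEN)
        return self.f(self.key, n1, n2), n2

    def accept_response(self, n2: bytes, response: bytes) -> bool:
        """Verification of message 3: the response must equal g(S, N2)."""
        return hmac.compare_digest(response, g(self.key, n2))


def honest_run(f: Callable[[bytes, bytes, bytes], bytes], key: bytes) -> bool:
    """A and B, both holding the key, complete the three-flow exchange of Fig. 2."""
    a, b = KeyHolder(key, f), KeyHolder(key, f)
    n1 = os.urandom(NONCE_LEN)                          # message 1: A -> B
    resp2, n2 = b.answer_challenge(n1)                  # message 2: B -> A
    if not hmac.compare_digest(resp2, f(key, n1, n2)):  # A verifies f()
        return False
    return b.accept_response(n2, g(key, n2))            # message 3: A -> B, B verifies g()


def c1_test(f: Callable[[bytes, bytes, bytes], bytes], key: bytes) -> bool:
    """Applies condition C1 the way Fig. 5 does: a party without the key opens a
    reference connection with N1' = N2 and XORs away N2'. Returns True when the
    attacked user accepts the keyless derivation, i.e. C1 is violated."""
    target = KeyHolder(key, f)      # user answering the attack connection
    reference = KeyHolder(key, f)   # A or C, also holding the secret
    n1 = os.urandom(NONCE_LEN)
    _, n2 = target.answer_challenge(n1)                  # attack connection: message 2 reveals N2
    f_prime, n2_prime = reference.answer_challenge(n2)   # reference connection with N1' = N2
    derived = xor(f_prime, n2_prime)                     # Eq. 5: (E[N2] + N2') + N2'
    return target.accept_response(n2, derived)           # offered as message 3 of the attack connection


if __name__ == "__main__":
    k = os.urandom(32)
    print("Fig. 4 honest run ok:", honest_run(f_fig4, k))
    print("Fig. 4 violates C1:", c1_test(f_fig4, k))     # True: E[N2] recovered without K
    print("Fig. 6 violates C1:", c1_test(f_fig6, k))     # False: the derivation is rejected
```

The negative result for Fig. 6 only shows that this one manipulation fails; the argument that no choice of N1' works is the algebraic one in Eqs. 9 through 11, which is why the text insists the condition be tested mathematically and not by trial.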
There is~ however, a second mode of attac~ that Call render even protocols that are secure against initiate attacks also vulnerable. We refer to tllis modeof attack as intercept attacks. Fig. , SllOhS such all attack in terms of an attack connection and a reference conllectioll. In this type of attack, ~ lies in wait and eventually intercepts an initi31 challenge from user A destined for another user B. ~ then initiates a reference connection with a third user.
The third user can be A or C. It is worth noting, for analysis purposes, that - the reference user can't be the original intended recipient B. Intercept at-tacks where an intruder merely intercepts messages from A and forwards them on to their intended destination B are equivalent to the intruder ~ merely watchingthe data flow by from A to B. These attacks can never be defended against with user authentication protocols. If one is concerned about such attacks because, for example, their data lines can t be physicall~ secured from taps, then one must protect subsequent connection data flow with additional measures, such as ' data encryption. -h~ith reference to Fig. 7, it is seen that to be successful in the intercept attack connection, ~ must derive the response to the challenge Nl in message 1 of the attack connection. To attempt to do so, ~ sends a challenge ~1' to a third user A or C as the first message of a reference connection. ~ receives f'(S, N'l',...) as the response to its challenge and a second challenge ~'2' in t 205~ 1 72 RA~90030 Page 16 the second message of the reference connection. Thus~ ~ needs to solve the equation Eq. 12 f'(S~ Nl',...) = f(S, Nl....).

Therefore, a necessary condition C2 that would render a protocol secure against intercept attacks is that X not be able to choose a challenge N1' such that Eq. 13 f'() = f(). But mere inspection of equation 13 reveals that this can always be done in the protocol format of Fig. 7. Thus, breaking of the protocol of Fig. 6 is trivial with the use of an intercept attack. All an intruder need do is to pick N1' = N1.
To solve this problem, a necessary requirement to prevent the intercept type of attack is that an indicator D be included in f() that represents the direction of message flow, as shown in Fig. 8. This is shown as f(S, N1, D,...) in message 2, where D is the flow direction indicator. It doesn't matter what form D takes, so long as it is unique to a particular direction. For example, D might be equal to the sending user's identification, which is B in Fig. 8.
Alternatively, if A and B are the users in question, A could use B for its direction indicator and B could use A. All that is required is that on a given connection, the flow indicator be unique for any direction of flow of a message. It is necessary that D be included in f() as demonstrated above. However, it is not sufficient. It is still necessary mathematically to test the condition C2, as will be illustrated.


Let's take the example of Fig. 9, in which f() is taken to be E[N1 + D], D = A for flow from A to B and D = B for flow from B to A. For purposes of analysis, it should be realized that the values of A and B, etc. are known to an intruder X. It is assumed that the intruder X establishes a reference connection with A. Applying condition C2, Eq. 14 f'() = f(), Eq. 15 E[N1' + A'] = E[N1 + B].

It must be realized that the primed notation in A in equations 14 and 15, and similar notation elsewhere, means only that the variable exists on a reference connection. In other words, A' = A. Equation 15 can't be solved without knowing the encryption key K, because A' and B are different and encoded into the data.
By removing the encryption operator E from both sides of the equation, we obtain Eq. 16 N1' + A' = N1 + B, or Eq. 17 N1' = N1 + B + A'.

Since X knows both B and A', X need only set N1' in message 1 of the reference connection to N1 + B + A', where N1 is obtained from message 1 of the attack connection. X will receive

Eq. 18 E[N1 + B + A' + A'] = E[N1 + B]

on message 2 of the reference connection. This, of course, is the response needed in message 2 of the attack connection. Thus, this protocol is insecure for intercept types of attacks. As an aside, this protocol is also insecure for initiate attacks. This can be easily verified by testing condition C1 [f'() = g()] discussed earlier.
Fig. 10 shows an example of a protocol that passes condition C2. That is, it is secure from intercept attacks. However, it will be seen that the protocol is insecure against initiate attacks. In this protocol,

Eq. 19 f() = E[D + E[N1]], and Eq. 20 g() = E[D + E[N2]],

where D is the flow direction indicator. Remember that D is different for f() and g() because the flow direction is different for each of these functions. X intercepts message 1 from user A intended for B. X then initiates a reference connection with C to glean information. Applying condition C2 to Fig. 10, Eq. 21 f'() = f(), Eq. 22 E[C' + E[N1']] = E[B + E[N1]], or Eq. 23 C' + E[N1'] = B + E[N1].

Equation 23 can be split into two different equations in an attempt to solve it. Thus, Eq. 24 C' = B, and Eq. 25 E[N1'] = E[N1].

Since it is impossible for C' to equal B, this protocol is secure from intercept attacks. However, the protocol is still insecure against initiate attacks.
Fig. 11 shows the initiate attack for this protocol. Remember that X is impersonating B, so the direction indicator in message 3 of the attack connection is B. Applying condition C1:

Eq. 26 f'() = g(), Eq. 27 E[B' + E[N1']] = E[B + E[N2]], or Eq. 28 B' + E[N1'] = B + E[N2].

Splitting equation 28 yields Eq. 29 B' = B (which is always true) and Eq. 30 E[N1'] = E[N2], or Eq. 31 N1' = N2.

Thus, X can successfully initiate an attack against this protocol by merely setting N1' in message 1 of the reference connection equal to N2, which is received from A in message 2 of the attack connection.
Fig. 12 shows a specific protocol that is secure against both initiate and intercept attacks. In this protocol,

Eq. 32 f() = E[B + E[N1]], and Eq. 33 g() = E[N2].

Notice that the protocol is very similar to that of Fig. 11, which was shown to be insecure against intercept attacks. This illustrates very well the necessity of testing conditions C1 and C2 for any specific protocol, even though the protocol fits the other requirements enumerated. Applying C1 (and assuming that the reference connection is held with A):

Eq. 34 f'() = g().
Eq. 35 E[A' + E[N1']] = E[N2],
Eq. 36 A' + E[N1'] = N2,
Eq. 37 E[N1'] = N2 + A'.

Although an intruder X can derive E[N1'] before initiating the reference connection, X still cannot derive N1' for the initial challenge on the reference connection without knowledge of the key K. Therefore C1 is met.
Applying condition C2:

Eq. 38 f'() = f(), Eq. 39 E[A' + E[N1']] = E[B + E[N1]].

Removing the E operator from both sides of the last equation and splitting the result into two parts yields Eq. 40 A' = B and Eq. 41 N1' = N1.

However, A' can never equal B. Thus, C2 is satisfied and the protocol is secure.
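The C1 and C2 tests carried out above for Figs. 9 through 12 can be mechanised. The following Python harness is an added example, not code from the patent: it models the honest responder's f() and g() for the protocols of Figs. 9, 10 and 12 and applies the two substitutions the text derives, N1' = N1 + B + A' from Eq. 17 for the intercept case and N1' = N2 from Eq. 31 for the initiate case, to see whether the reference connection hands the intruder the value it needs. E[] is assumed to be a keyed pseudorandom function (HMAC-SHA256 truncated to 8 bytes) standing in for the DES-style block encryption of the text, '+' is EXCLUSIVE-OR as in the text, and the identities A and B and the key are constructed values.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

BLOCK = 8  # assumed width in bytes of challenges, identities and responses


def xor(a: bytes, b: bytes) -> bytes:
    """The text's '+' operator: bitwise EXCLUSIVE-OR of equal-length blocks."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E[]: a keyed PRF (HMAC-SHA256 truncated to BLOCK bytes).

    The protocols only ever recompute and compare E[], never invert it, so a
    PRF is enough to reproduce the algebra; the patent itself uses DES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ident(name: str) -> bytes:
    """Constructed user identifier, zero-padded to BLOCK bytes."""
    return name.encode().ljust(BLOCK, b"\0")


A, B = ident("A"), ident("B")  # public identities, known to the intruder

# A protocol is the pair (f, g): f answers N1 with direction D, g answers N2
# with direction D.  Where the text gives no g(), None is recorded.
Protocol = namedtuple("Protocol", "name f g")

PROTOCOLS = [
    # Fig. 9: f() = E[N1 + D]; the direction is XORed in before E is applied.
    Protocol("fig9", lambda k, n1, d: E(k, xor(n1, d)), None),
    # Fig. 10: f() = E[D + E[N1]], g() = E[D + E[N2]]  (Eqs. 19, 20).
    Protocol("fig10", lambda k, n1, d: E(k, xor(d, E(k, n1))),
             lambda k, n2, d: E(k, xor(d, E(k, n2)))),
    # Fig. 12: f() = E[B + E[N1]], g() = E[N2]  (Eqs. 32, 33).
    Protocol("fig12", lambda k, n1, d: E(k, xor(d, E(k, n1))),
             lambda k, n2, d: E(k, n2)),
]


def c2_substitution_works(p: Protocol, key: bytes, n1: bytes) -> bool:
    """Condition C2 (intercept attack).  The intruder must produce B's response
    f(S, N1, B) on the attack connection; its only source of values under S is
    a reference connection to A, which answers a challenge N1' with f(S, N1', A).
    Eq. 17 derives N1' = N1 + B + A' for Fig. 9; this reports whether that
    choice yields the needed value for the given protocol."""
    needed = p.f(key, n1, B)
    n1_prime = xor(xor(n1, B), A)
    return p.f(key, n1_prime, A) == needed


def c1_substitution_works(p: Protocol, key: bytes, n2: bytes) -> bool:
    """Condition C1 (initiate attack).  The intruder, posing as B, must answer
    A's challenge N2 with g(S, N2, B); a reference connection to B answers a
    challenge N1' with f(S, N1', B).  Eq. 31 derives N1' = N2 for Fig. 10."""
    needed = p.g(key, n2, B)
    return p.f(key, n2, B) == needed


def analyse() -> dict:
    """Run both substitutions against every protocol with a fresh secret key
    that the simulated intruder never reads.  True means the substitution
    handed the intruder exactly the response it needed."""
    key = secrets.token_bytes(16)
    n1, n2 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    results = {}
    for p in PROTOCOLS:
        r = {"C2_breakable": c2_substitution_works(p, key, n1)}
        if p.g is not None:
            r["C1_breakable"] = c1_substitution_works(p, key, n2)
        results[p.name] = r
    return results


if __name__ == "__main__":
    for name, r in analyse().items():
        print(name, r)
```

A True result reproduces the cancellation the text performs by hand (Eq. 18 for Fig. 9, Eq. 31 for Fig. 10). A False result only says that the one substitution the text derives fails; the argument that Fig. 12 satisfies C1 and C2 is the algebraic one in Eqs. 34 through 41, and a harness like this is a regression check on that reasoning rather than a replacement for it.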

The above analyses are sufficient now to allow any skilled art worker to design and analyze families of protocols for complete authentication security.
The conditions for complete security against both initiate and intercept attacks may be succinctly stated as follows:
1. The response to a first challenge from A to B must be a secret function of the challenge,
2. The response to a second challenge from B to A must be a secret function of the second challenge,
3. The response to the first challenge from A to B must contain an indication of the direction of flow of the response, and
4. Both conditions C1 and C2 must be met.
Fig. 13 shows the general format of a family of protocols that fit the four requirements outlined above for security. Some of the specific protocols that fit this general form are secure and some are not. The conditions C1 and C2 must be tested for any specific protocol. The response to the first challenge N1 is of the form E[q op E[r]].

The response to the second challenge N2 is of the form E[t].

In one family defined by this general form,

Eq. 42 q = q(N1,...), Eq. 43 r = r(D,...), and Eq. 44 t = t(N2,...).

In another family, Eq. 45 q = q(D,...), Eq. 46 r = r(N1,...), and Eq. 47 t = t(N2,...).

We now examine some illustrative protocols that meet one or the other of these two general formats and further meet conditions C1 and C2.
Using an analysis similar to that used for Fig. 12, it can be shown that the dual of the protocol of Fig. 12, namely, Eq. 48 f() = E[N1 + E[D]] and Eq. 49 g() = E[N2],

is also completely secure. The key to these last two protocols and a myriad of related protocols that can be shown to be secure is the encryption of the direction indicator (or first challenge), coupled with the nested encryption of the first challenge (or direction indicator).
Fig. 14 shows a preferred embodiment of a protocol according to the invention. In this preferred embodiment, Eq. 50 f() = E[j() + k()], and Eq. 51 g() = k() + E[N1], where Eq. 52 j() = N1 + B, and Eq. 53 k() = E[N2 + E[N1]]. The following gives the rationale for the specific elements of functions f() and g(). The first element N1 of j() is not strictly required by the conditions as set forth above. However, this element adds additional randomness to the overall expression f(). The element can be omitted and the protocol will still work satisfactorily. Adding randomness to f() increases the cryptographic strength of the protocol and makes it harder for an intruder to break the encoding algorithm itself using known key-breaking techniques.
The inclusion of element B (the name of the called user) in j() is required by condition C2 and prevents intercept attacks.
The element N2 in k() adds additional randomness to the response to message 2. This element could also be eliminated and the protocol will operate satisfactorily. The element E[N1] in k() is required by condition C1. It is essential to have user A's challenge in user B's response. While it is not essential that this element be encrypted, doing so adds additional strength to the protocol.
A final example of a family of protocols that meet the general format and the conditions outlined above is now presented. This family incorporates the message flow direction indicator into the secret key that is used for encryption, rather than explicitly incorporating it into the data that is encrypted. One member of the family is illustrated in Fig. 16. Both users A and B know a secret key K. B prepares its response in message 2 to A's challenge N1 by encrypting it with K + B, where B represents B's identity. The '+' operator is again taken as the boolean EXCLUSIVE-OR operation, although it can be any other type of boolean or mathematical operation. A encrypts its response to B's challenge N2 by encrypting it using the unmodified value of K. As required by the invention, B's response to the challenge N1 is a secret function of the challenge N1. Likewise, A's response to the challenge N2 is a secret function of N2. The direction of flow of a message is incorporated into the responses, in a way that both A and B can derive, by use of different encryption keys used to encode the responses. Now let's test the result according to conditions C1 and C2.

C1:
Eq. 54 f'() = g(), or Eq. 55 Eb[N1'] = E[N2], where E = encryption with secret key K and Eb = encryption with K + B.
Writing out the condition answers itself. There is no way to mathematically cancel out terms to derive the needed N1', because the encryption keys on both sides of the equation are different and unknown to an intruder. One who does not know K cannot solve the equation.

C2:
Eq. 56 f'() = f(), or Eq. 57 Eb[N1'] = Ea[N1].

Notice that the right side of the equation is encrypted with key Ea. This represents user A or any other user, except B, that an intruder might go to in a reference connection to glean information. But Ea is different from Eb used to encode the left side of the equation. If the reference connection is with A, then Ka = K + A. Thus, without knowledge of the key K, the equation cannot be solved for N1'. Thus, it is completely secure.
Illustrative flowcharts of the authentication process are shown in Figs. 17 through 21. These particular flowchart examples are based on the protocol shown in Fig. 15 and the use of an encryption key Kab shared between A and B. Each of these processes in Figs. 17 through 21 is present at each user and is executed at the appropriate time depending on the particular role of the user, primary (user A) or secondary (user B), and the point within the protocol exchange. Fig. 17 is executed by A attempting to initiate communications with B. Step 1700 generates a nonce N1 as the challenge to B. Step 1702 sends the challenge N1 to B and the process terminates, waiting for the arrival of the response to N1 and a new challenge N2.
Fig. 18 is executed by B when it receives an initial challenge N1. Step 1800 first generates a challenge N2 to be used as a new challenge to A. Step 1804 executes the subroutine ENCODE, shown in Fig. 21, passing to it the variables N1, N2 and the appropriate key Kab that is shared with user A, to prepare the response to the challenge N1. With reference to Fig. 21, step 2100 of subroutine ENCODE first encrypts the value of N1, using the key Kab and, illustratively, the DES algorithm. The encrypted result is temporarily stored in variable S1. Step 2102 EXCLUSIVE-ORs N2 with S1 and temporarily stores the result in variable S2. Step 2104 EXCLUSIVE-ORs N1 with the identity of this user (B) and then EXCLUSIVE-ORs that result with S2 to obtain an encrypted value R, which is returned to the calling process in Fig. 18. Step 1806 of Fig. 18 assigns the returned encrypted value R to variable R1 and returns R1 along with the new challenge N2 to user A at step 1808.

The process in Fig. 19 is executed at A in response to receipt of R1 and challenge N2. N1, N2 and the shared key Kab are then passed to subroutine ENCODE. As discussed above, ENCODE computes the correct response to the initial challenge N1 and returns the answer in variable R. Step 1902 compares the correct response in R to the response R1 received from user B. If R is not equal to R1, the authentication fails and step 1904 terminates this communication immediately. If R equals R1, however, then B has properly authenticated itself to A.
A must now authenticate itself to B. Step 1906 assigns the value of S2 from the subroutine ENCODE to the response R2 to be sent to B as the third message flow. As shown in Fig. 15, this response is E[N2 + E[N1]].

The value of R2 = E[N2 + E[N1]] is obtained from the variable S2, without performing another encryption step, and is sent to B by step 1908.
Fig. 20 shows the steps performed by user B when it receives message 3, the response from user A to the challenge N2 from user B. Recall that in this embodiment, this response is of the form g(), where message 2 is of the form f() = j() + g(). The value of g() = E[N2 + E[N1]] is available in variable S2 at user B, where it was generated earlier by the execution of the steps in Fig. 18. In Fig. 20, step 2000 compares the variable S2 with the response R2 from A. If this comparison does not match exactly, then A has not properly authenticated itself to B. In this case, step 2002 immediately terminates the communication. If the values match, then A is properly authenticated. In this case, the process in Fig. 20 merely exits to allow the users to communicate further.
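The message flow of Figs. 17 through 20, with one ENCODE routine shared by both users as in Fig. 21, as an added Python example that is not the patent's own code. Because the text's account of the Fig. 15 ENCODE steps is only partly legible, the functions computed here are those of the preferred embodiment of Fig. 14, Eqs. 50 through 53 (f() = E[N1 + B + E[N2 + E[N1]]] and g() = E[N2 + E[N1]] + E[N1]); as in the flowcharts, ENCODE returns both the response R to N1 and the value S2 that A later sends as message 3 and B compares at step 2000. E[] is again assumed to be a keyed pseudorandom function (HMAC-SHA256 truncated to 8 bytes) in place of DES, '+' is EXCLUSIVE-OR, and the identities and the key Kab are constructed values.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # assumed width in bytes of challenges, identities and responses


def xor(a: bytes, b: bytes) -> bytes:
    """The text's '+' operator: EXCLUSIVE-OR of equal-length blocks."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Keyed PRF standing in for the DES encryption E[] of Fig. 21."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ident(name: str) -> bytes:
    """Constructed user identifier, zero-padded to BLOCK bytes."""
    return name.encode().ljust(BLOCK, b"\0")


def encode(kab: bytes, n1: bytes, n2: bytes, called_user: bytes):
    """Subroutine ENCODE (Fig. 21 layout) computing the Fig. 14 functions.

    S1 = E[N1]
    k  = E[N2 + E[N1]]             Eq. 53
    R  = f() = E[N1 + B + k]       Eqs. 50, 52: B's response to N1
    S2 = g() = k + E[N1]           Eq. 51: A's response to N2
    Both users run the same routine; the caller's role decides whether R is
    sent (B) or checked (A) and whether S2 is sent (A) or checked (B)."""
    s1 = E(kab, n1)
    k = E(kab, xor(n2, s1))
    r = E(kab, xor(xor(n1, called_user), k))
    s2 = xor(k, s1)
    return r, s2


class Party:
    """Per-user state: identity, the key Kab shared with the peer, and the
    values carried between steps of the exchange."""

    def __init__(self, name: str, kab: bytes):
        self.id = ident(name)
        self.kab = kab
        self.n1 = None  # A keeps its own challenge for Fig. 19
        self.s2 = None  # B keeps the expected message 3 for Fig. 20


def fig17_initiate(a: Party) -> bytes:
    a.n1 = secrets.token_bytes(BLOCK)          # step 1700: nonce N1
    return a.n1                                # step 1702: message 1, A -> B


def fig18_respond(b: Party, n1: bytes):
    n2 = secrets.token_bytes(BLOCK)            # step 1800: challenge N2
    r1, b.s2 = encode(b.kab, n1, n2, b.id)     # steps 1804, 1806
    return r1, n2                              # step 1808: message 2, B -> A


def fig19_verify_and_reply(a: Party, r1: bytes, n2: bytes, peer: bytes):
    r, s2 = encode(a.kab, a.n1, n2, peer)      # recompute with B's identity as D
    if not hmac.compare_digest(r, r1):         # step 1902: constant-time compare
        return None                            # step 1904: B failed, terminate
    return s2                                  # steps 1906, 1908: message 3


def fig20_verify(b: Party, r2: bytes) -> bool:
    return hmac.compare_digest(b.s2, r2)       # steps 2000, 2002


def run_exchange(b_knows_key: bool = True, forge_message3: bool = False) -> str:
    """Drive the three messages and report the outcome as the users see it."""
    kab = secrets.token_bytes(16)
    a = Party("A", kab)
    b = Party("B", kab if b_knows_key else secrets.token_bytes(16))
    n1 = fig17_initiate(a)
    r1, n2 = fig18_respond(b, n1)
    r2 = fig19_verify_and_reply(a, r1, n2, b.id)
    if r2 is None:
        return "B not authenticated"
    if forge_message3:                         # message 3 replaced in transit
        r2 = secrets.token_bytes(BLOCK)
    return "mutual" if fig20_verify(b, r2) else "A not authenticated"


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(b_knows_key=False))
    print(run_exchange(forge_message3=True))
```

The comparisons at steps 1902 and 2000 use hmac.compare_digest so that the time taken to reject a wrong response does not depend on how many leading bytes matched; the flowcharts say only "compares", and a constant-time compare is the usual way to implement that step today.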
It is to be understood that the above described arrangements are merely illustrative of the application of principles of the invention and that other arrangements may be devised by workers skilled in the art without departing from the spirit and scope of the invention.

Claims (28)

1. A method of authenticating a user on a communications connection in a network, comprising the steps of transmitting a first challenge N1 from a first user A to a second user B, transmitting a first response to the first challenge from the second user to the first user, verifying at the first user that the first response is correct, said first response being of the minimum form f(S1, N1, D1...), wherein S1 is a shared secret between the first and second users, D1 is an indication of the direction of flow of the message containing f() and f() is a function selected such that f'(S1, N1', D1',...) = f(S1, N1, D1,...) cannot be solved for N1' without knowledge of S1, wherein f'(), N1' and D1' represent expressions on a reference connection.
2. The method of claim 1 wherein the secret S is the mathematical function f().
3. The method of claim 2 wherein S1 is a data encryption key.
4. A method of authenticating users on a communications connection in a network, comprising the steps of transmitting a first challenge N1 from a first user A to a second user B, transmitting a first response to the first challenge and second challenge N2 from the second user to the first user, verifying at the first user that the first response is correct, transmitting a second response to the second challenge from the first user to the second user, and verifying at the second user that the second response is correct, said first response being of the minimum form f(S1, N1,...), and said second response being of the minimum form g(S2, N2,...), where S1 and S2 are shared secrets between the first and second users and f() and g() are functions selected such that f'(S1, N1',...) = g(S2, N2) cannot be solved for N1' without knowledge of S1 and S2, wherein f'() and N1' represent expressions on a reference connection.
5. The method of claim 4 wherein the secret S1 is the mathematical function f() and S2 is the mathematical function g().
6. The method of claim 4 wherein S1 = S2 = S.
7. The method of claim 6 wherein S is a data encryption key.
8. The method of claim 4 wherein f() further includes an indication of the direction D1 of flow of the message containing f(), as in f(S1, N1, D1,...) and f() is selected such that f'(S, N1', D1',...) = f(S, N2, D1,...) cannot be solved for N1' without knowledge of S1 and S2, wherein D1' is the flow direction indicator of the message containing f'() on the reference connection.
9. The method of claim 8 wherein f() = E[q op E[r]], and g() = E[t], wherein op is a mathematical or boolean operation, q = q(N1, ...), r = r(D1, ...), t = t(N2, ...), E = data encryption with an encryption key.
10. The method of claim 8 wherein f() = E[q op E[r]], and g() = E[t], wherein op is a mathematical or boolean operation, q = q(D1, ...), r = r(N1, ...), t = t(N2, ...), E = data encryption with an encryption key.
11. The method of claim 10 wherein f() = E[D1 op E[N1]] and g() = E[N2].
12. The method of claim 10 wherein f() = E[N1 op E[D1]] and g() = E[N2].
13. The method of claim 10 wherein f() = E[N1 op D1 op E[N2 op E[N1]]] and g() = E[N2 op E[N1]] op E[N1].
14. The method of claim 10 wherein f() = E[N1 op D1 op E[N2 op E[S1]]] and g() = E[N2 op E[N1]].
15. The method of claim 10 wherein f() = Eb[N1] and g() = E[N2], where Eb = encryption with data encryption key K op D1.
16. An arrangement at a network node for authenticating a network user, comprising means for transmitting a challenge N1 to a user, means for receiving a response to the challenge from the user, and means for verifying the response, said response being of the minimum form f(S1, N1, D1...), wherein S1 is a shared secret between the first and second users, D1 is an indication of the direction of flow of the message containing f() and f() is a function selected such that f'(S1, N1', D1',...) = f(S1, N1, D1,...) cannot be solved for N1' without knowledge of S1, wherein f'(), N1' and D1' represent expressions on a reference connection.
17. An arrangement at a network node for authenticating network users, comprising means for transmitting a first challenge N1 to a user, means for receiving a first response to the first challenge and a second challenge N2 from the user, means for verifying the first response, means for transmitting a second response to the second challenge, and means for verifying a second response, said first response being of the minimum form f(S1, N1,...), and said second response being of the minimum form g(S2, N2,...), where S1 and S2 are shared secrets between authorized users and f() and g() are functions selected such that f'(S1, N1',...) = g(S2, N2) cannot be solved for N1' without knowledge of S1 and S2, wherein f'() and N1' represent expressions on a reference connection.
18. The arrangement of claim 17 wherein the secret S1 is the mathematical function f() and S2 is the mathematical function g().
19. The arrangement of claim 17 wherein S1 = S2 = S.
20. The arrangement of claim 19 wherein S is a data encryption key.
21. The arrangement of claim 18 wherein f() further includes an indication of the direction D1 of flow of the message containing f(), as in f(S1, N1, D1,...) and f() is selected such that f'(S, N1',D1',...) = f(S, N2, D1,...) cannot be solved for N1' without knowledge of S1 and S2, wherein f'() indicates the reference connection and D1' is the flow direction indicator of the message containing f'() on the reference connection.
22. The arrangement of claim 21 wherein f() = E[q op E[r]], and g() = E[t], wherein op is a mathematical or boolean operation, q = q(N1, ...), r = r(D1, ...), t = t(N2, ...), E = data encryption with an encryption key.
23. The arrangement of claim 21 wherein f() = E[q op E[r]], and g() = E[t], wherein op is a mathematical or boolean operation, q = q(D1, ...), r = r(N1, ...), t = t(N2, ...), E = data encryption with an encryption key.
24. The arrangement of claim 23 wherein f() = E[D1 op E[N1]] and g() = E[N2].
25. The arrangement of claim 23 wherein f() = E[N1 op E[D1]] and g() = E[N2].
26. The arrangement of claim 23 wherein f() = E[N1 op D1 op E[N2 op E[N1]]] and g() = E[N2 op E[N1]] op E[N1].
27. The arrangement of claim 23 wherein f() = E[N1 op D1 op E[N2 op E[N1]]] and g() = E[N2 op E[N1]].
28. The arrangement of claim 23 wherein f() = Eb[N1] and g() = E[N2], where Eb = encryption with data encryption key K op D1.
CA002059172A 1991-03-20 1992-01-10 Authentication protocols in communication networks Expired - Fee Related CA2059172C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US07/672,226 US5148479A (en) 1991-03-20 1991-03-20 Authentication protocols in communication networks
US672,226 1991-03-20

Publications (2)

Publication Number Publication Date
CA2059172A1 CA2059172A1 (en) 1992-09-21
CA2059172C true CA2059172C (en) 1996-01-16

Family

ID=24697681

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002059172A Expired - Fee Related CA2059172C (en) 1991-03-20 1992-01-10 Authentication protocols in communication networks

Country Status (5)

Country Link
US (1) US5148479A (en)
EP (1) EP0505302B1 (en)
JP (1) JP2823103B2 (en)
CA (1) CA2059172C (en)
DE (1) DE69213062T2 (en)

Families Citing this family (61)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL9101796A (en) * 1991-10-25 1993-05-17 Nederland Ptt METHOD FOR AUTHENTICATING COMMUNICATION PARTICIPANTS, METHOD FOR USING THE METHOD AND FIRST COMMUNICATION PARTICIPANT AND SECOND COMMUNICATION PARTICIPANT FOR USE IN THE SYSTEM.
US5276735A (en) * 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
US5369705A (en) * 1992-06-03 1994-11-29 International Business Machines Corporation Multi-party secure session/conference
US5596718A (en) * 1992-07-10 1997-01-21 Secure Computing Corporation Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
US5311596A (en) * 1992-08-31 1994-05-10 At&T Bell Laboratories Continuous authentication using an in-band or out-of-band side channel
US5491752A (en) * 1993-03-18 1996-02-13 Digital Equipment Corporation, Patent Law Group System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
US5351295A (en) * 1993-07-01 1994-09-27 Digital Equipment Corporation Secure method of neighbor discovery over a multiaccess medium
US5475763A (en) * 1993-07-01 1995-12-12 Digital Equipment Corp., Patent Law Group Method of deriving a per-message signature for a DSS or El Gamal encryption system
US5483598A (en) * 1993-07-01 1996-01-09 Digital Equipment Corp., Patent Law Group Message encryption using a hash function
US5544246A (en) * 1993-09-17 1996-08-06 At&T Corp. Smartcard adapted for a plurality of service providers and for remote installation of same
DE69312328T2 (en) * 1993-09-20 1998-01-08 Ibm SYSTEM AND METHOD FOR CHANGING THE KEY OR PASSWORD IN A COMMUNICATION NETWORK WITH KEY DISTRIBUTION
US5381480A (en) * 1993-09-20 1995-01-10 International Business Machines Corporation System for translating encrypted data
EP0656708A1 (en) * 1993-12-03 1995-06-07 International Business Machines Corporation System and method for the transmission and validation of an updated encryption key between two users
US5594921A (en) * 1993-12-17 1997-01-14 Object Technology Licensing Corp. Authentication of users with dynamically configurable protocol stack
US5491750A (en) * 1993-12-30 1996-02-13 International Business Machines Corporation Method and apparatus for three-party entity authentication and key distribution using message authentication codes
US5491749A (en) * 1993-12-30 1996-02-13 International Business Machines Corporation Method and apparatus for entity authentication and key distribution secure against off-line adversarial attacks
USRE38898E1 (en) 1994-05-24 2005-11-29 Sony Corporation Video data bus communication system and method
DE69516577T2 (en) * 1994-05-24 2001-01-04 Sony Corp Data bus communication
EP0693836A1 (en) * 1994-06-10 1996-01-24 Sun Microsystems, Inc. Method and apparatus for a key-management scheme for internet protocols.
GB9422389D0 (en) * 1994-11-05 1995-01-04 Int Computers Ltd Authenticating access control for sensitive functions
US5822431A (en) * 1996-01-19 1998-10-13 General Instrument Corporation Of Delaware Virtual authentication network for secure processors
GB9606593D0 (en) * 1996-03-29 1996-06-05 Symmetricom Inc An antenna system
US20060195595A1 (en) 2003-12-19 2006-08-31 Mendez Daniel J System and method for globally and securely accessing unified information in a computer network
US20020133412A1 (en) * 1997-03-07 2002-09-19 David M. Oliver System for management of transactions on networks
US7324972B1 (en) 1997-03-07 2008-01-29 Clickshare Service Corporation Managing transactions on a network: four or more parties
US5953424A (en) * 1997-03-18 1999-09-14 Hitachi Data Systems Corporation Cryptographic system and protocol for establishing secure authenticated remote access
JP3864401B2 (en) * 1997-04-23 2006-12-27 ソニー株式会社 Authentication system, electronic device, authentication method, and recording medium
US6591291B1 (en) * 1997-08-28 2003-07-08 Lucent Technologies Inc. System and method for providing anonymous remailing and filtering of electronic mail
US6263446B1 (en) * 1997-12-23 2001-07-17 Arcot Systems, Inc. Method and apparatus for secure distribution of authentication credentials to roaming users
US7328350B2 (en) * 2001-03-29 2008-02-05 Arcot Systems, Inc. Method and apparatus for secure cryptographic key generation, certification and use
US6151676A (en) * 1997-12-24 2000-11-21 Philips Electronics North America Corporation Administration and utilization of secret fresh random numbers in a networked environment
US6243811B1 (en) * 1998-07-31 2001-06-05 Lucent Technologies Inc. Method for updating secret shared data in a wireless communication system
US6941454B1 (en) 1998-10-14 2005-09-06 Lynn Spraggs System and method of sending and receiving secure data with a shared key
ATE456103T1 (en) * 1998-10-14 2010-02-15 Aegis Systems Inc METHOD FOR SENDING AND RECEIVING SECURE DATA USING A DISTRIBUTED KEY
US6349338B1 (en) * 1999-03-02 2002-02-19 International Business Machines Corporation Trust negotiation in a client/server data processing network using automatic incremental credential disclosure
US6507908B1 (en) 1999-03-04 2003-01-14 Sun Microsystems, Inc. Secure communication with mobile hosts
US6424953B1 (en) * 1999-03-19 2002-07-23 Compaq Computer Corp. Encrypting secrets in a file for an electronic micro-commerce system
US7549056B2 (en) 1999-03-19 2009-06-16 Broadcom Corporation System and method for processing and protecting content
US7257554B1 (en) 1999-03-19 2007-08-14 Hewlett-Packard Development Company, L.P. Anonymous purchases while allowing verifiable identities for refunds returned along the paths taken to make the purchases
US7810152B2 (en) * 2002-05-08 2010-10-05 Broadcom Corporation System and method for securely controlling access to device functions
US6826686B1 (en) * 2000-04-14 2004-11-30 International Business Machines Corporation Method and apparatus for secure password transmission and password changes
US7870599B2 (en) * 2000-09-05 2011-01-11 Netlabs.Com, Inc. Multichannel device utilizing a centralized out-of-band authentication system (COBAS)
US7596223B1 (en) 2000-09-12 2009-09-29 Apple Inc. User control of a secure wireless computer network
US6769060B1 (en) 2000-10-25 2004-07-27 Ericsson Inc. Method of bilateral identity authentication
JP4149126B2 (en) 2000-12-05 2008-09-10 ジーイー・メディカル・システムズ・グローバル・テクノロジー・カンパニー・エルエルシー Image processing method, image processing apparatus, and image photographing apparatus
US7116668B2 (en) * 2001-10-09 2006-10-03 Telefunaktiebolaget Lm Ericsson (Publ) Method for time stamp-based replay protection and PDSN synchronization at a PCF
EP1351480B1 (en) * 2002-04-05 2008-10-29 Abb Research Ltd. Methods for remote controlling of a system
US7293284B1 (en) 2002-12-31 2007-11-06 Colligo Networks, Inc. Codeword-enhanced peer-to-peer authentication
US8108429B2 (en) 2004-05-07 2012-01-31 Quest Software, Inc. System for moving real-time data events across a plurality of devices in a network for simultaneous data protection, replication, and access services
US7565661B2 (en) 2004-05-10 2009-07-21 Siew Yong Sim-Tang Method and system for real-time event journaling to provide enterprise data services
US7680834B1 (en) 2004-06-08 2010-03-16 Bakbone Software, Inc. Method and system for no downtime resychronization for real-time, continuous data protection
US7979404B2 (en) 2004-09-17 2011-07-12 Quest Software, Inc. Extracting data changes and storing data history to allow for instantaneous access to and reconstruction of any point-in-time data
US7904913B2 (en) 2004-11-02 2011-03-08 Bakbone Software, Inc. Management interface for a system that provides automated, real-time, continuous data protection
KR100848541B1 (en) * 2005-05-13 2008-07-25 삼성전자주식회사 Method for preventting replay attack in mobile ipv6
US7689602B1 (en) 2005-07-20 2010-03-30 Bakbone Software, Inc. Method of creating hierarchical indices for a distributed object system
US7788521B1 (en) 2005-07-20 2010-08-31 Bakbone Software, Inc. Method and system for virtual on-demand recovery for real-time, continuous data protection
US8059819B2 (en) 2007-01-17 2011-11-15 Panasonic Electric Works Co., Ltd. Systems and methods for distributing updates for a key at a maximum rekey rate
US8131723B2 (en) 2007-03-30 2012-03-06 Quest Software, Inc. Recovering a file system to any point-in-time in the past with guaranteed structure, content consistency and integrity
US8364648B1 (en) 2007-04-09 2013-01-29 Quest Software, Inc. Recovering a database to any point-in-time in the past with guaranteed data consistency
CN101447872B (en) * 2007-11-27 2011-09-28 阿里巴巴集团控股有限公司 User identity authentication method, system thereof and identifying code generating maintenance subsystem
KR20090067551A (en) * 2007-12-21 2009-06-25 삼성전자주식회사 Method and apparatus for using and limiting cluster-based contents, method and apparatus for authenticating access right of contents, and computer readable medium thereof

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4193131A (en) * 1977-12-05 1980-03-11 International Business Machines Corporation Cryptographic verification of operational keys used in communication networks
US4218738A (en) * 1978-05-05 1980-08-19 International Business Machines Corporation Method for authenticating the identity of a user of an information system
US4386233A (en) * 1980-09-29 1983-05-31 Smid Miles E Crytographic key notarization methods and apparatus
FR2530053B1 (en) * 1982-07-08 1986-04-25 Bull Sa METHOD FOR CERTIFYING THE SOURCE OF AT LEAST ONE INFORMATION RECORDED IN A MEMORY OF A FIRST ELECTRONIC DEVICE AND TRANSMITTED TO A SECOND ELECTRONIC DEVICE, AND SYSTEM FOR IMPLEMENTING SUCH A METHOD
US4723284A (en) * 1983-02-14 1988-02-02 Prime Computer, Inc. Authentication system
US4926480A (en) * 1983-08-22 1990-05-15 David Chaum Card-computer moderated systems
JPS619052A (en) * 1984-06-25 1986-01-16 Toshiba Corp Communication network system
US4649233A (en) * 1985-04-11 1987-03-10 International Business Machines Corporation Method for establishing user authenication with composite session keys among cryptographically communicating nodes
LU86203A1 (en) * 1985-12-11 1987-07-24 Cen Centre Energie Nucleaire METHOD AND APPARATUS FOR VERIFYING THE AUTHENTICITY OF DOCUMENTS LINKED TO A PERSON AND THE IDENTITY OF THEIR CARRIERS
DE3763872D1 (en) * 1986-03-05 1990-08-30 Holger Sedlak CRYPTOGRAPHY METHOD AND CRYPTOGRAPHY PROCESSOR FOR IMPLEMENTING THE METHOD.
JPS62210791A (en) * 1986-03-12 1987-09-16 Pioneer Electronic Corp Furtive glance preventing system for catv system
EP0246823A3 (en) * 1986-05-22 1989-10-04 Racal-Guardata Limited Data communication systems and methods
US4748668A (en) * 1986-07-09 1988-05-31 Yeda Research And Development Company Limited Method, apparatus and article for identification and signature
GB2194415B (en) * 1986-08-20 1990-10-17 Plessey Co Plc Improvements in or relating to methods of achieving key variable exchange with mutual authentication of participants
US4850017A (en) * 1987-05-29 1989-07-18 International Business Machines Corp. Controlled use of cryptographic keys via generating station established control values
US4933970A (en) * 1988-01-19 1990-06-12 Yeda Research And Development Company Limited Variants of the fiat-shamir identification and signature scheme
JP2521785B2 (en) * 1988-02-08 1996-08-07 日本電信電話株式会社 Terminal authentication processing system
ATE197656T1 (en) * 1988-03-16 2000-12-15 Digicash Inc BLIND SIGNATURE SYSTEMS WITH A SINGLE TEMPLATE
EP0374225B1 (en) * 1988-05-19 1993-01-20 Ncr International Inc. Method and device for authentication
IL87549A0 (en) * 1988-08-24 1989-01-31 Amos Fiat Rsa computation method for efficient batch processing
JPH082051B2 (en) * 1988-08-31 1996-01-10 日本電信電話株式会社 Credential authentication method
US4919545A (en) * 1988-12-22 1990-04-24 Gte Laboratories Incorporated Distributed security procedure for intelligent networks
US4932056A (en) * 1989-03-16 1990-06-05 Yeda Research And Development Company Limited Method and apparatus for user identification based on permuted kernels
DE69019593T2 (en) * 1989-04-27 1996-01-25 Ibm Safe handling of keys using control vectors with reusable monitoring.

Also Published As

Publication number Publication date
JPH07170257A (en) 1995-07-04
CA2059172A1 (en) 1992-09-21
US5148479A (en) 1992-09-15
EP0505302A1 (en) 1992-09-23
DE69213062D1 (en) 1996-10-02
EP0505302B1 (en) 1996-08-28
JP2823103B2 (en) 1998-11-11
DE69213062T2 (en) 1997-03-13

Similar Documents

Publication Publication Date Title
CA2059172C (en) Authentication protocols in communication networks
CN100580657C (en) Distributed single sign-on service
US5345506A (en) Mutual authentication/cipher key distribution system
CN106161402B (en) Encryption equipment key injected system, method and device based on cloud environment
US6092200A (en) Method and apparatus for providing a virtual private network
US5418854A (en) Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system
US5440635A (en) Cryptographic protocol for remote authentication
CA2423636C (en) Methods for authenticating potential members invited to join a group
US8239676B2 (en) Secure proximity verification of a node on a network
US20050193199A1 (en) Accessing protected data on network storage from multiple devices
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN101543004A (en) Secure network architecture
CN107820239A (en) Information processing method and device
EP1090478B1 (en) A method for preventing key share attacks
CN104820807A (en) Smart card data processing method
JP3983561B2 (en) Secret management key management system, verification center, communication terminal, verification center program, communication terminal program, and secret management key management method
CN112035820A (en) Data analysis method used in Kerberos encryption environment
TWI811178B (en) Cybersecurity method and system based on multiparty and multifactor dynamic strong encryption authentication
CN115580403B (en) PKI-based computing node access control method
Wahaballa et al. Oblivious transfer with hidden access control and outsourced decryption from deterministic finite automata‐based functional encryption for an in‐vehicle sensor database system
JP2850391B2 (en) Confidential communication relay system
Kirsal et al. Improving kerberos security through the combined use of the timed authentication protocol and frequent key renewal
Kilic TLS-handshake for Plug and Charge in vehicular communications
Kumar A secure remote user authentication scheme with smart cards
Chen et al. Authentication using minimally trusted servers

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed