CA2076252C - Cryptographic protocol for secure communications - Google Patents

Cryptographic protocol for secure communications

Info

Publication number
CA2076252C
Authority
CA
Canada
Prior art keywords
key
signal
cryptosystem
bob
alice
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CA002076252A
Other languages
French (fr)
Other versions
CA2076252A1 (en)
Inventor
Steven Michael Bellovin
Michael Merritt
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AT&T Corp
Original Assignee
American Telephone and Telegraph Co Inc
Application filed by American Telephone and Telegraph Co Inc
Publication of CA2076252A1
Application granted
Publication of CA2076252C
Anticipated expiration
Expired - Lifetime


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys

Abstract

A cryptographic communication system. The system, which employs a novel combination of public and private key cryptography, allows two parties, who share only a relatively insecure password, to bootstrap a computationally secure cryptographic system over an insecure network. The system is secure against active and passive attacks, and has the property that the password is protected against off-line "dictionary" attacks. If Alice and Bob are two parties who share the password P, one embodiment of the system involves the following steps: (1) Alice generates a random public key E, encrypts it with P and sends P(E) to Bob; (2) Bob decrypts to get E, encrypts a random secret key R with E and sends E(R) to Alice; (3) Alice decrypts to get R, generates a random challenge $C_A$ and sends $R(C_A)$ to Bob; (4) Bob decrypts to get $C_A$, generates a random challenge $C_B$ and sends $R(C_A, C_B)$ to Alice; (5) Alice decrypts to get $(C_A, C_B)$, compares the first against the challenge and sends $R(C_B)$ to Bob if they are equal; (6) Bob decrypts and compares with the earlier challenge; and (7) Alice and Bob can use R as a shared secret key to protect the session.

Description

A CRYPTOGRAPHIC PROTOCOL FOR SECURE COMMUNICATIONS
Background of the Invention
Field of the Invention
This invention relates to cryptographic communications in general and, more particularly, to methods and systems for establishing authenticated and/or private communications between parties who initially share only a relatively insecure secret.
Description of the Related Art
Parties often wish to conduct private and authenticated communications. While privacy can be sought through physical means it is often more efficient and effective to employ cryptographic means. And while authentication can be sought through physically secure and dedicated facilities, it too can be accomplished more easily with cryptographic techniques.
Using classical cryptographic techniques, a party authenticates himself or herself to another party by revealing knowledge of a secret (e.g., a password) that is known only by the respective parties. When the secret is revealed, especially if it is communicated over a physically insecure communication channel, it is susceptible to eavesdropping. This permits the eavesdropper to learn the secret and to subsequently impersonate one of the parties.
The Kerberos authentication system of MIT's Project Athena attempts to solve this problem in the context of computer networks. R.M. Needham and M.D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978); and J. Steiner, C. Neumann, and J.I. Schiller, "An Authentication Service for Open Network Systems," Proc. Winter USENIX Conference, Dallas, 1988. According to the Kerberos system, each Kerberos system user is given a non-secret unique login ID and is allowed to choose a secret password. The password is conveyed by the user to the Kerberos system and is held in confidence by both parties. Because the password is kept a secret it may be used by the user to authenticate himself to the Kerberos system.

When a Kerberos system user desires access to a Kerberos computer, the user sends his or her login ID to the Kerberos computer with a request for access. While authentication could be accomplished by requiring that the user sends his or her password along with his or her ID, that technique has the serious disadvantage that an eavesdropper could readily ascertain the ID and corresponding password of the user.
To avoid this problem, the Kerberos system authenticates the identity of the user by creating a puzzle that can probably be solved only by the bona fide user. The puzzle can be thought of as a locked box, containing a message, that is secured with a combination lock. The puzzle is constructed by the Kerberos system so that the combination to the combination lock is the secret password known by the bona fide user associated with the received ID. The bona fide user, knowing his or her own password, can use the password to open the lock and recover the message inside. When the combination to the combination lock is randomly selected from a large number of possibilities it is infeasible for an impersonator to "pick" the lock.
The mechanism used to create the puzzle typically uses several steps. First, the Kerberos system generates a random number as the message to be conveyed to the user. Next, the Kerberos system makes a puzzle (containing the random number) such that the user's password is the key to solving the puzzle and recovering the message. For example, suppose that according to one class of puzzles each puzzle is equal to a random number plus a number representing the user's password. When the user's password is 3049 and the random number is 5294 the puzzle is 8343.
The puzzle is transmitted to the user by the Kerberos system. Continuing with the example, the user, knowing his or her own password, solves the puzzle and recovers the message by subtracting his or her password (3049) from the puzzle (8343) to recover the message (5294). An eavesdropper knowing the puzzle (8343) but not knowing the password is unlikely to discover the message.
According to the Kerberos system all communications between the user and the Kerberos system after the first puzzle is sent are also in the form of puzzles. But the key to solving the subsequent puzzles is the random number contained in the first puzzle which the Kerberos system and a bona fide user would know. Authentication occurs implicitly when the user and the computer are able to communicate meaningfully. And because all of the communications are encrypted privacy is achieved.
A discussion on the nomenclature of cryptology is appropriate at this time. A class of puzzles is known as a "cryptographic system" or "cryptosystem." The process of making a puzzle is known as "encryption" and the process of solving a puzzle to recover the message inside is known as "decryption." The puzzle is called "ciphertext" and the message within the puzzle is called "plaintext." The members of a cryptosystem are distinguished by a cryptographic key or key. According to the scheme of a particular cryptosystem, a key is used to lock plaintext into ciphertext and is also used to unlock the ciphertext to recover the plaintext.
The key to making a specific puzzle (i.e., locking plaintext in ciphertext) is known as an "encryption key" and the key to solving a puzzle (i.e., recovering the plaintext from the ciphertext) is known as a "decryption key." When, according to the design of a particular cryptosystem, the encryption key and the decryption key are identical, the cryptosystem is known as a "symmetric cryptosystem." The cryptosystem illustrated above is a symmetric cryptosystem because the number 3049 is the key to both creating the puzzle and to solving it.
A cryptosystem that has an encryption key E and a different decryption key D such that it is computationally infeasible to determine D from E is known as an "asymmetric key cryptosystem" or a "public key cryptosystem." An asymmetric key cryptosystem is not a symmetric cryptosystem and is therefore useful for initiating secure communications between parties who typically have not previously communicated nor share a common secret key to a symmetric cryptosystem. In contradistinction to an asymmetric key cryptosystem, a public key distribution system permits two remote users to exchange messages back and forth until they arrive at a common key to a symmetric key cryptosystem. The fundamental requirement of an asymmetric key cryptosystem is that an eavesdropper knowing all of the messages must find it computationally infeasible to compute the common key.
Returning to the Kerberos system, an eavesdropper on a communications channel utilizing the Kerberos system sees only the person's login ID transmitted in the clear: something that is already public knowledge. The person's password is never explicitly transmitted and the key and subsequent messages are encrypted and hence ostensibly secure. The Kerberos system, however, has a number of limitations and some weaknesses. S.M. Bellovin and M. Merritt, "Limitations of the Kerberos Authentication System," Proc. Winter USENIX Conference, Dallas, (1991). People pick bad passwords, and either forget, write down, or resent good ones. This allows an eavesdropper to passively record encrypted messages, and to run a modified brute force attack on a password by decrypting encrypted messages with candidate passwords until intelligible plaintext is created. Kerberos has additional flaws, but illustrates a weakness common to all classical two-party key exchange protocols: the cryptographic passwords are susceptible to off-line, brute-force attacks. Nevertheless, such key exchange protocols may be appropriate when the passwords are long randomly selected strings, but pose considerable difficulty when the passwords are chosen by naive users.
Other attempts at avoiding the problem of off-line password guessing attacks include that described by T.M.A. Lomas, L. Gong, J.H. Saltzer, and R.M. Needham in "Reducing Risks from Poorly Chosen Keys," Proceedings of the Twelfth ACM Symposium on Operating System Principles, SIGOPS, 14-18 (Dec. 1989); and L. Gong, "Verifiable-text Attacks in Cryptographic Protocols," Proc. of the IEEE INFOCOM - The Conf. on Computer Communications, (1990). Lomas et al. teach a protocol that frustrates most cryptanalytic attacks but requires, for purposes of authentication, that each party know, in addition to their respective passwords a password, a public key to an asymmetric key cryptosystem. If the public key is to provide any reasonable level of security it cannot be easily memorized.
Summary of the Invention
The present invention provides a mechanism for establishing private and authenticated communications between parties who share only a relatively insecure secret by using an approach different from the prior art, and while avoiding many of the costs and restrictions of prior cryptographic protocols. The communications conducted pursuant to the present invention are more secure than those established with the prior art and protect the shared secret (e.g., a password) from being revealed to an eavesdropper.
These results are obtained in an illustrative embodiment of the present invention in which a portion of one or more of the messages of a public key distribution system are encrypted with the shared secret as the encryption key. In this regard the illustrative embodiment is similar to the Kerberos system but is substantially different in that the ciphertext is not merely a random number, but a portion of a message of a public key distribution system.

Because an asymmetric key cryptosystem provides a superset of the functionality of a public key distribution system, public key distribution systems are construed to include asymmetric key cryptosystems which are utilized to provide the commensurate functionality of public key distribution systems.
According to one aspect of the invention there is provided a method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of: forming an excitation signal of a public key-distribution system based on a private first signal, $R_A$; transmitting said excitation signal to a party; receiving a response signal Q of a public key-distribution system in response to said excitation signal, said response signal containing further information that is essential for generating said cryptographic key; and generating said cryptographic key based on said first signal and on said response signal; characterized by the step of: encrypting at least a portion of said excitation signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.
According to another aspect of the invention there is provided a method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of: forming an excitation signal of a public key-distribution system based on a private first signal, $R_A$; transmitting said excitation signal; receiving a response signal Q of a public key-distribution system from a party in response to said excitation signal, said response signal containing further information that is essential for generating said cryptographic key; and generating said cryptographic key based on said first signal and on said response signal; characterized by the step of: decrypting at least a portion of said response signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.

Brief Description of the Drawings
FIG. 1 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes an asymmetric key cryptosystem and where the first two messages are encrypted with a password.
FIG. 2 presents a sequence of messages used in an illustrative embodiment of the invention that provides protection against attacks on the passwords when a session key has been recovered by an attacker.
FIG. 3 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the initial message is encrypted with the password.
FIG. 4 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the reply message is encrypted with the password.
FIG. 5 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes a public key distribution system.
FIG. 6 presents an apparatus that utilizes an asymmetric key cryptosystem and where the first two messages are encrypted.

Detailed Description
1. NOTATION

The following notation is used throughout:

A, B    The parties desiring to communicate (Alice and Bob respectively).
P    The password: a shared secret, often used as a key.
$P_n$    A key: typically either P or derived from P.
P(X)    The secret key encryption of an argument "X" with key P.
$P^{-1}(X)$    The secret key decryption of an argument "X" with key P.
$E_A(X)$    The asymmetric key encryption of an argument "X" with public key $E_A$.
$D_A(X)$    The asymmetric key decryption of an argument "X" with private key $D_A$.
$\mathit{challenge}_A$    A random challenge generated by Alice.
$\mathit{challenge}_B$    A random challenge generated by Bob.
R    A session key or a number from which a session key may be derived.
p, q    Prime numbers.
A symmetric key cryptosystem is a conventional cryptosystem as known up until the 1970's; such symmetric key cryptosystems use secret keys. In contradistinction, an asymmetric key cryptosystem uses public encryption and private decryption keys.
As used in the following description and claims, "secure communications" means communications which are authenticated and/or private.
Embodiments of the invention are presented which utilize both public key distribution systems and asymmetric key cryptosystems. As used in the following description and claims, "public key distribution systems" includes asymmetric key cryptosystems providing the functionality of a public key distribution system.

2. EMBODIMENTS THAT USE ASYMMETRIC KEY CRYPTOSYSTEMS
The messages exchanged in an illustrative embodiment of the invention are presented in Fig. 1. That typical embodiment uses an asymmetric key cryptosystem. Alice 101 and Bob 103 are entities who desire to establish private and authenticated communications over a channel. The messages shown may be conveyed by public or private communications paths, e.g., telephone links. In this embodiment, and in each embodiment in the detailed description, Alice and Bob are deemed, prior to the beginning of the message exchange, to share knowledge of the secret P. Additionally, in this embodiment, and in each embodiment in the detailed description, Alice is the calling party and Bob is the called party. Referring to Fig. 1:
1. Alice generates a random public key/private key pair, $E_A$ and $D_A$, and encrypts $E_A$, or a portion thereof, in a symmetric key cryptosystem illustratively of the type described in Data Encryption Standard, Federal Information Processing Standards Publication 46, National Bureau of Standards, U.S. Dept. of Commerce, January 1977, with password P as the key, yielding $P(E_A)$. Alice sends $P(E_A)$ (msg. 109) to Bob as shown at 109. This message may include other information such as the identity of the sender, or the remainder of the public key when a portion of it is not encrypted.
2. Bob, knowing P, decrypts msg. 109 to obtain $P^{-1}(P(E_A)) = E_A$. Bob then generates a random secret key R, and encrypts it in the asymmetric key cryptosystem with key $E_A$ to produce $E_A(R)$. This string is further encrypted with P. Bob sends $P(E_A(R))$ (msg. 115) to Alice as shown at 115.
3. Alice, knowing P and $D_A$, uses them to obtain $D_A(P^{-1}(P(E_A(R)))) = R$. Thereafter, R, or numbers derived from R, can be used as a key in further communications between Alice and Bob.
2.1. Key Validation Techniques
Once the parties have agreed to a key R, it may, in certain circumstances, be appropriate for the parties to take steps to make sure that the key has not been tampered with during transmission. As used in this description, such steps are known as key validation techniques.
2.1.1. Guarding Against Replay Attacks
The illustrative embodiment outlined in Section 2 above may not be suitable for all applications because it may not adequately guard against replay attacks. A replay attack is an attempt by an eavesdropper, who has control of the communications channel, to insert old, stale, messages in the communication channel in an attempt to impersonate either party. Where the possibility of a replay attack exists, a preferred embodiment of the invention incorporates a mechanism to thwart such an attack. Thus, again referring to Fig. 1 this embodiment comprises the messages:
1. As before, the message exchange begins when Alice 101 sends $P(E_A)$ (msg. 109) to Bob 103.
2. Again as before, Bob responds by sending $P(E_A(R))$ (msg. 115) to Alice.

3. Upon receipt of msg. 115 the challenge-response mechanism begins. Alice decrypts msg. 115 to obtain R, generates a random string $\mathit{challenge}_A$ and encrypts it with R to produce $R(\mathit{challenge}_A)$. She sends $R(\mathit{challenge}_A)$ (msg. 121) to Bob as shown at 121.
4. Bob decrypts msg. 121 to obtain $\mathit{challenge}_A$, generates a random string $\mathit{challenge}_B$, encrypts the two challenges with the secret key R and sends $R(\mathit{challenge}_A, \mathit{challenge}_B)$ (msg. 127) to Alice as shown at 127.
5. Alice decrypts msg. 127 to obtain $\mathit{challenge}_A$ and $\mathit{challenge}_B$, and compares the former against her earlier challenge. When it matches, she encrypts $\mathit{challenge}_B$ with R and sends $R(\mathit{challenge}_B)$ (msg. 133) to Bob as shown in 133.
6. Upon receipt of msg. 133 Bob decrypts to obtain $\mathit{challenge}_B$ and compares against the earlier challenge. When it matches, the challenge-response mechanism is successful and the parties may use R, or a string derived from R, as a session key in further communications.
The challenge-response portion of the embodiment above could be replaced by other mechanisms for validating R. For example, the time could be exchanged encrypted by R, under the security-critical assumption that clocks are monotonic and, to some extent, synchronized.
2.1.2 Guarding Against Recovered Session Keys
When a cryptanalyst recovers a session key R he can use R as a clue to attack P and $E_A$. Fig. 2 presents the messages exchanged in an illustrative embodiment of the invention that hinders an attack on P or $E_A$ when R is known. When there is a chance that an unauthorized cryptanalyst might recover a session key another preferred embodiment of the invention incorporates a mechanism to hinder such an attack. Referring to Fig. 2:
1. As before, the message exchange begins when Alice 201 sends $P(E_A)$ (msg. 209) to Bob 203.
2. Again as before, Bob responds by sending $P(E_A(R))$ (msg. 215) to Alice as shown at 215.
3. Alice decrypts msg. 215 to obtain R, randomly generates a unique challenge $\mathit{challenge}_A$ and a random subkey $S_A$, encrypts the challenge and the subkey with R and sends $R(\mathit{challenge}_A, S_A)$ (msg. 221) to Bob as shown at 221.
4. Upon receipt of msg. 221, Bob decrypts it to obtain $\mathit{challenge}_A$ and $S_A$, generates a unique challenge $\mathit{challenge}_B$ and a random subkey $S_B$, encrypts the two challenges and his subkey with the secret key R and sends $R(\mathit{challenge}_A, \mathit{challenge}_B, S_B)$ (msg. 227) to Alice as shown at 227.
5. Upon receipt of msg. 227 Alice decrypts it to obtain $\mathit{challenge}_A$ and $\mathit{challenge}_B$, and compares the former against her earlier challenge. When it matches, she encrypts $\mathit{challenge}_B$ with R to obtain $R(\mathit{challenge}_B)$. Alice sends $R(\mathit{challenge}_B)$ (msg. 233) to Bob as shown in 233.
6. Upon receipt of msg. 233, Bob decrypts it to obtain $\mathit{challenge}_B$ and compares it to $\mathit{challenge}_B$ of msg. 227. When it matches, the two parties calculate a key, $S = f(S_A, S_B)$ for some jointly known function f. S is used as the secret key to encrypt all subsequent exchanges and R is reduced to the role of a key exchange key.

Conceivably, a sophisticated cryptanalyst might be able to use the presence of challenges and responses in different messages to attack R. When such an attack is of concern, the responses can be modified to contain a one-way function of the challenges, rather than the challenges themselves. Thus, msg. 227 could become $R(g(\mathit{challenge}_A), \mathit{challenge}_B, S_A)$ and a similar change would be made to msg. 233.
2.2 Bilateral Versus Unilateral Encryption
When a portion of both of the first two messages are encrypted with the password, as are msg. 109 and msg. 115 in the embodiment presented above, the embodiment incorporates what is called bilateral encryption. In other illustrative embodiments, however, bilateral encryption is not necessary. When only one of the first two messages is encrypted it is called unilateral encryption. Note that there are two types of unilateral encryption: (1) when the first message is encrypted, and (2) when the second message is encrypted. Section 2.2.1. shows an illustrative embodiment of the invention where only the first message is encrypted with the password and section 2.2.2 presents an illustrative embodiment where only the second message is encrypted.
2.2.1. An Illustrative Embodiment Using The RSA Asymmetric Key Cryptosystem
An illustrative embodiment of the invention uses the asymmetric key cryptosystem known as "RSA" and taught by R.L. Rivest, A. Shamir, and L. Adleman in U.S. Patent No. 4,405,829, issued Sept. 20, 1983, and in "A Method of Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, Vol. 21, No. 2, 120-26 (Feb. 1978). An overview of RSA is given before the illustrative embodiment is presented.
2.2.1.1. An Overview of RSA
The public key $E_A$ for the RSA cryptosystem consists of a pair of natural numbers $\langle e, n \rangle$, where n is the product of two primes p and q, and e is relatively prime to $\varphi(n) = \varphi(p)\varphi(q) = (p-1)(q-1)$ where $\varphi(n)$ is the Euler Totient function. It is preferred that p and q be of the form $2p'+1$ and $2q'+1$, respectively, where $p'$ and $q'$ are primes. The private decryption key d is calculated such that $ed \equiv 1 \pmod{(p-1)(q-1)}$.
A message m is encrypted by calculating:
$c \equiv m^e \pmod{n}$;
the ciphertext c is decrypted by $m \equiv c^d \pmod{n}$.
2.2.1.1. An Illustrative Embodiment Using RSA
Fig. 3 presents the messages exchanged in an illustrative embodiment of the invention that uses the RSA asymmetric key cryptosystem. Referring to Fig. 3:
1. The message exchange begins when Alice 301 generates a random public key/private key pair, $E_A$ and $D_A$. $E_A$ comprises the numbers $\langle e, n \rangle$. Because n is a prime number it is distinguishable from a random number and must be sent in the clear. To encrypt e, Alice begins with the binary encoding of e and encrypts all of the bits comprising e except the least significant bit in a symmetric cryptosystem with password P. Alice sends P(e), n (msg. 309) to Bob as shown at 309.
2. Bob, knowing P, decrypts msg. 309 to obtain $P^{-1}(P(e)) = e$, generates a random secret key R, and encrypts it in the asymmetric key cryptosystem with key $E_A$ to produce $E_A(R)$. In other illustrative embodiments $E_A(R)$ may be encrypted with P, but in the preferred embodiment using RSA, it is not. Bob sends $E_A(R)$ (msg. 315) to Alice as shown at 315.
3. Upon receipt of msg. 315 Alice decrypts it to obtain R. Thereafter, R, or numbers derived from R, can be used as a session key. At this point a key validation technique, such as the challenge-response mechanism, may be implemented.

One caveat about sending n in the clear is worth noting; it exposes the password P to the risk of cryptanalysis. More precisely, when n is available to an attacker, it can be factored and then R would be disclosed and P would be exposed to attack.
2.2.2. An Illustrative Embodiment Using the El Gamal Asymmetric Key Cryptosystem
The El Gamal cryptosystem, T. El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, Vol. 31, 469-72 (July 1985), is used in an illustrative embodiment of the invention as shown in Fig. 4. Unlike the embodiment incorporating RSA, under certain circumstances, an embodiment incorporating the El Gamal cryptosystem must encrypt the second message, rather than the first.
2.2.2.2. An Overview of the El Gamal Asymmetric Key Cryptosystem
When Bob desires to send an encrypted message (e.g., the key R) to Alice, Bob must notify Alice that he desires to do so. When Alice agrees to receive the encrypted message Alice and Bob then agree on a common base $\alpha$ and modulus $\beta$. Alice then picks a random number $R_A$ in the interval $[0, \beta - 1]$ and computes $\alpha^{R_A} \pmod{\beta}$. Next Alice sends $\alpha^{R_A} \pmod{\beta}$ in the clear to Bob who also picks a random number $R_B$ in the interval $[0, \beta - 1]$ and computes
$c_1 \equiv \alpha^{R_B} \pmod{\beta}$,
$K \equiv (\alpha^{R_A} \pmod{\beta})^{R_B} \pmod{\beta} \equiv \alpha^{R_A R_B} \pmod{\beta}$
and
$c_2 \equiv R K \pmod{\beta}$.
The encrypted message that Bob sends to Alice consists of the pair $\langle c_1, c_2 \rangle$.
Alice, knowing $R_A$ and $\alpha^{R_B} \pmod{\beta}$, decrypts the message to recover R by calculating
$K \equiv (\alpha^{R_B} \pmod{\beta})^{R_A} \pmod{\beta} \equiv \alpha^{R_A R_B} \pmod{\beta}$
and then dividing $c_2$ by K.
2.2.2.3. An Illustrative Embodiment Using the El Gamal Cryptosystem
The messages exchanged in an illustrative embodiment of the invention that uses the El Gamal asymmetric key cryptosystem are presented in Fig. 4. Prior to the first message Alice and Bob are deemed to have agreed to values for base $\alpha$ and modulus $\beta$. Referring to Fig. 4:
1. Alice 401 generates a random number $R_A$ and computes $\alpha^{R_A} \pmod{\beta}$. Although Alice may encrypt $\alpha^{R_A} \pmod{\beta}$ it is not encrypted in the preferred embodiment. Alice sends $\alpha^{R_A} \pmod{\beta}$ (msg. 409) to Bob 403 as shown at 409. This message may include other information such as the identity of the sender.
2. When Bob receives msg. 409 he generates a random number $R_B$ such that $\alpha^{R_B} \pmod{\beta}$ is randomly selected from the interval $[0, \beta - 1]$. Bob also generates a random session key R and computes $R\alpha^{R_A R_B} \pmod{\beta}$. Bob sends $P(\alpha^{R_B} \pmod{\beta}, R\alpha^{R_A R_B} \pmod{\beta})$ (msg. 415) to Alice as shown at 415.
3. Alice, knowing P, recovers $\alpha^{R_A} \pmod{\beta}$ and consequently R. After receipt of msg. 415, one of the key validation techniques may be begun. Thereafter, R, numbers derived from R, or a number derived from a validation technique can be used as a session key.
20 2.5 Security Considerations 2.S.l Partition Attacks The principal constraint on any embodiment is that encryptions using P
must leak no information. For some cryptosystems this is difficult. For example, the public keys in RSA are always odd. When no special precautions are taken, an 2s attacker could rule out half of the c In(li~te values P' when P' (P(e)) is an even number. Upon first inspection, this is an ullilllpol ~nt reduction in the key space;
however, when left uncorrected, it can colllpl~ se the security of the embodiment.
As used in this description, the term "key space" is the range of possible cryptographic keys. When the key space is large an nn~lthorized cryptanalyst 30 attempts to "reduce the key space" or elimin~te impossible cryptographic keys. By the process of elimin~ion the cryptanalyst can, when given sufficient clues such as the one shown above, reduce the key space down to reveal the actual key.
Recall that each session uses a different public key, independent of all others previously used. Thus, trial decryptions resulting in illegal values of $e'$ exclude different values of $P'$ each time. In other words, each time a session key is negotiated an attacker can partition the remaining candidate key space into two approximately-equal halves. The keyspace is thus logarithmically reduced; comparatively few intercepted conversations will suffice to reject all invalid guesses at $P$. This attack is called a partition attack.
For some cryptosystems, a minimal partition may be acceptable. Consider a situation where integers modulo some prime $p$ must be encrypted with $P$. When $n$ bits are used to encode $p$, trial decryptions yielding values in the range $[p, 2^n - 1]$ can be used to partition the password space. However, when $p$ is close to $2^n$, perhaps even $2^n - 1$, few candidate passwords are excluded by each session. Consequently, $p$ equal to $2^n - 1$ is preferred while conversely values of $p$ far from $2^n - 1$ are not preferred.
Another danger comes from trying to encrypt a number with a cryptosystem that demands a blocksize larger than the number. The blocksize of a cryptosystem is the amount of plaintext that the cryptosystem can encrypt in a single encryption. The number should be padded with random data to bring the total string up to the blocksize of the cryptosystem.
Note that both problems may be eliminated in one operation. Again, assume that one is encrypting integers modulo $p$. Further assume that the desired input encryption block size is $m$ bits where $2^m > p$. Let
$$q = \left\lfloor \frac{2^m}{p} \right\rfloor$$
The value $q$ is the number of times $p$ fits into the encryption block size. Therefore choose a random value $j \in [0, q - 1]$ and add $jp$ to the input value using non-modulo arithmetic (when the input value is less than $2^m - qp$, use the interval $[0, q]$ instead). The recipient, knowing the modulus, recovers the decrypted value to the proper range by dividing the input plus $jp$ by $\beta$ and taking the remainder.
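The effect of this padding can be measured directly. The following added example (not code from the patent) encrypts values modulo a prime far from $2^m$ with and without the $jp$ padding and counts how many candidate passwords remain consistent with the observed ciphertexts. The 4-round Feistel cipher standing in for $P$, the candidate list, and all function names are assumptions made for the demonstration.

```python
import hashlib
import secrets


def _f(password: bytes, rnd: int, half: int, bits: int) -> int:
    """Feistel round function: a password-keyed hash truncated to `bits` bits."""
    data = password + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & ((1 << bits) - 1)


def toy_encrypt(password: bytes, block: int, m: int) -> int:
    """Toy stand-in for P(): a 4-round Feistel permutation on m-bit blocks (m even, m <= 64)."""
    h = m // 2
    left, right = block >> h, block & ((1 << h) - 1)
    for rnd in range(4):
        left, right = right, left ^ _f(password, rnd, right, h)
    return (left << h) | right


def toy_decrypt(password: bytes, block: int, m: int) -> int:
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    h = m // 2
    left, right = block >> h, block & ((1 << h) - 1)
    for rnd in reversed(range(4)):
        left, right = right ^ _f(password, rnd, left, h), left
    return (left << h) | right


def encode(value: int, p: int, m: int) -> int:
    """Add j*p (non-modular) so the result can land anywhere in the m-bit block."""
    q = (1 << m) // p                    # number of times p fits into the block
    spare = (1 << m) - q * p             # values below this also fit with j = q
    top = q if value < spare else q - 1  # interval [0, q] or [0, q - 1]
    return value + secrets.randbelow(top + 1) * p


def decode(block: int, p: int) -> int:
    """Recipient side: divide by the modulus and keep the remainder."""
    return block % p


def survivors(candidates, true_pw, p, m, sessions, padded):
    """Count candidate passwords still consistent after `sessions` observed messages."""
    alive = list(candidates)
    for _ in range(sessions):
        value = secrets.randbelow(p)     # fresh random value each session
        block = encode(value, p, m) if padded else value
        wire = toy_encrypt(true_pw, block, m)
        # Unpadded: a trial decryption >= p is illegal and excludes the candidate.
        # Padded: every m-bit block decodes to a legal value, so nothing is excluded.
        limit = (1 << m) if padded else p
        alive = [c for c in alive if toy_decrypt(c, wire, m) < limit]
    return len(alive)


M_BITS = 16
P_MOD = 32771                            # prime just above 2**15, far from 2**16
CANDIDATES = [b"guess-%d" % i for i in range(500)]   # constructed sample dictionary
TRUE_PW = CANDIDATES[123]

if __name__ == "__main__":
    for padded in (False, True):
        left = survivors(CANDIDATES, TRUE_PW, P_MOD, M_BITS, 40, padded)
        print(f"padded={padded}: {left} of {len(CANDIDATES)} candidates remain")
```

Without padding roughly half of the wrong candidates are excluded per session, so only the real password is left; with padding the ciphertexts exclude none of them.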
3. ILLUSTRATIVE EMBODIMENTS THAT USE PUBLIC KEY DISTRIBUTION SYSTEMS
An illustrative embodiment of the invention uses the public key distribution system known as "Diffie-Hellman" and taught by M.E. Hellman, W. Diffie and R.C. Merkle in U.S. Patent No. 4,200,770, April 29, 1980, and in W. Diffie and M.E. Hellman, "New Directions in Cryptography," I.E.E.E. Transactions on Info. Theory, Vol. 22, No. 6 (Nov. 1976).
3.1. An Overview of Diffie-Hellman
Diffie-Hellman is not a cryptosystem. It is, however, a mechanism for publicly generating a secure key (e.g., a session key) for a symmetric cryptosystem. Briefly, Alice and Bob each pick random exponents $R_A$ and $R_B$. Assuming they agree on a common base $\alpha$ and modulus $\beta$, Alice computes $\alpha^{R_A} \pmod{\beta}$ and Bob computes $\alpha^{R_B} \pmod{\beta}$. Each party transmits their computed quantity in the clear to the other party. Alice, knowing $R_A$ and $\alpha^{R_B} \pmod{\beta}$, computes
$$R \equiv \left(\alpha^{R_B} \pmod{\beta}\right)^{R_A} \pmod{\beta} \equiv \alpha^{R_A R_B} \pmod{\beta}.$$
Similarly, Bob, knowing $R_B$ and $\alpha^{R_A} \pmod{\beta}$, computes
$$R \equiv \left(\alpha^{R_A} \pmod{\beta}\right)^{R_B} \pmod{\beta} \equiv \alpha^{R_A R_B} \pmod{\beta}.$$
The quantity $R$ can then be used as the key in further communications between Alice and Bob. An intruder, knowing only $\alpha^{R_A} \pmod{\beta}$ and $\alpha^{R_B} \pmod{\beta}$, cannot perform the same calculation. It should be noted, however, that Diffie-Hellman does not provide authentication and is therefore vulnerable to active wiretaps.
3.2. An Illustrative Embodiment Using Diffie-Hellman
Fig. 5 presents the messages exchanged in an embodiment of the invention as used in connection with the Diffie-Hellman public key distribution system. Referring to Fig. 5:
1. Assuming that Alice 501 and Bob 503 agree on a common base $\alpha$ and modulus $\beta$, Alice generates a random number $R_A$ and computes $\alpha^{R_A} \pmod{\beta}$. $\alpha^{R_A} \pmod{\beta}$ is encrypted in a symmetric key cryptosystem with the password $P$ as the key and Alice sends
$$P(\alpha^{R_A} \pmod{\beta}) \quad \text{(msg.509)}$$
to Bob as shown at 509. Note that if $R_A$ is random, $\alpha^{R_A} \pmod{\beta}$ is random and guesses at $P$ will yield no useful information.
2. Similarly, Bob generates a random number $R_B$ and sends
$$P(\alpha^{R_B} \pmod{\beta}) \quad \text{(msg.515)}$$
to Alice as shown at 515. At this point both Alice and Bob know both $\alpha^{R_A} \pmod{\beta}$ and $\alpha^{R_B} \pmod{\beta}$ and can therefore calculate a session key as shown in Section 3.1. Additionally, one of the key validation techniques may be commenced once a common value is computed by both Alice and Bob.
3.3. Bilateral Versus Unilateral Encryption
Typically both messages of the Diffie-Hellman public key distribution system are not encrypted. Unilateral encryption, the encryption of a portion of at least one of the messages of the Diffie-Hellman public key distribution system, will assure privacy and authentication. Therefore, referring to Fig. 5 it is possible to omit the encryption of either one, but not both, of the messages in Fig. 5. For example, msg.509 can be replaced by
$$\alpha^{R_A} \pmod{\beta}$$
Alternatively msg.515 can be replaced by
$$\alpha^{R_B} \pmod{\beta}$$
That unilateral encryption preserves the security of the system means that one pair of encryptions and decryptions can be omitted. Since encryption and decryption can require substantial computing resources and time those resources can be omitted and time can be saved.
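The exchange of Sections 3.2 and 3.3, with both sides' messages, as an added example that is not code from the patent. It assumes $P$ is the XOR of the value with a hash-derived password mask (the simple option mentioned in Section 4.1) and uses toy parameters $\beta = 2039 = 2 \cdot 1019 + 1$ and $\alpha = 7$, chosen so that $\beta$ lies just below $2^{11}$; all function names are hypothetical.

```python
import hashlib
import secrets

BETA = 2039    # toy modulus (assumption): prime, 2*1019 + 1, just below 2**11
ALPHA = 7      # a primitive root of 2039 (toy value, assumption)
BITS = 11      # block width used for P()


def mask(password: bytes) -> int:
    """Derive an 11-bit mask from the shared password."""
    digest = hashlib.sha256(b"P:" + password).digest()
    return int.from_bytes(digest, "big") % (1 << BITS)


def P(password: bytes, value: int) -> int:
    """Toy symmetric cipher: XOR with the password mask (applying it twice decrypts)."""
    return value ^ mask(password)


def alice_start(password: bytes, encrypt: bool = True):
    """Step 1: pick R_A and build msg.509."""
    r_a = secrets.randbelow(BETA - 2) + 1            # exponent in [1, BETA - 2]
    public = pow(ALPHA, r_a, BETA)
    return r_a, (P(password, public) if encrypt else public)


def bob_respond(password: bytes, msg509: int, enc_509: bool = True, enc_515: bool = True):
    """Step 2: recover Alice's value, compute the session key, build msg.515."""
    r_b = secrets.randbelow(BETA - 2) + 1
    alice_public = P(password, msg509) if enc_509 else msg509
    session_key = pow(alice_public, r_b, BETA)       # alpha^(R_A * R_B) mod beta
    public = pow(ALPHA, r_b, BETA)
    return session_key, (P(password, public) if enc_515 else public)


def alice_finish(password: bytes, r_a: int, msg515: int, enc_515: bool = True) -> int:
    """Alice recovers Bob's value and computes the same session key."""
    bob_public = P(password, msg515) if enc_515 else msg515
    return pow(bob_public, r_a, BETA)


def run_exchange(pw_alice: bytes, pw_bob: bytes, enc_509: bool = True, enc_515: bool = True):
    """Run one exchange; returns (Alice's key, Bob's key)."""
    if not (enc_509 or enc_515):
        raise ValueError("either message may be sent in the clear, but not both")
    r_a, msg509 = alice_start(pw_alice, enc_509)
    key_bob, msg515 = bob_respond(pw_bob, msg509, enc_509, enc_515)
    key_alice = alice_finish(pw_alice, r_a, msg515, enc_515)
    return key_alice, key_bob


if __name__ == "__main__":
    for modes in ((True, True), (False, True), (True, False)):
        a, b = run_exchange(b"shared password", b"shared password", *modes)
        print(f"enc_509={modes[0]} enc_515={modes[1]} keys agree: {a == b}")
    a, b = run_exchange(b"shared password", b"wrong guess")
    print("mismatched passwords, keys agree:", a == b)
```

A party holding a different password decrypts to a different exponential and therefore arrives at a different key, which the key validation step would then expose.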
3.4 Choosing $\alpha$ and $\beta$
$\alpha$ and $\beta$ can be chosen from among different values, each of which choices reflects a tradeoff between cost and security. Although there are a number of possible choices for the modulus, large prime values of $\beta$ are more secure. Furthermore, it is desirable that $\alpha$ be a primitive root of the field $GF(\beta)$. When $\beta$ is chosen such that
$$\beta = 2p + 1$$
for some prime $p$, there are $(\beta - 1)/2 = p$ such values; hence, they are easy to find. Assume those restrictions in the discussion that follows.
It is somewhat problematic for Alice and Bob to agree to common values for $\alpha$ and $\beta$ without revealing information to an attacker. $P(\beta)$ cannot be transmitted because testing a random number for primality is too easy. In one embodiment, $\alpha$ and $\beta$ are fixed and made public. This embodiment has the advantage that there is no risk of information leakage or partition attacks. The disadvantage is that implementations become less flexible, as all parties must agree on such values. A further disadvantage to making $\beta$ public is that to maintain security, $\beta$ must be large which in turn makes the exponentiation operations expensive.
Some compromise in the length of the modulus is possible, however. Because in the embodiment the password $P$ is used to superencrypt such values, it is not possible to essay a discrete logarithm calculation except for all possible guesses of $P$. The goal then is to select a size for $\beta$ sufficient to make guessing attacks far too expensive. Using 200 bits, for which discrete logarithm solutions are estimated to take several minutes even after the tables are built, might suffice.
Another consideration inclines one towards larger moduli, however. When the user's password is compromised, recorded exponentials will be available to the attacker; these, when solved, will permit reading of old conversations. When a large modulus value is chosen, all such conversations would remain secure.
Size requirements for $\beta$ are derived from a desire to prevent calculations of discrete logarithms in the field $GF(\beta)$. The current best algorithms for such calculations require large amounts of precalculation. When a different $\beta$ is used each time, an attacker cannot build tables in advance; thus, a much smaller, and hence cheaper, modulus can be used. Therefore, in the preferred embodiment Alice generates random values of $\beta$ and $\alpha$, and transmits them in cleartext during the initial exchange. There is little security risk associated with an attacker knowing these values; the only problem would be with cut-and-paste attacks. And even this risk is minimal when Bob performs certain checks to guard against easily-solvable choices: that $\beta$ is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that $\beta - 1$ have at least one large prime factor, and that $\alpha$ is a primitive root of $GF(\beta)$. The latter two conditions are related; the factorization of $\beta - 1$ must be known in order to validate $\alpha$. When $\beta$ is of the form $kp + 1$, where $p$ is prime and $k$ a very small integer, both conditions are satisfied.
Thus far, nothing has been said about choosing $\alpha$. But when a suitable value of $\beta$ is chosen, $\alpha$ is chosen as a primitive root of $\beta$. There is no reason not to examine the integers starting with 2; the density of primitive roots guarantees that one will be found quite quickly.
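One way to implement the checks Bob performs on received parameters, together with the search for $\alpha$ starting at 2, as an added example (not code from the patent). It assumes Alice also announces the small cofactor $k$ so that $\beta - 1 = kp$ can be factored; the function names are hypothetical and `min_bits` is the caller's policy, not a value taken from the text.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2             # base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                             # a witnesses that n is composite
    return True


def prime_factors(k: int) -> set:
    """Prime factors of a very small integer k, by trial division."""
    factors, d = set(), 2
    while d * d <= k:
        while k % d == 0:
            factors.add(d)
            k //= d
        d += 1
    if k > 1:
        factors.add(k)
    return factors


def is_primitive_root(alpha: int, beta: int, factors: set) -> bool:
    """alpha generates GF(beta)* iff alpha^((beta-1)/f) != 1 for every prime f | beta-1."""
    return 1 < alpha < beta and all(pow(alpha, (beta - 1) // f, beta) != 1 for f in factors)


def check_parameters(alpha: int, beta: int, k: int, min_bits: int) -> list:
    """Return the list of failed checks; an empty list means the parameters are accepted."""
    problems = []
    if beta.bit_length() < min_bits:
        problems.append("beta is shorter than min_bits")
    if not is_probable_prime(beta):
        return problems + ["beta is not prime"]
    if k < 1 or (beta - 1) % k:
        return problems + ["beta - 1 is not a multiple of k"]
    p = (beta - 1) // k
    if not is_probable_prime(p):
        return problems + ["(beta - 1) / k is not prime"]
    if not is_primitive_root(alpha, beta, prime_factors(k) | {p}):
        problems.append("alpha is not a primitive root of GF(beta)")
    return problems


def find_primitive_root(beta: int, k: int) -> int:
    """Examine 2, 3, 4, ... in order; assumes beta = k*p + 1 has already been validated."""
    factors = prime_factors(k) | {(beta - 1) // k}
    return next(a for a in range(2, beta) if is_primitive_root(a, beta, factors))


if __name__ == "__main__":
    # Constructed toy values: 23 = 2*11 + 1 and 29 = 4*7 + 1.
    print(check_parameters(5, 23, k=2, min_bits=5))   # accepted
    print(check_parameters(2, 23, k=2, min_bits=5))   # 2 has order 11 mod 23
    print(find_primitive_root(23, k=2))
```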

4. THE CRYPTOSYSTEMS
4.1. Selecting a Symmetric Key Cryptosystem
Symmetric key encryption is used three times in various embodiments:
to encrypt the initial asymmetric key exchange, to trade challenges and responses, and to protect the ensuing application session. In general, the same symmetric key cryptosystem can be used at all three points.
In the initial exchange (e.g., msg.109 and msg.115), there are severe constraints on the plaintext. The messages advantageously should not use any other form of tagged data representation.
In all preferred embodiments, the original plaintext message should not contain any non-random padding to match the encryption blocksize, nor any form of error-detecting checksum. Protection against communications errors is typically provided by lower-layer protocols. While cipher block chaining or some similar scheme may be employed to tie together multiple blocks and hinder cryptanalytic attacks, such mechanisms are not typically important because the transmitted bits are random and hence cannot profitably be manipulated by an attacker. The challenge/response mechanism provides the necessary defense against such manipulation of the messages.
In one embodiment, the encryption algorithm may be as simple an operation as the bit-wise boolean XOR-ing of the password with the public key.
Similarly, the key validation messages typically do not need to be protected by a strong cipher system. However, it has been tacitly assumed that it is not feasible for an attacker to perform useful cut-and-paste operations on encrypted messages. For example, when it is said that Alice sends $R(challenge_A, challenge_B)$ to Bob, and that Bob replies with $R(challenge_A)$, one might conclude that the attacker could snip out $R(challenge_A)$ from the first message, and simply echo it in the second. In all preferred embodiments this advantageously should be prevented, of course. Thus, when necessary in the particular cryptosystem being used, standard techniques such as cipher block chaining should be employed. Cipher block chaining should prevent such "snip and echo" or "cut and paste" attacks. Alternatively, Alice and Bob could use $R$ to derive distinct subkeys $R_A$ and $R_B$, each used in only one direction. Other alternatives include employing message typing or adding message authentication codes; however, these may introduce redundancy undesirable in the face of a cryptanalytic attack. In such situations, the one-way functions mentioned in Section 2.1.2. may be preferable.
Finally, the use of $R$ in the ensuing login session must not reveal useful information about $R$. When the system is cryptanalyzed and when $R$ is recovered, the attacker can then mount a password-guessing attack on the message exchange. Furthermore, since this protocol is applicable to protecting arbitrary sessions between parties, it is best to be cautious, and examine the particular symmetric system under the assumption that the adversary may mount chosen-ciphertext attacks against the session. When there is any doubt, the separate data key exchange key embodiment is preferred.
4.2 Selecting a Public Key Distribution System
In principle, any public key distribution system can be used including Merkle's Puzzles, R.C. Merkle, "Secure Communications Over Insecure Channels," Communications of the ACM, Vol. 21, 294-99 (Apr. 1978). In practice, some systems may be ruled out on practical grounds. For example, a system that used many large primes might be infeasible in some applications. RSA uses at least two such primes; dynamic key generation might prove too complex and therefore too expensive for some hardware systems.
A second consideration is whether or not a particular system's public keys can be encoded as a random-seeming bit string. It has already been demonstrated how this can be an issue with RSA.
It is tempting to finesse the issue by instead transmitting the seed of the random number generator used to produce the public key. Unfortunately, that may not be applicable in many cases. Apart from the expense involved--both sides would have to go through the time-consuming process of generating the keys--the random seed will yield both the public and private keys. And that in turn would allow an attacker to validate a candidate password by retrieving the session key.
The option of transmitting the seed of a random number generator works with exponential key exchange. Since the prime modulus may be public anyway, there is nothing to be concealed. Unfortunately, the option necessitates both parties to go through the step of generating large prime numbers, albeit while saving on the size of the modulus required. The tradeoff may be worth reconsidering when very fast solutions to the discrete logarithm problem are found.

5. THE APPARATUS TO CARRY OUT THE MESSAGE EXCHANGE
Fig. 6 presents an illustrative embodiment of an apparatus which can carry out the message exchange described in Section 2. This embodiment can be easily modified by a person having ordinary skill in the art to perform any embodiment of the invention.


Alice 601 and Bob 603 are two computers, or other standard processing and communications stations or equipment, who share a secret P, which may be stored in a register or the like 600, and desire to establish a private and authenticated communication channel 629. The secret P is stored in a register or the like in both Alice and Bob. Alice comprises a transmitter 602, a receiver 612, a key validator 619 and a session communication unit 625. The transmitter 602 accepts as input the secret P. The transmitter 602 contains an asymmetric key generator 605 which generates a public key and a private key. The public key is passed to a symmetric key encryptor 607. The symmetric key encryptor 607 also accepts as input the secret P and encrypts the public key, or a portion thereof, with the secret P as the key to form an initiating message. The initiating message is passed from the symmetric key encryptor 607 to a communications channel 609 where it is transmitted to a receiver 610 in Bob.
The receiver 610 comprises a symmetric key decryptor 611. The symmetric key decryptor 611 accepts as input the initiating message and the secret P and decrypts the initiating message to recover the public key. The public key is passed to the transmitter 620. The transmitter 620 comprises a symmetric key encryptor 616, an asymmetric key encryptor 617 and a symmetric key generator 618. The symmetric key generator 618 generates a random symmetric key which is passed to the asymmetric key encryptor 617. The asymmetric key encryptor 617 also accepts as input the public key from the receiver 610 and encrypts the symmetric key with the public key to form an encrypted key. The encrypted key is passed to the symmetric key encryptor 616, which also accepts as input the secret P, where the encrypted key is further encrypted with the secret P to form a response message. The response message is passed from the symmetric key encryptor 616 to a communications channel 615 where it is transmitted to a receiver 612 in Alice.
The receiver 612 comprises a symmetric key decryptor 614 and an asymmetric key decryptor 613. The symmetric key decryptor 614 accepts as input the secret P and the response message, decrypts the response message to recover the encrypted key and passes it to the asymmetric key decryptor 613. The asymmetric key decryptor 613 also accepts as input the private key passed from the asymmetric key generator 605 and uses it to decrypt the encrypted key to recover the symmetric key. The symmetric key is passed from the asymmetric key decryptor 613 to the key validator 619. Analogously, in Bob, the key generator 618 passes the symmetric key to Bob's key validator 623. Alice's key generator 619 and Bob's key generator 623 communicate with each other via a communications channel 621 to validate the symmetric key. The purpose of validating the key is to assure that neither Alice nor Bob are being impersonated by an unauthorized eavesdropper who may have discovered the secret P.
Upon validation, Alice's key validator 619 passes the symmetric key to the session communication unit 625 which uses the key in further communications with Bob over communications channel 629. While the communications channels 609, 615, 621 and 629 are shown for simplicity of exposition as separate channels, it should be understood that in practice two or more of these channels may be the same physical channel suitably multiplexed in accordance with well known principles and practice. Analogously, Bob's key validator 623 passes the symmetric key to a session communication unit 627 which uses the key in further communications with Alice over communications channel 629.

6. APPLICATIONS
Embodiments of the invention can be used for secure public telephones.
When someone wishes to use a secure public telephone, some keying information will typically be provided. Conventional solutions require that the caller possess a physical key. Embodiments of the invention permit use of a short, keypad-entered password, but use a much longer session key for the call.
Embodiments of the present invention can be used with cellular telephones. Fraud has been a problem in the cellular industry; embodiments of the invention can defend against fraud (and ensure the privacy of the call) by rendering a telephone useless when a PIN or other key has not been entered. Since the PIN or other key is not stored within the telephone, it is not possible to retrieve one from a stolen unit.
Embodiments of the invention also provide a replacement for Rivest and Shamir's Interlock Protocol, R.L. Rivest and A. Shamir, "How to Expose an Eavesdropper," Communications of the ACM, Vol. 27, No. 4, 393-95 (1984).


Claims (13)

1. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
forming an excitation signal of a public key-distribution system based on a private first signal, $R_A$;
transmitting said excitation signal to a party;
receiving a response signal Q of a public key-distribution system in response to said excitation signal, said response signal containing further information that is essential for generating said cryptographic key; and
generating said cryptographic key based on said first signal and on said response signal;
CHARACTERIZED BY the step of:
encrypting at least a portion of said excitation signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.
2. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
forming an excitation signal of a public key-distribution system based on a private first signal, $R_A$;
transmitting said excitation signal;
receiving a response signal Q of a public key-distribution system from a party in response to said excitation signal, said response signal containing further information that is essential for generating said cryptographic key; and
generating said cryptographic key based on said first signal and on said response signal;
CHARACTERIZED BY the step of:
decrypting at least a portion of said response signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.
3. The method of claim 1 or 2 wherein said step of forming an excitation signal comprises the step of setting said excitation signal to $\alpha^{R_A} \bmod \beta$, where $\alpha$ and $\beta$ are numbers.
4. The method of claim 3 wherein said step of generating said cryptographic key comprises the step of setting said cryptographic key to $Q^{R_A} \bmod \beta$.
5. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
receiving an excitation signal S of a public key-distribution system from a party;
forming a response signal of a public key-distribution system based on a private first signal, $R_B$, said response signal containing further information that is essential for generating said cryptographic key;
transmitting said response signal; and
generating said cryptographic key based on said excitation signal and on said first signal;
CHARACTERIZED BY the step of:
decrypting said excitation signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.
6. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
receiving an excitation signal S of a public key-distribution system;
forming a response signal of a public key-distribution system based on a private first signal, $R_B$, said response signal containing further information that is essential for generating said cryptographic key;
transmitting said response signal to a party; and
generating said cryptographic key based on said excitation signal and on said first signal;
CHARACTERIZED BY the step of:
encrypting said response signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party.
7. The method of claim 5 or 6 wherein said step of forming a response signal comprises the step of setting said response signal to $\alpha^{R_B} \bmod \beta$, where $\alpha$ and $\beta$ are numbers.
8. The method of claim 7 wherein said step of generating said cryptographic key comprises the step of setting said cryptographic key to $S^{R_B} \bmod \beta$.
9. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
generating a public key and a private key to a public key cryptosystem;
transmitting said public key to a party;
receiving a response signal in response to said public key; and
decrypting said response signal with said private key;
CHARACTERIZED BY the step of:
encrypting at least a portion of said public key with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party before the step of generating public and private keys.
10. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
generating a public key and a private key to a public key cryptosystem;
transmitting said public key;
receiving a response signal from a party in response to said public key; and
decrypting said response signal with said private key;
CHARACTERIZED BY the step of:
decrypting at least a portion of said response signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party before the step of generating public and private keys.
11. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
receiving from a party a public key to a public key cryptosystem;
encrypting a response signal with said public key in accordance with said public key cryptosystem; and
transmitting said response signal;
CHARACTERIZED BY the step of:
decrypting at least a portion of said public key with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party before the step of receiving a public key.
12. A method for generating a cryptographic key to a first symmetric key cryptosystem, said method comprising the steps of:
receiving a public key to a public key cryptosystem;
encrypting a response signal with said public key in accordance with said public key cryptosystem; and
transmitting said response signal to a party;
CHARACTERIZED BY the step of:
encrypting at least a portion of said response signal with a second symmetric key cryptosystem using a key based on an authentication signal, said authentication signal being available to said party before the step of receiving a public key.
13. The method of claim 1, 2, 5, 6, 9, 10, 11, or 12 wherein said first symmetric key cryptosystem and said second symmetric key cryptosystem are identical.
CA002076252A 1991-10-02 1992-08-17 Cryptographic protocol for secure communications Expired - Lifetime CA2076252C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US07/770,064 US5241599A (en) 1991-10-02 1991-10-02 Cryptographic protocol for secure communications
US770,064 1991-10-02

Publications (2)

Publication Number Publication Date
CA2076252A1 CA2076252A1 (en) 1993-04-03
CA2076252C true CA2076252C (en) 1998-08-25

Family

ID=25087362

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002076252A Expired - Lifetime CA2076252C (en) 1991-10-02 1992-08-17 Cryptographic protocol for secure communications

Country Status (7)

Country Link
US (1) US5241599A (en)
EP (2) EP0535863B1 (en)
JP (1) JP2599871B2 (en)
AU (1) AU648433B2 (en)
CA (1) CA2076252C (en)
DE (2) DE69232369T2 (en)
NO (1) NO923740L (en)

US6311275B1 (en) 1998-08-03 2001-10-30 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US6502192B1 (en) 1998-09-03 2002-12-31 Cisco Technology, Inc. Security between client and server in a computer network
US6212561B1 (en) 1998-10-08 2001-04-03 Cisco Technology, Inc. Forced sequential access to specified domains in a computer network
US7215773B1 (en) * 1998-10-14 2007-05-08 Certicom Corp. Key validation scheme
US6178506B1 (en) * 1998-10-23 2001-01-23 Qualcomm Inc. Wireless subscription portability
US6263369B1 (en) 1998-10-30 2001-07-17 Cisco Technology, Inc. Distributed architecture allowing local user authentication and authorization
DE19850665A1 (en) * 1998-11-03 2000-05-04 Siemens Ag Method and arrangement for authentication of a first instance and a second instance
US6253327B1 (en) 1998-12-02 2001-06-26 Cisco Technology, Inc. Single step network logon based on point to point protocol
US6298383B1 (en) 1999-01-04 2001-10-02 Cisco Technology, Inc. Integration of authentication authorization and accounting service and proxy service
US7171000B1 (en) 1999-06-10 2007-01-30 Message Secure Corp. Simplified addressing for private communications
US7065210B1 (en) * 1999-01-25 2006-06-20 Murata Kikai Kabushiki Kaisha Secret key generation method, encryption method, cryptographic communications method, common key generator, cryptographic communications system, and recording media
MY131509A (en) * 1999-03-15 2007-08-30 Sony Corp Data processing method, apparatus and system for encrypted- data transfer
US6321095B1 (en) * 1999-03-26 2001-11-20 Sherman Gavette Wireless communications approach
US7249377B1 (en) * 1999-03-31 2007-07-24 International Business Machines Corporation Method for client delegation of security to a proxy
US7644439B2 (en) * 1999-05-03 2010-01-05 Cisco Technology, Inc. Timing attacks against user logon and network I/O
US6466977B1 (en) 1999-05-06 2002-10-15 Cisco Technology, Inc. Proxy on demand
US7499551B1 (en) * 1999-05-14 2009-03-03 Dell Products L.P. Public key infrastructure utilizing master key encryption
US20020101998A1 (en) * 1999-06-10 2002-08-01 Chee-Hong Wong Fast escrow delivery
US6988199B2 (en) 2000-07-07 2006-01-17 Message Secure Secure and reliable document delivery
US20020019932A1 (en) * 1999-06-10 2002-02-14 Eng-Whatt Toh Cryptographically secure network
US7707420B1 (en) 1999-06-23 2010-04-27 Research In Motion Limited Public key encryption with digital signature scheme
US6757825B1 (en) 1999-07-13 2004-06-29 Lucent Technologies Inc. Secure mutual network authentication protocol
DE19938198A1 (en) 1999-08-12 2001-03-01 Deutsche Telekom Ag Procedure for establishing a common key for a group of at least three participants
US6742126B1 (en) 1999-10-07 2004-05-25 Cisco Technology, Inc. Method and apparatus for identifying a data communications session
US7043553B2 (en) * 1999-10-07 2006-05-09 Cisco Technology, Inc. Method and apparatus for securing information access
US6918044B1 (en) 1999-10-15 2005-07-12 Cisco Technology, Inc. Password protection for high reliability computer systems
US6467049B1 (en) 1999-10-15 2002-10-15 Cisco Technology, Inc. Method and apparatus for configuration in multi processing engine computer systems
US6718467B1 (en) 1999-10-28 2004-04-06 Cisco Technology, Inc. Password based protocol for secure communications
TW548940B (en) * 1999-11-29 2003-08-21 Gen Instrument Corp Generation of a mathematically constrained key using a one-way function
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
US7765581B1 (en) 1999-12-10 2010-07-27 Oracle America, Inc. System and method for enabling scalable security in a virtual private network
US6977929B1 (en) 1999-12-10 2005-12-20 Sun Microsystems, Inc. Method and system for facilitating relocation of devices on a network
US6938169B1 (en) 1999-12-10 2005-08-30 Sun Microsystems, Inc. Channel-specific file system views in a private network using a public-network infrastructure
US6944765B1 (en) * 1999-12-21 2005-09-13 Qualcomm, Inc. Method of authentication anonymous users while reducing potential for “middleman” fraud
US6895434B1 (en) * 2000-01-03 2005-05-17 Cisco Technology, Inc. Sharing of NAS information between PoPs
KR100363253B1 (en) * 2000-01-07 2002-11-30 삼성전자 주식회사 Method for generating a secret key in communication and apparatus thereof
US7020778B1 (en) * 2000-01-21 2006-03-28 Sonera Smarttrust Oy Method for issuing an electronic identity
US6915272B1 (en) 2000-02-23 2005-07-05 Nokia Corporation System and method of secure payment and delivery of goods and services
US7359507B2 (en) 2000-03-10 2008-04-15 Rsa Security Inc. Server-assisted regeneration of a strong secret from a weak secret
US7716484B1 (en) * 2000-03-10 2010-05-11 Rsa Security Inc. System and method for increasing the security of encrypted secrets and authentication
US7047408B1 (en) 2000-03-17 2006-05-16 Lucent Technologies Inc. Secure mutual network authentication and key exchange protocol
WO2001076136A1 (en) * 2000-03-30 2001-10-11 Sanyo Electric Co., Ltd. Content data storage
US6910133B1 (en) 2000-04-11 2005-06-21 Cisco Technology, Inc. Reflected interrupt for hardware-based encryption
US7251728B2 (en) 2000-07-07 2007-07-31 Message Secure Corporation Secure and reliable document delivery using routing lists
US7412524B1 (en) 2000-07-27 2008-08-12 International Business Machines Corporation Method and system for authentication when certification authority public and private keys expire
US7373507B2 (en) * 2000-08-10 2008-05-13 Plethora Technology, Inc. System and method for establishing secure communication
EP1325586A2 (en) 2000-10-05 2003-07-09 Certicom Corp. A method for providing information security for wireless transmissions
US20020048372A1 (en) * 2000-10-19 2002-04-25 Eng-Whatt Toh Universal signature object for digital data
JP2004513585A (en) * 2000-10-20 2004-04-30 ウェイヴ システムズ コーポレイション System and method for managing trust between client and server
US7149310B2 (en) * 2000-12-19 2006-12-12 Tricipher, Inc. Method and system for authorizing generation of asymmetric crypto-keys
US7076656B2 (en) * 2001-04-05 2006-07-11 Lucent Technologies Inc. Methods and apparatus for providing efficient password-authenticated key exchange
US6981144B2 (en) * 2001-04-06 2005-12-27 International Business Machines Corporation System console device authentication in a network environment
US7516325B2 (en) 2001-04-06 2009-04-07 Certicom Corp. Device authentication in a PKI
US20020154635A1 (en) * 2001-04-23 2002-10-24 Sun Microsystems, Inc. System and method for extending private networks onto public infrastructure using supernets
US7975139B2 (en) * 2001-05-01 2011-07-05 Vasco Data Security, Inc. Use and generation of a session key in a secure socket layer connection
FI114062B (en) 2001-06-08 2004-07-30 Nokia Corp Method for ensuring the security of the communication, the communication system and the communication device
US7424615B1 (en) * 2001-07-30 2008-09-09 Apple Inc. Mutually authenticated secure key exchange (MASKE)
US7136484B1 (en) * 2001-10-01 2006-11-14 Silicon Image, Inc. Cryptosystems using commuting pairs in a monoid
US7688975B2 (en) * 2001-10-26 2010-03-30 Authenex, Inc. Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US7203317B2 (en) * 2001-10-31 2007-04-10 Hewlett-Packard Development Company, L.P. System for enabling lazy-revocation through recursive key generation
US7243853B1 (en) 2001-12-04 2007-07-17 Visa U.S.A. Inc. Method and system for facilitating memory and application management on a secured token
US7194765B2 (en) * 2002-06-12 2007-03-20 Telefonaktiebolaget Lm Ericsson (Publ) Challenge-response user authentication
US7370111B2 (en) * 2002-03-27 2008-05-06 Intel Corporation System, protocol and related methods for providing secure manageability
US20030204724A1 (en) * 2002-04-30 2003-10-30 Microsoft Corporation Methods for remotely changing a communications password
JP2003348070A (en) * 2002-05-29 2003-12-05 Hitachi Ltd Secured communication method and node device used for same
FR2841070B1 (en) * 2002-06-17 2005-02-04 Cryptolog INTERFACE METHOD AND DEVICE FOR PROTECTED EXCHANGING ONLINE CONTENT DATA
US7142674B2 (en) * 2002-06-18 2006-11-28 Intel Corporation Method of confirming a secure key exchange
KR100888472B1 (en) * 2002-07-06 2009-03-12 삼성전자주식회사 Cryptographic method using dual encryption keys and wireless local area network system therefor
EP2270700A1 (en) * 2002-07-26 2011-01-05 Koninklijke Philips Electronics N.V. Secure authenticated distance measurement
US7191344B2 (en) * 2002-08-08 2007-03-13 Authenex, Inc. Method and system for controlling access to data stored on a data storage device
US20040059914A1 (en) * 2002-09-12 2004-03-25 Broadcom Corporation Using signal-generated location information to identify and authenticate available devices
US20040139021A1 (en) 2002-10-07 2004-07-15 Visa International Service Association Method and system for facilitating data access and management on a secure token
GB2397676A (en) * 2003-01-23 2004-07-28 Sema Uk Ltd Privacy enhanced system using fact assertion language
GB2397677A (en) * 2003-01-23 2004-07-28 Sema Uk Ltd Customer identification using an identification key that is unique to a customer and an organization
GB2397678A (en) * 2003-01-23 2004-07-28 Sema Uk Ltd A secure terminal for use with a smart card based loyalty scheme
US20040168081A1 (en) * 2003-02-20 2004-08-26 Microsoft Corporation Apparatus and method simplifying an encrypted network
KR100520116B1 (en) * 2003-05-16 2005-10-10 삼성전자주식회사 A method for discributing the key to mutual nodes to code a key on mobile ad-hoc network and network device using thereof
US6975092B2 (en) * 2003-07-03 2005-12-13 Dell Products L.P. Encrypted response smart battery
US7581100B2 (en) * 2003-09-02 2009-08-25 Authernative, Inc. Key generation method for communication session encryption and authentication system
US7506161B2 (en) * 2003-09-02 2009-03-17 Authernative, Inc. Communication session encryption and authentication system
US7299356B2 (en) * 2003-09-02 2007-11-20 Authernative, Inc. Key conversion method for communication session encryption and authentication system
US7596704B2 (en) * 2003-10-10 2009-09-29 Jing-Jang Hwang Partition and recovery of a verifiable digital secret
US20050157874A1 (en) * 2003-12-01 2005-07-21 The Regents Of The University Of California Cryptography for secure dynamic group communications
US8031865B2 (en) * 2004-01-08 2011-10-04 Encryption Solutions, Inc. Multiple level security system and method for encrypting data within documents
US7526643B2 (en) * 2004-01-08 2009-04-28 Encryption Solutions, Inc. System for transmitting encrypted data
US7752453B2 (en) 2004-01-08 2010-07-06 Encryption Solutions, Inc. Method of encrypting and transmitting data and system for transmitting encrypted data
US7660993B2 (en) * 2004-03-22 2010-02-09 Microsoft Corporation Cryptographic puzzle cancellation service for deterring bulk electronic mail messages
CN100563153C (en) * 2004-04-07 2009-11-25 华为技术有限公司 A kind of in end-to-end wireless encryption communication system the user register the method for authentication
US20050273609A1 (en) * 2004-06-04 2005-12-08 Nokia Corporation Setting up a short-range wireless data transmission connection between devices
DE102004032057A1 (en) * 2004-07-01 2006-01-26 Francotyp-Postalia Ag & Co. Kg Method and device for generating a secret session key
US7886345B2 (en) * 2004-07-02 2011-02-08 Emc Corporation Password-protection module
US7660419B1 (en) * 2004-08-13 2010-02-09 Texas Instruments Incorporated System and method for security association between communication devices within a wireless personal and local area network
WO2006064410A1 (en) * 2004-12-17 2006-06-22 Koninklijke Philips Electronics N.V. Method and device for securing handover between wwan and wlan
JP4768637B2 (en) * 2005-01-21 2011-09-07 三菱電機株式会社 Key storage device, key storage method, and program
US7814320B2 (en) * 2005-07-19 2010-10-12 Ntt Docomo, Inc. Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
US7783041B2 (en) 2005-10-03 2010-08-24 Nokia Corporation System, method and computer program product for authenticating a data agreement between network entities
US8874477B2 (en) 2005-10-04 2014-10-28 Steven Mark Hoffberg Multifactorial optimization system and method
US20070136587A1 (en) * 2005-12-08 2007-06-14 Freescale Semiconductor, Inc. Method for device authentication
DE102006000930A1 (en) * 2006-01-05 2007-07-12 Infineon Technologies Ag Memory device, memory devices, methods for moving data from a first memory device to a second memory device and computer program elements
EP1873960B1 (en) * 2006-06-29 2013-06-05 Incard SA Method for session key derivation in a IC card
US8345871B2 (en) * 2007-03-15 2013-01-01 Palo Alto Research Center Incorporated Fast authentication over slow channels
US20080285628A1 (en) * 2007-05-17 2008-11-20 Gizis Alexander C Communications systems and methods for remotely controlled vehicles
US8060750B2 (en) * 2007-06-29 2011-11-15 Emc Corporation Secure seed provisioning
US20090031139A1 (en) * 2007-07-27 2009-01-29 Mohammed Alawi Geoffrey System and Method for Electronic Certification and Authentification
KR101009871B1 (en) * 2007-08-09 2011-01-19 한국과학기술원 Authentication method in a communication system
JP4995667B2 (en) * 2007-08-28 2012-08-08 富士通株式会社 Information processing apparatus, server apparatus, information processing program, and method
US8059814B1 (en) 2007-09-28 2011-11-15 Emc Corporation Techniques for carrying out seed or key derivation
DE102007000587A1 (en) * 2007-10-29 2009-04-30 Bundesdruckerei Gmbh Method for activating a chip card function by means of remote verification
DE102007000589B9 (en) * 2007-10-29 2010-01-28 Bundesdruckerei Gmbh Method for protecting a chip card against unauthorized use, chip card and chip card terminal
US20090119475A1 (en) * 2007-11-01 2009-05-07 Microsoft Corporation Time based priority modulus for security challenges
DE102008000348B4 (en) 2008-02-19 2011-04-07 Compugroup Holding Ag Method for signing a medical data object
US8307210B1 (en) 2008-05-02 2012-11-06 Emc Corporation Method and apparatus for secure validation of tokens
US7522723B1 (en) 2008-05-29 2009-04-21 Cheman Shaik Password self encryption method and system and encryption by keys generated from personal secret information
JP2009296190A (en) * 2008-06-04 2009-12-17 Panasonic Corp Confidential communication method
JP5390844B2 (en) * 2008-12-05 2014-01-15 パナソニック株式会社 Key distribution system and key distribution method
DE102009000404A1 (en) 2009-01-26 2010-07-29 Bundesdruckerei Gmbh Method for activating a chip card function, reader for a chip card and chip card
DE102009000408A1 (en) 2009-01-26 2010-09-16 Bundesdruckerei Gmbh Reader for a chip card and computer system
US20100199095A1 (en) * 2009-01-30 2010-08-05 Texas Instruments Inc. Password-Authenticated Association Based on Public Key Scrambling
US8510558B2 (en) 2009-02-17 2013-08-13 Alcatel Lucent Identity based authenticated key agreement protocol
DE102009042284A1 (en) * 2009-09-22 2011-03-31 Giesecke & Devrient Gmbh Method for establishing a secure communication channel
JPWO2011040023A1 (en) * 2009-09-29 2013-02-21 パナソニック株式会社 Encryption device, decryption device, encryption method, decryption method, and encryption / decryption system
EP2437194A1 (en) * 2010-10-01 2012-04-04 Nagravision S.A. System and method to prevent manipulation of video data transmitted on an HDMI link.
US8656484B2 (en) 2010-12-28 2014-02-18 Authernative, Inc. System and method for mutually authenticated cryptographic key exchange using matrices
US8621227B2 (en) 2010-12-28 2013-12-31 Authernative, Inc. System and method for cryptographic key exchange using matrices
DE102011079441A1 (en) 2011-07-19 2013-01-24 Bundesdruckerei Gmbh Method for protecting a chip card terminal against unauthorized use
NL1039066C2 (en) * 2011-09-23 2013-05-06 Anna Maria Johanna Vreede INTERNET TRANSACTION SECURITY.
US9203610B2 (en) * 2011-12-13 2015-12-01 Zyad Azzouz Systems and methods for secure peer-to-peer communications
US8799675B2 (en) 2012-01-05 2014-08-05 House Of Development Llc System and method for electronic certification and authentication of data
US8494165B1 (en) * 2012-01-18 2013-07-23 Square, Inc. Secure communications between devices using a trusted server
JP5981761B2 (en) * 2012-05-01 2016-08-31 キヤノン株式会社 Communication device, control method, program
US8868919B2 (en) 2012-10-23 2014-10-21 Authernative, Inc. Authentication method of field contents based challenge and enumerated pattern of field positions based response in random partial digitized path recognition system
US8955074B2 (en) 2012-10-23 2015-02-10 Authernative, Inc. Authentication method of enumerated pattern of field positions based challenge and enumerated pattern of field positions based response through interaction between two credentials in random partial digitized path recognition system
US9215072B1 (en) 2012-10-23 2015-12-15 Authernative, Inc. Back-end matching method supporting front-end knowledge-based probabilistic authentication systems for enhanced credential security
US8887260B2 (en) 2012-10-25 2014-11-11 Facebook, Inc. Token-based access control
DE102013203257A1 (en) 2013-02-27 2014-08-28 Bundesdruckerei Gmbh Reading an attribute from an ID token
US9690931B1 (en) 2013-03-11 2017-06-27 Facebook, Inc. Database attack detection tool
CN103879157B (en) * 2014-01-20 2016-10-05 珠海艾派克微电子有限公司 Parameter sending method, storage chip and the imaging cartridge of imaging cartridge storage chip
CN104980928B (en) 2014-04-03 2018-12-07 华为终端(东莞)有限公司 It is a kind of for establishing the method, equipment and system of secure connection
US9628273B2 (en) * 2014-04-30 2017-04-18 Thamir Alshammari Cryptographic method and system for secure authentication and key exchange
US8990121B1 (en) 2014-05-08 2015-03-24 Square, Inc. Establishment of a secure session between a card reader and a mobile device
US10438187B2 (en) 2014-05-08 2019-10-08 Square, Inc. Establishment of a secure session between a card reader and a mobile device
US9703979B1 (en) * 2014-06-13 2017-07-11 BicDroid Inc. Methods and computer program products for encryption key generation and management
GB201414302D0 (en) * 2014-08-12 2014-09-24 Jewel Aviat And Technology Ltd Data security system and method
US9130744B1 (en) 2014-09-22 2015-09-08 Envelope, Llc Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
DE102015200313A1 (en) 2015-01-13 2016-07-14 Bundesdruckerei Gmbh Method for reading attributes from an ID token
DE102015017060A1 (en) 2015-01-13 2016-07-14 Bundesdruckerei Gmbh Method for reading attributes from an ID token
DE102015017061A1 (en) 2015-01-13 2016-07-28 Bundesdruckerei Gmbh Method for reading attributes from an ID token
DE102015204828A1 (en) 2015-03-17 2016-09-22 Bundesdruckerei Gmbh A method for generating a certificate for a security token
DE102015207064A1 (en) 2015-04-17 2016-10-20 Bundesdruckerei Gmbh Electronic system for generating a certificate
DE102015207690A1 (en) 2015-04-27 2016-10-27 Bundesdruckerei Gmbh ID token, system and method for generating an electronic signature
DE102015209073B4 (en) 2015-05-18 2019-02-07 Bundesdruckerei Gmbh Method for reading attributes from an ID token
DE102015214340A1 (en) 2015-07-29 2017-02-02 Bundesdruckerei Gmbh Lock service for a certificate generated by an ID token
US11593780B1 (en) 2015-12-10 2023-02-28 Block, Inc. Creation and validation of a secure list of security certificates
DE102016208040A1 (en) 2016-05-10 2017-11-16 Bundesdruckerei Gmbh Method for reading attributes from an ID token
DE102016208038A1 (en) 2016-05-10 2017-11-16 Bundesdruckerei Gmbh Method for reading attributes from an ID token
US10104055B2 (en) * 2016-05-27 2018-10-16 David Joseph Ponder System and process of protecting client side information in electronic transactions
US10803461B2 (en) 2016-09-30 2020-10-13 Square, Inc. Fraud detection in portable payment readers
US9940612B1 (en) 2016-09-30 2018-04-10 Square, Inc. Fraud detection in portable payment readers
DE102016222170A1 (en) 2016-11-11 2018-05-17 Bundesdruckerei Gmbh Method for reading attributes from an ID token
WO2018170341A1 (en) 2017-03-15 2018-09-20 NuID, Inc. Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
WO2018229129A1 (en) * 2017-06-15 2018-12-20 Gambro Lundia Ab A dialysis machine, external medical equipment and methods for establishing secure communication between a dialysis machine and external medical equipment
EP4271018A3 (en) * 2017-06-15 2024-02-14 Baxter Healthcare Sa A dialysis machine, external medical equipment and methods for establishing secure communication between a dialysis machine and external medical equipment
US10990687B2 (en) * 2017-08-01 2021-04-27 Dell Products L.P. System and method for user managed encryption recovery using blockchain for data at rest
WO2020120742A1 (en) * 2018-12-14 2020-06-18 Gambro Lundia Ab Pairing a dialysis machine and external medical equipment and methods for establishing secure communication between a dialysis machine and external medical equipment
US20200304306A1 (en) * 2018-12-21 2020-09-24 01 Communique Laboratory Inc. Cryptographic System and Method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4193131A (en) * 1977-12-05 1980-03-11 International Business Machines Corporation Cryptographic verification of operational keys used in communication networks
SE7714587L (en) * 1977-12-21 1979-06-22 Brendstrom Hugo COMMUNICATION SYSTEM
DE3003998A1 (en) * 1980-02-04 1981-09-24 Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt DATA ENCRYPTION AND DECRYLING SYSTEM
DE3870558D1 (en) * 1987-09-04 1992-06-04 Ascom Radiocom Ag METHOD FOR PRODUCING AND DISTRIBUTING SECRET KEYS.
JPH0334640A (en) * 1989-06-30 1991-02-14 Kokusai Denshin Denwa Co Ltd <Kdd> Method and device for confidential facsimile communication
JP3114991B2 (en) * 1990-11-30 2000-12-04 株式会社東芝 Data communication system
US5241599A (en) 1991-10-02 1993-08-31 At&T Bell Laboratories Cryptographic protocol for secure communications

Also Published As

Publication number Publication date
EP1104959B1 (en) 2006-04-05
EP1104959A3 (en) 2003-06-04
EP0535863B1 (en) 2002-01-23
DE69233613T2 (en) 2007-04-05
JP2599871B2 (en) 1997-04-16
DE69232369D1 (en) 2002-03-14
JPH06169306A (en) 1994-06-14
DE69233613D1 (en) 2006-05-18
NO923740L (en) 1993-04-05
AU2351392A (en) 1993-04-08
NO923740D0 (en) 1992-09-25
AU648433B2 (en) 1994-04-21
US5241599A (en) 1993-08-31
EP0535863A3 (en) 1993-12-22
EP0535863A2 (en) 1993-04-07
CA2076252A1 (en) 1993-04-03
EP1104959A2 (en) 2001-06-06
DE69232369T2 (en) 2003-01-23

Similar Documents

Publication Publication Date Title
CA2076252C (en) Cryptographic protocol for secure communications
US5124117A (en) Cryptographic key distribution method and system
Tatebayashi et al. Key distribution protocol for digital mobile communication systems
Jablon Strong password-only authenticated key exchange
Patel Number theoretic attacks on secure password schemes
US5136642A (en) Cryptographic communication method and cryptographic communication device
Steiner et al. Refinement and extension of encrypted key exchange
US5406628A (en) Public key authentication and key agreement for low-cost terminals
US5515441A (en) Secure communication method and apparatus
US5313521A (en) Key distribution protocol for file transfer in the local area network
US5222140A (en) Cryptographic method for key agreement and user authentication
US5796833A (en) Public key sterilization
US4956863A (en) Cryptographic method and apparatus for public key exchange with authentication
US5588061A (en) System and method for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem
US6047072A (en) Method for secure key distribution over a nonsecure communications network
KR20110076992A (en) Method and system for deriving an encryption key using joint randomness not shared by others
US9130744B1 (en) Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary
Bellovin et al. An attack on the interlock protocol when used for authentication
Boyd Modern data encryption
Chalkias et al. Two types of key-compromise impersonation attacks against one-pass key establishment protocols
JPH07175411A (en) Cipher system
Tseng et al. An efficient anonymous key agreement protocol based on chaotic maps
Zhu et al. A secure non-interactive chaotic maps-based deniable authentication scheme with privacy protection in standard model
Fionov et al. Eliminating Broadband Covert Channels in DSA-Like Signatures
Lin Integrated authentications based on identities

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry