
2003 | Book

Protocols for Authentication and Key Establishment

Authors: Colin Boyd, Anish Mathuria

Publisher: Springer Berlin Heidelberg

Book Series: Information Security and Cryptography

About this book

Protocols for authentication and key establishment are the foundation for security of communications. The range and diversity of these protocols is immense, while the properties and vulnerabilities of different protocols can vary greatly.
This is the first comprehensive and integrated treatment of these protocols. It allows researchers and practitioners to quickly access a protocol for their needs and become aware of existing protocols which have been broken in the literature.
As well as a clear and uniform presentation of the protocols this book includes a description of all the main attack types and classifies most protocols in terms of their properties and resource requirements. It also includes tutorial material suitable for graduate students.

Table of Contents

Frontmatter
1. A Tutorial Introduction to Authentication and Key Establishment
Abstract
The newcomer to the subject of cryptographic protocols for authentication and key management is likely to be bemused by the sheer variety of techniques and technical background required. But even before this stage is reached a more fundamental question needs to be faced. What are these protocols there for at all? To answer this question it is necessary to provide an understanding of what sets cryptographic protocols apart from other types of protocols. Above all, what are the ‘rules of the game’ when designing or attacking a protocol, and why are techniques for design and analysis of ordinary (non-cryptographic) protocols not sufficient? This chapter provides necessary background material for those readers who are not already familiar with the topic of cryptographic protocols.
Colin Boyd, Anish Mathuria
2. Goals for Authentication and Key Establishment
Abstract
Any attack on a protocol is only valid if it violates some property that the protocol was intended to achieve. In other words all attacks must be considered relative to the protocol goals. Experience has proven that many protocol problems result when designers are unclear about the protocol goals they are trying to achieve. This in turn leads to disputes about whether protocol attacks are valid, since designers may regard the goals differently from analysers. Gollmann [118] has recognised that it is a difficult matter to decide exactly what is meant by commonly used words such as ‘authentication’; even though everyone has a general idea of the meaning of such a word, the actual interpretation may vary with the protocol. It turns out that although most authors can agree on general definitions, their ideas diverge when precision is required.
Colin Boyd, Anish Mathuria
3. Protocols Using Shared Key Cryptography
Abstract
The majority of protocols for key establishment and entity authentication that have been proposed in the literature concentrate on the case where there are exactly two users who wish to communicate or establish a session key. This is commonly referred to as the two-party case. In this chapter we discuss two-party key establishment and authentication protocols based on symmetric algorithms. The next chapter discusses two-party protocols using public key algorithms, while the multi-party case is covered in Chap. 6.
Colin Boyd, Anish Mathuria
4. Authentication and Key Transport Using Public Key Cryptography
Abstract
It is generally regarded that there are two main potential advantages of public key techniques over symmetric cryptography. The first is that public key systems allow the straightforward definition of digital signatures, thereby enabling the service of non-repudiation which is so useful in commercial applications. The second is the simplification of key management, because there is no requirement for the on-line third party that is part of typical protocols based on symmetric cryptography. The first of these advantages is not really our concern in this book since non-repudiation is of limited value in authentication and key establishment. However, the second advantage has led to a great variety of new key establishment protocols since the invention of public key cryptography. In the modern distributed communications environments exemplified by the Internet, public-key-based protocols have become far more important than protocols based on symmetric cryptography.
Colin Boyd, Anish Mathuria
5. Key Agreement Protocols
Abstract
Key agreement, as the name implies, is a process in which principals cooperate in order to establish a session key. Amongst the class of public key protocols for key establishment without a server, key agreement has become much more popular than key transport in recent years. There is an intuitive feeling that key agreement is ‘fairer’ than key transport and can result in higher quality random keys than key transport. In addition, by basing key agreement on the Diffie-Hellman protocol, forward secrecy can often be achieved. We will consider these points further below. Notice that key agreement does not have to use public key cryptography but most examples do so. In this chapter we look only at key agreement based on public key cryptography; some examples of key agreement using symmetric cryptography are discussed in Chap. 3.
Colin Boyd, Anish Mathuria
6. Conference Key Protocols
Abstract
As electronic communications and information services become more sophisticated, many applications involving multiple entities become necessary. Since these applications will generally require secure communications it is necessary to design protocols that establish keys for groups of principals. There is a great variety of different practical requirements that may be appropriate in different applications, and the number of protocols is very large. In this chapter we will mainly restrict attention to ways in which the two-party protocols that have been explored in previous chapters can be generalised to the multi-party situation.
Colin Boyd, Anish Mathuria
7. Password-Based Protocols
Abstract
Cryptographic authentication relies on possession of a key by the party to be authenticated. Such a key is usually chosen randomly within its domain and can be of lengths from around 100 bits up to many thousands of bits, depending on the algorithm used and security level desired. Experience has shown [109, 333] that humans find it difficult to remember secrets in the form of passwords of even seven or eight characters. But if all upper and lower case letters are used together with the digits 0 to 9 then a random eight-character password represents less than 48 bits of randomness. Therefore we can conclude that even short random keys for cryptographic algorithms cannot be reliably remembered by humans. Another way to express this is that it can be assumed that a computer is able to search through all possible passwords in a short time.
Colin Boyd, Anish Mathuria
Backmatter
Metadata
Title: Protocols for Authentication and Key Establishment
Authors: Colin Boyd, Anish Mathuria
Copyright Year: 2003
Publisher: Springer Berlin Heidelberg
Electronic ISBN: 978-3-662-09527-0
Print ISBN: 978-3-642-07716-6
DOI: https://doi.org/10.1007/978-3-662-09527-0