Key transport using PK encryption without signatures

One-pass key transport by public-key encryption

One-pass protocols are appropriate for one-way communications and store-and-forward applications such as electronic mail and fax. Basic key transport using public-key encryption can be achieved in a one-pass protocol, assuming the originator A possesses a priori an authentic copy of the encryption public key of the intended recipient B. Using B’s public encryption key, A encrypts a randomly generated key $k$, and sends the result $P_B(k)$ to B. Public-key encryption schemes $P_B$ of practical interest here include RSA encryption, Rabin encryption, and ElGamal encryption (see Chapter 8).

The originator A obtains no entity authentication of the intended recipient B (and indeed, does not know if B even receives the message), but is assured of implicit key authentication - no one aside from B could possibly recover the key. On the other hand, B has no assurances regarding the source of the key, which remains true even in the case $A \to B : P_B(k, A)$. A timeliness guarantee may be provided using timestamps, for example, $A \to B : P_B(k, T_A)$. This is necessary if security against known-key attacks is required, as this technique is otherwise vulnerable to message replay (cf. Remark 12.18).

Maintaining the restriction of using public-key encryption alone (i.e., without signatures), assurances in addition to unilateral key authentication, namely, mutual entity authentication, and mutual key authentication, may be obtained through additional messages as illustrated by Protocol 12.38 below.

Needham-Schroeder public-key protocol

The Needham-Schroeder public-key protocol provides mutual entity authentication and mutual key transport (A and B each transfer a symmetric key to the other). The transported keys may serve both as nonces for entity authentication and secret keys for further use. Combination of the resulting shared keys allows computation of a joint key to which both parties contribute.

12.38 Protocol Needham-Schroeder public-key protocol

SUMMARY: A and B exchange 3 messages.

RESULT: entity authentication, key authentication, and key transport (all mutual).

  • 1. Notation. $P_X(Y)$ denotes public-key encryption (e.g., RSA) of data $Y$ using party $X$’s public key; $P_X(Y_1, Y_2)$ denotes the encryption of the concatenation of $Y_1$ and $Y_2$. $k_1$, $k_2$ are secret symmetric session keys chosen by A, B, respectively.
  • 2. One-time setup. Assume A, B possess each other’s authentic public key. (If this is not the case, but each party has a certificate carrying its own public key, then one additional message is required for certificate transport.)
  • 3. Protocol messages.

  • 4. Protocol actions.
  • (a) A sends B message (1).
  • (b) B recovers $k_1$ upon receiving message (1), and returns to A message (2).
  • (c) Upon decrypting message (2), A checks the key $k_1$ recovered agrees with that sent in message (1). (Provided $k_1$ has never been previously used, this gives A both entity authentication of B and assurance that B knows this key.) A sends B message (3).
  • (d) Upon decrypting message (3), B checks the key $k_2$ recovered agrees with that sent in message (2). The session key may be computed as $f(k_1, k_2)$ using an appropriate publicly known non-reversible function $f$.
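The exchange of Protocol 12.38 with both parties' checks, as an added Python example that is not part of the original text. The message list is not reproduced on this page, so the layouts (1) P_B(k1, A), (2) P_A(k1, k2), (3) P_B(k2) are assumptions consistent with the protocol actions above. Unpadded textbook RSA over fixed Mersenne primes, 8-byte fields, SHA-256 as f, and all function names are likewise assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

def keypair(p, q, e=65537):
    """Textbook RSA from fixed primes: assumed stand-in for P_X, not secure."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def P(pub, *fields):
    """P_X(Y1, Y2, ...): encrypt the concatenation of 8-byte fields."""
    n, e = pub
    m = int.from_bytes(b"\x01" + b"".join(fields), "big")  # 0x01 keeps leading zeros
    if m >= n:
        raise ValueError("message too long for modulus")
    return pow(m, e, n)

def D(priv, c, count):
    """Decrypt with X's private key and split into `count` 8-byte fields."""
    n, d = priv
    m = pow(c, d, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if len(raw) != 1 + 8 * count or raw[0] != 1:
        raise ValueError("malformed plaintext")
    return [raw[1 + 8 * i: 9 + 8 * i] for i in range(count)]

def f(k1, k2):  # publicly known one-way function; SHA-256 is an assumption
    return hashlib.sha256(k1 + k2).digest()

def run_protocol(a_pub, a_priv, b_pub, b_priv, b_echoes_k1=True):
    # (a) A picks a fresh k1 and sends message (1), assumed to be P_B(k1, A).
    k1 = secrets.token_bytes(8)
    msg1 = P(b_pub, k1, b"A".ljust(8, b"\0"))
    # (b) B recovers k1, picks k2, returns message (2), assumed P_A(k1, k2).
    k1_at_b, _claimed_id = D(b_priv, msg1, 2)
    k2 = secrets.token_bytes(8)
    # b_echoes_k1=False simulates a responder that did not recover k1.
    echo = k1_at_b if b_echoes_k1 else bytes(x ^ 0xFF for x in k1_at_b)
    msg2 = P(a_pub, echo, k2)
    # (c) A checks the echoed k1, then sends message (3), assumed P_B(k2).
    k1_back, k2_at_a = D(a_priv, msg2, 2)
    if not hmac.compare_digest(k1_back, k1):
        raise ValueError("k1 mismatch: responder not authenticated")
    msg3 = P(b_pub, k2_at_a)
    # (d) B checks the k2 recovered from message (3) against the one it sent.
    (k2_back,) = D(b_priv, msg3, 1)
    if not hmac.compare_digest(k2_back, k2):
        raise ValueError("k2 mismatch: initiator not authenticated")
    return f(k1, k2_at_a), f(k1_at_b, k2)  # A's and B's view of the joint key

# Constructed demo keys from Mersenne primes (far too small for real use).
A_KEYS, B_KEYS = keypair(2**127 - 1, 2**89 - 1), keypair(2**107 - 1, 2**61 - 1)
```

Because anyone can encrypt under A's public key, message (2) authenticates B only through the echoed k1, which is why the check in step (c) must abort the run on mismatch.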

12.39 Note (modification of Needham-Schroeder protocol) Protocol 12.38 may be modified to eliminate encryption in the third message. Let $r_1$ and $r_2$ be random numbers generated respectively by A and B. Then, with checks analogous to those in the basic protocol, the messages in the modified protocol are:
