Efficient Methods for Two Party Entity Authentication and Key Exchange in a High Speed Environment

IP.com Disclosure Number: IPCOM000115106D
Original Publication Date: 1995-Mar-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 4 page(s) / 121K

Publishing Venue

IBM

Related People

Basturk, E: AUTHOR (and 3 others)

Abstract

Parties A and B are communicating in the presence of an adversary who can not only eavesdrop but also inject messages on the line and, claiming to be one of the legitimate parties, request a connection with the other. A and B share a key K which is not known to the adversary and will be referred to henceforth as the Long-Lived (LL) key. We present protocols enabling the parties to authenticate each other while simultaneously coming into possession of a fresh session key.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 40% of the total text.

Efficient Methods for Two Party Entity Authentication and Key Exchange
in a High Speed Environment

      Several such protocols have been proposed, both in the
literature and in IBM* disclosures (see references below).  The ones
presented here distinguish themselves in optimizing performance with
respect to a particular environment (namely, a high-speed network).
Specific features in this regard are discussed later.

      Denote by $\mathrm{bin}(i)$ the binary representation of integer $i$, padded with leading zeroes to make it a string of length 64.  All keys used will have length $k$ bits.  $L$ will denote a bound on the length of a string to be MACed, and $l$ will denote the size of a MAC.  Random challenges will have length 32 bits, and the "seed" for session key derivation will have length 64 bits.

      For any $k$-bit key $b$ we let $g_b$ denote a pseudorandom function (PRF) mapping $\{0,1\}^{64}$ to $\{0,1\}^{k}$.  From any given key $b$ we can derive subkeys, called the derived keys.  The $i$-th derived key is given by $b(i) = g_b(\mathrm{bin}(i))$ for each integer $i \in \{1, \ldots, 2^{64}\}$.

      Fix a Message Authentication Code (MAC) in which each $k$-bit key $a$ specifies a MACing function $\mathrm{MAC}_a$.  This function takes a string of length at most $L$ bits and returns a tag of $l$ bits.  MACing will be done under the first derived key.  Thus for any $k$-bit key $s$, define the MAC under key $s$ of a string $x$ to be $\mathrm{MAC}_{s(1)}(x)$, the MAC computed under the first derived key of $s$.  We let $[x]_s = (x, \mathrm{MAC}_{s(1)}(x))$ denote the signature of $x$ under $s$.

      The first derived key $K(1)$ of the LL-key will be used for MACing.  The second, $K(2)$, will be used to implicitly define the session key as $\{R_{\mathrm{seed}}\}_K = g_{K(2)}(R_{\mathrm{seed}})$, where the seed $R_{\mathrm{seed}}$ is chosen randomly by one of the parties.

One-Pass, Unilateral Authentication and Key Exchange
  1.  A picks $R_{\mathrm{seed}} \in \{0,1\}^{64}$ at random and derives the
       session key $\alpha = \{R_{\mathrm{seed}}\}_K$.  She sends to B the
       signed message $[A, B, T_A, R_{\mathrm{seed}}, \mathrm{Text1}]_K$, where
       $T_A$ is a timestamp or sequence number, and Text1 is an optional
       text string.
  2.  On receipt of this message, B checks the validity of the MAC, and
       checks that the sequence number is appropriate or that the
       timestamp is timely.  If these checks are passed then B accep...
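The following Python is an added illustration of the notation and of the one-pass protocol's two steps; it is not code from the disclosure.  It assumes the PRF $g_b$ is HMAC-SHA256 truncated to $k$ bits, takes $k = 128$ and $l = 64$ as constructed parameters, uses a sequence number for $T_A$, and fixes an 8-byte wire format for the party identifiers and fields, none of which the disclosure specifies.

```python
import hashlib
import hmac
import secrets

K_BITS = 128   # key length k (constructed choice, not fixed by the disclosure)
TAG_BITS = 64  # MAC tag length l (constructed choice)

def bin64(i: int) -> bytes:
    """bin(i): integer i as a 64-bit string, zero-padded on the left."""
    return i.to_bytes(8, "big")

def g(b: bytes, x: bytes) -> bytes:
    """PRF g_b: {0,1}^64 -> {0,1}^k; here HMAC-SHA256 truncated to k bits (assumption)."""
    assert len(x) == 8
    return hmac.new(b, x, hashlib.sha256).digest()[:K_BITS // 8]

def derived_key(b: bytes, i: int) -> bytes:
    """i-th derived key b(i) = g_b(bin(i))."""
    return g(b, bin64(i))

def mac(s: bytes, x: bytes) -> bytes:
    """MAC under key s: the tag is computed under the first derived key s(1)."""
    return hmac.new(derived_key(s, 1), x, hashlib.sha256).digest()[:TAG_BITS // 8]

def sign(s: bytes, x: bytes) -> bytes:
    """[x]_s = (x, MAC_{s(1)}(x)), transmitted as x followed by its tag."""
    return x + mac(s, x)

def session_key(K: bytes, r_seed: bytes) -> bytes:
    """{R_seed}_K = g_{K(2)}(R_seed): the session key comes from the second derived key."""
    return g(derived_key(K, 2), r_seed)

def ident(name: str) -> bytes:
    """Fixed 8-byte party identifier (constructed wire format)."""
    return name.encode().ljust(8, b"\0")[:8]

def a_send(K: bytes, a_id: bytes, b_id: bytes, t_a: int, text1: bytes = b""):
    """Step 1: A picks R_seed, derives alpha, and sends [A, B, T_A, R_seed, Text1]_K."""
    r_seed = secrets.token_bytes(8)
    alpha = session_key(K, r_seed)
    return sign(K, a_id + b_id + t_a.to_bytes(8, "big") + r_seed + text1), alpha

def b_receive(K: bytes, signed: bytes, expected_a: bytes, self_id: bytes, last_seq: int):
    """Step 2: B checks the MAC and that T_A is fresh; returns (session key, T_A) or None."""
    x, tag = signed[:-TAG_BITS // 8], signed[-TAG_BITS // 8:]
    if len(x) < 32 or not hmac.compare_digest(tag, mac(K, x)):
        return None  # forged, corrupted, or wrong-key message: reject before parsing
    a_id, b_id, t_a, r_seed = x[:8], x[8:16], int.from_bytes(x[16:24], "big"), x[24:32]
    if a_id != expected_a or b_id != self_id or t_a <= last_seq:
        return None  # wrong parties, or sequence number not beyond the last one seen (replay)
    return session_key(K, r_seed), t_a
```

B only derives the session key after the MAC and freshness checks pass, so a replayed or altered message never yields a key on B's side.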