Next: Conclusion Up: Towards Extensional Goals in Previous: Needham-Schroeder Public Key Protocol

Designing Entity Authentication Protocols

It was observed in section 2 that authors have generally found it easy to give extensional goals for key establishment, but that for entity authentication only intensional goals are usually found. It may be more than a coincidence that the majority of recent attacks on protocols seem to have been concerned with authentication rather than key establishment [1,14,17]. A clear view of what it means to achieve key establishment has allowed protocol designers to more systematically incorporate the correct mechanisms.

An informal, but successful, method to design new key establishment protocols has been to use the extensional properties of key freshness and exclusivity in combination with abstract notions of secure channels [9]. The purpose of this section is to suggest that a similar process can be done for entity authentication using the extensional properties established in section 3. The two properties that are of interest are liveness and entity authentication.

An abstract version of protocols intended to achieve liveness is as follows, where $A \stackrel{a}{\longrightarrow}B$ denotes an abstract authentication channel which provides authenticity of everything received by B [9]. $N_B$ is any value which can be verified by B as fresh.

\begin{displaymath}
A \stackrel{a}{\longrightarrow}B: N_B\end{displaymath}

This can be made concrete in a variety of ways. Mutual liveness between A and B who share a key $K_{AB}$ can be achieved in the following protocol.

1. $A \longrightarrow B: N_A$
2. $B \longrightarrow A: MAC_{K_{AB}}(B,N_A),N_B$
3. $A \longrightarrow B: MAC_{K_{AB}}(A,N_B)$

The inclusion of the identifiers in messages 2 and 3 ensures that each entity can recognise the messages it generated itself, so that neither message can be reflected back to its originator (which is merely a way of saying that the authentication channels are correctly implemented). The intended semantics of, say, message 2 is `I am B and I am alive'.

To extend this to provide entity authentication it is necessary to convey the semantics: `I am B and I wish to speak with A '. This can be achieved by adding the intended partner to the abstract protocol.

\begin{displaymath}
A \stackrel{a}{\longrightarrow}B: B,N_B\end{displaymath}

Again, for the concrete version the name of the sender must be included to secure the authentication channel.

1. $A \longrightarrow B: N_A$
2. $B \longrightarrow A: MAC_{K_{AB}}(B,A,N_A),N_B$
3. $A \longrightarrow B: MAC_{K_{AB}}(A,B,N_B)$

Protocols similar to this one have been published in the literature (although it is not known whether this exact one has been suggested before). An attack on the above protocol is possible which is very similar to some previously published attacks [6,12]. In this attack A is used as an `oracle' by the attacker C, who runs one instance of the protocol with B while posing as A, and a second instance with A while posing as B.

1. $C_A \longrightarrow B: N_C$
2. $B \longrightarrow C_A: MAC_{K_{AB}}(B,A,N_C),N_B$
1'. $C_B \longrightarrow A: N_B$
2'. $A \longrightarrow C_B: MAC_{K_{AB}}(A,B,N_B), N_A$
3. $C_A \longrightarrow B: MAC_{K_{AB}}(A,B,N_B)$

Such an attack certainly violates the canonical intensional specification (as well as many other intensional ones), since B accepts although the protocol has not run correctly: the message B accepts in step 3 was generated by A in run 2', not in reply to B's step 2. On the other hand, has the extensional specification failed? B believes that A is prepared to communicate with him, and indeed A was sent a challenge by someone purporting to be B and replied with a message to the effect that she was prepared to communicate with B. Thus B has not been deceived and the extensional goal is not violated.
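The following is an added example, not code from the paper: it implements the three-message MAC protocol above with HMAC-SHA256 standing in for $MAC_{K_{AB}}$ (a choice of primitive the paper does not make), and replays the oracle attack trace. Field names, the length-prefixed encoding of the MAC input and the `Party` class are assumptions of this illustration. The honest run ends with both parties accepting; in the attack B accepts on the strength of A's reply to the attacker's own challenge, while A never completes a run at all.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_K(field_1, ..., field_n). Each field is length-prefixed so that
    (B, A, N) cannot be re-parsed as a different tuple of the same bytes."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """One protocol participant sharing K_AB with its intended peer (assumed structure)."""

    def __init__(self, name: bytes, peer: bytes, key: bytes):
        self.name, self.peer, self.key = name, peer, key
        self.nonce = None
        self.accepted = False   # set once this party believes the peer wants to talk to it

    def msg1(self) -> bytes:
        # 1.  A -> B : N_A
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def msg2(self, n_peer: bytes):
        # 2.  B -> A : MAC(B, A, N_A), N_B   (responder role)
        self.nonce = secrets.token_bytes(16)
        return mac(self.key, self.name, self.peer, n_peer), self.nonce

    def msg3(self, tag: bytes, n_peer: bytes) -> bytes:
        # Initiator checks message 2 against its own nonce, then sends
        # 3.  A -> B : MAC(A, B, N_B)
        expected = mac(self.key, self.peer, self.name, self.nonce)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("message 2 failed verification")
        self.accepted = True
        return mac(self.key, self.name, self.peer, n_peer)

    def finish(self, tag: bytes) -> bool:
        # Responder checks message 3 against its own nonce N_B
        expected = mac(self.key, self.peer, self.name, self.nonce)
        self.accepted = hmac.compare_digest(tag, expected)
        return self.accepted


def honest_run():
    """Returns (B accepted, A accepted) after a correct run between A and B."""
    k_ab = secrets.token_bytes(32)
    a, b = Party(b"A", b"B", k_ab), Party(b"B", b"A", k_ab)
    n_a = a.msg1()
    tag2, n_b = b.msg2(n_a)
    tag3 = a.msg3(tag2, n_b)
    return b.finish(tag3), a.accepted


def oracle_attack():
    """The attack trace from the text; C never holds K_AB and forges nothing."""
    k_ab = secrets.token_bytes(32)
    a, b = Party(b"A", b"B", k_ab), Party(b"B", b"A", k_ab)
    n_c = secrets.token_bytes(16)       # 1.   C_A -> B : N_C
    _tag2, n_b = b.msg2(n_c)            # 2.   B -> C_A : MAC(B, A, N_C), N_B
    tag2p, _n_a = a.msg2(n_b)           # 1'.  C_B -> A : N_B
                                        # 2'.  A -> C_B : MAC(A, B, N_B), N_A
    b_accepts = b.finish(tag2p)         # 3.   C_A -> B : MAC(A, B, N_B)
    return b_accepts, a.accepted        # B accepts; A is still waiting for 3'


def forgery_rejected() -> bool:
    """Without K_AB, C cannot produce message 3 itself."""
    k_ab = secrets.token_bytes(32)
    b = Party(b"B", b"A", k_ab)
    b.msg2(secrets.token_bytes(16))
    return not b.finish(secrets.token_bytes(32))
```

Note that A's `accepted` flag stays false in the attack: A only ever played the responder role in run 1'/2' and never received a third message, which is exactly the sense in which the protocol "has not run correctly" even though B's extensional belief about A is true.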

Protocols using public key signatures may also be derived by similar arguments, as can ones using confidentiality. Consider the following which uses signatures of A and B in place of the MAC s used above.

1. $A \longrightarrow B: N_A$
2. $B \longrightarrow A: S_B(\{B,A,N_A\}),N_B$
3. $A \longrightarrow B: S_A(\{A,B,N_B\})$

In order to illustrate the ease with which new protocols may be designed using extensional goals, consider the following conference authentication protocol. The idea of such a protocol would be that all users $U_i$ in a set $\cal U$ should have confidence that all other users are ready to participate in a conference now. So far as is known, no such protocol has been published previously to solve this problem.

Each user needs to authenticate a message to each other user with the semantics: `I am $U_i$ and I want to communicate with the group $\cal U$'. This is most easily accomplished using a digital signature, so that all users may verify the same message. Each user $U_i, 1 \leq i \leq n$, chooses a fresh random value $N_i$. In the following, $X \longrightarrow*$ denotes that the user X broadcasts the message to all users, while the function h is any one-way hash function. The protocol consists of two phases, in each of which each user broadcasts one message.

1. $U_i \longrightarrow*: N_i$
2. $U_i \longrightarrow*: Sig_{U_i}({\cal U},h(N_1\vert N_2\vert\ldots\vert N_n))$

Each user, on receipt of the second set of messages, verifies each signature against the group identifier $\cal U$ and the hash of the nonces it received in the first phase. The protocol ensures to each user that every signature is fresh because that user's own fresh $N_i$ is among the inputs to h, and hence the value $h(N_1\vert N_2\vert\ldots\vert N_n)$ is fresh; a signature captured from an earlier conference will not verify against the current nonces.
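The following is an added example, not code from the paper, showing the two broadcast phases and the verification each user performs. Because the Python standard library has no public-key signature, $Sig_{U_i}$ is stood in for by an HMAC under a per-user key that every verifier is given; this keeps the protocol logic intact but is not a signature, and a real deployment would substitute one so that verifiers need not hold the signer's secret. The fixed member ordering of $\cal U$, the length-prefixed encoding of the signed message and the `User` class are assumptions of this illustration. The second function replays a phase-2 message from an earlier conference into a fresh run and shows it is rejected.

```python
import hashlib
import hmac
import secrets

# The set U of conference members, in a fixed order all users agree on (assumed).
GROUP = [b"U1", b"U2", b"U3"]


def h(nonces):
    """h(N_1 | N_2 | ... | N_n). Nonces are fixed-length, so concatenation is unambiguous."""
    return hashlib.sha256(b"".join(nonces)).digest()


def encode(group, digest):
    """Canonical, length-prefixed encoding of the signed message (U, h(...))."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in group + [digest])


# Stand-in for Sig_{U_i}: HMAC under the signer's key (verifiers hold the same key here).
# Not a signature; a public-key scheme replaces these two functions in practice.
def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)


class User:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.nonce = None
        self.received = {}          # member name -> nonce heard in phase 1

    def phase1(self):
        # 1.  U_i ->* : N_i   (fresh random value, remembered for the freshness check)
        self.nonce = secrets.token_bytes(16)
        self.received[self.name] = self.nonce
        return self.name, self.nonce

    def hear(self, name, nonce):
        if name in GROUP:            # ignore nonces from non-members
            self.received[name] = nonce

    def phase2(self):
        # 2.  U_i ->* : Sig_{U_i}(U, h(N_1 | ... | N_n)) over the nonces as this user saw them
        digest = h([self.received[u] for u in GROUP])
        return self.name, sign(self.key, encode(GROUP, digest))

    def check(self, sender, sig, keys):
        # Accept only group members, and only a signature over the current nonces,
        # which include this user's own fresh N_i.
        if sender not in GROUP or sender == self.name:
            return False
        digest = h([self.received[u] for u in GROUP])
        return verify(keys[sender], encode(GROUP, digest), sig)


def run_conference(keys=None):
    """One conference: returns ({user: all others verified}, phase-2 messages, keys)."""
    keys = keys or {u: secrets.token_bytes(32) for u in GROUP}
    users = [User(u, keys[u]) for u in GROUP]
    for name, nonce in [u.phase1() for u in users]:
        for u in users:
            u.hear(name, nonce)
    sigs = [u.phase2() for u in users]
    results = {u.name: all(u.check(s, sig, keys) for s, sig in sigs if s != u.name)
               for u in users}
    return results, sigs, keys


def replay_is_rejected():
    """A phase-2 message captured from an earlier conference fails in a new run."""
    _, old_sigs, keys = run_conference()
    users = [User(u, keys[u]) for u in GROUP]
    for name, nonce in [u.phase1() for u in users]:
        for u in users:
            u.hear(name, nonce)
    victim = users[0]
    sender, old_sig = old_sigs[1]       # U2's signature over last conference's nonces
    return not victim.check(sender, old_sig, keys)
```

The freshness argument of the text is visible in `check`: the verifier recomputes the hash from the nonces it received, one of which it chose itself a moment ago, so no value signed before this run can match.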

