AUTHENTICATION

In [45], G. Lowe introduces four reasonable meanings of the word “authentication.” They are, from the weakest to the strongest, aliveness, weak agreement, Non-injective agreement and agreement. In this paper, we prove that the proposed protocol satisfies the strongest definition: agreement.

Definition 3 (Agreement [45]): A protocol guarantees to an initiatorAagreement with a responderBon a set of data items if, wheneverA completes a run of the protocol,

apparently with B, which apparently has previously been running the protocol withAas a responder. If the two agents agreed on the data values corresponding to all the variables in the data items, and each such run ofAcorresponds to a unique run ofB.

Query, RID1, RID2

A,B,C Initiator Responder Retrieve rnd1, rnd2 Calculate C’ IDS D If C=C’ Update K, IDS Calculate D Calculate D’ Generate rnd1,rnd2 Calculate ABC If D=D’ Update K, IDS

Figure 3.1. Strand space representation of the proposed protocol.

It should be noticed that this definition only guarantees to an initiator agreement with a responder. To complete the proof of the authentication, it is also necessary to prove that the protocol guarantees to a responder agreement with an initiator. We will start with the proof of the latter one. Additionally, since the first two data exchanges{RID₁RID₂,IDS}

are broadcasted in the form of cleartext and do not contain any secrets, we will not include them in the following analysis.

Proposition 1: Suppose

1)  is a S_OT strand space,is a bundle in , ands is a responder strand insResp[ ]

2) 1 1 1 1 1

1 , 2 , , 1 , 2

A A B C C

K  K  K  K  K  and 1

D

K  are unknown to all the principals. KKey_P.

3) rnd1 andrnd2 originate uniquely in .

If all the variables agree (CC'and DD'), then contains a unique initiator’s strandtInit[ ] .

This proposition is illustrated in Figure 3.2. We will use two lemmas to prove this proposition. Throughout the remainder of this section, we will fix an arbitrary  and let 

, s , 1 1 1 1 1

1 , 2 , , 1 , 2

A A B C C

K  K  K  K  K  , 1

D

K  , rnd1 and rnd2 satisfy the hypotheses of

Proposition 1.

Lemma 1: Letn be the node from which rnd1 andrnd2uniquely originate in. If

'

CC , then nbelongs to Init[ ] and term n( ) {ABC}. In addition, to distinguish, we will later designate this particular node nasn_i1.

Proof: Letn be the node that proceeds n_r1 immediately. (n may be a penetrator doing replay attack.) Thenterm n( ) {ABC}. From (3) together with the assumption that

1 1 C K  and 1 2 C

K  are unknown, we have rnd rnd1, 2,andK {ABC}and thus

1, 2, ( )

rnd rnd Kterm n (5)

Now if we can show “Kterm n( )” then we are able to conclude thatnInit[ ] . This is because 1) KKey_Pwhich implies thatnP; 2) AlthoughKKey_R, rnd1 and

2

rnd do not originate from Resp[ ] according to (5). Based on the definition of noden, it follows thatnResp[ ] . Therefore, the problem becomes to proveKterm n( ).

Now we assumeKterm n( ); from (5) we knowKterm n( ), then there exists at least one node n' that proceeds n from which K uniquely originates and hence

( ')

Kterm n . SinceKKey_P, it follows thatn' lies either in the responder’s or the initiator’s strand. However, according to the definition of S_OT strand space, the form ofK

is either 1 2 1 { , ID1}KA { , ID2}KA rnd  K R  K R or ₂ { , 1} B K

rnd  K rnd where rnd1 andrnd2are

fresh. In other words, rnd1 andrnd2also originate fromn', which contradicts with the fact thatrnd1 andrnd2originate fromn. Therefore, we haveKterm n( )and hencenInit[ ] .

A,B,C Initiator Responder Retrieve rnd1, rnd2 Calculate C’ D If C=C’ Update K, IDS Calculate D Calculate D’ If D=D’ Update K, IDS A,B,C ... ni1 ni2 D ... n+ nr2 nr3 nr1

Figure 3.2. Illustration of Lemma 1 and 2.

Moreover, “rnd1 andrnd2originate fromn” also gives the conclusion that the sign

ofterm n( ) is positive (Lemma 2.8 in [44]). Together with nInit[ ] and the structure of

OT

Lemma 2: Upon receivingD if the nodenis able to update KandIDS,then n

belongs toInit[ ] and n_i1(defined in Lemma 1) proceeds noden. In addition, we designate this particular node nasn_i2

Proof: If the nodenin Init[ ] is able to update KandIDS , thenDD'. Since

* * { , } D K D K IDS where 1 D

K  is unknown to all principals, it follows that nodenmust have

*

K andIDS*in the form of cleartext. Then there are two possibilities:

1) rnd rnd1, 2,Kterm n( )in the form of cleartext. Nodencomputes K and* IDS*by itself.

2) Node n receives the cleartext *

K and IDS* from another node n' . Then

* *

( ') { , }

term n   K IDS . From the form, we can tell that n' does not belong to a regular

strand, hence n'P . Therefore we have KKey_P which contradicts with the

assumption.

Therefore, only case i) holds and thusnInit[ ] . From rnd rnd1, 2term n( ) together with the fact thatrnd1andrnd2originates uniquely from noden_i1, it follows that

1

i

n proceedsn. Proposition 1 now follows immediately from Lemmas 1 and 2. Note that the uniqueness is also proved by the conclusion of “n_i1proceeds noden” because n_i1is the

node that rnd1andrnd2uniquely originate from. Next we will prove the other side of the authentication: agreement property for the S_OTinitiator.

Proposition 2: Suppose

1)  is a SOT strand space,is a bundle in , ands is a initiator strand insInit[ ]

2) 1 1 1 1 1

1 , 2 , , 1 , 2

A A B C C

K  K  K  K  K  and 1

D

3) _rnd1 and_rnd2 originate uniquely in .

If the all the variables agree (CC' andDD'), then contains a unique responder’s strandtResp[ ] .

Similarly, we will use two lemmas to prove Proposition 2.

Lemma 3: Letn be the node in which D originates from in. If DD'for the node n (defined in Lemma 2), then i2 nbelongs toResp[ ] . In addition, we designate this particular node nas n r3

Proof: The proof of this lemma is almost identical to the proof for Lemma 2.

Basically we will show that {K IDS*, *}term n( )in the form of cleartext. Then it follows thatKterm n( ). Thus we eliminates the case thatnP. Again since the sign of term n( ) is positive, together with the form of SOTwe are able to conclude that nbelongs toResp[ ].

Lemma 4: There exists a unique node nin Resp[ ] proceedingn , such thatr3

( ) { }

term n   ABC , where ABC is given in Lemma 1. In addition, we designate this particular node nas n . r1

Proof: In Lemma 3 we have shown that{rnd rnd1, 2, }K term n( r3). Letnbe the

minimal member of noden inr3 Resp[ ] . Then by the definition of minimal[44], we have

{rnd rnd1, 2, }K term n( ). Sincernd1 and rnd2uniquely originate infrom node ni1 which is proven in Lemma 1, then we have this relationship

1 { 1, 2, } i rnd rnd K n   n (6)

Therefore the sign ofterm n( ) is negative. Given thatnResp[ ], exploring all the forms of responder strands, we haveterm n( ) {ABC}. Since {ABC}is computed directly based on rnd1 andrnd2, it follows that {ABC}also originates uniquely from noden . i1 Hence {ABC} in term n( ) is the same term that originated fromn . i1

Proposition 2 follows directly from Lemma 3 and 4. And together with Proposition 1, we have completed the proof of authentication.