
Figure 2.1 A Simplified Pictorial Description of a Cryptographic System

2.5 Security Properties for Authenticated Key Establishment

All protocols to be described in this chapter are of a kind: they achieve authenticated key establishment. The precise meaning of this security service can be elaborated by the following three properties.

Let K denote a shared secret key to be established between Alice and Bob. The protocols to be designed in this chapter should achieve a security service with the following three properties. At the end of the protocol run:

1. Only Alice and Bob (or perhaps a principal who is trusted by them) should know K.

2. Alice and Bob should know that the other principal knows K.

3. Alice and Bob should know that K is newly generated.

The first property follows the most basic meaning of authentication: identifying the principal who is the intended object of communication. Alice (respectively, Bob) should be assured that the other end of the communication, if "padlocked" by the key K, can only be Bob (respectively, Alice). If the key establishment service is achieved with the help of Trent, then Trent is trusted not to impersonate either of these two principals.

The second property extends the authentication service to an additional dimension, that is, entity authentication, or the liveness of an identified principal who is the intended object of the communication. Alice (respectively, Bob) should be assured that Bob (respectively, Alice) is alive and responsive to the communications in the current protocol run. We shall see later that this property is necessary in order to thwart an attack scenario based on the replaying of old messages.

The need for the third property follows a long-established key management principle in cryptography. That principle stipulates that a secret cryptographic key should have a short lifetime if it is a shared key and is used for bulk data encryption. Such a key usage is rather different from that of a "key-encryption key" or a long-term key, which we described at the end of §2.4. There are two reasons behind this key management principle. First, if a key for data encryption is a shared one, then even if one of the sharing parties, say, Alice, is very careful in her key management and disposal, compromise of the shared key by the other sharing party, say, Bob, due to Bob's carelessness, which is totally out of Alice's control, will still result in Alice's security being compromised. Secondly, most data in confidential communications contain (possibly a large volume of) known or predictable information or structure. For example, a piece of computer program contains a large quantity of known text such as "begin," "end," "class," "int," "if," "then," "else," "++," etc. Such data are said to contain a large quantity of redundancy (for the definition see §3.8). Encryption of such data makes the key a target for cryptanalysis which aims at finding the key or the plaintext, and prolonged use of one key for encrypting such data eases the cryptanalyst's task. We should also consider that Malice has unlimited time to spend on finding an old data-encryption key and then reusing it as though it were new. The well-established and widely accepted principle for key management thus stipulates that a shared data-encryption key should be used for one communication session only. Hence, such a key is also referred to as a session key or a short-term key. The third property of authenticated key establishment service assures Alice and Bob that the session key K established is one that has been newly generated.
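The three properties above, as a runnable illustration added here (this is not code from the book, and the exchange is not one of the protocols of §2.6): a constructed server-based run in which Trent issues a fresh K, each party checks that its ticket arrived sealed under its long-term key with Trent (property 1) and carries its own nonce for this run (property 3), and each party proves knowledge of K to the other under K itself (property 2). The toy sealing primitive, the message formats, the nonce handling and the protocol itself are assumptions made for the demonstration. The run with `replay` set shows Alice rejecting a ticket that Malice captured from an earlier run, the kind of old-message replay the second and third properties are meant to thwart.

```python
"""Constructed illustration (added here; not one of the book's protocols) of the
three properties of authenticated key establishment, using a server-based
exchange with Trent.  Sealing is a toy HMAC-SHA256 construction for demo only."""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n bytes."""
    blocks = [hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key: bytes, fields: list) -> bytes:
    """Toy authenticated encryption of a JSON list: nonce || ciphertext || tag."""
    pt = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> list:
    """Verify the tag first; a bad tag means the blob was not sealed under this key."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: not sealed under this long-term key")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())


def confirm(k: bytes, sender: str, n_a: str, n_b: str) -> bytes:
    """Key confirmation: MAC under the session key over sender name and both nonces."""
    return hmac.new(k, f"{sender}|{n_a}|{n_b}".encode(), hashlib.sha256).digest()


class Trent:
    """Trusted server sharing a long-term key with each principal (assumed setup)."""

    def __init__(self) -> None:
        self.keys = {"Alice": secrets.token_bytes(32), "Bob": secrets.token_bytes(32)}

    def issue(self, a: str, b: str, n_a: str, n_b: str):
        k = secrets.token_bytes(32).hex()          # freshly generated session key
        return (seal(self.keys[a], [b, n_a, k]),   # ticket for Alice
                seal(self.keys[b], [a, n_b, k]))   # ticket for Bob


def run(trent: Trent, replay: Optional[bytes] = None):
    """One run of the constructed protocol (assumed message flow):
       1. A -> B : Alice, N_A
       2. B -> T : Alice, Bob, N_A, N_B
       3. T -> B : {Bob, N_A, K}_K_AT, {Alice, N_B, K}_K_BT
       4. B -> A : N_B, {Bob, N_A, K}_K_AT, MAC_K(Bob, N_A, N_B)
       5. A -> B : MAC_K(Alice, N_A, N_B)
    Returns (K as accepted by Alice, K as accepted by Bob, Alice's ticket) or raises."""
    n_a = secrets.token_hex(16)
    n_b = secrets.token_hex(16)
    ticket_a, ticket_b = trent.issue("Alice", "Bob", n_a, n_b)
    if replay is not None:
        ticket_a = replay      # Malice substitutes a ticket captured in an old run

    # Bob: property 1 (sealed under K_BT) and property 3 (carries N_B of this run)
    peer, nonce, k_hex = unseal(trent.keys["Bob"], ticket_b)
    if peer != "Alice" or nonce != n_b:
        raise ValueError("Bob: ticket not for this run")
    k_bob = bytes.fromhex(k_hex)
    mac_b = confirm(k_bob, "Bob", n_a, n_b)

    # Alice: property 1 (sealed under K_AT) and property 3 (carries N_A of this run)
    peer, nonce, k_hex = unseal(trent.keys["Alice"], ticket_a)
    if peer != "Bob" or nonce != n_a:
        raise ValueError("Alice: ticket not fresh (nonce mismatch, possible replay)")
    k_alice = bytes.fromhex(k_hex)
    # property 2: Bob has demonstrated knowledge of K within this run
    if not hmac.compare_digest(mac_b, confirm(k_alice, "Bob", n_a, n_b)):
        raise ValueError("Alice: Bob did not prove knowledge of K")
    mac_a = confirm(k_alice, "Alice", n_a, n_b)

    # Bob: property 2 for Alice
    if not hmac.compare_digest(mac_a, confirm(k_bob, "Alice", n_a, n_b)):
        raise ValueError("Bob: Alice did not prove knowledge of K")
    return k_alice, k_bob, ticket_a


def replay_rejected(trent: Trent, old_ticket: bytes) -> bool:
    """True if Alice rejects a ticket captured from an earlier run."""
    try:
        run(trent, replay=old_ticket)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    t = Trent()
    ka, kb, old = run(t)
    print("fresh run agreed:", ka == kb, "; replay rejected:", replay_rejected(t, old))
```

The nonce check in each party's ticket is what gives property 3: a ticket that does not carry the nonce the party chose for this run is rejected even though it is genuinely sealed by Trent, which is exactly the situation Malice creates by replaying an old ticket. The MAC under K over both nonces is what gives property 2: only a principal that currently holds K and saw this run's nonces can produce it. The seal/unseal pair here is a teaching stand-in, not a real authenticated-encryption scheme.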


Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.


2.6 Protocols for Authenticated Key Establishment
