Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-05-01
2002-01-01
Chung, Phung M. (Department: 2767)
C380S044000, C380S277000
active
06336188
ABSTRACT:
This invention relates to cryptographic systems and in particular, to authenticated key agreement protocols used in the cryptographic systems.
A key agreement problem exists when two entities wish to agree on keying information in secret over a distributed network. Solutions to the key agreement problem whose security is based on a Diffie-Hellman problem in finite groups have been used extensively.
Suppose however, that entity i wishes to agree on secret keying information with entity j. Each party desires an assurance that no party, other than i and j, can possibly compute the keying information agreed upon. This may be termed the authenticated key agreement (AK) problem. Clearly, this problem is harder than the key agreement problem in which i does not care which entity it is agreeing on a key with, for in this problem i stipulates that the key may be shared with j and no other entity.
Several techniques related to the Diffie-Hellman problem have been proposed to solve the AK problem. However, no practical solutions have been provably demonstrated to achieve this goal and this deficiency has led, in many cases, to the use of flawed protocols.
Since in the AK problem, i merely desires that only j can possibly compute the key and not that j has actually computed the key, solutions are often said to provide implicit (key) authentication. If i wants to make sure, in addition, that j really has computed the agreed key, then key confirmation is incorporated into the key agreement protocol leading to so-called explicit authentication. The resulting goal is called authenticated key agreement with key confirmation (AKC). It may be seen that key confirmation essentially adds the assurance that i really is communicating with j. Thus, the goal of key confirmation is similar to the goal of entity authentication as defined in Diffie-Hellman. More precisely however, the incorporation of entity authentication into the AKA protocol provides i the additional assurance that j can compute the key, rather than the stronger assurance that j has actually computed the key.
A number of distinct types of attacks have been proposed against previous schemes. There are two major attacks which a protocol should withstand. The first is a passive attack, where an adversary attempts to prevent a protocol from achieving its goal by merely observing honest entities carrying out the protocol. The second is an active attack, where an adversary additionally subverts the communications themselves in any way possible by injecting messages, intercepting messages, replaying messages, altering messages and the like.
It is thus essential for any secure protocol to withstand both passive and active attacks since an adversary can reasonably be assumed to have these capabilities in a distributed network.
It is therefore desirable to provide a key agreement protocol that mitigates at least some of the above disadvantages.
SUMMARY OF THE INVENTION
A key agreement method between a pair of entities i and j in a digital data communication system, wherein each said entity has a private and corresponding public key pair S_i, P_i and S_j, P_j respectively and the system, having global parameters for generating elements of a group, said method comprising the steps of:
(a) entity i selecting a random private session value R_i;
(b) forwarding a public session value corresponding to said private session value R_i to said entity j;
(c) entity j computing a long term shared secret key k′ derived from entity i's public key and j's private key utilizing a first function H_1;
(d) said entity j utilizing said key k′ and computing an authenticated message on entity identities i, j and the entities' public session keys and forwarding said authenticated message to entity i;
(e) said entity i verifying said received authenticated message;
(f) said entity i computing said long term shared secret key k′ derived from said entity j's public key and i's private key in accordance with said first function H_1;
(g) said entity i utilizing said long term shared secret key k′ and computing an authenticated message on said entities i and j identity information and said entities public session keys and forwarding said authenticated message to said entity j;
(h) entity j verifying said received authenticated message; and
(i) upon both said entities i and j verifying said authenticated message, computing a short term shared secret key utilizing a respective entity's session public and private keys.
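The nine steps above, carried through end to end as an added example (this is illustration code written for this page, not the patent's or Certicom's implementation). Everything not stated in the claim is an assumption: the group is the multiplicative group modulo the Mersenne prime 2^127 - 1 with generator 3 (a constructed toy parameter, far too small for real use), the first function H_1 is SHA-256 over the static Diffie-Hellman value g^(S_i S_j), the "authenticated message" is an HMAC-SHA256 tag over the identities and public session values, and the short term key of step (i) is SHA-256 of the ephemeral value g^(R_i R_j). The `tamper` hook is a constructed test that alters i's public session value in transit, which makes the key confirmation check of step (e) fail, showing what the authenticated messages add over plain Diffie-Hellman.

```python
"""Authenticated key agreement with key confirmation, steps (a)-(i).

Example code added for illustration, not the patent's implementation.
Assumed (not from the page): toy group mod 2^127 - 1, generator 3,
H_1 = SHA-256, authenticated message = HMAC-SHA256, session key = SHA-256.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # constructed toy modulus (Mersenne prime M127); not a secure size
G = 3                # assumed generator of a large subgroup mod P
ELEM_LEN = 16        # bytes needed to encode a group element below 2^127


def encode(x: int) -> bytes:
    """Fixed-length big-endian encoding so MAC inputs cannot be re-split."""
    return x.to_bytes(ELEM_LEN, "big")


def h1(shared: int) -> bytes:
    """First function H_1: long term shared key k' from g^(S_i S_j)."""
    return hashlib.sha256(b"H1" + encode(shared)).digest()


def auth_tag(k_prime: bytes, sender: bytes, receiver: bytes,
             sender_pub: int, receiver_pub: int) -> bytes:
    """Authenticated message on the two identities and both public session values.

    The sender/receiver order inside the MAC input distinguishes j's message
    of step (d) from i's message of step (g), so one cannot be replayed as the other.
    """
    msg = b"|".join([sender, receiver, encode(sender_pub), encode(receiver_pub)])
    return hmac.new(k_prime, msg, hashlib.sha256).digest()


class Entity:
    def __init__(self, identity: bytes):
        self.identity = identity
        self.s = secrets.randbelow(P - 2) + 1   # long term private key S
        self.p = pow(G, self.s, P)              # long term public key P = g^S
        self.r = None                           # private session value R
        self.t = None                           # public session value g^R

    def new_session(self) -> int:
        """Step (a): pick a random private session value, return its public value."""
        self.r = secrets.randbelow(P - 2) + 1
        self.t = pow(G, self.r, P)
        return self.t

    def long_term_key(self, peer_pub: int) -> bytes:
        """Steps (c)/(f): k' = H_1(peer_P ^ own_S) = H_1(g^(S_i S_j)), equal on both sides."""
        return h1(pow(peer_pub, self.s, P))

    def short_term_key(self, peer_t: int) -> bytes:
        """Step (i): short term shared key from the session values, g^(R_i R_j)."""
        return hashlib.sha256(b"session" + encode(pow(peer_t, self.r, P))).digest()


def run_protocol(i: Entity, j: Entity, tamper=None):
    """Run steps (a)-(i) between i and j.

    Returns (key_i, key_j) on success, or None when a verification step fails.
    `tamper`, if given, is a constructed in-transit modification of i's public
    session value (an active attacker altering step (b)).
    """
    t_i = i.new_session()                                   # (a)
    t_i_seen_by_j = tamper(t_i) if tamper else t_i          # (b) forwarded, possibly altered
    t_j = j.new_session()                                   # j's own session value
    k_j = j.long_term_key(i.p)                              # (c)
    tag_j = auth_tag(k_j, j.identity, i.identity, t_j, t_i_seen_by_j)   # (d)

    k_i = i.long_term_key(j.p)                              # (f)
    expected_by_i = auth_tag(k_i, j.identity, i.identity, t_j, t_i)
    if not hmac.compare_digest(tag_j, expected_by_i):       # (e)
        return None                                         # i saw a different t_i than j did

    tag_i = auth_tag(k_i, i.identity, j.identity, t_i, t_j)             # (g)
    expected_by_j = auth_tag(k_j, i.identity, j.identity, t_i_seen_by_j, t_j)
    if not hmac.compare_digest(tag_i, expected_by_j):       # (h)
        return None

    return i.short_term_key(t_j), j.short_term_key(t_i_seen_by_j)       # (i)


if __name__ == "__main__":
    alice, bob = Entity(b"alice"), Entity(b"bob")
    keys = run_protocol(alice, bob)
    print("honest run, keys equal:", keys is not None and keys[0] == keys[1])
    print("altered session value rejected:",
          run_protocol(alice, bob, tamper=lambda t: (t * G) % P) is None)
```

Two points of the claim are visible in the code: the long term key k′ depends only on the static keys and is identical on both sides, so it can be computed before any session value is checked, while the short term key of step (i) is only derived after both authenticated messages verify, which is what turns implicit authentication into key confirmation.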
REFERENCES:
patent: 4956863 (1990-09-01), Goss
patent: 5142578 (1992-08-01), Matyas et al.
patent: 5588060 (1996-12-01), Aziz
patent: 5657390 (1997-08-01), Elgamal et al.
patent: 5889865 (1999-03-01), Vanstone et al.
patent: 5896455 (1999-04-01), Vanstone et al.
Schneier, Applied Cryptography 2nd Ed., pp. 513-522 and pp. 31-34, 1996.*
Diffie and Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, Nov. 1976.
Blake-Wilson Simon
Johnson Donald
Menezes Alfred
Certicom Corp.
Chung Phung M.
Kabakoff Steve