Authentication and Key Establishment Protocols

Let’s learn about more complex cryptographic protocols with more realistic security goals.

The security goals of our simple protocol were rather basic, making it hard to justify the need for such a protocol in a real application. However, the dissection of the simple protocol variants has demonstrated the type of analytical skills required to examine more complex cryptographic protocols with more realistic collections of security goals.

We now reconsider authentication and key establishment (AKE) protocols. Hundreds of AKE protocols have been proposed, since an AKE protocol often has to be tailored to the precise needs of the application for which it is designed. However, the two main security objectives of an AKE protocol are always:

  • Mutual entity authentication: This is occasionally just unilateral entity authentication.

  • Establishment of a common symmetric key: This applies regardless of whether symmetric or public-key techniques are used to do this.

It shouldn’t be surprising that these two objectives are required together in one protocol:

  • The need to authenticate key holders: Key establishment makes little sense without entity authentication. It’s hard to imagine any applications in which we would want to establish a common symmetric key between two parties without at least one party being sure of the other’s identity.

    Indeed, in many applications, mutual entity authentication is required. The only argument for not incorporating entity authentication in a key establishment protocol is for applications in which the authentication has already been conducted before running the key establishment protocol.

  • Prolonging authentication: The result of entity authentication can be prolonged by simultaneously establishing a symmetric key. Recall that a problem with entity authentication is that it is achieved only for an instant in time. In practice, we often desire this achievement to be extended over a longer period (a session).

    One way of doing this is to bind the establishment of a symmetric key to the entity authentication process. In this way, later use of the key during a session provides confidence that the communication is being conducted between the parties who were authenticated at the instant in time the key was established.

    So at least for a while, we can maintain the security context achieved during entity authentication. Of course, exactly how long this can be maintained is a subjective and application-dependent issue.
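
The binding described above, sketched as an added example that is not part of the original lesson: a simplified three-pass challenge-response run under an assumed pre-shared long-term key, with the session key derived from the same nonces that were authenticated. The function names, labels and message layout are illustrative assumptions, not a named protocol from the text.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed fields (unambiguous encoding)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


def run_ake(k_alice: bytes, k_bob: bytes):
    """Three-pass mutual authentication; returns both session keys, or None on failure."""
    # Pass 1: Bob -> Alice: fresh nonce r_b
    r_b = secrets.token_bytes(16)
    # Pass 2: Alice -> Bob: fresh nonce r_a and proof that she knows the long-term key
    r_a = secrets.token_bytes(16)
    proof_a = tag(k_alice, b"auth-A", r_a, r_b, b"Bob")
    # Bob checks Alice's proof against his own copy of the long-term key
    if not hmac.compare_digest(proof_a, tag(k_bob, b"auth-A", r_a, r_b, b"Bob")):
        return None
    # Pass 3: Bob -> Alice: proof over both nonces, with a different label and identity
    proof_b = tag(k_bob, b"auth-B", r_b, r_a, b"Alice")
    if not hmac.compare_digest(proof_b, tag(k_alice, b"auth-B", r_b, r_a, b"Alice")):
        return None
    # Each side derives the session key from the nonces that were just authenticated
    return (tag(k_alice, b"session", r_a, r_b, b"Alice", b"Bob"),
            tag(k_bob, b"session", r_a, r_b, b"Alice", b"Bob"))


def protect(session_key: bytes, seq: int, msg: bytes) -> bytes:
    """Tag for a session message; the sequence number blocks replay within the session."""
    return tag(session_key, b"data", seq.to_bytes(8, "big"), msg)


def accept(session_key: bytes, seq: int, msg: bytes, t: bytes) -> bool:
    """Accepting a tag shows the sender holds the key established at authentication."""
    return hmac.compare_digest(t, protect(session_key, seq, msg))


if __name__ == "__main__":
    long_term = secrets.token_bytes(32)  # constructed pre-shared long-term key
    sk_a, sk_b = run_ake(long_term, long_term)
    t = protect(sk_a, 1, b"transfer 10")
    print("same session key:", sk_a == sk_b)
    print("message accepted in session:", accept(sk_b, 1, b"transfer 10", t))
    print("impostor rejected:", run_ake(secrets.token_bytes(32), long_term) is None)
```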
