authentication and secret key establishment
# Security - System Security
c*o
1
I have a client/server application that needs to communicate securely. The client
needs to input username/passwd to access the server and the client knows the
public key of the server (Ku). My two-way authentication and secret key
establishment protocol is as follows:
1. The client sends Ku(username||passwd||N1) to the server. N1 is a random
number generated by the client in this session.
2. The server decrypts the message using the private key and verifies the
username/passwd by consulting a database.
c*a
2
What about a replay attack?
N1 seems redundant and insecure here. You may refer to Kerberos for session key
and ticket issuing.

[Quoting c*****o's post:]
: I have a client/server application that needs to communicate securely. The client
: needs to input username/passwd to access the server and the client knows the
: public key of the server (Ku). My two-way authentication and secret key
: establishment protocol is as follows:
: 1. The client sends Ku(username||passwd||N1) to the server. N1 is a random
: number generated by the client in this session.
: 2. The server decrypts the message using the private key and verifies the
: username/passwd by consulting a database.

c*o
3
N1 is against replay attack because it's a random number each time. Also it's
used to authenticate the server since only the server can decrypt the first
package containing N1.
Kerberos is too complex for this simple case, that's why I design this
protocol.

[Quoting c*****a's post:]
: What about a replay attack?
: N1 seems redundant and insecure here. You may refer to Kerberos for session key
: and ticket issuing.
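
As an added example (not code from the thread or its participants), the following models the two steps visible above and shows how the server handles a resent copy of the step-1 message with and without a record of the N1 values it has already accepted. Toy unpadded RSA stands in for Ku(...), and the `USERS` table, `Server` class and status strings are assumptions made for illustration; any later protocol steps are not on the page and are not modelled.

```python
import secrets

# Toy textbook RSA standing in for Ku(...): no padding, fixed Mersenne primes.
# Assumption for illustration only; a real system would use RSA-OAEP or TLS.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent

USERS = {"alice": "correct horse"}  # constructed sample credential database


def client_step1(username, passwd):
    """Step 1: build Ku(username||passwd||N1) with a fresh client nonce N1."""
    n1 = secrets.token_hex(8)
    plaintext = f"{username}|{passwd}|{n1}".encode()
    m = int.from_bytes(plaintext, "big")
    assert m < N, "message too long for the toy modulus"
    return pow(m, E, N), n1


class Server:
    def __init__(self, track_nonces):
        self.track_nonces = track_nonces
        self.seen = set()  # N1 values already accepted

    def step2(self, ciphertext):
        """Step 2: decrypt, check credentials, optionally reject a reused N1."""
        m = pow(ciphertext, D, N)
        plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
        username, passwd, n1 = plaintext.split("|")
        stored = USERS.get(username, "")
        if not secrets.compare_digest(stored.encode(), passwd.encode()):
            return "bad-credentials"
        if self.track_nonces and n1 in self.seen:
            return "replay-rejected"
        self.seen.add(n1)
        return "accepted"


def demo():
    """Deliver the same step-1 ciphertext twice to each kind of server."""
    captured, _ = client_step1("alice", "correct horse")
    stateless, stateful = Server(False), Server(True)
    return (
        [stateless.step2(captured), stateless.step2(captured)],
        [stateful.step2(captured), stateful.step2(captured)],
    )
```

A client-chosen N1 tells the server nothing about freshness unless the server remembers which values it has seen; a server-issued challenge gives the same protection without an ever-growing cache.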
