It was observed in section 2 that authors have generally found it easy to give extensional goals for key establishment, but that for entity authentication only intensional goals are usually found. It may be more than a coincidence that the majority of recent attacks on protocols seem to have been concerned with authentication rather than key establishment [1,14,17]. A clear view of what it means to achieve key establishment has allowed protocol designers to more systematically incorporate the correct mechanisms.
An informal, but successful, method to design new key establishment protocols has been to use the extensional properties of key freshness and exclusivity in combination with abstract notions of secure channels [9]. The purpose of this section is to suggest that a similar process can be done for entity authentication using the extensional properties established in section 3. The two properties that are of interest are liveness and entity authentication.
An abstract version of protocols intended to achieve
liveness is as follows, where denotes an abstract
authentication channel which provides authenticity of
everything received by B [9].
is any value which
can be verified by B as fresh.
This can be made concrete in a variety of ways. Mutual liveness
between A and B who share a key can be achieved
in the following protocol.
The inclusion of the identifiers in messages 2 and 3 ensure that messages of each entity can be recognised by themselves (which is merely a way of saying that the authentication channels are correctly implemented). The intended semantics of, say, message 2 is `I am B and I am alive'.
To extend this to provide entity authentication it is necessary to convey the semantics: `I am B and I wish to speak with A '. This can be achieved by adding the intended partner to the abstract protocol.
Again, for the concrete version the name of the sender must be included to secure the authentication channel.
Protocols similar to this one have been published in the
literature (although it is not known whether this exact one
has been suggested before).
An attack on the above protocol is
possible
which is
very similar to some previously published attacks
[6,12].
In this attack
A is used as an `oracle' by the attacker C .
Such an attack certainly violates the canonical intensional specification (as well as many other intensional ones) since B accepts but the protocol has not run correctly. On the other hand has the extensional specification failed? B believes that A is prepared to communicate with him, and indeed we see that A was sent a challenge by someone purporting to be B and indeed replied with a message to the effect that she was prepared to communicate with B . Thus B has not been deceived and the extensional goal is not violated.
Protocols using public key signatures may also be derived by similar arguments, as can ones using confidentiality. Consider the following which uses signatures of A and B in place of the MAC s used above.
In order to illustrate the ease with which
new protocols may be designed using extensional goals, consider
the following conference authentication protocol. The
idea of such a protocol would be that all users in a
set
should have confidence that all other users are
ready to participate in a conference now. So far as is known,
no such protocol is published previously to solve this problem.
Each user needs to authenticate a message to each other user
with the semantics: `I am and I want to communicate with
the group
'. This is most easily accomplished using a
digital signature so that all users may authenticate the same
message. Each user,
, choose a fresh
random value
. In the following,
denotes
that the user X broadcasts the message to all users, while
the function h is any one-way hash function. The protocol
consists of two phases, in each of which each user broadcasts
one message.
Each user on receipt of the second set of messages
verifies the signature. The protocol ensures to each user that
the signature is fresh because the input to h is fresh and
hence the value is fresh.