Adding mutual authentication
Double challenge-response in 3 rounds (4 if the initial “hello” message is included)
Variant in which the user sends the nonce first?
  – Insecure…
  – To improve security, make the protocol asymmetric
  – No such attack on the previous protocol
Security principle: let the initiator prove its identity first
  – Also vulnerable to off-line password guessing without eavesdropping
Public-key based
Ex 6: Double challenge-response
Issues:
  – How does each party learn the other party’s public key?
  – How does a party obtain its own secret key (e.g., if logging in remotely)?
    Can download the information, protected by a password
Using timestamps?
Ex 7: User sends MAC(time); server responds with MAC(time+1)
Vulnerabilities?
  – Symmetric protocol…
Establishing a session key
One-way challenge-response; compute the session key as F_K(R+1)
  – Secure if F is a pseudorandom permutation…?
  – (Potential attack…)
Public-key based…
Include E_pk(session-key) in the protocol?
Encrypt the session key and sign the result?
  – No forward secrecy…
  – Potentially vulnerable to replay attacks
User sends E(R_1); server sends E(R_2); session key is R_1 + R_2
  – Reasonable…
Authenticated Diffie-Hellman
Add signatures/MACs and nonces to the Diffie-Hellman protocol
  – Note: achieves forward secrecy
  – What if we had used encryption instead?
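The MAC-authenticated variant of this protocol, as an added example that is not from the slides: each side contributes an ephemeral DH value and a nonce, the responder and then the initiator MAC the whole transcript under a pre-shared long-term key (a signature could replace the MAC), and the session key is derived from g^ab alone. The toy group, the key, and the message layout are assumptions made for the demo.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this demo: 2**127 - 1 is prime but far too small for real use
# (deployments use an RFC 7919 group or an elliptic curve); the protocol logic is unchanged.
P, G = 2**127 - 1, 2

def mac(key, *parts):
    # Length-prefix each field so the authenticated transcript cannot be re-parsed ambiguously.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def check(key, tag, *parts):
    if not hmac.compare_digest(tag, mac(key, *parts)):
        raise ValueError("MAC does not verify: a DH value or nonce was altered in transit")

def session_key(peer_pub, my_exp):
    # Derived from g^ab only: the long-term MAC key never enters it (forward secrecy).
    shared = pow(int.from_bytes(peer_pub, "big"), my_exp, P)
    return hashlib.sha256(b"session-key" + shared.to_bytes(16, "big")).digest()

def alice_init():
    a = secrets.randbelow(P - 2) + 1                     # fresh ephemeral exponent
    return a, (pow(G, a, P).to_bytes(16, "big"), secrets.token_bytes(16))  # msg1 = g^a, R_A

def bob_respond(k, msg1):
    ga, ra = msg1
    b = secrets.randbelow(P - 2) + 1
    gb, rb = pow(G, b, P).to_bytes(16, "big"), secrets.token_bytes(16)
    tag_b = mac(k, b"Bob", ga, gb, ra, rb)               # binds both DH values and both nonces
    return session_key(ga, b), (gb, rb, tag_b)           # msg2 = g^b, R_B, MAC_K("Bob", transcript)

def alice_finish(k, a, msg1, msg2):
    (ga, ra), (gb, rb, tag_b) = msg1, msg2
    check(k, tag_b, b"Bob", ga, gb, ra, rb)              # Bob authenticated; reject on failure
    return session_key(gb, a), mac(k, b"Alice", ga, gb, ra, rb)   # msg3 = MAC_K("Alice", transcript)

def bob_finish(k, msg1, msg2, tag_a):
    (ga, ra), (gb, rb, _) = msg1, msg2
    check(k, tag_a, b"Alice", ga, gb, ra, rb)            # Alice authenticated

def run(k, tampered=False):
    a, msg1 = alice_init()
    sk_bob, msg2 = bob_respond(k, msg1)
    if tampered:  # simulate an in-path substitution of g^b; alice_finish must reject it
        msg2 = (pow(G, 12345, P).to_bytes(16, "big"), msg2[1], msg2[2])
    sk_alice, tag_a = alice_finish(k, a, msg1, msg2)
    bob_finish(k, msg1, msg2, tag_a)
    return sk_alice, sk_bob
```

Run `run(k)` twice to see that fresh exponents give unrelated session keys, and `run(k, tampered=True)` to see the MAC check refuse a substituted g^b.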