Open GoodHut opened 2 years ago
remainder of this section, we describe the protocol, discuss its properties, and justify its subtle details by showing how variants of it are vulnerable.

5.1 Basic STS Protocol

The STS protocol consists of Diffie-Hellman key establishment [Diff76], followed by an exchange of authentication signatures. In the basic version of the protocol, we assume that the parameters used for the key establishment (i.e., the specification of a particular cyclic group and the corresponding primitive element $\alpha$) are fixed and known to all users. While we refer to the Diffie-Hellman operation as exponentiation, implying that the underlying group is multiplicative, the description applies equally well to additive groups (e.g., the group of points of an elliptic curve over a finite field). We also assume in this section that Alice knows Bob's authentic public key, and vice versa; this assumption is dropped in the following section.

The protocol begins with one party, Alice, creating a random number $x$ and sending the exponential $\alpha^x$ to the other party, Bob (see diagram below). Bob creates a random number $y$ and uses Alice's exponential to compute the exchanged key $K = \alpha^{xy}$. Bob responds with the exponential $\alpha^y$ and a token consisting of his signature on the exponentials, encrypted with $K$ using a suitable symmetric encryption algorithm $E$ (i.e., $E_K(s_B\{\alpha^y, \alpha^x\})$). Alice computes $K$, decrypts the token using $K$, and verifies Bob's signature using Bob's public key. Alice sends to Bob her corresponding encrypted signature on the exponentials, $E_K(s_A\{\alpha^x, \alpha^y\})$. Finally, Bob similarly verifies Alice's encrypted signature using $K$ and Alice's public key. The security of the exponential key exchange relies on the apparent intractability of the discrete logarithm problem [Odly91].
Basic STS Protocol:

Alice → Bob: $\alpha^x$
Bob → Alice: $\alpha^y,\ E_K(s_B\{\alpha^y, \alpha^x\})$
Alice → Bob: $E_K(s_A\{\alpha^x, \alpha^y\})$

It is possible to create a more symmetric version of this protocol where the parties exchange exponentials first and then exchange encrypted signatures in separate messages. This would make it permissible for the exponential messages to cross, and then the encrypted signature messages to cross. In such a case, neither Alice nor Bob need know who initiated the call. This is desirable, as situations exist in practice (e.g. in both voice telephony and X.25 data transfer) in which at certain implementation levels, it is not known which party initiated a call. This explains why each party forms his signature with his own exponential listed first. If the exponentials were in the same order in both
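The three-message exchange described above, as an added example that is not part of the original post or the quoted paper: it runs both sides and shows that a signature check fails when the exponential one party sees differs from the one the other sent. Textbook RSA on constructed Mersenne-prime keys, a hash-keystream XOR for E, the group modulus 2^521 - 1 with base 3, and the per-sender label inside E are all assumptions chosen so the sketch runs on the Python standard library.

```python
import hashlib, secrets

# Constructed toy parameters (assumptions): demo-sized and unvetted.
P, ALPHA = 2**521 - 1, 3   # fixed public group modulus (a Mersenne prime) and base

def H(*parts):  # hash labels/integers to one integer
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen(p, q, e=65537):  # textbook RSA stands in for the signature scheme s
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def sign(key, first, second):  # s{first, second}: signer's own exponential first
    return pow(H(first, second) % key["n"], key["d"], key["n"])

def verify(key, sig, first, second):  # reads only the public part (n, e)
    return pow(sig, key["e"], key["n"]) == H(first, second) % key["n"]

def E(K, sender, value):  # toy E_K: XOR with a hash keystream, so E also decrypts
    return value ^ H("E", sender, K)  # per-sender label is an added assumption

ALICE = keygen(2**61 - 1, 2**89 - 1)    # constructed keys; each party is assumed
BOB = keygen(2**107 - 1, 2**127 - 1)    # to know the other's authentic public key

def run_sts(alter_in_transit=False):
    # Message 1, Alice -> Bob: alpha^x
    x = secrets.randbelow(P - 3) + 2
    ax = pow(ALPHA, x, P)
    # Message 2, Bob -> Alice: alpha^y, E_K(s_B{alpha^y, alpha^x})
    y = secrets.randbelow(P - 3) + 2
    ay, k_bob = pow(ALPHA, y, P), pow(ax, y, P)
    token_b = E(k_bob, "B", sign(BOB, ay, ax))
    # Optionally model an exponential that changed between Bob and Alice
    ay_seen = ay * ALPHA % P if alter_in_transit else ay
    # Alice computes K, decrypts the token, and verifies Bob's signature
    k_alice = pow(ay_seen, x, P)
    if not verify(BOB, E(k_alice, "B", token_b), ay_seen, ax):
        raise ValueError("Bob's signature does not match the exponentials Alice saw")
    # Message 3, Alice -> Bob: E_K(s_A{alpha^x, alpha^y})
    token_a = E(k_alice, "A", sign(ALICE, ax, ay_seen))
    # Bob decrypts with his K and verifies Alice's signature
    if not verify(ALICE, E(k_bob, "A", token_a), ax, ay):
        raise ValueError("Alice's signature does not match the exponentials Bob saw")
    return k_alice, k_bob

if __name__ == "__main__":
    k_a, k_b = run_sts()
    print("shared key established:", k_a == k_b)
```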