Score:0

mutual authentication in STS protocol

de flag

STS Protocol is like this:

  1. $A \rightarrow B:~ g^x$
  2. $A \leftarrow B:~ g^y, E_K(S_B(g^y, g^x))$
  3. $A \rightarrow B:~ E_K(S_A(g^x, g^y))$

My question is why do we say in STS we have mutual authentication? For example:

  1. $A \rightarrow C: g^x$
  2. $C \rightarrow B: g^x$
  3. $C \leftarrow B: g^y, E_K(S_B(g^y, g^x))$
  4. $A \leftarrow C: g^y, E_K(S_B(g^y, g^x))$

so A will authenticate C instead of B!

kelalaka avatar
in flag
Certificates??? From wiki `They must also be verified by Bob to prevent an active attacker from inserting weak parameters (and thus a weak key K). Diffie, van Oorschot & Wiener (1992) recommend against special checks to prevent this and instead suggest including the group parameters in Alice's certificate.`
Score:0
de flag

The main problem in this question is the role of C.
Here C is not doing anything other than transferring the data. so it somehow acts like a wire. so it won't be counted in the protocol.

Score:0
br flag

The question (with the specific "attack") has been answered in detail in Sec 1.5.6, Attack/ Figure 1.6 .

Essentially, it depends on the specific definition of "mutual authentication", or more generally, authentication goals. In the cited work, the definition of "mutual authentication" (Def. 14 below) is reached, since both parties can verify that the messages originate from the respective party. For example, A knows that the message $g^y, E_K(S_B(g^y, g^x))$ come from B by verifying $S_B$, and thus that B has knowledge of the content.

However, the definition of "strong entity authentication" (see Def. 13 below) is not met, since "A would be wrong to conclude, after a successful run, that B wishes to communicate with her." Sec 1.5.6

"Definition 13. Strong entity authentication of A to B is provided if B has a fresh assurance that A has knowledge of B as her peer entity" Def 13., Strong Entity Authentication

"Definition 14. Mutual authentication occurs if both entities are authenticated to each other in the same protocol. Unilateral authentication (sometimes called one-way au- thentication) occurs if only one entity is authenticated to the other." Def 14., Mutual Authentication

Score:0
sd flag

Let’s say servent, In a server-client model both sides must be identified. During the authentication phase of the key with authentication, the client Ci is identified with the evaluation of MACk (IDCi, TCi, R, R), while the server with the evaluation of MACk = (IDCi, TCi, L), respectively. An attacker can not create a valid session if he does not know the real identity of the client, and calculate the commonly calculated value R and the correct k = H3 (IDCi, TCi, R, R).

Resistance to de-synchronized attack,

Creating a new AID requires a modern calculation for both sides. If the client does not receive the message from the server, it may not be able to connect to it. So it's a reasonable assumption that mutual authentication with a key exchange protocol is just the beginning of the session, followed by a secure message exchange. During this exchange, an important process for the protocol takes place. If the server does not receive a message after the mutual authentication, the server will know that the client may not receive the messages and stop updating the AID with a new value.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.