Provably secure session key distribution: the three party case

We study session key distribution in the three-party setting of Needham and Schroeder. (This is the trust model assumed by the popular Kerberos authentication system.) Such protocols are basic building blocks for contemporary distributed systems|yet the underlying problem has, up until now, lacked a de nition or provably-good solution. One consequence is that incorrect protocols have proliferated. This paper provides the rst treatment of this problem in the complexity-theoretic framework of modern cryptography. We present a de nition, protocol, and a proof that the protocol satis es the de nition, assuming the (minimal) assumption of a pseudorandom function. When this assumption is appropriately instantiated, our protocols are simple and e cient.

[1]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[2]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[3]  Moti Yung,et al.  Systematic Design of Two-Party Authentication Protocols , 1991, CRYPTO.

[4]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[5]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[6]  Moti Yung,et al.  Perfectly Secure Key Distribution for Dynamic Conferences , 1992, Inf. Comput..

[7]  Johan Hstad,et al.  Construction of a pseudo-random generator from any one-way function , 1989 .

[8]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[9]  Rolf Blom,et al.  An Optimal Class of Symmetric Key Generation Systems , 1985, EUROCRYPT.

[10]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[11]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[12]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[13]  Moti Yung,et al.  The KryptoKnight family of light-weight protocols for authentication and key distribution , 1995, TNET.

[14]  Giovanni Maria Sacco,et al.  Timestamps in key distribution protocols , 1981, CACM.

[15]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[16]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[17]  Yacov Yacobi,et al.  On Key Distribution Systems , 1989, CRYPTO.

[18]  Silvio Micali,et al.  Secret-Key Agreement without Public-Key Cryptography , 1993, CRYPTO.

[19]  Jeffrey I. Schiller,et al.  An Authentication Service for Open Network Systems. In , 1998 .

[20]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[21]  Silvio Micali,et al.  Secret-key agreement without public-key , 1994, CRYPTO 1994.

[22]  D SchroederMichael,et al.  Using encryption for authentication in large networks of computers , 1978 .

[23]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[24]  Roger M. Needham,et al.  Authentication revisited , 1987, OPSR.