
  • 8/3/2019 4901 paper 2


Operating Systems
R. Stockton Gaines, Editor

Using Encryption for Authentication in Large Networks of Computers

Roger M. Needham and Michael D. Schroeder
Xerox Palo Alto Research Center

Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

Key Words and Phrases: encryption, security, authentication, networks, protocols, public-key cryptosystems, data encryption standard

CR Categories: 3.81, 4.31, 4.35

Introduction

In the context of secure computer communications, authentication means verifying the identity of the communicating principals to one another. A network in which a large number of computers communicate may have no central machine or system that contains authoritative descriptions of the connected computers, of the purposes for which they are used, or of the individuals who use them. We present protocols for decentralized authentication in such a network that are integrated with the allied subject of naming. There is minimal reliance on network-wide services; in particular there is no reliance on a single network clock or a single network name management authority.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

Authors' present addresses: R.M. Needham, University of Cambridge Computer Laboratory, Corn Exchange Street, Cambridge, England; M.D. Schroeder, Xerox Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, California 94304.

1978 ACM 0001-0782/78/1200-0993 $00.75.

Three functions are discussed:

(1) Establishment of authenticated interactive communication between two principals on different machines. By interactive communication we mean a series of messages in either direction, typically each in response to a previous one.

(2) Authenticated one-way communication, such as is found in mail systems, where it is impossible to require protocol exchanges between the sender and the recipient while sending an item, since there can be no guarantee that sender and recipient are simultaneously available.

(3) Signed communication, in which the origin of a communication and the integrity of the content can be authenticated to a third party.

Secure communication in physically vulnerable networks depends upon encryption of material passed between machines. We assume that it is feasible for each computer in the network to encrypt and decrypt material efficiently with arbitrary keys, and that these keys are not readily discoverable by exhaustive search or cryptanalysis. We consider both conventional encryption algorithms and public-key encryption algorithms as a basis for the protocols presented.

We assume that an intruder can interpose a computer in all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material. While this may seem an extreme view, it is the only safe one when designing authentication protocols.

We also assume that each principal has a secure environment in which to compute, such as is provided by a personal computer or would be by a secure shared operating system. Our viewpoint throughout is to provide authentication services to principals that choose to communicate securely. We have not considered the extra problems encountered when trying to force all communication to be performed in a secure fashion or when trying to prevent communication between particular principals in order to enforce restrictions on information flow.

Our protocols should be regarded as examples that expose the authentication issues in large networks rather than as fully engineered solutions to the overall security problems of a particular application. While providing an adequate solution to the authentication problems specified and meeting most common security objectives, our protocols would need elaboration to meet other security goals such as preventing traffic analysis, withholding all matching cleartext-ciphertext pairs from an eavesdropper, and ensuring instantaneous detection of tampering, and also to maximize efficiency in particular networks. It is possible to devise other protocols similar to those presented that also meet the stated objectives.

Communications of the ACM, December 1978, Volume 21, Number 12

There is a modest amount of literature on our subject, and methods have been proposed for several of the individual functions we describe [1, 3, 5, 6], although no work is reported that integrates these techniques and applies them in a decentralized environment, or that provides functionally equivalent protocols based on both conventional and public-key encryption.

1. Encryption Algorithms

The important difference between conventional and public-key encryption algorithms is the way keys are used. With a conventional encryption algorithm, such as the NBS Data Encryption Standard [7], the same key is used for both encryption and decryption. Authentication depends upon the two participants in a conversation being the only two principals (apart possibly from trusted servers) who know the key that is being used to encrypt the transmitted material. With a public-key encryption algorithm, a concept originated by Diffie and Hellman [3], two keys are necessary: one that is used in the conversion of clear text to cipher text, and another that is used in the conversion of cipher text to clear text. Furthermore, knowledge of one key gives no help in finding the other, and the two keys will act as inverses for each other. Elegant systems may be devised in which each principal has one public key and one secret key. Anyone may encrypt a communication for A using his public key, but only A can decrypt the result using his secret key. Likewise, only A can encrypt messages that will decrypt sensibly with A's public key. The first example of a public-key encryption algorithm was devised by Rivest et al. [9], and others are sure to follow.

2. Authentication Servers

With both kinds of encryption the basis of authenticated communication is a secret key belonging to each principal using the network, and there is need for an authoritative source of information about these keys. We use the term authentication server for a server that can deliver identifying information computed from a requested principal's secret key.

Since the main database of an authentication server is indexed by name, the management of authentication servers is related to the management of names. In an extended network it is inexpedient to have a single central name registration authority, so we suppose that there are multiple naming authorities, each of which assigns and cancels names as it wishes. With this organization, principals have names of the form "NamingAuthority.SimpleName." Associated with each naming authority are one or more name lookup servers and one or more authentication servers.¹ A name lookup server is prepared to provide various network addresses associated with a given SimpleName, for example, the address of that principal's mail system buffer. One or more instances of a master name lookup server will provide the network addresses of appropriate name lookup and authentication servers when given a naming authority's name. Authentication servers perform strikingly similar functions for the two classes of encryption algorithms; the differences will be brought out as they arise.

3. Means of Encryption

One significant issue in this area of study is where the encryption and decryption are done. Branstad [2] suggests that these actions take place in the network interface of a computer. It is a requirement of some of our protocols that the encryption be done elsewhere, because it is necessary to prepare an encrypted message without actually sending it yet or to receive an encrypted message without knowing at the network interface what the key is. Accordingly we have assumed that any hardware encryption aid is located so one can say

    X := encrypt(Y, Key)

and still have X in hand, or say

    if (X := decrypt(Y, Key1)) = nonsense
    then X := decrypt(Y, Key2) fi

4. Protocols for Establishing Interactive Connections

Protocol 1. With Conventional Algorithms

If a conventional algorithm is used then each principal has a secret key that is known only to itself and to its authentication server, the contents of which are accordingly secret. The essential step in setting up secure communication between A and B is for the initiator, say A, to generate a message with two properties:

(a) It must be comprehensible only to B, i.e. allow only B to use its contents to identify himself to A.

(b) It must be evident to B that it originated with A.

The use of encryption to achieve these properties was first described by Feistel [4] and applied to a network context by Branstad [1].

¹ Naming authorities are independent of network topology; they need have nothing to do with subnetworks or with particular computers on the network. Multiple identical name lookup servers and authentication servers for a single naming authority may be used to make sure that these services are topologically "close" to those needing to use them, and to enhance reliability. Our multiple authentication servers must be carefully distinguished from those proposed by Diffie and Hellman [3], which perform the quite different function of checking one another. In that case every user is registered with every authenticator, the aim being to defend against corruption of particular authenticators.


Assuming for the moment that A and B are in the purview of the same authentication server AS, we now outline a protocol. The notation used will be followed throughout: encryption is indicated by braces that are superscripted with the key used (in this transcription the key follows a caret after the closing brace, so {X}^KA is X encrypted under KA).

The protocol opens with A communicating in clear to AS his own claimed identity and the identity of the desired correspondent, B, together with A's nonce identifier for this transaction, IA1. ("Nonce" means "used only once.") Here the nonce identifier must be different than others used by A in previous messages of the same type. The first message of the protocol is:

    A → AS: A, B, IA1    (1.1)

Upon receiving message (1.1), AS looks up the secret, identifying keys of both parties and also computes a new key CK that will be the key for the conversation if all goes well.² The next transaction is a rather complicated message from AS to A:

    AS → A: {IA1, B, CK, {CK, A}^KB}^KA    (1.2)

where KA and KB are A's and B's secret, identifying keys. Because (1.2) is encrypted with A's secret key, only A can decrypt it and discover the conversation key CK. Following decryption, A checks for the presence of the intended recipient's name, B, and the correct identifier, IA1, in order to verify that the message really is a reply by AS to the current enquiry. Both the name of the intended recipient and the transaction identifier must appear in message (1.2). If the recipient's name is left out, then an intruder could change that name in message (1.1), say to X, before AS receives it, with the subsequent result that A would unknowingly communicate with X instead of B. If the identifier is left out, then an intruder could substitute a previously recorded message (1.2) (from AS to A about B) and force A to reuse a previous conversation key.³ A remembers CK and sends the part encrypted with KB to B:

    A → B: {CK, A}^KB    (1.3)

The real B, but no other, will be able to decrypt message (1.3) and emerge with the conversation key CK, the same as A has. B also knows the identity of the intending correspondent, as authenticated by AS.

It is worth reviewing at this point the state of knowledge of the two parties. A now knows that any communication he receives encrypted with CK must have originated with B, and also that any communication he emits with CK encryption will be understood only by B. Both are known because the only messages containing CK that have ever been sent are tied to A's and B's secret keys. B is in a similar state, mutatis mutandis. It is important, however, to be sure that no part of the protocol exchange or ensuing conversation is being replayed by an intruder from a recording of a previous conversation between A and B. In relationship to this question the positions of A and B differ. A is aware that he has not used the key CK before and therefore has no reason to fear that material encrypted with it is other than the legitimate responses from B. B's position is not so good; unless he remembers indefinitely keys previously used by A in order to check that CK is new, he is unclear that the message (1.3) and the subsequent messages supposedly from A are not being replayed. To guard against this possibility, B generates a nonce identifier for the transaction, IB, and sends it to A under CK:

    B → A: {IB}^CK    (1.4)

expecting a related reply, say one less:

    A → B: {IB - 1}^CK    (1.5)

If this reply is satisfactorily received, then the mutual confidence is sufficient to enable substantive communication, encrypted with CK, to begin.

There are five messages in protocol 1. The number may be reduced to three by A's keeping, for regular interaction partners, a cache of items of the form B: CK, {CK, A}^KB derived from message (1.2), thus eliminating messages (1.1) and (1.2). Note however that, if such authenticators are cached, changes are needed to the protocol. With caching, the same CK is being used again and again, so the conversation identifier handshakes need to be two-way, for example, by replacing steps (1.3) and (1.4) with:

    A → B: {CK, A}^KB, {IA2}^CK    (1.3')
    B → A: {IA2 - 1, IB}^CK    (1.4')

The change does not increase the number of protocol messages but does alter the content slightly.

² The new key must be unpredictable and should never have been used before.

³ Also note that messages (1.1) and (1.2) together, and others in our protocols, make available known plaintext encrypted with a principal's identifying key. If there is concern about cryptanalytic attack based on known plaintext being used to expose an identifying key, then an additional temporary key TK may be used where appropriate throughout, so that {X}^KA becomes {TK}^KA {X}^TK.
In practice, messages (1.3)-(1.5) would be used to start a two-way seriation in order to ensure the integrity of the subsequent conversation. Methods for ensuring integrity following initial contact have been studied by Kent [5].

Protocol 2. With Public-Key Algorithms

We use key labels such as PKA for A's public key and SKA for his secret one. The exchange opens with A consulting the authentication server in the clear to find B's public key.

    A → AS: A, B    (2.1)

AS responds with:

    AS → A: {PKB, B}^SKAS    (2.2)

where SKAS is the authentication server's secret key. A is presumed to know the AS's public key, PKAS, which is used to decrypt the message. A must obtain and store PKAS in a reliable way, so he is sure it is correct. If an intruder somehow could provide an arbitrary value that A thinks is PKAS, then that intruder could impersonate AS.

The importance of the reciprocity between the public and secret keys is shown here. Encryption of message (2.2) is required not to ensure the privacy of the information but to ensure its integrity. It is important that A should be sure that he is getting PKB rather than the public key of some miscreant. A knows that the name of the intended recipient, B, was correctly communicated to AS because that name is returned in message (2.2).

The next step is for the communication with B to be initiated:

    A → B: {IA, A}^PKB    (2.3)

This message, which can only be understood by B, indicates that someone purporting to be A wishes to establish communication, and secretly communicates a nonce identifier, IA, generated by A. B decrypts the message with his secret key and then finds PKA with steps similar to (2.1) and (2.2):

    B → AS: B, A    (2.4)
    AS → B: {PKA, A}^SKAS    (2.5)

Message (2.5) is encrypted for integrity, as was (2.2), not for secrecy. At this point a double handshake is needed to authenticate A and B to one another and to establish the time integrity of the conversation. The handshake is completed as steps (2.6) and (2.7):

    B → A: {IA, IB}^PKA    (2.6)
    A → B: {IB}^PKB    (2.7)

There are thus seven steps in this protocol as against five with protocol 1, but four of them (2.1, 2.2, 2.4, and 2.5) can be done away with by A and B both having local caches of commonly used public keys. The resulting three protocol steps have very similar purposes to the three remaining after caching in protocol 1.

Observe that, because public keys are not secret, double encryption, i.e. {{message}^SKA}^PKB, or some equivalent is required during the course of the ensuing interaction. If the data were simply encrypted with the public key of the recipient, then anyone else could inject material into the stream. An equivalent safeguard is to use an arbitrary number from a large space as the base for seriation of encryption blocks. This number may be initialized as IA or IB according to direction. An intruder would have no way of knowing what was the correct serial to insert in a forged packet, even if he had counted previous packets, since he could not know the correct base. The more bits that are devoted to this redundant seriation the fewer good data bits we get per unit decryption effort.

5. Multiple Authentication Servers

In the protocols just given we assumed that A and B were clients of the same authentication server. This restriction is not necessary, and we now remove it. When extending the protocols we must bear in mind that, while an authentication server must be regarded as the final authority for its clients, it must be able to have no effect for good or ill on communication between clients of other authentication servers. Then our system will not be upset completely by the conduct of a shoddy authenticator. Of course, outsiders will show circumspection on a human level in their dealings with a shoddy authenticator's clients.

The effects on the protocols of multiple authentication servers differ somewhat between the two encryption techniques. Consider first the case of conventional encryption. The requirement is still to produce an item of the form {CK, A}^KB for A to use when making his first approach to B (see step (1.3)). To produce this quantity both authentication servers (which will be called ASA and ASB) are involved, since only ASB can produce items encrypted with KB and only ASA can produce items encrypted with KA. We need two more steps between (1.1) and (1.2), which constitute an interchange between the two servers. We suppose that separate measures have been taken to ensure secure communication between the servers, for example, their secret keys are held by a master server, and the regular servers establish secure links (by protocol 1 already given) whenever they come into operation. We also presume that names are, where necessary, always full "NamingAuthority.SimpleName" names, so that the correct authentication server can be located. As explained above, the knowledge of a naming authority's name leads to the network address of the associated authentication server.

    ASA → ASB: CK, B, A, IA1    (1.11)
    ASB → ASA: {CK, A}^KB, IA1, A    (1.12)

(IA1 is transmitted to avoid retention of state in ASA between messages (1.11) and (1.12).) Following (1.12) ASA is in a position to complete the protocol.

In the public-key case, since no secret keys are moved around, it is possible for A to approach ASB directly if A knows that server's public key. We assume that A already has this knowledge, though in a strict case of total ignorance there would be key lookup steps, for example, correspondence with a master authentication server, before (2.1). With the knowledge of PKASB, A corresponds directly with ASB in steps (2.1) and (2.2). Likewise, with knowledge of PKASA, B corresponds directly with ASA in (2.4) and (2.5).

In both cases caching can be expected to reduce the number of protocol messages to three.

6. Implementing Authentication Servers

There are differences in the implementation of authentication servers for the two varieties of encryption. In the conventional case the content of the database, items of the form A: KA, must be kept secret (which could


be done by encrypting it with the secret, identifying key of the server). A secure transaction takes place every time the server is used: at step (1.2) the keys of both customers must be extracted in order to construct the message contents. By contrast, in the public-key case the content of the database need not be secret, and no secure transaction need take place when the server is used if the server's database is set up to contain items of the form A: {PKA, A}^SKAS as required at step (2.2). (If the server contained the public keys directly, there would still be a secure operation at each use, for the reasons mentioned in the discussion of step (2.2).) With the public-key authentication server there still is a requirement for a secure computation, creating {PKA, A}^SKAS, but only when a new public key is registered, and this operation may be done outside the authentication server and the result added to the database in a nonsecure way. In practice, however, we suspect that the implementation of authentication servers would not differ as much as we have indicated, for reasons such as the need to prevent corruption of the public-key authentication server's data, which could prevent communication even though it will not lead to faulty authentication.

Note that with both encryption techniques the communications with servers can be done without the formalities of establishing what is usually called a "connection." The servers need never retain information about an ongoing transaction from one message to the next, so that repetition or loss of protocol packets does not matter. Only at step (1.11) does anything special have to be done to ensure lack of connection state. If this simplicity were lost, then the total cost of protocol exchanges would become higher.

7. One-Way Communication

In a computerized mail system it is impossible to depend upon interaction between the sender and the receiver in the course of each delivery. The mail is put into the hands of a transport mechanism and may be delivered later when the sender is no longer available. On the other hand, two-way authentication of sender and receiver is as desirable for mail as it is for interactive communication. Good design of a mail system would suggest that the mail transport mechanism not be part of the security system, and the proposals here meet that goal.

With Conventional Algorithms

Consider a message used in a previous protocol:

    A → B: {CK, A}^KB    (1.3)

This message has the property that if it be put at the head of mail encrypted with CK, then the whole is self-authenticating both as to recipient and originator even though B played no part at all in the setting-up protocol. We assume that the subsequent individual blocks of the mail are securely seriated in, for example, the manner of Kent. The very fact of delay, however, causes special steps to be needed to ensure the time integrity of mail, i.e. that it has not been recorded by an intruder from an earlier transmission and repeated. We have avoided proposing the use of time-stamps elsewhere, because it presupposes a network-wide reliable source of time. Here there seems little alternative to the use of time-stamps; but it is possible to use them here without requiring a universal clock. A suitable technique is as follows. Each message has in its body a time-stamp indicating the time of sending. (Such a time-stamp is a normal part of most mail anyway.) The resolution needs to be fine enough that no two messages from the same source will have the same stamp. Any recipient, say B, maintains a register in which an entry of the form {source, time-stamp} is stored for each mail item received. A time interval T is associated with B. T is taken as an upper bound on clock asynchrony in the network and the interval between the time the mail was sent and the time of its arrival within B's security control, after which time the mail cannot be diverted. A mail item is rejected if either its {source, time-stamp} is on the register or its time-stamp predates the current time by more than T. The register is kept small by discarding entries older than T. T may vary dependent on B's activity if a message may only arrive in his security control when he is present.

With Public-Key Algorithms

The means of ensuring time integrity are identical in this case and will not be repeated. We have two alternative courses. With the first a header is sent that identifies A to B without using a handshake:

    A → B: {A, I, {B}^SKA}^PKB

Here A denotes the sender and {B}^SKA enables authentication by B of the identity of the sender using protocol transactions as at (2.4) and (2.5) (which may of course be short-cut by caching). I is a nonce identifier that is used to connect the header with the ensuing message text sent under the protection of PKB, with a time-stamp as above and with a secure seriation as discussed earlier. The connection between header and message provided explicitly by I in this protocol is provided implicitly by CK in the case of a conventional encryption algorithm.

The other way to handle mail using the public-key system achieves the additional function of signature and is described in the next section.
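The recipient's {source, time-stamp} register with its interval T, as described above for conventional algorithms and reused unchanged in the public-key case, worked through in Python. This is an added example, not code from the paper; the class and function names, the choice of T = 30 and the sample deliveries are all constructed for illustration, and times are plain numbers on B's own clock.

```python
class MailRegister:
    """Recipient B's register of {source, time-stamp} entries with interval T.

    T bounds clock asynchrony plus transit delay, as the paper defines it, so
    the only checks needed are the two it states: a duplicate (source, stamp)
    entry, or a stamp that predates B's current time by more than T.
    """

    def __init__(self, T):
        self.T = T
        self.seen = set()                   # (source, stamp) pairs received

    def accept(self, source, stamp, now):
        """Decide one delivered item; `now` is B's own clock at arrival."""
        # Entries older than T may be discarded: a replay of such an item is
        # caught by the age test below, so the register need not remember it.
        self.seen = {e for e in self.seen if now - e[1] <= self.T}
        if (source, stamp) in self.seen:
            return False                    # already received: a replay
        if now - stamp > self.T:
            return False                    # too old to be a live delivery
        self.seen.add((source, stamp))
        return True


def deliver_all(register, items):
    """items: (arrival time on B's clock, source, sender's stamp); returns verdicts."""
    return [register.accept(src, stamp, now) for now, src, stamp in items]


# Constructed sample deliveries for T = 30 (any time unit), not from the paper.
SAMPLE = [
    (100.0, "A", 99.0),    # fresh item
    (101.0, "A", 99.0),    # the same item again: on the register
    (102.0, "A", 100.5),   # new item; a sender clock slightly ahead is fine
    (200.0, "A", 99.0),    # the first item replayed later: older than T
    (200.0, "C", 150.0),   # stamp predates B's time by 50 > T
    (200.0, "C", 180.0),   # within T: accepted
]

if __name__ == "__main__":
    print(deliver_all(MailRegister(T=30), SAMPLE))
```

Note that a stamp ahead of B's clock is not rejected; the paper folds asynchrony into T rather than policing future stamps.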

8. Digital Signatures

The previous protocols are designed to authenticate each communicant to the other. It is sometimes necessary to provide evidence to a third party that a particular communication is exactly as received from a particular sender. This requirement is met by signatures on paper documents. A common example is instructions from a superior to do something; the recipient needs to retain them as evidence that his actions were proper. To produce the analog of signed documents with messages, it is necessary that the recipient could not alter a signed text undetected and that the sender cannot credibly disclaim it. The ability to provide digital signatures depends upon there being something the originator can do which the recipient cannot.

Protocol 3. Signatures with Conventional Encryption and a Little Help.

One method uses a characteristic function of the clear text message that is to be signed. The characteristic function must have the property that, given the clear text message, the function, and the resulting characteristic value, it is hard to find another sensible clear text message that produces the same characteristic value. It also is useful if the characteristic value is noticeably smaller than the cleartext message. Hard-to-invert transformations of the sort used to protect passwords [8] are a class of functions with the required properties.

While sending the text, say using the interactive or mail protocols described earlier, A computes the characteristic value CS. He then requests a signature block from the authentication server:

    A → AS: A, {CS}^KA    (3.1)

which the server supplies:

    AS → A: {A, CS}^KAS    (3.2)

Message 3.2 is encrypted with AS's key and therefore is accessible only to AS. Note that A cannot validate the message, but if it has been interfered with, then B subsequently will be unable to validate the signature, which he likely will do anyway before acting on the message if it contains instructions worthy of signature. A sends the signature block to B following the text to be signed.

On receipt B first decrypts the text and computes its characteristic value, CSC. B then communicates the signature block to the authentication server for decryption:

B → AS: B, {A, CS}KAS (3.3)

The server decrypts the signature block and returns its contents to B:

AS → B: {A, CS}KB (3.4)

If the returned CS matches CSC, then the principal named in (3.4) is the sender of the signed text. CSC not matching CS could mean that any of the steps (3.1)-(3.3), or the association of the signature block with the signed text, has been interfered with. Earlier detection of certain types of interference is possible by using nonce identifiers in transactions (3.1)-(3.2) and (3.3)-(3.4). If B wishes to retain the text as evidence, all he has to do is to retain the signature block and the text itself. In response to a challenge B would produce the text and the signature block for an arbiter who would go through the communication of steps (3.3) and (3.4).

The extension of protocol 3 to the case of multiple authentication servers is straightforward.
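The four-message exchange of Protocol 3, with an arbiter later repeating steps (3.3)-(3.4), as an added example in Python (not code from the paper). Encryption under a key is modelled symbolically as a tagged tuple that only a holder of that key can open, SHA-256 stands in for the paper's characteristic function, and the principal names and keys are placeholders.

```python
# Added example, not from the paper: a symbolic model of Protocol 3, signatures
# with conventional encryption and an authentication server (messages 3.1-3.4).
# {payload}K is modelled as a tagged tuple that only a holder of K can open;
# SHA-256 stands in for the paper's characteristic function. Names are placeholders.
import hashlib

def enc(key, payload):
    """Symbolic {payload}key."""
    return ("enc", key, payload)

def dec(key, block):
    """Opens {payload}key; fails for any other key, which models tampering."""
    tag, k, payload = block
    if tag != "enc" or k != key:
        raise ValueError("block not encrypted under this key")
    return payload

def characteristic(text):
    """CS: hard to invert and hard to find a second sensible text for."""
    return hashlib.sha256(text.encode()).hexdigest()

class AuthServer:
    def __init__(self, shared_keys, own_key):
        self.shared_keys = shared_keys   # principal -> key shared with AS
        self.own_key = own_key           # KAS, known only to the server

    def sign_block(self, name, blob):
        """(3.1) A, {CS}KA  ->  (3.2) {A, CS}KAS"""
        return enc(self.own_key, (name, dec(self.shared_keys[name], blob)))

    def open_block(self, name, block):
        """(3.3) B, {A, CS}KAS  ->  (3.4) {A, CS}KB"""
        return enc(self.shared_keys[name], dec(self.own_key, block))

def sender_sign(server, name, key, text):
    """A computes CS, sends (3.1) and receives the signature block (3.2)."""
    return server.sign_block(name, enc(key, characteristic(text)))

def verify(server, name, key, text, sig_block):
    """B (or later an arbiter) computes CSC, runs (3.3)/(3.4) and compares.
    Returns the signer named in (3.4), or None if CS and CSC differ."""
    signer, cs = dec(key, server.open_block(name, sig_block))
    return signer if cs == characteristic(text) else None
```

The arbiter needs nothing from B beyond the text and the signature block: holding its own key shared with AS, it calls verify exactly as B did.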

Signatures with Public-Key Encryption

It is possible to provide signed text with a public-key system using a characteristic function as above. The public key system, however, provides another, more elegant, method that was first described by Diffie and Hellman. The first steps are for A to find out B's public key from cache or server, as before. The successive blocks of text, seriated for time integrity, are doubly encrypted:

A → B: {{text-block}SKA}PKB

B can carry out the first decryption because of knowing SKB, and the second because of being able to find out PKA by protocol exchange or from a cache. There is a need for header information to convey securely the identity of the originator so that PKA can be correctly sought. B is in no position to alter the content, since SKA is not available to him. When challenged, B simply performs the outer decryption on the whole text and passes the result to the arbiter who can use PKA to finish the job. Note that the ability of an arbiter to perform his function seems to depend on A not changing his key pair. Since such changes must be allowed as the only response to a key being compromised, it is necessary for the authentication server to retain a record of the old public keys of its principals and the time of the change, and for signed texts to contain the time that they were signed. An advantage of the signature protocol for conventional encryption algorithms is that an authentication server only need retain a record of changes to its own key to guarantee correct future arbitration.
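The doubly encrypted block, B's outer decryption, and an arbiter that consults the authentication server's record of old public keys, as an added example in Python (not code from the paper). Key pairs are modelled symbolically (what one half seals only the other half opens), the signed text carries its signing time as the paper requires, and the principals, times and key versions are placeholders.

```python
# Added example, not from the paper: a symbolic model of the public-key signature
# method A -> B: {{text-block}SKA}PKB, the arbiter's check, and the authentication
# server's record of old public keys with the time of each change, which the paper
# says is needed once principals may change key pairs. All names are placeholders.

def keypair(owner, version):
    """Symbolic pair: what one half seals, only the other half unseals."""
    return ("pk", owner, version), ("sk", owner, version)

def seal(key, payload):
    return ("sealed", key[0], key[1], key[2], payload)

def unseal(key, block):
    tag, half, owner, version, payload = block
    if tag != "sealed" or half == key[0] or (owner, version) != key[1:]:
        raise ValueError("key does not match")
    return payload

class KeyRecord:
    """AS database: per principal, (time_of_change, pk) in chronological order."""
    def __init__(self):
        self.hist = {}

    def register(self, owner, pk, since):
        self.hist.setdefault(owner, []).append((since, pk))

    def keys_with_windows(self, owner):
        """Each recorded key with the interval during which it was current."""
        h = self.hist[owner]
        return [(pk, since, h[i + 1][0] if i + 1 < len(h) else float("inf"))
                for i, (since, pk) in enumerate(h)]

def send_signed(text, t_signed, sk_a, pk_b):
    """A: sign (inner) then encrypt to B (outer); the text carries its signing time."""
    return seal(pk_b, seal(sk_a, (t_signed, text)))

def outer_decrypt(block, sk_b):
    """B's step when challenged: strip the outer layer and pass the rest on."""
    return unseal(sk_b, block)

def arbitrate(record, claimed_sender, signed_block):
    """Find a recorded PK of the claimed sender that opens the block and was in
    force at the time stated inside it; return (t_signed, text) or None."""
    for pk, since, until in record.keys_with_windows(claimed_sender):
        try:
            t_signed, text = unseal(pk, signed_block)
        except ValueError:
            continue
        return (t_signed, text) if since <= t_signed < until else None
    return None
```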

9. Commentary

We conclude from this study that protocols using public-key cryptosystems and using conventional encryption algorithms are strikingly similar. The number of protocol messages exchanged is very comparable, the public-key system having a noticeable advantage only in the case of signed communications. As in many network applications of computers, caching is important to reduce transactions with lookup servers; this is particularly so with the public-key system. In that system we noticed also that there was a requirement for encryption of public data (the authentication server's database) in order to ensure its integrity. A consequence of the similarity of protocols is that any helpful tricks for the conventional system have analogs in the public-key system, though they may not be needed. Because of this, there may be scope for hybrid systems in which a public-key method may be used to establish an authenticated connection to be used conventionally. The intrinsic security requirements of a public-key authentication server are easier to meet than those of a conventional one, but a complete evaluation of the system problems in implementing such a server in a real system, and the need to retain a secure record of old public keys to guarantee future correct arbitration of old signatures, may minimize this advantage. We conclude that the choice of technique should be based on the economy and cryptographic strength of the encryption techniques themselves, rather than on their effects on protocol complexity.

Finally, protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.

Acknowledgments. We are indebted to a number of people who have read drafts of this paper and made careful and helpful comments, notably: Peter Denning, Stockton Gaines, Jim Gray, Steve Kent, Gerry Popek, Ron Rivest, Jerry Saltzer, and Robin Walker.

Received September 1977; revised April 1978; final revision May 1978

References

1. Branstad, D. Security aspects of computer networks. Proc. AIAA Comptr. Network Syst. Conf., April 1973, paper 73-427.
2. Branstad, D. Encryption protection in computer data communications. Proc. Fourth Data Communications Symp., Oct. 1975, pp. 8.1-8.7 (available from ACM, New York).
3. Diffie, W., and Hellman, M. Multiuser cryptographic techniques. Proc. AFIPS 1976 NCC, AFIPS Press, Montvale, N.J., pp. 109-112.
4. Feistel, H. Cryptographic coding for data bank privacy. Res. Rep. RC2827, IBM T.J. Watson Res. Ctr., Yorktown Heights, N.Y., March 1970.
5. Kent, S. Encryption-based protection protocols for interactive user-computer communication. M.S. Th., EECS Dept., M.I.T., 1976; also available as Tech. Rep. 162, Lab. for Comptr. Sci., M.I.T., Cambridge, Mass., 1976.
6. Kent, S. Encryption-based protection for interactive user/computer communication. Proc. Fifth Data Communication Symp., Sept. 1977, pp. 5-7-5-13 (available from ACM, New York).
7. National Bureau of Standards. Data Encryption Standard. Fed. Inform. Processing Standards Pub. 46, NBS, Washington, D.C., Jan. 1977.
8. Pohlig, S. Algebraic and combinatoric aspects of cryptography. Tech. Rep. No. 6602-1, Stanford Electron. Labs., Stanford, Calif., Oct. 1977.
9. Rivest, R.L., et al. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21, 2 (Feb. 1978), 120-126.


Programming Techniques
S. L. Graham, Editor

A Linear Sieve Algorithm for Finding Prime Numbers

David Gries, Cornell University
Jayadev Misra, University of Texas at Austin

A new algorithm is presented for finding all primes between 2 and n. The algorithm executes in time proportional to n (assuming that multiplication of integers not larger than n can be performed in unit time). The method has the same arithmetic complexity as the algorithm presented by Mairson [6]; however, our version is perhaps simpler and more elegant. It is also easily extended to find the prime factorization of all integers between 2 and n in time proportional to n.

    Key Words and Phrases: primes , algorithms, datastructures

    CR Categories: 5.25, 5.24, 5.29

1. Introduction

An algorithm is presented for finding all primes between 2 and n, for n ≥ 4, that executes in time proportional to n. Like the sieve of Eratosthenes, it works by removing nonprimes from the set {2, ..., n}. Unlike the sieve of Eratosthenes, no attempt is ever made to remove a nonprime that was removed earlier; this allows us to develop a linear algorithm.

The algorithm deals with sets S satisfying S ⊆ {2, ..., n}. Two operations will be required on such sets:

This research was partially supported by the National Science Foundation under Grants DCR75-09842 and MCS76-22360.

Authors' addresses: D. Gries, Computer Science Department, Cornell University, Ithaca, NY 14853; J. Misra, Computer Science Department, University of Texas at Austin, Austin, TX 78712. © 1978 ACM 0001-0782/78/1200-0999 $00.75
