一种基于令牌的认证密钥交换协议

对称密钥系统较之非对称密钥系统具有惊人的速度优势,但是管理对称密钥系统的密钥却是需要解决的一个难题。Diffie-Hellman密钥交换是一个可以使通信双方在不可信信道上一同建立共享密钥,并使之应用于后继对称密钥通信系统的一种密码协议。应当注意到,Diffie-Hellman密钥交换协议不支持对所建立的密钥的认证。处于两个通信参与者Alice和Bob之间的一个恶意的攻击者Mallary可以主动操纵协议运行过程的信息并成功实施所谓的中间人攻击(man-in-the-middleattack)。因此为了能够真正在两个通信参与者Alice和Bob之间协商一个密钥就必须确保他们在协议运行过程中收到的信息的确是来自真实的对方。本文就是给出一种基于令牌的认证密钥交换协议以对Diffie-Hellman密钥交换协议进行改进。这对于电子商务等等很多网络应用而言是至关重要的。本文也给出了这种协议的安全性分析,并描述了基于JAVA的实现。

A Token-based Authenticated Key Exchange Protocol

The symmetric key systems compared with asymmetric key systems have astounding speed benefits, but managing their keys has always been difficult problem to be solved. Diffie-Hellman key exchange is a cryptographic protocol which allows two parties to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. It should be noted that the Diffie-Hellman key exchange protocol does not support the authenticity of the key agreed. An adversary Mallory in the middle of the communications between two principals Alice and Bob can manipulate the protocol messages to succeed an active attack called man-in-the-middle attack. In order to agree on a key which is exclusively shared between Alice and Bob, these principals must make sure that the messages they receive in a protocol run are indeed from the intended principals. In this paper we propose a protocol to modify the Diffie-Hellman key exchange. This protocol can provide authentication based on tokens. This is critical for many network applications such as e-business etc. Security analysis of this modified protocol is given and its implementation based on JAVA is also presented.