views: 89 | answers: 2
Does anybody know a simple authentication and data transfer protocol based on symmetric keys only? Due to memory constraints (kilobytes of RAM and ROM) we can't afford asymmetric cryptography, and due to the closed environment asymmetric cryptography does not increase security in any way.
I am looking for a simple symmetric cryptography protocol that can be kept in one's head and written on one sheet of paper. I was looking at EAP-PSK http://tools.ietf.org/html/rfc4764#page-4 but still think that 2^6 pages is way too much for something simple and secure.

Does anybody know some useful url, paper or idea?

+1  A: 

I think you're looking for the Diffie-Hellman key exchange: only requires bignum integer arithmetic (powers, multiplication, and modulus only, at that): http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

Andrew McGregor
I know Diffie-Hellman, but as far as I know it secures only against a passive attacker, and there is still a need for some kind of authentication.
ralu
Use DH to get a key, and a salted, hashed password transmitted under symmetric encryption for authentication. I think studying the designs of SSH and HIP http://www.ietf.org/html.charters/hip-charter.html would be a really good idea. Both protocols are a bit complicated, but the crypto design is what you're after.
Andrew McGregor
Also Diffie-Hellman is a public key cryptosystem, which probably needs too many resources.
abc
As far as I know, using DH requires the same CPU/RAM usage as AES. So in the end I could have both with the same RAM and double the CPU resources.
ralu
Not double the CPU; one DH exchange can protect a lot of traffic if you can keep the key around. If you use a small group, DH doesn't use an awful lot of memory either; memory usage scales as the square of the key size.
Andrew McGregor
+1  A: 

For secrecy, use AES-CBC. For message authentication, use HMAC-SHA256. Use a different key for each.

In both cases, use an existing, validated, timing-attack-free implementation of the cryptographic primitives.

caf
Just using HMAC alone for message authentication is of course not secure, since it allows replay attacks. On the contrary, the protocol proposed by the OP does, among other things, protect against such attacks.
abc
OK, that is a good idea. Both parties send each other some random token and then send back HMAC(pass, token) as authentication. For data transfer, AES-CBC. The IV for CBC can be the XOR of the decrypted tokens. Did I miss something?
ralu
To ensure message freshness you need to include a sequence number in the messages. If you use this method the "pass" really needs to be a full strength, randomly generated key (*not* a human-chosen password, because if you capture a message and the HMAC you can perform an offline dictionary attack).
caf
Generating 256 random bits will not be a problem. Passwords will not be in use/known by humans.
ralu
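The protocol that emerges from this answer and its comments (mutual challenge-response over random tokens with HMAC-SHA256, then AES-CBC for secrecy and HMAC-SHA256 for integrity, separate keys for each purpose, and a sequence number for freshness) fits on one sheet of paper, so here it is worked through end to end. This is an added example written for this page, not code from any of the posters; it uses only Go's standard library. Two things are assumptions of the example rather than anything the thread specifies: the three purpose-specific keys are derived from the single 256-bit PSK by HMAC with fixed labels, and the data frame layout is `seq(8) || iv(16) || ciphertext || tag(32)` with the tag computed over everything before it (encrypt-then-MAC). The `Peer` type, `prf`, and the role byte in the proof are likewise names and choices of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// prf is HMAC-SHA256 over the concatenation of parts.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer holds one party's state: three purpose-specific keys (all derived from
// the single 256-bit PSK with fixed HMAC labels, a derivation this example
// assumes) and the send/receive sequence numbers of the data channel.
type Peer struct {
	auth, mac        []byte
	block            cipher.Block // AES-128 under the derived encryption key
	sendSeq, recvSeq uint64
}

func NewPeer(psk []byte) *Peer {
	block, _ := aes.NewCipher(prf(psk, []byte("enc"))[:16]) // 16-byte key: cannot fail
	return &Peer{auth: prf(psk, []byte("auth")), mac: prf(psk, []byte("mac")), block: block}
}

// Challenge-response: each side sends a fresh random token and answers with
// HMAC(auth, role || tokenA || tokenB). Covering both tokens ties the proof
// to this run; the role byte stops one side's proof being reflected back.
func (p *Peer) Prove(role byte, tokenA, tokenB []byte) []byte {
	return prf(p.auth, []byte{role}, tokenA, tokenB)
}

func (p *Peer) Verify(role byte, tokenA, tokenB, proof []byte) bool {
	return hmac.Equal(p.Prove(role, tokenA, tokenB), proof)
}

// PKCS#7 padding so CBC sees whole blocks (copies; caller's slice untouched).
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal builds a data frame, layout assumed by this example:
// seq(8) || iv(16) || AES-128-CBC ciphertext || HMAC-SHA256 over all of it.
func (p *Peer) Seal(msg []byte) ([]byte, error) {
	frame := make([]byte, 8+aes.BlockSize)
	binary.BigEndian.PutUint64(frame, p.sendSeq)
	if _, err := rand.Read(frame[8:]); err != nil { // fresh random IV per frame
		return nil, err
	}
	ct := pad(msg)
	cipher.NewCBCEncrypter(p.block, frame[8:]).CryptBlocks(ct, ct) // encrypt in place
	frame = append(frame, ct...)
	p.sendSeq++
	return append(frame, prf(p.mac, frame)...), nil
}

// Open checks the tag before anything else is used, then requires seq to be
// the next expected number, which rejects replayed or reordered frames.
func (p *Peer) Open(frame []byte) ([]byte, error) {
	n := len(frame) - sha256.Size
	if n < 8+2*aes.BlockSize || (n-8)%aes.BlockSize != 0 {
		return nil, errors.New("malformed frame")
	}
	if !hmac.Equal(prf(p.mac, frame[:n]), frame[n:]) { // constant-time compare
		return nil, errors.New("bad tag")
	}
	if binary.BigEndian.Uint64(frame[:8]) != p.recvSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	pt := append([]byte(nil), frame[8+aes.BlockSize:n]...)
	cipher.NewCBCDecrypter(p.block, frame[8:8+aes.BlockSize]).CryptBlocks(pt, pt)
	msg, err := unpad(pt)
	if err == nil {
		p.recvSeq++ // advance only once the whole frame checked out
	}
	return msg, err
}

func main() { // constructed demo: random PSK and tokens stand in for values the parties hold
	psk, tokenA, tokenB := make([]byte, 32), make([]byte, 16), make([]byte, 16)
	for _, buf := range [][]byte{psk, tokenA, tokenB} {
		rand.Read(buf)
	}
	a, b := NewPeer(psk), NewPeer(psk)
	fmt.Println("B accepts A's proof:", b.Verify('A', tokenA, tokenB, a.Prove('A', tokenA, tokenB)))
	f, _ := a.Seal([]byte("sensor reading 42"))
	msg, err := b.Open(f)
	fmt.Printf("first delivery: %q (%v)\n", msg, err)
	_, err = b.Open(f)
	fmt.Println("same frame again:", err)
}
```

Two design choices differ from the comment thread and are worth stating. Each proof covers both tokens plus a role byte, so a response cannot simply be replayed back at the party that produced it, and a captured proof is bound to that one pair of tokens. The IV is drawn fresh for every frame and sent in the clear rather than fixed once from the XOR of the tokens, because CBC needs an unpredictable IV per message, not per session; a session-constant IV would make identical leading plaintext blocks produce identical ciphertext blocks across messages. The sequence check runs only after the tag verifies, and the counter advances only when the whole frame is accepted, so a rejected frame never desynchronises the two sides.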