Distributed-protocol authentication scheme
RFC 1004

Document Type RFC - Experimental (April 1987; No errata)
Last updated 2013-03-02
Stream Legacy
Network Working Group                                         D.L. Mills
Request for Comments:  1004                       University of Delaware
                                                              April 1987

              A Distributed-Protocol Authentication Scheme

Status of this Memo

   The purpose of this RFC is to focus discussion on authentication
   problems in the Internet and possible methods of solution.  The
   proposed solutions in this document are not intended as standards for
   the Internet at this time.  Rather, it is hoped that a general
   consensus will emerge as to the appropriate solution to
   authentication problems, leading eventually to the adoption of
   standards.  Distribution of this memo is unlimited.

1. Introduction and Overview

   This document suggests mediated access-control and authentication
   procedures suitable for those cases when an association is to be set
   up between multiple users belonging to different trust environments,
   but running distributed protocols like the existing Exterior Gateway
   Protocol (EGP) [2], proposed Dissimilar Gateway Protocol (DGP) [3]
   and similar protocols. The proposed procedures are evolved from those
   described by Needham and Schroeder [5], but specialized to the
   distributed, multiple-user model typical of these protocols.

   The trust model and threat environment are identical to those used by
   Kent and others [1]. An association is defined as the end-to-end
   network path between two users, where the users themselves are
   secured, but the path between them is not. The network may drop,
   duplicate or deliver messages with errors. In addition, it is
   possible that a hostile user (host or gateway) might intercept,
   modify and retransmit messages. An association is similar to the
   traditional connection, but without the usual connection requirements
   for error-free delivery.  The users of the association are sometimes
   called associates.

   The proposed procedures require each association to be assigned a
   random session key, which is provided by an authentication server
   called the Cookie Jar. The procedures are designed to permit only
   those associations sanctioned by the Cookie Jar while operating over
   arbitrary network topologies, including non-secured networks and
   broadcast-media networks, and in the presence of hostile attackers.
   However, it is not the intent of these procedures to hide the data
   (except for private keys) transmitted via these networks, but only to
   authenticate messages to avoid spoofing and replay attacks.

   The procedures are intended for distributed systems where each user i
   runs a common protocol automaton using private state variables for
   each of possibly several associations simultaneously, one for each
   user j. An association is initiated by interrogating the Cookie Jar
   for a one-time key K(i,j), which is used to encrypt the checksum
   which authenticates messages exchanged between the users. The
   initiator then communicates the key to its associate as part of a
   connection establishment procedure such as described in [3].

   The information being exchanged in this protocol model is largely
   intended to converge a distributed data base to specified (as far as
   practical) contents, and does not ordinarily require a reliable
   distribution of event occurrences, other than to speed the convergence
   process. Thus, the model is intrinsically resistant to message loss
   or duplication. Where important, sequence numbers are used to reduce
   the impact of message reordering. The model assumes that associations
   between peers, once having been sanctioned, are maintained
   indefinitely.  The exception when an association is broken may be due
   to a crash, loss of connectivity or administrative action such as
   reconfiguration or rekeying. Finally, the rate of information
   exchange is specifically designed to be much less than the nominal
   capabilities of the network, in order to keep overheads low.
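
   The message-authentication model described above, as an added
   example that is not part of the original memo: HMAC-SHA256 stands in
   for the memo's encrypted checksum, and the header layout, class names
   and function names are assumptions. Both associates are assumed to
   already hold K(i,j); how the key reaches the associate is not shown.

```python
import hashlib
import hmac
import secrets
import struct

HDR = struct.Struct("!HHI")   # assumed layout: A(i), A(j), sequence number
TAG_LEN = 32                  # HMAC-SHA256 output length

class CookieJar:
    """Hypothetical key server: issues K(i,j) only for sanctioned pairs."""
    def __init__(self, sanctioned_pairs):
        self.sanctioned = {frozenset(p) for p in sanctioned_pairs}

    def session_key(self, a_i, a_j):
        if frozenset((a_i, a_j)) not in self.sanctioned:
            raise PermissionError("association not sanctioned")
        return secrets.token_bytes(32)   # random one-time key K(i,j)

def seal(key, src, dst, seq, payload):
    """Header and payload stay in the clear; only the tag depends on the key."""
    body = HDR.pack(src, dst, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Associate:
    """Receiving side of one association, with its private state variables."""
    def __init__(self, addr, peer, key):
        self.addr, self.peer, self.key, self.last_seq = addr, peer, key, -1

    def accept(self, msg):
        if len(msg) < HDR.size + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                   # modified in transit or forged
        src, dst, seq = HDR.unpack_from(body)
        if (src, dst) != (self.peer, self.addr):
            return None                   # another association, or reflected
        if seq <= self.last_seq:
            return None                   # duplicate or replay
        self.last_seq = seq               # gaps are fine: loss is tolerated
        return body[HDR.size:]
```

   The receiver verifies the tag before it trusts any header field, and
   a rejected message leaves its sequence state untouched.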

2. Procedures

   Each user i is assigned a public address A(i) and private key K(i) by
   an out-of-band procedure beyond the scope of this discussion. The
   address can take many forms: an autonomous system identifier [2], an
   Internet address [6] or simply an arbitrary name. However, no matter
   what form it takes, every message is presumed to carry both the
   sender and receiver addresses in its header. Each address and its
   access-control list is presumed available in a public directory
   accessible to all users, but the private key is known only to the
   user and Cookie Jar and is not disclosed in messages exchanged
   between users or between users and the Cookie Jar.

   An association between i and j is identified by the bitstring
   consisting of the catenation of the addresses A(i) and A(j), together