RE: RFC2409 (Chess Tournament)
< -----Original Message-----
< From: Hilarie Orman [mailto:HORMAN@novell.com]
< Sent: Tuesday, June 15, 1999 7:41 PM
< To: hugo@ee.technion.ac.il; svan@trustworks.com
< Cc: IvarsS@bank.lv; ipsec@lists.tislabs.com
< Subject: Re: RFC2409
<
<
< I suppose you could call it a feature ... if you want a protocol
< that uses C as a trusted relay. C is trusted to start the
< game, to relay the messages, and not to read them. Later, I and
< R can get together and verify that they were using the proper
< shared key for their messages, and that is reason to believe
< that C behaved properly. So, if you want anonymous chess tournaments
< with verifiable results, this is your protocol. So let's change
< C's name to T, the Tournament Director. And I and R should be
< F and S (who could have hardly been anonymous to each other).
<
< Hilarie
It is a good idea to exploit C as moderator in an anonymous chess tournament. One
implementation of the above idea is described below. I nicknamed this protocol
the post-authentication protocol.
N            A large safe prime (N = 2q+1, where q is prime)
             All arithmetic is done modulo N.
g            A generator modulo N
s1, s2       I and R salt respectively
p1, p2       I and R cleartext passwords
H()          One-way hash function
^            (Modular) exponentiation
*            (Modular) multiplication
t            Security parameter
u1, u2       I and R random t-bit scrambling parameter
a, b         Secret ephemeral values
A, B, S1, S2 Public ephemeral values
x, y         I and R long term private keys (derived from p and s)
v, z         I and R password verifiers
I and R store passwords using the following formulas:
x = H(s1, p1)
y = H(s2, p2) (s1 and s2 are chosen randomly)
I -> C : v = g^x
R -> C : z = g^y (computes password verifier, long term)
The post-authentication protocol itself goes as follows:
I -> C : A = g^a, u1,
R -> C : B = g^b, u2,
C -> R : u1, S1 = B * z^u2
R : S = S1 ^ (a + u1*x)
R : K = H(S) (computes session key)
C -> I : u2, S2 = A * v^u1
I : S = S2 ^ (b + u2*y)
I : K = H(S) (computes session key)
Now the two parties I and R have a shared, strong session key K. To complete
post-authentication and to be sure that C does not fake, they need to prove
to each other that their keys match. One possible way:
I -> C -> R : M = H(H(N) xor H(g), u1, u2, K)
R -> C -> I : H( M, u2, u1, K)
After the chess game, I and R must reveal their identities to each other:
I -> C -> R : M1 = H(IDi, K), IDi
R -> C -> I : M2 = H(IDi, IDr, K), IDr
Ivars
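
Added example (not part of the original message or of any project's code): a Python sketch of the exchange above, showing that both exponentiations give the same K and that the M check fails when a relayed value is altered while M itself is passed on unchanged. Assumptions: SHA-256 stands in for H(), N and g are the 768-bit group 1 of RFC 2409, the function names and sample credentials are constructed here, and each exponentiation is done by the side that holds the secrets it uses.

```python
import hashlib

# Assumption: 768-bit safe prime of RFC 2409 Oakley group 1, generator 2.
N = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
g = 2

def H(*parts):
    """One-way hash (SHA-256 assumed) over length-prefixed parts, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def verifier(salt, password):
    """Long-term private key H(s, p) and the verifier g^key registered with C."""
    key = H(salt, password)
    return key, pow(g, key, N)

def blind(pub, ver, u):
    """Value C relays: pub * ver^u mod N, built from public data only."""
    return pub * pow(ver, u, N) % N

def session_key(received, eph, u, long_term):
    """K = H(S) with S = received ^ (eph + u * long_term) mod N."""
    return H(pow(received, eph + u * long_term, N))

def confirm(u1, u2, K):
    """M = H(H(N) xor H(g), u1, u2, K) from the message."""
    return H(H(N) ^ H(g), u1, u2, K)

def run(altered=False):
    x, v = verifier(b"salt-1", b"password-1")      # constructed sample credentials
    y, z = verifier(b"salt-2", b"password-2")
    a, u1, b, u2 = 0x1F3A9C, 0xA5, 0x2B77E1, 0x3C  # fixed stand-ins for random values
    A, B = pow(g, a, N), pow(g, b, N)
    S1, S2 = blind(B, z, u2), blind(A, v, u1)
    if altered:
        S1 = S1 * g % N                            # relayed value changed in transit
    K1 = session_key(S1, a, u1, x)                 # side holding a and x
    K2 = session_key(S2, b, u2, y)                 # side holding b and y
    M = confirm(u1, u2, K1)                        # sent by the first side
    return K1 == K2, M == confirm(u1, u2, K2)      # checked by the second side

if __name__ == "__main__":
    print("honest relay :", run())
    print("altered value:", run(altered=True))
```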