
RE: RFC2409 (Chess Tournament)



I apologize, there is a mistake here. For the correct version, please look below.
Ivars
< -----Original Message-----
< From: Hilarie Orman [mailto:HORMAN@novell.com]
< Sent: Tuesday, June 15, 1999 7:41 PM
< To: hugo@ee.technion.ac.il; svan@trustworks.com
< Cc: IvarsS@bank.lv; ipsec@lists.tislabs.com
< Subject: Re: RFC2409
< 
< 
< I suppose you could call it a feature ... if you want a protocol
< that uses C as a trusted relay.  C is trusted to start the
< game, to relay the messages, and not to read them.  Later, I and
< R can get together and verify that they were using the proper
< shared key for their messages, and that is reason to believe
< that C behaved properly.  So, if you want anonymous chess tournaments
< with verifiable results, this is your protocol.  So let's change
< C's name to T, the Tournament Director.  And I and R should be
< F and S (who could have hardly been anonymous to each other).
< 
< Hilarie
 It is a good idea to exploit C as moderator in an anonymous chess tournament. One
implementation of the above idea is described below. I nicknamed this protocol
the post-authentication protocol.

  N           A large safe prime (N = 2q+1, where q is prime)
              All arithmetic is done modulo N.
  g           A generator modulo N
  s1, s2      I's and R's salts respectively
  p1, p2      I's and R's cleartext passwords
  H()         One-way hash function
  ^           (Modular) Exponentiation
  *           (Modular) Multiplication
  t           Security parameter
  u1, u2      I's and R's random t-bit scrambling parameters
  a, b        Secret ephemeral values
  A, B, S1, S2  Public ephemeral values
  x, y        I's and R's long-term private keys (derived from p and s)
  v, z        I's and R's password verifiers

I and R store their passwords using the following formula:
  x = H(s1, p1)
  y = H(s2, p2)              (s1 and s2 are chosen randomly)
 I -> C : v = g^x
 R -> C : z = g^y            (computes password verifier, long term)

 The post-authentication protocol itself goes as follows:
 I -> C : A = g^a, u1
 R -> C : B = g^b, u2

 C -> I : u1, S1 = B * z^u2
 I : S = S1 ^ (a + u1*x)
 I : K = H(S)                (computes session key)

 C -> R : u2, S2 = A * v^u1
 R : S = S2 ^ (b + u2*y)
 R : K = H(S)                (computes session key)

Now the two parties I and R have a shared, strong session key K. To complete
post-authentication and to be sure that C doesn't fake, they need to prove
to each other that their keys match. One possible way:

I -> C -> R : M = H(H(N) xor H(g), u1, u2, K)
R -> C -> I : H(M, u2, u1, K)

After the chess game, I and R must reveal their identities to each other:

I -> C -> R : M1 = H(IDi, K), IDi
R -> C -> I : M2 = H(IDi, IDr, K), IDr

Ivars
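The exchange above carried through end to end, as an added worked example that is not part of Ivars's post. It follows the formulas exactly (registration, the relay through C, the two key-confirmation messages, and the identity reveal) and checks the algebra: both sides must arrive at g^((a+u1*x)(b+u2*y)). Everything not in the post is an assumption chosen for the demo: SHA-256 with length-prefixed fields as H(), a 64-bit safe prime found by search (far too small for real use), t = 128, and a `c_honest=False` branch in which the relay substitutes its own S1 so you can see the confirmation step reject it.

```python
"""Worked run of the post-authentication exchange (constructed illustration).

Assumptions not in the original post: SHA-256 as H(), a 64-bit toy safe prime,
t = 128, and a deliberately misbehaving relay branch for the negative case.
"""
import hashlib
import random


def is_probable_prime(n, rounds=20, seed=1):
    """Miller-Rabin with a fixed seed so the demo is deterministic."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Find a safe prime N = 2q+1 of about `bits` bits and a generator g of Z_N^*."""
    q = (1 << (bits - 2)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    N = 2 * q + 1
    # For a safe prime, g generates the whole group iff g^2 != 1 and g^q != 1.
    for g in range(2, N):
        if pow(g, 2, N) != 1 and pow(g, q, N) != 1:
            return N, g


def _enc(p):
    if isinstance(p, int):
        return p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
    return p.encode() if isinstance(p, str) else bytes(p)


def H(*parts):
    """H() from the post, instantiated as SHA-256 over length-prefixed fields (assumption)."""
    h = hashlib.sha256()
    for p in parts:
        b = _enc(p)
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


def register(password, rng, N, g):
    """x = H(s, p) stays with the party; only the verifier g^x goes to C."""
    s = rng.getrandbits(128)
    x = H(s, password)
    return x, pow(g, x, N)


def post_auth(N, g, t, rng, x, v, y, z, id_i, id_r, c_honest=True):
    a, b = rng.randrange(1, N - 1), rng.randrange(1, N - 1)
    A, u1 = pow(g, a, N), rng.getrandbits(t)          # I -> C : A, u1
    B, u2 = pow(g, b, N), rng.getrandbits(t)          # R -> C : B, u2
    S1 = B * pow(z, u2, N) % N                         # C -> I : u1, S1
    S2 = A * pow(v, u1, N) % N                         # C -> R : u2, S2
    if not c_honest:
        S1 = rng.randrange(2, N - 1)                   # relay substitutes its own value
    K_i = H(pow(S1, a + u1 * x, N))                    # I's session key
    K_r = H(pow(S2, b + u2 * y, N))                    # R's session key
    # Key confirmation: each side recomputes the other's message with its own K.
    M = H(H(N) ^ H(g), u1, u2, K_i)                    # I -> C -> R
    r_accepts = M == H(H(N) ^ H(g), u1, u2, K_r)
    M_back = H(M, u2, u1, K_r)                         # R -> C -> I
    i_accepts = M_back == H(M, u2, u1, K_i)
    result = {"K_i": K_i, "K_r": K_r, "confirmed": r_accepts and i_accepts, "ids_verified": False}
    if result["confirmed"]:                            # identity reveal only after confirmation
        M1 = H(id_i, K_i)                              # I -> C -> R : M1, IDi
        M2 = H(id_i, id_r, K_r)                        # R -> C -> I : M2, IDr
        result["ids_verified"] = M1 == H(id_i, K_r) and M2 == H(id_i, id_r, K_i)
    return result


def demo(seed=7):
    """Honest relay vs. substituting relay; returns both outcomes for inspection."""
    N, g = make_group(64)
    rng = random.Random(seed)
    x, v = register("i-password", rng, N, g)           # constructed sample passwords
    y, z = register("r-password", rng, N, g)
    return {
        "N": N,
        "honest": post_auth(N, g, 128, rng, x, v, y, z, "I", "R"),
        "tampered": post_auth(N, g, 128, rng, x, v, y, z, "I", "R", c_honest=False),
    }


if __name__ == "__main__":
    out = demo()
    print("honest relay confirmed:", out["honest"]["confirmed"], out["honest"]["ids_verified"])
    print("tampered relay confirmed:", out["tampered"]["confirmed"])
```

The negative branch is the point of the confirmation step in the post: a relay that alters S1 cannot make the two keys agree, so the H(..., K) exchange fails and the players never reach the identity reveal.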