RFC 1004 (rfc1004) - Page 2 of 8
Distributed-protocol authentication scheme
Alternative Format: Original Text Document
RFC 1004 April 1987
(except for private keys) transmitted via these networks, but only to
authenticate messages to avoid spoofing and replay attacks.
The procedures are intended for distributed systems where each user i
runs a common protocol automaton using private state variables for
each of possibly several associations simultaneously, one for each
user j. An association is initiated by interrogating the Cookie Jar
for a one-time key K(i,j), which is used to encrypt the checksum
which authenticates messages exchanged between the users. The
initiator then communicates the key to its associate as part of a
connection establishment procedure such as described in [3].
The information being exchanged in this protocol model is largely
intended to converge a distributed data base to specified (as far as
practical) contents, and does not ordinarily require a reliable
distribution of event occurances, other than to speed the convergence
process. Thus, the model is intrinsically resistant to message loss
or duplication. Where important, sequence numbers are used to reduce
the impact of message reordering. The model assumes that associations
between peers, once having been sanctioned, are maintained
indefinitely. The exception when an association is broken may be due
to a crash, loss of connectivity or administrative action such as
reconfiguration or rekeying. Finally, the rate of information
exchange is specifically designed to be much less than the nominal
capabilities of the network, in order to keep overheads low.
2. Procedures
Each user i is assigned a public address A(i) and private key K(i) by
an out-of-band procedure beyond the scope of this discussion. The
address can take many forms: an autonomous system identifier [2], an
Internet address [6] or simply an arbitrary name. However, no matter
what form it takes, every message is presumed to carry both the
sender and receiver addresses in its header. Each address and its
access-control list is presumed available in a public directory
accessable to all users, but the private key is known only to the
user and Cookie Jar and is not disclosed in messages exchanged
between users or between users and the Cookie Jar.
An association between i and j is identified by the bitstring
consisting of the catenation of the addresses A(i) and A(j), together
with a one-time key K(i,j), in the form [A(i),A(j),K(i,j)]. Note that
the reciprocal association [A(j),A(i),K(j,i)] is distinguished only
by which associate calls the Cookie Jar first. It is the intent in
the protocol model that all state variables and keys relevant to a
previous association be erased when a new association is initiated
and no caching (as suggested in [5]) is allowed.
Mills