RFC 1004 (rfc1004) - Page 2 of 8

Distributed-protocol authentication scheme

RFC 1004                                                      April 1987


   (except for private keys) transmitted via these networks, but only to
   authenticate messages to avoid spoofing and replay attacks.

   The procedures are intended for distributed systems where each user i
   runs a common protocol automaton using private state variables for
   each of possibly several associations simultaneously, one for each
   user j. An association is initiated by interrogating the Cookie Jar
   for a one-time key K(i,j), which is used to encrypt the checksum
   which authenticates messages exchanged between the users. The
   initiator then communicates the key to its associate as part of a
   connection establishment procedure such as described in [3].

   The information being exchanged in this protocol model is largely
   intended to converge a distributed data base to specified (as far as
   practical) contents, and does not ordinarily require a reliable
   distribution of event occurances, other than to speed the convergence
   process. Thus, the model is intrinsically resistant to message loss
   or duplication. Where important, sequence numbers are used to reduce
   the impact of message reordering. The model assumes that associations
   between peers, once having been sanctioned, are maintained
   indefinitely.  The exception when an association is broken may be due
   to a crash, loss of connectivity or administrative action such as
   reconfiguration or rekeying. Finally, the rate of information
   exchange is specifically designed to be much less than the nominal
   capabilities of the network, in order to keep overheads low.


2. Procedures

   Each user i is assigned a public address A(i) and private key K(i) by
   an out-of-band procedure beyond the scope of this discussion. The
   address can take many forms: an autonomous system identifier [2], an
   Internet address [6] or simply an arbitrary name. However, no matter
   what form it takes, every message is presumed to carry both the
   sender and receiver addresses in its header. Each address and its
   access-control list is presumed available in a public directory
   accessable to all users, but the private key is known only to the
   user and Cookie Jar and is not disclosed in messages exchanged
   between users or between users and the Cookie Jar.

   An association between i and j is identified by the bitstring
   consisting of the catenation of the addresses A(i) and A(j), together
   with a one-time key K(i,j), in the form [A(i),A(j),K(i,j)]. Note that
   the reciprocal association [A(j),A(i),K(j,i)] is distinguished only
   by which associate calls the Cookie Jar first. It is the intent in
   the protocol model that all state variables and keys relevant to a
   previous association be erased when a new association is initiated
   and no caching (as suggested in [5]) is allowed.



Mills