1. Field
The invention generally relates to data communications and security. More particularly, embodiments of the invention relate to mutual authentication of two communicating parties through verification of the public key of one of the parties without revealing that public key.
2. Background Information
Communication between two parties over an open channel poses several security problems for the communicating parties. Their communications can be overheard or forged by a third party, which is a problem if they wish their exchanges to be confidential and authentic.
The risk of a third party intercepting, interpreting, and interjecting messages over an open channel is typically addressed by encryption and authentication performed with a secret key shared only between the two legitimate parties. Such a secret key is in turn often established using public key cryptography. These methods allow two parties to each exchange a public piece of information and then combine the counterparty's public information with a piece of their own private information to derive a shared secret key, which no one knowing only the parties' public values can feasibly determine.
These exchanges of public information to generate secrets shared only between the two communicating parties, called Diffie-Hellman exchanges, are now widely used for pairing or associating two communicating parties with each other over an open channel. Two popular algorithm families used to this end are discrete logarithm (modular exponentiation) cryptography and elliptic curve cryptography.
Diffie-Hellman exchanges, however, do not solve the problem of impersonation, where a party to a communication pretends to be another party in order to obtain information or privilege. This sort of attack is particularly effective when the same third party impersonates each of the two communicating parties to the other, gaining access to the information exchanged between them. These so-called “man in the middle” (MITM) attacks present an ongoing problem of authentication. Specifically, how can a party communicating over an open channel authenticate the identity of its counterparty?
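To make the exchange and the authentication gap described above concrete, the following is an added example, not part of the patent text: a toy Diffie-Hellman agreement over a small constructed prime group, next to a model of the relay scenario in which a third party substitutes its own public value in each direction. The group parameters, the party names and the function names are assumptions made for the illustration.

```python
import secrets

# Toy group, constructed for illustration only: the Mersenne prime 2^127 - 1 with
# generator 3. Real deployments use a standardized group (e.g. an RFC 3526 MODP
# group) or an elliptic curve; the small prime just keeps the example instant.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return priv, pow(g, priv, p)


def dh_shared(peer_pub, priv, p=P):
    """Derive the shared secret; reject degenerate public values (0, 1, p-1) first."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("public value outside the valid range")
    return pow(peer_pub, priv, p)


def honest_exchange():
    """Alice and Bob each combine their own exponent with the other's public value."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared(b_pub, a_priv), dh_shared(a_pub, b_priv)


def relayed_exchange():
    """Model the gap in the text: an intermediary replaces each public value with
    its own, so each honest party unknowingly shares a key with the intermediary."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    # Alice receives m_pub believing it is Bob's; Bob receives m_pub believing it is Alice's.
    k_alice = dh_shared(m_pub, a_priv)
    k_bob = dh_shared(m_pub, b_priv)
    # Nothing in the exchange lets Alice or Bob notice; both keys are known to the relay.
    k_mid_alice = dh_shared(a_pub, m_priv)
    k_mid_bob = dh_shared(b_pub, m_priv)
    return {"alice": k_alice, "bob": k_bob,
            "mid_with_alice": k_mid_alice, "mid_with_bob": k_mid_bob}


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange agrees:", ka == kb)
    r = relayed_exchange()
    print("relayed: Alice and Bob hold different keys:", r["alice"] != r["bob"])
    print("relayed: intermediary holds both keys:",
          r["alice"] == r["mid_with_alice"] and r["bob"] == r["mid_with_bob"])
```

The honest run agrees on one key; the relayed run ends with two keys, each shared with the intermediary rather than with the intended counterparty, which is exactly what an authentication step layered on the exchange must detect.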
One popular solution to this problem uses a password or other predetermined shibboleth. The two parties authenticate each other by each confirming that the other party knows the same password. This poses its own issues. Each party risks exposing the password to a third party, often through intended or unintended human behavior. In particular, the central controller of a network could be compromised, exposing the file listing the passwords for the devices it controls to the wrong hands. Once an adversary obtains a password intended to be shared only between two legitimate parties, the adversary can impersonate one of these parties to the other, defeating the security check.
Therefore, what is needed is a method and system that allow two legitimate parties to authenticate each other while preventing impersonation even when an attacker has managed to gather the authentication credentials.