Individuals or computer systems often need to have authenticated and confidential communications over an open channel, such as the Internet. While such secure communications may be achieved by physical means, it is more cost effective and flexible to use cryptographic means.
To have secure communications using cryptographic means, the parties need to first execute a protocol to authenticate each other and at the same time establish a mutually agreed upon secret key, which is then used to encrypt subsequent communications between the parties. Conventional authentication and key exchange protocols normally require that the parties either share a secret (e.g., a password) or know each other's public keys.
A cryptographic system, or cryptosystem, uses an encryption key to convert plaintext into ciphertext (an unintelligible or undecipherable form of the original information) and a decryption key to recover the plaintext from the ciphertext. If the encryption key and the decryption key are identical, the cryptosystem is referred to as a symmetric key cryptosystem. If the encryption and decryption keys are different and it is computationally infeasible to determine the decryption key from the encryption key, the cryptosystem is referred to as an asymmetric key cryptosystem or public key cryptosystem. In a public key cryptosystem, anyone can encrypt a message using a public encryption key. However, only the holder of the corresponding private decryption key can decrypt the ciphertext and recover the message. In a public key cryptosystem, it is often important to securely bind a public key to the legitimate user's ID. Such a binding can be achieved using public key certificates, which are digitally signed and issued by a certification authority.
Roughly speaking, a one-way hash function h( ) has the properties that:
1) for any message m, the hash h(m) can be easily computed;
2) given h(m), finding m is computationally infeasible; and
3) finding two messages that have the same hash is computationally infeasible.
For more information on cryptosystems, digital signature schemes, public key certificates, and one-way hash functions, reference is made to A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 425-488, pp. 559-561, and pp. 321-383; and C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, PTR Prentice Hall, Englewood Cliffs, N.J., 1995, pp. 152-158, pp. 177-204, and pp. 101-129.
The UNIX (a trademark of Bell Laboratories) operating system provides a classical example of a password based authentication system. In UNIX, each user is provided with a unique login user name and is allowed to choose a secret password. The UNIX system maintains a password file containing, for each user, the user name and a hash of the user's password computed using a one-way hash function with the user's password as input. When a UNIX user desires to access the UNIX system, the user keys in his or her user name and password at a terminal. The terminal computes the hash of the password and sends the hash along with the user name to the UNIX system. Because only the user knows the password, if the hash and user name match those in the password file, the user is considered authenticated.
The UNIX password system is simple to implement, but has a number of problems. Firstly, it is vulnerable to a "replay" attack. That is, an eavesdropper can intercept the user name and the hash of the password as they cross the channel, and later replay them to the UNIX system, which accepts them without the eavesdropper ever learning the password. Secondly, knowing the hash of a password, an eavesdropper can mount an off-line dictionary attack. The attacker can guess a password, compute its hash, and see if the two hash values match, and can then systematically try passwords, one at a time, until a match is found, without any further interaction with the system. Since people tend to choose easy to remember or "weak" passwords, such an attack can be very effective. Thirdly, the UNIX system only authenticates the user; no secret key is established to encrypt subsequent interactions between the user and the system.
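The following Python program is added here to illustrate the password scheme and the first two attacks described above; it is not part of the original description. The password file, the user names and the attacker's word list are constructed for the example, and SHA-256 stands in for the one-way hash (classic UNIX used crypt(3)), which is an assumption of the example rather than a statement about any particular system.

```python
"""UNIX-style password authentication as described above, with the replay and
offline dictionary attacks against it. Illustrative code; the password file,
user names and word list are constructed for this example."""
import hashlib


def pw_hash(password: str) -> str:
    """Unsalted one-way hash of the password. Classic UNIX used crypt(3);
    SHA-256 stands in for it here (an assumption of this example)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password file: user name -> hash of that user's password.
PASSWORD_FILE = {
    "alice": pw_hash("sunshine"),        # a weak password found in word lists
    "bob":   pw_hash("x7$Qm!2pLzR9"),    # a password not in the attacker's list
}


def client_login(username: str, password: str):
    """What the terminal sends over the open channel: the name and the hash."""
    return username, pw_hash(password)


def system_verify(username: str, presented_hash: str) -> bool:
    """System side: the user is accepted if the presented hash matches the file."""
    return PASSWORD_FILE.get(username) == presented_hash


def replay(captured_message) -> bool:
    """Problem 1: an eavesdropper who recorded (name, hash) re-sends it unchanged
    and is accepted, never having known the password."""
    return system_verify(*captured_message)


def dictionary_attack(target_hash: str, wordlist):
    """Problem 2: with the hash in hand the attacker guesses offline, one word
    at a time, until a hash matches. No interaction with the system is needed."""
    for guess in wordlist:
        if pw_hash(guess) == target_hash:
            return guess
    return None


def crack_password_file(password_file, wordlist):
    """Because the hash is unsalted, one pass over the word list serves every
    user at once: hash each guess once, then look every stored hash up."""
    table = {pw_hash(w): w for w in wordlist}
    return {user: table.get(h) for user, h in password_file.items()}


WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]  # constructed


if __name__ == "__main__":
    captured = client_login("alice", "sunshine")
    print("legitimate login:", system_verify(*captured))
    print("replayed login:  ", replay(captured))
    print("offline guess:   ", dictionary_attack(PASSWORD_FILE["alice"], WORDLIST))
    print("whole file:      ", crack_password_file(PASSWORD_FILE, WORDLIST))
```

The replay succeeds because the system cannot distinguish a freshly computed hash from a recorded one; the dictionary attack succeeds because the hash is deterministic and unsalted, so a single table of hashed guesses exposes every user whose password is in the list, while the stronger password simply yields no match.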
A number of authentication and key establishment protocols have been proposed to improve upon the UNIX password protocol. Examples include:
1) R. Needham and M. Schroeder, "Using encryption for authentication in large networks of computers", Communications of the ACM, Vol. 21, December 1978, pp. 993-999;
2) D. Otway and O. Rees, "Efficient and timely mutual authentication", Operating Systems Review, Vol. 21, No. 1, January 1987, pp. 8-10;
3) L. Gong, M. Lomas, R. Needham, and J. Saltzer, "Protecting poorly chosen secrets from guessing attacks", IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, June 1993, pp. 648-656; and
4) U.S. Pat. No. 5,440,635 issued to S. Bellovin and M. Merritt on Aug. 8, 1995.
A number of the conventional authentication protocols require that the parties share secret information (such as a password) or possess each other's public keys in advance. There are many potential difficulties for a human user in sharing secrets with a large number of remote parties. Firstly, it requires a secure secret distribution mechanism to be in place. Secondly, and more importantly, human users are not good at remembering secrets of good quality, since such secrets look like random data. Obtaining each other's public keys in an authenticated manner is also problematic in a distributed and open environment.
Without good authentication and encryption, voice-over-IP (IP being the Internet Protocol) can be eavesdropped upon without much difficulty. Pretty Good Privacy Phone, or PGPfone (both trademarks of Pretty Good Privacy Inc.), implements an authentication protocol based on the exchange of voice signals and the Diffie-Hellman key exchange protocol; see P. Zimmermann, PGPfone Owner's Manual, Version 1.0 beta 5, 5 Jan. 1996, http://web.mit.edu/network/pgpfone/manual.
Before proceeding with a discussion of the PGPfone authentication protocol, the Diffie-Hellman key exchange protocol (W. Diffie and M. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654, November 1976) is reviewed. Diffie-Hellman key exchange allows two parties, without sharing keying material in advance, to agree on a secret key over an open channel, but without authentication. In Diffie-Hellman key exchange, two parties A and B agree on an appropriate prime p and a generator g of Z*p, where Z*p = {x | 0 < x ≤ p−1}. Party A generates a random number x, 1 < x < p−1, and then computes and sends to party B the value g^x modulo p. Party B generates a random number y, 1 < y < p−1, and then computes and sends to party A the value g^y modulo p.
Party A computes the shared key k = (g^y)^x modulo p, and party B computes k = (g^x)^y modulo p; the two values are equal since both are g^(xy) modulo p. The Diffie-Hellman protocol can be carried out in any group in which the discrete logarithm problem is difficult to solve. This protocol, however, is vulnerable to "man-in-the-middle" attacks. If a party C comes in the middle between parties A and B when party A wishes to have a Diffie-Hellman exchange with party B, party C intercepts all the messages between A and B and enters into a Diffie-Hellman exchange with A and with B, respectively. As a result, C agrees on one secret key with A and another secret key with B, so that C can decrypt all the messages from A using the key shared with A and re-encrypt them using the key shared with B, and vice versa, while A and B each believe they share a key with the other.
The PGPfone authentication protocol assumes that the two parties are familiar with each other's voice. The two parties first establish a shared value (e.g., g^(xy) mod p) by performing a Diffie-Hellman exchange. The parties next compute the hash of the shared value. Each party then reads the first few bytes of the hash to the other, either in hexadecimal format or as English words (PGPfone maintains a list that maps the 256 possible values of a byte to 256 English words). If the bytes at the two ends match, and if the voice sounds like that of the claimed party, the parties are considered authenticated; a man-in-the-middle attacker holds a different key with each party, so the bytes read out at the two ends do not match. However, if an attacker is able to collect sound samples of all 256 words by, for example, eavesdropping on someone's phone calls, the attacker is able to impersonate the victim at will.
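The following Python program is added here to illustrate both the Diffie-Hellman exchange and man-in-the-middle attack reviewed above and the PGPfone-style check in which the parties compare the first bytes of the hash of the shared value; it is not part of the original description or of PGPfone. Two assumptions of the example: the group is generated at a toy 64-bit size rather than taken from a standard group, and hexadecimal stands in for PGPfone's 256-word list.

```python
"""Diffie-Hellman key exchange over a safe-prime group, the man-in-the-middle
attack on the unauthenticated exchange, and the PGPfone-style check in which
the parties compare the first bytes of the hash of the shared value.
Illustrative code: the group is generated at a toy 64-bit size and hexadecimal
stands in for PGPfone's 256-word list (both assumptions of this example)."""
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, enough for 64-bit p."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int, rng: random.Random):
    """Return (p, g): a safe prime p = 2q + 1 and a generator g of Z*_p.
    Toy size for the example; deployments use a standard group (RFC 3526, RFC 7919)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            break
    g = 2
    while pow(g, q, p) != p - 1:   # g generates all of Z*_p iff g^q == -1 (and g != p-1)
        g += 1
    return p, g


def dh_keypair(p: int, g: int, rng: random.Random):
    """Secret exponent 1 < x < p-1 and the public value g^x mod p sent over the channel."""
    x = rng.randrange(2, p - 1)
    return x, pow(g, x, p)


def shared_key(p: int, their_public: int, my_secret: int) -> int:
    return pow(their_public, my_secret, p)


def check_string(k: int) -> str:
    """PGPfone-style value read aloud: first bytes of the hash of the shared value.
    Four bytes in hex here; PGPfone reads each byte as one of 256 English words."""
    digest = hashlib.sha256(k.to_bytes((k.bit_length() + 7) // 8, "big")).digest()
    return digest[:4].hex()


def honest_exchange(seed: int = 1):
    rng = random.Random(seed)
    p, g = make_group(64, rng)
    x, A = dh_keypair(p, g, rng)        # A -> B: g^x mod p
    y, B = dh_keypair(p, g, rng)        # B -> A: g^y mod p
    kA, kB = shared_key(p, B, x), shared_key(p, A, y)
    return {"k_A": kA, "k_B": kB, "check_A": check_string(kA), "check_B": check_string(kB)}


def mitm_exchange(seed: int = 1):
    """C intercepts both public values and runs a separate exchange with each party."""
    rng = random.Random(seed)
    p, g = make_group(64, rng)
    x, A = dh_keypair(p, g, rng)        # A sends g^x; C captures it
    y, B = dh_keypair(p, g, rng)        # B sends g^y; C captures it
    z, C_to_B = dh_keypair(p, g, rng)   # C forwards g^z to B in place of A's value
    w, C_to_A = dh_keypair(p, g, rng)   # C forwards g^w to A in place of B's value
    kA = shared_key(p, C_to_A, x)       # A believes this key is shared with B
    kB = shared_key(p, C_to_B, y)       # B believes this key is shared with A
    kC_A = shared_key(p, A, w)          # C's key with A: decrypts A's traffic
    kC_B = shared_key(p, B, z)          # C's key with B: re-encrypts it for B
    return {"k_A": kA, "k_B": kB, "k_C_with_A": kC_A, "k_C_with_B": kC_B,
            "check_A": check_string(kA), "check_B": check_string(kB)}


if __name__ == "__main__":
    h, m = honest_exchange(), mitm_exchange()
    print("honest: checks match:", h["check_A"] == h["check_B"])
    print("mitm:   checks match:", m["check_A"] == m["check_B"],
          "| C holds both keys:", m["k_A"] == m["k_C_with_A"] and m["k_B"] == m["k_C_with_B"])
```

In the honest run both parties compute the same key and read out the same check value; in the attacked run C holds a valid key with each party while A and B hold different keys, so the values they read to each other differ and the voice comparison exposes C. Note that the number of bytes read aloud bounds the work C must do to pick exponents whose two keys happen to agree on those bytes, which is why the check must be long enough and, as the text observes, why it depends on the voices themselves not being forgeable.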
Thus, a need clearly exists for a method of remote authentication based on exchanging signals representing biometrics information and establishing a cryptographic key.