1. Field of the Invention
The present invention relates to encryption and computer security. More specifically, the present invention relates to a method and an apparatus for facilitating a key exchange protocol that operates with a pre-shared key and that hides the identities of entities involved in the key exchange.
2. Related Art
Recent advances in computer networks make it easier to access a computer system from a remote location. For example, a “road warrior” with a laptop computer can access a server at a central office in order to receive email or access files from the server. However, providing this ability can lead to security problems because an attacker may also be able to access the organization's computer systems. Furthermore, even if the attacker is not able to access the organization's computer systems, the attacker may be able to eavesdrop on communications between the remote user and the organization's computer systems.
In order to guard against such attacks, an organization can install a “firewall” to filter all communications with an external network, and a remote user can be given a secret key that is known only to the remote user and the firewall. This secret key can then be used to encrypt subsequent communications between the remote user and the firewall.
The remote user can then be required to authenticate itself to the firewall in order to gain access to protected computer systems within the firewall. This authentication can be accomplished by sending an identifier for the remote user to the firewall. In response to this identifier, the firewall sends a challenge to the remote user. The remote user encrypts this challenge using a pre-shared secret key that was previously agreed upon between the remote user and the firewall, and then sends the encrypted challenge to the firewall. The firewall can then decrypt the encrypted challenge using the same pre-shared secret key to verify that the remote user possesses the pre-shared secret key. All subsequent communications between the remote user and the firewall are then encrypted using the pre-shared secret key. However, note that this technique requires the remote user to send its identifier to the firewall in the clear. Hence, an attacker can intercept the identifier and can thereby determine the identity of the remote user.
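The challenge-response exchange described above, written out as an added example (not code from the patent): the identifier table, key values and message names are constructed for illustration, and a keyed MAC (HMAC-SHA256) stands in for "encrypting the challenge" with the pre-shared key, since the text does not specify a cipher. The last function shows the point of the paragraph: a passive observer recovers the identifier from the first message without any key.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared-key table held by the firewall (identifier -> PSK).
# The identifiers and key bytes are placeholders for the example only.
PSK_TABLE = {
    b"alice@example.org": bytes.fromhex("00" * 16),
    b"bob@example.org": bytes.fromhex("11" * 16),
}


def client_hello(identifier: bytes) -> bytes:
    """Message 1: the remote user sends its identifier to the firewall, in the clear."""
    return identifier


def firewall_challenge() -> bytes:
    """Message 2: the firewall replies with a fresh random challenge."""
    return secrets.token_bytes(16)


def client_response(psk: bytes, challenge: bytes) -> bytes:
    """Message 3: the user proves possession of the PSK.

    The page says the challenge is 'encrypted' with the PSK; a keyed MAC over
    the challenge is used here as the stand-in (an assumption of this example).
    """
    return hmac.new(psk, challenge, hashlib.sha256).digest()


def firewall_verify(identifier: bytes, challenge: bytes, response: bytes) -> bool:
    """The firewall looks up the PSK for the claimed identifier and checks the response."""
    psk = PSK_TABLE.get(identifier)
    if psk is None:
        return False
    expected = hmac.new(psk, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_protocol(identifier: bytes, psk: bytes):
    """Run the three messages; return (transcript as seen on the wire, accepted)."""
    m1 = client_hello(identifier)
    m2 = firewall_challenge()
    m3 = client_response(psk, m2)
    accepted = firewall_verify(m1, m2, m3)
    return [m1, m2, m3], accepted


def passive_observer_learns(transcript) -> bytes:
    """An eavesdropper needs no key: message 1 is the identifier itself."""
    return transcript[0]


if __name__ == "__main__":
    transcript, ok = run_protocol(b"alice@example.org", PSK_TABLE[b"alice@example.org"])
    print("accepted:", ok)
    print("observer learns identifier:", passive_observer_learns(transcript))
```

The challenge and response reveal nothing about the key to a passive observer, but the first message already discloses who is logging in; that is the property the rest of the document sets out to remove.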
Another technique that can be used to establish a secure communication session between two computer systems involves an anonymous Diffie-Hellman exchange. A Diffie-Hellman exchange allows two computer systems to agree on a secret shared key, even though they can only exchange messages in public. Referring to FIG. 2, a Diffie-Hellman exchange begins by allowing two parties “A” and “B” to pick random numbers S_A and S_B, respectively (steps 202 and 204). A then computes T_A = g^(S_A) mod p, where p is a large prime number and g is a number less than p with certain restrictions that are not important for a basic understanding of the method (step 206). Similarly, B computes T_B = g^(S_B) mod p (step 208). Next, A and B exchange T_A and T_B (steps 210 and 212). A then computes the shared secret key as T_B^(S_A) mod p (step 214). B similarly computes the shared secret key as T_A^(S_B) mod p (step 216). Note that T_B^(S_A) = (g^(S_B))^(S_A) = g^(S_A·S_B) = (g^(S_A))^(S_B) = T_A^(S_B) mod p. A and B can then use this shared secret key to encrypt subsequent communications.
However, the Diffie-Hellman technique does not solve the authentication problem for an active attacker, because an active attacker can intercept communications from the remote user in order to impersonate the firewall. In this way, the active attacker will establish shared secrets with each end. Hence, even if the remote user encrypts its identifier with what it thinks is the shared secret key with the other end, the attacker is able to decrypt this identifier.
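The exchange of FIG. 2 and the limitation just described, as one added example (not code from the patent). The first functions carry out steps 202 through 216 with the document's symbols and check that both sides arrive at the same key; the last function models the preceding paragraph: because each endpoint derives its key only from the public value it received, an endpoint that receives a substituted value ends up sharing a key with whoever supplied it rather than with its intended peer, which is why anonymous Diffie-Hellman alone cannot protect an identifier sent under that key. The prime p = 23 and generator g = 5 are constructed toy parameters for a readable trace; a deployment uses a large prime group.

```python
import secrets

# Constructed toy parameters (p = 23, g = 5) so every intermediate value is small.
P_TOY = 23
G_TOY = 5


def dh_public(g: int, s: int, p: int) -> int:
    """T = g^S mod p (steps 206 and 208)."""
    return pow(g, s, p)


def dh_shared(t_other: int, s_own: int, p: int) -> int:
    """K = T_other^S_own mod p (steps 214 and 216)."""
    return pow(t_other, s_own, p)


def random_exponent(p: int) -> int:
    """Pick a random S in [1, p-2] (steps 202 and 204)."""
    return secrets.randbelow(p - 2) + 1


def dh_exchange(p: int, g: int, s_a: int, s_b: int):
    """Run the full exchange; return (T_A, T_B, K_A, K_B). K_A == K_B by the identity
    T_B^S_A = (g^S_B)^S_A = g^(S_A*S_B) = (g^S_A)^S_B = T_A^S_B (mod p)."""
    t_a = dh_public(g, s_a, p)
    t_b = dh_public(g, s_b, p)
    k_a = dh_shared(t_b, s_a, p)
    k_b = dh_shared(t_a, s_b, p)
    return t_a, t_b, k_a, k_b


def exchange_with_intermediary(p: int, g: int, s_a: int, s_b: int, s_m: int):
    """Model the active-attacker limitation: A and B each receive T_M in place of
    the peer's value. Returns (K_A, K_M_with_A, K_B, K_M_with_B). Each endpoint's
    key matches the intermediary's key for that side, and K_A != K_B in general."""
    t_a = dh_public(g, s_a, p)
    t_b = dh_public(g, s_b, p)
    t_m = dh_public(g, s_m, p)
    k_a = dh_shared(t_m, s_a, p)      # A computed its key from T_M, not T_B
    k_m_a = dh_shared(t_a, s_m, p)    # M shares that key with A
    k_b = dh_shared(t_m, s_b, p)      # B computed its key from T_M, not T_A
    k_m_b = dh_shared(t_b, s_m, p)    # M shares that key with B
    return k_a, k_m_a, k_b, k_m_b


if __name__ == "__main__":
    s_a, s_b = random_exponent(P_TOY), random_exponent(P_TOY)
    t_a, t_b, k_a, k_b = dh_exchange(P_TOY, G_TOY, s_a, s_b)
    print(f"T_A={t_a} T_B={t_b} K_A={k_a} K_B={k_b} agree={k_a == k_b}")
    print("with intermediary:", exchange_with_intermediary(P_TOY, G_TOY, 6, 15, 3))
```

Nothing in the exchanged values tells A whether T_B came from B; that binding is exactly what a pre-shared key must supply, and supplying it without first revealing the user's identifier is the problem the remainder of the document addresses.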
The Internet Engineering Task Force (IETF) has developed a standard to facilitate using pre-shared secret keys (see http://www.ietf.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-ike-base-mode-02.txt). The variant that uses pre-shared secret keys requires the Internet Protocol (IP) address of the remote user to be the identifier for the remote user. However, using the IP address of the remote user will not work if the remote user attempts to log in from a remote location with a different IP address.
Hence, what is needed is a method and an apparatus for facilitating a key exchange protocol that operates with a pre-shared key and that hides the identities of entities involved in the key exchange.