1. Field of the Invention
The invention includes cryptography. More particularly, an embodiment of the invention includes electric signal transmission and modification by particular algorithmic function encoding for secure key exchange to effectuate mutual identification and authentication.
2. Background Information
Cryptography may be viewed as the process or skill of communicating in or deciphering secret writings or ciphers. To prevent anyone but the intended recipient from reading communicated data, plain text (cleartext) may be converted into ciphered text (ciphertext) through a cryptography procedure referred to as encryption. Forming the basis of network security, a common type of data encryption includes public-key encryption.
Public-key encryption (PKE or “public-key cryptography”) may be an encryption scheme where each participant receives a pair of keys, called the public key and the private key. Each public key may be published while each private key may be kept secret. Using the public key of a message's intended recipient, the message to that intended recipient may be encrypted so that it may only be decrypted by the intended recipient using that participant's private key. Public-key encryption may be used for authentication, confidentiality, integrity, and non-repudiation.
As with most cryptography discussions, the descriptions in this patent make use of two actors, namely Alice and Bob, who are trying to conduct secure communications before the watchful eyes of passive eavesdropper, Eve, and without the interference of malicious active attacker (or man-in-the-middle), Mallory. Most public key exchange algorithms involve Alice (client) sending Bob (server) a data packet and Bob sending Alice a data packet, where each may combine the parts included in the data packets to generate a single-use, shared session key, and then prove to each other that the shared key is valid.
The first public-key encryption scheme was patented by Martin Hellman, Bailey Diffie, and Ralph Merkle in 1980 as U.S. Pat. No. 4,200,770. Through the Hellman-Diffie-Merkle key exchange (conventionally the Diffie-Hellman key exchange), the need for the sender and the receiver to share secret information (private keys) via some secure channel may be eliminated since all exchanged communications involve only public keys, and no private key need be transmitted or shared.
Although the Diffie-Hellman key exchange may establish a communication channel secure from eavesdropping, the Diffie-Hellman key exchange is subject to man-in-the-middle attacks. That is, an interloper such as Mallory may dispose himself between Bob and Alice and pretend to be Alice to Bob and pretend to be Bob to Alice. This may occur since the Diffie-Hellman key exchange fails to identify or authenticate to Bob that Alice may be really Alice, or vice versa. Since Mallory may dispose himself between Bob and Alice, Mallory may decrypt, examine, and reencrypt passing data packets without the knowledge of Bob or Alice.
As an alternative to positioning himself as an interloper, Mallory may eliminate Bob from the picture and emulate or “spoof” his identity. After Mallory establishes a secure channel with Alice, the spoofing Mallory may continue the communication with Alice until he receives a privileged piece of information, such as a password, or has delivered a virus or Trojan horse to Alice's system.
To overcome the limitations of the Diffie-Hellman key exchange, U.S. Pat. No. 5,241,599, known as Encrypted Key Exchange (EKE), modifies Diffie-Hellman by encrypting at least one of Bob and Alice's public keys with a secret password that may be known to both Alice and Bob prior to transmission over a network. However, for EKE to work, the shared secret password must be stored as cleartext within the server Bob. An augmentation of U.S. Pat. No. 5,241,599 (Augmented EKE protocol or A-EKE) employs a one-way hash of the user's password as the encryption key in the Diffie-Hellman variant of EKE. The user then sends an extra message based on the original password. This message may authenticate the newly chosen session key.
Simple Password Exponential Key Exchange (SPEKE), developed by Integrity Sciences of Westboro, Mass., modifies Encrypted Key Exchange (EKE) to guard against dictionary attacks by storing shared secret passwords as a specially computed derivative that may not be equivalent or reversible to the original plaintext of the shared secret passwords. An attacker may not be able to use a captured password database directly to compromise the targeted host. A less secure implementation of SPEKE allows the host to store the passwords as cleartext. Secure Remote Password (SRP) protocol, developed by Stanford University of Stanford, Calif., is another password authentication and key-exchange protocol along the same lines as SPEKE.