Computer network security techniques include a wide range of methods such as access control mechanisms, user authentication methods, cryptographic systems and traffic integrity protection. Appropriate selection and combination of such methods allows to build very secure networks at the expense of overall system complexity, cost increase and performance degradation. This is particularly the case in the arena of encryption keys distribution services for which dynamic schemes using key distribution servers have been developed.
U.S. Pat. No. 5,148,479 discloses a method of mutually authenticating users on a communications session. A first user A transmits a challenge N1 to a second user B. In response to the first challenge, B generates a first response to the challenge N1 and transmits it to A along with a second challenge N2. User A verifies that the first response to the challenge N1 is correct and then generates and transmits to B a second response to the second challenge N2. User B verifies that the second response is correct. User A and user B are supposed to share a secret which allows them to verify the correctness of the responses to their challenges. Ideally challenges should be different in every authentication instance, therefore it is suggested that challenges be selected randomly from a huge space; these challenges are called nonce challenges.
This kind of user authentication methods does not always provide sufficient protection against intruders attacks, for instance when data lines cannot be physically secured from taps. More generally, intercept attacks where an intruder merely intercepts messages from a user A to a user B and forwards them on to their intended destination B cannot be defended against with user authentication protocols; for instance, such theft and replay attacks can occur in wireless data communications systems using radio frequency or infrared transmission. In such a case, measures are necessary to provide data security in addition to the methods allowing user A and user B to authenticate one another. The encryption of the data flow between A and B is obviously one of these measures. One of the best known secret-key cryptosystems is the so called Data Encryption Standard (DES) which has been standardized by ANSI; it is a block cipher system capable of encrypting one 64-bit block of data at a time, using a 64-bit key. With all block cipher systems such as DES using the same encryption key for large amounts of data increases the risk that a potential intruder might break the cryptographic code through statistical crypt analysis. Therefore when such block cipher systems are used it is necessary to modify dynamically encryption keys to avoid that an intruder may break the cryptographic code.
Dynamic key distribution schemes provide robust methods for key distribution and modification; a key server maintains one secret or public master key for every user or entity in its network, which enables it to distribute encryption keys for peer entities wanting to authenticate one another and communicate.
Upon demand of a user A willing to communicate with a user B, the key server (KS) will securely inform A of the secret key which it may use to communicate with user B. Such methods require a significant number of data flows between A, B and KS. Most of these methods use long messages which make them unsuitable for low network layers. Some require synchronized clocks such as the so called Kerberos authentication service; it is based on the so called Needham Schroeder protocol and uses time tamps depending on reliable synchronized clocks to guarantee the freshness of messages.
European patent application No 0254812 describes a method for key distribution using a key distribution center (KDC), where in advance the remote device has installed in it only the public key of the KDC. The method of this invention still requires that at least two data flows be exchanged to distribute a fresh encryption key.
The complexity and performance degradation associated with prior art key distribution methods is not adequate for low cost communications systems such as wireless local area networks which are on one hand very vulnerable to eavesdroppers and intruders and on the other hand have to meet very stringent cost and performance requirements.