Frequently Asked Questions For
Information Security Intelligence:
Cryptographic Principles & Applications
Explain how to use (a) a shared secret and (b) public/private keys, to authenticate two communicating parties.
In authenticating two communicating parties we will require that one side must be able to prove that they know some secret of which only the two sides are aware. In general we can accomplish this through cryptographic means through a challenge response test.
In the case of symmetrical cryptography (a shared secret) Alice can send Bob a challenge number r encrypted with key k. If Bob is really Bob then he will have the shared secret k which will enable him to decrypt r k and return the value r. Potentially Bob will include a comparable challenge for Alice with a different r value before they engage in the communication. This is a reasonable method for authentication using symmetrical cryptography. {note: a variant of this is to send the r unencrypted and have the recipient encrypt r using k and return the encrypted value which you then decrypt and check}
A similar analogy can be conceived using asymmetrical (public key) cryptography. In this case Alice chooses r and encrypts it with Bob's public key. Bob then receives it and decrypts it with his private key. Bob then returns the value of r to Alice. Since Bob should be the only one with Bob's private key the fact that he can decrypt it proves once again he is Bob. Likewise Bob will challenge Alice in a similar fashion. {note: again there are variants such as Alice can send r and have bob sign it with his private key. In this case he sends back the signed r and she checks the signature by decrypting it with Bob's public key – again this proves he is Bob because only Bob has Bob's private key to create the signature.} The advantage to the public key method is that you do not have to have a prearranged secret.
Many of the answers to FAQs are from lectures presented at JWU.
