Starting a session
Protocol
For our session start, we will here use a classical architecture, but with slightly different commands. First, here is a definition of the exchanges between two actors (say, Alice and Bob) to start a secure session:
- Alice sends a 16-byte random number to a1 … a16 to Bob.
- Bob replies with his own 16-byte random number b1 … b16.
- Alice and Bob both encrypt a1 … a16 with their shared secret, getting the value α1 … α16.
- Alice and Bob both encrypt b1 … b16 with their shared secret, getting the value β1 … β16.
- The session key becomes α9 … α16 β1 … β8.
- Alice sends the value β9 … β16 to Bob, encrypted with the session key, as a proof of authentication.
- Bob verifies that the value is correct.
- Bob then sends the value α1 … α8 to Alice, encrypted with the session key, as a proof of authentication.
- Alice verifies that the value is correct.
- The session has started.
I will not attempt to prove that this algorithm has many interesting properties, but I will just highlight a few of its features:
- In steps 1 and 2, both Alice and Bob generate random data that is used in the session startup process, and the session key depends on both sets of random data, as a measure against replay attacks.
- In steps 3 and 4, the simple encryption used here can be replaced by a more complex algorithm, in order to make it more difficult for an attacker to derive the shared secret from a session key.
- The value returned by Alice to Bob on step 6 (and vice-versa on step 8) as proof of authentication shows that Alice got Bob’s random data, and that Alice knows the shared secret.
- The value returned in steps 6 and 8 are both encrypted with the session key, in order to avoid giving away precious information about the shared secret to a potential attacker.
