Mutual authentication using symmetric crypto: ISO 9798-2 versus MAP2
From: Ernest Hammingweight (hammingweight_at_hotmail.com)
Date: 12/29/04
Date: 29 Dec 2004 02:17:22 -0800
Hi
I need a client and a server to authenticate each other. Both are
fairly limited devices (the client is a smartcard). I'd like to use a
symmetric crypto protocol. Two alternatives would appear to be the
MAP2 protocol of Bellare-Rogaway or the 3-pass protocol of ISO 9798-2.
I was wondering whether anybody had any suggestions which might be
better and any info on what authentication protocols are widely
deployed. Life is always easier if I can point to a precedent in
justifying my choice.
For those unfamiliar with the protocols they follow later (they're
fairly similar). E_K denotes some function using a key K and a
symmetric crypto algorithm that provides data authentication.
For both protocols the parties involved are A and B. R_A and R_B are
nonces generated by A and B. Text1, Text2 and Text3 are arbitrary
strings that may be authenticated.
The MAP2 protocol is as follows:
A->B: R_A, Text1
B->A: E_K( B,A, R_A,R_B, Text1, Text2 )
A->B: E_K( A, R_B, Text3 )
ISO 9798-2 (slightly simplified) is as follows:
A->B: R_A, Text1
B->A: E_K( R_A, R_B, B, Text2 )
A->B: E_K( R_B, R_A, Text3 )
MAP2 looks superior to me. Why doesn't B authenticate the data Text1
in ISO9798-2? Also party B doesn't indicate that it knows it's
communicating with party A. In practice neither of these may be
serious (they're probably not for my purposes) but they suggest that
MAP2 is a better designed protocol. Another feature I like of MAP2 is
that it can easily be transformed into AKEP1 or AKEP2 which provide
authentication and key exchange while 9798-2 doesn't concern itself
with key exchange (and key exchange may be a 'nice-to-have').
Anyway, I'd appreciate all comments even if they just support or rebut
my prejudices.
Any indication that ISO 9798-2 is actually used would be appreciated.
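
An added sketch of the MAP2 flows listed in the post above, not part of the original message. It assumes E_K(x) means sending x together with an HMAC-SHA256 tag over x; the identities, the length-prefixed field encoding and all function names are illustrative choices.

```python
import hashlib
import hmac
import secrets

def _encode(fields):
    # Length-prefix every field so boundaries are unambiguous under the MAC.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def tag(key, *fields):
    # Assumed instantiation of E_K: HMAC-SHA256 over the encoded fields.
    return hmac.new(key, _encode(fields), hashlib.sha256).digest()

def b_respond(key, id_a, id_b, r_a, text1, text2):
    """Flow 2 (B->A): fresh R_B plus a tag over (B, A, R_A, R_B, Text1, Text2)."""
    r_b = secrets.token_bytes(16)
    return r_b, text2, tag(key, id_b, id_a, r_a, r_b, text1, text2)

def a_verify_and_reply(key, id_a, id_b, r_a, text1, msg2, text3):
    """A recomputes flow 2 from its own R_A and Text1, then builds flow 3."""
    r_b, text2, t2 = msg2
    expected = tag(key, id_b, id_a, r_a, r_b, text1, text2)
    if not hmac.compare_digest(t2, expected):
        return None  # wrong key, stale R_A, or Text1 changed in transit
    return text3, tag(key, id_a, r_b, text3)

def b_verify(key, id_a, r_b, msg3):
    """Flow 3 check: tag over (A, R_B, Text3) must match B's own R_B."""
    text3, t3 = msg3
    return hmac.compare_digest(t3, tag(key, id_a, r_b, text3))

def run_map2(key_a, key_b, tamper_text1=False):
    id_a, id_b = b"card-A", b"server-B"  # constructed identities
    r_a = secrets.token_bytes(16)
    text1 = b"Text1"
    # Flow 1 (A->B): R_A, Text1. Optionally model Text1 altered on the wire.
    seen_by_b = b"Text1-modified" if tamper_text1 else text1
    msg2 = b_respond(key_b, id_a, id_b, r_a, seen_by_b, b"Text2")
    msg3 = a_verify_and_reply(key_a, id_a, id_b, r_a, text1, msg2, b"Text3")
    if msg3 is None:
        return "A rejects B"
    return "mutual auth ok" if b_verify(key_b, id_a, msg2[0], msg3) else "B rejects A"

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print(run_map2(k, k))
    print(run_map2(k, k, tamper_text1=True))
```

Because Text1 and both identities sit under B's tag, A's recomputation fails if any of them differ from what A sent or expects.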