Abstract. We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings can neither be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoration of secure associations in a disaster case, namely when one remote peer has had his long-term keys corrupted.
On Building Secure Communications

One of the key issues of modern cryptography is the problem of establishing a secure peer-to-peer communication over an insecure channel. Assuming that we can establish a private and authenticated key, standard tunneling techniques can achieve it. In the seminal work of Merkle [32] and Diffie and Hellman [18], the private and authenticated key establishment problem was reduced to establishing a communication in which messages are authenticated. Public-key cryptosystems such as RSA [39] further reduce it to the establishment of an authenticated public key. Note that the seed authentication is also a limiting factor for quantum cryptography [10].

Another major step was the notion of password-based authenticated key agreement, which was first proposed by Bellovin and Merritt [8,9] and whose security was proven by Bellare, Pointcheval, and Rogaway [5] in the random oracle model. Another protocol, provably secure in the standard model, was proposed by Katz, Ostrovsky, and Yung [29]. Here, we assume that a private and authenticated short password was set up prior to the protocol. The key agreement protocol is such that no offline dictionary attack is feasible against the password, so that the threat model is restricted to online password-guessing attacks, which are easily detectable.¹ When compared to the above approach, we thus reduce the size of the initial key, but we require its confidentiality again.

¹ See Chapter 7 of [12] for a survey on password-based authenticated key agreement.