RFC 1004 (rfc1004) - Page 2 of 8
Distributed-protocol authentication scheme
RFC 1004 April 1987

(except for private keys) transmitted via these networks, but only to authenticate messages to avoid spoofing and replay attacks.

The procedures are intended for distributed systems where each user i runs a common protocol automaton using private state variables for each of possibly several associations simultaneously, one for each user j. An association is initiated by interrogating the Cookie Jar for a one-time key K(i,j), which is used to encrypt the checksum which authenticates messages exchanged between the users. The initiator then communicates the key to its associate as part of a connection establishment procedure such as described in [3].

The information being exchanged in this protocol model is largely intended to converge a distributed data base to specified (as far as practical) contents, and does not ordinarily require a reliable distribution of event occurrences, other than to speed the convergence process. Thus, the model is intrinsically resistant to message loss or duplication. Where important, sequence numbers are used to reduce the impact of message reordering. The model assumes that associations between peers, once having been sanctioned, are maintained indefinitely. The exception when an association is broken may be due to a crash, loss of connectivity or administrative action such as reconfiguration or rekeying. Finally, the rate of information exchange is specifically designed to be much less than the nominal capabilities of the network, in order to keep overheads low.

2. Procedures

Each user i is assigned a public address A(i) and private key K(i) by an out-of-band procedure beyond the scope of this discussion. The address can take many forms: an autonomous system identifier [2], an Internet address [6] or simply an arbitrary name. However, no matter what form it takes, every message is presumed to carry both the sender and receiver addresses in its header. Each address and its access-control list is presumed available in a public directory accessible to all users, but the private key is known only to the user and Cookie Jar and is not disclosed in messages exchanged between users or between users and the Cookie Jar.

An association between i and j is identified by the bitstring consisting of the catenation of the addresses A(i) and A(j), together with a one-time key K(i,j), in the form [A(i),A(j),K(i,j)]. Note that the reciprocal association [A(j),A(i),K(j,i)] is distinguished only by which associate calls the Cookie Jar first. It is the intent in the protocol model that all state variables and keys relevant to a previous association be erased when a new association is initiated and no caching (as suggested in [5]) is allowed.

Mills
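The following Python example is added here and is not part of RFC 1004. It models an association [A(i),A(j),K(i,j)], the erasure of all previous state when a new association is initiated, and the rejection of spoofed or replayed messages. Assumptions: HMAC-SHA256 stands in for the encrypted checksum, the Cookie Jar is a local function returning random keys, the key is handed to the associate in-process, stale sequence numbers are dropped, and the names User, initiate, checksum and cookie_jar_issue_key are hypothetical.

```python
import hashlib
import hmac
import secrets

def cookie_jar_issue_key():
    # Stand-in for the Cookie Jar (assumption): a fresh one-time key K(i,j).
    return secrets.token_bytes(32)

def checksum(key, src, dst, seq, payload):
    # Keyed checksum over header addresses, sequence number and payload.
    # HMAC-SHA256 replaces the RFC's encrypted checksum (assumption).
    fields = [src.encode(), dst.encode(), seq.to_bytes(8, "big"), payload]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

class User:
    def __init__(self, address):
        self.address = address
        self.assoc = {}  # peer address -> private state for that association

    def associate(self, peer, key):
        # Overwrite, never merge: the previous association's key and state are erased.
        self.assoc[peer] = {"key": key, "tx": 0, "rx": -1}

    def send(self, peer, payload):
        st = self.assoc[peer]
        seq, st["tx"] = st["tx"], st["tx"] + 1
        tag = checksum(st["key"], self.address, peer, seq, payload)
        return (self.address, peer, seq, payload, tag)

    def receive(self, message):
        src, dst, seq, payload, tag = message
        st = self.assoc.get(src)
        if st is None or dst != self.address:
            return False  # no association with this sender
        expected = checksum(st["key"], src, dst, seq, payload)
        if not hmac.compare_digest(tag, expected):
            return False  # spoofed, altered, or keyed to an erased association
        if seq <= st["rx"]:
            return False  # replayed or stale message
        st["rx"] = seq
        return True

def initiate(initiator, responder):
    # The initiator obtains K(i,j) and communicates it to its associate.
    key = cookie_jar_issue_key()
    initiator.associate(responder.address, key)
    responder.associate(initiator.address, key)
```

Because the model tolerates message loss, a receiver that drops a stale or unverifiable message simply waits for the next update rather than requesting retransmission.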



