Entity Authentication – TLS Cryptography In-Depth

Ensuring freshness – Entity Authentication

5.5.1 Ensuring freshness

In challenge-response protocols, the freshness of messages describes the property of being recent in the sense of originating subsequent to the beginning of the protocol run [117]. Time-variant parameters provide uniqueness and timeliness guarantees and prevent replay and interleaving attacks [117]. Non-repeating challenges can be generated very simply by using pseudorandom numbers (but be careful: if n-bit numbers are generated, they will start to repeat after roughly 2n∕2 numbers; see also Section 11.4.1, Collision resistance in Chapter 11, Hash Functions and Message Authentication Codes), monotonically increasing counters, or even timestamps (if Alice and Bob are synchronized in time). Such non-repeating numbers are also called nonces, an abbreviation of number used once.

While random numbers do not have any prerequisites to ensure timeliness, counters require both claimant and verifier to store the state, and timestamps require them to have distributed clocks.

The verifier must control the time-variant parameter to guarantee timeliness or uniqueness. The verifier may control the parameter explicitly, for instance, by choosing the random number, or implicitly, for instance, using a common logical clock time.

If the challenges come from a pseudo-random generator, additionally, there is no way for an attacker to anticipate the value of the challenge for the next protocol execution.

In challenge-response protocols, Alice (the verifier) sends a nonce to Bob. Bob, in turn, responds with a message whose construction requires the knowledge of the random number (and, for instance, a secret shared by Alice and Bob). If Bob’s response is valid, it is deemed to be fresh [117] because that random number links Alice’s challenge to Bob’s response.

Counters or sequence numbers serve as unique identifiers of a message. Like random numbers, counters prevent message replay. If counters are used, Alice and Bob accept a message only if the counter value has not been previously used. The simplest counter scheme is to start at zero (or one) and increment the counter value with each successive message. A less restrictive policy would accept any counter values as long as they are increasing, thereby tolerating messages lost due to benign communication errors.

Timestamps are more versatile compared to random numbers and counters. In addition to ensuring timeliness, timestamps can be used to implement time-limited access and detect forced delays [117].

If timestamps are used in a challenge-response protocol, the party sending the message reads their local timestamp and binds it to the message using a cryptographically secure technique. The receiving party gets the current time from their local clock and subtracts from it the received timestamp. The message is accepted if the timestamp difference is within an acceptable window.

To use timestamps securely, both the claimant and verifier need clocks that are loosely synchronized and protected against manipulation. In addition, they must synchronize their local clocks to account for the clock drift. Moreover, the maximum clock skew must be compatible with the chosen acceptance window [117].