
I know that using an asymmetric algorithm is a very easy way to authenticate peers on a serverless network. I have a project where the networked clients only have symmetric primitives. They have less than 1 Mbyte of code space and less than 100 DMIPS, so running RSA in software would take too long.

If there is a server, this is not a hard problem. The client asks for authentication, the server sends a random number, the client does a HASH with secret (shared) key, and passes the result back to the server. Only a client with the secret would produce the answer the server is looking for, so the server is satisfied this is an authenticated client.

Here is the problem: what if all the devices on the network are peers, with none of them trusted more than others? Is it even possible to talk about general network-wide authentication without public key cryptography?

If I could use RSA, then each node would have all the public keys of all the other nodes. Problem solved.

The only thing I can think of so far is to have each node store a public hash of each node's private key. Then a series of secure transformations (http://en.wikipedia.org/wiki/Secure_multi-party_computation) are done to the hash in such a way that the other client can recover the transformations only if the hashed key belongs to them. Returning the transformations (without the secret) proves the node really is the one that owns that hash. Has anyone seen papers about this?

I suspect this is even more computationally expensive than just using RSA, but it is an interesting problem.

I have looked for other articles about this, but have not found much:

Authenticate without using a server: in addition to recommending not doing client-side authentication, this article suggests making it "good enough". That is not enough for me. I want something that is provably secure, like RSA, just without asymmetric components.

Here is the same problem: Decentralised user authentication -- possible? But the answer there is to use public-key authentication.

I just found a possible answer: pre-shared keys (http://en.wikipedia.org/wiki/TLS-PSK). I am afraid this means that one compromised device will compromise the entire network, but I have not dug in very far yet. More research to do.

Any other ideas you have come across?

user3920315
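The server-style challenge-response from the question, carried over to two peers, as an added example (not code from the question or from any commenter). Each side issues its own random challenge, as user3920315 suggests in the comments, and the HMAC binds both identities, both nonces and the sender's role, so a recorded transcript or a reflected message does not satisfy a fresh challenge. The key layout is an assumption: instead of one network-wide PSK, every link between two peers has its own independent key and a node stores only the keys for its own links, which limits what a single compromised device exposes. All key bytes and node names are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample key material (hypothetical, not from the question): one
# independent pre-shared key per link. A node holds only the keys of the
# links it takes part in, so compromising node C reveals K_AC but not K_AB.
KEY_AB = bytes(range(32))
KEY_AC = bytes(range(32, 64))
KEYS_A = {"B": KEY_AB, "C": KEY_AC}
KEYS_B = {"A": KEY_AB}
KEYS_C = {"A": KEY_AC}

NONCE_LEN = 16


def _tag(key, role, initiator, responder, nonce_i, nonce_r):
    """HMAC-SHA256 over the sender's role, both identities and both nonces.

    Binding both nonces means neither side accepts a recorded transcript; the
    role label stops a message reflected back at its sender from passing as
    the other side's answer.
    """
    msg = b"|".join([role, initiator.encode(), responder.encode(), nonce_i, nonce_r])
    return hmac.new(key, msg, hashlib.sha256).digest()


def initiator_hello(rng=os.urandom):
    """Step 1: the initiator picks a fresh challenge for the responder."""
    return rng(NONCE_LEN)


def responder_reply(keys, me, peer, nonce_i, rng=os.urandom):
    """Step 2: the responder answers the challenge and issues its own.

    Returns (nonce_r, tag_r). Raises KeyError if `peer` is not a known link.
    """
    nonce_r = rng(NONCE_LEN)
    tag_r = _tag(keys[peer], b"resp", peer, me, nonce_i, nonce_r)
    return nonce_r, tag_r


def initiator_finish(keys, me, peer, nonce_i, nonce_r, tag_r):
    """Step 3: the initiator checks the responder's tag, then answers its challenge.

    Returns the initiator's tag, or None if the responder did not prove
    knowledge of the link key.
    """
    expected = _tag(keys[peer], b"resp", me, peer, nonce_i, nonce_r)
    if not hmac.compare_digest(expected, tag_r):  # constant-time comparison
        return None
    return _tag(keys[peer], b"init", me, peer, nonce_i, nonce_r)


def responder_verify(keys, me, peer, nonce_i, nonce_r, tag_i):
    """Step 4: the responder checks the initiator's answer to its challenge."""
    expected = _tag(keys[peer], b"init", peer, me, nonce_i, nonce_r)
    return hmac.compare_digest(expected, tag_i)


def run_handshake(keys_i, name_i, keys_r, name_r, rng=os.urandom):
    """Full mutual exchange. Returns (initiator_accepts, responder_accepts)."""
    nonce_i = initiator_hello(rng)
    nonce_r, tag_r = responder_reply(keys_r, name_r, name_i, nonce_i, rng)
    tag_i = initiator_finish(keys_i, name_i, name_r, nonce_i, nonce_r, tag_r)
    if tag_i is None:
        return False, False
    return True, responder_verify(keys_r, name_r, name_i, nonce_i, nonce_r, tag_i)


def replay_is_rejected():
    """A recorded answer from A does not satisfy a fresh challenge from B."""
    nonce_i = initiator_hello()
    nonce_r1, tag_r1 = responder_reply(KEYS_B, "B", "A", nonce_i)
    recorded_tag_i = initiator_finish(KEYS_A, "A", "B", nonce_i, nonce_r1, tag_r1)
    # Later session: B issues a new nonce and an attacker replays the old tag.
    nonce_r2, _ = responder_reply(KEYS_B, "B", "A", nonce_i)
    return not responder_verify(KEYS_B, "B", "A", nonce_i, nonce_r2, recorded_tag_i)


def impersonation_with_wrong_key_fails():
    """C, holding only K_AC, cannot answer A's challenge in B's name."""
    nonce_i = initiator_hello()
    forged_keys = {"A": KEYS_C["A"]}  # C claims to be B but only has its own key
    nonce_r, tag_r = responder_reply(forged_keys, "B", "A", nonce_i)
    return initiator_finish(KEYS_A, "A", "B", nonce_i, nonce_r, tag_r) is None


if __name__ == "__main__":
    print("A<->B:", run_handshake(KEYS_A, "A", KEYS_B, "B"))
    print("replay rejected:", replay_is_rejected())
    print("C posing as B rejected:", impersonation_with_wrong_key_fails())
```

This is still symmetric authentication between two parties that already share a key: a peer can only verify the links it holds keys for, and whoever holds K_AB can speak as either A or B on that link. Per-link keys confine a compromise to the compromised node's own links, which addresses the TLS-PSK worry in the question, but they do not give the network-wide, third-party-verifiable identity that public keys provide; that gap is what the zero-knowledge and elliptic-curve suggestions in the comments are about.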
  • You want http://en.wikipedia.org/wiki/Zero-knowledge_proof, which may not be easy. – SLaks Sep 03 '14 at 03:06
  • How would your scheme prevent replay attacks? – SLaks Sep 03 '14 at 03:09
  • First of all, I don't think that "easy" means what you think it means. Second: oh boy... your proposed scheme has issues and it's hard to pick a place to start to answer this. And the answer is likely to be off-topic to boot. I suggest you head over to [crypto.stackexchange.com](http://crypto.stackexchange.com). – Nik Bougalis Sep 03 '14 at 03:17
  • If Node A challenges Node B to prove its identity, part of the protocol should be based on a random number created by Node B. That way a replay is almost impossible. It then becomes the attacker's job to trick Node B into returning re-used or less-random numbers. – user3920315 Sep 03 '14 at 03:26
  • Thanks for the reference to Zero-Knowledge proofs. I read about that years ago, but I did not recognize that it describes my problem quite well. More research to go do! – user3920315 Sep 03 '14 at 03:27
  • If code size and speed is the only reason you're avoiding asymmetric primitives, you may want to consider elliptic curve cryptography. [curve25519-donna](https://github.com/agl/curve25519-donna) compiles to about 5.2 KB of code on ARM Cortex-M3 — it's really quite small. –  Sep 03 '14 at 04:00
  • This question appears to be off-topic because it is mainly about cryptography schemes and should be asked on http://crypto.stackexchange.com/ – Eugene Mayevski 'Callback Sep 03 '14 at 08:08

0 Answers