
A Challenge-Response Protocol with Digital Signatures

JNFS employs a more secure challenge-response mechanism for authentication. The protocol, outlined below, requires the user to prove its identity by digitally signing a random number chosen by the server. Authentication proceeds in four stages:

  1. Initialization. The user tells the server it wishes to be authenticated.
  2. Challenge. The server generates a challenge and issues it to the user.
  3. Response. The user signs the challenge and returns it to the server.
  4. Verification. The server checks that the signature is a valid signature of the challenge it issued and, if so, grants access to the client.

In the initialization stage, the user U tells JNFS that it would like access to the file system. The server confirms that U's name appears in the user table and then proceeds to the challenge stage.

JNFS then generates a 64-bit random number R using the SecureRandom class in the java.security package. The server builds the challenge from it, records the challenge so that it can later be compared against the response, and issues it to U.

U receives the challenge and generates a response by signing it with its private key. Using the Digital Signature Algorithm [12], it produces a signature over the challenge and returns that signature to the server.

The JNFS server verifies the response by checking the signature with U's public key. If the signature is a valid signature of the challenge the server had previously issued, the server accepts the user's credentials, since only U knows the private key that could have produced that signature. For efficiency, the server then grants U a token, which U presents on subsequent transactions until the token expires. When the token expires, U repeats the authentication process to obtain another one.
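The following is an added example, not JNFS's own code: it runs the four stages above end to end in Java using the DSA signature and SecureRandom classes from java.security that the text names. The Server and respond names, the user-table and outstanding-challenge maps, the token format and its lifetime are assumptions made for the example. It also shows the two checks the verification stage relies on: a challenge is consumed once it has been answered, and a signature under a key other than the one registered for the user is rejected.

```java
import java.security.*;
import java.util.*;

/**
 * Added example (not JNFS code): four-stage challenge-response
 * authentication with DSA signatures, as described in the text.
 */
public class ChallengeResponseDemo {

    /** Server side: user table, outstanding challenges, issued tokens (hypothetical structure). */
    static class Server {
        private final Map<String, PublicKey> userTable = new HashMap<>();   // name -> public key
        private final Map<String, byte[]> outstanding = new HashMap<>();    // name -> issued challenge
        private final Map<String, Long> tokenExpiry = new HashMap<>();      // token -> expiry time (ms)
        private final SecureRandom rng = new SecureRandom();
        private final long tokenLifetimeMs;

        Server(long tokenLifetimeMs) { this.tokenLifetimeMs = tokenLifetimeMs; }

        void register(String name, PublicKey pk) { userTable.put(name, pk); }

        /** Stages 1 and 2: confirm the name is in the user table, then issue a 64-bit challenge. */
        byte[] challenge(String name) {
            if (!userTable.containsKey(name)) throw new SecurityException("unknown user " + name);
            byte[] r = new byte[8];            // 64-bit random number R
            rng.nextBytes(r);
            outstanding.put(name, r);          // recorded so stage 4 can compare against it
            return r.clone();
        }

        /** Stage 4: verify the signature against the recorded challenge; return a token on success. */
        String verify(String name, byte[] signature) throws GeneralSecurityException {
            byte[] c = outstanding.remove(name);   // one-shot: a challenge can be answered only once
            if (c == null) throw new SecurityException("no outstanding challenge for " + name);
            Signature ver = Signature.getInstance("SHA256withDSA");
            ver.initVerify(userTable.get(name));
            ver.update(c);
            boolean ok;
            try { ok = ver.verify(signature); } catch (SignatureException e) { ok = false; }
            if (!ok) throw new SecurityException("signature does not match issued challenge");
            byte[] t = new byte[16];               // token format is an assumption of this example
            rng.nextBytes(t);
            String token = Base64.getEncoder().encodeToString(t);
            tokenExpiry.put(token, System.currentTimeMillis() + tokenLifetimeMs);
            return token;
        }

        /** Subsequent transactions present the token; it is honoured until it expires. */
        boolean tokenValid(String token) {
            Long exp = tokenExpiry.get(token);
            return exp != null && System.currentTimeMillis() < exp;
        }
    }

    /** Stage 3, client side: sign the challenge with the user's private key. */
    static byte[] respond(PrivateKey sk, byte[] challenge) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withDSA");
        sig.initSign(sk);
        sig.update(challenge);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();     // registered user
        KeyPair other = kpg.generateKeyPair();     // a key the server has never registered

        Server server = new Server(60_000);        // 60-second token lifetime (assumed)
        server.register("alice", alice.getPublic());

        byte[] c = server.challenge("alice");
        String token = server.verify("alice", respond(alice.getPrivate(), c));
        System.out.println("alice authenticated, token valid: " + server.tokenValid(token));

        // Submitting a response to an already-answered challenge fails: it was consumed.
        try { server.verify("alice", respond(alice.getPrivate(), c)); }
        catch (SecurityException e) { System.out.println("second use rejected: " + e.getMessage()); }

        // A signature under a key not registered for alice fails verification.
        byte[] c2 = server.challenge("alice");
        try { server.verify("alice", respond(other.getPrivate(), c2)); }
        catch (SecurityException e) { System.out.println("wrong key rejected: " + e.getMessage()); }
    }
}
```

Because the server removes a challenge from its outstanding table the moment it is answered, a response is accepted at most once; the "records it" step in the challenge stage is what makes that comparison possible. The token in this example is an opaque random value looked up in a server-side table, so its validity ends exactly when the server's expiry entry does.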



Michael John Radwin
Thu May 8 10:49:26 EDT 1997