[Top] [Prev] [Next]

auth

Keyring: auth, readauthinfo, writeauthinfo - authenticate a connection

Synopsis

include "sys.m";
include "keyring.m";
kr:=      load Keyring Keyring->PATH;
auth:     fn(fd: ref Sys->FD, info: ref Authinfo, setid: int)
                          : (string, array of byte);
readauthinfo: fn(filename: string)         : ref Authinfo;
writeauthinfo:fn(filename: string, info: ref Authinfo): int;

Description

auth (fd, info, setid)

The auth function performs mutual authentication over a network connection, usually between a client and a server. The auth function is symmetric, that is, each party runs it on their end of the connection. The Authinfo adt, info, contains the public key of a certifying authority (PKca), the private key of the user (SKu), the public key (PKu) of the user signed by the certifying authority (CERTu), and Diffie-Hellman parameters (alpha, p).

The auth function returns a string and a byte array. If the byte array is nil then the authentication has failed and the string is an error message. If the byte array is non-nil, then it represents a secret shared by the two communicating parties. In this case the string is the name of the party at the other end of the connection.

If the authentication is successful and the argument setid is non-zero then auth attempts to write the id of the party at the other end of the connection into /dev/user (see cons). No error is generated if this does not succeed. If the authentication is not successful and setid is non-zero, auth writes "none" into /dev/user.

The authentication protocol is based on the Station-to-Station protocol. In the following the parties are labeled 0 and 1. Sig0(x) is x signed with 0's private key.

0 -> 1  alpha**r0 mod p, CERTu0, PKu0   
1 -> 0  alpha**r1 mod p, CERTu1, PKu1   
0 -> 1  sig0(alpha**r0 mod p, alpha**r1 mod p)   
1 -> 0  sig1(alpha**r0 mod p, alpha**r1 mod p)

At this point both 0 and 1 share the secret alpha**(r0*r1) which is returned in the byte array.

readauthinfo (filename)

The readauthinfo function reads an Authinfo adt from a file. It returns nil if there is a read or conversion error, a reference to the adt otherwise.

writeauthinfo (filename, info)

The writeauthinfo function writes an Authinfo adt to a file. It returns -1 if the write operation fails, 0 otherwise.

Files

Note that $user is the id of the user.
/usr/$user/keyring

 The conventional directory for storing Authinfo files.

/usr/$user/keyring/default

 The file normally used by server programs.

/usr/$user/keyring/$server

The files normally used by clients where $server is the network name of the server being called, for example, 

tcp!server_name.

See Also

B. Schneier, Applied Cryptography, 1996, J. Wiley & Sons, Inc.


[Top] [Prev] [Next]

infernosupport@lucent.com
Copyright © 1996,Lucent Technologies, Inc. All rights reserved.