A Novel Stateless Authentication Protocol
I appreciate I’m the last talk of the day before the dinner, so the good news is, I haven’t got very many transparencies.
I want to talk about state. I think it’s fair to say that stored state is generally regarded as a bad thing. The more we can get rid of stored state the better we would be. I’m sure there are exceptions to this rule, but it’s a nice rule of thumb at least. And through the 1990s there was a lot of effort made to devise protocols which minimise requirements for stored state, particularly in the server in client-server protocols. One major goal of this effort was to try and get rid of obvious denial of service attacks where you just exhaust the server’s state table. Now I would suggest, given the theme of this workshop, that there are other good reasons for getting rid of state, not just denial of service, but perhaps you can make network protocols simpler, and perhaps more reliable, make implementations easier to prove correct, and so on, by getting rid of state and therefore simplifying the state machine for the protocol. What’s the cost? Well, typically you would make the messages slightly longer, because you can’t really get rid of state altogether; you have to put it somewhere, and you put it in the messages, and so the cost is going to be slightly longer messages. This isn’t a new idea, for goodness’ sake; after all, in HTTP we’ve been using cookies for a long time, well, at least those of us who enable cookies on our machine have.
Keywords: Authentication Protocol, Security Protocol, Service Attack, Single Counter, Long Message