JNFS employs a more secure challenge-response mechanism for authentication. The protocol, outlined below, requires a user to prove its authenticity by digitally signing a random number. There are four stages to authentication:
In the initialization stage, the user U tells JNFS that it would like access to the file system. The server confirms that U's name appears in the user table and then proceeds to the challenge stage.
JNFS then generates a 64-bit random number R using the SecureRandom class in the java.security package. The server creates a challenge , records it, and issues it to U.
U receives the challenge and generates a response by signing with its secret key . Using the Digital Signature Algorithm [12], it creates a signature for . The user returns back to the server.
The JNFS server verifies the response by using U's public key to interpret the signature . If is indeed a signed version of the challenge that it had previously issued, the server accepts the user's credentials, since only U knows the private key used to produce the signature from the challenge. For efficiency, the server grants U a token ( ) it will use on subsequent transactions until it expires. When expires, U repeats the authentication process to obtain another token.
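The four stages above, sketched as an added example (not JNFS source code), showing why the server records each challenge and consumes it on verification: a replayed response or one signed with another key is rejected. Assumptions: the challenge is just the 8 bytes of R, `SHA256withDSA` stands in for the paper's DSA variant, the class, method and map names are hypothetical, and token issuance is left out.

```java
import java.security.*;
import java.util.*;

public class ChallengeResponseDemo {
    // Hypothetical server state: user table (name -> public key) and outstanding challenges.
    static final Map<String, PublicKey> userTable = new HashMap<>();
    static final Map<String, byte[]> pending = new HashMap<>();
    static final SecureRandom rng = new SecureRandom();

    // Stages 1-2: confirm the user is in the user table, then issue and record a 64-bit random R.
    static byte[] challenge(String user) {
        if (!userTable.containsKey(user)) throw new SecurityException("unknown user");
        byte[] r = new byte[8];                  // 64 bits; challenge layout is an assumption
        rng.nextBytes(r);
        pending.put(user, r);
        return r.clone();
    }

    // Stage 3 (client side): sign the challenge with the user's DSA private key.
    static byte[] respond(PrivateKey sk, byte[] challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(sk);
        s.update(challenge);
        return s.sign();
    }

    // Stage 4: verify against the recorded challenge; each challenge is usable once.
    static boolean verify(String user, byte[] sig) throws GeneralSecurityException {
        byte[] r = pending.remove(user);         // consume, so a replayed response fails
        if (r == null) return false;             // no challenge outstanding for this user
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initVerify(userTable.get(user));
        s.update(r);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();   // constructed test identity
        userTable.put("alice", alice.getPublic());

        byte[] sig = respond(alice.getPrivate(), challenge("alice"));
        System.out.println("fresh response accepted: " + verify("alice", sig));
        System.out.println("replayed response accepted: " + verify("alice", sig));

        KeyPair other = kpg.generateKeyPair();   // key that is not in the user table
        byte[] wrong = respond(other.getPrivate(), challenge("alice"));
        System.out.println("wrong-key response accepted: " + verify("alice", wrong));
    }
}
```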