David John Otway

A nested mutual authentication protocol

This paper describes an authentication protocol that is suited to modern, object-based, client-server systems. Each object in a chain, whether acting in a client or server role, handles authentication with its neighbours, without any need to be aware of the resultant global behaviour. Session keys are returned by an authentication server which services a client-server chain as a whole: nested requests are built along the forward chain; the final server presents the whole package to the authentication server; and sessions keys are delivered back down the chain. The protocol, as described, avoids entanglement with the politics of cryptography by using One-Way-Hash-Functions throughout. The authentication chain might traverse different legal jurisdictions, but adjacent applications can use returned session keys for any legitimate purpose, including message sealing or encryption.