DES Authentication Protocol

Edit online

This section explains the DES authentication protocol.

DES authentication has the following form of eXternal Data Representation (XDR) enumeration: 

enum authdes_namekind {
     ADN_FULLNAME = 0,
     ADN_NICKNAME = 1
};
typedef opaque des_block[8];
const MAXNETNAMELEN = 255;

A credential is either a client's full network name or its nickname. For the first transaction with the server, the client must use its full name. For subsequent transactions, the client can use its nickname. DES authentication protocol includes a 64-bit block of encrypted DES data and specifies the maximum length of a network user's name.

The authdes_cred union provides a switch between the full-name and nickname forms, as follows: 

union authdes_cred switch (authdes_namekind adc_namekind) {
     case ADN_FULLNAME:
          authdes_fullname adc_fullname;
     case ADN_NICKNAME:
          unsigned int adc_nickname;
};

The full name contains the network name of the client, an encrypted conversation key, and the window. The window is actually a lifetime for the credential. The server can terminate a client's time stamp and not grant the request if the time indicated by the verifier time stamp plus the window has expired. In the first transaction, the server confirms that the window verifier is one second less than the window. To ensure that requests are granted only once, the server can require time stamps in subsequent requests to be greater than the client's previous time stamps.

The structure for a credential using the client's full network name follows: 

struct authdes_fullname {
    string name<MAXNETNAMELEN>; /* name of client              */
    des_block key;              /*PK encrypted conversation key*/
    unsigned int window;        /* encrypted window            */
};
A time stamp encodes the time since midnight, January 1, 1970. The structure for the time stamp follows: 

struct timestamp {
     unsigned int seconds;      /* seconds           */
     unsigned int useconds;     /* and microseconds  */
The client verifier has the following structure: 

struct {
     adv_timestamp;           /* one DES block          */
     adc_fullname.window;     /* one half DES block     */
     adv_winverf;             /* one half DES block     */
}

The window verifier is only used in the first transaction. In conjunction with the fullname credential, these items are packed into the structure shown previously before being encrypted.

This structure is encrypted using CBC mode encryption with an input vector of 0. All other time stamp encryptions use ECB mode encryption. The client's verifier has the following structure: 

struct authdes_verf_clnt {
     timestamp adv_timestamp;     /* encrypted timestamp       */
     unsigned int adv_winverf;    /* encrypted window verifier */
};
The server returns the client's time stamp, minus one second, in an encrypted response verifier. This verifier also sends the client an unencrypted nickname to be used in future transactions. The verifier from the server has the following structure: 

struct authdes_verf_svr {
     timestamp adv_timeverf;     /* encrypted verifier      */
     unsigned int adv_nickname;  /* new nickname for client */
};