cr1 Bilateral Authentication Scheme

cr1 (see cr1(1Mbnu)) is an identification and authentication scheme that protects a system from unauthorized access. By default, cr1 uses DES encryption, and can also be referenced as cr1.des. Because of export restrictions on DES, cr1 can also use ENIGMA encryption. When using ENIGMA encryption, cr1 is referenced as cr1.enigma. Other than the underlying encryption algorithm used, all cr1 schemes behave identically.

The cr1 scheme is bilateral, which means it authenticates both the client and the server identities. Generally, it authenticates a connection established by a connection server on the client side and a port monitor on the server side. When a cr1 exchange is complete, the client, as well as the server, can be certain of the other party's identity.

cr1 requires a system to store a cryptographic key for every protected system with which it needs to communicate. The key is a bit string known only to the principals in the exchange (the client and server); the string is used to encrypt and decrypt messages passed between the two principals. Typically, when a remote client attempts to access a local service protected by cr1, the cr1 scheme on the server engages the client in a sequence of exchanges involving the shared cryptographic key and one-time challenges. If the remote client responds appropriately to the server's challenge, the server can be certain that the remote client is authorized to access the service. If the server does not engage the client in the exchange, the client can engage the server. If the server responds appropriately to the client's challenge, the client can be certain that it is connecting to the desired server, not an imposter.
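The exchange described above, reduced to its essentials, as an added example that is not SCO's cr1 code and does not follow the cr1 wire format. The shape is the page's: one shared key per protected peer, a one-time challenge from the server that the client must answer with the key, and the mirror-image challenge from the client. Where cr1 encrypts the challenge with DES or ENIGMA, this example substitutes HMAC-SHA256 as the keyed function so it runs with the Python standard library alone; the `Principal`, `keyed_response` and `run_exchange` names, and the constructed sample key, are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Added example (not SCO's cr1 code). Shape of a bilateral challenge-response
# exchange over a shared key, as the text describes. cr1 itself encrypts the
# challenge with DES or ENIGMA; here HMAC-SHA256 stands in as the keyed function
# so the example runs with the Python standard library alone.


def keyed_response(key: bytes, nonce: bytes, responder: str) -> bytes:
    """Answer to a challenge: keyed MAC over the nonce and the responder's name.

    Binding the responder's name into the answer means a server's answer to a
    client challenge can never be reused as a client's answer to the server.
    """
    return hmac.new(key, nonce + b"|" + responder.encode(), hashlib.sha256).digest()


class Principal:
    """A client or server holding one shared key per peer it may talk to."""

    def __init__(self, name: str, keys: dict):
        self.name = name
        self.keys = keys          # peer name -> shared secret, one per protected system
        self.outstanding = set()  # challenges issued by this party and not yet answered

    def challenge(self) -> bytes:
        """Issue a fresh one-time challenge and remember it."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def respond(self, peer: str, nonce: bytes) -> bytes:
        """Answer a peer's challenge with the key shared with that peer."""
        key = self.keys.get(peer)
        if key is None:
            return b""  # no key for that peer: the answer cannot verify
        return keyed_response(key, nonce, self.name)

    def verify(self, peer: str, nonce: bytes, response: bytes) -> bool:
        """Check a peer's answer to a challenge this principal issued.

        The challenge is consumed on first use, so a captured answer replayed
        later is rejected even though the MAC inside it is valid.
        """
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        key = self.keys.get(peer)
        if key is None:
            return False
        expected = keyed_response(key, nonce, peer)
        return hmac.compare_digest(expected, response)


def run_exchange(client: Principal, server: Principal):
    """Full bilateral exchange. Returns (server_trusts_client, client_trusts_server)."""
    # The server challenges the client first, as when a port monitor engages a remote client.
    n1 = server.challenge()
    server_ok = server.verify(client.name, n1, client.respond(server.name, n1))
    # The client challenges the server in turn, so it also learns it reached the right host.
    n2 = client.challenge()
    client_ok = client.verify(server.name, n2, server.respond(client.name, n2))
    return server_ok, client_ok


# Constructed sample key; a real deployment provisions one per protected system.
SHARED_KEY = bytes(range(32))


def demo():
    client = Principal("alice", {"server": SHARED_KEY})
    server = Principal("server", {"alice": SHARED_KEY})
    honest = run_exchange(client, server)

    # A party that knows the client's name but not the key fails in both directions.
    impostor = Principal("alice", {"server": b"\x00" * 32})
    server2 = Principal("server", {"alice": SHARED_KEY})
    forged = run_exchange(impostor, server2)
    return honest, forged


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, False))
```

Two details carry the security of the exchange and are easy to drop in a real implementation: each challenge is consumed on first use inside `verify`, so a recorded answer cannot be replayed, and the responder's name is bound into the answer, so one side's reply cannot be reflected back as the other side's.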

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004