
Multimedia Network Security Laboratory

Cryptanalysis and Improvement of a Secure Authentication Scheme with Anonymity for Wireless Communications

Date: 2012.09.13

Reporter : Hong Ji Wei

Authors : Chin-Chen Chang, Wei-Bin Lee, and Chia-Yin Lee

From : 2009 Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing


OUTLINE

1. INTRODUCTION
2. REVIEW OF WU, LEE AND TSAUR'S SCHEME
3. WEAKNESS OF WU, LEE AND TSAUR'S SCHEME
4. IMPROVED SCHEME
5. SECURITY ANALYSIS
6. CONCLUSION


INTRODUCTION


A good user authentication scheme not only provides high security but also protects user privacy.

Lee, Hwang, and Liao pointed out some security weaknesses in Zhu-Ma's scheme and presented an improved version in 2006.

Wu, Lee, and Tsaur pointed out that Lee, Hwang, and Liao's scheme doesn't achieve all security properties.

REVIEW OF WU, LEE AND TSAUR'S SCHEME

This scheme can be divided into three phases:

1. Initial Phase: HA delivers a password and a smart card to MU through a secure channel.
2. First Phase: FA authenticates to MU and establishes a session key.
3. Second Phase: MU visits FA, and FA serves MU.

Symbols

MU : Mobile User
HA : Home Agent of a mobile user
FA : Foreign Agent of the network
$ID_A$ : Identity of A
$T_A$ : Timestamp of A
$Cert_A$ : Certificate of A
$(X)_K$ : Symmetric encryption of X with key K
$E_K(X)$ : Asymmetric encryption of X with key K
$h(X)$ : Hash of X using the hash function
$PW_A$ : Password of A
$P_A$ : Public key of A
$S_A$ : Private key of A

Initial phase (registration over a secure channel)

1. MU → HA: $ID_{MU}$
2. HA computes $PW_{MU} = h(N \| ID_{MU})$ and $r = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$
3. HA → MU: $PW_{MU}$, $r$, $ID_{HA}$, $h(\cdot)$

First phase

MU:
1. Compute $L = h(T_{MU} \oplus PW_{MU})$
2. Compute $n = r \oplus PW_{MU}$

With $r = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$ and $PW_{MU} = h(N \| ID_{MU})$:

$n = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU} \oplus PW_{MU} = h(N \| ID_{HA}) \oplus ID_{HA} \oplus ID_{MU}$

MU → FA: $n$, $(h(ID_{MU}) \| x_0 \| x)_L$, $ID_{HA}$, $T_{MU}$

FA:
1. Check $T_{MU}$ and generate $b$
2. Compute signature with $S_{FA}$

FA → HA: $b$, $n$, $(h(ID_{MU}) \| x_0 \| x)_L$, $T_{MU}$, $T_{FA}$, $Cert_{FA}$, $E_{S_{FA}}(h(b, n, (h(ID_{MU}) \| x_0 \| x)_L, T_{MU}, Cert_{FA}))$

HA:
1. Check $Cert_{FA}$ and $T_{FA}$
2. Compute $h(N \| ID_{HA}) \oplus n \oplus ID_{HA} = ID_{MU}'$
3. Decrypt $(h(ID_{MU}) \| x_0 \| x)_L$ with $L$
4. Check $h(ID_{MU}') = h(ID_{MU})$ and generate $c$
5. Compute signature with $S_{HA}$
6. Compute $W = E_{P_{FA}}(h(h(N \| ID_{MU})) \| x_0 \| x)$

HA → FA: $c$, $W$, HA's signature computed with $S_{HA}$, $Cert_{HA}$, $T_{HA}$

FA:
1. Decrypt $W$ with $S_{FA}$
2. Compute session key $k = h(h(h(N \| ID_{MU})) \| x \| x_0)$

FA → MU: $(TCert_{MU} \| h(x_0 \| x))_k$

MU:
1. Compute $k$
2. Decrypt $(TCert_{MU} \| h(x_0 \| x))_k$ with $k$

MU → FA: $(x_0 \| TCert_{MU} \| OtherInformation)_k$

Second phase

In order to enhance efficiency, while MU stays with the same FA, the new session key $k_i$ can be derived from the unexpired previous secret knowledge $x_{i-1}$ and a fixed secret $x$ as

$k_i = h(h(h(N \| ID_{MU})) \| x \| x_{i-1})$ for $i = 1, 2, 3, \ldots, n$

MU → FA (authentication): $TCert_{MU}$, $(x_i \| TCert_{MU} \| OtherInformation)_{k_i}$

For example:

$k_1 = h(h(h(N \| ID_{MU})) \| x \| x_0)$, with message $(x_1 \| TCert_{MU} \| OtherInformation)_{k_1}$

$k_2 = h(h(h(N \| ID_{MU})) \| x \| x_1)$, with message $(x_2 \| TCert_{MU} \| OtherInformation)_{k_2}$

WEAKNESS OF WU, LEE AND TSAUR'S SCHEME

Anonymity

The first-phase message flow is the one shown above; the relations relevant to anonymity are:

1. $h(N \| ID_{HA}) = r \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$
2. $n = r \oplus PW_{MU} = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU} \oplus h(N \| ID_{MU})$
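Why the two anonymity relations matter, as an added Python illustration that is not part of the original slides: relation 1 lets any card holder solve for the per-HA constant $h(N \| ID_{HA})$, and that constant is the only thing masking $ID_{MU}$ in $n$. Assumptions: SHA-256 stands in for $h(\cdot)$, identities are padded to 32 bytes so they can be XORed with digests, and every name and value is constructed.

```python
import hashlib
import os

# Added illustration, not from the slides. SHA-256 stands in for h(.), and
# identities are padded to 32 bytes (assumed encoding) so they XOR with digests.

def h(*parts):
    """h(X1 || X2 || ...)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):
    """XOR of 32-byte strings."""
    out = bytes(32)
    for v in vals:
        assert len(v) == 32
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def pad_id(name):
    return name.encode().ljust(32, b"\0")

def register(N, id_ha, id_mu):
    """Initial phase at HA: smart-card values PW_MU and r."""
    pw = h(N, id_mu)
    r = xor(h(N, id_ha), pw, id_ha, id_mu)
    return pw, r

def login_n(pw, r):
    """First phase at MU: n = r XOR PW_MU, sent in the clear."""
    return xor(r, pw)

def ha_mask_from_card(pw, r, id_ha, own_id):
    """Relation 1: a card holder solves r for h(N || ID_HA) without knowing N."""
    return xor(r, pw, id_ha, own_id)

def recover_id(n, mask, id_ha):
    """n = h(N||ID_HA) XOR ID_HA XOR ID_MU, so one mask unmasks every user."""
    return xor(n, mask, id_ha)

def demo():
    N = os.urandom(32)                      # HA secret (constructed)
    id_ha, alice, bob = pad_id("HA-1"), pad_id("alice"), pad_id("bob")
    pw_a, r_a = register(N, id_ha, alice)
    pw_b, r_b = register(N, id_ha, bob)
    n_alice = login_n(pw_a, r_a)            # value visible on the wire
    mask = ha_mask_from_card(pw_b, r_b, id_ha, bob)
    return mask == h(N, id_ha), recover_id(n_alice, mask, id_ha) == alice

if __name__ == "__main__":
    print(demo())
```

Because the mask is the same for every user of one HA and never changes between logins, $n$ is a static pseudonym at best; this is the value the improved scheme modifies.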

Impersonation attack

If MU's smart card is stolen, the attacker can perform an impersonation attack.

[Slide equations: derivation of $n'$ from $r$ and $PW^*$]

IMPROVED SCHEME

First phase

MU:
1. Compute $L = h(T_{MU} \oplus PW_{MU})$
2. Compute $n = r \oplus PW_{MU} \oplus h(h(N) \| T_{MU})$

With $r = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$ and $PW_{MU} = h(N \| ID_{MU})$:

1. $h(N \| ID_{HA}) = r \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$
2. $n = r \oplus PW_{MU} \oplus h(h(N) \| T_{MU}) = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU} \oplus h(N \| ID_{MU}) \oplus h(h(N) \| T_{MU})$

MU → FA: $n$, $(h(ID_{MU}) \| x_0 \| x)_L$, $ID_{HA}$, $T_{MU}$

FA:
1. Check $T_{MU}$ and generate $b$
2. Compute signature with $S_{FA}$

FA → HA: $b$, $n$, $(h(ID_{MU}) \| x_0 \| x)_L$, $T_{MU}$, $T_{FA}$, $Cert_{FA}$, $E_{S_{FA}}(h(b, n, (h(ID_{MU}) \| x_0 \| x)_L, T_{MU}, Cert_{FA}))$

HA:
1. Check $Cert_{FA}$ and $T_{FA}$
2. Compute $h(N \| ID_{HA}) \oplus n \oplus ID_{HA} \oplus h(h(N) \| T_{MU}) = ID_{MU}'$
3. Decrypt $(h(ID_{MU}) \| x_0 \| x)_L$ with $L$
4. Check $h(ID_{MU}') = h(ID_{MU})$ and generate $c$
5. Compute signature with $S_{HA}$
6. Compute $W = E_{P_{FA}}(h(h(N \| ID_{MU})) \| x_0 \| x)$

HA → FA: $c$, $W$, HA's signature computed with $S_{HA}$, $Cert_{HA}$, $T_{HA}$

FA:
1. Decrypt $W$ with $S_{FA}$
2. Compute session key $k = h(h(h(N \| ID_{MU})) \| x \| x_0)$

FA → MU: $(TCert_{MU} \| h(x_0 \| x))_k$

MU:
1. Compute $k$
2. Decrypt $(TCert_{MU} \| h(x_0 \| x))_k$ with $k$

MU → FA: $(x_1 \| TCert_{MU} \| OtherInformation)_k$

Initial phase (registration over a secure channel)

1. MU → HA: $ID_{MU}$
2. HA computes $PW_{MU} = h(N \| ID_{MU})$ and $r = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$
3. HA → MU: $PW_{MU}$, $r$, $ID_{HA}$, $h(\cdot)$, $h(N)$

Our improved scheme can resist the impersonation attack.

Assume that an attacker can intercept $n$, $ID_{HA}$, $T_{MU}$, $(h(ID_{MU}) \| x_0 \| x)_L$ transmitted from MU and modify this message to $n$, $ID_{HA}$, $T_{MU}$, $(h(ID_{MU}') \| x_0' \| x')_L$.

However, the attacker still can't forge a correct $n$ to pass the authentication process without knowing HA's secret key $N$ and the real $ID_{MU}$.

CONCLUSION

We demonstrate some security flaws in Wu, Lee, and Tsaur's scheme and propose an improvement to overcome these drawbacks.

The security analysis shows that our proposed scheme can solve these weaknesses by modifying some procedures of the original scheme.