Robust and Efficient Password-Authenticated Key Agreement

Using Smart Cards

Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw

Src: IEEE Transaction on Industrial Electronics,Vol. 55, No. 6, pp. 2551-2556, 2008

Presenter: Jung-wen Lo (駱榮問 )Date: Jul. 30, 2009

2

Outline Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Z

hang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005

Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw, “Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards,” IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556

Comment

Robust remote authentication scheme

with smart cards

Authors: Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang

Src: Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005

4

Introduction

Criteria for secure remote authentication scheme using smart card1) Low computation for smart cards2) No password table3) Passwords chosen by the users themselves4) Not requiring clock synchronization and delay-time limitation5) Withstanding the replay attack6) Server authentication7) Withstanding the offline dictionary attack with the smart card8) Withstanding the offline dictionary attack without the smart card9) Revoking the lost cards without changing the users’ identities

Major contribution Withstand replay attack Preventing the offline dictionary attack

Two protocol Registration protocol Login protocol

5

Registration Protocol

User System

IDi, h(PWi)

Random vi

bi = Es(h(PWi)||H(IDi)||CIi||vi))

IDi CIi

… …

CIi,IDi, bi,n

CIi,IDi, bi,n

6

Login Protocol

User

Card Reader

System

PWi

L1

L2={α,β}

Decrypt: L1(bi||h(IDi)||u) bih(PWi)||h(IDi)||CIi||vi) Verify h(IDi),{IDi, CIi}Random rα=ruβ=h((r||u)

r’=αuh((r’||u) ?=β L3=h(h(PWi)||r)

bi,Vi,IDi,CIi

Random uLi={IDi,(bi||h(IDi)||u)2 mod n}

h(h(PWi)||r) ?= L3

L3

7

Performance

8

Conclusion Properties

1) Low computation for smart cards2) No password table3) Passwords chosen by the users themselves4) Not requiring clock synchronization and delay-time limitation5) Withstanding the replay attack6) Server authentication7) Withstanding the offline dictionary attack with the smart card8) Withstanding the offline dictionary attack w/o the smart card9) Revoking the lost cards without changing the users’ identities

Major contribution Withstand replay attack Preventing the offline dictionary attack

Major drawbacks No ability of anonymity for the user Higher computation and communication cost No session key agreement Cannot prevent the insider attack

Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards

Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw

Src: IEEE Transaction on Industrial Electronics,

vol. 55, no. 6, pp. 2551-2556, 2008

10

Introduction Improve Fan-Chan-Zhang’s scheme

Session key agreement Prevent insider attack

Five Phases1) Parameter generation phase2) Registration phase3) Precomputation phase4) Log-in phase5) Password-changing phase

11

Notation h(): Public one-way hash function. s: Master secret key of a symmetric cryptosystem,

which is kept secret by the server. Es(): Secure symmetric encryption algorithm with the

secret key s. Ds(): Secure symmetric decryption algorithm with the

secret key s. ||: String concatenation operator. P: Large prime. EP: Elliptic curve equation over ZP . x: Server’s private key based on elliptic curve

cryptosystems. PS: Server’s public key based on elliptic curve

cryptosystems. G: Generator point of a large order.

Manuscript

12

Parameter generation phase

Server side Choose a large prime P Select a,b Z∈ P; 4a3 + 27b2(mod P) ≠0 Elliptic curve equation:

EP : y2 = x3 + ax + b over ZP

Find a generator point G of order n where n × G = O

Select a random number x as its private key and safely keeps it in its secret storage.

Compute the public key PS = (x • G)

Publish the parameters (PS, P, EP, G, n)

13

Registration/Precomputation phase

User Server

IDi, h(Pwi||b)

bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b))) Vi = h(IDi, s, CIi).

Random b IDi CIi

… …

bi,Vi,IDi,CIi

Smart Card

Registration phase

(Only Once)

Precomputation phase

Random re=(r•G)c=(r•Ps)=(r•x•G)Store (c,e) in memory

bi,Vi,IDi,CIi,b

14

Log-in phase

UserCard

ReaderServer

PWi

bi, Evi(e)

u, Ms

Mu

Ds(bi)IDi,CIi

VerifyVi=h(IDi,s,CIi)

Dvi(Evi

(e)) e=(r•G)

c’=(e•x)=(r•x•G)Random u

Ms=h(c’||u||Vi)

(c,e)

h(c||u||Vi) ?= Ms

Mu=h(h(PWi||b)||Vi||c||u)Sk = h(Vi,c,u)

bi,Vi,IDi,CIi,b

bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))

Smart Card

h(h(PWi||b)||Vi||c||u)?=Mu

Sk = h(Vi,c,u)

15

Password-changing phase

UserCard

ReaderServer

Log-in Phase

ESk(IDi, h(PW*

i||b*))

ESk(b*

i)

b*i = Es(h(PW*

i||b*)||IDi||CIi||h(IDi||CIi||h(PW*i||b*)))

DecryptStore (b*

i, b*) in memory

Smart Card

Sk Sk

New PW*i,b*

b*i,Vi,IDi,CIi,b*

16

Security Analysis Strong Mutual Authentication

Both believe the correction of session key Preventing the Replay Attack

Nonce r & u Preventing the Insider Attack

No password table Protected with h(PWi||b)

Preventing the Offline Dictionary Attack Without the Smart Card Cannot obtain PWi from messages

Preventing the Offline Dictionary Attack With the Smart Card No obvious password in card (bi) Need server’s help to verify password

17

Communication and storage cost

18

Computation Cost

19

Capability Comparisons

20

Conclusion Advantages

Benefits of Fan et al.’s scheme Identity protection Session key agreement Low communication and computation cost

by using elliptic curve cryptosystems Prevent the insider attack

21

Comment

Register table attack DoS attack Eliminate the table

Protect the table

Modify the data of table, eg, CIi

Verify before use

Performance improvement 3 ways 2 ways

22

Comment: Log-in phase (2 round)

UserCard

ReaderServer

PWi

bi, Evi(e||

n)

u, Ms

Ds(bi)IDi,CIi

VerifyVi=h(IDi,s,CIi)

Dvi(Evi

(e)) e=(r•G)

c’=(e•x)=(r•x•G) Random u

Ms=h(c’||n||u||Vi)Sk = h(Vi,c,u)

(c,e)Random n

h(c||n||u||Vi) ?= Ms

Sk = h(Vi,c,u)

bi,Vi,IDi,CIi,b

bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))

Smart Card