Upload
colman
View
54
Download
3
Embed Size (px)
DESCRIPTION
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards. Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw Src: IEEE Transaction on Industrial Electronics, Vol. 55, No. 6, pp. 2551-2556, 2008 Presenter: Jung-wen Lo ( 駱榮問 ) Date: Jul. 30, 2009. Outline. - PowerPoint PPT Presentation
Citation preview
Robust and Efficient Password-Authenticated Key Agreement
Using Smart Cards
Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw
Src: IEEE Transaction on Industrial Electronics,Vol. 55, No. 6, pp. 2551-2556, 2008
Presenter: Jung-wen Lo (駱榮問 )Date: Jul. 30, 2009
2
Outline Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Z
hang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005
Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw, “Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards,” IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556
Comment
Robust remote authentication scheme
with smart cards
Authors: Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang
Src: Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005
4
Introduction
Criteria for secure remote authentication scheme using smart card1) Low computation for smart cards2) No password table3) Passwords chosen by the users themselves4) Not requiring clock synchronization and delay-time limitation5) Withstanding the replay attack6) Server authentication7) Withstanding the offline dictionary attack with the smart card8) Withstanding the offline dictionary attack without the smart card9) Revoking the lost cards without changing the users’ identities
Major contribution Withstand replay attack Preventing the offline dictionary attack
Two protocol Registration protocol Login protocol
5
Registration Protocol
User System
IDi, h(PWi)
Random vi
bi = Es(h(PWi)||H(IDi)||CIi||vi))
IDi CIi
… …
CIi,IDi, bi,n
CIi,IDi, bi,n
6
Login Protocol
User
Card Reader
System
PWi
L1
L2={α,β}
Decrypt: L1(bi||h(IDi)||u) bih(PWi)||h(IDi)||CIi||vi) Verify h(IDi),{IDi, CIi}Random rα=ruβ=h((r||u)
r’=αuh((r’||u) ?=β L3=h(h(PWi)||r)
bi,Vi,IDi,CIi
Random uLi={IDi,(bi||h(IDi)||u)2 mod n}
h(h(PWi)||r) ?= L3
L3
7
Performance
8
Conclusion Properties
1) Low computation for smart cards2) No password table3) Passwords chosen by the users themselves4) Not requiring clock synchronization and delay-time limitation5) Withstanding the replay attack6) Server authentication7) Withstanding the offline dictionary attack with the smart card8) Withstanding the offline dictionary attack w/o the smart card9) Revoking the lost cards without changing the users’ identities
Major contribution Withstand replay attack Preventing the offline dictionary attack
Major drawbacks No ability of anonymity for the user Higher computation and communication cost No session key agreement Cannot prevent the insider attack
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw
Src: IEEE Transaction on Industrial Electronics,
vol. 55, no. 6, pp. 2551-2556, 2008
10
Introduction Improve Fan-Chan-Zhang’s scheme
Session key agreement Prevent insider attack
Five Phases1) Parameter generation phase2) Registration phase3) Precomputation phase4) Log-in phase5) Password-changing phase
11
Notation h(): Public one-way hash function. s: Master secret key of a symmetric cryptosystem,
which is kept secret by the server. Es(): Secure symmetric encryption algorithm with the
secret key s. Ds(): Secure symmetric decryption algorithm with the
secret key s. ||: String concatenation operator. P: Large prime. EP: Elliptic curve equation over ZP . x: Server’s private key based on elliptic curve
cryptosystems. PS: Server’s public key based on elliptic curve
cryptosystems. G: Generator point of a large order.
Manuscript
12
Parameter generation phase
Server side Choose a large prime P Select a,b Z∈ P; 4a3 + 27b2(mod P) ≠0 Elliptic curve equation:
EP : y2 = x3 + ax + b over ZP
Find a generator point G of order n where n × G = O
Select a random number x as its private key and safely keeps it in its secret storage.
Compute the public key PS = (x • G)
Publish the parameters (PS, P, EP, G, n)
13
Registration/Precomputation phase
User Server
IDi, h(Pwi||b)
bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b))) Vi = h(IDi, s, CIi).
Random b IDi CIi
… …
bi,Vi,IDi,CIi
Smart Card
Registration phase
(Only Once)
Precomputation phase
Random re=(r•G)c=(r•Ps)=(r•x•G)Store (c,e) in memory
bi,Vi,IDi,CIi,b
14
Log-in phase
UserCard
ReaderServer
PWi
bi, Evi(e)
u, Ms
Mu
Ds(bi)IDi,CIi
VerifyVi=h(IDi,s,CIi)
Dvi(Evi
(e)) e=(r•G)
c’=(e•x)=(r•x•G)Random u
Ms=h(c’||u||Vi)
(c,e)
h(c||u||Vi) ?= Ms
Mu=h(h(PWi||b)||Vi||c||u)Sk = h(Vi,c,u)
bi,Vi,IDi,CIi,b
bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))
Smart Card
h(h(PWi||b)||Vi||c||u)?=Mu
Sk = h(Vi,c,u)
15
Password-changing phase
UserCard
ReaderServer
Log-in Phase
ESk(IDi, h(PW*
i||b*))
ESk(b*
i)
b*i = Es(h(PW*
i||b*)||IDi||CIi||h(IDi||CIi||h(PW*i||b*)))
DecryptStore (b*
i, b*) in memory
Smart Card
Sk Sk
New PW*i,b*
b*i,Vi,IDi,CIi,b*
16
Security Analysis Strong Mutual Authentication
Both believe the correction of session key Preventing the Replay Attack
Nonce r & u Preventing the Insider Attack
No password table Protected with h(PWi||b)
Preventing the Offline Dictionary Attack Without the Smart Card Cannot obtain PWi from messages
Preventing the Offline Dictionary Attack With the Smart Card No obvious password in card (bi) Need server’s help to verify password
17
Communication and storage cost
18
Computation Cost
19
Capability Comparisons
20
Conclusion Advantages
Benefits of Fan et al.’s scheme Identity protection Session key agreement Low communication and computation cost
by using elliptic curve cryptosystems Prevent the insider attack
21
Comment
Register table attack DoS attack Eliminate the table
Protect the table
Modify the data of table, eg, CIi
Verify before use
Performance improvement 3 ways 2 ways
22
Comment: Log-in phase (2 round)
UserCard
ReaderServer
PWi
bi, Evi(e||
n)
u, Ms
Ds(bi)IDi,CIi
VerifyVi=h(IDi,s,CIi)
Dvi(Evi
(e)) e=(r•G)
c’=(e•x)=(r•x•G) Random u
Ms=h(c’||n||u||Vi)Sk = h(Vi,c,u)
(c,e)Random n
h(c||n||u||Vi) ?= Ms
Sk = h(Vi,c,u)
bi,Vi,IDi,CIi,b
bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))
Smart Card