An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Authors: Xiong Li, Yongping Xiong, Jian Ma, Wendong Wang. Source: Journal of Network and Computer Applications 35 (2012) 763–769
An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Authors: Xiong Li, Yongping Xiong, Jian Ma, Wendong Wang. Source: Journal of Network and Computer Applications 35 (2012) 763–769. Presenter: 陳鈺惠. Date: 2014/1/23
Outline
• 1. Introduction
• 2. Overview of Sood et al.'s scheme
• 3. Weaknesses of Sood et al.'s scheme
• 4. Proposed scheme
• 5. Protocol analysis
• 6. Conclusions
1. Introduction (1/1)
• With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet, such as online shopping and online games.
• This paper proposes an efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.
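2. Overview of Sood et al.'s scheme (1/4): Registration phase
Parties: Ui, Sk, CS
• Ui: computes Ai = h(IDi||b), Bi = h(b⊕Pi)
• Ui → CS: Ai, Bi
• CS: computes Fi = Ai⊕yi, Gi = Bi⊕h(yi)⊕h(x), Ci = Ai⊕h(yi)⊕x; stores (Ci, yi⊕x)
• CS → Ui: smart card (Fi, Gi, h(·))
• Ui: computes Di = b⊕h(IDi||Pi), Ei = h(IDi||Pi)⊕Pi; the smart card then holds (Di, Ei, Fi, Gi, h(·))
• Server registration: (SIDk, SKk); stores (SIDk, SKk⊕h(x||SIDk))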
2. Overview of Sood et al.'s scheme (2/4): Login phase
Parties: Ui, Sk, CS
• Ui: inputs IDi*, Pi*
• Smart card: computes Ei* = h(IDi*||Pi*)⊕Pi* and checks Ei* = Ei
• Smart card: b = Di⊕h(IDi||Pi), Ai = h(IDi||b), Bi = h(b⊕Pi), yi = Fi⊕Ai, h(x) = Gi⊕Bi⊕h(yi)
• Smart card: Zi = h²(x)⊕Ni1, CIDi = Ai⊕h(yi)⊕h(x)⊕Ni1, Mi = h(h(x)||yi||SIDk||Ni1)
• Ui → Sk: (SIDk, Zi, CIDi, Mi)
2. Overview of Sood et al.'s scheme (3/4): Authentication and session key agreement phase
Parties: Ui, Sk, CS
• Sk: Ri = Ni2⊕SKk
• Sk → CS: (SIDk, Zi, CIDi, Mi, Ri)
• CS: Ni1 = Zi⊕h²(x), Ni2 = Ri⊕SKk
• CS: Ci* = CIDi⊕Ni1⊕h(x)⊕x; checks Ci* = Ci; extracts yi
• CS: Mi* = h(h(x)||yi||SIDk||Ni1); checks Mi* = Mi
• CS: Ki = Ni1⊕Ni3⊕h(SKk||Ni2)
• CS: Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
• CS: Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
• CS: Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
• CS → Sk: (Ki, Xi, Vi, Ti)
2. Overview of Sood et al.'s scheme (4/4): Authentication and session key agreement phase
Parties: Ui, Sk, CS
• Sk: Ni1⊕Ni3 = Ki⊕h(SKk||Ni2)
• Sk: h(IDi||yi||Ni1) = Xi⊕h(Ni1⊕Ni2⊕Ni3)
• Sk: Vi* = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]; checks Vi* = Vi
• Sk → Ui: (Vi, Ti)
• Ui: Ni2⊕Ni3 = Ti⊕h(yi||IDi||h(x)||Ni1)
• Ui: Vi* = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]; checks Vi* = Vi
• Session key: SK = h(h(IDi||yi||Ni1)||(Ni1⊕Ni2⊕Ni3))
3. Weaknesses of Sood et al.'s scheme (1/2): Leak-of-verifier attack
Parties: Ui, Sk, CS
Attack steps annotated on the protocol:
• 1. yi, h(x)
• 2. x, h(x), yi⊕x
• 3. yi, Ai and h(x)
• 4. Get Ni1; compute Zi, CIDi, Mi; Uk logs in
Registration phase:
• Ui: Ai = h(IDi||b), Bi = h(b⊕Pi)
• Ui → CS: Ai, Bi
• CS: Fi = Ai⊕yi, Gi = Bi⊕h(yi)⊕h(x), Ci = Ai⊕h(yi)⊕x; stores (Ci, yi⊕x)
• CS → Ui: smart card (Fi, Gi, h(·))
• Ui: Di = b⊕h(IDi||Pi), Ei = h(IDi||Pi)⊕Pi; the smart card stores (Di, Ei, Fi, Gi, h(·))
• Server registration: (SIDk, SKk); stores (SIDk, SKk⊕h(x||SIDk))
Login phase:
• Ui: inputs IDi*, Pi*
• Smart card: Ei* = h(IDi*||Pi*)⊕Pi*; checks Ei* = Ei
• Smart card: b = Di⊕h(IDi||Pi), Ai = h(IDi||b), Bi = h(b⊕Pi), yi = Fi⊕Ai, h(x) = Gi⊕Bi⊕h(yi)
• Smart card: Zi = h²(x)⊕Ni1, CIDi = Ai⊕h(yi)⊕h(x)⊕Ni1, Mi = h(h(x)||yi||SIDk||Ni1)
• Ui → Sk: (SIDk, Zi, CIDi, Mi)
3. Weaknesses of Sood et al.'s scheme (2/2): Leak-of-verifier attack
Parties: Ui, Sk, CS
Attack steps annotated on the protocol:
• 5. Submits (SIDk, Z′i, CID′i, M′i) to Sj; get Ni′2
• 6. C*i = CID′i⊕Ni′1⊕h(x)⊕x = Ai⊕h(yi)⊕x = Ci
• 7. Uk gets x, yi (Ci = Ai⊕h(yi)⊕x)
Authentication and session key agreement phase:
• Sk: Ri = Ni2⊕SKk
• Sk → CS: (SIDk, Zi, CIDi, Mi, Ri)
• CS: Ni1 = Zi⊕h²(x), Ni2 = Ri⊕SKk
• CS: Ci* = CIDi⊕Ni1⊕h(x)⊕x; checks Ci* = Ci; extracts yi
• CS: Mi* = h(h(x)||yi||SIDk||Ni1); checks whether Mi* = Mi
• CS: Ki = Ni1⊕Ni3⊕h(SKk||Ni2)
• CS: Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
• CS: Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
• CS: Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
• CS → Sk: (Ki, Xi, Vi, Ti)
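3. Weaknesses of Sood et al.'s scheme: Stolen smart card attack
Parties: Ui, Sk, CS
Attack steps annotated on the protocol:
• 1. Eavesdropped a previously valid login message (SIDk, Zi, CIDi, Mi); Uk gets (Di, Ei, Fi, Gi, h(·), h(x))
• 2. CID′i⊕Ni′1⊕h(x) = Ai⊕h(yi)
• 3. Combining Di = bi⊕h(IDi||Pi) and Ei = h(IDi||Pi)⊕Pi gives bi⊕Pi = Di⊕Ei; then h(bi⊕Pi) = Bi and h(yi) = Gi⊕Bi⊕h(x); compute Ai = h(yi)⊕(Ai⊕h(yi)); get yi = Fi⊕Ai
• 4. Uk can forge a valid login request message
Login phase:
• Ui: inputs IDi*, Pi*
• Smart card: Ei* = h(IDi*||Pi*)⊕Pi*; checks Ei* = Ei
• Smart card: b = Di⊕h(IDi||Pi), Ai = h(IDi||b), Bi = h(b⊕Pi), yi = Fi⊕Ai, h(x) = Gi⊕Bi⊕h(yi)
• Smart card: Zi = h²(x)⊕Ni1, CIDi = Ai⊕h(yi)⊕h(x)⊕Ni1, Mi = h(h(x)||yi||SIDk||Ni1)
• Ui → Sk: (SIDk, Zi, CIDi, Mi)
Authentication and session key agreement phase:
• Sk: Ri = Ni2⊕SKk
• Sk → CS: (SIDk, Zi, CIDi, Mi, Ri)
• CS: Ni1 = Zi⊕h²(x), Ni2 = Ri⊕SKk
• CS: Ci* = CIDi⊕Ni1⊕h(x)⊕x; checks Ci* = Ci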
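The derivation on this slide can be checked end to end. The following Python sketch is an added example, not code from the paper or the presentation; it models h(·) with SHA-256, treats every XORed value as a 32-byte string, and uses constructed identities and secrets.

```python
import hashlib, os

def h(*parts):                      # h(a||b||...); SHA-256 is an assumption
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):                     # XOR of 32-byte values
    out = bytes(32)
    for v in vals:
        out = bytes(p ^ q for p, q in zip(out, v))
    return out

# Constructed sample values (not from the paper)
x, y = os.urandom(32), os.urandom(32)            # CS master secret x, per-user yi
ID, P = b"alice", b"constructed-pw".ljust(32, b"\0")
SID, b = b"server-k", os.urandom(32)

# Registration phase, as on the slides
A, B = h(ID, b), h(xor(b, P))
card = {"D": xor(b, h(ID, P)), "E": xor(h(ID, P), P),
        "F": xor(A, y), "G": xor(B, h(y), h(x))}
cs_table = {"C": xor(A, h(y), x), "y_xor_x": xor(y, x)}

def login(A, y, hx, N1):
    """Login request (SIDk, Zi, CIDi, Mi) for nonce Ni1."""
    return SID, xor(h(hx), N1), xor(A, h(y), hx, N1), h(hx, y, SID, N1)

def cs_accepts(msg):
    """CS side: checks Ci* = Ci and Mi* = Mi."""
    sid, Z, CID, M = msg
    N1 = xor(Z, h(h(x)))
    if xor(CID, N1, h(x), x) != cs_table["C"]:
        return False
    yi = xor(cs_table["y_xor_x"], x)
    return M == h(h(x), yi, sid, N1)

def recover_from_card(card, hx, eavesdropped):
    """Steps 1-3: derive (Ai, yi) from card values, h(x) and one old login."""
    _, Z, CID, _ = eavesdropped
    N1 = xor(Z, h(hx))                       # Ni1 = Zi xor h^2(x)
    A_xor_hy = xor(CID, N1, hx)              # step 2
    B = h(xor(card["D"], card["E"]))         # step 3: Di xor Ei = bi xor Pi
    hy = xor(card["G"], B, hx)
    A = xor(hy, A_xor_hy)
    return A, xor(card["F"], A)              # yi = Fi xor Ai

old = login(A, y, h(x), os.urandom(32))      # the victim's genuine login
rA, ry = recover_from_card(card, h(x), old)  # h(x) is known to Uk per step 1
forged = login(rA, ry, h(x), os.urandom(32)) # step 4, built without IDi or Pi
```

The CS accepts `forged` even though neither the password nor b was used to build it, which is why the proposed scheme removes the verifier table and stops storing values on the card that unwrap to Ai and yi.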
3. Weaknesses of Sood et al.'s scheme: Incorrect authentication and session key agreement phase
• In the registration phase, Ui submits Ai, Bi rather than the true identity IDi to CS.
• But step 4 computes the following, which use IDi:
• Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
• Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
• Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
3. Proposed scheme: Registration phase
Parties: Ui, Sj, CS
• Ui: chooses IDi, Pi, b; computes Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
• Ui enters b into the smart card; the smart card stores (Ci, Di, Ei, h(·), h(y), b)
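3. Proposed scheme: Login phase
Parties: Ui, Sj, CS
• Ui: inputs IDi, Pi
• Smart card: computes Ai = h(b||Pi), Ci′ = h(IDi||h(y)||Ai); checks Ci′ = Ci
• Smart card: generates Ni1
• Smart card: Bi = Di⊕h(IDi||Ai), Fi = h(y)⊕Ni1
• Smart card: Pij = Ei⊕h(h(y)||Ni1||SIDj)
• Smart card: CIDi = Ai⊕h(Bi||Fi||Ni1)
• Smart card: Gi = h(Bi||Ai||Ni1)
• Ui → Sj: (Fi, Gi, Pij, CIDi)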
3. Proposed scheme (4/5): Authentication and session key agreement phase
Parties: Ui, Sj, CS
• Sj: chooses Ni2; Ki = h(SIDj||y)⊕Ni2; Mi = h(h(x||y)||Ni2)
• Sj → CS: (Fi, Gi, Pij, CIDi, SIDj, Ki, Mi)
• CS: Ni2 = Ki⊕h(SIDj||y); Mi′ = h(h(x||y)||Ni2); checks Mi′ = Mi
• CS: Ni1 = Fi⊕h(y)
• CS: Bi = Pij⊕h(h(y)||Ni1||SIDj)⊕h(y||x)
• CS: Ai = CIDi⊕h(Bi||Fi||Ni1)
• CS: Gi′ = h(Bi||Ai||Ni1); checks Gi′ = Gi
• CS: generates Ni3
• CS: Qi = Ni1⊕Ni3⊕h(SIDj||Ni2)
• CS: Ri = h(Ai||Bi)⊕h(Ni1⊕Ni2⊕Ni3)
• CS: Vi = h(h(Ai||Bi)||h(Ni1⊕Ni2⊕Ni3))
• CS: Ti = Ni2⊕Ni3⊕h(Ai||Bi||Ni1)
3. Proposed scheme (5/5): Authentication and session key agreement phase
Parties: Ui, Sj, CS
• CS → Sj: (Qi, Ri, Vi, Ti)
• Sj: Ni1⊕Ni3 = Qi⊕h(SIDj||Ni2)
• Sj: h(Ai||Bi) = Ri⊕h(Ni1⊕Ni3⊕Ni2)
• Sj: Vi′ = h(h(Ai||Bi)||h(Ni1⊕Ni3⊕Ni2)); checks Vi′ = Vi
• Sj → Ui: (Vi, Ti)
• Ui: Ni2⊕Ni3 = Ti⊕h(Ai||Bi||Ni1)
• Ui: Vi′ = h(h(Ai||Bi)||h(Ni2⊕Ni3⊕Ni1)); checks Vi′ = Vi
• Session key: SK = h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))
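The three phases of the proposed scheme, run as one exchange so that the session key each party derives can be compared. This is an added Python example, not code from the paper or the presentation; SHA-256 stands in for h(·), nonces are 32 random bytes, and Sj is assumed to hold h(SIDj||y) and h(x||y).

```python
import hashlib, os

def h(*parts):                      # h(a||b||...); SHA-256 is an assumption
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):                     # XOR of 32-byte values
    out = bytes(32)
    for v in vals:
        out = bytes(p ^ q for p, q in zip(out, v))
    return out

def register(ID, P, x, y):
    """Registration: Ui sends (IDi, Ai); CS issues the card; Ui adds b."""
    b = os.urandom(32)
    A, B = h(b, P), h(ID, x)
    return {"C": h(ID, h(y), A), "D": xor(B, h(ID, A)),
            "E": xor(B, h(y, x)), "hy": h(y), "b": b}

def run_session(card, ID, P, SID, x, y):
    """Login and authentication; returns SK as seen by (Ui, Sj, CS) or None."""
    A = h(card["b"], P)                          # smart card, login phase
    if h(ID, card["hy"], A) != card["C"]:
        return None                              # wrong IDi or Pi
    N1 = os.urandom(32)
    B, F = xor(card["D"], h(ID, A)), xor(card["hy"], N1)
    Pij = xor(card["E"], h(card["hy"], N1, SID))
    CID, G = xor(A, h(B, F, N1)), h(B, A, N1)
    # Sj adds Ki, Mi (assumed to hold h(SIDj||y) and h(x||y))
    N2 = os.urandom(32)
    K, M = xor(h(SID, y), N2), h(h(x, y), N2)
    # CS recovers the nonces, Bi and Ai, then checks Mi and Gi
    cN2, cN1 = xor(K, h(SID, y)), xor(F, h(y))
    cB = xor(Pij, h(h(y), cN1, SID), h(y, x))
    cA = xor(CID, h(cB, F, cN1))
    if h(h(x, y), cN2) != M or h(cB, cA, cN1) != G:
        return None
    N3 = os.urandom(32)
    n123 = xor(cN1, cN2, N3)
    Q, R = xor(cN1, N3, h(SID, cN2)), xor(h(cA, cB), h(n123))
    V, T = h(h(cA, cB), h(n123)), xor(cN2, N3, h(cA, cB, cN1))
    # Sj and Ui each rebuild Ni1 xor Ni2 xor Ni3 and check Vi
    s123 = xor(Q, h(SID, N2), N2)
    sAB = xor(R, h(s123))
    u123 = xor(T, h(A, B, N1), N1)
    if h(sAB, h(s123)) != V or h(h(A, B), h(u123)) != V:
        return None
    return h(h(A, B), u123), h(sAB, s123), h(h(cA, cB), n123)
```

Note that the CS recovers Ai and Bi from the login message alone, so it needs no per-user table, and that Sj ends up with h(Ai||Bi) without learning IDi.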
4. Protocol analysis: Replay attack
• The user Ui, the server Sj and the control server CS choose different nonce values Ni1, Ni2, Ni3, respectively, to compute and verify the authentication messages.
4. Protocol analysis: Impersonation attack
Parties: Ui, Sj, CS
Annotations on the protocol:
• 1. Smart card
• 2. Cannot compute Ai, Bi, Ei to get (IDi, Pi, x), so cannot impersonate Ui
• 3. Cannot forge a valid login request
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
• Ui enters b into the smart card; the smart card stores (Ci, Di, Ei, h(·), h(y), b)
Login phase:
• Ui: inputs IDi, Pi
• Smart card: computes Ai = h(b||Pi), Ci′ = h(IDi||h(y)||Ai); checks Ci′ = Ci
• Smart card: generates Ni1
• Smart card: Bi = Di⊕h(IDi||Ai), Fi = h(y)⊕Ni1
• Smart card: Pij = Ei⊕h(h(y)||Ni1||SIDj)
• Smart card: CIDi = Ai⊕h(Bi||Fi||Ni1)
• Smart card: Gi = h(Bi||Ai||Ni1)
• Ui → Sj: (Fi, Gi, Pij, CIDi)
4. Protocol analysis: Stolen smart card attack
Parties: Ui, Sj, CS
Annotations on the protocol:
• 1. Uk gets (Ci, Di, Ei, h(·), h(y), b)
• 2. Cannot compute Ai, Bi
• 3. Cannot get IDi, Pi to mount an impersonation attack using the lost or stolen smart card
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
4. Protocol analysis: Leak-of-verifier attack
• No verifier information is stored in the control server CS, so a malicious privileged user cannot get any useful information from the CS.
4. Protocol analysis: User's anonymity
• Ui chooses IDi, Pi, b
• Ai = h(b||Pi)
• Bi = h(IDi||x)
4. Protocol analysis: Mutual authentication and session key agreement
• In the registration phase, Ui submits Ai, Bi rather than the true identity IDi to CS.
• But step 4 computes the following, which use IDi:
• Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
• Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
• Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
• Ui, the server Sj and the control server CS can agree on a shared session key SK = h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))
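5. Conclusion
• 1. In Sood's protocol, Sk and CS share a key SKk, but this paper has no such key. The paper states that no data is stored in the CS, but then how do the CS and Sk authenticate each other?
• 2. Without that authentication, impersonation attacks cannot be defended against.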
Thank You!
Weaknesses of Proposed scheme: Impersonation attack (1/2)
Parties: Ui, Sj, CS
Annotations on the protocol:
• 1. Smart card
• 2. Cannot compute Ai, Bi, Ei to get (IDi, Pi, x), so cannot impersonate Ui
• 3. Cannot forge a valid login request
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
• Ui enters b into the smart card; the smart card stores (Ci, Di, Ei, h(·), h(y), b)
Login phase:
• Ui: inputs IDi, Pi
• Smart card: computes Ai = h(b||Pi), Ci′ = h(IDi||h(y)||Ai); checks Ci′ = Ci
• Smart card: generates Ni1
• Smart card: Bi = Di⊕h(IDi||Ai), Fi = h(y)⊕Ni1
• Smart card: Pij = Ei⊕h(h(y)||Ni1||SIDj)
• Smart card: CIDi = Ai⊕h(Bi||Fi||Ni1)
• Smart card: Gi = h(Bi||Ai||Ni1)
• Ui → Sj: (Fi, Gi, Pij, CIDi)
Weaknesses of Proposed scheme: Impersonation attack (2/2)
Parties: Ui, Sj, CS
Attack steps annotated on the protocol:
• 1. Uk is a legitimate user and uses Uk's smart card
• 2. If Ai, Bi, Ei can be computed to get IDi, Pi, x, then Ui can be impersonated
• 3. The legitimate user gets (Ci, Di, Ei, h(·), h(y)) and receives (Fi, Gi, Pij, CIDi)
• 4. (1) Ei = Bi⊕h(y||x) (Ei, h(y||x) are known): get Bi
• 4. (2) Uk uses the smart card to get Ni1
• 4. (3) CIDi = Ai⊕h(Bi||Fi||Ni1) (CIDi, Bi, Fi, Ni1 are known): get Ai
• 4. (4) Pij = Ei⊕h(h(y)||Ni1||SIDj) (Ei, h(y), Ni1, SIDj are known): forge Pi
• 4. (5) Fi = h(y)⊕Ni1 (h(y), Ni1 are known): forge Fi
• 4. (6) Gi = h(Bi||Ai||Ni1) (Bi, Ai, Ni1 are known): forge Gi
• 4. (7) CIDi = Ai⊕h(Bi||Fi||Ni1) (CIDi, Ai, Bi, Fi, Ni1 are known): forge CIDi
• 5. Uk can forge (Fi, Gi, Pij, CIDi) to attack
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
Login phase:
• Ui: inputs IDi, Pi
• Smart card: computes Ai = h(b||Pi), Ci′ = h(IDi||h(y)||Ai); checks Ci′ = Ci
• Smart card: generates Ni1
• Smart card: Bi = Di⊕h(IDi||Ai), Fi = h(y)⊕Ni1
• Smart card: Pij = Ei⊕h(h(y)||Ni1||SIDj)
• Smart card: CIDi = Ai⊕h(Bi||Fi||Ni1)
• Smart card: Gi = h(Bi||Ai||Ni1)
• Ui → Sj: (Fi, Gi, Pij, CIDi)
Weaknesses of Proposed scheme: Stolen smart card attack (1/2)
Parties: Ui, Sj, CS
Annotations on the protocol:
• 1. Uk gets (Ci, Di, Ei, h(·), h(y), b)
• 2. Cannot compute Ai, Bi
• 3. Cannot get IDi, Pi to mount an impersonation attack using the lost or stolen smart card
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
Weaknesses of Proposed scheme: Stolen smart card attack (2/2)
Parties: Ui, Sj, CS
Attack steps annotated on the protocol:
• 1. Uk is a legitimate user and uses the stolen smart card
• 2. If Ai, Bi, Ei can be computed to get IDi, Pi, x, then Ui can be impersonated
• 3. The legitimate user gets (Ci, Di, Ei, h(·), h(y)) and receives (Fi, Gi, Pij, CIDi)
• 4. (1) Ei = Bi⊕h(y||x) (Ei, h(y||x) are known): get Bi
• 4. (2) Fi = h(y)⊕Ni1 (h(y), Ni1, Fi are known)
• 4. (3) CIDi = Ai⊕h(Bi||Fi||Ni1) (CIDi, Bi, Fi, Ni1 are known): get Ai
• 5. Uk can compute Ai, Bi, Ei to get IDi, Pi and mount an impersonation attack using the lost or stolen smart card
Registration phase:
• Ui: chooses IDi, Pi, b; Ai = h(b||Pi)
• Ui → CS: (IDi, Ai)
• CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai), Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
• CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))