An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices
Authors: Tsu-Yang Wu and Yuh-Min Tseng
Source: The Computer Journal (published online Sep. 2009), doi:10.1093/comjnl/bxp083
Reporter: 陳德祐
Date: Jan 15, 2010
Outline • Introduction • The proposed scheme • Security analysis • Comments
Introduction
Prior pairing-based remote user authentication schemes, in the order the slide presents them, with the slide's annotations kept between the references:
Forgery attack
→ Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.
Computational cost; multi-server
→ Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. Cryptology ePrint Archive.
Mutual authentication; session key
→ Tseng, Y.-M., T.-Y. Wu and J.-D. Wu (2008). A pairing-based user authentication scheme for wireless clients with smart cards. Informatica, 19(2), 285–302.
→ The proposed scheme
Bilinear Pairings
Let G1, G2 and GT be cyclic groups of the same prime order q, where G1 and G2 are additive groups and GT is a multiplicative group.
Definition. A bilinear map e: G1 × G2 → GT is a map with the three standard properties:
• Bilinear: e(aP, bQ) = e(P, Q)^(ab) for all P ∈ G1, Q ∈ G2 and a, b ∈ Zq.
• Non-degenerate: there exist P ∈ G1 and Q ∈ G2 with e(P, Q) ≠ 1, i.e. the map does not send everything to the identity of GT.
• Computability: e(P, Q) can be computed efficiently for all P ∈ G1 and Q ∈ G2.
Notations and system setup
• S: a powerful server
• C: a low-power computing client
• e: a bilinear map, e: G1 × G2 → GT, with G1 = G2 of the same order q
• IDC: the identity of the client C
• DIDC: the private key of the client C
• IDS: the identity of the server S
• P: a generator of the group G1
• s: the system private key in Zq*
• Ppub: the system public key, Ppub = s · P
• H1(): a one-way hash function, H1: {0,1}* × G1 → {0,1}^k
• H2(): a map-to-point function, H2: {0,1}* → G1
• Public parameters: {e, G1, GT, q, P, Ppub, H1, H2}
Key extract phase
Client C → Server S: IDC
Server S: QIDC = H2(IDC); DIDC = s · H2(IDC) = s · QIDC
Server S → Client C: (DIDC, QIDC)
Mutual authentication and key exchange phase
(The client C holds DIDC = s · H2(IDC) = s · QIDC from the key extract phase.)
Client C:
• r ←R Zq*
• U = r · QIDC
• K1 = r · DIDC
• h = H1(IDC, U)
• V = (r + h) · DIDC
Client C → Server S: (IDC, U, V)
Server S:
• QIDC = H2(IDC)
• h = H1(IDC, U)
• check e(P, V) ?= e(Ppub, U + h · QIDC)
• acquire a nonce N
• K2 = s · U
• Auth = H1(Ppub, IDC, N, U, V, K2)
• SK = H1(Auth, N, U, V, K2)
Server S → Client C: (N, Auth)
Client C:
• check Auth ?= H1(Ppub, IDC, N, U, V, K1)
• SK = H1(Auth, N, U, V, K1)
Correctness: K1 = r · DIDC = r · s · QIDC = s · U = K2, and the verification holds because e(P, V) = e(P, (r + h) · s · QIDC) = e(s · P, r · QIDC + h · QIDC) = e(Ppub, U + h · QIDC).
Security analysis and discussion
• Secure against
  – ID attack (Theorem 1)
  – Impersonation attack (Theorems 1 + 2)
  – Passive attack (Theorem 3)
• Mutual authentication
  – Client-to-server authentication (Theorem 1)
  – Server-to-client authentication (Theorem 2)
• Implicit key confirmation (Theorem 4, from Theorems 1 + 2 + 3)
• Partial forward secrecy (Theorem 5)
• Discussion
  – Replay attack
Theorem 1. In the random oracle model, if an adversary A with a non-negligible advantage ε0 can violate the client-to-server authentication of the proposed protocol, then there exists a challenger C1 that solves the CDH problem.
Proof sketch. C1 receives the CDH instance (P, xP, yP) and sets Ppub = xP and QIDC = H2(IDC) = yP, answering the H1 and H2 oracle queries of A itself. A outputs a valid message σ' = (IDC, U', V'). By the forking lemma, rewinding A and answering the query h = H1(IDC, U') differently yields a second valid message σ'' = (IDC, U', V'') with h'' ≠ h'. Both messages pass the verification:
e(P, V') = e(Ppub, U' + h' · QIDC) = e(xP, U' + h' · yP) = e(P, x · U' + x · h' · yP)
e(P, V'') = e(Ppub, U' + h'' · QIDC) = e(xP, U' + h'' · yP) = e(P, x · U' + x · h'' · yP)
so V' = x · U' + h' · xyP and V'' = x · U' + h'' · xyP, and C1 outputs
xyP = (V' − V'') / (h' − h'') = (h' − h'')^(−1) · (V' − V'').
Theorem 2. In the random oracle model, if an adversary A can violate the server-to-client authentication of the proposed protocol with a non-negligible advantage ε, then there exists a challenger C2 that solves the CDH problem with advantage ε' ≥ ε − 1/2^k − q_C^3/q^2, where q_C is the maximum number of queries to the oracle of the client C.
Proof sketch. C2 receives the CDH instance (xP, yP) and sets Ppub = xP and QIDC = H2(IDC) = yP. Playing the client, C2 picks r and sends U' = r · QIDC = ryP (with Ppub = xP as the public key) to A, which impersonates the server and answers (N, Auth). A valid Auth = H1(Ppub, IDC, N, U', V, K2) requires K2 = x · U' = x · r · QIDC = rxyP, and since H1 is a random oracle, A can only produce it by querying H1 on rxyP. C2 reads rxyP off its list of H1 queries and, knowing r, outputs r^(−1) · (rxyP) = xyP.
Theorem 3. In the random oracle model, if an adversary A can guess the coin b involved in the Test query with a non-negligible advantage ε, then there exists a challenger C2 that solves the CDH problem.
Consequences: secure against the passive attack; secure against the disclosure of the session key.
Proof sketch. As in Theorem 2, C2 sets Ppub = xP and QIDC = H2(IDC) = yP and sends U' = r · QIDC = ryP. The session key is derived through the random oracle H1 from K1 = r · DIDC = rxyP, so an adversary that tells the real session key from a random one must query H1 on K1 = rxyP. C2 extracts rxyP from the H1 query list and outputs r^(−1) · (rxyP) = xyP.
Theorem 4. In the random oracle model and under the CDH assumption, the proposed protocol provides implicit key confirmation.
Proof. Implicit key confirmation means that the client (server) is assured that the server (client) is able to compute the session key, and that no one other than the client and the server can compute it. By Theorems 1 and 2, the client C and the server S authenticate each other in the random oracle model under the CDH assumption. By Theorem 3, no one other than the client C and the server S can compute the session key SK. Therefore the proposed protocol provides implicit key confirmation.
Theorem 5. In the random oracle model and under the CDH assumption, the proposed protocol offers partial forward secrecy.
Proof.
• If the system private key s is compromised, all previous session keys can be recovered from the transcripts, because every value in the derivation is either public or computable from s:
  – K2 = s · U
  – Auth = H1(Ppub, IDC, N, U, V, K2)
  – SK = H1(Auth, N, U, V, K2)
• Compromise of the client C (its private key DIDC) does not help to recover previous session keys.
• Therefore the proposed protocol offers partial forward secrecy (against client compromise, but not against compromise of the system private key).
Comparisons (notation used in the cost comparison)
(i) TGe: the time of executing a bilinear pairing operation e, e: G1 × G2 → GT
(ii) TGmul: the time of executing a scalar multiplication of a point
(iii) TGH: the time of executing a map-to-point hash function H2()
(iv) TGadd: the time of executing an addition of points
(v) TH: the time of executing a one-way hash function H1()
(vi) Texp: the time of executing a modular exponentiation
(vii) TMAC: the time of executing a message authentication code
Mutual authentication and key exchange phase: replay attack
The variant discussed on the slide binds a timestamp T into the client's message, so that a replayed (IDC, U, V) is rejected by the timestamp check before the pairing verification. Changes from the original phase are marked.
(The client C holds DIDC = s · H2(IDC) = s · QIDC.)
Client C:
• r ←R Zq*
• U = r · QIDC
• K1 = r · DIDC
• h = H1(IDC, T, U)   (instead of h = H1(IDC, U))
• V = (r + h) · DIDC
Client C → Server S: (IDC, T, U, V)   (instead of (IDC, U, V))
Server S:
• check T   (freshness of the timestamp)
• QIDC = H2(IDC)
• h = H1(IDC, T, U)
• check e(P, V) ?= e(Ppub, U + h · QIDC)
• acquire a nonce N
• K2 = s · U
• Auth = H1(Ppub, IDC, N, U, V, K2)
• SK = H1(Auth, N, U, V, K2)
Server S → Client C: (N, Auth)
Client C:
• check Auth ?= H1(Ppub, IDC, N, U, V, K1)
• SK = H1(Auth, N, U, V, K1)
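The following is an added worked example, not code from the paper or its authors, that runs the mutual authentication and key exchange phase above (both the original message flow and the timestamp-bound variant of this slide) and the transcript-only key recovery of Theorem 5. Real pairing groups are not in the Python standard library, so the block assumes a stand-in: G1 is modelled as the additive group Zq with the point a·P stored as the scalar a, GT as the order-q subgroup of Zp* for p = 2q + 1, and e(a·P, b·P) = g^(ab) mod p. That map is bilinear and non-degenerate, which is all the protocol's checks use, but it is not a secure pairing (a point reveals its discrete log), so the block only demonstrates the message flow, the verification equations and the replay behaviour, never security. The identity, clock value, hash encodings and function names are all constructed for the example.

```python
"""Toy run of the Wu-Tseng ID-based mutual authentication and key exchange
protocol, added as an illustration; it is not the authors' code.

ASSUMED stand-in for the pairing: G1 is the additive group Z_q with the point
a*P stored as the scalar a (so P = 1), GT is the order-q subgroup of Z_p^* for
p = 2q + 1, and e(a*P, b*P) = g^(a*b) mod p.  This is bilinear and
non-degenerate but NOT secure (a point reveals its discrete log); it only lets
the message flow and the checks run end to end.
"""
import hashlib
import secrets

Q = 509            # prime group order q (toy size)
P_MOD = 2 * Q + 1  # 1019, prime, so Z_p^* has a subgroup of order q
G_T = 4            # 2^2 mod p generates that order-q subgroup
P = 1              # generator P of G1 in the stand-in

def add(a, b): return (a + b) % Q                         # point addition
def mul(k, a): return (k * a) % Q                         # scalar multiplication
def pairing(a, b): return pow(G_T, (a * b) % Q, P_MOD)    # e(A, B)

def H1(*parts):
    """H1 -> {0,1}^k: SHA-256 over length-prefixed encodings of the arguments."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

def H2(identity):
    """H2: {0,1}* -> G1 (map-to-point), here a hash to a non-zero scalar."""
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1)

def hash_to_scalar(id_c, U, T=None):
    """h = H1(ID_C, U); the replay-hardened variant uses h = H1(ID_C, T, U)."""
    d = H1(id_c, U) if T is None else H1(id_c, T, U)
    return int.from_bytes(d, "big") % Q

def setup():
    s = secrets.randbelow(Q - 1) + 1  # system private key s in Z_q^*
    return s, mul(s, P)               # (s, Ppub = s*P)

def extract(s, id_c):
    q_id = H2(id_c)
    return mul(s, q_id), q_id         # (D_ID = s*Q_ID, Q_ID)

def client_round1(id_c, d_id, q_id, T=None):
    """Client C: returns its secret K1 and the message (ID_C, [T,] U, V)."""
    r = secrets.randbelow(Q - 1) + 1
    U, K1 = mul(r, q_id), mul(r, d_id)
    h = hash_to_scalar(id_c, U, T)
    V = mul((r + h) % Q, d_id)
    return K1, (id_c, U, V) if T is None else (id_c, T, U, V)

def server_respond(s, ppub, id_c, U, V, T=None, now=None, window=30):
    """Server S: returns (SK, (N, Auth)), or None if the client message is rejected."""
    if T is not None and abs(now - T) > window:
        return None                   # stale T: rejected before the pairing check
    h = hash_to_scalar(id_c, U, T)
    if pairing(P, V) != pairing(ppub, add(U, mul(h, H2(id_c)))):
        return None                   # e(P, V) != e(Ppub, U + h*Q_ID)
    N = secrets.token_bytes(16)       # fresh nonce
    K2 = mul(s, U)
    auth = H1(ppub, id_c, N, U, V, K2)
    return H1(auth, N, U, V, K2), (N, auth)

def client_finish(ppub, id_c, U, V, K1, N, auth):
    """Client C: checks Auth with its own K1 (= K2) and derives SK."""
    if auth != H1(ppub, id_c, N, U, V, K1):
        return None
    return H1(auth, N, U, V, K1)

def run_session(use_timestamp=False, client_clock=1_000_000):
    """One full run; returns what each side holds afterwards plus the transcript."""
    s, ppub = setup()
    id_c = b"client-42"               # constructed identity
    d_id, q_id = extract(s, id_c)
    T = client_clock if use_timestamp else None
    K1, msg = client_round1(id_c, d_id, q_id, T)
    U, V = msg[-2], msg[-1]
    sk_s, (N, auth) = server_respond(s, ppub, id_c, U, V, T, now=client_clock)
    sk_c = client_finish(ppub, id_c, U, V, K1, N, auth)
    return {"s": s, "sk_client": sk_c, "sk_server": sk_s,
            "transcript": (id_c, U, V, N, auth)}

def replay_accepted(use_timestamp, delay):
    """Resend a captured client message `delay` seconds later; does S accept it?"""
    s, ppub = setup()
    id_c = b"client-42"
    d_id, q_id = extract(s, id_c)
    T = 1_000_000 if use_timestamp else None
    _, msg = client_round1(id_c, d_id, q_id, T)
    U, V = msg[-2], msg[-1]
    return server_respond(s, ppub, id_c, U, V, T, now=1_000_000 + delay) is not None

def recover_sk_with_s(s, transcript):
    """Theorem 5: whoever learns the system key s recomputes SK from the transcript alone."""
    id_c, U, V, N, auth = transcript
    return H1(auth, N, U, V, mul(s, U))
```

Two things the run makes visible. `replay_accepted(False, 3600)` returns True: in the original phase the server's verification has no freshness input, so a captured (IDC, U, V) passes the pairing check however late it is resent (the replayer still cannot derive SK, since that needs r or s, but the server spends a pairing evaluation on it), whereas with T bound into h a stale replay is rejected by the cheap timestamp check first. `recover_sk_with_s` reproduces the server's SK from nothing but s and the recorded (U, V, N, Auth), which is exactly the half of forward secrecy that Theorem 5 does not provide.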
Comments
• Forward secrecy
• Nonce-based
• Explicit key confirmation
• Multi-server environment