
Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem

No author given (Korea Information Security Agency). Presented by J. Liu. Outline: Introduction; Review of the Hwang-Lo-Lin scheme; Cryptanalysis; The modified ID-based identification scheme; Security analysis.


Presentation Transcript


  1. Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem. No author given (Korea Information Security Agency). Presented by J. Liu

  2. Outline
     • Introduction
     • Review of the Hwang-Lo-Lin scheme
     • Cryptanalysis
     • The modified ID-based identification scheme
     • Security analysis
     • Performance analysis
     • Conclusions

  3. Introduction
     • ID-based public key cryptosystem.
     • Maurer-Yacobi (1996), Tseng-Jan (1998), Hwang-Lo-Lin (2004), Horng-Liu-Liu (2005), this Letter (2005)
     • Hwang et al. developed an improved scheme suitable for the wireless environment.

  4. Review of the Hwang-Lo-Lin scheme
     • TA sets up the system parameters as follows:
     • $N = p_1 p_2 p_3 p_4$, where the $p_i$ are primes of 60 to 70 decimal digits and the $(p_i - 1)/2$ are odd and pairwise relatively prime.
     • DLP is feasible but factoring $N$ is infeasible.
     • $g$ is a primitive root in each $GF(p_i)$.
     • $h(\cdot)$ is a one-way hash function.
     • $ed = 1 \bmod \varphi(N)$ and $tv = 1 \bmod \varphi(N)$.

  5. Cont
     • $ID_b$, $ID_m$: identities of the base station (BS) and the mobile device (M), respectively.
     • $s_b = e\,t\,\log_g(ID_b^2) \bmod \varphi(N)$ is the secret key for BS.
     • $s_m = e\,t\,\log_g(ID_m^2) \bmod \varphi(N)$ is the secret key for M.
     • $T$: timestamp.
     • $\{N, g, e, h(\cdot)\}$ are public parameters; $\{p_1, p_2, p_3, p_4, t, v, d\}$ are kept secret.

  6. Login and authentication
     • M chooses $k \in_R Z_N^*$ and computes $Y = (ID_m^2)^k \bmod N$, $Z = (ID_b^2)^{k s_m T} \bmod N$.
     • M sends $\{ID_m, Y, Z, T\}$ to BS.
     • BS computes $Z' = Y^{s_b T}$ and checks $Z = Z'$. If yes then… else…. ?

  7. Key points

  8. Cryptanalysis
     • An attacker forges $\{ID_m, Y_1, Z_1, T'\}$ from a valid login message $\{ID_m, Y, Z, T\}$ by computing $Y_1 = Y^{rT} \bmod N$ and $Z_1 = Z^{rT'} \bmod N$.

  9. The modified ID-based identification scheme
     • The parameters are the same as in Hwang's scheme, but the 4 primes each have a bit size of more than 1024 bits. (DLP OK? About 300 decimal digits.)
     • M sends $\{ID_m, Z, T\}$ to BS, where $Z = H((ID_b^2)^{s_m T} \bmod N)$.
     • BS verifies by $Z = H((ID_m^2)^{s_b T} \bmod N)$.

  10. Security analysis
     • Passive replay attack: changes timestamp $T$. $H((ID_m^2)^{s_b T} \bmod N) \neq H((ID_m^2)^{s_b T'} \bmod N)$
     • Active replay attack: the attacker cannot change $Z$ and $T$ without $s_m$ and $s_b$.
     • ID-stolen attack: the same as 2.

  11. Performance analysis
     • Without random number generator (hash function).
     • Shorter message length (1/2).
     • Fewer exponential operations (21).
     • More suitable for the wireless environment.

  12. Conclusion
     • Secure
     • More suitable.
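
The login check from slide 6, the forgery from slide 8 and the hashed variant from slides 9 and 10, run on toy numbers as an added example (not code from the paper or the presentation). The primes, e, t, identities, timestamps, k, r, the use of SHA-256 for H and the reduction of keys modulo φ(N) are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy parameters; the slides call for primes of 60-70 digits or more.
PRIMES = (7, 11, 23, 47)        # each (p-1)/2 is odd and pairwise coprime
N = 7 * 11 * 23 * 47
PHI = 6 * 10 * 22 * 46          # phi(N)
ORD = 2 * 3 * 5 * 11 * 23       # order of g mod N = lcm(p_i - 1)
E, T_KEY = 7, 13                # TA's e and secret t (assumed, coprime to phi(N))

def is_root(g, p):              # valid because p - 1 = 2q with q an odd prime
    return pow(g, (p - 1) // 2, p) == p - 1 and pow(g, 2, p) != 1

G = next(g for g in range(2, N) if all(is_root(g, p) for p in PRIMES))

def extract(identity):
    """TA: s = e*t*log_g(ID^2) mod phi(N); brute-force log is fine at toy size."""
    x = next(x for x in range(ORD) if pow(G, x, N) == pow(identity, 2, N))
    return E * T_KEY * x % PHI

def login(id_m, id_b, s_m, T, k):           # Hwang-Lo-Lin login message
    return id_m, pow(id_m, 2 * k, N), pow(id_b, 2 * k * s_m * T, N), T

def verify(msg, s_b):                       # BS check Z == Y^(s_b*T); freshness of T not modelled
    _, Y, Z, T = msg
    return pow(Y, s_b * T, N) == Z

def forge(msg, T_new, r):                   # slide 8: uses no secret key
    id_m, Y, Z, T = msg
    return id_m, pow(Y, r * T, N), pow(Z, r * T_new, N), T_new

def H(x):                                   # SHA-256 stands in for the slides' H (assumption)
    return hashlib.sha256(str(x).encode()).hexdigest()

def login_mod(id_m, id_b, s_m, T):          # modified scheme: no k, no Y
    return id_m, H(pow(id_b, 2 * s_m * T, N)), T

def verify_mod(msg, s_b):
    id_m, Z, T = msg
    return H(pow(id_m, 2 * s_b * T, N)) == Z

def demo():
    id_m, id_b, T, T_new = 1234, 5678, 1000, 1001   # constructed identities and timestamps
    s_m, s_b = extract(id_m), extract(id_b)
    msg = login(id_m, id_b, s_m, T, k=5)
    mod = login_mod(id_m, id_b, s_m, T)
    return (verify(msg, s_b), verify(forge(msg, T_new, r=3), s_b),
            verify_mod(mod, s_b), verify_mod((mod[0], mod[1], T_new), s_b))

if __name__ == "__main__":
    print(demo())
```

The four results are: genuine login accepted, forged login with a new timestamp accepted by the original check, genuine login accepted by the modified check, and a replay of the hashed value under a changed timestamp rejected.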
