200 likes | 295 Views
An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards . 作者 : JongHyup LEE 出處 : 2011 Elsevier Journal of Network and Computer Applications 報告人 : 陳鈺惠
E N D
An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者:JongHyup LEE 出處:2011 Elsevier Journal of Network and Computer Applications 報告人:陳鈺惠 日期:2013/12/04
Introduction 1 Overview of Sood et al.’s scheme 2 Protocol analysis 4 3 Conclusion Proposed scheme 3 5 4 4 Outline
1.Introduction(1/1) • With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet such as online shopping, online game. • This paper propose an efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.
2.Overview of Sood et al.’s scheme (1/8)Registration phase UiSk CS Ai=h(IDi||b) Bi=h(b⊕Pi) Ai、Bi Fi= Ai⊕yi Gi=Bi⊕h(yi)⊕h(x) Ci=Ai⊕h(yi)⊕x (Fi、Gi、h(·)) Stores (Ci、yi⊕x) Smart card Di=b⊕h(IDi||Pi) Ei=h(IDi||Pi)⊕Pi Smart card(Di、Ei、Fi、Gi、h(·)) (SIDk、SKk) Stores(SIDk、SKk⊕h(x||SIDk))
2.Overview of Sood et al.’s scheme (2/8)Login phase UiSkCS IDi* Pi*Smart cardEi*=h(IDi*||Pi*)⊕Pi*Ei*=Ei?b=Di⊕h(IDi||Pi),Ai=h(IDi||b) Bi=h(b⊕Pi),yi=Fi⊕Ai h(x)=Gi⊕Bi⊕h(yi),Zi=h2(x)⊕Ni1 CIDi=Ai⊕h(yi)⊕h(x)⊕Ni1 Mi=h(h(x)||yi||SIDk||Ni1) (SIDk、Zi、CIDi、Mi)
2.Overview of Sood et al.’s scheme (3/8)Authentication and session key agreement phase UiSk CS Ri=Ni2⊕SKk (SIDk、Zi、CIDi、Mi、Ri) Ni1=Zi⊕h2(x),Ni2=Ri⊕SKk Ci*=CIDi⊕Ni1⊕h(x)⊕x Ci*=Ci?,extracts yi Mi*=h(h(x)||yi||SIDk||Ni1) Mi*=Mi? Ki=Ni1⊕Ni3⊕h(SKk||Ni2) Xi=h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3) Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)] Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1) (Ki、Xi、Vi、Ti)
2.Overview of Sood et al.’s scheme(4/8)Authentication and session key agreement phase UiSk CS Ni1⊕Ni3=Ki⊕h(SKk||Ni2) h(IDi||yi||Ni1)=Xi⊕h(Ni1⊕Ni2⊕Ni3) Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)] Vi*=Vi? (Vi、Ti) Ni2⊕Ni3Ti⊕h(yi||IDi||h(x)||Ni1) Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)] Vi*=Vi? SK=h(h(IDi||yi||Ni1)||(Ni1⊕Ni2⊕Ni3))
2.Overview of Sood et al.’s scheme (5/8)Leak-of-verifier attack User have(Dk、Ek、Fk、Gk、h(·)) 、IDk、Pk User can compute bk=Dk⊕h(IDk||Pk) Ak=h(IDk||b) yk=Fk⊕Ak Bk=h(b⊕Pk) h(x)=Gk⊕Bk⊕h(yk) Get yk、h(x) If client leaked yi⊕x、Ci=Ai⊕h(yi)⊕xUk get x、h(x)、yi⊕x from ykthen get yi、Ai and h(x) Uklogin
2.Overview of Sood et al.’s scheme (6/8)Leak-of-verifier attack Ukget random number Ni′1 Compute CID′i=Ai⊕h(yi)⊕h(x)⊕Ni′1 M′i=h(h(x)||yi||SIDj||Ni′1) Z′i=h2(x)⊕Ni′1 Uk submits the login request message (SIDj、Z′i、CID′i、M′i) to Sj Sjget random number Ni′2 Compute Ri=Ni2⊕SKjsubmits to CS Compute Ni1=Z′i⊕h2(x)、Ni2=Ri⊕SKj C*i=CID′i⊕Ni′1⊕h(x)⊕x=Ai⊕h(yi)⊕x=Ci CS compute Mi*=h(h(x)||yi||SIDj||Ni′1)=M′i Uk get yi⊕x、Ci=Ai⊕h(yi)⊕x
2.Overview of Sood et al.’s scheme (7/8)Stolen smart card attack If (SIDj、Zi、CIDi、Mi) was eavesdropped and previously valid login Uk compute Ni1=Z′i⊕h2(x) Ai⊕h(yi)=CIDi⊕Ni1⊕h(x) Uk extract (Di、Ei、Fi、Gi、h(·)) Compute bi⊕Pi=Di⊕Ei h(bi⊕Pi)=Bi h(yi)=Gi⊕Bi⊕h(x) Compute Ai⊕h(yi)⊕(Ai⊕h(yi)) Get yi=Fi⊕Ai Uk get h(x)、yi
2.Overview of Sood et al.’s scheme(8/8)Incorrect authentication and session key agreement phase In registration phase,Ui submits Ai、Bi rather than true identity IDi to CS。 But in step4 Xi=h(IDi||yi||Ni1)⊕h(Ni⊕Ni2⊕Ni3) Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)] Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
3.Proposed scheme(1/4)Registration phase UiSjCS Chooses IDi、Pi、b Ai=h(b||Pi) (IDi、Ai) Bi=h(ID||x),Ci=h(IDi||h(y)||Ai) Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h(y||x) (Ci、Di、Ei、h(·)、h(y)) Smart card Ui enter b to smart cardsmart card stores (Ci、Di、Ei、h(·)、h(y)、b)
3.Proposed scheme(2/4)Login phase UiSjCS Inputs IDi、Pismart card computes Ai=h(b||Pi),Ci′=(IDi||h(y)||Ai) Ci′=Ci? Smart card generates Ni1 Bi=Di⊕h(IDi||Ai),Fi=h(y)⊕Ni1 Pij=Ei⊕h(h(y)||Ni1||SIDj) CIDi=Ai⊕h(Bi||Fi||Ni1) Gi=h(Bi||Ai||Ni1) (Fi、Gi、Pij、CIDi)
3.Proposed scheme(3/4)Authentication and session key agreement phase UiSjCS Sjchooses Ni2 Ki=h(SIDj||y)⊕Ni2 Mi=h(h(x||y)||Ni2)) (Fi、Gi、Pij、CIDi、SIDj、Ki、Mi) Ni2=Ki⊕h(SIDj||y) Mi′=h(h(x||y)||Ni2),Mi′=Mi? Ni1=Fi⊕h(y) Bi=Pij⊕h(h(y)||Ni1||SIDj)⊕h(y||x) Ai=CIDi⊕h(Bi||Fi||Ni1) Gi′=h(Bi||Ai||Ni1),Gi′=Gi? CSgenerates Ni3 Qi=Ni1⊕Ni3⊕h(SIDj||Ni2) Ri=h(Ai||Bi)⊕h(Ni1⊕Ni2⊕Ni3) Vi=h(h(Ai||Bi)||h(Ni1⊕Ni2⊕Ni3)) Ti=Ni2⊕Ni3⊕h(Ai||Bi||Ni1)
3.Proposed scheme(4/4)Authentication and session key agreement phase UiSjCS (Qi、Ri 、Vi 、Ti) Ni1⊕Ni3=Qi⊕h(SIDj||Ni2) h(Ai||Bi)=Ri⊕h(Ni1⊕Ni3⊕Ni2) Vi′=h(h(Ai||Bi)||h(Ni1⊕Ni3⊕Ni2) Vi′=Vi? (Vi、Ti) Ni2⊕Ni3=Ti⊕h(Ai||Bi||Ni1) Vi′=h(h(Ai||Bi)||h(Ni2⊕Ni3⊕Ni1)) Vi′=Vi? SK=h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))
5.Conclusion • This paper can satisfy all the essential requirements for multi-server architecture authentication. • Compared with Sood et al.'s (2011) protocol and other related protocols, our proposed protocol keeps the efficiency and is more secure. Therefore, our protocol is more suitable for the practical applications.