220 likes | 393 Views
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards. Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw Src: IEEE Transaction on Industrial Electronics, Vol. 55, No. 6, pp. 2551-2556, 2008 Presenter: Jung-wen Lo ( 駱榮問 ) Date: Jul. 30, 2009. Outline.
E N D
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu LiawSrc: IEEE Transaction on Industrial Electronics, Vol. 55, No. 6, pp. 2551-2556, 2008 Presenter: Jung-wen Lo (駱榮問) Date: Jul. 30, 2009
Outline • Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005 • Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw, “Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards,” IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556 • Comment
Robust remote authentication scheme with smart cards Authors: Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang Src: Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005
Introduction • Criteria for secure remote authentication scheme using smart card 1) Low computation for smart cards 2) No password table 3) Passwords chosen by the users themselves 4) Not requiring clock synchronization and delay-time limitation 5) Withstanding the replay attack 6) Server authentication 7) Withstanding the offline dictionary attack with the smart card 8) Withstanding the offline dictionary attack without the smart card 9) Revoking the lost cards without changing the users’ identities • Major contribution • Withstand replay attack • Preventing the offline dictionary attack • Two protocol • Registration protocol • Login protocol
Registration Protocol System User IDi, h(PWi) Random vibi = Es(h(PWi)||H(IDi)||CIi||vi)) CIi,IDi, bi,n CIi,IDi, bi,n
Login Protocol User System bi,Vi,IDi,CIi Card Reader PWi Random uLi={IDi,(bi||h(IDi)||u)2 mod n} L1 Decrypt:L1(bi||h(IDi)||u) bih(PWi)||h(IDi)||CIi||vi) Verify h(IDi),{IDi, CIi}Random rα=ruβ=h((r||u) L2={α,β} r’=αuh((r’||u) ?=β L3=h(h(PWi)||r) L3 h(h(PWi)||r) ?= L3
Conclusion • Properties 1) Low computation for smart cards 2) No password table 3) Passwords chosen by the users themselves 4) Not requiring clock synchronization and delay-time limitation 5) Withstanding the replay attack 6) Server authentication 7) Withstanding the offline dictionary attack with the smart card 8) Withstanding the offline dictionary attack w/o the smart card 9) Revoking the lost cards without changing the users’ identities • Major contribution • Withstand replay attack • Preventing the offline dictionary attack • Major drawbacks • No ability of anonymity for the user • Higher computation and communication cost • No session key agreement • Cannot prevent the insider attack
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw Src: IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556, 2008
Introduction • Improve Fan-Chan-Zhang’s scheme • Session key agreement • Prevent insider attack • Five Phases 1) Parameter generation phase 2) Registration phase 3) Precomputation phase 4) Log-in phase 5) Password-changing phase
Notation • h(): Public one-way hash function. • s: Master secret key of a symmetric cryptosystem, which is kept secret by the server. • Es(): Secure symmetric encryption algorithm with the secret key s. • Ds(): Secure symmetric decryption algorithm with the secret key s. • ||: String concatenation operator. • P: Large prime. • EP: Elliptic curve equation over ZP . • x: Server’s private key based on elliptic curve cryptosystems. • PS: Server’s public key based on elliptic curvecryptosystems. • G: Generator point of a large order.Manuscript
Parameter generation phase • Server side • Choose a large prime P • Select a,b∈ZP; 4a3 + 27b2(mod P) ≠0 • Elliptic curve equation: EP : y2 = x3 + ax + b over ZP • Find a generator point G of order n where n × G = O • Select a random number x as its private key and safely keeps it in its secret storage. • Compute the public keyPS= (x • G) • Publish the parameters (PS, P, EP, G, n)
Registration/Precomputation phase Server User IDi, h(Pwi||b) Random b Registration phase (Only Once) bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b))) Vi = h(IDi, s, CIi). bi,Vi,IDi,CIi bi,Vi,IDi,CIi,b Smart Card Random re=(r•G)c=(r•Ps)=(r•x•G)Store (c,e) in memory Precomputation phase
Log-in phase Card Reader Server User bi,Vi,IDi,CIi,b bi, Evi(e) (c,e) PWi Ds(bi)IDi,CIiVerifyVi=h(IDi,s,CIi)Dvi(Evi(e)) e=(r•G) c’=(e•x)=(r•x•G)Random uMs=h(c’||u||Vi) Smart Card u, Ms h(c||u||Vi) ?= MsMu=h(h(PWi||b)||Vi||c||u)Sk = h(Vi,c,u) Mu h(h(PWi||b)||Vi||c||u)?=MuSk = h(Vi,c,u) bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))
Password-changing phase Card Reader Server User Log-in Phase Sk Sk ESk(IDi, h(PW*i||b*)) New PW*i,b* b*i = Es(h(PW*i||b*)||IDi||CIi||h(IDi||CIi||h(PW*i||b*))) Smart Card ESk(b*i) DecryptStore (b*i,b*) in memory b*i,Vi,IDi,CIi,b*
Security Analysis • Strong Mutual Authentication • Both believe the correction of session key • Preventing the Replay Attack • Nonce r & u • Preventing the Insider Attack • No password table • Protected with h(PWi||b) • Preventing the Offline Dictionary Attack Without the Smart Card • Cannot obtain PWi from messages • Preventing the Offline Dictionary Attack With the Smart Card • No obvious password in card (bi) • Need server’s help to verify password
Conclusion • Advantages • Benefits of Fan et al.’s scheme • Identity protection • Session key agreement • Low communication and computation cost by using elliptic curve cryptosystems • Prevent the insider attack
Comment • Register table attack DoS attack • Eliminate the table • Protect the table • Modify the data of table, eg, CIi • Verify before use • Performance improvement • 3 ways 2 ways
Comment: Log-in phase (2 round) Card Reader Server User bi,Vi,IDi,CIi,b bi, Evi(e||n) Ds(bi)IDi,CIiVerifyVi=h(IDi,s,CIi)Dvi(Evi(e)) e=(r•G) c’=(e•x)=(r•x•G)Random uMs=h(c’||n||u||Vi)Sk = h(Vi,c,u) (c,e)Randomn PWi Smart Card u, Ms h(c||n||u||Vi) ?= MsSk = h(Vi,c,u) bi = Es(h(PWi||b)||IDi||CIi||h(IDi||CIi||h(PWi||b)))