Robust and Simple Authentication Protocol
Authors: Hung-Yu Chien and Jinn-Ke Jan
Source: The Computer Journal, vol. 46, no. 2, pp. 193–201, 2003
Speaker: Hao-Chuan Tsai
Date: 2004/10/06
Outline
• Review of Hash-based Protocols
• The RObust and SImple (ROSI) Protocol
• Security Analysis
• Conclusion
Review of Hash-based Protocols
• Hash-based Protocols
  • use strong passwords or weak passwords with smart card
  • low computation complexity (Fast)
  • low deployment cost
• Public-key Techniques based Protocols
  • may use either weak or strong passwords
  • high computation complexity (Slow)
  • high deployment cost
Hash Function
• Formal Definition (by Merkle, Naor, Yung, Damgård)
• A function H( ) is a One-Way Hash Function if it has the following properties:
  1. The input, M, is a bit string of arbitrary length and H(M), denoted by h, is a string of fixed length;
  2. Given M, it is easy to compute h;
  3. Given h, it is hard (computationally infeasible) to compute M such that H(M) = h;
  4. Given M, it is hard (computationally infeasible) to find another message, M', such that H(M) = H(M');
  5. It is hard (computationally infeasible) to find two random messages, M and M', such that H(M) = H(M'). (Collision-Resistance property)
Example (1/2)
• SHA-1
  • Secure Hash Algorithm One
  • the revision of SHA
  • Employs Circular Shift Register
• Developers: NIST
  • FIPS PUB 180-1 (in 1995)
  • The original version, FIPS PUB 180, was proposed in 1993.
• Basic Features
  • 160-bit Digest
  • 4 rounds (each with 20 steps)
• Security
  • no weaknesses have been found yet.
  • SHA-1 is more secure than MD5
Example (2/2) Elementary Operation in single step:
Review of Hash-based Protocols
• SAS (2000) (Simple And Secure protocol)
  • Can defeat Man-in-the-Middle Attack
  • Superior to the former three protocols in
    • storage utilization
    • processing time
    • transmission overhead
  • Weaknesses
    • Replay Attack
    • Denial-of-Service Attack
    • Stolen-Verifier Attack
Review of Hash-based Protocols
• OSPA (2001) (Optimal Strong-Password Authentication protocol)
  • Can defeat Replay Attack and Denial-of-Service Attack
  • Weaknesses
    • Stolen-Verifier Attack
    • Man-in-the-Middle Attack
Review of Hash-based Protocols
• Revised SAS (2001)
  • Two versions
    • SAS-1: using smart card
    • SAS-2: without using smart card
  • Weaknesses
    • Stolen-Verifier Attack (both)
    • Denial-of-Service Attack (both)
    • Off-line guessing attack (SAS-2)
The RObust and SImple (ROSI) Protocol
• ROSI (2003)
  • Uses a smart card
  • Uses only a hashing operation and an exclusive-or operation
  • Supports mutual authentication
• The ROSI protocol involves two phases
  • Registration phase
  • Authentication phase
ROSI: registration phase
• C → S (secure channel): Uid, h^2(pw||N_1)
• S: Store Uid and h^2(pw||N_1). Then, S writes R and h(pw||N_1) into C's smart card. Finally, S issues the smart card to C.
• S → C (secure channel): R (= h(x||Uid) ⊕ pw), h(pw||N_1)
ROSI: the i-th authentication phase
• S: Stores Uid, h^2(pw||N_i).
• C → S: Uid, c1 = h(h(x||Uid) ⊕ h^2(pw||N_i)) ⊕ h^2(pw||N_{i+1}), c2 = h^3(pw||N_{i+1}) ⊕ h(pw||N_i)
• S: Compute h(x||Uid) and c1' = h(h(x||Uid) ⊕ h^2(pw||N_i)); extract h^2(pw||N_{i+1}) = c1 ⊕ c1' and h(pw||N_i) = c2 ⊕ h(h^2(pw||N_{i+1})). Check whether h(h(pw||N_i)) equals the stored verifier; if so, the user is authenticated. Then update the verifier h^2(pw||N_i) with h^2(pw||N_{i+1}).
• S → C: h^3(pw||N_{i+1}) ⊕ h^3(pw||N_i)
• C: Verify the received item. Replace the stored h(pw||N_i) with h(pw||N_{i+1}).
Security Analysis (1/4)
• Replay attack
  • In the ROSI protocol, each new session request must be synchronized with S's currently stored verifier, h^2(pw||N_i); therefore, a simple replayed message will not pass S's verification.
Security Analysis (2/4)
• Impersonation attack
  • To launch an impersonation attack, the attacker needs to know both h(x||Uid) and h(pw||N_i); however, these values are stored in a tamper-resistant device and only the legitimate user can produce them correctly.
Security Analysis (3/4)
• Modification attack (or Man-in-the-middle attack)
  • Modifying c1 causes S to fail to recover the correct h(pw||N_i) from c2, and modifying c2 likewise causes S to fail to recover the correct h(pw||N_i).
  • The attacker must know both h(x||Uid) and h(pw||N_i) before he can modify c1 and c2 simultaneously while keeping the modified data valid.
Security Analysis (4/4)
• Stolen-verifier attack
  • The values h(x||Uid), h^2(pw||N_i) and h(pw||N_i) must be known simultaneously to generate a valid request, which is infeasible for the attacker.
  • An attacker who has stolen the verifier h^2(pw||N_i) cannot derive any useful information, even if the attacker has miraculously stolen two consecutive verifiers.
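The authentication round from the ROSI slides, together with the replay and modification cases from the security analysis, as an added Python example (not code from the paper or the slides). SHA-256 as h, zero-padding of pw before the XOR, the function names and the sample values are assumptions; `register` only models what ends up on the card and at S.

```python
import hashlib, hmac

def h(data, times=1):          # h, h^2, h^3: SHA-256 (assumed) applied `times` times
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

def xor(a, b):
    # Assumption: b is zero-padded to len(a), so R = h(x||Uid) XOR pw is defined for short pw.
    return bytes(p ^ q for p, q in zip(a, b.ljust(len(a), b"\0")))

def register(x, uid, pw, n1):
    # Models the outcome of registration: smart-card contents and the verifier S stores.
    card = {"R": xor(h(x + uid), pw), "hpw": h(pw + n1)}
    return card, h(pw + n1, 2)

def client_request(card, pw, n_next):
    hx = xor(card["R"], pw)              # h(x||Uid)
    v_i = h(card["hpw"])                 # h^2(pw||N_i)
    v_next = h(pw + n_next, 2)           # h^2(pw||N_{i+1})
    c1 = xor(h(xor(hx, v_i)), v_next)
    c2 = xor(h(v_next), card["hpw"])     # h^3(pw||N_{i+1}) XOR h(pw||N_i)
    return c1, c2

def server_verify(x, uid, db, c1, c2):
    v_i = db[uid]
    v_next = xor(c1, h(xor(h(x + uid), v_i)))    # c1 XOR c1'
    hpw_i = xor(c2, h(v_next))
    if not hmac.compare_digest(h(hpw_i), v_i):
        return None                              # reject; stored verifier unchanged
    db[uid] = v_next                             # roll the verifier forward
    return xor(h(v_next), h(v_i))                # h^3(pw||N_{i+1}) XOR h^3(pw||N_i)

def client_finish(card, pw, n_next, reply):
    expected = xor(h(pw + n_next, 3), h(card["hpw"], 2))
    if reply is None or not hmac.compare_digest(reply, expected):
        return False
    card["hpw"] = h(pw + n_next)                 # card now holds h(pw||N_{i+1})
    return True

def demo():
    x, uid, pw = b"server-secret-x", b"alice", b"correct horse"   # constructed values
    card, verifier = register(x, uid, pw, b"N1")
    db = {uid: verifier}
    c1, c2 = client_request(card, pw, b"N2")
    ok = client_finish(card, pw, b"N2", server_verify(x, uid, db, c1, c2))
    replayed = server_verify(x, uid, db, c1, c2)     # old request against the new verifier
    c1, c2 = client_request(card, pw, b"N3")
    tampered = server_verify(x, uid, db, xor(c1, b"\x01"), c2)    # one bit of c1 flipped
    return ok, replayed, tampered
```

`demo()` returns the result of one honest round, a replay of that round's request, and a request with a modified c1.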
Conclusion
• In this paper, the authors proposed the ROSI authentication protocol to strengthen security.