Explore the article detailing the innovative ROSI Protocol by Hung-Yu Chien and Jinn-Ke Jan, published in The Computer Journal in 2003. The protocol, utilizing smart cards and hash operations, offers a secure and straightforward authentication method. The text covers detailed security analysis, weaknesses of previous protocols, and the various phases involved in ROSI, including registration and authentication. Discover how ROSI defends against attacks such as replay, impersonation, and modification. Dive into the technical aspects of this robust protocol to enhance security measures.
Robust and Simple Authentication Protocol
Authors: Hung-Yu Chien and Jinn-Ke Jan
Source: The Computer Journal, vol. 46, no. 2, pp. 193–201, 2003
Speaker: Hao-Chuan Tsai
Date: 2004/10/06
Outline • Review of Hash-based Protocols • The RObust and SImple (ROSI) Protocol • Security Analysis • Conclusion
Review of Hash-based Protocols • Hash-based Protocols • use strong passwords or weak passwords with smart card • low computation complexity (Fast) • low deployment cost • Public-key Techniques based Protocols • may use either weak or strong passwords • high computation complexity (Slow) • high deployment cost
Hash Function • Formal Definition (by Merkle, Naor, Yung, Damgård) • A function H( ) is a One-Way Hash Function if it has the following properties: 1. The input, M, is a bit string of arbitrary length and H(M), denoted by h, is a string of fixed length; 2. Given M, it is easy to compute h; 3. Given h, it is hard (computationally infeasible) to compute M such that H(M) = h; 4. Given M, it is hard (computationally infeasible) to find another message, M', such that H(M) = H(M'); 5. It is hard (computationally infeasible) to find two random messages, M and M', such that H(M) = H(M') (Collision-Resistance property).
Example (1/2) • SHA-1 • Secure Hash Algorithm One • a revision of SHA • Employs Circular Shift Register • Developers: NIST • FIPS PUB 180-1 (in 1995) • The original version, FIPS PUB 180, was proposed in 1993. • Basic Features • 160-bit Digest • 4 rounds (each with 20 steps) • Security • no weaknesses have been found yet. • SHA-1 is more secure than MD5
Example (2/2) Elementary Operation in single step:
Review of Hash-based Protocols • SAS (2000) (Simple And Secure protocol) • Can defeat Man-in-the-Middle Attack • Superior to the former three protocols in • storage utilization • processing time • transmission overhead • Weaknesses • Replay Attack • Denial-of-Service Attack • Stolen-Verifier Attack
Review of Hash-based Protocols • OSPA (2001) (Optimal Strong-Password Authentication protocol) • Can defeat Replay Attack and Denial-of-Service Attack • Weaknesses • Stolen-Verifier Attack • Man-in-the-Middle Attack
Review of Hash-based Protocols • Revised SAS (2001) • Two versions • SAS-1: using smart card • SAS-2: without using smart card • Weaknesses • Stolen-Verifier Attack (both) • Denial-of-service attack (both) • Off-line guessing attack (SAS-2)
The RObust and SImple (ROSI) Protocol • ROSI (2003) • Uses a smart card • Uses only a hashing operation and an exclusive-or operation • Supports mutual authentication • The ROSI protocol consists of two phases • Registration phase • Authentication phase
ROSI: registration phase
• C → S (secure channel): Uid, h2(pw||N1)
• S: Store Uid and h2(pw||N1). Then, S writes R and h(pw||N1) into C's smart card. Finally, S issues the smart card to C.
• S → C (secure channel): R (= h(x||Uid)⊕pw), h(pw||N1)
ROSI: the ith authentication phase
• S: Store Uid, h2(pw||Ni)
• C → S: Uid, c1 = h(h(x||Uid)⊕h2(pw||Ni))⊕h2(pw||Ni+1), c2 = h3(pw||Ni+1)⊕h(pw||Ni)
• S: Compute h(x||Uid) and c'1 = h(h(x||Uid)⊕h2(pw||Ni)); extract h2(pw||Ni+1) = c1⊕c'1 and h(pw||Ni) = c2⊕h(h2(pw||Ni+1)). Check whether h(h(pw||Ni)) equals the stored verifier; if so, the user is authenticated. Then update the verifier h2(pw||Ni) with h2(pw||Ni+1).
• S → C: h3(pw||Ni+1)⊕h2(pw||Ni)
• C: Verify the received item. Replace the stored h(pw||Ni) with h(pw||Ni+1).
Security Analysis (1/4) • Replay attack • In the ROSI protocol, each new session request must be synchronized with S's currently stored verifier, h2(pw||Ni); therefore, a simply replayed message will not pass S's verification.
Security Analysis (2/4) • Impersonation attack • An impersonation attack requires knowledge of both h(x||Uid) and h(pw||Ni); however, these values are stored in a tamper-resistant device and only the legal user can produce them correctly.
Security Analysis (3/4) • Modification attack (or Man-in-the-middle attack) • Modifying c1 will cause S to fail to recover the correct h(pw||Ni) from c2, and modifying c2 also causes S to fail to recover the correct h(pw||Ni). • The attacker must know both h(x||Uid) and h(pw||Ni) before he can modify both c1 and c2 simultaneously while maintaining the validity of the modified data.
Security Analysis (4/4) • Stolen-verifier attack • The values h(x||Uid), h2(pw||Ni) and h(pw||Ni) must be known simultaneously to generate a valid request, which is infeasible for the attacker. • An attacker who has stolen the verifier h2(pw||Ni) cannot derive any useful information, even if the attacker has miraculously stolen two consecutive verifiers.
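The ith authentication phase together with the replay and modification checks from the security analysis, as an added example that is not from the slides or the paper. It reads h2 and h3 as h applied two and three times, and assumes SHA-256 for h, 16-byte random nonces, and hypothetical names (`Server`, `Card`, `register`, `demo`).

```python
import hashlib, hmac, os

def h(data: bytes, n: int = 1) -> bytes:   # h(m, 2) is the slides' h2(m); SHA-256 assumed
    for _ in range(n):
        data = hashlib.sha256(data).digest()
    return data

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

class Server:
    def __init__(self, x: bytes):
        self.x, self.verifiers = x, {}                 # secret x; Uid -> h2(pw||Ni)
    def authenticate(self, uid, c1, c2):
        v = self.verifiers[uid]
        v_next = xor(c1, h(xor(h(self.x + uid), v)))   # h2(pw||Ni+1) = c1 xor c'1
        hp = xor(c2, h(v_next))                        # h(pw||Ni) = c2 xor h3(pw||Ni+1)
        if not hmac.compare_digest(h(hp), v):          # must hash to the stored verifier
            return None
        self.verifiers[uid] = v_next                   # roll the verifier forward
        return xor(h(v_next), v)                       # h3(pw||Ni+1) xor h2(pw||Ni)

class Card:   # smart card; it recovers h(x||Uid) as R xor pw, held directly here
    def __init__(self, uid, hx, hp):
        self.uid, self.hx, self.hp = uid, hx, hp       # Uid, h(x||Uid), h(pw||Ni)
    def request(self, pw: bytes):
        self.nxt = h(pw + os.urandom(16))              # h(pw||Ni+1) with a fresh nonce
        c1 = xor(h(xor(self.hx, h(self.hp))), h(self.nxt))
        c2 = xor(h(self.nxt, 2), self.hp)
        return self.uid, c1, c2
    def confirm(self, reply) -> bool:
        ok = reply is not None and hmac.compare_digest(reply, xor(h(self.nxt, 2), h(self.hp)))
        if ok:
            self.hp = self.nxt                         # replace h(pw||Ni) with h(pw||Ni+1)
        return ok

def register(server, uid: bytes, pw: bytes) -> Card:   # stand-in for registration (secure channel)
    hp = h(pw + os.urandom(16))                        # h(pw||N1)
    server.verifiers[uid] = h(hp)                      # S stores h2(pw||N1)
    return Card(uid, h(server.x + uid), hp)

def demo(pw: bytes = b"constructed-password"):         # constructed sample values
    server = Server(os.urandom(32))
    card = register(server, b"alice", pw)
    msg = card.request(pw)
    mutual = card.confirm(server.authenticate(*msg))   # session i succeeds both ways
    replayed = server.authenticate(*msg)               # same request sent again
    uid, c1, c2 = card.request(pw)                     # next session, c1 altered in transit
    return mutual, replayed, server.authenticate(uid, xor(c1, b"\x01" + bytes(31)), c2)
```

`demo()` returns `(True, None, None)`: the genuine session authenticates in both directions, while the replayed request and the request with one flipped bit in c1 both fail the verifier check and leave the stored verifier unchanged.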
Conclusion • In this paper, the authors have proposed the ROSI authentication protocol to strengthen the security.