Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw
Src: IEEE Transactions on Industrial Electronics, Vol. 55, No. 6, pp. 2551–2556, 2008
Presenter: Jung-wen Lo (駱榮問)
Date: Jul. 30, 2009

Outline
- Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005
- Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw, “Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards,” IEEE Transactions on Industrial Electronics, vol. 55, no. 6, pp. 2551–2556
- Comment

Robust remote authentication scheme with smart cards
Authors: Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang
Src: Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005

Introduction
- Criteria for a secure remote authentication scheme using smart cards
  1) Low computation for smart cards
  2) No password table
  3) Passwords chosen by the users themselves
  4) Not requiring clock synchronization and delay-time limitation
  5) Withstanding the replay attack
  6) Server authentication
  7) Withstanding the offline dictionary attack with the smart card
  8) Withstanding the offline dictionary attack without the smart card
  9) Revoking the lost cards without changing the users’ identities
- Major contribution
  - Withstand replay attack
  - Preventing the offline dictionary attack
- Two protocols
  - Registration protocol
  - Login protocol

Registration Protocol (User / System)
1. User → System: ID_i, h(PW_i)
2. System:
   - Registration table: (ID_i, CI_i), …
   - Random v_i
   - b_i = E_s(h(PW_i)||H(ID_i)||CI_i||v_i)
3. System → User: CI_i, ID_i, b_i, n

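Login Protocol (User / System)
Smart card: b_i, V_i, ID_i, CI_i. The user enters PW_i at the card reader.
1. User:
   - Random u
   - L1 = {ID_i, (b_i||h(ID_i)||u)^2 mod n}
   - User → System: L1
2. System:
   - Decrypt: L1 gives (b_i||h(ID_i)||u); b_i gives h(PW_i)||h(ID_i)||CI_i||v_i
   - Verify h(ID_i), {ID_i, CI_i}
   - Random r
   - α=r u
   - β = h(r||u)
   - System → User: L2 = {α, β}
3. User:
   - r’=α u
   - h(r’||u) ?= β
   - L3 = h(h(PW_i)||r)
   - User → System: L3
4. System:
   - h(h(PW_i)||r) ?= L3
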
Performance

Conclusion
- Properties
  1) Low computation for smart cards
  2) No password table
  3) Passwords chosen by the users themselves
  4) Not requiring clock synchronization and delay-time limitation
  5) Withstanding the replay attack
  6) Server authentication
  7) Withstanding the offline dictionary attack with the smart card
  8) Withstanding the offline dictionary attack w/o the smart card
  9) Revoking the lost cards without changing the users’ identities
- Major contribution
  - Withstand replay attack
  - Preventing the offline dictionary attack
- Major drawbacks
  - No ability of anonymity for the user
  - Higher computation and communication cost
  - No session key agreement
  - Cannot prevent the insider attack

Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw
Src: IEEE Transactions on Industrial Electronics, vol. 55, no. 6, pp. 2551–2556, 2008

Introduction
- Improve Fan-Chan-Zhang’s scheme
  - Session key agreement
  - Prevent insider attack
- Five phases
  1) Parameter generation phase
  2) Registration phase
  3) Precomputation phase
  4) Log-in phase
  5) Password-changing phase

Notation
- h(): Public one-way hash function.
- s: Master secret key of a symmetric cryptosystem, which is kept secret by the server.
- E_s(): Secure symmetric encryption algorithm with the secret key s.
- D_s(): Secure symmetric decryption algorithm with the secret key s.
- ||: String concatenation operator.
- P: Large prime.
- E_P: Elliptic curve equation over Z_P.
- x: Server’s private key based on elliptic curve cryptosystems.
- P_S: Server’s public key based on elliptic curve cryptosystems.
- G: Generator point of a large order.

Parameter generation phase
- Server side
  - Choose a large prime P
  - Select a, b ∈ Z_P with 4a^3 + 27b^2 (mod P) ≠ 0
  - Elliptic curve equation: E_P : y^2 = x^3 + ax + b over Z_P
  - Find a generator point G of order n, where n × G = O
  - Select a random number x as its private key and safely keep it in its secret storage
  - Compute the public key P_S = (x • G)
  - Publish the parameters (P_S, P, E_P, G, n)

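Registration/Precomputation phase (User / Server)
Registration phase (only once)
1. User: random b
2. User → Server: ID_i, h(PW_i||b)
3. Server:
   - Registration table: (ID_i, CI_i), …
   - b_i = E_s(h(PW_i||b)||ID_i||CI_i||h(PW_i||b)))
   - V_i = h(ID_i, s, CI_i)
4. Server → User: smart card containing b_i, V_i, ID_i, CI_i
5. Smart card contents on the user side: b_i, V_i, ID_i, CI_i, b
Precomputation phase (smart card)
- Random r
- e = (r • G)
- c = (r • P_S) = (r • x • G)
- Store (c, e) in memory
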
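Log-in phase (User / Server)
Smart card: b_i, V_i, ID_i, CI_i, b and the precomputed (c, e). The user enters PW_i at the card reader.
Recall: b_i = E_s(h(PW_i||b)||ID_i||CI_i||h(PW_i||b)))
1. User → Server: b_i, E_Vi(e)
2. Server:
   - D_s(b_i) gives ID_i, CI_i
   - Verify V_i = h(ID_i, s, CI_i)
   - D_Vi(E_Vi(e)) gives e = (r • G)
   - c’ = (e • x) = (r • x • G)
   - Random u
   - M_s = h(c’||u||V_i)
   - Server → User: u, M_s
3. User:
   - h(c||u||V_i) ?= M_s
   - M_u = h(h(PW_i||b)||V_i||c||u)
   - Sk = h(V_i, c, u)
   - User → Server: M_u
4. Server:
   - h(h(PW_i||b)||V_i||c||u) ?= M_u
   - Sk = h(V_i, c, u)
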
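The core of the precomputation and log-in phases, as an added example that is not from the slides or the paper: it shows that the card's c = r • P_S and the server's c’ = e • x are the same point, so M_s, M_u and Sk agree on both sides. Assumptions: a toy textbook curve (y^2 = x^3 + 2x + 2 over Z_17, G = (5, 1), n = 19), SHA-256 standing in for h(), hypothetical helper names add, mul, h and login, and the E_s / E_Vi encryption steps left out, with V_i and h(PW_i||b) passed in as plain values.

```python
import hashlib

# Toy textbook curve, constructed for illustration only (far too small for real use):
# E_P: y^2 = x^3 + 2x + 2 over Z_17, generator G = (5, 1) of order n = 19.
# Assumption: SHA-256 stands in for the slides' h(); E_s and E_Vi are omitted.
P, A, B, G, N = 17, 2, 2, (5, 1), 19
assert (4 * A**3 + 27 * B**2) % P != 0   # non-singularity check from the parameter generation phase

def add(p, q):
    """Add two curve points; None represents the point at infinity O."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p + (-p) = O
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication k . p."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def h(*parts):
    """h(): hash of the parts joined with '||'."""
    return hashlib.sha256("||".join(map(str, parts)).encode()).hexdigest()

def login(x, r, u, V_i, pw_hash):
    """Run precomputation + log-in; return (Sk on the card, Sk on the server)."""
    P_S = mul(x, G)                        # server public key P_S = x . G
    e, c = mul(r, G), mul(r, P_S)          # card precomputation: e = r.G, c = r.P_S
    c_srv = mul(x, e)                      # server: c' = e.x = r.x.G
    M_s = h(c_srv, u, V_i)                 # server -> user: u, M_s
    if h(c, u, V_i) != M_s:                # user authenticates the server
        raise ValueError("server authentication failed")
    M_u = h(pw_hash, V_i, c, u)            # user -> server: M_u
    if h(pw_hash, V_i, c_srv, u) != M_u:   # server authenticates the user
        raise ValueError("user authentication failed")
    return h(V_i, c, u), h(V_i, c_srv, u)  # session key Sk on each side
```
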
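Password-changing phase (User / Card Reader / Server)
1. User and server run the log-in phase; both hold Sk
2. User: new PW*_i, b*
3. User → Server: E_Sk(ID_i, h(PW*_i||b*))
4. Server: b*_i = E_s(h(PW*_i||b*)||ID_i||CI_i||h(PW*_i||b*)))
5. Server → User: E_Sk(b*_i)
6. Smart card: decrypt; store (b*_i, b*) in memory
7. Smart card contents: b*_i, V_i, ID_i, CI_i, b*
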
Security Analysis
- Strong Mutual Authentication
  - Both believe in the correctness of the session key
- Preventing the Replay Attack
  - Nonce r & u
- Preventing the Insider Attack
  - No password table
  - Protected with h(PW_i||b)
- Preventing the Offline Dictionary Attack Without the Smart Card
  - Cannot obtain PW_i from messages
- Preventing the Offline Dictionary Attack With the Smart Card
  - No obvious password in card (b_i)
  - Need server’s help to verify password

Communication and storage cost

Computation Cost

Capability Comparisons

Conclusion
- Advantages
  - Benefits of Fan et al.’s scheme
  - Identity protection
  - Session key agreement
  - Low communication and computation cost by using elliptic curve cryptosystems
  - Prevent the insider attack

Comment
- Register table attack
  - DoS attack
    - Eliminate the table
  - Modify the data of table, e.g., CI_i
    - Protect the table
    - Verify before use
- Performance improvement
  - 3 ways → 2 ways

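Comment: Log-in phase (2 round) (User / Server)
Smart card: b_i, V_i, ID_i, CI_i, b and the precomputed (c, e). The user enters PW_i at the card reader.
Recall: b_i = E_s(h(PW_i||b)||ID_i||CI_i||h(PW_i||b)))
1. User:
   - Random n
   - User → Server: b_i, E_Vi(e||n)
2. Server:
   - D_s(b_i) gives ID_i, CI_i
   - Verify V_i = h(ID_i, s, CI_i)
   - D_Vi(E_Vi(e)) gives e = (r • G)
   - c’ = (e • x) = (r • x • G)
   - Random u
   - M_s = h(c’||n||u||V_i)
   - Sk = h(V_i, c, u)
   - Server → User: u, M_s
3. User:
   - h(c||n||u||V_i) ?= M_s
   - Sk = h(V_i, c, u)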