1 / 20

Authors: Wen-Gong Shieh and Jian-Min Wang Source: Computers & Security, 25(1), pp. 72-77, 2006.

boris-bush
Télécharger la présentation

Authors: Wen-Gong Shieh and Jian-Min Wang Source: Computers & Security, 25(1), pp. 72-77, 2006.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient remote mutual authentication and key agreementImprovement of Chien et al.’s remote user authentication scheme using smart cardsAn efficient nonce-based authentication scheme with key agreementEfficient nonce-based remote user authentication scheme using smart cardsAn improvement of Hwang-Lee-Tang’s simple remote user authentication scheme Authors: Wen-Gong Shieh and Jian-Min Wang Source: Computers & Security, 25(1), pp. 72-77, 2006. Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo Source: Computers Standards & Interfaces, 27(1), pp. 181-183, 2005. Authors: Yen-Cheng Chen and Lo-Yao Yeh Source: Applied Mathematics and Computation, 169(1), pp. 982-994, 2005. Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo Source: Applied Mathematics and Computation, 167(1), pp. 355-361, 2005. Authors: Eun-Jun Yoon, Eun-Kyung Ryu and Kee-Young Yoo Source: Computers & Security, 24(1), pp. 50-56, 2005. Reporter: Chun-Ta Li (李俊達)

  2. Outline • Introduction • Chien et al’s scheme and Hsu’s attack • Juang’s scheme and Shieh et al.’s attack • Shieh et al.’s scheme • Lee et al.’s scheme (CSI) • Chen et al.’s scheme • Lee et al.’s scheme (AMC) • Yoon et al.’s scheme • Comments

  3. Introduction • Motivation • Password-based authentication • Dictionary attack • Solutions: public key encryption • Light computational overhead • Hashing function or symmetric encryption used in an authentication protocol • Smart card-based authentication scheme • Well-chosen password is stored in a smart card • Nonce-based or timestamp-based approaches

  4. Introduction (cont.) • History • In 1981, Lamport proposed first password-based remote user authentication scheme over an insecure channel (store verification table) • In 1993, Chang-Wu introduced remote password authentication scheme with smart cards (can’t freely change passwords) • In 2000, Hwang-Li proposed a password-based remote user authentication scheme using smart cards (no verification or password table) • In 2002, Hwang-Lee-Tang proposed a simple remote authentication scheme (freely change passwords)

  5. Introduction (cont.) • Requirements • No verification and password table • Freely changing password • Mutual authentication • Low computation • Without synchronized clock • Key agreement • Some security issues

  6. Introduction (cont.) • Classification Password-based user authentication Without using smart cards Smart cards nonce timestamp .Lamport 1981 without mutual authentication mutual authentication without mutual authentication mutual authentication .Kwon 2005 .Peyravian 2006 .Juang 2004 .Yoon 2004 .Chien 2002 Share ID and PW .Chen 2005 .Awasthi 2004 .Ku 2004 .Lee 2005 .Lee 2005 .Wang 2005 .Yoon 2005 .Shieh 2006 .Lee 2005 .Shieh 2006 No verification and password table

  7. Chien et al’s scheme and Hsu’s attack • Registration phase • Login/verification phase User Server 1. IDi, PWi 2. Ri = h(IDi ⊕ x) ⊕ PWi 3. Smart card{Ri, h(.)} User Server 1. C1 = Ri ⊕PWi 2. C2 = h(C1 ⊕T) 3. IDi, T, C2 4. Check IDi and T 5. C1’ = h(IDi ⊕ x) 6. Check h(C1’ ⊕ T) ?= C2 8. T”, C3 7. C3 = h(C1’ ⊕ T”) 9. Check T” 10. Check h(C1 ⊕ T”) ?= C3

  8. Chien et al’s scheme and Hsu’s attack(cont.) • Hsu’s parallel session attack (2004) // C2 = h(C1 ⊕T) // C3 = h(C1’ ⊕ T”) // C1 = Ri ⊕PWi // Ri = h(IDi ⊕ x) ⊕ PWi

  9. Juang’s scheme and Shieh et al.’s attack • Registration phase • Login/verification phase User Server 1. IDi, PWi 2. Vi = h(IDi, x) 3. Wi = Vi ⊕PWi 4. Smart card{Wi, IDi, h(.)} // Vi = Wi ⊕PWi Decrypt EVi(ruj, Ci) // Ci = h(IDi || N1) Check Ci ?= h(IDi || N1) // session key Kj = h(rsj, rsu, Vi)

  10. Juang’s scheme and Shieh et al.’s attack (cont.) • Shieh et al.’s off-line plain-text attack (2006) // Ci = h(IDi || N1) // Vi = Wi ⊕PWi = h(IDi, x)

  11. Shieh et al.’s scheme • Registration phase: the same as that of Chien et al.’s scheme • Login/key agreement phase User Server 3. IDi, Tu, MACu 1. ai = Ri ⊕ PWi = h(IDi ⊕x) 4. Check Tu is fresh or not 2. MACu = h(Tu || ai) and store Tu temporarily until the end of the session 5. ai’ = h(IDi ⊕x) and 6. MACu’ = h(Tu || ai’) 7. Check MACu’ ?= MACu 8. Temporarily store (Tu, Ts) and IDi 11. Tu, Ts, MACs 9. MACs = h(Tu || Ts || ai’) 10. Session key Ks = h((Tu || Ts) ⊕ai’) 12. MACs’ = h(Tu || Ts || ai) 13. Check MACs’ ?= MACs 16. Ts, MACu” 14. MACu” = h(Ts || (ai+1)) 17. Check Ts and MACu” 15. Session key Ks = h((Tu || Ts) ⊕ai) 18. If above holds, accept user’s login

  12. Shieh et al.’s scheme (cont.) • Messages transmitted in proposed scheme using synchronized clock // ai = Ri ⊕ PWi = h(IDi ⊕x) // MACs = h(Tu || Ts || ai’) // MACu = h(Tu || ai)

  13. Shieh et al.’s scheme (cont.) • Messages transmitted in parallel session attack

  14. Lee et al.’s scheme (CSI) • Registration/Login phase: the same as that of Chien et al.’s scheme • Verification phase: User Server 4. Check IDi and T 5. C1’ = h(IDi ⊕ x) 6. Check h(C1’ ⊕ T) ?= C2 7. C3 = h(h(C1’ ⊕ T”)) 8. T”, C3 9. Check T” 10. Check h(h(C1 ⊕ T”)) ?= C3

  15. Chen et al.’s scheme • Registration phase: the same as that of Chien et al.’s scheme • Login/Authentication phase: User Server 1. ai = Ri ⊕ PWi = h(IDi ⊕x) 2. M1= h2(IDi ⊕x) ⊕ N1 3. IDi, M1 4. Compute h2(IDi ⊕x) and extract N1 by computing M1 ⊕ h2(IDi ⊕x) 5. M2 = h(h(IDi ⊕x)||N1) ⊕N2 and M3 = h(h(IDi ⊕x)||N1||N2) 7. Compute h(h(IDi ⊕x)||N1) and extract N2 by computing M2 ⊕ h(h(IDi ⊕x)||N1) 6. M2, M3 8. Verifies M3 ?= h(h(IDi ⊕x)||N1||N2) 9. M4 = h(h2(IDi ⊕x)||N1+1||N2+1) 10. M4 11. Verifies M4 ?= h(h2(IDi ⊕x)||N1+1||N2+1) 12. Session key Ks = h(h3(IDi ⊕x)||N1+2 || N2+2)

  16. Lee et al.’s scheme (AMC) Parallel session attack

  17. Yoon et al.’s scheme • Registration phase: • Login/Authentication phase:

  18. Comments • Comparison Mutual authentication (steps) Computation load Use of timestamp Session key agreement Yes/No Yes (3) Yes Shieh et al. 10H + 6⊕ Lee et al. (CSI) Yes Yes (2) No 7H + 8⊕ Chen et al. 19H + 15⊕ No Yes (3) Yes Lee et al. (AMC) 6H + 7⊕ No No Yes (3) Yoon et al. 6H + 2⊕ Yes Yes (2) No

  19. Comments (cont.) • Forward secrecy • When compromise of the secret key x, the agreed session key can be constructed by the attacker • Solutions: Diffie-Hellman key exchange algorithm • Let N1 = gx and N2 = gy • Session key = gxy

  20. Comments (cont.) • Identity problems • No verification tables in remote server • Impersonation attack • A legitimate user can purposely obtain another valid (ID, PW) by the following tricks: • The user declared that he lost his smart card • To register a new valid (ID, PW) • The original smart card is still legal to use

More Related