
Cryptanalysis of a Variant of Peyravian-Zunic's Password Authentication Scheme

This paper analyzes a variant of Peyravian-Zunic's password authentication scheme, identifying weaknesses such as replay attacks and denial of service attacks.


Presentation Transcript


  1. Cryptanalysis of a Variant of Peyravian-Zunic's Password Authentication Scheme
     Authors: Wei-Chi Ku, Chien-Ning Chen, and Hui-Lung Lee
     Source: IEICE Transactions on Communications, Vol. E86-B, No. 5, May 2003, pp. 1682-1684.
     Speaker: Yo-Chi Huang
     Date: 2004/12/07

  2. Outline
     • Hwang-Yeh's Scheme
       • Notations
       • Protocols
         • Protected Password Transmission Protocol
         • Protected Password Change Protocol
     • Weaknesses of Hwang-Yeh's Scheme
       • Threat of Replay Attack
       • Denial of Service Attack

  3. Notations
     • C = client
     • S = server
     • E = adversary
     • id, pw = identity and password of C
     • Ks = public key of S
     • Ks⁻¹ = secret key of S
     • rc = random number generated by C
     • rs = random number generated by S
     • H = a collision-resistant hash function
     • ⊕ = bitwise XOR operation
     • {m}Ks = message m encrypted with Ks

  4. Protected Password Transmission Protocol
     • H(pw) is stored in S as the verifier for pw

  5. Protected Password Transmission Protocol
     (1) C → S : id, {rc, pw}Ks
     (2) C ← S : rs ⊕ rc, H(rs)
     (3) C → S : id, H(rc, rs)
     (4) C ← S : access granted / denied

  6. Protected Password Change Protocol
     • pw' = C's new password
     • S computes H(pw') ⊕ H(rc+1, rs) ⊕ H(rc+1, rs) to get H(pw')

  7. Protected Password Change Protocol
     (1) C → S : id, {rc, pw}Ks
     (2) C ← S : rs ⊕ rc, H(rs)
     (3') C → S : id, H(rc, rs), H(pw') ⊕ H(rc+1, rs)
     (4) C ← S : access granted / denied

  8. Threat of Replay Attack
     • Protected Password Transmission Protocol
     • E has stolen a previously used rc and its message
     • (1) E → S : id, {rc, pw}Ks (recorded)
     • (2) E ← S : rs_new ⊕ rc, H(rs_new)
     • E computes H(rc, rs_new)
     • (3) E → S : id, H(rc, rs_new)
     • (4) E ← S : access granted

  9. Threat of Replay Attack
     (1) E → S : id, {rc, pw}Ks
     (2) E ← S : rs_new ⊕ rc, H(rs_new)
     (3) E → S : id, H(rc, rs_new)
     (4) E ← S : access granted / denied

  10. Threat of Replay Attack
     • Protected Password Change Protocol
     • E has stolen a previously used rc and its message
     • (1) E → S : id, {rc, pw}Ks (recorded)
     • (2) E ← S : rs_new ⊕ rc, H(rs_new)
     • E computes H(rc, rs_new), H(pwE), and H(pwE) ⊕ H(rc+1, rs_new)
     • (3') E → S : id, H(rc, rs_new), H(pwE) ⊕ H(rc+1, rs_new)
     • (4) E ← S : access granted

  11. Threat of Replay Attack
     (1) E → S : id, {rc, pw}Ks
     (2) E ← S : rs_new ⊕ rc, H(rs_new)
     (3') E → S : id, H(rc, rs_new), H(pwE) ⊕ H(rc+1, rs_new)
     (4) E ← S : access granted

  12. Denial of Service Attack
     • Protected Password Change Protocol
     • E generated a random number rE
     • (3') C → S : id, H(rc, rs), H(pw') ⊕ H(rc+1, rs)
     • (3') C → S : id, H(rc, rs), rE
     • (4) C ← S : access granted
     • H(pw') ⊕ H(rc+1, rs) ⊕ H(rc+1, rs) = H(pw')
     • rE ⊕ H(rc+1, rs) = ???

  13. Denial of Service Attack
     (1) C → S : id, {rc, pw}Ks
     (2) C ← S : rs ⊕ rc, H(rs)
     (3') C → S : id, H(rc, rs), H(pw') ⊕ H(rc+1, rs)
          E : id, H(rc, rs), rE
     (4) C ← S : access granted
     H(pw') ⊕ H(rc+1, rs) ⊕ H(rc+1, rs) = H(pw')
     rE ⊕ H(rc+1, rs) = ???
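
The two weaknesses on slides 8 to 13, as an added simulation that is not taken from the paper or the presentation. It shows why the server accepts a replayed message (1) and why an altered mask in (3') leaves a verifier that no password matches. Assumptions: SHA-256 stands in for H, a plain tuple stands in for the ciphertext {rc, pw}Ks, and the identity alice, the passwords and all function names are constructed for the example.

```python
import hashlib
import secrets

def H(*parts):  # SHA-256 stands in for the slides' hash H (assumption)
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def inc(r):  # rc + 1 on a 32-byte value
    return ((int.from_bytes(r, "big") + 1) % 2**256).to_bytes(32, "big")

class Server:
    def __init__(self, ident, pw):
        self.verifier, self.pending = {ident: H(pw)}, {}  # H(pw) is the stored verifier

    def msg1(self, ident, sealed):  # receives (1), returns (2)
        rc, pw = sealed  # models decrypting {rc, pw}Ks; a tuple stands in for the ciphertext
        if H(pw) != self.verifier[ident]:
            return None
        rs = secrets.token_bytes(32)
        self.pending[ident] = (rc, rs)
        return xor(rs, rc), H(rs)

    def msg3(self, ident, auth, mask=None):  # receives (3) or (3'), returns (4)
        rc, rs = self.pending.pop(ident)
        if auth != H(rc, rs):
            return False
        if mask is not None:  # (3'): server unmasks what it takes to be H(pw')
            self.verifier[ident] = xor(mask, H(inc(rc), rs))
        return True

def replay_password_change():
    server = Server("alice", b"old-pw")
    rc = secrets.token_bytes(32)
    recorded = (rc, b"old-pw")  # message (1) of an earlier run; E knows rc, not pw
    # E resends (1) unchanged; the stolen rc unmasks the fresh rs_new from (2).
    rs_new = xor(server.msg1("alice", recorded)[0], rc)
    granted = server.msg3("alice", H(rc, rs_new), xor(H(b"pwE"), H(inc(rc), rs_new)))
    return granted, server.verifier["alice"] == H(b"pwE")

def tampered_change():
    server = Server("alice", b"old-pw")
    rc = secrets.token_bytes(32)
    rs = xor(server.msg1("alice", (rc, b"old-pw"))[0], rc)
    r_e = secrets.token_bytes(32)  # E replaces the mask in (3') with rE
    granted = server.msg3("alice", H(rc, rs), r_e)
    # C now believes the password is new-pw, but the stored verifier is rE xor H(rc+1, rs).
    return granted, server.msg1("alice", (secrets.token_bytes(32), b"new-pw"))
```

Both runs end with "access granted": message (1) carries nothing the server contributed, so it cannot tell a replay from a fresh request, and the mask in (3') is not bound to anything the server can check before it overwrites the verifier.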
