Slide 1: Papers presented

1. Efficient remote mutual authentication and key agreement
   Authors: Wen-Gong Shieh and Jian-Min Wang
   Source: Computers & Security, 25(1), pp. 72-77, 2006.
2. Improvement of Chien et al.'s remote user authentication scheme using smart cards
   Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo
   Source: Computer Standards & Interfaces, 27(1), pp. 181-183, 2005.
3. An efficient nonce-based authentication scheme with key agreement
   Authors: Yen-Cheng Chen and Lo-Yao Yeh
   Source: Applied Mathematics and Computation, 169(1), pp. 982-994, 2005.
4. Efficient nonce-based remote user authentication scheme using smart cards
   Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo
   Source: Applied Mathematics and Computation, 167(1), pp. 355-361, 2005.
5. An improvement of Hwang-Lee-Tang's simple remote user authentication scheme
   Authors: Eun-Jun Yoon, Eun-Kyung Ryu and Kee-Young Yoo
   Source: Computers & Security, 24(1), pp. 50-56, 2005.

Reporter: Chun-Ta Li (李俊達)
Slide 2: Outline

- Introduction
- Chien et al.'s scheme and Hsu's attack
- Juang's scheme and Shieh et al.'s attack
- Shieh et al.'s scheme
- Lee et al.'s scheme (CSI)
- Chen et al.'s scheme
- Lee et al.'s scheme (AMC)
- Yoon et al.'s scheme
- Comments
Slide 3: Introduction: Motivation

- Password-based authentication: vulnerable to dictionary attacks; solution: public key encryption
- Light computational overhead: a hash function or symmetric encryption is used in the authentication protocol
- Smart card-based authentication scheme: a well-chosen password is stored in a smart card
- Nonce-based or timestamp-based approaches
Slide 4: Introduction (cont.): History

- In 1981, Lamport proposed the first password-based remote user authentication scheme over an insecure channel (stores a verification table)
- In 1993, Chang-Wu introduced a remote password authentication scheme with smart cards (passwords cannot be freely changed)
- In 2000, Hwang-Li proposed a password-based remote user authentication scheme using smart cards (no verification or password table)
- In 2002, Hwang-Lee-Tang proposed a simple remote authentication scheme (passwords can be freely changed)
Slide 5: Introduction (cont.): Requirements

- No verification or password table
- Freely changing password
- Mutual authentication
- Low computation
- Without synchronized clock
- Key agreement
- Some security issues
Slide 6: Introduction (cont.): Classification

Tree diagram (only its labels survive): password-based user authentication is divided into schemes using smart cards and schemes without smart cards (the server and user share ID and PW). The smart-card branch is divided into timestamp-based and nonce-based schemes, each with or without mutual authentication. Scheme labels placed in the tree, as extracted (some appear in more than one branch): Yoon 2004, Awasthi 2004, Chen 2005, Shieh 2006, Shieh 2006, Lee 2005, Lee 2005, Chien 2002, Juang 2004, Wang 2005, Lee 2005, Yoon 2005, Ku 2004, Kwon 2005, Lamport 1981, Peyravian 2006. The bottom label of the diagram reads "No verification and password table".
Slide 7: Chien et al.'s scheme and Hsu's attack

Registration phase:
  1. User → Server: IDi, PWi
  2. Server computes Ri = h(IDi ⊕ x) ⊕ PWi
  3. Server → User: smart card {Ri, h(.)}

Login/verification phase:
  1. User computes C1 = Ri ⊕ PWi
  2. C2 = h(C1 ⊕ T)
  3. User → Server: IDi, T, C2
  4. Server checks IDi and T
  5. C1' = h(IDi ⊕ x)
  6. Check h(C1' ⊕ T) ?= C2
  7. C3 = h(C1' ⊕ T'')
  8. Server → User: T'', C3
  9. User checks T''
  10. Check h(C1 ⊕ T'') ?= C3
Slide 8: Chien et al.'s scheme and Hsu's attack (cont.)

Hsu's parallel session attack (2004). Only the formulas annotated on the slide's message diagram survive:
  // C2 = h(C1 ⊕ T)
  // Ri = h(IDi ⊕ x) ⊕ PWi
  // C1 = Ri ⊕ PWi
  // C3 = h(C1' ⊕ T'')
Slide 9: Juang's scheme and Shieh et al.'s attack

Registration phase:
  1. User → Server: IDi, PWi
  2. Server computes Vi = h(IDi, x)
  3. Wi = Vi ⊕ PWi
  4. Server → User: smart card {Wi, IDi, h(.)}

Login/verification phase (only the formulas annotated on the slide's diagram survive):
  // Ci = h(IDi || N1)
  // Vi = Wi ⊕ PWi; decrypt E_Vi(ruj, Ci)
  // Check Ci ?= h(IDi || N1)
  // Session key Kj = h(rsj, rsu, Vi)
Slide 10: Juang's scheme and Shieh et al.'s attack (cont.)

Shieh et al.'s off-line plain-text attack (2006). Only the formulas annotated on the slide's diagram survive:
  // Ci = h(IDi || N1)
  // Vi = Wi ⊕ PWi = h(IDi, x)
Slide 11: Shieh et al.'s scheme

Registration phase: the same as that of Chien et al.'s scheme

Login/key agreement phase:
  User:
  1. ai = Ri ⊕ PWi = h(IDi ⊕ x)
  2. MACu = h(Tu || ai), and store Tu temporarily until the end of the session
  3. User → Server: IDi, Tu, MACu
  Server:
  4. Check whether Tu is fresh
  5. ai' = h(IDi ⊕ x)
  6. MACu' = h(Tu || ai')
  7. Check MACu' ?= MACu
  8. Temporarily store (Tu, Ts) and IDi
  9. MACs = h(Tu || Ts || ai')
  10. Session key Ks = h((Tu || Ts) ⊕ ai')
  11. Server → User: Tu, Ts, MACs
  User:
  12. MACs' = h(Tu || Ts || ai)
  13. Check MACs' ?= MACs
  14. MACu'' = h(Ts || (ai + 1))
  15. Session key Ks = h((Tu || Ts) ⊕ ai)
  16. User → Server: Ts, MACu''
  Server:
  17. Check Ts and MACu''
  18. If the above holds, accept the user's login
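The three-message exchange of Shieh et al.'s scheme, with both sides' computations, as an added example (this is illustration code, not Shieh et al.'s own implementation). It assumes h(.) is SHA-256, "||" is byte concatenation, "⊕" is XOR over 32-byte blocks, IDs and passwords are padded to 32 bytes and timestamps to 16 bytes (so that Tu || Ts is a 32-byte block for the XOR in Ks), "ai + 1" increments ai as a 256-bit integer modulo 2^256, and "Tu is fresh" means the server has not seen that Tu before; the names below are the example's own.

```python
import hashlib
import secrets

# Added example (not Shieh et al.'s own code). Assumptions: h(.) is SHA-256, "||" is
# byte concatenation, "⊕" is XOR over 32-byte blocks, IDs/passwords are padded to
# 32 bytes and timestamps to 16 bytes (so that T_u || T_s is a 32-byte block for
# the XOR in K_s), "a_i + 1" increments a_i as a 256-bit integer modulo 2^256, and
# "T_u is fresh" means the server has not seen that T_u before in this toy model.


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(p ^ q for p, q in zip(a, b))


def blk(s: str, n: int = 32) -> bytes:
    return s.encode().ljust(n, b"\0")


def plus_one(a: bytes) -> bytes:
    return ((int.from_bytes(a, "big") + 1) % 2**256).to_bytes(32, "big")


def register(x: bytes, id_i: str, pw_i: str) -> bytes:
    """Chien et al.'s registration: the card stores R_i = h(ID_i ⊕ x) ⊕ PW_i."""
    return xor(h(xor(blk(id_i), x)), blk(pw_i))


def user_login(r_i: bytes, pw_i: str, t_u: str):
    """Steps 1-2: a_i = R_i ⊕ PW_i, MAC_u = h(T_u || a_i); step 3 sends (ID_i, T_u, MAC_u)."""
    a_i = xor(r_i, blk(pw_i))
    return a_i, h(blk(t_u, 16), a_i)


def server_respond(x: bytes, seen: set, id_i: str, t_u: str, mac_u: bytes, t_s: str):
    """Steps 4-10; step 11 sends (T_u, T_s, MAC_s). Returns (MAC_s, K_s) or None."""
    if t_u in seen:
        return None  # step 4: T_u is not fresh
    a_ip = h(xor(blk(id_i), x))  # step 5
    if h(blk(t_u, 16), a_ip) != mac_u:
        return None  # step 7: MAC_u' != MAC_u
    seen.add(t_u)  # step 8: remember (T_u, T_s) and ID_i for the session
    mac_s = h(blk(t_u, 16), blk(t_s, 16), a_ip)  # step 9
    k_s = h(xor(blk(t_u, 16) + blk(t_s, 16), a_ip))  # step 10
    return mac_s, k_s


def user_finish(a_i: bytes, t_u: str, t_s: str, mac_s: bytes):
    """Steps 12-15; step 16 sends (T_s, MAC_u''). Returns (MAC_u'', K_s) or None."""
    if h(blk(t_u, 16), blk(t_s, 16), a_i) != mac_s:
        return None  # step 13: the server failed to authenticate
    mac_u2 = h(blk(t_s, 16), plus_one(a_i))  # step 14
    k_s = h(xor(blk(t_u, 16) + blk(t_s, 16), a_i))  # step 15
    return mac_u2, k_s


def server_accept(x: bytes, id_i: str, stored_t_s: str, t_s: str, mac_u2: bytes) -> bool:
    """Steps 17-18: T_s must match the stored one and MAC_u'' = h(T_s || (a_i' + 1))."""
    a_ip = h(xor(blk(id_i), x))
    return t_s == stored_t_s and mac_u2 == h(blk(t_s, 16), plus_one(a_ip))


def run_session(corrupt_mac_s: bool = False):
    """Full exchange; returns (login accepted, both sides hold the same K_s),
    or None if the user aborts at step 13."""
    x, seen = secrets.token_bytes(32), set()
    r_i = register(x, "alice", "pw-example")
    a_i, mac_u = user_login(r_i, "pw-example", "tu=1000")
    mac_s, k_server = server_respond(x, seen, "alice", "tu=1000", mac_u, "ts=1001")
    if corrupt_mac_s:
        mac_s = bytes(32)  # constructed: MAC_s damaged on the wire
    fin = user_finish(a_i, "tu=1000", "ts=1001", mac_s)
    if fin is None:
        return None
    mac_u2, k_user = fin
    return server_accept(x, "alice", "ts=1001", "ts=1001", mac_u2), k_user == k_server


def replayed_login_rejected() -> bool:
    """A second login carrying an already-seen T_u fails the step-4 freshness test."""
    x, seen = secrets.token_bytes(32), set()
    r_i = register(x, "alice", "pw-example")
    _, mac_u = user_login(r_i, "pw-example", "tu=1000")
    first = server_respond(x, seen, "alice", "tu=1000", mac_u, "ts=1001")
    second = server_respond(x, seen, "alice", "tu=1000", mac_u, "ts=1002")
    return first is not None and second is None
```

The freshness check in step 4 is what the slide's "without synchronized clock" requirement depends on: in this toy model the server remembers seen Tu values instead of comparing Tu to its own clock, so a replayed first message is rejected even though the MAC on it is valid.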
Slide 12: Shieh et al.'s scheme (cont.)

Messages transmitted in the proposed scheme using a synchronized clock. Only the formulas annotated on the slide's diagram survive:
  // MACu = h(Tu || ai)
  // ai = Ri ⊕ PWi = h(IDi ⊕ x)
  // MACs = h(Tu || Ts || ai')
Slide 13: Shieh et al.'s scheme (cont.)

Messages transmitted in the parallel session attack (diagram not recoverable from the transcript).
Slide 14: Lee et al.'s scheme (CSI)

Registration/login phase: the same as that of Chien et al.'s scheme

Verification phase:
  4. Server checks IDi and T
  5. C1' = h(IDi ⊕ x)
  6. Check h(C1' ⊕ T) ?= C2
  7. C3 = h(h(C1' ⊕ T''))
  8. Server → User: T'', C3
  9. User checks T''
  10. Check h(h(C1 ⊕ T'')) ?= C3
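The Chien et al. scheme of slide 7 and the Lee et al. (CSI) variant above side by side, as an added example (illustration code, not from either paper). It assumes h(.) is SHA-256, "⊕" is XOR over 32-byte blocks, IDs, passwords and timestamps are strings padded to 32 bytes, and the freshness checks on T and T'' (steps 4 and 9) are left out so that only the message formats decide the outcome; the function names are the example's own. The last function is the design check a reviewer would run on the two reply formats: whether a message shaped like the server's reply (T'', C3) would pass the server's own step-6 login test if presented as (IDi, T'', C3).

```python
import hashlib
import secrets

# Added example (not code from Chien et al., Hsu or Lee et al.). Assumptions:
# h(.) is SHA-256; "⊕" is XOR over 32-byte blocks; IDs, passwords and timestamps
# are strings padded to 32 bytes; the freshness checks on T and T'' (steps 4 and 9
# of the slides) are omitted so that only the message formats decide the outcome.


def h(*parts: bytes) -> bytes:
    """h(.) of the slides: SHA-256 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(p ^ q for p, q in zip(a, b))


def blk(s: str) -> bytes:
    """Fixed 32-byte encoding of an ID, password or timestamp string (constructed)."""
    return s.encode().ljust(32, b"\0")


# Registration, shared by both schemes: the card stores R_i = h(ID_i ⊕ x) ⊕ PW_i
def register(x: bytes, id_i: str, pw_i: str) -> bytes:
    return xor(h(xor(blk(id_i), x)), blk(pw_i))


# Login, shared: C1 = R_i ⊕ PW_i, C2 = h(C1 ⊕ T); the card sends (ID_i, T, C2)
def login(r_i: bytes, pw_i: str, t: str):
    c1 = xor(r_i, blk(pw_i))
    return c1, h(xor(c1, blk(t)))


# Server side. Both schemes check h(C1' ⊕ T) == C2 with C1' = h(ID_i ⊕ x) and
# differ only in the reply: Chien C3 = h(C1' ⊕ T''), Lee (CSI) C3 = h(h(C1' ⊕ T'')).
def server_verify(scheme: str, x: bytes, id_i: str, t: str, c2: bytes, t2: str):
    c1p = h(xor(blk(id_i), x))
    if h(xor(c1p, blk(t))) != c2:
        return None  # step 6 fails: login rejected
    inner = h(xor(c1p, blk(t2)))
    return inner if scheme == "chien" else h(inner)


# User side, step 10 of both schemes: verify (T'', C3) against C1
def user_verify(scheme: str, c1: bytes, t2: str, c3: bytes) -> bool:
    inner = h(xor(c1, blk(t2)))
    return c3 == (inner if scheme == "chien" else h(inner))


def honest_run(scheme: str) -> bool:
    """A complete login; True when both sides accept."""
    x = secrets.token_bytes(32)
    r_i = register(x, "alice", "pw-example")
    c1, c2 = login(r_i, "pw-example", "T=1000")
    c3 = server_verify(scheme, x, "alice", "T=1000", c2, "T''=1001")
    return c3 is not None and user_verify(scheme, c1, "T''=1001", c3)


# Design check: would a message in the server's own reply format (T'', C3), fed back
# as a login (ID_i, T'', C3), pass the server's step-6 test? In Chien et al.'s scheme
# C3 has exactly the shape of a C2, so it does; Lee et al. (CSI) add the extra hash
# to C3 so that client and server messages can no longer be confused.
def reply_passes_login_check(scheme: str) -> bool:
    x = secrets.token_bytes(32)
    r_i = register(x, "alice", "pw-example")
    _, c2 = login(r_i, "pw-example", "T=1000")
    c3 = server_verify(scheme, x, "alice", "T=1000", c2, "T''=1001")
    return server_verify(scheme, x, "alice", "T''=1001", c3, "T''=1002") is not None


if __name__ == "__main__":
    for scheme in ("chien", "csi"):
        print(scheme, "honest run:", honest_run(scheme),
              "reply accepted as login:", reply_passes_login_check(scheme))
```

The point the check makes is about role separation: when the client-to-server and server-to-client messages are computed by the same formula over the same secret, the verifier cannot tell which direction a message was meant for. The CSI change fixes this with one extra hash on the server's side only, which is why the comparison slide lists it at two messages and the lowest extra cost.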
Slide 15: Chen et al.'s scheme

Registration phase: the same as that of Chien et al.'s scheme

Login/authentication phase:
  User:
  1. ai = Ri ⊕ PWi = h(IDi ⊕ x)
  2. M1 = h^2(IDi ⊕ x) ⊕ N1
  3. User → Server: IDi, M1
  Server:
  4. Compute h^2(IDi ⊕ x) and extract N1 by computing M1 ⊕ h^2(IDi ⊕ x)
  5. M2 = h(h(IDi ⊕ x) || N1) ⊕ N2 and M3 = h(h(IDi ⊕ x) || N1 || N2)
  6. Server → User: M2, M3
  User:
  7. Compute h(h(IDi ⊕ x) || N1) and extract N2 by computing M2 ⊕ h(h(IDi ⊕ x) || N1)
  8. Verify M3 ?= h(h(IDi ⊕ x) || N1 || N2)
  9. M4 = h(h^2(IDi ⊕ x) || N1+1 || N2+1)
  10. User → Server: M4
  Server:
  11. Verify M4 ?= h(h^2(IDi ⊕ x) || N1+1 || N2+1)
  12. Session key Ks = h(h^3(IDi ⊕ x) || N1+2 || N2+2)
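The nonce-based exchange of Chen et al.'s scheme with both sides' computations and the final key derivation, as an added example (illustration code, not Chen et al.'s own). It assumes h(.) is SHA-256, h^k is k iterated applications of h, "||" is byte concatenation, "⊕" is XOR over 32-byte blocks, IDs and passwords are strings padded to 32 bytes, the nonces N1 and N2 are random 256-bit values, and "N + k" is integer addition modulo 2^256; all function names are the example's own.

```python
import hashlib
import secrets

# Added example (not Chen et al.'s own code). Assumptions: h(.) is SHA-256, h^k is
# k iterated applications of h, "||" is byte concatenation, "⊕" is XOR over
# 32-byte blocks, IDs/passwords are strings padded to 32 bytes, nonces N1 and N2
# are random 256-bit values, and "N + k" is integer addition modulo 2^256.


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def hk(data: bytes, k: int) -> bytes:
    """h^k: apply h k times."""
    for _ in range(k):
        data = h(data)
    return data


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(p ^ q for p, q in zip(a, b))


def blk(s: str) -> bytes:
    return s.encode().ljust(32, b"\0")


def add(n: bytes, k: int) -> bytes:
    return ((int.from_bytes(n, "big") + k) % 2**256).to_bytes(32, "big")


def register(x: bytes, id_i: str, pw_i: str) -> bytes:
    """Chien et al.'s registration: the card stores R_i = h(ID_i ⊕ x) ⊕ PW_i."""
    return xor(h(xor(blk(id_i), x)), blk(pw_i))


def user_start(r_i: bytes, pw_i: str):
    """Steps 1-2: a_i = R_i ⊕ PW_i = h(ID_i ⊕ x), M1 = h^2(ID_i ⊕ x) ⊕ N1;
    step 3 sends (ID_i, M1). Returns (a_i, N1, M1)."""
    a_i = xor(r_i, blk(pw_i))
    n1 = secrets.token_bytes(32)
    return a_i, n1, xor(h(a_i), n1)


def server_respond(x: bytes, id_i: str, m1: bytes):
    """Steps 4-5; step 6 sends (M2, M3). The server keeps N1 and N2 for step 11."""
    a_ip = h(xor(blk(id_i), x))  # h(ID_i ⊕ x)
    n1 = xor(m1, h(a_ip))  # N1 = M1 ⊕ h^2(ID_i ⊕ x)
    n2 = secrets.token_bytes(32)
    m2 = xor(h(a_ip, n1), n2)  # M2 = h(h(ID_i ⊕ x) || N1) ⊕ N2
    m3 = h(a_ip, n1, n2)  # M3 = h(h(ID_i ⊕ x) || N1 || N2)
    return n1, n2, m2, m3


def user_finish(a_i: bytes, n1: bytes, m2: bytes, m3: bytes):
    """Steps 7-9 and 12; step 10 sends M4. Returns (M4, K_s) or None when step 8 fails."""
    n2 = xor(m2, h(a_i, n1))  # extract N2
    if h(a_i, n1, n2) != m3:
        return None  # step 8: the server is not authenticated
    m4 = h(h(a_i), add(n1, 1), add(n2, 1))  # M4 = h(h^2(..) || N1+1 || N2+1)
    k_s = h(hk(a_i, 2), add(n1, 2), add(n2, 2))  # K_s = h(h^3(..) || N1+2 || N2+2)
    return m4, k_s


def server_finish(x: bytes, id_i: str, n1: bytes, n2: bytes, m4: bytes):
    """Steps 11-12: verify M4, then derive the same K_s. Returns K_s or None."""
    a_ip = h(xor(blk(id_i), x))
    if h(h(a_ip), add(n1, 1), add(n2, 1)) != m4:
        return None
    return h(hk(a_ip, 2), add(n1, 2), add(n2, 2))


def run_session(corrupt_m2: bool = False):
    """Full exchange; True when both sides authenticate and agree on K_s, False when
    the server rejects M4, None when the user aborts at step 8."""
    x = secrets.token_bytes(32)
    r_i = register(x, "alice", "pw-example")
    a_i, n1, m1 = user_start(r_i, "pw-example")
    n1_s, n2_s, m2, m3 = server_respond(x, "alice", m1)
    if corrupt_m2:
        m2 = bytes(32)  # constructed: M2 damaged on the wire, so the user recovers a wrong N2
    fin = user_finish(a_i, n1, m2, m3)
    if fin is None:
        return None
    m4, k_user = fin
    k_server = server_finish(x, "alice", n1_s, n2_s, m4)
    return k_server is not None and k_server == k_user
```

No timestamp appears anywhere in the exchange: freshness comes from N1 and N2, which each side chooses itself, and the incremented nonces in M4 and Ks keep the four hashed values (M3, M4, the two key inputs) distinct even though they are computed from the same secret. The cost of this is visible in the comparison slide, which counts far more hash and XOR operations for this scheme than for the timestamp-based ones.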
Slide 16: Lee et al.'s scheme (AMC)

Parallel session attack (diagram not recoverable from the transcript).
Slide 17: Yoon et al.'s scheme

Registration phase and login/authentication phase (diagrams not recoverable from the transcript).
Slide 18: Comments: Comparison

Scheme           | Mutual authentication (steps) | Session key agreement | Use of timestamp | Computation load
Shieh et al.     | Yes (3)                       | Yes                   | Yes/No           | 10H + 6⊕
Lee et al. (CSI) | Yes (2)                       | No                    | Yes              | 7H + 8⊕
Chen et al.      | Yes (3)                       | Yes                   | No               | 19H + 15⊕
Lee et al. (AMC) | Yes (3)                       | No                    | No               | 6H + 7⊕
Yoon et al.      | Yes (2)                       | No                    | Yes              | 6H + 2⊕

(H = one hash operation, ⊕ = one XOR operation.)
Slide 19: Comments (cont.): Forward secrecy

- When the secret key x is compromised, the agreed session key can be reconstructed by the attacker
- Solution: the Diffie-Hellman key exchange algorithm. Let N1 = g^x and N2 = g^y; session key = g^xy
Slide 20: Comments (cont.): Identity problems

- No verification tables in the remote server
- Impersonation attack: a legitimate user can purposely obtain another valid (ID, PW) by the following trick:
  - The user declares that he lost his smart card
  - He registers a new valid (ID, PW)
  - The original smart card is still legal to use