
Multimedia Network Security Laboratory (多媒體網路安全實驗室)

A novel user authentication and privacy preserving scheme with smartcards for wireless communications

Authors: Chun-Ta Li, Cheng-Chi Lee
Source: Mathematical and Computer Modelling, 2012

Presenter: 葉瑞群
Date: 2012/09/07


Outline

1. Introduction
2. Review of He et al.'s scheme
3. Three weaknesses in He et al.'s scheme
4. The proposed scheme
5. Security analysis of the proposed scheme
6. Functionality features and performance analysis of the proposed scheme
7. Conclusions


1. Introduction (1/3)

Generally speaking, a mobile user (MU) who has roamed into the network of a foreign agent (FA) can still access the services provided by the MU's home agent (HA), with FA relaying the authentication to HA.


1. Introduction (2/3)

Recently, He et al. [5] showed that Wu et al.'s scheme is vulnerable to several weaknesses and then proposed a strong user authentication scheme with smart cards for wireless communications.


1. Introduction (3/3)

In this paper we show that He et al.'s scheme has the following three weaknesses.

1. Lack of user friendliness.
2. Unfairness in key agreement.
3. Attacks against user anonymity.


2. Review of He et al.'s scheme (1/7): Table 1 (I), notations

MU       The mobile user
PW_MU    The password of MU
ID_MU    The identity of MU
HA       The home agent of MU
ID_HA    The identity of HA
FA       The foreign agent of the network into which MU has roamed
ID_FA    The identity of FA
N        The master secret key stored in HA
T_X      A timestamp generated by an entity X
SK       The common session key
⊕        The bitwise XOR operation
H(.)     A collision-free one-way hash function


2. Review of He et al.'s scheme (2/7): Table 1 (II), notations

||             String concatenation
E_K[.]/D_K[.]  The symmetric encryption/decryption function with key K
E_K{.}/D_K{.}  The asymmetric encryption/decryption function with key K
⇒              A secure channel
→              A common channel


2. Review of He et al.'s scheme (3/7): Registration phase [1]

MU ⇒ HA: ID_MU, H(PW_MU ⊕ d)

HA computes:
  TK_MU = H(ID_MU || X_HA)
  SK_MU = H(N || ID_MU)
  r = TK_MU ⊕ ID_HA ⊕ E_N[(ID_MU || m)]
HA ⇒ MU: {TK_MU, SK_MU, H(.), r}

MU computes:
  SK*_MU = H(ID_MU || H(PW_MU)) ⊕ SK_MU
  V_MU = TK_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
  H_MU = H(TK_MU)
Smart card stores {V_MU, H_MU, SK*_MU, H(.), d, r}


2. Review of He et al.'s scheme (4/7): Login phase [2]

Smart card computes:
  TK*_MU = V_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
  H*_MU = H(TK*_MU)
  check H*_MU = H_MU
  SK_MU = H(ID_MU || H(PW_MU)) ⊕ SK*_MU
  L = H(T_MU ⊕ SK_MU)
  F = E_L[H(T_MU) || ID_FA || x0 || x]
  n = r ⊕ TK_MU = ID_HA ⊕ E_N[(ID_MU || m)]
MU → FA: m1 = {n, F, ID_HA, T_MU}


2. Review of He et al.'s scheme (5/7): Authentication phase [3], part I

FA computes E{H(b, n, F, T_MU, Cert_FA)} and sends
FA → HA: m2 = {b, n, F, T_MU, T_FA, E{H(b, n, F, T_MU, Cert_FA)}, Cert_FA}

HA computes:
  n ⊕ ID_HA = E_N[ID_MU || m]
  D_N[E_N[ID_MU || m]] = ID_MU, m
  check ID_MU against the database
  L = H(T_MU ⊕ SK_MU)
  D_L[F] = H(T_MU), ID_FA, x0, x
  check ID_FA and Cert_FA
  W = E{H(H(N || ID_MU)) || x0 || x}
  E{H(b, c, W, T_HA, Cert_HA)}
HA → FA: m3 = {c, W, T_HA, E{H(b, c, W, T_HA, Cert_HA)}, Cert_HA}


2. Review of He et al.'s scheme (6/7): Authentication phase [3], part II

FA checks T_HA and verifies E{H(b, c, W, T_HA, Cert_HA)} with P_HA, then computes:
  D{W} = H(H(N || ID_MU)), x0, x
  SK = H(H(H(N || ID_MU)) || x || x0)
FA → MU: m4 = {E_SK[TCert_MU || H(x0 || x)]}

MU computes:
  SK = H(H(SK_MU) || x || x0)
  D_SK[m4] = TCert_MU, H(x0 || x)


2. Review of He et al.'s scheme (7/7): Password change phase [4]

Smart card computes:
  TK*_MU = V_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
  H*_MU = H(TK*_MU), check H*_MU = H_MU
MU inputs the new password PW_MU^new.
Smart card computes:
  SK'_MU = H(ID_MU || H(PW_MU^new)) ⊕ SK_MU
         = H(ID_MU || H(PW_MU^new)) ⊕ H(ID_MU || H(PW_MU)) ⊕ SK*_MU, and replaces SK*_MU with SK'_MU
  V'_MU = TK_MU ⊕ H(ID_MU || H(PW_MU^new ⊕ d^new)), and replaces V_MU with V'_MU
Smart card now stores {V'_MU, H_MU, SK'_MU, H(.), d^new, r}, and MU uses PW_MU^new from then on.


3. Three weaknesses in He et al.'s scheme (1/3)

1. Lack of user friendliness

The authors assumed that MU's identity ID_MU is 128 bits long, so MU has to memorize a 128-bit identity (usually written as 32 hexadecimal ASCII characters), which is not practical for a human user.


3. Three weaknesses in He et al.'s scheme (2/3)

2. Unfairness in key agreement

MU alone chooses x0 and x, two 256-bit random numbers generated by MU. Hence in Step V7 the common session key that FA computes, SK = H(H(H(N ‖ ID_MU)) ‖ x ‖ x0), is always determined by the x0 and x that MU pre-selected; FA contributes no randomness of its own to the key.


3. Three weaknesses in He et al.'s scheme (3/3)

3. Attacks against user anonymity

Consider a mobile user MU that roams into a foreign network and sends the login message m1 = {n, F, ID_HA, T_MU} to FA to access a service. The values n and ID_HA are specific to this MU and never change from one login to the next (Step L4 of the login phase), so an eavesdropper can recognize and link all of MU's sessions, which breaks user anonymity.
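Weaknesses 2 and 3 can be checked mechanically. The following Python model is an added example, not the authors' code: it implements He et al.'s registration and login phases with toy primitives (SHA-256 for H(.), a SHA-256 keystream XOR standing in for E_K[.]/D_K[.]; the asymmetric signatures and FA's random value b are omitted because they play no part in n or SK), runs the login twice for one user and once for a second user, and shows (a) that a passive eavesdropper links a user's sessions by the constant pair (n, ID_HA) in m1, and (b) that the session key FA derives in Step V7 equals a value MU had already fixed before sending m1. All identities, passwords, timestamps and the HA secret X_HA are constructed sample values; passwords and timestamps are padded to 32 bytes so they can be XORed with hash outputs.

```python
import hashlib
import secrets

# Added example (not the authors' code): He et al.'s registration and login phases with
# toy primitives. ASSUMPTIONS: H(.) = SHA-256; E_K[.]/D_K[.] = SHA-256 keystream XOR;
# ID_MU is 128 bits (as the paper assumes); x0 and x are 256 bits; passwords and
# timestamps are padded to 32 bytes so they can be XORed with hashes; the asymmetric
# signatures and FA's random value b are omitted because they do not affect n or SK.
ID_LEN = 16

def H(*parts): return hashlib.sha256(b"".join(parts)).digest()     # H(.); "||" joins parts
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))           # ⊕ on equal-length strings
def pad32(b): return b.ljust(32, b"\0")
def E(key, msg):                                                   # toy E_K[.]; applying it twice decrypts
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(msg) // 32 + 1))
    return bytes(m ^ k for m, k in zip(msg, ks))

class HomeAgent:
    def __init__(self):
        self.N, self.X_HA, self.id = (secrets.token_bytes(32) for _ in range(3))   # N, X_HA, ID_HA
        self.db = set()
    def register(self, id_mu, h_pw_d):                    # MU ⇒ HA: ID_MU, H(PW_MU ⊕ d)
        self.db.add(id_mu)
        tk, sk_mu = H(id_mu, self.X_HA), H(self.N, id_mu)  # TK_MU = H(ID_MU||X_HA), SK_MU = H(N||ID_MU)
        r = xor(xor(tk, self.id), E(self.N, id_mu + secrets.token_bytes(16)))  # r = TK_MU ⊕ ID_HA ⊕ E_N[ID_MU||m]
        return tk, sk_mu, r
    def handle(self, m1, id_fa):                          # HA side of the authentication phase
        id_mu = E(self.N, xor(m1["n"], self.id))[:ID_LEN]  # D_N[n ⊕ ID_HA] = ID_MU || m
        if id_mu not in self.db: raise PermissionError("unknown MU")
        dec = E(H(xor(m1["T_MU"], H(self.N, id_mu))), m1["F"])   # L = H(T_MU ⊕ SK_MU); D_L[F]
        h_t, fa, x0, x = dec[:32], dec[32:32 + len(id_fa)], dec[-64:-32], dec[-32:]
        if h_t != H(m1["T_MU"]) or fa != id_fa: raise PermissionError("bad F")
        return H(H(self.N, id_mu)), x0, x                 # contents of W, passed on to FA

def make_card(ha, id_mu, pw, d):                          # MU's registration-phase computations
    tk, sk_mu, r = ha.register(id_mu, H(xor(pad32(pw), d)))
    return {"V": xor(tk, H(id_mu, H(xor(pad32(pw), d)))),  # V_MU = TK_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
            "H": H(tk),                                     # H_MU = H(TK_MU)
            "SK*": xor(H(id_mu, H(pad32(pw))), sk_mu),      # SK*_MU = H(ID_MU || H(PW_MU)) ⊕ SK_MU
            "d": d, "r": r}

def login(card, id_mu, pw, id_ha, id_fa, t_mu):           # smart-card side of the login phase
    tk = xor(card["V"], H(id_mu, H(xor(pad32(pw), card["d"]))))   # TK*_MU
    if H(tk) != card["H"]: raise PermissionError("wrong password")
    sk_mu = xor(H(id_mu, H(pad32(pw))), card["SK*"])      # SK_MU
    x0, x = secrets.token_bytes(32), secrets.token_bytes(32)       # chosen by MU alone
    F = E(H(xor(t_mu, sk_mu)), H(t_mu) + id_fa + x0 + x)  # L = H(T_MU ⊕ SK_MU); F = E_L[H(T_MU)||ID_FA||x0||x]
    m1 = {"n": xor(card["r"], tk), "F": F, "ID_HA": id_ha, "T_MU": t_mu}   # n = r ⊕ TK_MU
    return m1, H(H(sk_mu), x, x0)                         # MU's SK is fixed before FA sees anything

def fa_session_key(w_hash, x0, x): return H(w_hash, x, x0)   # Step V7: SK = H(H(H(N||ID_MU))||x||x0)

def link_logins(messages):                                # eavesdropper: group m1's by the constant (n, ID_HA)
    return len({(m["n"], m["ID_HA"]) for m in messages})

def demo():
    ha, id_fa = HomeAgent(), b"FA-00001"
    alice, bob = secrets.token_bytes(ID_LEN), secrets.token_bytes(ID_LEN)
    card_a = make_card(ha, alice, b"alice-pw", secrets.token_bytes(32))
    card_b = make_card(ha, bob, b"bob-pw", secrets.token_bytes(32))
    t1, t2, t3 = (t.to_bytes(32, "big") for t in (1000, 2000, 3000))
    m1a, sk_a = login(card_a, alice, b"alice-pw", ha.id, id_fa, t1)
    m1a2, _ = login(card_a, alice, b"alice-pw", ha.id, id_fa, t2)
    m1b, _ = login(card_b, bob, b"bob-pw", ha.id, id_fa, t3)
    w, x0, x = ha.handle(m1a, id_fa)
    return {"fa_key_equals_mu_precomputed": fa_session_key(w, x0, x) == sk_a,   # weakness 2
            "alice_sessions_linked": link_logins([m1a, m1a2]) == 1,             # weakness 3
            "users_distinguished": link_logins([m1a, m1b]) == 2}
```

demo() returns three booleans, all true: link_logins() sees one pseudonym for two logins of the same user and two for two different users, so m1 is a stable per-user identifier even though ID_MU itself is never sent in the clear; and the key FA derives is exactly the value MU computed at login time, before any FA input existed.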


4. The proposed scheme (1/7): Notations

p, q               public large prime numbers
S_HA = c           HA selects a private key c
P_HA = g^c mod p   HA computes its public key
S_FA = e           FA selects a private key e
P_FA = g^e mod p   FA computes its public key


4. The proposed scheme (2/7): Registration phase [1]

MU ⇒ HA: ID_MU, H(ID_MU ⊕ PW_MU ⊕ d)

HA computes:
  TK_MU = H(N || ID_MU) ⊕ H(ID_MU ⊕ PW_MU ⊕ d)
  r = ID_HA ⊕ E_N[(ID_MU || m)]
HA ⇒ MU: {TK_MU, H(.), r}

Smart card stores {TK_MU, H(.), r, d}


4. The proposed scheme (3/7): Login phase [2]

Smart card computes:
  TK*_MU = TK_MU ⊕ H(ID_MU ⊕ PW_MU ⊕ d) = H(N || ID_MU)
  A = g^a mod p
  L = H(T_MU ⊕ TK*_MU), F = E_L[T_MU || ID_FA || A]
  DH = P_HA^a mod p = g^(ac) mod p, M = E_DH[r]
  DH' = P_FA^a mod p = g^(ea) mod p
MU → FA: m1 = {A, T_MU, U = E_DH'[M, F, ID_HA, T_MU]}


4. The proposed scheme (4/7): Authentication phase [3], part I

FA computes:
  DH' = A^e mod p = g^(ae) mod p
  D_DH'[U] = M, F, ID_HA, T_MU
  B = g^b mod p
  V = E{H(A, B, M, F, T_MU, T_FA, Cert_FA)}
  DH'' = P_HA^b mod p = g^(cb) mod p
FA → HA: m2 = {B, T_FA, W = E_DH''[A, B, M, F, T_MU, T_FA, V, Cert_FA]}

HA computes:
  DH'' = B^c mod p = g^(bc) mod p
  D_DH''[W] = A, B, M, F, T_MU, T_FA, V, Cert_FA
  DH = A^c mod p = g^(ac) mod p
  ID_HA ⊕ D_DH[M] = E_N[ID_MU || m]
  D_N[E_N[ID_MU || m]] = ID_MU, m


4. The proposed scheme (5/7): Authentication phase [3], part II

HA checks ID_MU against its database; if it is absent, MU is not a legal user and the request is rejected. Otherwise HA computes:
  L = H(T_MU ⊕ H(N || ID_MU))
  D_L[F] = T_MU, ID_FA, A
  D = g^d mod p
  X = E{H(A, B, D, T_HA, Cert_HA)}
  SK' = B^d mod p = g^(bd) mod p
  Y = E_SK'[H(H(N || ID_MU) || D) || A || B || D || X || Cert_HA]
HA → FA: m3 = {D, T_HA, Y}

FA computes:
  SK' = D^b mod p = g^(db) mod p
  D_SK'[Y] = H(H(N || ID_MU) || D), A, B, D, X, Cert_HA
  SK = A^b mod p = g^(ab) mod p
FA → MU: m4 = {B, Z = E_SK[TCert_MU || H(H(N || ID_MU) || D) || A || B || D]}


4. The proposed scheme (6/7): Authentication phase [3], part III

MU computes:
  SK = B^a mod p = g^(ba) mod p
  D_SK[Z] = TCert_MU, H(H(N || ID_MU) || D), A, B, D
MU can check the recovered H(H(N || ID_MU) || D) against H(TK*_MU || D), since TK*_MU = H(N || ID_MU), and compare A and B with the values it sent and received.


4. The proposed scheme (7/7): Password change phase [4]

MU inputs PW_MU and the new password PW_MU^new; the smart card computes:
  TK*_MU = TK_MU ⊕ H(ID_MU ⊕ PW_MU ⊕ d) = H(N || ID_MU)
  H(ID_MU ⊕ PW_MU^new ⊕ d')
  TK_MU^new = TK*_MU ⊕ H(ID_MU ⊕ PW_MU^new ⊕ d')
Smart card replaces TK_MU and d with TK_MU^new and d'.
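To make the message flow of Section 4 concrete, here is an added Python model of the proposed scheme (example code, not the authors' implementation) covering registration, login, the messages m1 to m4 with both MU and FA deriving SK, MU checking H(H(N||ID_MU)||D) against its own TK*_MU, and the password change phase. Assumptions: a toy 127-bit prime p with g = 3 (far too small for real use), SHA-256 for H(.), a SHA-256 keystream XOR for E_K[.], plain hashes standing in for the signatures E{H(...)} whose algorithm the slides do not specify, symmetric keys derived from each Diffie-Hellman value as H(value), and constructed identities, certificates and timestamps. Running three sessions (one after a password change) also exhibits what Section 5 relies on: A and U in m1 differ on every login, and SK is fresh each session.

```python
import hashlib
import secrets

# Added example (not the authors' code). ASSUMPTIONS: toy 127-bit prime p, g = 3 (far too small for
# real use); H(.) = SHA-256; E_K[.] = SHA-256 keystream XOR; signatures E{H(...)} replaced by plain hashes.
P, G, ID_LEN = 2**127 - 1, 3, 16

def H(*parts): return hashlib.sha256(b"".join(parts)).digest()         # H(.); "||" joins parts
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))               # ⊕ on equal-length strings
def pad32(b): return b.ljust(32, b"\0")                                 # IDs/passwords XOR-able with hashes
def E(key, msg):                                                       # E_K[.] = D_K[.] (toy, involutive)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(msg) // 32 + 1))
    return bytes(m ^ k for m, k in zip(msg, ks))
def pack(*parts): return b"".join(len(p).to_bytes(2, "big") + p for p in parts)   # length-prefixed "||"
def unpack(buf):
    out = []
    while buf:
        n, buf = int.from_bytes(buf[:2], "big"), buf[2:]
        out.append(buf[:n]); buf = buf[n:]
    return out
def g_pow(base, exp):                                                  # base^exp mod p as 16 bytes
    return pow(base if isinstance(base, int) else int.from_bytes(base, "big"), exp, P).to_bytes(16, "big")
def rand_exp(): return secrets.randbelow(P - 2) + 1
def ts(t): return t.to_bytes(32, "big")                                  # timestamps as 32-byte strings

class HomeAgent:
    def __init__(self):
        self.N, self.id, self.db = secrets.token_bytes(32), secrets.token_bytes(32), set()   # N, ID_HA
        self.c = rand_exp(); self.pub = pow(G, self.c, P)                   # S_HA = c, P_HA = g^c mod p
    def register(self, id_mu, h_id_pw_d):                                   # registration phase (secure channel)
        self.db.add(id_mu)
        tk = xor(H(self.N, id_mu), h_id_pw_d)                               # TK_MU = H(N||ID_MU) ⊕ H(ID_MU ⊕ PW_MU ⊕ d)
        return tk, xor(self.id, E(self.N, id_mu + secrets.token_bytes(16))) # r = ID_HA ⊕ E_N[ID_MU||m]
    def authenticate(self, m2, t_ha, cert_ha):
        B, t_fa, W = m2
        A, _, M, F, t_mu, _, V, cert_fa = unpack(E(H(g_pow(B, self.c)), W)) # DH'' = B^c; D_DH''[W]
        if V != H(A, B, M, F, t_mu, t_fa, cert_fa): raise PermissionError("FA signature check failed")
        plain = E(self.N, xor(self.id, E(H(g_pow(A, self.c)), M)))         # DH = A^c; D_N[ID_HA ⊕ D_DH[M]] = ID_MU||m
        if (id_mu := plain[:ID_LEN]) not in self.db: raise PermissionError("MU is not a legal user")
        t_mu2, id_fa, A2 = unpack(E(H(xor(t_mu, H(self.N, id_mu))), F))    # L = H(T_MU ⊕ H(N||ID_MU)); D_L[F]
        if (t_mu2, A2) != (t_mu, A): raise PermissionError("F is inconsistent with m1")
        d = rand_exp(); D = g_pow(G, d)
        X = H(A, B, D, t_ha, cert_ha)                                       # stand-in for E{H(A,B,D,T_HA,Cert_HA)}
        tag = H(H(self.N, id_mu), D)                                        # H(H(N||ID_MU)||D), checkable by MU
        return D, t_ha, E(H(g_pow(B, d)), pack(tag, A, B, D, X, cert_ha))   # m3 = {D, T_HA, Y}; SK' = B^d

class ForeignAgent:
    def __init__(self, id_fa, p_ha):
        self.id, self.p_ha = id_fa, p_ha
        self.e = rand_exp(); self.pub = pow(G, self.e, P)                   # S_FA = e, P_FA = g^e mod p
    def forward(self, m1, t_fa, cert_fa):
        A, t_mu, U = m1
        M, F, id_ha, _ = unpack(E(H(g_pow(A, self.e)), U))                  # DH' = A^e; D_DH'[U]
        self.b = rand_exp(); B = g_pow(G, self.b)
        V = H(A, B, M, F, t_mu, t_fa, cert_fa)                              # stand-in for E{H(...)}
        return B, t_fa, E(H(g_pow(self.p_ha, self.b)), pack(A, B, M, F, t_mu, t_fa, V, cert_fa))  # m2; DH'' = P_HA^b
    def finish(self, m3, tcert_mu):
        D, t_ha, Y = m3
        tag, A, B, _, X, cert_ha = unpack(E(H(g_pow(D, self.b)), Y))        # SK' = D^b; D_SK'[Y]
        if X != H(A, B, D, t_ha, cert_ha): raise PermissionError("HA signature check failed")
        self.sk = g_pow(A, self.b)                                          # SK = A^b mod p
        return B, E(H(self.sk), pack(tcert_mu, tag, A, B, D))               # m4 = {B, Z}

class MobileUser:
    def __init__(self, ha, id_mu, pw):
        self.id, self.pw, self.d, self.id_ha = id_mu, pad32(pw), secrets.token_bytes(32), ha.id
        self.tk, self.r = ha.register(id_mu, H(xor(xor(pad32(id_mu), self.pw), self.d)))  # card: {TK_MU, r, d}
    def tk_star(self): return xor(self.tk, H(xor(xor(pad32(self.id), self.pw), self.d)))  # TK*_MU = H(N||ID_MU)
    def login(self, t_mu, id_fa, p_ha, p_fa):
        self.a = rand_exp(); A = g_pow(G, self.a)
        F = E(H(xor(t_mu, self.tk_star())), pack(t_mu, id_fa, A))          # L = H(T_MU ⊕ TK*_MU); F = E_L[T_MU||ID_FA||A]
        M = E(H(g_pow(p_ha, self.a)), self.r)                               # DH = P_HA^a; M = E_DH[r]
        return A, t_mu, E(H(g_pow(p_fa, self.a)), pack(M, F, self.id_ha, t_mu))  # m1 = {A, T_MU, U}; DH' = P_FA^a
    def finish(self, m4):
        B, Z = m4; sk = g_pow(B, self.a)                                    # SK = B^a mod p
        _, tag, _, _, D = unpack(E(H(sk), Z))                               # D_SK[Z]
        if tag != H(self.tk_star(), D): raise PermissionError("HA authentication failed")
        return sk
    def change_password(self, new_pw):                                      # password change phase
        tk_star = self.tk_star()
        self.pw, self.d = pad32(new_pw), secrets.token_bytes(32)            # PW_MU^new, d'
        self.tk = xor(tk_star, H(xor(xor(pad32(self.id), self.pw), self.d)))   # TK_MU^new replaces TK_MU

def run_session(mu, fa, ha, t):
    m1 = mu.login(ts(t), fa.id, ha.pub, fa.pub)
    m2 = fa.forward(m1, ts(t + 1), b"Cert_FA")
    m3 = ha.authenticate(m2, ts(t + 2), b"Cert_HA")
    return mu.finish(fa.finish(m3, b"TCert_MU")), fa.sk, m1

def demo():
    ha = HomeAgent(); fa = ForeignAgent(b"FA-00001", ha.pub)
    mu = MobileUser(ha, secrets.token_bytes(ID_LEN), b"correct horse battery")
    k1, k1_fa, m1_a = run_session(mu, fa, ha, 1000)
    k2, k2_fa, m1_b = run_session(mu, fa, ha, 2000)
    mu.change_password(b"staple")
    k3, k3_fa, _ = run_session(mu, fa, ha, 3000)
    return {"keys_agree": (k1, k2, k3) == (k1_fa, k2_fa, k3_fa),
            "fresh_per_session": len({k1, k2, k3}) == 3,
            "m1_unlinkable": m1_a[0] != m1_b[0] and m1_a[2] != m1_b[2]}
```

demo() returns three true flags. Note what each party can and cannot do: FA decrypts U with DH' but only ever sees M and F as opaque ciphertexts, HA is the only party that recovers ID_MU, and the session key SK = g^(ab) mod p is never transmitted, so an observer holding the transcript and even the long-term keys c and e would still need a or b to obtain it.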


5. Security analysis of the proposed scheme (1/3)

The proposed scheme provides user anonymity. The login message is

  m1 = {A, T_MU, U = E_DH'[M, F, ID_HA, T_MU]}

Step 1: only FA, which holds the private key e, can compute DH' = A^e mod p = g^(ae) mod p.
Step 2: only with DH' can U be opened, D_DH'[U] = M, F, ID_HA, T_MU.
Because a is chosen fresh at every login, A and U differ from one login to the next, and ID_HA and the ciphertext M that carries ID_MU are never exposed on the common channel.


5. Security analysis of the proposed scheme (2/3)

Shared secrets held by each pair of parties:

        MU     FA     HA
DH'     ✓      ✓
DH''           ✓      ✓
DH      ✓             ✓
SK      ✓      ✓


5. Security analysis of the proposed scheme (3/3)

The proposed scheme meets the security requirement of perfect forward secrecy: SK = g^(ab) mod p is a Diffie-Hellman value built from the fresh exponents a (MU) and b (FA), so a later disclosure of the long-term private keys c and e does not reveal past session keys.

An attacker cannot launch any attack to obtain MU's real identity ID_MU or password PW_MU: the smart card holds only TK_MU = H(N || ID_MU) ⊕ H(ID_MU ⊕ PW_MU ⊕ d), and the value recovered at login, TK*_MU = H(N ‖ ID_MU), depends on HA's master secret N.


6. Functionality features and performance analysis of the proposed scheme (1/1)


7. Conclusions

More recently, He et al. showed that Wu et al.'s smart-card-based authentication scheme with user anonymity is vulnerable to several weaknesses and then proposed a secure and lightweight user authentication scheme. This paper points out three weaknesses in He et al.'s scheme (a 128-bit identity the user must memorize, a session key fixed by MU alone, and login messages that let an eavesdropper link a user's sessions) and proposes a Diffie-Hellman-based scheme that encrypts the login message for FA, lets MU and FA contribute to the session key, and thereby provides user anonymity and perfect forward secrecy.
