1

Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards

使用在 smart cards 的強韌及高效率密碼驗證金鑰協定

IEEE Transactions on Industrial Electronics, VOL.55, NO.6,June 2008

Author: Wen-Shenq Juang, Sian-Teng Chen, and Horng-Twu Liaw

Adviser ： 鄭錦楸 教授 Reporter ：林彥宏

2

Outline

Introduction

Proposed Schemethe parameter generation phase

the registration phase

the precomputation phase

the log-in phase

the password-changing phase

Security Analysis

Cost and Functionality Consideration

Conclusions

3

Introduction

robust remote authentication scheme with smart cards

Advantages:low computation for smart cards

no password table

passwords chosen by the users themselves

withstanding the replay attack

server authentication

withstanding the dictionary attack

revoking the lost cards without changing the users’ identities

4

Introduction

Drawbacks:no ability of anonymity

higher computation and communication cost

no session key agreement

cannot prevent the insider attack

5

Proposed Scheme

base on elliptic curve cryptosystems

consists of five phases:the parameter generation phase

the registration phase

the precomputation phase

the log-in phase

the password-changing phase

6

Proposed Scheme

the parameter generation phase:server select a large prime , and

server finds a point ,

server selects a random number as its private key

server computers the public key

publishes parameters

P Pp Z ,bZa 0) (mod274satisfy and 23 Pbaba

nG order of OGn x

)( GxPS )( , G, n, P, EP PS

7

Proposed Scheme

the registration phase:

||b), h(PWID ii

||b), h(PWID ii

User i Server

iCI

),s ,CIh(IDV

||b)))||h(PW||CI||h(ID||CI|ID(h(PW||b)|Eb

iii

iiiiiSi

}{card iiii , CI, ID, Vb

b} ,CI ,ID ,V ,{bcard iiii

tag

8

Proposed Scheme

the precomputation phase :

ii , CIID

User i Server

),s ,CIh(IDV

||b)))||h(PW||CI||h(ID||CI|ID(h(PW||b)|Eb

iii

iiiiiSi

b} ,CI ,ID ,V ,{bcard iiii

GxrPrc

Gre

S

9

Proposed Scheme

the log-in phase :

User i Server

),s ,CIh(IDV

||b)))||h(PW||CI||h(ID||CI|ID(h(PW||b)|Eb

iii

iiiiiSi

b} ,CI ,ID ,V ,{bcard iiii

GxrPrc

Gre

S

Password ii b(e)Ev ,

Gre authentication tag

registrationregistration table)h(c||u||VM

u

xec

iS

Su , M

Su , M

)Key Session , c , uh(VS

||c||u)||b)||Vh(h(PWM

iK

iiU

UM

KS

ii , CIID

10

Proposed Scheme

the password-changing phase:

User i Log in Server

))||b,h(PW(IDE **iiSk

kSkS

)***** ))||b||h(PW||CI||h(ID||CI)||ID||b(h(PWEb iiiiiiSi

)(bE *iSK

11

Security Analysis

Mutual Authentication

Preventing the Replay Attack

Preventing the Insider Attack

Preventing the Offline Dictionary Attack Without the Smart Card

Preventing the Offline Dictionary Attack With the Smart Card

12

Security Analysis

Mutual AuthenticationA:user , B:server

A can compute the session key and will believe

then use to authentication that A believes B believes

B can compute the session key and will believe

then use to authentication that B believes A believes

kSA B

kSA B

ce ,kS

A BkS

A B

kSA B

u

13

Security Analysis

Preventing the Replay Attackattacker tries to imitate the user to log in to the server by resending the messages

use nonces to prevent this kind of attack

smart card chooses nonces and computers ; the second nonce is selected by the server

r )G(re u

14

Security Analysis

Preventing the Insider Attackthe user’s password is obtained by the server in the registration phase

registration phase will generate a random number ;then

Preventing the Offline Dictionary Attack Without the Smart Card

attacker can get the tapped messages and attempts to guess the user’s password from the tapped messages

if the attacker intercepts the message

b

)||( bPWh i

)||||||)||(( )(, ucVbPWhhMoreEb iiUVi i

15

Security Analysis

Preventing the Offline Dictionary Attack With the Smart Card

called the smart-card-lost problem

only the server can use the secret key to decrypt and obtain

s ib)||( bPWh i

16

Cost and Functionality Consideration

Low Communication and Computation Cost

No Password Table

Choosing and Changing of Passwords by Users

No Time-Synchronization Problem

Identity Protection

Revoking the Lost Cards Without Changing the User’s Identity

Session Key Agreement

17

Cost and Functionality Consideration

Low Communication and Computation Costshorter key-size and faster computation

suitable for small-memory device

Time of crack (ns) RSA bit-length ECC bit-length RSA/ECC

512

768

1024

2048

2100

106

132

160

210

600

5 ： 1

6 ： 1

7 ： 1

10 ： 1

35 ： 1

111020107810

810

410

18

Cost and Functionality Consideration

C1: the password length

C2: memory for storing thecryptographic parametersin a smart card

C3: communication cost ofLogin for cryptographic parameters

19

Cost and Functionality Consideration

No Password Table

server only needs to keep a registration table to store each card’s identifier

card sent to server

Choosing and Changing of Passwords by Users

provide a password-changing phase for users

No Time-Synchronization Problem

in the log-in phase, they use two nonces to prevent the replay attack

||b)))||h(PW||CI||h(ID||CI|ID(h(PW||b)|Eb iiiiiSi

ru and

20

Cost and Functionality Consideration

Identity Protectionuser’s identity in their scheme is included in

Revoking the Lost Cards Without Changing the User’s Identity

if the user loses his smart card, server will set

and issue a new smart card to the user

Session Key Agreementthe user and the server both can agree on a session key

after the log-in phase.

iIDib

1 ii CICI

) , , ( ucVhS iK

21

Cost and Functionality Consideration

E1: computation cost of registration E2: computation cost of the precomputation phase for the client

E3: computation cost of login for the client

E4: computation cost of login for the server

22

Cost and Functionality Consideration

C1: low communication and computation cost C2: no password table

C3: users can choose the password by themselves

C4: no Time-Synchronization Problem C5: mutual authentication

C6: revoking a lost card without changing the user’s identity

C7: identity protection C8: session key agreementC9: preventing the offline dictionary attack with the secret information stored in the smart card

23

Conclusions

they have proposed an efficient and robust user authentication and key agreement scheme

provide identity protection, session key agreement and low communication and computation cost

very useful in limited computation and communication resource environments