Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
(Chinese title, translated: A Robust and Efficient Password-Authenticated Key Agreement Scheme for Smart Cards)
IEEE Transactions on Industrial Electronics, Vol. 55, No. 6, June 2008
Authors: Wen-Shenq Juang, Sian-Teng Chen, and Horng-Twu Liaw
Adviser: Prof. 鄭錦楸; Reporter: 林彥宏
Outline
Introduction
Proposed Scheme
  the parameter generation phase
  the registration phase
  the precomputation phase
  the log-in phase
  the password-changing phase
Security Analysis
Cost and Functionality Consideration
Conclusions
Introduction
Previous robust remote authentication schemes with smart cards
Advantages:
low computation for smart cards
no password table
passwords chosen by the users themselves
withstanding the replay attack
server authentication
withstanding the dictionary attack
revoking lost cards without changing the users' identities
Introduction
Drawbacks:
no anonymity (the user's identity is not protected)
higher computation and communication cost
no session key agreement
cannot prevent the insider attack
Proposed Scheme
Based on elliptic curve cryptosystems
Consists of five phases:
the parameter generation phase
the registration phase
the precomputation phase
the log-in phase
the password-changing phase
Proposed Scheme
The parameter generation phase:
the server selects a large prime $p$ and $a, b \in Z_p$ satisfying $4a^3 + 27b^2 \neq 0 \pmod p$, which defines the curve $E_p(a, b)$
the server finds a point $G$ on $E_p(a, b)$ of order $n$, i.e. $nG = O$
the server selects a random number $x$ as its private key
the server computes the public key $P_S = xG$
the server publishes the parameters $(E_p(a, b), G, n, P_S)$
Proposed Scheme
The registration phase:
User i: chooses $ID_i$ and $PW_i$, selects a random number $b$ and computes $h(PW_i \| b)$
User i -> Server: $ID_i, h(PW_i \| b)$
Server: assigns the card identifier $CI_i$ and computes
  $V_i = h(ID_i, CI_i, s)$
  $b_i = E_s(h(PW_i \| b) \| ID_i \| CI_i \| h(ID_i \| CI_i \| h(PW_i \| b)))$
where $s$ is the server's secret key, $E_s$ is symmetric encryption under $s$, and the inner hash $h(ID_i \| CI_i \| h(PW_i \| b))$ acts as an authentication tag
Server -> User i: smart card $\{b_i, V_i, ID_i, CI_i\}$
User i stores $b$ in the card, so the card holds $\{b_i, V_i, ID_i, CI_i, b\}$
Proposed Scheme
The precomputation phase (performed by the smart card before log-in):
the card holds $\{b_i, V_i, ID_i, CI_i, b\}$; the server's registration table holds $ID_i, CI_i$
the card selects a random number $r$ and computes $c = rP_S = rxG$ and $e = rG$
Proposed Scheme
The log-in phase:
User i: inserts the smart card and inputs $PW_i$; the card computes $v_i = E_{V_i}(e)$
User i -> Server: $b_i, v_i$
Server: decrypts $b_i$ with $s$ to obtain $h(PW_i \| b), ID_i, CI_i$ and the authentication tag; checks $CI_i$ against the registration table; computes $V_i = h(ID_i, CI_i, s)$ and decrypts $v_i$ to obtain $e$; computes $c = xe$ ($= rxG$); selects a nonce $u$ and computes $M_S = h(V_i \| c \| u)$
Server -> User i: $u, M_S$
User i: verifies $M_S$ with its own $c$ and $V_i$ (server authentication), then computes $M_U = h(h(PW_i \| b) \| V_i \| u \| c)$
User i -> Server: $M_U$
Server: verifies $M_U$ using the $h(PW_i \| b)$ recovered from $b_i$ (user authentication)
Both sides compute the session key $SK = h(V_i, u, c)$
Proposed Scheme
The password-changing phase (after a successful log-in, protected by the session key $SK$):
User i: chooses a new password $PW_i^*$ and a new random number $b^*$
User i -> Server: $E_{SK}(ID_i, h(PW_i^* \| b^*))$
Server: computes $b_i^* = E_s(h(PW_i^* \| b^*) \| ID_i \| CI_i \| h(ID_i \| CI_i \| h(PW_i^* \| b^*)))$
Server -> User i: $E_{SK}(b_i^*)$
User i: replaces $b_i$ and $b$ in the card with $b_i^*$ and $b^*$
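The five phases above, run end to end, as an added example; this is not code from the paper or the slides. It assumes a tiny demo curve $y^2 = x^3 + 497x + 1768$ over $F_{9739}$ with $G = (1804, 5368)$ (not a secure parameter choice; the scheme calls for a large prime), SHA-256 as $h(\cdot)$, a nonce plus SHA-256 keystream XOR as a stand-in for the symmetric cipher $E_k$, and JSON encoding in place of the $\|$ concatenation. The server's registration table is modelled as a dict keyed by $ID_i$, and registering the same $ID_i$ again increments $CI_i$, which is the lost-card revocation step described later in the slides.

```python
# Added example (not the paper's code): toy end-to-end run of the five phases.
# Assumed: small demo curve (NOT secure), SHA-256 as h(.), a nonce + SHA-256-keystream
# XOR as a stand-in for the symmetric cipher E_k, JSON encoding in place of "||".
import hashlib, json, secrets

P_MOD, A, B, G, O = 9739, 497, 1768, (1804, 5368), None    # O = point at infinity

def ec_add(p1, p2):                                        # affine point addition
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return O       # P + (-P) = O
    lam = ((3*x1*x1 + A) * pow(2*y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):                                         # double-and-add k*pt
    acc = O
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):                                             # h(.) = SHA-256 over JSON-encoded parts
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()

def xor_stream(key, nonce, data):                          # toy keystream cipher, no integrity
    ks = b"".join(hashlib.sha256(f"{key}|{nonce}|{i}".encode()).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, obj):                                         # E_key(obj) -> hex string (nonce || ct)
    nonce = secrets.token_hex(8)
    return nonce + xor_stream(key, nonce, json.dumps(obj).encode()).hex()
def dec(key, ct):                                          # D_key(ct) -> decoded object
    return json.loads(xor_stream(key, ct[:16], bytes.fromhex(ct[16:])))

def gen_params():
    """Parameter generation phase: server state (public n, P_S; private x, s, registration table)."""
    assert (4*A**3 + 27*B**2) % P_MOD != 0                  # non-singular curve check
    n, pt = 1, G
    while pt is not O: pt, n = ec_add(pt, G), n + 1        # order n of G: nG = O (toy brute force)
    x = secrets.randbelow(n - 1) + 1                       # private key x, public key P_S = xG
    return {"n": n, "P_S": ec_mul(x, G), "x": x, "s": secrets.token_hex(16), "table": {}}

def register(S, ID, PW):
    """Registration phase: user sends (ID_i, h(PW_i||b)); server assigns CI_i, computes V_i and b_i.
    Registering an ID_i again bumps CI_i, which is how a lost card is revoked."""
    b = secrets.token_hex(8); hpw = h(PW, b)               # user side: random b, h(PW_i||b)
    CI = S["table"][ID] = S["table"].get(ID, 0) + 1        # registration table holds each card's CI_i
    V = h(ID, CI, S["s"])                                  # V_i = h(ID_i, CI_i, s)
    b_i = enc(S["s"], [hpw, ID, CI, h(ID, CI, hpw)])       # b_i = E_s(h(PW||b) || ID || CI || tag)
    return {"b_i": b_i, "V": V, "ID": ID, "CI": CI, "b": b}  # card contents, b added by the user

def precompute(S):
    """Precomputation phase (card, offline): e = rG and c = rP_S = rxG from the public parameters."""
    r = secrets.randbelow(S["n"] - 1) + 1
    return {"e": ec_mul(r, G), "c": ec_mul(r, S["P_S"])}

def login_request(card, pre):                              # card -> server: (b_i, v_i = E_{V_i}(e))
    return card["b_i"], enc(card["V"], pre["e"])

def login_challenge(S, b_i, v_i):                          # server -> card: (u, M_S = h(V_i||c||u))
    hpw, ID, CI, tag = dec(S["s"], b_i)
    if S["table"].get(ID) != CI or tag != h(ID, CI, hpw):
        return None                                        # revoked card or corrupted b_i
    V = h(ID, CI, S["s"]); e = tuple(dec(V, v_i)); c = ec_mul(S["x"], e)   # c = xe = rxG
    u = secrets.token_hex(8)                               # server nonce
    return {"ID": ID, "V": V, "hpw": hpw, "c": c, "u": u, "M_S": h(V, c, u)}

def login_respond(card, pre, PW, u, M_S):                  # card -> server: M_U; card derives SK
    if M_S != h(card["V"], pre["c"], u): return None       # server authentication failed
    return h(h(PW, card["b"]), card["V"], u, pre["c"]), h(card["V"], u, pre["c"])

def login_verify(st, M_U):                                 # server checks M_U, derives SK = h(V_i, u, c)
    return h(st["V"], st["u"], st["c"]) if M_U == h(st["hpw"], st["V"], st["u"], st["c"]) else None

def change_password(S, card, st, SK, new_PW):
    """Password-changing phase under SK: E_SK(ID_i, h(PW*||b*)) -> E_SK(b_i*); card stores b_i*, b*."""
    b_new = secrets.token_hex(8)
    req = enc(SK, [card["ID"], h(new_PW, b_new)])
    ID, hpw_new = dec(SK, req)                             # server side
    if ID != st["ID"]: return False
    CI = S["table"][ID]
    resp = enc(SK, enc(S["s"], [hpw_new, ID, CI, h(ID, CI, hpw_new)]))
    card["b_i"], card["b"] = dec(SK, resp), b_new          # card side
    return True

def run_login(S, card, PW):
    """Full log-in; returns (SK_card, SK_server, server_state); a None entry marks a failure."""
    pre = precompute(S)
    st = login_challenge(S, *login_request(card, pre))
    if st is None: return None, None, None
    out = login_respond(card, pre, PW, st["u"], st["M_S"])
    if out is None: return None, None, st
    M_U, SK_card = out
    return SK_card, login_verify(st, M_U), st
```

Two checks worth running on this toy: resubmitting a captured $(b_i, v_i)$ makes the server pick a fresh $u$, so the old $M_U$ no longer verifies (the replay argument in the security analysis), and calling register again for the same $ID_i$ leaves the old card's $b_i$ carrying a stale $CI_i$ that the registration-table check rejects (the revocation step).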
Security Analysis
Mutual Authentication
Preventing the Replay Attack
Preventing the Insider Attack
Preventing the Offline Dictionary Attack Without the Smart Card
Preventing the Offline Dictionary Attack With the Smart Card
Security Analysis
Mutual Authentication (A: user, B: server)
A can compute the session key $SK$ and will believe $A \overset{SK}{\longleftrightarrow} B$; A then uses $c$ and $e$ (as bound into $M_S$) to verify that B believes $A \overset{SK}{\longleftrightarrow} B$
B can compute the session key $SK$ and will believe $A \overset{SK}{\longleftrightarrow} B$; B then uses $u$ (as bound into $M_U$) to verify that A believes $A \overset{SK}{\longleftrightarrow} B$
Security Analysis
Preventing the Replay Attack
an attacker tries to impersonate the user and log in to the server by resending captured messages
nonces prevent this kind of attack
the smart card chooses the nonce $r$ and computes $e = rG$; the second nonce $u$ is selected by the server
Security Analysis
Preventing the Insider Attack
if the user sent $PW_i$ directly, the server (an insider) would obtain the password in the registration phase
instead the registration phase generates a random number $b$, and the server only receives $h(PW_i \| b)$
Preventing the Offline Dictionary Attack Without the Smart Card
the attacker collects the tapped messages and attempts to guess the user's password from them
if the attacker intercepts $b_i$ or $E_{V_i}(e)$, and $M_U = h(h(PW_i \| b) \| V_i \| u \| c)$, a password guess cannot be checked: $b_i$ is encrypted under the server's secret $s$, and verifying $M_U$ requires $b$, $V_i$ and $c$
Security Analysis
Preventing the Offline Dictionary Attack With the Smart Card
also called the smart-card-lost problem
only the server can use its secret key $s$ to decrypt $b_i$ and obtain $h(PW_i \| b)$
Cost and Functionality Consideration
Low Communication and Computation Cost
No Password Table
Choosing and Changing of Passwords by Users
No Time-Synchronization Problem
Identity Protection
Revoking the Lost Cards Without Changing the User's Identity
Session Key Agreement
Cost and Functionality Consideration
Low Communication and Computation Cost
shorter key size and faster computation (ECC versus RSA)
suitable for small-memory devices

Time to crack (ns)   RSA bit-length   ECC bit-length   RSA/ECC
10^4                 512              106              5 : 1
10^8                 768              132              6 : 1
10^11                1024             160              7 : 1
10^20                2048             210              10 : 1
10^78                21000            600              35 : 1
Cost and Functionality Consideration
Legend for the cost-comparison table:
C1: the password length
C2: memory for storing the cryptographic parameters in a smart card
C3: communication cost of log-in for the cryptographic parameters
Cost and Functionality Consideration
No Password Table
the server only needs to keep a registration table storing each card's identifier $CI_i$; the user's secret is carried in the card as $b_i = E_s(h(PW_i \| b) \| ID_i \| CI_i \| h(ID_i \| CI_i \| h(PW_i \| b)))$ and sent to the server at log-in
Choosing and Changing of Passwords by Users
a password-changing phase is provided for users
No Time-Synchronization Problem
in the log-in phase two nonces, $r$ and $u$, prevent the replay attack, so no timestamps are needed
Cost and Functionality Consideration
Identity Protection
the user's identity $ID_i$ is only transmitted inside $b_i$, encrypted under $s$
Revoking the Lost Cards Without Changing the User's Identity
if the user loses the smart card, the server sets $CI_i \leftarrow CI_i + 1$ and issues a new smart card to the user
Session Key Agreement
the user and the server agree on the session key $SK = h(V_i, u, c)$ after the log-in phase
Cost and Functionality Consideration
Legend for the computation-cost table:
E1: computation cost of registration
E2: computation cost of the precomputation phase for the client
E3: computation cost of log-in for the client
E4: computation cost of log-in for the server
Cost and Functionality Consideration
Legend for the functionality-comparison table:
C1: low communication and computation cost
C2: no password table
C3: users can choose the password by themselves
C4: no time-synchronization problem
C5: mutual authentication
C6: revoking a lost card without changing the user's identity
C7: identity protection
C8: session key agreement
C9: preventing the offline dictionary attack with the secret information stored in the smart card
Conclusions
The authors have proposed an efficient and robust user authentication and key agreement scheme
It provides identity protection, session key agreement, and low communication and computation cost
It is well suited to environments with limited computation and communication resources