user authentication schemes with pseudonymity for ubiquitous sensor network in ngn authors: binod...
TRANSCRIPT
User authentication User authentication schemes with pseudonymity schemes with pseudonymity for ubiquitous sensor for ubiquitous sensor network in NGNnetwork in NGN
Authors: Binod Vaidya, Joel J. Rodrigues and Jong Hyuk ParkSource: International Journal of Communication Systems, vol. 23, p.p. 1201-1222, 2010.Presenter: Yung-Chih Lu (呂勇志 )Date: 2010/03/18
1
OutlineOutlineIntroductionDynamic user authentication
schemesProposed SchemePerformance EvaluationSecurity AnalysisConclusionComment
2
Introduction Introduction (1/3)(1/3)
Goal◦Mutual authentication and User
privacy◦Saving resource
Computation cost Communication cost Storage Overhead
3
Introduction Introduction (2/3)(2/3)
Ubiquitous Sensor Network in NGN◦Support for a wide range of services◦Unrestricted access by users to
different service providers
4NGN : Next Generation Network GW: Registration Sensor GatewayUD : User’s Device LN: Sensor Login-Node
Introduction Introduction (3/3)(3/3)
Ubiquitous Sensor Network in NGN
5
NGN : Next Generation Network GW: Registration Sensor GatewayUD : User’s Device LN: Sensor Login-Node
Dynamic user authentication Dynamic user authentication schemes (1/3)schemes (1/3)Registration Phase
6
User Device
SensorGatewa
y
SensorLogin-Node
UID, h(PW) 1.Compute N=h(PW) ㊉ h(x ㊉
UID)2.Store UID, h(PW), N, TS
Secure Channel
Successful Reg.
UID, N, TS
(Lee-Chun Ko, IEEE ISWCS 2008)
UID: A user’s identity ⊕: Bitwise XOR operation TS: TimestampPW: A user’s password h(.): A one-way hash function
Store UID, N, TS
Dynamic user authentication Dynamic user authentication schemes (2/3)schemes (2/3)Login & Authentication Phase
7
User Device
SensorGatewa
y
SensorLogin-Node
UID, A, t1
UID, C, t1,t3
A=h(h(PW) ㊉ t1)1.Check(t2-t1)>△T2.Check UIDC=h(A ㊉ h(N ㊉t3))
1.Check UID and t12.Check (t4-t3)>△T3.Verify if C=C’ Store t in the databaseA’=h(h(PW) ㊉ t1), C’=h(A’ ㊉ h(N ㊉t3))4.MASN=h(A ㊉ N㊉ t5),MAU=h(A ㊉h(PW))
Permit Login, MASN ㊉ MAU, h(MAU), t5 1.Check(t6-t5)>△T
2. Compute MASN=h(A ㊉ N㊉t5),3.Verify h(MAU)4. Compute MA*
U=h (MAU||t7)UID: A user’s identity ⊕: Bitwise XOR operation t, TS: TimestampPW: A user’s password U: The user SN: The sensor login-node
Dynamic user authentication Dynamic user authentication schemes (3/3)schemes (3/3)Login & Authentication Phase
(Cont.)
8
User Device
SensorGatewa
y
SensorLogin-Node
Permit_Login, MA*
U, t7 1.Check(t8-t7)>△T2.Compute MAU=h(A ㊉h(PW))3.verify MA*
UPassword Change Phase UID, h(PW),
h(PW’) 1.Check(UID, h(PW))in the database2. N’=h(PW’) ㊉ h(x ㊉ UID)3.Update UID, h(PW’), N’, TS’)
Successful Change
UID, N’, TS’
UID: A user’s identity ⊕: Bitwise XOR operation t, TS: TimestampPW: A user’s password U: The user SN: The sensor login-node
Secure Channel
Proposed Scheme (1/3)Proposed Scheme (1/3)Registration Phase
9
User Device
SensorGatewa
y
SensorLogin-Node
UID, vpw1.Compute g=h(UID)2. Compute TID=g ㊉ N0
3.Compute X=h(TID||x)4.Store TID, vpw, X, TS
Secure Channel
Succ_Reg(X, N0)
TID, X, TS
vpw=h(PW)
1.Compute g = h(UID)2.Compute TID=g ㊉N0
3.Store TID, X
UID: A user’s identity ⊕: Bitwise XOR operation t, T, TS: TimestampPW: A user’s password N0, N1: Random nonces x: gateway’s Secret key∆T: Allowed time interval for transmission delay
Store TID, X, TS
Proposed Scheme Proposed Scheme (2/3)(2/3)Login & Authentication Phase
10
User Device
SensorGatewa
y
SensorLogin-Node
TID, A, t
TID, CK,T0, t
A=h(vpw||t)
1.Check TID2.Check (T0-t)≧ △T3.Ck=h(X ㊉ A ㊉T0)1.Check TID and t
2.Check (T1-T0)≧ △T ; (T0-t)≧ △T3.Verify if CK=CK’ Store t in the databaseA’=h(vpw||t), CK’=h(X ㊉ A’ ㊉ T0)4.VM=h(X||A’||T1)5. Store t
Acc_login, VM, T11.Check (T2-T1)≧ △T 2.Verify VM= VM’VM’=h(X||A||T1)3. Compute YK =H(VM'||T2)UID: A user’s identity ⊕: Bitwise XOR operation
PW: A user’s password N0, N1: Random nonces t, T, TS: Timestamp∆T: Allowed time interval for transmission delay
Proposed Scheme Proposed Scheme (3/3)(3/3)Login & Authentication Phase
(Cont.)
11
User Device
SensorGatewa
y
SensorLogin-Node
Acc_login, YK, T1, T2
Password Change Phase
TID, vpw, vpw1
1.Compute TID1=g⊕N1
2.Compute X1=H(TID1||x)3.Compute TID1’=TID1⊕X4.Update TID, vpw, X, TS
TID, TID1’, X1, TS1
Compute vpw1=H(PW1)
Succ_Change(X1, N1)1.Obtain TID1=g⊕N1
2.Update TID, X1.Obtain TID1=TID1’⊕X2.Update TID, X, TS
1.Check (T3-T2)≧ △T ; (T2-T1)≧ △T2.Verify YK=YK’ VM''= h(X||A||T1) YK'= h(VM''||T2)
TID:Temporary User ID ⊕: Bitwise XOR operation t, T, TS: TimestampPW: A user’s password N0, N1: Random nonces x: gateway’s Secret key∆T: Allowed time interval for transmission delay
Secure Channel
Performance Evaluation Performance Evaluation (1/4)(1/4)Overheads Cost
12
K: The number of sensor nodes TXOR: The time for performing an XOR operationTH: The time for performing a one-way hash functionCMH: The delay time for the communication taken place between the LN andthe GW in multi-hops
Performance Evaluation Performance Evaluation (2/4)(2/4)Functional Requirements
13
Performance Evaluation Performance Evaluation (3/4)(3/4)Computational overheads for
authentication
14
Performance Evaluation Performance Evaluation (4/4)(4/4)Authentication latency time
15
Security Analysis (1/3)Security Analysis (1/3)Replay attack
◦Login message Solution: timestamp
◦Accept login message Solution: timestamp
Forgery attack with node capture attack◦Get TID, X, TS, CK, T0, t
Solution: A cannot be capture◦Get TID, X, TS, TID, A, t
Solution: t is already in the databaseA: the stored bits by the adversary.B: the common stored bits by two neighboring sensor nodesα : the number of broadcasted random bits 16
Security Analysis (2/3)Security Analysis (2/3)Man-in-the-middle attack
◦Get TID, A, t, CK, T0, t Solution: X cannot be capture
Stolen verifier attack with node capture attack◦Get vpw, TID, X, TS
Solution: user pseudomynitySecret key forward secrecy
◦Get secret key x, TID, A, t Solution: without knowing X=(TID||x)
17
Security Analysis (3/3)Security Analysis (3/3)Provide user pseudonymity
◦Reason: TID=h(UID) ㊉ N0
Provide Mutual authentication◦Reason: common secret value
18
ConclusionConclusionThe proposed protocols are robust
against many security attacks and have better security properties in terms of user privacy and mutual authentication.
They have analyzed the proposed schemes using simulations and the results show that both are quite efficient.
19
CommentCommentKey RecoveryIn login phase, (T0-t)≧ △T is an
unnecessary check.Maybe ⊕ is simpler than || .
20