An efficient and security dynamic identity based authentication protocol for multi-server architectu...
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

作者 : Xiong Li , Yongping Xiong , Jian Ma, Wendong Wang PowerPoint PPT Presentation


  • 94 Views
  • Uploaded on
  • Presentation posted in: General

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards . 作者 : Xiong Li , Yongping Xiong , Jian Ma, Wendong Wang 出處 : Journal of Network and Computer Applications 35 (2012) 763–769

Download Presentation

作者 : Xiong Li , Yongping Xiong , Jian Ma, Wendong Wang

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Xiong li yongping xiong jian ma wendong wang

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

作者:XiongLi , YongpingXiong , Jian Ma, Wendong Wang

出處:Journal of Network and Computer Applications 35 (2012) 763–769

報告人:陳鈺惠

日期:2014/1/23


Outline

Introduction

1

Overview of Sood et al.’s scheme

2

Weaknesses of Sood et al.’s scheme

5

3

3

3

Proposed scheme

Conclusions

6

4

4

4

Outline

Protocol analysis


1 introduction 1 1

1.Introduction(1/1)

  • With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet such as online shopping, online game.

  • This paper propose an efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.


2 overview of sood et al s scheme

2.Overview of Sood et al.’s scheme


2 overview of sood et al s scheme 1 4 registration phase

2.Overview of Sood et al.’s scheme(1/4)Registration phase

UiSk CS

Ai=h(IDi||b)

Bi=h(b⊕Pi)

Ai、Bi

Fi= Ai⊕yi

Gi=Bi⊕h(yi)⊕h(x)

Ci=Ai⊕h(yi)⊕x

(Fi、Gi、h(·)) Stores (Ci、yi⊕x)

Smart card

Di=b⊕h(IDi||Pi)

Ei=h(IDi||Pi)⊕Pi

Smart card(Di、Ei、Fi、Gi、h(·))

(SIDk、SKk)

Stores(SIDk、SKk⊕h(x||SIDk))


2 overview of sood et al s scheme 2 4 login phase

2.Overview of Sood et al.’s scheme(2/4)Login phase

UiSkCS

IDi* Pi*Smart cardEi*=h(IDi*||Pi*)⊕Pi*,Ei*=Ei?b=Di⊕h(IDi||Pi),Ai=h(IDi||b)

Bi=h(b⊕Pi),yi=Fi⊕Ai

h(x)=Gi⊕Bi⊕h(yi),Zi=h2(x)⊕Ni1

CIDi=Ai⊕h(yi)⊕h(x)⊕Ni1

Mi=h(h(x)||yi||SIDk||Ni1)

(SIDk、Zi、CIDi、Mi)


2 overview of sood et al s scheme 3 4 authentication and session key agreement phase

2.Overview of Sood et al.’s scheme(3/4)Authentication and session key agreement phase

UiSk CS

Ri=Ni2⊕SKk

(SIDk、Zi、CIDi、Mi、Ri)

Ni1=Zi⊕h2(x),Ni2=Ri⊕SKk

Ci*=CIDi⊕Ni1⊕h(x)⊕x

Ci*=Ci?,extracts yi

Mi*=h(h(x)||yi||SIDk||Ni1)

Mi*=Mi?

Ki=Ni1⊕Ni3⊕h(SKk||Ni2)

Xi=h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)

Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)

(Ki、Xi、Vi、Ti)


2 overview of sood et al s scheme 4 4 authentication and session key agreement phase

2.Overview of Sood et al.’s scheme(4/4)Authentication and session key agreement phase

UiSk CS

Ni1⊕Ni3=Ki⊕h(SKk||Ni2)

h(IDi||yi||Ni1)=Xi⊕h(Ni1⊕Ni2⊕Ni3)

Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Vi*=Vi?

(Vi、Ti)

Ni2⊕Ni3Ti⊕h(yi||IDi||h(x)||Ni1)

Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Vi*=Vi?

SK=h(h(IDi||yi||Ni1)||(Ni1⊕Ni2⊕Ni3))


3 weaknesses of sood et al s scheme 1 2 leak of verifier attack

3.weaknesses of Sood et al.’s scheme(1/2)Leak-of-verifier attack

UiSk CS

Registration phase Ai=h(IDi||b)

Bi=h(b⊕Pi) Ai、Bi

Fi= Ai⊕yi

Gi=Bi⊕h(yi)⊕h(x)

Ci=Ai⊕h(yi)⊕x2. x、h(x)、yi⊕x

(Fi、Gi、h(·)) Stores (Ci、yi⊕x)

Smart card

Di=b⊕h(IDi||Pi)

1.yi、 h(x)Ei=h(IDi||Pi)⊕Pi

stores(Di、Ei、Fi、Gi、h(·)) (SIDk、SKk)

Stores(SIDk、SKk⊕h(x||SIDk))

Login phaseIDi* Pi* Smart cardEi*=h(IDi*||Pi*)⊕Pi*,Ei*=Ei?b=Di⊕h(IDi||Pi),Ai =h(IDi||b)

Bi=h(b⊕Pi),yi=Fi⊕Ai

h(x)=Gi⊕Bi⊕h(yi),Zi=h2(x)⊕Ni14.get Ni1 ComputeZi 、 CIDi、 Mi

3.yi、Ai and h(x)CIDi=Ai⊕h(yi)⊕h(x)⊕Ni1

UkloginMi=h(h(x)||yi||SIDk||Ni1)

(SIDk、Zi、CIDi、Mi)


3 weaknesses of sood et al s scheme 2 2 leak of verifier attack

3.weaknesses of Sood et al.’s scheme(2/2)Leak-of-verifier attack

UiSk CS

Authentication and

session key agreement phaseRi=Ni2⊕SKk

5.submits(SIDk、Z′i、CID′i、M′i) to Sj(SIDk、Zi、CIDi、Mi、Ri)

get Ni′2 Ni1 =Zi⊕h2(x),Ni2 =Ri⊕SKk

Ci*=CIDi⊕Ni1⊕h(x)⊕x,Ci*=Ci?,extracts yi

6. C*i=CID′i⊕Ni′1⊕h(x) ⊕x Mi*=h(h(x)||yi||SIDk||Ni1),check whether Mi*=Mi?

=Ai⊕h(yi) ⊕x=CiKi=Ni1⊕Ni3⊕h(SKk||Ni2) 7.Uk get x 、 yi

(Ci=Ai⊕h(yi)⊕x) Xi=h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)

Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)

(Ki、Xi、Vi、Ti)


3 weaknesses of sood et al s scheme stolen smart card attack

3.weaknesses of Sood et al.’s schemeStolen smart card attack

UiSk CS

Login phaseIDi* Pi* Smart cardEi*=h(IDi*||Pi*)⊕Pi*,Ei*=Ei?b =Di⊕h(IDi||Pi),Ai =h(IDi||b)

Bi =h(b⊕Pi),yi=Fi⊕Ai

h(x)=Gi⊕Bi⊕h(yi),Zi=h2(x)⊕Ni1

CIDi=Ai⊕h(yi)⊕h(x)⊕Ni1

1.eavesdropped and Mi=h(h(x)||yi||SIDk||Ni1) 4.Uk can forge a valid login request message

previously valid login(SIDk、Zi、CIDi、Mi)

Uk get (Di、Ei、Fi、Gi、h(·)、h(x))

Ri=Ni2⊕SKk

(SIDk、Zi、CIDi、Mi、Ri)

Ni1 =Zi⊕h2(x),Ni2 =Ri⊕SKk

2.CID′i⊕Ni′1⊕h(x) = Ai⊕h(yi)Ci*=CIDi⊕Ni1⊕h(x)⊕x,Ci*=Ci?

3.Di=bi⊕h(IDi||Pi)

+Ei=h(IDi||Pi)⊕Pi

bi⊕Pi=Di⊕Ei

h(bi⊕Pi)=Bi

h(yi)=Gi⊕Bi⊕h(x)

Compute Ai=h(yi)⊕(Ai⊕h(yi))

Get yi=Fi⊕Ai


3 weaknesses of sood et al s scheme incorrect authentication and session key agreement phase

3.weaknesses of Sood et al.’s schemeIncorrect authentication and session key agreement phase

In registration phase,Ui submits Ai、Bi rather than true identity IDi to CS。

But in step4

Xi=h(IDi||yi||Ni1)⊕h(Ni⊕Ni2⊕Ni3)

Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)


3 proposed scheme 1 5

3.Proposed scheme(1/5)


3 proposed scheme registration phase

3.Proposed schemeRegistration phase

UiSjCS

Chooses IDi、Pi、b

Ai=h(b||Pi)

(IDi、Ai)

Bi=h(IDi||x),Ci=h(IDi||h(y)||Ai)

Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h(y||x)

(Ci、Di、Ei、h(·)、h(y))

Smart card

Ui enter b to smart cardsmart card stores (Ci、Di、Ei、h(·)、h(y)、b)


3 proposed scheme login phase

3.Proposed schemeLogin phase

UiSjCS

Inputs IDi、Pismart card computes

Ai=h(b||Pi),Ci′=(IDi||h(y)||Ai)

Ci′=Ci?

Smart card generates Ni1

Bi=Di⊕h(IDi||Ai),Fi=h(y)⊕Ni1

Pij=Ei⊕h(h(y)||Ni1||SIDj)

CIDi=Ai⊕h(Bi||Fi||Ni1)

Gi=h(Bi||Ai||Ni1)

(Fi、Gi、Pij、CIDi)


3 proposed scheme 4 5 authentication and session key agreement phase

3.Proposed scheme(4/5)Authentication and session key agreement phase

UiSjCS

Sjchooses Ni2

Ki=h(SIDj||y)⊕Ni2

Mi=h(h(x||y)||Ni2))

(Fi、Gi、Pij、CIDi、SIDj、Ki、Mi)

Ni2=Ki⊕h(SIDj||y)

Mi′=h(h(x||y)||Ni2),Mi′=Mi?

Ni1=Fi⊕h(y)

Bi=Pij⊕h(h(y)||Ni1||SIDj)⊕h(y||x)

Ai=CIDi⊕h(Bi||Fi||Ni1)

Gi′=h(Bi||Ai||Ni1),Gi′=Gi?

CSgenerates Ni3

Qi=Ni1⊕Ni3⊕h(SIDj||Ni2)

Ri=h(Ai||Bi)⊕h(Ni1⊕Ni2⊕Ni3)

Vi=h(h(Ai||Bi)||h(Ni1⊕Ni2⊕Ni3))

Ti=Ni2⊕Ni3⊕h(Ai||Bi||Ni1)


3 proposed scheme 5 5 authentication and session key agreement phase

3.Proposed scheme(5/5)Authentication and session key agreement phase

UiSjCS

(Qi、Ri 、Vi 、Ti)

Ni1⊕Ni3=Qi⊕h(SIDj||Ni2)

h(Ai||Bi)=Ri⊕h(Ni1⊕Ni3⊕Ni2)

Vi′=h(h(Ai||Bi)||h(Ni1⊕Ni3⊕Ni2)

Vi′=Vi?

(Vi、Ti)

Ni2⊕Ni3=Ti⊕h(Ai||Bi||Ni1)

Vi′=h(h(Ai||Bi)||h(Ni2⊕Ni3⊕Ni1))

Vi′=Vi?

SK=h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))


4 protocol analysis replay attack

4.Protocol analysisReplay attack

The user Ui, the server Sj and the control server CS choose different nonce values Ni1,Ni2,Ni3, respectively, for compute and verify the authentication message.


4 protocol analysis impersonation attack

4.Protocol analysis Impersonation attack

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

2.Cannot compute Ai、Bi、Ei to get (IDi、Pi、x )

cannot Impersonation Ui Bi=h(IDi||x),Ci=h(IDi||h(y)||Ai)

Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h(y||x)

(Ci、Di、Ei、h(·)、h(y))

1. Smart card

Ui enter b to smart card smart card stores (Ci、Di、Ei、h(·)、h(y)、b)

Inputs IDi、Pi smart card computes

Ai=h(b||Pi),Ci′=(IDi||h(y)||Ai)

Ci′=Ci?

Smart card generates Ni1

Bi=Di⊕h(IDi||Ai),Fi=h(y)⊕Ni1

Pij=Ei⊕h(h(y)||Ni1||SIDj) 3.cannot Impersonation a valid login request

CIDi=Ai⊕h(Bi||Fi||Ni1)

Gi=h(Bi||Ai||Ni1)

(Fi、Gi、Pij、CIDi)


4 protocol analysis stolen smart card attack

4.Protocol analysisStolen smart card attack

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

Bi=h(IDi|| x ),Ci=h(IDi||h(y)||Ai)

1.UKget (Ci、Di、Ei、h(·)、h(y) 、b) Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h( y ||x)

(Ci、Di、Ei、h(·)、h(y)) 2.cannot compute Ai、Bi

3.Cannot get IDi、Pi to impersonation attack using the lost or stolen smart card


4 protocol analysis leak of verifier attack

4.Protocol analysisLeak-of-verifier attack

No any verifier information stored in the control server CS , the malicious privileged user cannot get any useful information from the CS.


4 protocol analysis user s anonymity

4.Protocol analysisUser's anonymity

Chooses IDi、Pi、b

Ai=h(b||Pi)

Bi=h(IDi||x)


4 protocol analysis mutual authentication and session key agreement

4.Protocol analysismutual authentication and session key agreement

In registration phase,Ui submits Ai、Bi rather than true identity IDi to CS。

But in step4

Xi=h(IDi||yi||Ni1)⊕h(Ni⊕Ni2⊕Ni3)

Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]

Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)

Ui、the serverSj and the control server CS can agree on a shared session key SK=h(h(Ai∥Bi)∥(Ni1⊕Ni2⊕Ni3))


4 protocol analysis 7 7

4.Protocol analysis(7/7)


5 conclusion

5.Conclusion

1.Sood的協議裡Sk與CS有一把SKK但在本文裡沒有,本文表示沒有任何資料存在CS,但這樣CS與SK怎麼做驗證。

2.沒有做驗證就不能防禦假冒攻擊。


Xiong li yongping xiong jian ma wendong wang

Thank You !

26


Weaknesses of proposed scheme impersonation attack 1 2

Weaknesses of Proposed schemeImpersonation attack(1/2)

UiSj CS

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

2.Cannot compute Ai、Bi、Ei to get (IDi、Pi、x )

cannot Impersonation Ui Bi=h(IDi||x),Ci=h(IDi||h(y)||Ai)

Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h(y||x)

(Ci、Di、Ei、h(·)、h(y))

1. Smart card

Ui enter b to smart card smart card stores (Ci、Di、Ei、h(·)、h(y)、b)

Inputs IDi、Pi smart card computes

Ai=h(b||Pi),Ci′=(IDi||h(y)||Ai)

Ci′=Ci?

Smart card generates Ni1

Bi=Di⊕h(IDi||Ai),Fi=h(y)⊕Ni1

Pij=Ei⊕h(h(y)||Ni1||SIDj) 3.cannot Impersonation a valid login request

CIDi=Ai⊕h(Bi||Fi||Ni1)

Gi=h(Bi||Ai||Ni1)

(Fi、Gi、Pij、CIDi)

27


Weaknesses of proposed scheme impersonation attack 2 2

Weaknesses of Proposed schemeImpersonation attack(2/2)

Ui Sj CS

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

Bi=h(IDi||x),Ci=h(IDi||h(y)||Ai)

Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h(y||x)

(Ci、Di、Ei、h(·)、h(y))

1.Ukis legitimate user and use Uk smart card

2.If we can compute Ai、Bi、Eito get IDi、Pi、xand impersonation Ui

3.Legitimate user get (Ci、Di、Ei、h(·)、h(y)) and receive(Fi、Gi、Pij、CIDi)

Inputs IDi、Pi4.(1)Ei=Bi⊕h(y||x),(Ei、h(y||x) is known),getBi

smart card computes (2)Uk use smart card get Ni1

Ai=h(b||Pi),Ci′=(IDi||h(y)||Ai) (3)CIDi=Ai⊕h(Bi||Fi||Ni1),(CIDi、Bi、Fi、Ni1 is known ),getAi

Ci′=Ci? (4)Pij=Ei⊕h(h(y)||Ni1||SIDj),(Ei、h(y)、Ni1、SIDjis known), impersonation Pi

Smart card generates Ni1 (5)Fi=h(y)⊕Ni1,(h(y)、Ni1is known) ,impersonation Fi

Bi=Di⊕h(IDi||Ai),Fi=h(y)⊕Ni1 (6)Gi=h(Bi||Ai||Ni1),(Bi、Ai、Ni1 is known),impersonation Gi

Pij=Ei⊕h(h(y)||Ni1||SIDj) (7)CIDi=Ai⊕h(Bi||Fi||Ni1),(CIDi 、Ai、Bi、Fi、Ni1 is known),impersonationCIDi

CIDi=Ai⊕h(Bi||Fi||Ni1) 5.Ukcan impersonation (Fi、Gi、Pij、CIDi) to attack

Gi=h(Bi||Ai||Ni1)

(Fi、Gi、Pij、CIDi)

28

28


Weaknesses of proposed scheme stolen smart card attack 1 2

Weaknesses of Proposed schemeStolen smart card attack(1/2)

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

Bi=h(IDi|| x ),Ci=h(IDi||h(y)||Ai)

1.UKget (Ci、Di、Ei、h(·)、h(y) 、b) Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h( y ||x)

(Ci、Di、Ei、h(·)、h(y)) 2.cannot compute Ai、Bi

3.Cannot get IDi、Pi to impersonation attack using the lost or stolen smart card

29


Weaknesses of proposed scheme stolen smart card attack 2 2

Weaknesses of Proposed schemeStolen smart card attack(2/2)

UiSj CS

Chooses IDi、Pi、b

Ai=h(b||Pi) (IDi、Ai)

Bi=h(IDi||x),Ci=h(IDi||h(y)||Ai)

Di=Bi⊕h(IDi||Ai),Ei=Bi⊕h (y||x)

(Ci、Di、Ei、h(·)、h(y))

1.Ukis legitimate user and use stolen smart card

2.If we can compute Ai、Bi、Eito get IDi、Pi、x and Impersonation Ui

3.Legitimate user get (Ci、Di、Ei、h(·)、h(y)) and receive(Fi、Gi、Pij、CIDi)

4.(1)Ei=Bi⊕h(y||x),(Ei、h(y||x) is known),getBi

(2)Fi=h(y)⊕Ni1,(h(y)、Ni1、Fi is known)

(3)CIDi=Ai⊕h(Bi||Fi||Ni1),(CIDi、Bi、Fi、Ni1 is known ),getAi

5.Uk can compute Ai、Bi、Eito get IDi、Pi and impersonation attack using the lost or stolen smart card

30


  • Login