Efficient remote mutual authentication and key agreement
Authors: Wen-Gong Shieh and Jian-Min Wang. Source: Computers & Security, 25(1), pp. 72-77, 2006.
Papers reported

  1. Efficient remote mutual authentication and key agreement
     Authors: Wen-Gong Shieh and Jian-Min Wang
     Source: Computers & Security, 25(1), pp. 72-77, 2006.

  2. Improvement of Chien et al.'s remote user authentication scheme using smart cards
     Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo
     Source: Computers Standards & Interfaces, 27(1), pp. 181-183, 2005.

  3. An efficient nonce-based authentication scheme with key agreement
     Authors: Yen-Cheng Chen and Lo-Yao Yeh
     Source: Applied Mathematics and Computation, 169(1), pp. 982-994, 2005.

  4. Efficient nonce-based remote user authentication scheme using smart cards
     Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo
     Source: Applied Mathematics and Computation, 167(1), pp. 355-361, 2005.

  5. An improvement of Hwang-Lee-Tang's simple remote user authentication scheme
     Authors: Eun-Jun Yoon, Eun-Kyung Ryu and Kee-Young Yoo
     Source: Computers & Security, 24(1), pp. 50-56, 2005.

Reporter: Chun-Ta Li (李俊達)


Outline

  • Introduction

  • Chien et al’s scheme and Hsu’s attack

  • Juang’s scheme and Shieh et al.’s attack

  • Shieh et al.’s scheme

  • Lee et al.’s scheme (CSI)

  • Chen et al.’s scheme

  • Lee et al.’s scheme (AMC)

  • Yoon et al.’s scheme

  • Comments


Introduction

  • Motivation

    • Password-based authentication

      • Vulnerable to dictionary attacks on the password

      • Solution: public key encryption

    • Light computational overhead

      • Only hash functions or symmetric encryption are used in the authentication protocol

    • Smart card-based authentication schemes

      • A well-chosen password is combined with a value stored in the smart card (Ri below)

    • Nonce-based or timestamp-based approaches to message freshness


Introduction (cont.)

  • History

    • In 1981, Lamport proposed the first password-based remote user authentication scheme over an insecure channel (the server stores a verification table)

    • In 1993, Chang and Wu introduced a remote password authentication scheme with smart cards (users cannot freely change their passwords)

    • In 2000, Hwang and Li proposed a password-based remote user authentication scheme using smart cards (no verification or password table on the server)

    • In 2002, Hwang, Lee and Tang proposed a simple remote user authentication scheme (users can freely change their passwords)


Introduction (cont.)

  • Requirements

    • No verification or password table on the server

    • Users can freely change their passwords

    • Mutual authentication

    • Low computation cost

    • No synchronized clocks

    • Session key agreement

    • Resistance to the security issues discussed below (parallel session attacks, off-line attacks, loss of forward secrecy, identity problems)


Introduction (cont.)

  • Classification (the slide's tree, flattened here)

    Password-based user authentication
      - Without smart cards (user and server share ID and PW): Lamport 1981, Kwon 2005, Peyravian 2006
      - With smart cards (no verification or password table on the server)
          - nonce-based: without mutual authentication / with mutual authentication
          - timestamp-based: without mutual authentication / with mutual authentication

    Smart-card schemes placed under those four branches on the slide: Chien 2002, Juang 2004, Yoon 2004, Awasthi 2004, Ku 2004, Chen 2005, Lee 2005 (three entries), Wang 2005, Yoon 2005, Shieh 2006 (two entries)


Chien et al’s scheme and Hsu’s attack

  • Registration phase (x is the server's long-term secret, h(.) a one-way hash)

    1. User → Server: IDi, PWi
    2. Server: Ri = h(IDi ⊕ x) ⊕ PWi
    3. Server issues a smart card holding {Ri, h(.)}

  • Login/verification phase (T and T" are timestamps)

    1. User: C1 = Ri ⊕ PWi
    2. User: C2 = h(C1 ⊕ T)
    3. User → Server: IDi, T, C2
    4. Server: check IDi and T
    5. Server: C1' = h(IDi ⊕ x)
    6. Server: check h(C1' ⊕ T) ?= C2
    7. Server: C3 = h(C1' ⊕ T")
    8. Server → User: T", C3
    9. User: check T"
    10. User: check h(C1 ⊕ T") ?= C3


Chien et al’s scheme and Hsu’s attack(cont.)

  • Hsu's parallel session attack (2004)

    • Recall: Ri = h(IDi ⊕ x) ⊕ PWi, C1 = Ri ⊕ PWi, C2 = h(C1 ⊕ T), C3 = h(C1' ⊕ T")

    • Since C1 = C1' = h(IDi ⊕ x), the server's reply C3 = h(C1' ⊕ T") has exactly the form of a login value C2 = h(C1 ⊕ T) with T replaced by T"

    • An attacker who intercepts the reply (T", C3) can therefore open a parallel session by sending IDi, T", C3 as a login message; the server recomputes h(C1' ⊕ T"), finds it equal to C3, and accepts as long as T" is still within its freshness window


Juang’s scheme and Shieh et al.’s attack

  • Registration phase

    1. User → Server: IDi, PWi
    2. Server: Vi = h(IDi, x)
    3. Server: Wi = Vi ⊕ PWi
    4. Server issues a smart card holding {Wi, IDi, h(.)}

  • Login/verification phase

    • User: Vi = Wi ⊕ PWi
    • Ci = h(IDi || N1)
    • Server: decrypt EVi(ruj, Ci) and check Ci ?= h(IDi || N1)
    • Session key Kj = h(rsj, rsu, Vi)


Juang’s scheme and Shieh et al.’s attack (cont.)

  • Shieh et al.'s off-line plain-text attack (2006)

    • Ci = h(IDi || N1), with IDi and N1 sent in the clear, so the plaintext inside EVi(ruj, Ci) is known to an eavesdropper

    • Vi = Wi ⊕ PWi = h(IDi, x), so with Wi taken from the card each password guess PW' yields a candidate key Wi ⊕ PW' that can be tested off-line against the known plaintext/ciphertext pair


Shieh et al.’s scheme

  • Registration phase: the same as that of Chien et al.'s scheme

  • Login/key agreement phase (Tu and Ts are the user's and server's nonces)

    1. User: ai = Ri ⊕ PWi = h(IDi ⊕ x)
    2. User: MACu = h(Tu || ai); store Tu temporarily until the end of the session
    3. User → Server: IDi, Tu, MACu
    4. Server: check whether Tu is fresh
    5. Server: ai' = h(IDi ⊕ x)
    6. Server: MACu' = h(Tu || ai')
    7. Server: check MACu' ?= MACu
    8. Server: temporarily store (Tu, Ts) and IDi
    9. Server: MACs = h(Tu || Ts || ai')
    10. Server: session key Ks = h((Tu || Ts) ⊕ ai')
    11. Server → User: Tu, Ts, MACs
    12. User: MACs' = h(Tu || Ts || ai)
    13. User: check MACs' ?= MACs
    14. User: MACu" = h(Ts || (ai + 1))
    15. User: session key Ks = h((Tu || Ts) ⊕ ai)
    16. User → Server: Ts, MACu"
    17. Server: check Ts and MACu"
    18. Server: if the above holds, accept the user's login


Shieh et al.’s scheme (cont.)

  • Messages transmitted in the proposed scheme when a synchronized clock is used (Tu and Ts taken from the clock)

    • ai = Ri ⊕ PWi = h(IDi ⊕ x)
    • MACu = h(Tu || ai)
    • MACs = h(Tu || Ts || ai')


Shieh et al.’s scheme (cont.)

  • Messages transmitted in parallel session attack
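The exchange of Shieh et al.'s login/key agreement phase, with both sides' messages and the replays a parallel session attacker could attempt, as an added example written for this page (it is not Shieh et al.'s code). It assumes SHA-256 as h(.), "||" as byte concatenation, Tu and Ts as 16-byte random nonces (no clock is needed in this variant), and "ai + 1" as big-endian integer addition mod 2^256; the identity and password are constructed sample values.

```python
import hashlib
import os

H = 32  # output length of h(.) in bytes (SHA-256 stands in for h)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad(s: bytes) -> bytes:
    """Bring IDi and PWi to H bytes so the slide's XORs are defined (assumption)."""
    return s.ljust(H, b"\0")[:H]

def plus_one(a: bytes) -> bytes:
    """ai + 1 read as big-endian integer addition mod 2^256 (assumption)."""
    return ((int.from_bytes(a, "big") + 1) % 2 ** (8 * H)).to_bytes(H, "big")


class Server:
    def __init__(self):
        self.x = os.urandom(H)     # long-term secret x; no user table is kept
        self.pending = {}          # IDi -> (Tu, Ts), kept until the session ends (step 8)
        self.seen_tu = set()       # nonces already accepted, for the freshness check (step 4)
        self.keys = {}

    def register(self, id_: bytes, pw: bytes) -> bytes:
        """Registration as in Chien et al.: Ri = h(IDi ⊕ x) ⊕ PWi goes on the card."""
        return xor(h(xor(pad(id_), self.x)), pad(pw))

    def step_4_to_11(self, id_: bytes, tu: bytes, mac_u: bytes):
        if tu in self.seen_tu:                        # step 4: Tu fresh?
            return None
        ai = h(xor(pad(id_), self.x))                 # step 5: ai' = h(IDi ⊕ x)
        if h(tu, ai) != mac_u:                        # steps 6-7: MACu' ?= MACu
            return None
        ts = os.urandom(16)
        self.seen_tu.add(tu)
        self.pending[id_] = (tu, ts)                  # step 8
        mac_s = h(tu, ts, ai)                         # step 9: MACs = h(Tu || Ts || ai')
        self.keys[id_] = h(xor(tu + ts, ai))          # step 10: Ks = h((Tu || Ts) ⊕ ai')
        return tu, ts, mac_s                          # step 11

    def step_17_18(self, id_: bytes, ts: bytes, mac_u2: bytes) -> bool:
        _, ts_stored = self.pending.pop(id_, (None, None))
        ai = h(xor(pad(id_), self.x))
        return ts == ts_stored and mac_u2 == h(ts, plus_one(ai))   # steps 17-18


class User:
    def __init__(self, id_: bytes, pw: bytes, ri: bytes):
        self.id_, self.ai = id_, xor(ri, pad(pw))     # step 1: ai = Ri ⊕ PWi

    def step_1_to_3(self):
        self.tu = os.urandom(16)                      # stored until the session ends
        return self.id_, self.tu, h(self.tu, self.ai) # steps 2-3: MACu = h(Tu || ai)

    def step_12_to_16(self, tu: bytes, ts: bytes, mac_s: bytes):
        if tu != self.tu or mac_s != h(tu, ts, self.ai):   # steps 12-13
            return None
        self.key = h(xor(tu + ts, self.ai))                # step 15
        return ts, h(ts, plus_one(self.ai))                # steps 14, 16: MACu'' = h(Ts || (ai + 1))


def run_protocol(srv: Server, id_: bytes = b"alice", pw: bytes = b"hunter2"):
    """One honest session. Returns (login accepted and keys agree, the three messages)."""
    usr = User(id_, pw, srv.register(id_, pw))
    msg3 = usr.step_1_to_3()
    msg11 = srv.step_4_to_11(*msg3)
    msg16 = usr.step_12_to_16(*msg11)
    accepted = srv.step_17_18(id_, *msg16)
    return accepted and usr.key == srv.keys[id_], (msg3, msg11, msg16)


def replay_attempts() -> dict:
    """Resend each recorded message as a login in a parallel session; True = accepted."""
    srv = Server()
    _, (msg3, msg11, msg16) = run_protocol(srv)
    id_, tu, mac_u = msg3
    _, ts, mac_s = msg11
    _, mac_u2 = msg16
    return {
        "old login (Tu, MACu)": srv.step_4_to_11(id_, tu, mac_u) is not None,
        "server reply as login (Ts, MACs)": srv.step_4_to_11(id_, ts, mac_s) is not None,
        "user confirmation as login (Ts, MACu'')": srv.step_4_to_11(id_, ts, mac_u2) is not None,
    }
```

MACu, MACs and MACu" each bind a different nonce layout (one nonce, two nonces, one nonce with ai + 1), so a value captured in one role fails the check in any other role, and the stored Tu blocks a straight replay of the login; that is the property the parallel session slide illustrates.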


Lee et al.’s scheme (CSI)

  • Registration/login phase: the same as that of Chien et al.'s scheme

  • Verification phase (only the server's reply changes):

    4. Server: check IDi and T
    5. Server: C1' = h(IDi ⊕ x)
    6. Server: check h(C1' ⊕ T) ?= C2
    7. Server: C3 = h(h(C1' ⊕ T"))
    8. Server → User: T", C3
    9. User: check T"
    10. User: check h(h(C1 ⊕ T")) ?= C3

    The extra hash gives the reply the form h(h(.)), different from the login value h(.), so a captured C3 no longer passes as a C2 in a parallel session.
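Chien et al.'s scheme, Hsu's parallel session attack on it, and the Lee et al. (CSI) double-hashed reply, run together as an added example written for this page (not the authors' code). It assumes SHA-256 as h(.), identities, passwords and timestamps padded to 32 bytes so the XORs are defined, and integer timestamps accepted within a window of five ticks; the user name and password are constructed sample values.

```python
import hashlib
import os

H = 32  # output length of h(.) in bytes (SHA-256 stands in for h)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad(s: bytes) -> bytes:
    """Bring IDi, PWi and timestamps to H bytes (assumed encoding)."""
    return s.ljust(H, b"\0")[:H]

def ts(t: int) -> bytes:
    return pad(t.to_bytes(8, "big"))


class Server:
    def __init__(self, csi_fix: bool, clock: int = 1000, window: int = 5):
        self.x = os.urandom(H)      # long-term secret x
        self.csi_fix = csi_fix      # True: reply is h(h(C1' ⊕ T'')) as in Lee et al. (CSI)
        self.clock, self.window = clock, window
        self.registered = set()

    def register(self, id_: bytes, pw: bytes) -> bytes:
        """Registration: Ri = h(IDi ⊕ x) ⊕ PWi is stored on the smart card."""
        self.registered.add(id_)
        return xor(h(xor(pad(id_), self.x)), pad(pw))

    def login(self, id_: bytes, t: int, c2: bytes):
        """Steps 4-8 of the login/verification phase. Returns (T'', C3) or None."""
        if id_ not in self.registered or abs(t - self.clock) > self.window:
            return None                                   # step 4: check IDi and T
        c1p = h(xor(pad(id_), self.x))                    # step 5: C1' = h(IDi ⊕ x)
        if h(xor(c1p, ts(t))) != c2:                      # step 6: h(C1' ⊕ T) ?= C2
            return None
        t2 = self.clock                                   # step 7: C3 = h(C1' ⊕ T'')
        c3 = h(xor(c1p, ts(t2)))
        return t2, (h(c3) if self.csi_fix else c3)        # CSI: C3 = h(h(C1' ⊕ T''))


def user_login(ri: bytes, pw: bytes, t: int) -> bytes:
    """Steps 1-3: C1 = Ri ⊕ PWi, C2 = h(C1 ⊕ T)."""
    return h(xor(xor(ri, pad(pw)), ts(t)))

def user_verify(ri: bytes, pw: bytes, t2: int, c3: bytes, csi_fix: bool) -> bool:
    """Steps 9-10; the user's own freshness check on T'' is left out of this toy."""
    c = h(xor(xor(ri, pad(pw)), ts(t2)))
    return (h(c) if csi_fix else c) == c3


def honest_session(csi_fix: bool) -> bool:
    srv = Server(csi_fix)
    ri = srv.register(b"alice", b"correct horse")
    t = srv.clock
    reply = srv.login(b"alice", t, user_login(ri, b"correct horse", t))
    return reply is not None and user_verify(ri, b"correct horse", *reply, csi_fix)


def hsu_parallel_session(csi_fix: bool) -> bool:
    """True if the attacker's replayed login is accepted by the server."""
    srv = Server(csi_fix)
    ri = srv.register(b"alice", b"correct horse")
    t = srv.clock
    # The attacker records an honest login and the server's reply (T'', C3).
    t2, c3 = srv.login(b"alice", t, user_login(ri, b"correct horse", t))
    # Parallel session: the reply is resent as a login message (IDi, T, C2).
    # In Chien et al. C3 = h(C1' ⊕ T'') has the same form as C2 = h(C1 ⊕ T).
    return srv.login(b"alice", t2, c3) is not None


if __name__ == "__main__":
    for fix, name in ((False, "Chien et al."), (True, "Lee et al. (CSI)")):
        print(name, "honest:", honest_session(fix), "replay accepted:", hsu_parallel_session(fix))
```

With csi_fix=False the replayed reply is accepted because the server recomputes exactly the value it produced a moment earlier; with csi_fix=True the server compares h(C1' ⊕ T") against a C3 that is h(h(C1' ⊕ T")), so the replay fails while honest sessions still succeed.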


Chen et al.’s scheme

  • Registration phase: the same as that of Chien et al.'s scheme

  • Login/authentication phase (N1, N2 are nonces; h2 and h3 denote h applied twice and three times):

    1. User: ai = Ri ⊕ PWi = h(IDi ⊕ x)
    2. User: M1 = h2(IDi ⊕ x) ⊕ N1
    3. User → Server: IDi, M1
    4. Server: compute h2(IDi ⊕ x) and extract N1 = M1 ⊕ h2(IDi ⊕ x)
    5. Server: M2 = h(h(IDi ⊕ x) || N1) ⊕ N2 and M3 = h(h(IDi ⊕ x) || N1 || N2)
    6. Server → User: M2, M3
    7. User: compute h(h(IDi ⊕ x) || N1) and extract N2 = M2 ⊕ h(h(IDi ⊕ x) || N1)
    8. User: verify M3 ?= h(h(IDi ⊕ x) || N1 || N2)
    9. User: M4 = h(h2(IDi ⊕ x) || N1+1 || N2+1)
    10. User → Server: M4
    11. Server: verify M4 ?= h(h2(IDi ⊕ x) || N1+1 || N2+1)
    12. Both sides: session key Ks = h(h3(IDi ⊕ x) || N1+2 || N2+2)


Lee et al.’s scheme (AMC)

Parallel session attack


Yoon et al.’s scheme

  • Registration phase:

  • Login/Authentication phase:


Comments

  • Comparison (H = one hash evaluation, ⊕ = one XOR)

    Scheme             Mutual authentication (steps)   Computation load   Use of timestamp   Session key agreement
    Shieh et al.       Yes (3)                         10H + 6⊕           Yes/No             Yes
    Lee et al. (CSI)   Yes (2)                         7H + 8⊕            Yes                No
    Chen et al.        Yes (3)                         19H + 15⊕          No                 Yes
    Lee et al. (AMC)   Yes (3)                         6H + 7⊕            No                 No
    Yoon et al.        Yes (2)                         6H + 2⊕            Yes                No

    Shieh et al. is "Yes/No" on timestamps because the scheme is given with nonces and, as a variant, with a synchronized clock.


Comments (cont.)

  • Forward secrecy

    • If the server's long-term secret x is compromised, an attacker who recorded the login messages can reconstruct every agreed session key, because the only secret entering the key is derived from x and the remaining inputs travel in the clear or masked by x-derived values

    • Solution: a Diffie-Hellman key exchange

      • Let N1 = g^a and N2 = g^b with fresh exponents a and b (the slide writes g^x and g^y; a and b are used here to avoid confusion with the server secret x)

      • Session key = g^(ab), which cannot be computed from N1, N2 and x alone
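Chen et al.'s nonce-based login run end to end, the forward secrecy comment made concrete (a recorded transcript plus the server secret x yields Ks), and the Diffie-Hellman variant just described, as an added example written for this page (not Chen et al.'s or the reporter's code). It assumes SHA-256 as h(.), h2/h3 as h iterated, 32-byte nonces, "N + k" as big-endian integer addition mod 2^256, and a toy 61-bit prime-field group chosen only so the example runs instantly; the identity and password are constructed sample values.

```python
import hashlib
import os

H = 32
P = 2 ** 61 - 1     # toy modulus (a Mersenne prime); far too small for real use
G = 2

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def hn(data: bytes, n: int) -> bytes:
    """h applied n more times: given ai = h(IDi ⊕ x), h2(IDi ⊕ x) = hn(ai, 1), h3 = hn(ai, 2)."""
    for _ in range(n):
        data = h(data)
    return data

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad(s: bytes) -> bytes:
    return s.ljust(H, b"\0")[:H]

def add(n: bytes, k: int) -> bytes:
    return ((int.from_bytes(n, "big") + k) % 2 ** (8 * H)).to_bytes(H, "big")


def login(x: bytes, id_: bytes, ri: bytes, pw: bytes, n1: bytes, n2: bytes):
    """Steps 1-11 with the user's N1 and the server's N2 supplied by the caller.
    Returns the transcript an eavesdropper sees and (N1, N2) as each side holds them."""
    ai = xor(ri, pad(pw))                                # 1: ai = Ri ⊕ PWi = h(IDi ⊕ x)
    m1 = xor(hn(ai, 1), n1)                              # 2: M1 = h2(IDi ⊕ x) ⊕ N1
    s = h(xor(pad(id_), x))                              # server recomputes h(IDi ⊕ x)
    n1_srv = xor(m1, hn(s, 1))                           # 4: N1 = M1 ⊕ h2(IDi ⊕ x)
    m2 = xor(h(s, n1_srv), n2)                           # 5: M2 = h(h(IDi ⊕ x) || N1) ⊕ N2
    m3 = h(s, n1_srv, n2)                                #    M3 = h(h(IDi ⊕ x) || N1 || N2)
    n2_usr = xor(m2, h(ai, n1))                          # 7: N2 = M2 ⊕ h(h(IDi ⊕ x) || N1)
    if m3 != h(ai, n1, n2_usr):                          # 8
        raise ValueError("server not authenticated")
    m4 = h(hn(ai, 1), add(n1, 1), add(n2_usr, 1))        # 9: M4 = h(h2(IDi ⊕ x) || N1+1 || N2+1)
    if m4 != h(hn(s, 1), add(n1_srv, 1), add(n2, 1)):    # 11
        raise ValueError("user not authenticated")
    return (id_, m1, m2, m3, m4), (n1, n2_usr), (n1_srv, n2)

def chen_key(base: bytes, n1: bytes, n2: bytes) -> bytes:
    """Step 12: Ks = h(h3(IDi ⊕ x) || N1+2 || N2+2), where base = h(IDi ⊕ x)."""
    return h(hn(base, 2), add(n1, 2), add(n2, 2))

def eavesdropper_with_x(x: bytes, transcript):
    """Given x and the recorded (IDi, M1, M2), unmask N1 and N2 and derive Ks."""
    id_, m1, m2, _, _ = transcript
    s = h(xor(pad(id_), x))
    n1 = xor(m1, hn(s, 1))
    n2 = xor(m2, h(s, n1))
    return n1, n2, chen_key(s, n1, n2)

def setup():
    x = os.urandom(H)
    ri = xor(h(xor(pad(b"alice"), x)), pad(b"pw"))       # registration as in Chien et al.
    return x, b"alice", ri, b"pw"

def original_scheme_leaks() -> bool:
    """True: with x, the eavesdropper's key equals the key both parties agreed on."""
    x, id_, ri, pw = setup()
    transcript, (n1, n2), (n1s, n2s) = login(x, id_, ri, pw, os.urandom(H), os.urandom(H))
    ks_user = chen_key(xor(ri, pad(pw)), n1, n2)
    ks_srv = chen_key(h(xor(pad(id_), x)), n1s, n2s)
    assert ks_user == ks_srv
    return eavesdropper_with_x(x, transcript)[2] == ks_user

def dh_variant_leaks() -> bool:
    """N1 = g^a and N2 = g^b ride in the same messages; the key is g^(ab)."""
    x, id_, ri, pw = setup()
    a, b = int.from_bytes(os.urandom(7), "big"), int.from_bytes(os.urandom(7), "big")
    n1 = pad(pow(G, a, P).to_bytes(8, "big"))
    n2 = pad(pow(G, b, P).to_bytes(8, "big"))
    transcript, (_, n2_u), (n1_s, _) = login(x, id_, ri, pw, n1, n2)
    key_user = pow(int.from_bytes(n2_u[:8], "big"), a, P)    # (g^b)^a
    key_srv = pow(int.from_bytes(n1_s[:8], "big"), b, P)     # (g^a)^b
    assert key_user == key_srv
    seen_n1, seen_n2, _ = eavesdropper_with_x(x, transcript)
    assert (seen_n1, seen_n2) == (n1, n2)   # x still reveals g^a and g^b ...
    # ... but neither of those is g^(ab); obtaining it needs a or b (discrete log).
    return key_user in (int.from_bytes(seen_n1[:8], "big"), int.from_bytes(seen_n2[:8], "big"))
```

In the original scheme the nonces are masked only by h2(IDi ⊕ x) and h(h(IDi ⊕ x) || N1), so x alone unmasks them and the key follows; in the DH variant the same messages reveal only g^a and g^b, and the ephemeral exponents never leave their owners.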


Comments (cont.)

  • Identity problems

    • The remote server keeps no verification table, so nothing on the server records or revokes the cards it has issued

    • Impersonation attack

      • A legitimate user can purposely obtain a second valid (ID, PW) pair by the following trick:

        • the user declares that the smart card has been lost

        • the user re-registers and is issued a new valid (ID, PW) and card

        • the original smart card remains usable, since the server has no way to invalidate it


  • Login