
Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture

Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture. Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui. Presented by MSc. Ding Wang, November 11, Wuyishan ( ) wangdingg@mail.nankai.edu.cn Tel: 15104596985. Outline. Introduction


Presentation Transcript


  1. Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture • Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui • Presented by MSc. Ding Wang, November 11, Wuyishan () wangdingg@mail.nankai.edu.cn Tel: 15104596985

  2. Outline • Introduction • Review of Li et al.’s scheme • Proposed attacks • Two observations • Conclusion [Figure 1: 802.11i security framework]

  3. Introduction • Remote authentication • a mechanism to authenticate remote users over insecure communication networks • Basic techniques: (1) what a user knows, such as passwords, PINs; (2) what a user has, such as smart cards, tokens; (3) what a user is, such as fingerprints [Figure: user, attacker, network, server]

  4. Two-factor Authentication: Smart-card-based Password Authentication • Combine the first two techniques to obtain a secure and efficient scheme with desirable functionalities. [Figure: user with a low-entropy password; ID, PW; remote server]

  5. A Practical Problem • The traditional two-factor authentication schemes are suitable for a single-server environment. • However, what will happen if there are multiple service servers? The user has to remember multiple (ID, PW) pairs. [Figure: user with a low-entropy password; ID1, PW1 for Server 1; ID2, PW2 for Server 2; ...; IDj, PWj for Server j]

  6. Two-factor authentication for the multi-server environment • Advantages • register once • remember one (ID, PW) pair • access multiple service servers

  7. Challenges • Powerful adversary • According to the common Dolev-Yao adversary model: (1) he can eavesdrop, replay, fabricate, intercept and block any messages over the channel; (2) what he cannot do is “crack” encrypted messages • Due to side-channel attacks, smart cards should be assumed to be non-tamper-resistant • Collusion attacks are practical: malicious internal user + dishonest server • Naive users • users tend to choose “weak passwords” • We are the first to pay attention to this practical threat. [Figure callout: “my phone number?”]

  8. A Challenge (continued) • Have to reconcile the following issues • Security: resistance to various passive and active attacks • Functionalities (user friendliness) • Performance

  9. What constitutes a practical scheme? • No serious security vulnerabilities • With desirable functionalities • Efficient

  10. Trade-offs and Conflicts • Security • Performance • Usability [Figure labels: free password change; offline password guessing attack; timely wrong password detection]

  11. A history of “attack-and-improvement”

  12. A misunderstanding-prone concept • “Dynamic ID-based” • Shao, M. and Chin, Y.: A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment. IEICE Transactions on Information and Systems, Vol.E95–D, No.1, 161-168 (2012) (An extended version of a paper that has been presented in NSS 2010) • Li, X., Xiong, Y., Ma, J., Wang, W.: An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763–769 (2012) • It basically means the user’s identity is dynamically changed during the login process and has nothing to do with the hot “ID-based Cryptography”.

  13. Notations and abbreviations

  14. A demonstration of Li et al.’s scheme

  15. Review of Li et al.’s scheme • Li et al.’s scheme • the registration phase • the login phase • the verification phase • the password update phase

  16. Review of Li et al.’s scheme (1/4): Service server registration [Figure: Control Server (CS) with master secret x and secret number y; Service Providing Server Sj; choose SIDj]

  17. Review of Li et al.’s scheme (1/4): User registration [Figure: Control Server (CS) with master secret x and secret number y; User: choose IDi, Pi; choose a random b; compute Ai = h(b||Pi)]

  18. Review of Li et al.’s scheme (2/4): Login phase [Figure: parties Ui, Sj, CS]

  19. Review of Li et al.’s scheme (3/4): Verification phase • Only based on symmetric cryptographic primitives [Figure: parties Ui, Sj, CS]

  20. Review of Li et al.’s scheme (4/4): Password change phase • Supports local password update • We only focus on the login and verification phases, and omit this phase.

  21. Two vulnerabilities • Offline password guessing attack • the most damaging threat to a password protocol • User anonymity breach • Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763–769 (2012) • Which means the essential goal cannot be achieved

  22. Security Flaws (1/2): Offline password guessing attack [Figure labels: obtains {Di, Ei, b, h(y), h(.)} in Ui’s smart card; intercepted]

  23. Security Flaws (2/2): User anonymity breach attack • Ei is kept static in all of Ui’s login requests, and thus can be exploited to trace user activity. [Figure: Sj colludes with Um; Ui]

  24. Lessons learned from the cryptanalysis • Two further observations • Symmetric-key primitives alone (such as hash, symmetric encryption, MAC) are intrinsically inadequate to withstand offline password guessing attacks. (We managed to prove it in the following work: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. (2012), submitted on Sep 7, 2012. Last week, it was accepted and made available online, DOI: 10.1002/dac.2468.) • In the multi-server environment, collusion attacks are major threats to user privacy. Our new work: On the anonymity of two-factor authentication schemes • By following our two observations, more than 50% of schemes of this type can easily be found problematic.

  25. Breaking 50% of schemes of this type

  26. Conclusion • Our focus is on two-factor authentication for multi-server architecture. • Two practical attacks are demonstrated on Li et al.’s scheme. • Two observations are put forward. Remarkably, public-key techniques are indispensable for resisting offline password guessing attacks. • By following these two observations, more than 50% of existing schemes can easily be found problematic.

  27. THANK YOU & QUESTION

  28. Side-Channel Attack

  29. Various attacks • Offline password guessing attack • Smart card loss attack • Stolen verifier attack • User impersonation attack • Server masquerading attack • Replay attack • Parallel session attack • Denial of service attack • Password disclosure to server (Insider attack) • Forward secrecy • Key compromise impersonation attack • Unknown key share attack • …

  30. Functionalities • key agreement • mutual authentication • local password change • user anonymity (initiator un-traceability) • no verifier table • support weak password • non-tamper resistant smart cards • repairability

  31. Performance • Computation complexity (a big hill): cryptographic operations are often computation-intensive, like modular exponentiation, modular inversion, pairing … • Storage cost (not a big problem) • Communication overhead (not a big problem)
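
The traceability problem from slide 23, as an added example that is not part of the original presentation: an unlinkability audit that a protocol designer can run over login transcripts, as seen by a party able to recover Ei. The transcripts are constructed, and every field name except Ei (`user`, `nonce`, `CID`) is a hypothetical stand-in, because the scheme's message layout is not reproduced on this page.

```python
import secrets
from collections import defaultdict


def make_sessions(users, logins_per_user):
    """Constructed transcripts: one static card value Ei per user, plus
    fresh per-login values (hypothetical fields `nonce` and `CID`)."""
    sessions = []
    for user in users:
        e_i = secrets.token_hex(16)  # fixed at registration, never refreshed
        for _ in range(logins_per_user):
            sessions.append({
                "user": user,                   # ground truth, hidden from the observer
                "Ei": e_i,
                "nonce": secrets.token_hex(16),
                "CID": secrets.token_hex(16),   # stands in for a per-session dynamic ID
            })
    return sessions


def linkable_fields(sessions, hidden=("user",)):
    """Return {field: [session-index groups]} for every observable field
    whose value repeats across sessions, i.e. every linkability handle."""
    report = {}
    for field in (f for f in sessions[0] if f not in hidden):
        groups = defaultdict(list)
        for idx, session in enumerate(sessions):
            groups[session[field]].append(idx)
        repeated = [idxs for idxs in groups.values() if len(idxs) > 1]
        if repeated:
            report[field] = repeated
    return report


def groups_match_users(sessions, groups):
    """True when every group of linked sessions belongs to exactly one user."""
    return all(len({sessions[i]["user"] for i in g}) == 1 for g in groups)


def audit(users=("U1", "U2", "U3"), logins_per_user=4):
    """Build the constructed transcripts and report the linkable fields."""
    sessions = make_sessions(users, logins_per_user)
    return sessions, linkable_fields(sessions)


if __name__ == "__main__":
    sessions, report = audit()
    for field, groups in report.items():
        print(field, "links", len(groups), "groups; per-user:",
              groups_match_users(sessions, groups))
```

A field that appears in the report fails the "initiator un-traceability" property listed on slide 30; in this constructed data only the static Ei does, while the per-session values do not.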
