
Fixing problems in Lin et al.’s OSPA protocol

Fixing problems in Lin et al.’s OSPA protocol. Author: Eun-Jun Yoon, Eun-Kyung Ryu, Kee-Young Yoo. Source: APPLIED MATHEMATICS AND COMPUTATION 166 (2005) 46-57. Speaker: 吳一杰. Outline. Introduction Review of two simple attacks on Lin et al.’s protocol The proposed scheme


Presentation Transcript


  1. Fixing problems in Lin et al.’s OSPA protocol Author: Eun-Jun Yoon, Eun-Kyung Ryu, Kee-Young Yoo Source: APPLIED MATHEMATICS AND COMPUTATION 166 (2005) 46-57 Speaker: 吳一杰

  2. Outline • Introduction • Review of two simple attacks on Lin et al.’s protocol • The proposed scheme • Security analysis • Conclusions

  3. Introduction • The SAS (simple and secure) protocol is vulnerable to the replay attack and the DoS attack. • The OSPA (optimal strong-password authentication) protocol is vulnerable to the stolen-verifier attack. • Lin et al.’s enhanced OSPA protocol is vulnerable to the replay attack and the DoS attack. • All of the above support only unilateral authentication. • The scheme proposed in this paper can simply update the user’s password, also provides mutual authentication, and performs more efficiently by reducing the number of hash operations.

  4. Review of two simple attacks on Lin et al.’s protocol (1/8) • A, S, : user, server and adversary, respectively. • P, P': user’s password and new password. • N, N': random nonce and new random nonce. • vpw, new_vpw: user’s password verifier and new password verifier. • h(·): a strong one-way hash function. • ⊕: bitwise XOR operation. • ||: concatenation operation. • x: server’s secret key.

  5. Review of two simple attacks on Lin et al.’s protocol(2/8) • Security properties: • Guessing attack. • Replay attack. • Impersonation attack. • Stolen-verifier attack. • Denial of Service attack.

  6. Review of two simple attacks on Lin et al.’s protocol (3/8) Registration phase [Diagram of the exchange between A and S; the formulas are missing. Surviving labels: Select N; Computes; Store; Secure channel; K, N; Smart card.]

  7. Review of two simple attacks on Lin et al.’s protocol (4/8) Authentication phase [Diagram of the exchange between A and S; the messages are missing. Surviving labels: Smart card; A, P.]

  8. Review of two simple attacks on Lin et al.’s protocol (5/8) DoS Attack [Diagram of the exchange between A and S; the messages are missing. Surviving labels: Smart card; A, P.]

  9. Review of two simple attacks on Lin et al.’s protocol (6/8) Replay Attack (1/3), n-th login [Diagram of the exchange between S and A; the messages are missing. Surviving labels: Smart card; A, P.]

  10. Review of two simple attacks on Lin et al.’s protocol (7/8) Replay Attack (2/3) [Diagram; the messages are missing. Surviving label: S.]

  11. Review of two simple attacks on Lin et al.’s protocol (8/8) Replay Attack (3/3) [Diagram; the messages are missing. Surviving label: S.]

  12. The proposed scheme (1/4) • The proposed scheme has at least four merits, as follows: • Users can freely change their passwords. • The scheme can quickly detect a wrongly entered password. • The scheme provides mutual authentication. • The scheme has low computation costs.

  13. The proposed scheme (2/4) Registration phase [Diagram of the exchange between S and A; the formulas are missing. Surviving labels: Select A, P; {A, P}; Secure channel; X, K, N, h(·); Smart card.]

  14. The proposed scheme (3/4) Authentication phase [Diagram of the exchange between S and A; the messages are missing. Surviving labels: Smart card; A, P.]

  15. The proposed scheme (4/4) Password change scheme [Diagram of the exchange between S and A; the messages are missing. Surviving labels: Smart card; A, P.]

  16. Security analysis (1/3) • Guessing attack: the adversary cannot use C2 and C3 to derive P because he does not know N, N' and the secret key x. • Replay attack: because new_vpw is hidden in C3. • Impersonation attack: for the server: he has no way of obtaining the values h(x||A) and h(P⊕N) to compute C2 and C3; for the user: he cannot derive the values h(x||A) and new_vpw, due to the one-way function. • Stolen-verifier attack: he cannot derive h(x||A) and new_vpw from h(P⊕N) because h(·) is a one-way hash function. • Denial of Service attack: only if C3' = C3 does the server update h(P⊕N) with new_vpw = h(P⊕N').
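
The Denial of Service item above, as an added example that is not taken from the slides or the paper: a server that replaces its stored verifier without a C3' = C3 check falls out of sync with the user after one altered message, while the gated server keeps h(P⊕N). The message formats (`masked`, `c3`), the hashing of P to nonce length, and the rule that the user keeps N unless the update is accepted are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation (||) of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def verifier(password: bytes, nonce: bytes) -> bytes:
    """vpw = h(P xor N). Assumption: P is first hashed to the nonce length."""
    return h(xor(hashlib.sha256(password).digest(), nonce))

def client_update(password: bytes, n_old: bytes, n_new: bytes):
    """Build an update request. Both message formats are assumed, not the paper's."""
    vpw, new_vpw = verifier(password, n_old), verifier(password, n_new)
    masked = xor(new_vpw, h(vpw))   # new_vpw travels masked
    c3 = h(vpw, new_vpw)            # check value binding new_vpw to the current vpw
    return masked, c3

class Server:
    def __init__(self, vpw: bytes, check_c3: bool):
        self.vpw, self.check_c3 = vpw, check_c3

    def handle(self, masked: bytes, c3: bytes) -> bool:
        new_vpw = xor(masked, h(self.vpw))
        if self.check_c3 and not hmac.compare_digest(h(self.vpw, new_vpw), c3):
            return False            # C3' != C3: keep the stored verifier
        self.vpw = new_vpw          # replace h(P xor N) with new_vpw
        return True

def in_sync_after_update(check_c3: bool, tamper: bool) -> bool:
    """Run one update and report whether server and user still share a verifier."""
    pw = b"constructed-sample-password"
    n_old, n_new = os.urandom(32), os.urandom(32)
    server = Server(verifier(pw, n_old), check_c3)
    masked, c3 = client_update(pw, n_old, n_new)
    if tamper:                      # one bit altered in transit
        masked = xor(masked, b"\x01" + bytes(31))
    accepted = server.handle(masked, c3)
    user_nonce = n_new if accepted else n_old   # assumed: user keeps N unless accepted
    return server.vpw == verifier(pw, user_nonce)

if __name__ == "__main__":
    for check in (False, True):
        print(f"check_c3={check}: in sync after altered update ->",
              in_sync_after_update(check, tamper=True))
```

The example covers only the update gate; it does not model the scheme's mutual authentication or its resistance to stolen verifiers.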

  17. Security analysis(2/3)

  18. Security analysis(3/3)

  19. Conclusions • The paper presented an improved version of Lin et al.’s protocol that can withstand the replay attack and the DoS attack. • The proposed scheme can simply change the user’s password and also provides mutual authentication. • The proposed scheme performs more efficiently by reducing the number of hash function operations.

  20. Common DoS attack? [Diagram; the messages are missing. Surviving labels: S; A; X; {C4}.]
