This study introduces a secure authentication system using smart cards and one-time credentials to protect user privacy. The model involves registration, authentication, and verification phases to ensure secure user interactions. Passwords are masked to prevent phishing attacks, and unique session keys are generated for lightweight operations.
Privacy-Preserving Authentication of Users with Smart Cards Using One-Time Credentials
Author: Jun-Cheol PARK
Source: IEICE TRANS. INF&SYST VOL. E93-D 2010 July
Presenter: Hsin-Ruey Tsai
Outline
• Introduction
• Model
• Conclusion
Introduction
• Password-based
  • Insecure channel, ex: Internet
• Single ID and password in different sites
  • phishing, spamming email
• One-time credentials
• Hide ID and password from a server
• Random and unique session
• Lightweight operations
Model
• Registration Phase
• Authentication Phase
• Verification and Update Phase
Registration Phase
• User: id, pw, P, rpw
  • P = (P1||P2): 4 digits PIN
  • rpw: revocation pw
• Smart card → Server: M, id’, K
  • M = HMAC(pw, Xi||id)
  • K = h^(P1+5)([h^(P2+5)(rpw||S’s URL)]^R) (revocation)
• Server → Smart card: m
  • m = h(id’||Y’) ⊕ M
• Server user info: <id’, h^2(id’||Y’), h(M), K>
• Smart card: id’, m, xi
Authentication / Verification and Update Phase
• User → Smart card: id, pw
• Server user info: <id’, h^2(id’||Y’), h(M), K>
• Smart card:
  • a = m ⊕ HMAC(pw, Xi||id) = h(id’||Y’)
  • b = h(HMAC(pw, Xi||id)) ⊕ id’’
  • c = h(id’||a||id’’||T)
• Smart card → Server: id’, a, b, c, T
• Server:
  • Check h(a) = h^2(id’||Y’)
  • id’’ = b ⊕ h(M)
  • Verify c = h(id’||a||id’’||T)
  • d = h(id’’||T||id’||Y’’)
  • e = h(h(M)||id’’) ⊕ Y’’
• Server → Smart card: d, e
• Smart card:
  • Y’’ = e ⊕ h(h(M)||id’’)
  • Verify d
  • f = h(Y’’||id’’||id’)
• Smart card → Server: f
• Server: Check f
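The authentication exchange on this slide, as an added Python example that is not code from the paper or the slides. It assumes h is SHA-256, HMAC is HMAC-SHA256 keyed with pw, Xi is the xi stored on the card, id’’ and Y’’ are fresh random values, and a 60-second freshness window on T; the credential update step is left out because the slides do not state it.

```python
import hashlib, hmac, os

def h(*parts):                      # h(x1||x2||...); SHA-256 is an assumption
    return hashlib.sha256(b"".join(parts)).digest()

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def mac(pw, xi, uid):               # M = HMAC(pw, Xi||id), pw taken as the key (assumed)
    return hmac.new(pw, xi + uid, hashlib.sha256).digest()

def register(uid, pw):              # K (revocation) is omitted here
    xi, id1, y1 = os.urandom(32), os.urandom(32), os.urandom(32)
    M = mac(pw, xi, uid)
    card = {"id1": id1, "m": xor(h(id1, y1), M), "xi": xi}
    server = {"id1": id1, "h2": h(h(id1, y1)), "hM": h(M)}
    return card, server

def card_request(card, uid, pw, t):
    M = mac(pw, card["xi"], uid)
    a = xor(card["m"], M)                        # equals h(id'||Y') only for the right id, pw
    id2 = os.urandom(32)                         # id'': assumed fresh per session
    T = t.to_bytes(8, "big")
    msg = (card["id1"], a, xor(h(M), id2), h(card["id1"], a, id2, T), T)
    return msg, {"hM": h(M), "id2": id2}

def server_respond(server, msg, now, skew=60):   # skew window is an assumption
    id1, a, b, c, T = msg
    if abs(now - int.from_bytes(T, "big")) > skew:
        return None                              # stale T: replayed request
    if id1 != server["id1"] or not hmac.compare_digest(h(a), server["h2"]):
        return None                              # h(a) != h^2(id'||Y')
    id2 = xor(b, server["hM"])                   # id'' = b XOR h(M)
    if not hmac.compare_digest(c, h(id1, a, id2, T)):
        return None
    y2 = os.urandom(32)                          # Y'': assumed fresh per session
    d, e = h(id2, T, id1, y2), xor(h(server["hM"], id2), y2)
    return (d, e), h(y2, id2, id1)               # reply, and the f the server expects

def card_confirm(card, state, T, reply):
    d, e = reply
    y2 = xor(e, h(state["hM"], state["id2"]))    # Y'' = e XOR h(h(M)||id'')
    if not hmac.compare_digest(d, h(state["id2"], T, card["id1"], y2)):
        return None                              # d mismatch: sender does not hold h(M)
    return h(y2, state["id2"], card["id1"])      # f
```

The server never receives id or pw in this flow; a wrong password changes M, so a no longer hashes to the stored h^2(id’||Y’).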
Revocation
• Server: look up K in the user info
  • K = h^(P1+5)([h^(P2+5)(rpw||S’s URL)]^R)
• Server → Computer (SSL): v
• User → Computer: <P, rpw>
• Computer → Server (SSL): z
  • z = h^(P1+5+v)([h^(P2+5)(rpw||S’s URL)]^R)
• Server: Check h^v(K)
Security
• Linking Authentication Sessions of a User
• Attacks to Obtain User ID and Password
• Impersonating a User Using Server Database and/or Smart Card’s Storage
• Replay Attack
• Parallel Session Attack
• Attack of Revocation
Conclusion
• Enhance privacy
• Smart card <id’, m, xi>: each 256 bit, 96 Byte
• Server identity: 4 Byte