Presentation is loading. Please wait.

Presentation is loading. Please wait.

多媒體網路安全實驗室 An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security Date:2012/02/16.

Published byFrancine White Modified over 8 years ago

Similar presentations

Presentation on theme: "多媒體網路安全實驗室 An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security Date:2012/02/16."— Presentation transcript:

1 多媒體網路安全實驗室 An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security Date:2012/02/16 報告人:向峻霈 出處 : He Debiao, Chen Jianhua and Hu Jin Information Fusion 2011

2 多媒體網路安全實驗室 Outline Introduction 1 Proposed scheme 2 Security analysis 33 Functionality comparison 44 Conclusion 35 2

3 多媒體網路安全實驗室 Introduction  In electronic transactions, remote client authentication in insecure channel is an important issue  ECC-based authentication protocols are more suitable for mobile devices 3

4 多媒體網路安全實驗室 Proposed scheme  System initializing phase  Client registration phase  Mutual authentication with key agreement phase 4

5 多媒體網路安全實驗室 System initializing phase  S generates parameter of the system  Chooses a large prime number q(q>2 160 )  Fp :y 2 = x 3 +ax+b mod F p a,b ∈ F p  4a 3 +27b 2 mod q ≠ 0,  G is a generator point of a large order n(n>2 160 )  H 1 :{0,1}* -> Z n * H 2 :{0,1}*-> Z p *  H 3 :{0,1}* -> Z p *  public parameters =>(F p,E,n,P,P s,H 1,H 2,H 3,MAC k (m) 5

6 多媒體網路安全實驗室 Client registration phase 6 ID C h Ci =H 1 (ID Ci ) D Ci =(1/x+h Ci )P ∈ G // private key P Ci =(h Ci + x)P =h Ci P + P S Client CServer S 1.off-line S stores the identity ID Ci DCi into a smart card and returns it to the client 2. on-line Ci connects to the server S through Internet S may use the SSL channel in the https mode to deliver the private key D Ci to the client C i

7 多媒體網路安全實驗室 Mutual authentication with key agreement phase 7 Client CServer S M 1 =(ID C,T C,M,MAC K (ID C,T S,M) Check ID C Check T C h C = H 1 (ID C ) M’ =(1/q s +h C )M k = H 2 (ID C,T C,M,M’) Check MAC K (ID C,T S,M) W = r S x P K S = r S x M sk = H 3 (ID C,T C,T S,M,W,K S ) M 2 =(ID C,T S,W,MAC K (ID C,T S,W) Check MAC k (ID C,T S,W) K C =r C x W sk = H 3 (ID C,T C,T S,M,W,K C ) M = r c x P M’ = r C x D C k = H 2 (ID c,T C,M,M’)

8 多媒體網路安全實驗室 Security analysis  Discussion about Smart-Card-Stolen attack  Known session key security  Perfect forward secrecy  No key-compromise impersonation  No unknown key-share  No key control 8

9 多媒體網路安全實驗室 Smart-Card-Stolen attack 9 server validity of users 3. New card 1.loss 2. request

10 多媒體網路安全實驗室 Known session key security  if an adversary, having obtained some previous session keys  cannot get the session keys of the current run of the key agreement protocol 10

11 多媒體網路安全實驗室 Perfect forward secrecy 11 Client CServer S M 1 =(ID C,T C,M,MAC K (ID C,T S,M) M 2 =(ID C,T S,W,MAC K (ID C,T S,W) Check MAC k (ID C,T S,W) K C =r C x W sk = H 3 (ID C,T C,T S,M,W,K C ) M = r c x P M’ = r C x D C k = H 2 (ID c,T C,M,M’) Check ID C Check T C h C = H 1 (ID C ) M’ =(1/q s +h C )M k = H 2 (ID C,T C,M,M’) Check MAC K (ID C,T S,M) W = r S x P K S = r S x M sk = H 3 (ID C,T C,T S,M,W,K S ) master key forward secrecy perfect forward secrecy The adversary has to solve the CDHA satisfying

12 多媒體網路安全實驗室 No key-compromise impersonation  The compromise of one client’’s client’s static private key does not imply that the private keys of other client 12 ID C h Ci =H 1 (ID Ci ) D Ci =(1/x+h Ci )P ∈ G // private key P Ci =(h Ci + x)P =h Ci P + P S Client CServer S

13 多媒體網路安全實驗室 No unknown key-share  If the adversary convinces a group of entities that they share some session key with the adversary  the adversary is required to learn the private  key of some entity 13

14 多媒體網路安全實驗室 No key control 14 Client CServer S M 1 =(ID C,T C,M,MAC K (ID C,T S,M) M 2 =(ID C,T S,W,MAC K (ID C,T S,W) Check MAC k (ID C,T S,W) K C =r C x W sk = H 3 (ID C,T C,T S,M,W,K C ) M = r c x P M’ = r C x D C k = H 2 (ID c,T C,M,M’) Check ID C Check T C h C = H 1 (ID C ) M’ =(1/q s +h C )M k = H 2 (ID C,T C,M,M’) Check MAC K (ID C,T S,M) W = r S x P K S = r S x M sk = H 3 (ID C,T C,T S,M,W,K S )

15 多媒體網路安全實驗室 Functionality comparison  TG mul : time of executing a scalar multiplication operation of point  TG mtph : time of executing a map-to-point hash function  TG grp : time of generating a random point on the elliptic curve  TG inv : time of executing a modular inversion operation.  TG add : time of executing an addition operation of points  TG h : time of executing a one-way hash function  TG mac :time of executing a message authentication code 15

16 多媒體網路安全實驗室 Yang et al.’s schemeYoon et al.’s schemeOur protocol Computational cost (client) 4TG mul + TG mtph + TG grp + 2TG add + 3TG h 3TG mul + 2TG h + 2GT mac Execution time (client)63.77 ms 36.25 ms Computational cost (server) 4TG mul + TG mtph + TG grp + 2TG add + 3TG h 3TG mul + 3TG h + 2GT mac + TG inv Execution time (server)4.39 ms 2.63 ms Perfect forward secrecy No Yes Known attacksImpersonation attackUnknownProvably secure 16

17 多媒體網路安全實驗室 Conclusion  The proposed protocol offers key agreement and mutual authentication  We demonstrate the comparisons among our protocol  The proposed protocol is well suited for mobile client server environment 17

18 多媒體網路安全實驗室

19 Security model 19  : non-negligible advantage  t : steps and making at most  q se : Send oracle  q h : Hash oracle  q en : Encrypt oracle  q ex : Execute oracle queries

20 多媒體網路安全實驗室 Security model  B then selects two random numbers r1&r2  r 1 &r 2 Z n  T 1 =r 1 *G  T 2 =r 2 *G  PK s =C 2 20

21 多媒體網路安全實驗室 Security model  Send(,M)  Execute(, )  Hash(M)  Encrypt(M1,M2, K)  Decrypt(C, K) 21

22 多媒體網路安全實驗室 Security model 22

23 多媒體網路安全實驗室 Security model  Send(,M), where M = “start” 23 K 1 = r 1 x PK s M 1 = E k 1 (U c ||N once1 ) msg-out = (T 1 ||M 1 ) internal-stat = (,r 1, N once1,msg-out ) SK( ) = FALSE Return(msg-out)

24 多媒體網路安全實驗室 Security model  Send(,M), where M ≠ “start” 24 K 1 = {0,1} l 2 (U c ||N once1 )<- D k 1 (M 1 ) K 2 = r 2 x PK c K 3 = α ∈ Z n msg-out = (T 2 ||M 2 ) internal-stat = (,r2, N once2,msg-out ) SK( ) = H(k 3 ||N once1 ||N once2 ) M 2 = E k 2 (H(k 3 ||N once1 ), N once2 ) else->msg-out = ⊥

25 多媒體網路安全實驗室 Security model  Send(,M), where M ≠ “start” 25 internal-stat i u = ( U s,r 1, N once1,msg-out 1 ) msg-out = (T 2 ||M 2 ) K 2 = {0,1} l 2 ( δ ||N once2 )<- D k 2 (M 2 ) if( δ==H(K 3 ||N once1 ) ) then {SK( ) = H(k 3 ||N once1 ||N once2 ); return ⊥ ;} else {return ⊥ ;}

26 多媒體網路安全實驗室 Security model  Execute(, ) 26 A Execute queries

27 多媒體網路安全實驗室 Security model  Hash(M) 27 A Hash queries 1. Previous result 2. Return r ->A Check M H-table B 2.1 record(M,r)

28 多媒體網路安全實驗室 Security model  Encrypt(M1,M2, K) 28 A Encrypt queries 1. Return C 2. Return C(M 1 +M 2 ) and record E-table Check record(M 1,M 2,K,C) E-table B 2.1 record(M 1,M 2,K,C)

29 多媒體網路安全實驗室 Security model  Decrypt(C, K) 29 A Decrypt queries 1. Return M 1,M 2 2. Return r 1,r 2 ->A record E-table Check record(M 1,M 2,K,C) E-table B 2.1 record(M 1,M 2,K,C) //r 1,r 2 Hash(), N once2

30 多媒體網路安全實驗室 Security proof of SEIKA(1/2)  We divide the advantage of B into two simulations 30

31 多媒體網路安全實驗室 Security proof of SEIKA(1/2)  α ->PKc ||PKs ->B wins the probability of  encrypted key is broken, B ->  encryption scheme is broken, B -> 31 A Execute queries B Find α

32 多媒體網路安全實驗室 Security proof of SEIKA(2/2) 32 M2M2 derive α  Send 1 has been queried,B->  Depending, B ->,B->  Depending, B ->

33 多媒體網路安全實驗室 Security proof of SEIKA’ 33 M3M3 probability forged H(K 3 ||N once2 ) ≠ H(K 3 ||N once2 )

Download ppt "多媒體網路安全實驗室 An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security Date:2012/02/16."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.

Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.
多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.

多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.
多媒體網路安全實驗室 Improved Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks Date : 2012.10.24 Reporter : Hong Ji Wei Authors.

多媒體網路安全實驗室 Improved Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks Date : Reporter : Hong Ji Wei Authors.
多媒體網路安全實驗室 Source:International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH- MSP),2010 Sixth. Authors:Hsiang-Cheh.

多媒體網路安全實驗室 Source:International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH- MSP),2010 Sixth. Authors:Hsiang-Cheh.
多媒體網路安全實驗室 Towards Secure and Effective Utilization over Encrypted Cloud Data 報告人 : 葉瑞群 日期 :2012/05/09 出處 :IEEE Transactions on Knowledge and Data Engineering.

多媒體網路安全實驗室 Towards Secure and Effective Utilization over Encrypted Cloud Data 報告人 : 葉瑞群 日期 :2012/05/09 出處 :IEEE Transactions on Knowledge and Data Engineering.
A PASS Scheme in Clouding Computing - Protecting Data Privacy by Authentication and Secret Sharing Jyh-haw Yeh Dept. of Computer Science Boise State University.

A PASS Scheme in Clouding Computing - Protecting Data Privacy by Authentication and Secret Sharing Jyh-haw Yeh Dept. of Computer Science Boise State University.
Cross-Realm Password-Based Server Aided Key Exchange Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0) Author: Kazuki Yoneyama Presenter: Li-Tzu Chang.

Cross-Realm Password-Based Server Aided Key Exchange Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0) Author: Kazuki Yoneyama Presenter: Li-Tzu Chang.
A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :11.23 1.

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.
1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.

1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.
An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp. 723-728,

An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp ,
A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.

A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
多媒體網路安全實驗室 A Strong User Authentication Framework for Cloud Computing Date : 2012.08.10 Reporter : Hong Ji Wei Authors : Amlan Jyoti Choudhury, Mangal.

多媒體網路安全實驗室 A Strong User Authentication Framework for Cloud Computing Date : Reporter : Hong Ji Wei Authors : Amlan Jyoti Choudhury, Mangal.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Similar presentations

Ads by Google