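Tung Nan Institute of Technology, Second Semester of Academic Year 92, Department of Computer Science and Information Engineering, First Paper Presentation Session. Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme. Speaker: Maw-Jinn Tsaur. 2004.05.12.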


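1. Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme
Tung Nan Institute of Technology, Second Semester of Academic Year 92, Department of Computer Science and Information Engineering, First Paper Presentation Session
Speaker: Maw-Jinn Tsaur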

2. Outline
– Introduction
– Review of Yeh-Shen-Hwang’s (YSH) Scheme
– Stolen-Verifier Attack on YSH Scheme
– Problems with Re-registration of YSH Scheme
– Conclusions

3. Introduction (1/2)
Traditional static password (wiretapping attack)
One-time password
– Public key based
– Hash function based: S/KEY, SAS, OSPA…

4. Introduction (2/2)
Yeh-Shen-Hwang’s Scheme (2002)
– An improved version of S/KEY using smart cards
– Can defeat Preplay Attack, Denial-of-Service Attack and Server Spoofing Attack
– A session key is established during the authentication phase
– Weakness: stolen-verifier attack
– Drawback: problems with re-registration

5. Notations
Notation: Description
SEED: The preshared secret between a user and a server
K: A secret derived from a user’s password
N: The permitted number of login times
T: The number of times a user has successfully logged in to the server
H(): A cryptographic hash function
D: A random number generated by a server
⊕: Bitwise XOR operation

6. YSH Scheme: Registration Phase
user → server: Registration request
server → user: Issues a smart card containing SEED (secure channel)
server → user: N, SEED ⊕ D_0, H(D_0)
user: Uses SEED to verify. If it succeeds, then computes the initial verifier P_0 = H^N(K ⊕ SEED)
user → server: P_0 ⊕ D_0
server: Extracts P_0 from the received data. Stores id, P_0

7. YSH Scheme: Login Phase
user → server: Login request
server → user: C (= N − t), SEED ⊕ D_t, H(D_t) ⊕ P_{t−1}
user: Uses SEED to verify and computes P_t (= H^C(SEED ⊕ K))
user → server: P_t ⊕ D_t
server: Verifies H(P_t) = P_{t−1}
– false: Authentication fails
– true: Authentication succeeds

8. Stolen-Verifier Attack (1/2)
Suppose that an adversary E has stolen a previously used P_i after the user’s t-th login, where 1 ≤ i ≤ t.
Before the user’s (t+1)-th login, E can use P_i to extract D_i and SEED.
Then, E can guess a password pw' and derive its corresponding K'.
Next, E can compute P_i' = H^C(K' ⊕ SEED).

9. Stolen-Verifier Attack (2/2)
If the computed P_i' equals the stolen P_i, E has obtained K (= K').
– This implies E has correctly guessed the user’s password.
Knowing SEED and K, E can impersonate the user to log in to the server, or impersonate the server to cheat the user.
Knowing SEED, E can obtain the session key D_i and decrypt all the messages encrypted with D_i.
– The scheme does not provide perfect forward secrecy.
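
The extraction and checking steps of slides 8 and 9, written out as an added derivation (not part of the original slides). It assumes E has also recorded the two masked values exchanged in the i-th login, SEED ⊕ D_i and P_i ⊕ D_i, and uses C = N − i as on slide 7:

    D_i  = (P_i ⊕ D_i) ⊕ P_i
    SEED = (SEED ⊕ D_i) ⊕ D_i
    P_i' = H^C(K' ⊕ SEED), with C = N − i
    P_i' = P_i  ⇒  K' = K

Every quantity on the right-hand side is either the stolen verifier, a recorded message, or E's own guess, so the guess can be checked without contacting the server.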

10. Problems with Re-registration (1/6)
Suppose SEED and K are left unchanged.
Re-registration phase: SEED = SEED', K = K', P_t = P_t' (1 ≤ t ≤ N)

11. Problems with Re-registration (2/6)
Suppose SEED and K are left unchanged. (cont.)
Login phase (adversary, server)
adversary → server: Login request
server → adversary: C (= N − t), SEED ⊕ D_t, H(D_t) ⊕ P_{t−1}
adversary computes:
    D_t ⊕ D_t' = (SEED ⊕ D_t) ⊕ (SEED' ⊕ D_t')
    P_t' ⊕ D_t = (D_t ⊕ D_t') ⊕ (P_t' ⊕ D_t')
adversary → server: P_t' ⊕ D_t
server: Authentication succeeds

12. Problems with Re-registration (3/6)
Suppose SEED and K are left unchanged. (cont.)
– Since the received P_t' ⊕ D_t equals the expected one, the server will be fooled into believing that the adversary is the authentic user.
The YSH scheme fails to achieve key agreement and authentication as expected.
Although the session key D_t is unknown to the adversary, this reveals a potential weakness that may be used to carry out other subtle attacks on the systems that apply the scheme.
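
A small model of the login check from slides 7 and 10 to 12, as an added example that is not part of the original slides. It assumes SHA-256 for H(), 32-byte values, K taken as a hash of a constructed password, and hypothetical function names. The contrast with a fresh SEED is this example's own addition, since the slides only analyze cases where SEED is unchanged.

```python
import hashlib, secrets

N = 10  # permitted number of logins (constructed value)

def H(b):
    return hashlib.sha256(b).digest()  # SHA-256 stands in for H() (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def chain(x, n):
    for _ in range(n):  # H^n(x): apply H n times
        x = H(x)
    return x

def login_run(seed, k, t):
    """Honest t-th login: server state plus the two messages sent on the wire."""
    d = secrets.token_bytes(32)                    # server's fresh random D_t
    p_prev = chain(xor(k, seed), N - t + 1)        # stored verifier P_{t-1}
    challenge = (N - t, xor(seed, d), xor(H(d), p_prev))
    response = xor(chain(xor(seed, k), N - t), d)  # user's P_t xor D_t
    return d, p_prev, challenge, response

def server_accepts(response, d, p_prev):
    """Server unmasks P_t with its own D_t and checks H(P_t) = P_{t-1}."""
    return H(xor(response, d)) == p_prev

def replayed_response(old_challenge, old_response, new_challenge):
    """Slide 11 algebra, computed only from values seen on the wire."""
    d_xor = xor(new_challenge[1], old_challenge[1])  # D_t xor D_t' if SEED = SEED'
    return xor(d_xor, old_response)                  # P_t' xor D_t

def demo(t=3):
    seed = secrets.token_bytes(32)
    k = H(b"constructed-password")  # K derived from the password (assumed derivation)
    d0, pp0, old_ch, old_resp = login_run(seed, k, t)   # recorded before re-registration
    honest = server_accepts(old_resp, d0, pp0)
    d, p_prev, new_ch, _ = login_run(seed, k, t)        # after: same SEED and K
    unchanged = server_accepts(replayed_response(old_ch, old_resp, new_ch), d, p_prev)
    d2, pp2, ch2, _ = login_run(secrets.token_bytes(32), k, t)  # after: fresh SEED
    fresh = server_accepts(replayed_response(old_ch, old_resp, ch2), d2, pp2)
    return honest, unchanged, fresh

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the server's decision for the honest login, for the derived response when SEED and K are unchanged, and for the same derivation when SEED is fresh.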

13. Problems with Re-registration (4/6)
Suppose SEED is left unchanged, but K is changed.
Re-registration phase (user, adversary, server)
user → server: Registration request
server → user: Issues a smart card containing SEED (secure channel)
server sends: N, SEED ⊕ D_r, H(D_r)
adversary computes:
    D_r ⊕ D_r' = (SEED ⊕ D_r) ⊕ (SEED' ⊕ D_r')
    P_0' ⊕ D_r = (D_r ⊕ D_r') ⊕ (P_0' ⊕ D_r')
adversary → server: P_0' ⊕ D_r
server: P_0' is regarded as P_0

14. Problems with Re-registration (5/6)
Suppose SEED is left unchanged, but K is changed. (cont.)
Login phase (adversary, server)
adversary → server: Login request
server → adversary: C (= N − t), SEED ⊕ D_l, H(D_l) ⊕ P_{t−1}
adversary computes:
    D_l ⊕ D_l' = (SEED ⊕ D_l) ⊕ (SEED' ⊕ D_l')
    P_t' ⊕ D_l = (D_l ⊕ D_l') ⊕ (P_t' ⊕ D_l')
adversary → server: P_t' ⊕ D_l
server: Authentication succeeds

15. Problems with Re-registration (6/6)
Suppose SEED is left unchanged, but K is changed. (cont.)
– Since the received P_t' ⊕ D_l equals the expected one, the server will be fooled into believing that the adversary is the authentic user.
The YSH scheme fails to achieve key agreement and authentication as expected.
Although the session key D_l is unknown to the adversary, this reveals a potential weakness that may be used to carry out other subtle attacks on the systems that apply the scheme.

16. Conclusion
In general, the server stores a verifier of the user’s password rather than the bare password, to resist the password-file compromise attack.
– However, even though a compromised verifier will not reveal the password directly, it may be used to derive the corresponding password indirectly or cause other subtle security problems.
We have shown the weakness and drawbacks of an improved version of S/KEY, the YSH scheme.
– To put the Yeh-Shen-Hwang scheme into practice, these problems should be solved.

