Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen.

Published byAllyson Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen."— Presentation transcript:

1 1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen Chang 2 1 Dept. of Information Engineering and Computer Science, Feng Chia University 2 Dept. of Computer Science and Information Engineering, National Chung Cheng University

2 2 Outline 1. Introduction 2. Password Authentication Without the Server Public Key 3. Password Authenticated Key Exchange for Imbalanced Wireless Network 4. Digital Signature without One-way Hash Function 5. Anonymous Auction Protocols 6. Conclusions

3 3 1. Introduction (1/4) Authentication Establishing the validity of a transmission, message, or originator Verifying an individual's authorization to receive specific categories of information

4 4 1. Introduction (2/4) Authentication Schemes Something you know  password, PIN, the public key, … Something you have  IC card (smartcard or memory card), … Something you are  fingerprint, hand geometry, voiceprint, retinal, …

5 5 1. Introduction (3/4) Authentication Schemes Without the public key  Password, pin, IC card, fingerprint, hand geometry, voiceprint, etc. Without the verification table  IC card and the public key With special devices  fingerprint, hand geometry, voiceprint, retinal, …

6 6 1. Introduction (4/4) Digital Signature Origin authentication Data integrity Signer nonrepudiation

7 7 2. Password Authentication Without the Server Public Key (1/7) 2002, Hwang and Yeh’s Protected Password Transmission and Change Schemes Using the public key systems Suffering from the denial-of-service attack

8 8 2. Password Authentication Without the Server Public Key (2/7) NotationsDescription PWthe password shared between the user U and the server S PKSthe server S ’ s public key IDThe user U ’ s identity H(  ) cryptographic hash function flow[i]the information transmitted in the i-th round r1/r2random nonce generated by U/S  XOR operation E pk (m)an asymmetric cryptology encrypting m with the public key pk E1 pw (m)a symmetric cryptology encrypting m with a password pw E2 k (m)a symmetric cryptology encrypting m with a secret key k gA primitive element in GF(p), where p is a large prime

9 9 2.1 Hwang and Yeh’s Protected Password Transmission Scheme (3/7) US ID, E PKS (r1, PW) r1  r2, H(r2) ID, H(r1, r2) Access granted or denied Store H(PW)

10 10 2.2 Hwang and Yeh’s Protected Password Change Scheme (4/7) U S ID, E PKS (r1, PW) r1  r2, H(r2) ID, H(r1, r2), R Access granted or denied Choose PW R = H(PW)  H(r1+1, r2) H(PW) = R  H(r1+1, r2) Update H(PW) Store H(PW)

11 11 2.3 Our Protected Password Transmission Scheme (5/7) U S ID, E1 PW (g r1 mod p) Access granted or denied Store PW E1 PW (g r2 mod p), E2 SK (H(flow[1])) SK = (g r1 ) r2 mod p ID, E2 SK (H(flow[2])) SK = (g r2 ) r1 mod p

12 12 2.4 Our Protected Password Change Scheme (6/7) U S ID, E1 PW (g r1 mod p) Access granted or denied Store PW E1 PW (g r2 mod p), E2 SK (H(flow[1])) SK = (g r1 ) r2 mod p ID, E2 SK (H(flow[2])), R SK = (g r2 ) r1 mod p Choose PW the current time: T R = E2 SK (PW, T) Decrypt R with SK Update PW

13 13 2.5 Efficiency Comparison (7/7) computation operation HY U HY S Ours U Ours S modulo exponential 0(5)0(3)22 public key en/decryption 1/00/10/0 symmetric en/decryption 0/0 4/5 hash2/42/322

14 14 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (1/5) 2002, Zhu et al.’s password authenticated key exchange scheme Based on RSA For imbalanced wireless network Suffering from the undetectable on-line password guessing attack 2003, Yeh et al.’s scheme Using the simple interactive protocol to authenticate the public key pair May Suffer from the off-line password guessing attack

15 15 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (2/5) NotationsDescription PWthe password shared between the user U and the server S (n, e)the server S ’ s public key generated by a public key generator dS ’ s private key Hi()Hi() distinct cryptographic hash functions for i = 1, 2, …, 5 ID S /ID U the identity of S/U E k (m)a symmetric cryptology encrypting m with the secret key k D k (m)a symmetric cryptology decrypting m with the secret key k p, qtwo secret large primes only known by S Nthe public system parameter, where N=p*q

16 16 S U n, e, r S r S  R {0, 1} l {m i  R Z n } 1  i  j {m i e mod n} 1  i  j {H 1 (m i )} 1  i  j H 1 (m i )?= H 1 (m i ),1  i  j s U  R Z n  = E pw (ID S,ID U, r S, s U ) z =  e mod n z E  (ID U ) c U =H 3 (s U )  =H 4 (r S, c U, ID S, ID U ) D  (E  (ID U ))?=ID U H 6 (  ) H 6 (  ) ?= H 6 (  ) (ID S,ID U, r S, s U ) =D pw (z d mod n) c U = H 3 (s U )  = H 4 (r S, c U, ID S, ID U ) 3.1 Yeh et al. ’ s Scheme (3/5)

17 17 3.2 Our Scheme (4/5) S U E pw (r S ) r S  R {0, 1} l r S = D pw (E pw (r S )) s U  R Z N  = H 5 (r S, s U, ID S, ID U )  = H 2 (r S, s U,  ) z = s U 2 mod N z,   = H 5 (r S, s U, ID S, ID U )  ?= H 2 (r S, s U,  ) H 6 (  ) ?=H 6 (  ) H 6 (  )

18 18 3.3 Efficiency Comparison (5/5) computation operation Yeh et al.’s U Yeh et al.’s S Ours U Ours S modulo exponential j+1 20 symmetric En(de)cryption 2211 hashj+3 39/5/3

19 19 4. Digital Signature without One-way Hash Function and Message Redundant Schemes (1/9) 2000, Zhu et al.’s digital multisignature scheme W ithout One-way Hash Function W ithout Message Redundant Schemes Suffering from the forgery attack

20 20 4.1 Notation (2/9) NotationsDescription gA primitive element in GF(p), where p is a large prime Uthe user Vthe verifier xU ’ s private key, where gcd(x, (p-1)) = 1 yU ’ s public key, where y = g x mod p k the random number chosen by U, where k  Z p Mthe signed message

21 21 4.2 Shieh et al. ’ s Scheme (3/9) The Signature-generation Phase U executes the followings to sign M. Step 1: Computes s = y M mod p. Step 2: Computes r = M*g -k mod p. Step 3: Computes t, where s + t  x -1 *(k-r) (mod (p-1)). Step 4: Sends the signature (s, r, t) of M to the verifier V.

22 22 4.2 Shieh et al. ’ s Scheme (4/9) The Verification Phase V executes the followings to verify the signature. Step 1: Computes M  y s+t *r*g r  g x*(s+t) *M*g -k *g r  g k-r *M*g -k+r (mod p). Step 2: Checks if s = y M mod p.

23 23 4.3 The Forgery Attack on Shieh et al. ’ s Scheme (5/9) Eve executes the followings to get a valid signature. Step 1: Chooses w  Z p randomly. Step 2: Chooses r  Z p randomly. Step 3: Computes g k mod p = y w *g r mod p without knowing k. Step 4: Computes M = r*g k mod p. Step 5: Computes s = y M mod p. Step 6: Computes t = w - s mod (p-1). Step 7: Sends the signature (s, r, t) of M to the verifier V.

24 24 4.4 Our Scheme (6/9) The Signature-generation Phase U executes the followings to sign M. Step 1: Computes s = y M mod p. Step 2: Computes r = M*s*g -k mod p. Step 3: Computes t, where s + t  x -1 *(k-r) (mod (p-1)). Step 4: Sends the signature (s, r, t) of M to the verifier V.

25 25 4.4 Our Scheme (7/9) The Verification Phase V executes the followings to verify the signature. Step 1: Computes M  y s+t *r*g r *s -1  g x*(s+t) *M* s*g -k *g r *s -1  g k-r *M*g -k+r (mod p). Step 2: Checks if s = y M mod p.

26 26 4.5 The Forgery Attack 1 on Our Scheme (8/9) After getting the signature (s, r, t) of M, Eve executes the followings to get a valid signature. Step 1: Chooses   Z p-1 * randomly. Step 2: Computes m = M*y  mod p. Step 3: Computes s = y m mod p. Step 4: Sets r = r. Step 5: Sets t = s + t – M +  - s + m mod (p-1). Step 6: Sends the signature (s, r, t) of m to the verifier V.

27 27 4.5 The Forgery Attack 2 on Our Scheme (9/9) After getting the signature (s, r, t) of M, Eve executes the followings to get a valid signature. Step 1: Chooses   Z p-1 * randomly. Step 2: Sets r =  *r mod p. Step 3: Computes  such that r +   r mod (p-1). Step 4: Computes m = M*  *g  mod p. Step 5: Sets s= y m mod p. Step 6: Sets t = s + t – M - s + m mod (p-1). Step 6: Sends the signature (s, r, t) of m to the verifier V.

28 28 5. Anonymous Auction Protocols (1/11) Auction English auction Dutch auction Sealed-bid auction Participants Auctioneer Bidder

29 29 5. Anonymous Auction Protocols (2/11) Sealed-bid auction → (1999, Kikuchi et al.) the privacy of the bids → the anonymity of the bidding prices → the anonymity of the bidders

30 30 5.1 Notation (3/11) NotationsDescription gA primitive element in GF(p), where p is a large prime UiUi the bidder for i = 1, 2, …, m Pthe auctioneer U i ’ s public/private key certified by CA P ’ s public/private key certified by CA H(  ) A collision-resistant hash function a i /b the random number  Z p chosen by U i /P ID i U i ’ s identity E(  ) an asymmetric cryptology Tthe timestamp

31 31 5.2 Initiation (4/11) Concept: to have U i and P shared one secret Step 1: U i computes Then U i sends X i and Q i to P.

32 32 5.2 Initiation (5/11) Step 2: P computes Then P broadcasts Y and W. Step 3: P computes

33 33 5.2 Initiation (6/11) Step 4: U i checks if If it holds, U i computes → P and U i shares k i.

34 34 5.3 Initial Authentication (7/11) Step 1: U i randomly chooses M and computes  = H(M, T, k i ). Then U i sends (M, T,  ) to P. Step 2: P computes  = H(M, T, k i ) for i = 1, 2,.., m. If any  = , P computes = H(M+1, k i ) and broadcasts ( , ).

35 35 5.4 Anonymous English Auction (8/11) Step 1: U i signs his own bid B and computes Then U i casts (B, T, D, C).

36 36 5.4 Anonymous English Auction (9/11) Step 2: P sets a timer and computes C i = H(B, T, k i ) for i = 1, 2, …, m and If any C i = C, B is valid. Otherwise, B is invalid. If the countdown of the timer equals zero, and no bidder casts the bid. P closes the acution.

37 37 5.5 Anonymous Sealed-bid Auction (10/11) Step 1: U i signs his own bid B and computes Then U i submits (F, D, C) to P.

38 38 5.5 Anonymous Sealed-bid Auction (11/11) Step 2: P computes Step 3: P sets a timer and computes C i = H(B, T, k i ) for i = 1, 2, …, m. If any C i = C, B is valid. Otherwise, B is invalid. After receiving all bids, P resolves the winner anonymously.

39 39 6. Conclusions We have proposed different authentication schemes for different requirements. As to digital signature, the hash function and the message redundant scheme are essential to design a secure digital signature scheme. The concept of authentication and digital signature schemes should be employed to ensure the security of variety of applications via networks.

40 40 Thanks all

Download ppt "1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen."

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :11.23 1.

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :
Computer and Information Security 期末報告 學號 92321501 姓名 莊玉麟.

Computer and Information Security 期末報告 學號 姓名 莊玉麟.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.

1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
電子商務與數位生活研討會 1 Further Security Enhancement for Optimal Strong-Password Authentication Protocol Tzung-Her Chen, Gwoboa Horng, Wei-Bin Lee,Kuang-Long Lin.

電子商務與數位生活研討會 1 Further Security Enhancement for Optimal Strong-Password Authentication Protocol Tzung-Her Chen, Gwoboa Horng, Wei-Bin Lee,Kuang-Long Lin.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Efficient Multi-server Password Authenticated Key Agreement Using Smart Cards Computer and Information Security 92321509 Ming-Hong Shih.

Efficient Multi-server Password Authenticated Key Agreement Using Smart Cards Computer and Information Security Ming-Hong Shih.
1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.

1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.
An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp. 723-728,

An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp ,
Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Improvement of Hwang-Lo-Lin scheme based on an ID-based cryptosystem No author given (Korea information security Agency) Presented by J.Liu.

Similar presentations

Ads by Google