1. 1 Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards 使用在 smart cards 的強韌及高效率密碼驗證金鑰協定 IEEE Transactions on Industrial Electronics, VOL.55, NO.6,June 2008 Author: Wen-Shenq Juang, Sian-Teng Chen, and Horng-Twu Liaw Adviser ： 鄭錦楸 教授 Reporter ：林彥宏

2. 2 Outline Introduction Proposed Scheme the parameter generation phase the registration phase the precomputation phase the log-in phase the password-changing phase Security Analysis Cost and Functionality Consideration Conclusions

3. 3 Introduction robust remote authentication scheme with smart cards Advantages: low computation for smart cards no password table passwords chosen by the users themselves withstanding the replay attack server authentication withstanding the dictionary attack revoking the lost cards without changing the users’ identities

4. 4 Introduction Drawbacks: no ability of anonymity higher computation and communication cost no session key agreement cannot prevent the insider attack

5. 5 Proposed Scheme base on elliptic curve cryptosystems consists of five phases: the parameter generation phase the registration phase the precomputation phase the log-in phase the password-changing phase

6. 6 Proposed Scheme the parameter generation phase: server select a large prime, and server finds a point, server selects a random number as its private key server computers the public key publishes parameters

7. 7 Proposed Scheme the registration phase: User iServer tag

8. 8 Proposed Scheme the precomputation phase : User iServer

9. 9 Proposed Scheme the log-in phase : User iServer Password authentication tag registrationregistration table

10. 10 Proposed Scheme the password-changing phase: User i Log in Server

11. 11 Security Analysis Mutual Authentication Preventing the Replay Attack Preventing the Insider Attack Preventing the Offline Dictionary Attack Without the Smart Card Preventing the Offline Dictionary Attack With the Smart Card

12. 12 Security Analysis Mutual Authentication A:user, B:server A can compute the session key and will believe then use to authentication that A believes B believes B can compute the session key and will believe then use to authentication that B believes A believes AB AB AB AB AB

13. 13 Security Analysis Preventing the Replay Attack attacker tries to imitate the user to log in to the server by resending the messages use nonces to prevent this kind of attack smart card chooses nonces and computers ; the second nonce is selected by the server

14. 14 Security Analysis Preventing the Insider Attack the user’s password is obtained by the server in the registration phase registration phase will generate a random number ;then Preventing the Offline Dictionary Attack Without the Smart Card attacker can get the tapped messages and attempts to guess the user’s password from the tapped messages if the attacker intercepts the message

15. 15 Security Analysis Preventing the Offline Dictionary Attack With the Smart Card called the smart-card-lost problem only the server can use the secret key to decrypt and obtain

16. 16 Cost and Functionality Consideration Low Communication and Computation Cost No Password Table Choosing and Changing of Passwords by Users No Time-Synchronization Problem Identity Protection Revoking the Lost Cards Without Changing the User’s Identity Session Key Agreement

17. 17 Cost and Functionality Consideration Low Communication and Computation Cost shorter key-size and faster computation suitable for small-memory device Time of crack (ns)RSA bit-lengthECC bit-lengthRSA/ECC 512 768 1024 2048 2100 106 132 160 210 600 5 ： 1 6 ： 1 7 ： 1 10 ： 1 35 ： 1

18. 18 Cost and Functionality Consideration C1: the password length C2: memory for storing the cryptographic parameters in a smart card C3: communication cost of Login for cryptographic parameters

19. 19 Cost and Functionality Consideration No Password Table server only needs to keep a registration table to store each card’s identifier card sent to server Choosing and Changing of Passwords by Users provide a password-changing phase for users No Time-Synchronization Problem in the log-in phase, they use two nonces to prevent the replay attack

20. 20 Cost and Functionality Consideration Identity Protection user’s identity in their scheme is included in Revoking the Lost Cards Without Changing the User’s Identity if the user loses his smart card, server will set and issue a new smart card to the user Session Key Agreement the user and the server both can agree on a session key after the log-in phase.

21. 21 Cost and Functionality Consideration E1: computation cost of registration E2: computation cost of the precomputation phase for the client E3: computation cost of login for the client E4: computation cost of login for the server

22. 22 Cost and Functionality Consideration C1: low communication and computation cost C2: no password table C3: users can choose the password by themselves C4: no Time-Synchronization ProblemC5: mutual authentication C6: revoking a lost card without changing the user’s identity C7: identity protectionC8: session key agreement C9: preventing the offline dictionary attack with the secret information stored in the smart card

23. 23 Conclusions they have proposed an efficient and robust user authentication and key agreement scheme provide identity protection, session key agreement and low communication and computation cost very useful in limited computation and communication resource environments