1. Threshold password authentication against guessing attacks in Ad hoc networks ► Chai, Zhenchuan; Cao, Zhenfu; Lu, Rongxing ► Ad Hoc Networks Volume: 5, Issue: 7, September, 2007, pp. 1046-1054 97/09/24H.-H. Ou

2. Introduction  Password Authentication  Password or Verification Table  Secret Share  Smart Card  Threshold Password Authentication Scheme  (t, n) threshold password authentication 2008/9/242H.-H. Ou

3. Requirements  The password or verification tables are not stored inside the server nodes.  The password can be chosen and changed freely by the owner.  The password cannot be revealed by the administrator of the server.  The length of a password must be appropriate for memorization.  The scheme can achieve mutual authentication  The system secret cannot be leaked even if some of the server nodes are compromised.  The availability of the system should not be affected even if some of the server nodes are unavailable.  No one can impersonate a legal user to login the server.  The scheme must resist the replay attack, modification attack and stolen- verifier.  The password cannot be broken by guessing attacks even if the mobile device is lost. 2008/9/243H.-H. Ou

4. Basic concepts of the proposed  Hard problem assumptions  Hardness of inverting an one-way hash function  Hardness of discrete logarithm program  Hardness of computational Diffie-Hellman problem  Shamir’s secret sharing scheme  (t,n) secret sharing scheme  Select a large prime p(>x), and a random polynomial f(.) over Z p of degree t-1, satisfying f(0) = x.  Give x i = f(i) to S i, I = 1,…,n  When t servers cooperate, x = f(0) =, where is the Lagrange coefficients. 2008/9/244H.-H. Ou

5. Notations  2008/9/245H.-H. Ou

6. The proposed(1/3)  Set up process  Select a random polynomial f(.) over Z q of degree t-1, satisfying f(0)=x.  Compute f(i)=x i, then send x i to S i through a secure channel  Discard x  Registration phase 2008/9/246H.-H. Ou Communication server

7. The proposed(2/3)  Login & authentication phase 2008/9/247H.-H. Ou Communication server = h(ID) x = h(ID) rxi

8. The proposed(3/3)  Changing password  User can changed freely without registration again. (?)  Smart confirm the validity of PW by interacting with ζ  Replace β with β-h(PW)+h(PW*) mod p 2008/9/248H.-H. Ou

9. Discussion  No password or verification table  Users could choose their own passwords, and can change their passwords without registration again.  Allows user to choose a short and memorable password, without worrying about subjecting to guessing attacks.  Administrator of server cannot know the password of the user.  Achieves mutual authentication  Even if an intruder break into up to t-1 server nodes, he cannot obtain any information about the system key x.  Even if n-t sever nodes are unavailable, the last t nodes can still provide service to user nodes. 2008/9/249H.-H. Ou

10. Performance  Liao-Lee-Hwang’s scheme  Designed for single client/server applications  Comparison with ten existing smart card based schemes and only the proposed can against offline guessing attacks. 2008/9/2410H.-H. Ou Liao-Lee-Hwang’s scheme ?

11. comments  How to suitable the condition of Ad hoc networks?  The changing password process is must to contact with the ζ 2008/9/2411H.-H. Ou