Date: 2011/09/28  Presenter: 向峻霈  Source: Ren-Chiun Wang, Wen-Shenq Juang


A lightweight key agreement protocol with user anonymity in ubiquitous computing environments
Date: 2011/09/28  Presenter: 向峻霈
Source: Ren-Chiun Wang, Wen-Shenq Juang, Chen-Chi Wu, Chin-Laung Lei, Multimedia and Ubiquitous Engineering, pp. 313-318, 2007

Outline
- Introduction
- Related work
- Proposed scheme
- Functionality comparison
- Conclusion

Introduction

When a user wants to get a permitted service from a server, two things are needed:
- Authentication
- Key agreement, for protecting the communications between the users and the servers (e.g. the Diffie-Hellman and RSA algorithms)

Introduction

The previous protocols are not suitable for ubiquitous computing environments: the client and the server have to consume much power to compute the exchanged messages and to hold a long private key.

Related work: review and analyze the security of the SIKA protocol.

Key generation phase (SIKA)

SCPC sets up the system parameters:
- N = p * q, and two integers e and d such that e * d = 1 mod phi(N), where phi(N) = (p - 1)(q - 1)
- a generator g of Z_N
- a one-way hash function H(m) on a message m
- a symmetric-key cryptosystem such as AES
Public parameters: e, N, g and the identities ID. Secret: d, p, q.
Each registered party with identity ID receives the secret token ID^d mod N; in addition each server holds its own RSA key pair (e_s, d_s) with modulus N_s and generator g_s, which it uses to sign its messages in the next phase.

Anonymous user identification and key agreement phase (SIKA)

Tokens: the server holds P_s = ID_s^d mod N and its own RSA key (e_s, d_s, N_s, g_s); the client holds P_i = ID_i^d mod N.

Client -> Server: service request

Server:
  picks a random k and computes Z = g^k * P_s^(-1) mod N
  v = H(Z, T, ID_s) * d_s,  W = g_s^v mod N_s   (T is a timestamp)
  sends M2 = (Z, T, W)

Client:
  u = H(Z, T, ID_s); checks W^(e_s) mod N_s = g_s^u mod N_s   (verifies the server's signature)
  a = Z^e * ID_s mod N   (= g^(ke) mod N, because P_s^e = ID_s mod N)
  picks a random t: K_ij = a^t mod N,  x = g^(et) mod N
  p = g^t * P_i^(H(x, T')) mod N,  y = E_{K_ij}(ID_i)
  sends M3 = (x, y, p, T')

Server:
  K_ij = x^k mod N;  D_{K_ij}(y) -> ID_i;  checks that ID_i exists in the ID table
  checks x * ID_i^(H(x, T')) mod N = p^e mod N
  accepts the login request
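The flow above, run end to end as an added example (this code is not from the paper or the slides). It uses tiny RSA moduli, a SHA-256 XOR stream in place of AES, fixed timestamps and made-up identities (1234, 777) so the run is deterministic; none of it is secure, it only checks that both verification equations (W^(e_s) = g_s^u and p^e = x * ID_i^H) close and that both sides derive the same K_ij.

```python
"""Toy end-to-end run of the SIKA identification and key agreement flow.

Constructed example: tiny RSA moduli, a SHA-256 XOR stream in place of AES, and fixed
timestamps so the run is deterministic. Not secure; it only checks that the
verification equations close.
"""
import hashlib


def H(*parts):
    # One-way hash of the length-delimited concatenation of its arguments, as an integer.
    data = b"".join(str(p).encode() + b"|" for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sym(key, msg):
    # Toy stand-in for AES (assumption of this example): XOR with a SHA-256 keystream
    # derived from the integer key. The same call encrypts and decrypts.
    ks = hashlib.sha256(str(key).encode()).digest()
    return bytes(a ^ b for a, b in zip(msg, ks))


def rsa_setup(p, q, e):
    # Returns (N, e, d) with e * d = 1 mod phi(N).
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def sika_run(k, t, T, T_prime, claimed_id=None):
    """Runs one SIKA session with server randomness k and client randomness t.

    claimed_id lets the client put a different identity into y than the one its
    token P_i was issued for; the server must then reject.
    """
    # SCPC parameters (toy primes) and made-up identities.
    N, e, d = rsa_setup(61, 53, 17)
    g = 5
    ID_s, ID_i = 1234, 777
    P_s = pow(ID_s, d, N)          # server's secret token
    P_i = pow(ID_i, d, N)          # client's secret token
    # The server's own RSA key pair, used to sign its first message.
    N_s, e_s, d_s = rsa_setup(67, 71, 13)
    g_s = 3

    # Server -> Client: M2 = (Z, T, W)
    Z = pow(g, k, N) * pow(P_s, -1, N) % N
    v = H(Z, T, ID_s) * d_s
    W = pow(g_s, v, N_s)

    # Client: verify the server's signature, then build M3 = (x, y, p, T')
    u = H(Z, T, ID_s)
    if pow(W, e_s, N_s) != pow(g_s, u, N_s):
        return {"accepted": False, "key_match": False, "recovered_id": None}
    a = pow(Z, e, N) * ID_s % N            # = g^(ke) mod N because P_s^e = ID_s
    K_client = pow(a, t, N)                # g^(ket)
    x = pow(g, e * t, N)
    proof = pow(g, t, N) * pow(P_i, H(x, T_prime), N) % N
    shown_id = ID_i if claimed_id is None else claimed_id
    y = sym(K_client, shown_id.to_bytes(4, "big"))

    # Server: recover ID_i, check it is registered, verify the proof, accept.
    K_server = pow(x, k, N)                # g^(etk)
    recovered = int.from_bytes(sym(K_server, y), "big")
    registered = recovered in (ID_i, ID_s)  # stands in for the server's ID table
    proof_ok = x * pow(recovered, H(x, T_prime), N) % N == pow(proof, e, N)
    return {
        "accepted": registered and proof_ok,
        "key_match": K_client == K_server,
        "recovered_id": recovered,
    }
```

Note that the client never sends ID_i in the clear: it travels only inside y under K_ij, which is what gives the scheme its anonymity, and the server-side proof check is what ties the encrypted identity to the token P_i.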

Security analysis of SIKA

The slide repeats the flow above and annotates the client's proof p = g^t * P_i^(H(x, T')) mod N with values computed by two registered clients C and D:
  Client D: b = ID_D^(H(x, T') * d) mod N   (i.e. P_D^(H(x, T')))
  Client C: a = ID_C^(H(x, T') * d) * b * g^t mod N
With m valid clients there are m(m - 1)/2 such pairs.

Proposed scheme
- Key generation phase
- Anonymous user identification and key agreement phase

Key generation phase (proposed scheme)

SCPC sets up the system parameters:
- a large prime number p
- an elliptic curve E_p: y^2 = x^3 + a*x + b over Z_p, with a, b in Z_p and 4a^3 + 27b^2 mod p != 0
- a generator point G of large order

Key generation phase (proposed scheme), continued

For each registered user (clients and servers), SCPC:
- selects a random number X_i in Z_p^* as that user's secret key and delivers it to the user
- computes the corresponding public key PK_i = X_i x G
SCPC publishes the public key table (identities and public keys); each server publishes its identity and public key.

  Identity   Public key
  ID_1       PK_1 = X_1 x G
  ID_2       PK_2 = X_2 x G
  ...
  ID_s       PK_s = X_s x G

Anonymous user identification and key agreement phase (proposed scheme)

Client:
  picks a random t1: T1 = t1 x G,  Key1 = t1 x PK_s
  M1 = E_{Key1}(ID_i, Nonce1)
  sends the service request (T1, M1)

Server:
  Key1 = X_s x T1;  D_{Key1}(M1) -> (ID_i, Nonce1);  checks that ID_i exists in the ID table
  picks a random t2: Key2 = t2 x PK_i,  Key3 = t2 x T1,  T2 = t2 x G
  M2 = E_{Key2}(H(Key3 || Nonce1), Nonce2)
  sends (T2, M2)

Client:
  Key2 = X_i x T2,  Key3 = t1 x T2
  D_{Key2}(M2) -> checks H(Key3 || Nonce1)
  sends H(Key3 || Nonce2)

Server:
  checks H(Key3 || Nonce2) and accepts the login request

Both sides: SK = H(Key3)
(Both sides obtain the same points: Key1 = t1 * X_s x G, Key2 = t2 * X_i x G, Key3 = t1 * t2 x G.)

Security analysis

The proposed scheme withstands:
- the server spoofing attack
- the known-key attack
- the replay attack
- the impersonation attack
- the denial of service attack
and provides:
- perfect forward secrecy
- anonymity

Security analysis (1/7 to 7/7)

Each of the seven slides repeats the protocol flow above and highlights the values relevant to one property:

1/7 The server spoofing attack: Key1 = X_s x T1 can only be computed with the server's secret X_s, so a spoofed server cannot decrypt M1 to obtain Nonce1 and cannot produce a valid H(Key3 || Nonce1).

2/7 The known-key attack: recovering t1 or t2 from T1, T2 or from a disclosed session key requires solving the elliptic curve discrete logarithm problem.

3/7 The replay attack: Nonce1, Nonce2 and the fresh t1, t2 tie every message to the current session.

4/7 The impersonation attack: (1) an attacker who forges a new ID_i in M1 (2) cannot decrypt M2, because Key2 = X_i x T2 needs the secret key X_i of that identity.

5/7 The denial of service attack: forging a message that the server accepts requires solving the elliptic curve discrete logarithm problem.

6/7 Perfect forward secrecy: Key3 = t1 x t2 x G depends only on the ephemeral t1, t2; obtaining it from T1 and T2 requires solving the elliptic curve discrete logarithm problem even if X_i and X_s are later disclosed.

7/7 Anonymity: ID_i is sent only inside M1, encrypted under Key1.
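The proposed protocol and the server-spoofing case from the security analysis, as an added example (this code is not from the paper or the slides). Assumptions of this example: a tiny textbook curve y^2 = x^3 + 2x + 2 over Z_17 with G = (5, 1) of prime order 19, made-up identities 1001 (client) and 2002 (server), fixed nonces, a SHA-256 XOR stream as the symmetric cipher E/D, and shared points hashed into key bytes (the slides write E_Key1(...) directly). The `spoof_X_s` switch lets a party that does not hold X_s answer the request, which the protocol rejects at the ID-table check.

```python
"""Toy run of the ECC-based anonymous identification / key agreement protocol.

Constructed example on a tiny textbook curve; not secure.
"""
import hashlib

# Curve y^2 = x^3 + 2x + 2 over Z_17 (4a^3 + 27b^2 = 140 = 4 mod 17, non-singular);
# G = (5, 1) has prime order 19. The point at infinity is represented by None.
P, A, B = 17, 2, 2
G, ORDER = (5, 1), 19


def ec_add(p1, p2):
    """Affine point addition on the curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                              # Q + (-Q) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Scalar multiplication k x pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def pbytes(pt):
    return f"{pt[0]},{pt[1]}".encode()


def sym(key_pt, data):
    """Toy cipher (assumption): XOR with a SHA-256 counter keystream keyed by the shared point."""
    key = hashlib.sha256(pbytes(key_pt)).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def tag(key3, nonce):
    """H(Key3 || Nonce)."""
    return hashlib.sha256(pbytes(key3) + nonce).digest()


def session_key(key3):
    """SK = H(Key3)."""
    return hashlib.sha256(pbytes(key3)).digest()


def client_request(t1, PK_s, ID_i, nonce1):
    T1, key1 = ec_mul(t1, G), ec_mul(t1, PK_s)              # T1 = t1 x G, Key1 = t1 x PK_s
    return T1, sym(key1, ID_i.to_bytes(4, "big") + nonce1)  # M1 = E_Key1(ID_i, Nonce1)


def server_respond(X_s, t2, T1, M1, pk_table, nonce2):
    key1 = ec_mul(X_s, T1)                                  # Key1 = X_s x T1
    plain = sym(key1, M1)
    ID_i, nonce1 = int.from_bytes(plain[:4], "big"), plain[4:]
    if ID_i not in pk_table:
        return None                                         # not in the ID table: reject
    key2, key3, T2 = ec_mul(t2, pk_table[ID_i]), ec_mul(t2, T1), ec_mul(t2, G)
    return T2, sym(key2, tag(key3, nonce1) + nonce2), key3  # M2 = E_Key2(H(Key3||N1), N2)


def client_finish(X_i, t1, T2, M2, nonce1):
    key2, key3 = ec_mul(X_i, T2), ec_mul(t1, T2)            # Key2 = X_i x T2, Key3 = t1 x T2
    plain = sym(key2, M2)
    if plain[:32] != tag(key3, nonce1):
        return None                                         # server did not prove Key3 / Nonce1
    return tag(key3, plain[32:]), session_key(key3)         # H(Key3 || Nonce2), SK


def server_finish(key3, nonce2, proof):
    return session_key(key3) if proof == tag(key3, nonce2) else None


def run_protocol(X_i, X_s, t1, t2, nonce1, nonce2, spoof_X_s=None):
    """Full exchange; spoof_X_s makes a party without the real X_s answer the request."""
    ID_i, ID_s = 1001, 2002                                 # made-up identities
    pk_table = {ID_i: ec_mul(X_i, G), ID_s: ec_mul(X_s, G)}  # SCPC's published table
    T1, M1 = client_request(t1, pk_table[ID_s], ID_i, nonce1)
    resp = server_respond(X_s if spoof_X_s is None else spoof_X_s, t2, T1, M1, pk_table, nonce2)
    if resp is None:
        return None
    T2, M2, key3 = resp
    fin = client_finish(X_i, t1, T2, M2, nonce1)
    if fin is None:
        return None
    proof, sk_client = fin
    sk_server = server_finish(key3, nonce2, proof)
    return {"sk_client": sk_client, "sk_server": sk_server, "wire": (T1, M1, T2, M2, proof)}
```

Everything that crosses the wire (T1, M1, T2, M2 and the final tag) is returned in `wire`, so one can confirm that ID_i appears nowhere in the clear and that the only public values, T1 and T2, are the ones an attacker would have to solve the elliptic curve discrete logarithm on to recover Key3 = t1 * t2 x G.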

Functionality comparison: notation
- TH: the time of one one-way hashing operation
- TEXP: the time of one modular exponentiation
- TINVERSE: the time of one modular inverse operation
- TSYM: the time of one symmetric encryption or decryption
- TM: the time of one modular multiplication
- TECM: the time of one scalar multiplication of a point on an elliptic curve

Computation cost and stored keys (secret token + public keys)

- Our protocol (2007): 1 secret token, 163 bits x 2 = 326 bits; cost 6TH + 8TECM + 4TSYM = 6TH + 232TM + 4TSYM
- SIKA (2006): 1 token + (1 + n) public keys (SCPC's and n servers'), 1024 bits; cost 4TH + 12TEXP + 2TSYM + 6TM + 1TINVERSE = 4TH + 2TSYM + 2886TM + 1TINVERSE
- Lee-Chang's protocol (2000): 1 token + 1 public key (SCPC's); cost 2TH + 9TEXP + 7TM + 1TINVERSE = 2TH + 2167TM + 1TINVERSE
- Wu-Hsu's protocol (2004): cost 2TH + 8TEXP + 5TM + 2TINVERSE = 2TH + 1925TM + 2TINVERSE
- Yang et al.'s protocol: cost 2TH + 9TEXP + 1TINVERSE + 2TSYM + 5TM = 2TH + 2165TM + 2TSYM + 1TINVERSE

The totals use the conversions 1TEXP = 240TM and 1TECM = 29TM.

Functionality comparison: criteria
- C1: No password or password file
- C2: Mutual authentication
- C3: Session key agreement
- C4: Communication and computation cost
- C5: No time synchronization problem
- C6: No need to hold the system's or other participants' public keys
- C7: The identity of the client cannot be traced
- C8: Denial of service attacks do not work against the protocol
- C9: No one can impersonate the server to cheat the client
- C10: No one can impersonate a valid client to obtain the service from the server

Functionality comparison table (C1 to C10) for our protocol, SIKA, Lee-Chang's protocol, Wu-Hsu's protocol and Yang et al.'s protocol; entries are Yes/No, with C4 rated Very low or Large.

Conclusion
- Each user only needs to maintain his secret token and can use it to access several service providers.
- The service providers do not need to maintain a password file for verifying the users' login requests.
- If a new service provider joins the system, the user's master key does not need to be updated.

Thank You !