Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui Presented by MSc. Ding Wang, November 11, Wuyishan () wangdingg@mail.nankai.edu.cn Tel: 15104596985

Outline Introduction Review of Li et al.’s scheme Proposed attacks Two observations Conclusion 图1 802.11i安全框架

Introduction Network Server User attacker Remote authentication a mechanism to authenticate remote users over insecure communication networks Basic techniques: (1) what a user knows, such as passwords, PINs; (2) what a user has, such as smart cards, tokens; (3) what a user is, such as fingerprints; Network Server User attacker

Two-factor Authentication ——Smart-card-based Password Authentication Combine the first two techniques to obtain a secure and efficient scheme with desirable functionalities. ID, PW ID, PW Remote Server User with a low entropy password

A Practical Problem The traditional two-factor authentication schemes are suitable for single-sever environment. However, what will happen if there are multiple service servers ? The user has to remember multiple (ID, PW) pairs. Server j Server 1 Server 2 User with a low entropy password IDj , PWj ….. ID1 , PW1 ID2 , PW2

Two-factor authentication for the multi-server environment Advantages register once remember one (ID, PW) pair access multiple service servers

Challenges powerful adversary Naive users According to the common Dolev-Yao adversary model (1) he can eavesdrop、replay、fabricate 、intercept、 block any messages over the channel （2）what he cannot do is — — “crack” encrypted messages Due to Side-Channel attacks smart cards should be assumed to be non-tamper resistant Collusion attacks is practical malicious internal user + dishonest server Naive users users tend to choose “weak passwords” We are the first to pay attention to this practical threat. my phone number?

A Challenge (continue) Have to reconcile the following issues Security resistance to various passive and active attacks Functionalities (user friendliness ) Performance

What constitutes a practical scheme ? No serious security vulnerabilities With desirable functionalities Efficient

Trade-offs and Conflicts Security Performance Usability freely password change Offline password guessing attack Timely wrong password detection

A history of “attack-and-improvement”

A misunderstanding-prone concept “Dynamic ID-based” Shao, M. and Chin, Y.: A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment. IEICE Transactions on Information and Systems, Vol.E95–D, No.1, 161-168 (2012) (An entended version of a paper that has been presented in NSS 2010) Li, X., Xiong, Y., Ma, J., Wang, W.: An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763–769 (2012) It basically means the user’s identity is dynamically changed during the login process and has nothing to do with the hot “ID-based Cryptography”.

Notations and abbreviations

A demonstration of Li et al.’s scheme

Review of Li et al.’s scheme the registration phase the login phase the verification phase the password update phase

Review of Li et al.’s scheme (1/4) —— Service server registration Master secret x; Secret number y; Service Providing Server Sj Control Server ( CS) Choose SIDj

Review of Li et al.’s scheme (1/4) —— User registration Master secret x; User Secret number y; Choose IDi, Pi; Control Server ( CS) Choose a random b; Compute Ai= h(b||Pi) ;

Review of Li et al.’s scheme (2/4) —— Login phase Ui CS Sj

Review of Li et al.’s scheme (3/4) —— Verification phase Ui CS Sj Only based on symmetric cryptographic primitives

Review of Li et al.’s scheme (4/4) —— Password Change phase Support local password update; W only focus on the login and verification phase, and omit this phase. 20

Two vulnerabilities Offline password guessing attack the most damaging threat to a password protocol User anonymity breach Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763–769 (2012) Which means the essential goal can not be achieved 21

Security Flaws (1/2) ——Offline password guessing attack obtains {Di, Ei, b, h(y), h(.)} in Ui’s smart card intercepted

Security Flaws (2/2) —— User anonymity breach attack Sj colludes with Um Ui Ei is kept static in all of Ui’s login requests, and thus can be exploited to trace user activity.

Lessons learned from the cryptanalysis Two further observations Only symmetric-key primitives (such as Hash, symmetric encryption, MAC) are intrinsically inadequate to withstand offline password guessing attack. (We managed to prove it in the following work: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. (2012), Submitted on Sep 7, 2012. Last week, it was accepted and made on line, DOI: 10.1002/dac.2468. ) By following our two observations, more than 50% this type of schemes can be easily found problematic . In the multi-server environment, collusions attacks are major threats to user privacy. — —Our new work: On the anonymity of two-factor authentication schemes

Break 50% this type of schemes

Conclusion Our focus is on two-factor authentication for multi-server architecture. Two practical attacks are demonstrated on Li et al.’s scheme. Two observations are put forward. Remarkably, public-key techniques are indispensible to resist against offline password guessing attack. By following these two observations, more 50% existing schemes can be easily found problematic.

THANK YOU & QUESTION

Side-Channel Attack

Various attacks … Offline password guessing attack Smart card loss attack Stolen verifier attack User impersonation attack Server masquerading attack Replay attack Parallel session attack Denial of service attack Password disclosure to server (Insider attack) Forward secrecy Key compromise impersonation attack Unknown key share attack …

Functionalities key agreement mutual authentication local password change user anonymity (initiator un-traceability) no verifier table support weak password non-tamper resistant smart cards repairability

Performance Computation complexity ( a big hill ) cryptographic operations are often computation-intensive, like modular exponentiation, modulo inversion, pairing … Storage cost ( not a big problem) Communication overhead (not a big problem)