1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen.


1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen Chang 2 1 Dept. of Information Engineering and Computer Science, Feng Chia University 2 Dept. of Computer Science and Information Engineering, National Chung Cheng University

2 Outline
1. Introduction
2. Password Authentication Without the Server Public Key
3. Password Authenticated Key Exchange for Imbalanced Wireless Network
4. Digital Signature without One-way Hash Function
5. Anonymous Auction Protocols
6. Conclusions

3 1. Introduction (1/4)
Authentication
  Establishing the validity of a transmission, message, or originator
  Verifying an individual's authorization to receive specific categories of information

4 1. Introduction (2/4)
Authentication Schemes
  Something you know: password, PIN, the public key, …
  Something you have: IC card (smartcard or memory card), …
  Something you are: fingerprint, hand geometry, voiceprint, retinal, …

5 1. Introduction (3/4)
Authentication Schemes
  Without the public key: password, PIN, IC card, fingerprint, hand geometry, voiceprint, etc.
  Without the verification table: IC card and the public key
  With special devices: fingerprint, hand geometry, voiceprint, retinal, …

6 1. Introduction (4/4)
Digital Signature
  Origin authentication
  Data integrity
  Signer nonrepudiation

7 2. Password Authentication Without the Server Public Key (1/7)
2002, Hwang and Yeh’s Protected Password Transmission and Change Schemes
  Using the public key systems
  Suffering from the denial-of-service attack

8 2. Password Authentication Without the Server Public Key (2/7)

| Notation | Description |
|---|---|
| PW | the password shared between the user U and the server S |
| PKS | the server S's public key |
| ID | the user U's identity |
| $H(\cdot)$ | cryptographic hash function |
| flow[i] | the information transmitted in the i-th round |
| r1/r2 | random nonce generated by U/S |
| $\oplus$ | XOR operation |
| $E_{pk}(m)$ | an asymmetric cryptosystem encrypting m with the public key pk |
| $E1_{pw}(m)$ | a symmetric cryptosystem encrypting m with a password pw |
| $E2_{k}(m)$ | a symmetric cryptosystem encrypting m with a secret key k |
| g | a primitive element in GF(p), where p is a large prime |

9 2.1 Hwang and Yeh’s Protected Password Transmission Scheme (3/7)
S: Store $H(PW)$
U → S: ID, $E_{PKS}(r1, PW)$
S → U: $r1 \oplus r2$, $H(r2)$
U → S: ID, $H(r1, r2)$
S → U: Access granted or denied

Hwang and Yeh’s Protected Password Change Scheme (4/7)
S: Store $H(PW)$
U → S: ID, $E_{PKS}(r1, PW)$
S → U: $r1 \oplus r2$, $H(r2)$
U: Choose PW; $R = H(PW) \oplus H(r1+1, r2)$
U → S: ID, $H(r1, r2)$, R
S: $H(PW) = R \oplus H(r1+1, r2)$; Update $H(PW)$
S → U: Access granted or denied

Our Protected Password Transmission Scheme (5/7)
S: Store PW
U → S: ID, $E1_{PW}(g^{r1} \bmod p)$
S: $SK = (g^{r1})^{r2} \bmod p$
S → U: $E1_{PW}(g^{r2} \bmod p)$, $E2_{SK}(H(flow[1]))$
U: $SK = (g^{r2})^{r1} \bmod p$
U → S: ID, $E2_{SK}(H(flow[2]))$
S → U: Access granted or denied
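The three flows of this transmission scheme, simulated end to end as an added example (not code from the original slides). The group parameters, the identity, SHA-256 for H, and the SHAKE-256 XOR keystream standing in for the unspecified ciphers E1/E2 are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1       # toy prime (assumption; far too small for real use)
G = 3                # assumed base element
ID = b"alice"        # constructed user identity

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def E(label: bytes, key: bytes, data: bytes) -> bytes:
    """Stand-in for E1/E2: XOR with a SHAKE-256 keystream (encrypt == decrypt)."""
    stream = hashlib.shake_256(label + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")

def login(user_pw: bytes, server_pw: bytes) -> bool:
    """Run the three flows; True only if both sides accept."""
    # flow[1], U -> S: ID, E1_PW(g^r1 mod p)
    r1 = secrets.randbelow(P - 2) + 1
    flow1 = (ID, E(b"E1", user_pw, to_bytes(pow(G, r1, P))))
    # S decrypts with its stored PW and derives SK = (g^r1)^r2 mod p
    r2 = secrets.randbelow(P - 2) + 1
    g_r1 = int.from_bytes(E(b"E1", server_pw, flow1[1]), "big")
    sk_s = to_bytes(pow(g_r1, r2, P))
    # flow[2], S -> U: E1_PW(g^r2 mod p), E2_SK(H(flow[1]))
    flow2 = (E(b"E1", server_pw, to_bytes(pow(G, r2, P))),
             E(b"E2", sk_s, H(*flow1)))
    # U derives SK = (g^r2)^r1 mod p and checks the server's proof
    g_r2 = int.from_bytes(E(b"E1", user_pw, flow2[0]), "big")
    sk_u = to_bytes(pow(g_r2, r1, P))
    if not hmac.compare_digest(E(b"E2", sk_u, flow2[1]), H(*flow1)):
        return False                 # U rejects: the two sides hold different PW
    # third message, U -> S: ID, E2_SK(H(flow[2]))
    flow3 = (ID, E(b"E2", sk_u, H(*flow2)))
    # S grants access only if the user's proof decrypts to H(flow[2])
    return hmac.compare_digest(E(b"E2", sk_s, flow3[1]), H(*flow2))
```

No server public key appears anywhere: a password mismatch makes the two derived SK values differ, so the proof check fails.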

Our Protected Password Change Scheme (6/7)
S: Store PW
U → S: ID, $E1_{PW}(g^{r1} \bmod p)$
S: $SK = (g^{r1})^{r2} \bmod p$
S → U: $E1_{PW}(g^{r2} \bmod p)$, $E2_{SK}(H(flow[1]))$
U: $SK = (g^{r2})^{r1} \bmod p$; Choose PW; the current time: T; $R = E2_{SK}(PW, T)$
U → S: ID, $E2_{SK}(H(flow[2]))$, R
S: Decrypt R with SK; Update PW
S → U: Access granted or denied

Efficiency Comparison (7/7)
Columns: computation operation, HY U, HY S, Ours U, Ours S
modulo exponential: 0(5), 0(3), 2, 2
public key en/decryption: 1/0, 0/1, 0/0
symmetric en/decryption: 0/0, 4/5
hash: 2/4, 2/3, 2, 2

14 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (1/5)
2002, Zhu et al.’s password authenticated key exchange scheme
  Based on RSA
  For imbalanced wireless network
  Suffering from the undetectable on-line password guessing attack
2003, Yeh et al.’s scheme
  Using the simple interactive protocol to authenticate the public key pair
  May suffer from the off-line password guessing attack

15 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (2/5)

| Notation | Description |
|---|---|
| PW | the password shared between the user U and the server S |
| (n, e) | the server S's public key generated by a public key generator |
| d | S's private key |
| $H_i(\cdot)$ | distinct cryptographic hash functions for i = 1, 2, …, 5 |
| $ID_S$/$ID_U$ | the identity of S/U |
| $E_k(m)$ | a symmetric cryptosystem encrypting m with the secret key k |
| $D_k(m)$ | a symmetric cryptosystem decrypting m with the secret key k |
| p, q | two secret large primes only known by S |
| N | the public system parameter, where N = p*q |

16 S U n, e, r S r S  R {0, 1} l {m i  R Z n } 1  i  j {m i e mod n} 1  i  j {H 1 (m i )} 1  i  j H 1 (m i )?= H 1 (m i ),1  i  j s U  R Z n  = E pw (ID S,ID U, r S, s U ) z =  e mod n z E  (ID U ) c U =H 3 (s U )  =H 4 (r S, c U, ID S, ID U ) D  (E  (ID U ))?=ID U H 6 (  ) H 6 (  ) ?= H 6 (  ) (ID S,ID U, r S, s U ) =D pw (z d mod n) c U = H 3 (s U )  = H 4 (r S, c U, ID S, ID U ) 3.1 Yeh et al. ’ s Scheme (3/5)

Our Scheme (4/5) S U E pw (r S ) r S  R {0, 1} l r S = D pw (E pw (r S )) s U  R Z N  = H 5 (r S, s U, ID S, ID U )  = H 2 (r S, s U,  ) z = s U 2 mod N z,   = H 5 (r S, s U, ID S, ID U )  ?= H 2 (r S, s U,  ) H 6 (  ) ?=H 6 (  ) H 6 (  )

Efficiency Comparison (5/5) computation operation Yeh et al.’s U Yeh et al.’s S Ours U Ours S modulo exponential j+1 20 symmetric En(de)cryption 2211 hashj+3 39/5/3

19 4. Digital Signature without One-way Hash Function and Message Redundant Schemes (1/9)
2000, Zhu et al.’s digital multisignature scheme
  Without One-way Hash Function
  Without Message Redundant Schemes
  Suffering from the forgery attack

Notation (2/9)

| Notation | Description |
|---|---|
| g | a primitive element in GF(p), where p is a large prime |
| U | the user |
| V | the verifier |
| x | U's private key, where gcd(x, (p-1)) = 1 |
| y | U's public key, where $y = g^{x} \bmod p$ |
| k | the random number chosen by U, where $k \in Z_p$ |
| M | the signed message |

Shieh et al.’s Scheme (3/9)
The Signature-generation Phase
U executes the following steps to sign M.
Step 1: Computes $s = y^{M} \bmod p$.
Step 2: Computes $r = M \cdot g^{-k} \bmod p$.
Step 3: Computes $t$, where $s + t \equiv x^{-1}(k - r) \pmod{p-1}$.
Step 4: Sends the signature (s, r, t) of M to the verifier V.

Shieh et al.’s Scheme (4/9)
The Verification Phase
V executes the following steps to verify the signature.
Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \equiv g^{x(s+t)} \cdot M \cdot g^{-k} \cdot g^{r} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod{p}$.
Step 2: Checks if $s = y^{M} \bmod p$.

The Forgery Attack on Shieh et al.’s Scheme (5/9)
Eve executes the following steps to get a valid signature.
Step 1: Chooses $w \in Z_p$ randomly.
Step 2: Chooses $r \in Z_p$ randomly.
Step 3: Computes $g^{k} \bmod p = y^{w} \cdot g^{r} \bmod p$ without knowing k.
Step 4: Computes $M = r \cdot g^{k} \bmod p$.
Step 5: Computes $s = y^{M} \bmod p$.
Step 6: Computes $t = w - s \bmod (p-1)$.
Step 7: Sends the signature (s, r, t) of M to the verifier V.
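The signing and verification phases of Shieh et al.'s scheme and the forgery steps above, written out as an added example (not code from the original slides) so the verifier's behaviour can be checked directly. The toy parameters and the `encode`/`decode` redundancy format are assumptions added here to illustrate why a recovered message with no required structure cannot be trusted.

```python
import hashlib
import math
import secrets

P = 2**127 - 1   # toy prime modulus (assumption; the slides only say "large prime")
G = 3            # assumed base element for the demo

def keygen():
    while True:
        x = secrets.randbelow(P - 3) + 2
        if math.gcd(x, P - 1) == 1:          # scheme requires gcd(x, p-1) = 1
            return x, pow(G, x, P)           # (private x, public y = g^x mod p)

def sign(M, x):
    s = pow(pow(G, x, P), M, P)                       # Step 1: s = y^M mod p
    k = secrets.randbelow(P - 2) + 1
    r = M * pow(G, -k, P) % P                         # Step 2: r = M * g^-k mod p
    t = (pow(x, -1, P - 1) * (k - r) - s) % (P - 1)   # Step 3
    return s, r, t

def recover(sig, y):
    """Verification phase: return the recovered M, or None if s != y^M mod p."""
    s, r, t = sig
    M = pow(y, s + t, P) * r * pow(G, r, P) % P
    return M if s == pow(y, M, P) else None

def forge(y):
    """The slide's forgery steps; uses only the public key y."""
    w = secrets.randbelow(P - 2) + 1
    r = secrets.randbelow(P - 2) + 1
    g_k = pow(y, w, P) * pow(G, r, P) % P    # g^k = y^w * g^r, k stays unknown
    M = r * g_k % P
    s = pow(y, M, P)
    return M, (s, r, (w - s) % (P - 1))

# Assumed redundancy format (not from the slides): 7-byte payload + 8-byte SHA-256 tag.
def encode(payload: bytes) -> int:
    if len(payload) != 7:
        raise ValueError("payload must be 7 bytes")
    return int.from_bytes(payload + hashlib.sha256(payload).digest()[:8], "big")

def decode(M):
    """Return the payload if M carries valid redundancy, else None."""
    if M is None or M >= 1 << 120:
        return None
    raw = M.to_bytes(15, "big")
    payload, tag = raw[:7], raw[7:]
    return payload if tag == hashlib.sha256(payload).digest()[:8] else None
```

The forged triple passes both verification steps, but the message it recovers is an uncontrolled value that fails the format check in `decode`.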

Our Scheme (6/9)
The Signature-generation Phase
U executes the following steps to sign M.
Step 1: Computes $s = y^{M} \bmod p$.
Step 2: Computes $r = M \cdot s \cdot g^{-k} \bmod p$.
Step 3: Computes $t$, where $s + t \equiv x^{-1}(k - r) \pmod{p-1}$.
Step 4: Sends the signature (s, r, t) of M to the verifier V.

Our Scheme (7/9)
The Verification Phase
V executes the following steps to verify the signature.
Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \cdot s^{-1} \equiv g^{x(s+t)} \cdot M \cdot s \cdot g^{-k} \cdot g^{r} \cdot s^{-1} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod{p}$.
Step 2: Checks if $s = y^{M} \bmod p$.

The Forgery Attack 1 on Our Scheme (8/9) After getting the signature (s, r, t) of M, Eve executes the followings to get a valid signature. Step 1: Chooses   Z p-1 * randomly. Step 2: Computes m = M*y  mod p. Step 3: Computes s = y m mod p. Step 4: Sets r = r. Step 5: Sets t = s + t – M +  - s + m mod (p-1). Step 6: Sends the signature (s, r, t) of m to the verifier V.

The Forgery Attack 2 on Our Scheme (9/9) After getting the signature (s, r, t) of M, Eve executes the followings to get a valid signature. Step 1: Chooses   Z p-1 * randomly. Step 2: Sets r =  *r mod p. Step 3: Computes  such that r +   r mod (p-1). Step 4: Computes m = M*  *g  mod p. Step 5: Sets s= y m mod p. Step 6: Sets t = s + t – M - s + m mod (p-1). Step 6: Sends the signature (s, r, t) of m to the verifier V.

28 5. Anonymous Auction Protocols (1/11)
Auction
  English auction
  Dutch auction
  Sealed-bid auction
Participants
  Auctioneer
  Bidder

29 5. Anonymous Auction Protocols (2/11)
Sealed-bid auction → (1999, Kikuchi et al.)
  the privacy of the bids
  → the anonymity of the bidding prices
  → the anonymity of the bidders

Notation (3/11)

| Notation | Description |
|---|---|
| g | a primitive element in GF(p), where p is a large prime |
| $U_i$ | the bidder for i = 1, 2, …, m |
| P | the auctioneer |
| | $U_i$'s public/private key certified by CA |
| | P's public/private key certified by CA |
| $H(\cdot)$ | a collision-resistant hash function |
| $a_i$/b | the random number $\in Z_p$ chosen by $U_i$/P |
| $ID_i$ | $U_i$'s identity |
| $E(\cdot)$ | an asymmetric cryptosystem |
| T | the timestamp |

Initiation (4/11) Concept: to have U i and P shared one secret Step 1: U i computes Then U i sends X i and Q i to P.

Initiation (5/11) Step 2: P computes Then P broadcasts Y and W. Step 3: P computes

Initiation (6/11) Step 4: U i checks if If it holds, U i computes → P and U i shares k i.

Initial Authentication (7/11) Step 1: U i randomly chooses M and computes  = H(M, T, k i ). Then U i sends (M, T,  ) to P. Step 2: P computes  = H(M, T, k i ) for i = 1, 2,.., m. If any  = , P computes = H(M+1, k i ) and broadcasts ( , ).

Anonymous English Auction (8/11) Step 1: U i signs his own bid B and computes Then U i casts (B, T, D, C).

Anonymous English Auction (9/11) Step 2: P sets a timer and computes C i = H(B, T, k i ) for i = 1, 2, …, m and If any C i = C, B is valid. Otherwise, B is invalid. If the countdown of the timer reaches zero and no bidder casts a bid, P closes the auction.

Anonymous Sealed-bid Auction (10/11) Step 1: U i signs his own bid B and computes Then U i submits (F, D, C) to P.

Anonymous Sealed-bid Auction (11/11) Step 2: P computes Step 3: P sets a timer and computes C i = H(B, T, k i ) for i = 1, 2, …, m. If any C i = C, B is valid. Otherwise, B is invalid. After receiving all bids, P resolves the winner anonymously.

39 6. Conclusions
We have proposed different authentication schemes for different requirements.
As to digital signatures, the hash function and the message redundant scheme are essential to designing a secure digital signature scheme.
The concepts of authentication and digital signature schemes should be employed to ensure the security of a variety of applications over networks.

40 Thanks all