Robust and Efficient Password- Authenticated Key Agreement Using Smart Cards Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw Src: IEEE Transaction on Industrial Electronics, Vol. 55, No. 6, pp , 2008 Presenter: Jung-wen Lo ( 駱榮問 ) Date: Jul. 30, 2009
2 Outline Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, Nov Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw, “Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards,” IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp Comment
Robust remote authentication scheme with smart cards Authors: Chun-I Fan, Yung-Cheng Chan, and Zhi-Kai Zhang Src: Computers & Security, vol. 24, no. 8, pp. 619–628, Nov. 2005
4 Introduction Criteria for secure remote authentication scheme using smart card 1) Low computation for smart cards 2) No password table 3) Passwords chosen by the users themselves 4) Not requiring clock synchronization and delay-time limitation 5) Withstanding the replay attack 6) Server authentication 7) Withstanding the offline dictionary attack with the smart card 8) Withstanding the offline dictionary attack without the smart card 9) Revoking the lost cards without changing the users’ identities Major contribution Withstand replay attack Preventing the offline dictionary attack Two protocol Registration protocol Login protocol
5 Registration Protocol User System ID i, h(PW i ) Random v i b i = E s (h(PW i )||H(ID i )||CI i ||v i )) ID i CI i …… CI i,ID i, b i,n
6 Login Protocol User Card Reader System PW i L1L1 L 2 ={α,β} Decrypt: L 1 (b i ||h(ID i )||u) b i h(PW i )||h(ID i )||CI i ||v i ) Verify h(ID i ),{ID i, CI i } Random r α=r u β=h((r||u) r’=α u h((r’||u) ?=β L 3 =h(h(PW i )||r) b i,V i,ID i,CI i Random u L i ={ID i,(b i ||h(ID i )||u) 2 mod n} h(h(PW i )||r) ?= L 3 L3L3
7 Performance
8 Conclusion Properties 1) Low computation for smart cards 2) No password table 3) Passwords chosen by the users themselves 4) Not requiring clock synchronization and delay-time limitation 5) Withstanding the replay attack 6) Server authentication 7) Withstanding the offline dictionary attack with the smart card 8) Withstanding the offline dictionary attack w/o the smart card 9) Revoking the lost cards without changing the users’ identities Major contribution Withstand replay attack Preventing the offline dictionary attack Major drawbacks No ability of anonymity for the user Higher computation and communication cost No session key agreement Cannot prevent the insider attack
Robust and Efficient Password- Authenticated Key Agreement Using Smart Cards Authors: Wen-Shenq Juang, Sian-Teng Chen and Horng-Twu Liaw Src: IEEE Transaction on Industrial Electronics, vol. 55, no. 6, pp , 2008
10 Introduction Improve Fan-Chan-Zhang’s scheme Session key agreement Prevent insider attack Five Phases 1) Parameter generation phase 2) Registration phase 3) Precomputation phase 4) Log-in phase 5) Password-changing phase
11 Notation h(): Public one-way hash function. s: Master secret key of a symmetric cryptosystem, which is kept secret by the server. E s (): Secure symmetric encryption algorithm with the secret key s. D s (): Secure symmetric decryption algorithm with the secret key s. ||: String concatenation operator. P: Large prime. E P : Elliptic curve equation over Z P. x: Server’s private key based on elliptic curve cryptosystems. P S : Server’s public key based on elliptic curve cryptosystems. G: Generator point of a large order. Manuscript
12 Parameter generation phase Server side Choose a large prime P Select a,b ∈ Z P ; 4a b 2 (mod P) ≠0 Elliptic curve equation: E P : y 2 = x 3 + ax + b over Z P Find a generator point G of order n where n × G = O Select a random number x as its private key and safely keeps it in its secret storage. Compute the public key P S = (x G) Publish the parameters (P S, P, E P, G, n)
13 Registration/Precomputation phase User Server ID i, h(Pw i ||b) b i = E s (h(PW i ||b)||ID i ||CI i ||h(ID i ||CI i ||h(PW i ||b))) V i = h(ID i, s, CI i ). Random b ID i CI i …… b i,V i,ID i,CI i Smart Card Registration phase (Only Once) Precomputation phase Random r e=(r G) c=(rP s )=(rxG) Store (c,e) in memory b i,V i,ID i,CI i,b
14 Log-in phase User Card Reader Server PW i b i, E v i (e) u, M s MuMu D s (b i ) ID i,CI i Verify V i =h(ID i,s,CI i ) D v i (E v i (e)) e=(rG) c’=(ex)=(rxG) Random u M s =h(c’||u||V i ) (c,e) h(c||u||V i ) ?= M s M u =h(h(PW i ||b)||V i ||c||u) S k = h(V i,c,u) b i,V i,ID i,CI i,b b i = E s (h(PW i ||b)||ID i ||CI i ||h(ID i ||CI i ||h(PW i ||b))) Smart Card h(h(PW i ||b)||V i ||c||u)?=M u S k = h(V i,c,u)
15 Password-changing phase User Card Reader Server Log-in Phase E S k (ID i, h(PW * i ||b * )) E S k (b * i ) b * i = E s (h(PW * i ||b*)||ID i ||CI i ||h(ID i ||CI i ||h(PW* i ||b*))) Decrypt Store (b * i, b * ) in memory Smart Card SkSk SkSk New PW * i,b * b * i,V i,ID i,CI i,b *
16 Security Analysis Strong Mutual Authentication Both believe the correction of session key Preventing the Replay Attack Nonce r & u Preventing the Insider Attack No password table Protected with h(PW i ||b) Preventing the Offline Dictionary Attack Without the Smart Card Cannot obtain PW i from messages Preventing the Offline Dictionary Attack With the Smart Card No obvious password in card (b i ) Need server’s help to verify password
17 Communication and storage cost
18 Computation Cost
19 Capability Comparisons
20 Conclusion Advantages Benefits of Fan et al.’s scheme Identity protection Session key agreement Low communication and computation cost by using elliptic curve cryptosystems Prevent the insider attack
21 Comment Register table attack DoS attack Eliminate the table Protect the table Modify the data of table, eg, CI i Verify before use Performance improvement 3 ways 2 ways
22 Comment: Log-in phase (2 round) User Card Reader Server PW i b i, E v i (e||n) u, M s D s (b i ) ID i,CI i Verify V i =h(ID i,s,CI i ) D v i (E v i (e)) e=(rG) c’=(ex)=(rxG) Random u M s =h(c’||n||u||V i ) S k = h(V i,c,u) (c,e) Random n h(c||n||u||V i ) ?= M s S k = h(V i,c,u) b i,V i,ID i,CI i,b b i = E s (h(PW i ||b)||ID i ||CI i ||h(ID i ||CI i ||h(PW i ||b))) Smart Card