
Smart Card Based Authenticated Key Agreement Schemes


1 Smart Card Based Authenticated Key Agreement Schemes
Feng Chia University, MSN Laboratory
Thesis Defense, 31 August 2015
Advisor: Prof. Chin-Chen Chang
Student: Hai-Duong Le

2 Outline
Research motivation
Objectives
The proposed schemes:
Two-party AKE (Authenticated Key Exchange)
Group key exchange
AKE for mobile roaming
AKE in wireless sensor networks
Three-factor AKE
Conclusions
Future works

3 Research Motivation
Authentication + key agreement gives secure communication.
Requirements: authentication; establishing a shared session key; confidentiality; integrity.

4 Research Motivation: Anonymity vs. Untraceability
[Figure: login_request{ID, ...} from the user, response{} from the server]
Anonymity: conceal the user's identity.
Untraceability: protect the user's information related to identity, location and movements, especially on mobile devices.

5 Authentication Factors
What you know: e.g. passwords, PIN numbers.
What you have: e.g. smart cards, security tokens.
What you are: biometrics, e.g. iris scan, fingerprint, palm print.

6 Objectives
Design AKE schemes for different types of network models:
Two-party AKE
Group key exchange
AKE in wireless sensor networks
AKE for mobile roaming
Three-factor AKE
All schemes use a password and a smart card.

7 Preliminaries: Diffie-Hellman hard problems
Given a cyclic group $\mathbb{G}$ with generator $g \in \mathbb{Z}_p^*$ of order $p$, where $p$ is a prime number:
Discrete logarithm: given $g^a$, where $a \in \mathbb{Z}_p^*$, find $a$.
Computational Diffie-Hellman (CDH): given $g^a$ and $g^b$, where $a, b \in \mathbb{Z}_p^*$, find $g^{ab}$.
Decisional Diffie-Hellman (DDH): given $g^a$, $g^b$ and $g^c$, where $a, b, c \in \mathbb{Z}_p^*$, decide if $g^{ab} = g^c$.

8 Preliminaries: Elliptic curve
Given a cyclic group $\mathbb{G}_p = \langle P \rangle$ of order $p$, where $P$ is the generator point and $p$ is a prime number:
Discrete logarithm: given $aP$, where $a \in \mathbb{Z}_p^*$, find $a$.
Computational Diffie-Hellman (ECCDH): given $aP$ and $bP$, where $a, b \in \mathbb{Z}_p^*$, find $abP$.
Decisional Diffie-Hellman (ECDDH): given $aP$, $bP$ and $cP$, where $a, b, c \in \mathbb{Z}_p^*$, decide if $abP = cP$.

9 Scheme 1: Two-party AKE (1/7)
Mobile Friendly and Highly Efficient Authenticated Key Agreement Protocol Featuring Untraceability
[Figure: user with password, server with verification table, authentication between them]
Goals: mutual authentication; key agreement; anonymity and untraceability; efficiency.

10 Scheme 1: Two-party AKE (2/7) - Registration Phase
User $U$: choose password $PW$ and random number $b$; create message $m = \{ID, h(PW \parallel b)\}$.
$U \rightarrow S$ (secure channel): $m$
Server $S$ (long-term secret $x$): choose random number $r$; compute $M_1 = h(r \parallel x) \oplus h(PW \parallel b)$ and $M_2 = h(ID \parallel x) \oplus h(PW \parallel b)$; issue $SC = \{r, M_1, M_2\}$.
$S \rightarrow U$: $SC$
User $U$: write $b$ into $SC$.

11 Scheme 1: Two-party AKE (3/7) - Login Phase
User $U$ ($SC = \{b, r, M_1, M_2\}$): input $ID$, $PW$; choose random number $n$; compute
$h(r \parallel x)' = M_1 \oplus h(PW \parallel b)$
$h(ID \parallel x)' = M_2 \oplus h(PW \parallel b)$
$N_1 = h(r \parallel x)' \oplus n$
$N_2 = h(n \parallel r)$
$U \rightarrow S$: $\{r, N_1, N_2\}$
Server $S$ (long-term secret $x$): compute $n' = N_1 \oplus h(r \parallel x)$; check if $N_2 = h(n' \parallel r)$; choose random number $r_{new}$; compute
$P_1 = h(n' \parallel h(r \parallel x)) \oplus r_{new}$
$P_2 = h(n') \oplus h(r_{new} \parallel x)$
$P_3 = h(n' \parallel h(r_{new} \parallel x) \parallel r_{new})$
$S \rightarrow U$: $\{P_1, P_2, P_3\}$
User $U$: compute $r_{new}' = P_1 \oplus h(n \parallel h(r \parallel x)')$ and $h(r_{new} \parallel x)' = P_2 \oplus h(n)$; check if $P_3 = h(n \parallel h(r_{new} \parallel x)' \parallel r_{new}')$; compute
$N_3 = ID \oplus h(n \parallel r_{new}')$
$N_4 = h(n \parallel h(ID \parallel x)' \parallel r_{new}')$
$SK = h(n \parallel ID \parallel r_{new}')$
$U \rightarrow S$: $\{N_3, N_4\}$
Server $S$: compute $ID' = N_3 \oplus h(n' \parallel r_{new})$; check if $N_4 = h(n' \parallel h(ID' \parallel x) \parallel r_{new})$; compute $SK = h(n' \parallel ID' \parallel r_{new})$.

12 Scheme 1: Two-party AKE (4/7) - Password Changing Phase
User $U$: log in to $S$; input the new password $PW_{new}$. $SC$ computes
$M_{1new} = M_1 \oplus h(PW \parallel b) \oplus h(PW_{new} \parallel b)$
$M_{2new} = M_2 \oplus h(PW \parallel b) \oplus h(PW_{new} \parallel b)$
and replaces $M_1, M_2$ by $M_{1new}, M_{2new}$ in $SC$'s memory.
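An added worked example of Scheme 1 (registration, the three-message login, and password change), written for this page and not code from the thesis. SHA-256 stands in for $h$, and one step the slides do not state is assumed and marked as such: after a successful login the card adopts $r_{new}$ so the next login request carries a fresh $r$, while the server stays stateless because it recomputes $h(r \parallel x)$.

```python
import hashlib
import secrets

L = 32  # byte length of h() output; every XOR operand below is L bytes


def h(*parts):
    """h(a || b || ...): SHA-256 over the concatenation (stands in for the thesis's h)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


class Server:
    """S keeps only its long-term secret x; there is no per-user verification table."""

    def __init__(self):
        self.x = secrets.token_bytes(L)

    def register(self, ID, hpwb):
        # m = {ID, h(PW||b)} arrives over a secure channel; S issues SC = {r, M1, M2}.
        r = secrets.token_bytes(L)
        return {"r": r, "M1": xor(h(r, self.x), hpwb), "M2": xor(h(ID, self.x), hpwb)}

    def login_step1(self, r, N1, N2):
        n = xor(N1, h(r, self.x))                        # n' = N1 xor h(r||x)
        if N2 != h(n, r):
            raise ValueError("N2 mismatch: user not authenticated")
        r_new = secrets.token_bytes(L)
        P1 = xor(h(n, h(r, self.x)), r_new)
        P2 = xor(h(n), h(r_new, self.x))
        P3 = h(n, h(r_new, self.x), r_new)
        self.pending = (n, r_new)
        return P1, P2, P3

    def login_step2(self, N3, N4):
        n, r_new = self.pending
        ID = xor(N3, h(n, r_new))                        # ID' = N3 xor h(n'||r_new)
        if N4 != h(n, h(ID, self.x), r_new):
            raise ValueError("N4 mismatch")
        return h(n, ID, r_new)                           # SK at the server


class Card:
    """SC = {b, r, M1, M2}; ID and PW are typed in by the user at login."""

    def __init__(self, b, sc):
        self.b, self.r, self.M1, self.M2 = b, sc["r"], sc["M1"], sc["M2"]

    def change_password(self, PW, PW_new):
        d = xor(h(PW, self.b), h(PW_new, self.b))
        self.M1, self.M2 = xor(self.M1, d), xor(self.M2, d)


def register(server, ID, PW):
    b = secrets.token_bytes(L)
    return Card(b, server.register(ID, h(PW, b)))       # user writes b into SC


def login(card, server, ID, PW):
    """Run the login phase; returns (SK at user, SK at server, the r sent in the request)."""
    hpwb = h(PW, card.b)
    hrx, hidx = xor(card.M1, hpwb), xor(card.M2, hpwb)  # h(r||x)', h(ID||x)'
    n = secrets.token_bytes(L)
    r_sent = card.r
    P1, P2, P3 = server.login_step1(r_sent, xor(hrx, n), h(n, r_sent))
    r_new = xor(P1, h(n, hrx))
    hrnewx = xor(P2, h(n))
    if P3 != h(n, hrnewx, r_new):
        raise ValueError("P3 mismatch: server not authenticated")
    sk_user = h(n, ID, r_new)
    sk_server = server.login_step2(xor(ID, h(n, r_new)), h(n, hidx, r_new))
    # Assumption (not stated on the slides): the card adopts r_new so the next
    # request carries a fresh r, and refreshes M1 with the h(r_new||x)' just learned.
    card.r, card.M1 = r_new, xor(hrnewx, hpwb)
    return sk_user, sk_server, r_sent
```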

13 Scheme 1: Functionality (5/7)
Table 2.1 Security properties compared with related schemes [91], [101], [22], [71] and ours. Properties compared:
Mutual authentication and key agreement
Provide anonymity
Provide initiator untraceability
Withstand ID theft
Withstand replay attack
Withstand denial-of-service attack
Withstand offline password guessing
Withstand masquerading attack
Withstand server spoofing attack
Solve the time synchronization problem
[91] Wang, Y.Y., Liu, J.Y., Xiao, F.X., and Dan, J., "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, vol. 32, no. 4, 2009.
[101] Yeh, K.H., Su, C.H., Lo, N.W., Li, Y.J., and Hung, Y.X., "Two robust remote user authentication protocols using smart cards," Journal of Systems and Software, vol. 83, no. 12, 2010.
[22] Chang, C.-C., Le, H.-D., Lee, C.-Y., and Chang, C.-H., "A robust and efficient smart card oriented remote user authentication protocol," Seventh International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2011.
[71] Li, X.X., Qiu, W.D., Zheng, D., Chen, K.F., and Li, J.H., "Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards," IEEE Transactions on Industrial Electronics, vol. 57, no. 2, 2010.

14 Scheme 1: Performance (6/7)
Table 2.2 Computation and storage costs compared with other schemes [91], [101], [22], [71] and ours. Notation: $H$ = one-way hash function; $X$ = exclusive-OR; $S$ = symmetric-key encryption or decryption of one block; $m$ = elliptic curve multiplication.
A1 Computation cost in the registration phase: $2H+2X$, $4H+1X$, $4H+2X$, $3H+3S$
A2 Pre-computation at the user side: $2m$
A3 Computation cost in the login phase: [91] $9H+14X$; [101] $14H+4X$; [22] $16H+8X$; [71] $18H+14S+1m$; ours $20H+10X$
A4 Computation cost in the password changing phase: $2H+15S$
A5 Total computation cost: $11H+16X$, $18H+5X$, $21H+17S+1m$, $24H+12X$
A6 Storage memory in the smart card: 320 bits, 448 bits, 384 bits, 512 bits
A7 Rounds of user-server communication: 2 rounds, 3 rounds
A8 Power consumption: low, high

15 Scheme 1: Two-party AKE (7/7) - Summaries
Secure two-party AKE with: untraceability; forward secrecy; low computation and communication cost.

16 Scheme 2: Group Key Exchange (1/10)
A Provably Secure Smart Card Based Authenticated Group Key Exchange Protocol
Goals: constant rounds; flexible and efficient rekeying; authentication; establishing a group key.

17 Scheme 2: Group Key Exchange (2/10) - Initialization & Setup
Server chooses: a cyclic group $\mathbb{G}$ of large prime order $p$ with a generator $g$; a long-term secret $x$.
Message Authentication Code (MAC): tag generation $\mu = Tag(k, m)$; tag verification $Ver(k, m, \mu)$.

18 Scheme 2: Group Key Exchange (3/10) - Registration Phase
User $U_i$: choose a password $pw_i$.
$U_i \rightarrow S$ (secure channel): $\{ID_i, H(pw_i)\}$
Server $S$ (long-term secret $x$): compute $C_i = H(pw_i) \oplus g^{x \cdot H(ID_i)}$.
$S \rightarrow U_i$ (secure channel): $SC = \{C_i\}$

19 Scheme 2: Group Key Exchange (4/10) - Setup Phase
Server $S$ (long-term secret $x$): choose random number $r \in \mathbb{Z}_p^*$; compute $R_S = g^r g^{-x}$.
$S \rightarrow$ all users (broadcast): $\{R_S\}$
User $U_i$, for $i = 1, 2, \ldots, n$ (smart card holds $C_i = H(pw_i) \oplus g^{x \cdot H(ID_i)}$): input $ID_i$, $pw_i$; choose random number $r_i \in \mathbb{Z}_p^*$; compute
$c_i = C_i \oplus H(pw_i) = g^{x \cdot H(ID_i)}$
$k_i^{mac} = R_S^{H(ID_i)} \cdot c_i = g^{r \cdot H(ID_i)}$
$R_i = g^{r_i}$
$\mu_i = Tag(k_i^{mac}, ID_i \parallel R_i)$
$U_i \rightarrow S$: $\{ID_i, R_i, \mu_i\}$
Server $S$: for $i = 1, 2, \ldots, n$ compute $k_i^{mac} = g^{r \cdot H(ID_i)}$ and verify all the tags $Ver(k_i^{mac}, ID_i \parallel R_i, \mu_i)$. If all users are genuine: choose random $K \in \mathbb{Z}_p^*$; for $i = 1, 2, \ldots, n$ compute
$k_i = K \oplus H(R_i^{r \cdot H(ID_i)}) = K \oplus H(g^{r r_i \cdot H(ID_i)})$
$\mu_{S \to i} = Tag(k_i^{mac}, k_i)$
$S \rightarrow U_i$ (unicast): $\{ID_1, k_1, \mu_{S \to 1}\}, \{ID_2, k_2, \mu_{S \to 2}\}, \ldots, \{ID_n, k_n, \mu_{S \to n}\}$
User $U_i$: verify the tag $\mu_{S \to i}$; compute $K = k_i \oplus H((k_i^{mac})^{r_i})$ and $sk = H(K \parallel R_1 \parallel R_2 \parallel \ldots \parallel R_n)$.

20 Scheme 2: Group Key Exchange (5/10) - Join Phase with Unchanged SK
Suppose that $l$ new members join the group.
$S \rightarrow$ new users (broadcast): $\{R_S\}$
User $U_j$, for $j = n+1, n+2, \ldots, n+l$ (smart card holds $C_j = H(pw_j) \oplus g^{x \cdot H(ID_j)}$): input $ID_j$, $pw_j$; choose random number $r_j \in \mathbb{Z}_p^*$; compute
$c_j = C_j \oplus H(pw_j) = g^{x \cdot H(ID_j)}$
$k_j^{mac} = R_S^{H(ID_j)} \cdot c_j = g^{r \cdot H(ID_j)}$
$R_j = g^{r_j}$
$\mu_j = Tag(k_j^{mac}, ID_j \parallel R_j)$
$U_j \rightarrow$ all (broadcast): $\{ID_j, R_j, \mu_j\}$
Server $S$ (long-term secret $x$): for the $l$ new users compute $k_j^{mac} = g^{r \cdot H(ID_j)}$ and verify all the tags $Ver(k_j^{mac}, ID_j \parallel R_j, \mu_j)$. If all new users are genuine, compute for all new users
$k_j = sk \oplus H(R_j^{r \cdot H(ID_j)}) = sk \oplus H(g^{r r_j \cdot H(ID_j)})$
$\mu_{S \to j} = Tag(k_j^{mac}, k_j)$
$S \rightarrow U_j$ (unicast): $\{ID_{n+1}, k_{n+1}, \mu_{S \to n+1}\}, \{ID_{n+2}, k_{n+2}, \mu_{S \to n+2}\}, \ldots, \{ID_{n+l}, k_{n+l}, \mu_{S \to n+l}\}$
User $U_j$: verify the tag $\mu_{S \to j}$; compute $sk = k_j \oplus H((k_j^{mac})^{r_j})$.

21 Scheme 2: Group Key Exchange (6/10) - Join Phase with New SK
Suppose that $l$ new members join the group.
$S \rightarrow$ new users (broadcast): $\{R_S\}$
User $U_j$, for $j = n+1, n+2, \ldots, n+l$ (smart card holds $C_j = H(pw_j) \oplus g^{x \cdot H(ID_j)}$): input $ID_j$, $pw_j$; choose random number $r_j \in \mathbb{Z}_p^*$; compute
$c_j = C_j \oplus H(pw_j) = g^{x \cdot H(ID_j)}$
$k_j^{mac} = R_S^{H(ID_j)} \cdot c_j = g^{r \cdot H(ID_j)}$
$R_j = g^{r_j}$
$\mu_j = Tag(k_j^{mac}, ID_j \parallel R_j)$
$U_j \rightarrow$ all (broadcast): $\{ID_j, R_j, \mu_j\}$
Server $S$ (long-term secret $x$): for the $l$ new users compute $k_j^{mac} = g^{r \cdot H(ID_j)}$ and verify all the tags $Ver(k_j^{mac}, ID_j \parallel R_j, \mu_j)$. If all new users are genuine: choose a new random $K_{new}$; for $i = 1, 2, \ldots, n+l$ compute
$k_i = K_{new} \oplus H(R_i^{r \cdot H(ID_i)}) = K_{new} \oplus H(g^{r r_i \cdot H(ID_i)})$
$\mu_{S \to i} = Tag(k_i^{mac}, k_i)$
$S \rightarrow U_i$ (unicast): $\{ID_1, k_1, \mu_{S \to 1}\}, \{ID_2, k_2, \mu_{S \to 2}\}, \ldots, \{ID_{n+l}, k_{n+l}, \mu_{S \to n+l}\}$
User $U_i$, for $i = 1, 2, \ldots, n+l$: verify the tag $\mu_{S \to i}$; compute $K_{new} = k_i \oplus H((k_i^{mac})^{r_i})$ and $sk_{new} = H(K_{new} \parallel R_1 \parallel R_2 \parallel \ldots \parallel R_{n+l})$.

22 Scheme 2: Group Key Exchange (7/10) - Remove Phase
Suppose that $l$ users leave the group, $j = n-l+1, n-l+2, \ldots, n$.
Server $S$ (long-term secret $x$): choose a new random $K_{new}$; for $i = 1, 2, \ldots, n-l$ compute
$k_i = K_{new} \oplus H(R_i^{r \cdot H(ID_i)}) = K_{new} \oplus H(g^{r r_i \cdot H(ID_i)})$
$\mu_{S \to i} = Tag(k_i^{mac}, k_i)$
$S \rightarrow U_i$ (unicast): $\{ID_1, k_1, \mu_{S \to 1}\}, \{ID_2, k_2, \mu_{S \to 2}\}, \ldots, \{ID_{n-l}, k_{n-l}, \mu_{S \to n-l}\}$
User $U_i$, for $i = 1, 2, \ldots, n-l$: verify the tag $\mu_{S \to i}$; compute $K_{new} = k_i \oplus H((k_i^{mac})^{r_i})$ and $sk_{new} = H(K_{new} \parallel R_1 \parallel R_2 \parallel \ldots \parallel R_{n-l})$.
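An added example of Scheme 2's setup phase and remove phase (slides 19 and 22), written for this page and not code from the thesis. It uses constructed toy parameters ($\mathbb{Z}_p^*$ for a 127-bit Mersenne prime rather than the prime-order group the thesis assumes), HMAC-SHA256 as the MAC, and a 32-byte random $K$ so that $K \oplus H(\cdot)$ is a plain XOR of equal-length strings.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: Z_p^* for a 127-bit Mersenne prime. The thesis
# assumes a group of large prime order; use a prime-order (sub)group in practice.
P, G = 2**127 - 1, 3


def H(*parts): return hashlib.sha256(b"".join(parts)).digest()
def enc(v): return v.to_bytes(16, "big")                     # group element as bytes
def H_exp(ID): return int.from_bytes(H(ID), "big")           # H(ID_i) used as exponent
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def Tag(k, m): return hmac.new(enc(k), m, "sha256").digest()  # MAC; HMAC stands in
def Ver(k, m, mu): return hmac.compare_digest(Tag(k, m), mu)
def rand_exp(): return secrets.randbelow(P - 2) + 1


class Server:
    def __init__(self):
        self.x, self.r, self.members = rand_exp(), None, {}     # members: ID_i -> R_i

    def register(self, ID, Hpw):            # C_i = H(pw_i) xor g^{x.H(ID_i)}
        return xor(Hpw, enc(pow(G, self.x * H_exp(ID), P)))

    def start(self):                        # R_S = g^r . g^{-x}, broadcast to all
        self.r = rand_exp()
        return pow(G, self.r - self.x, P)

    def kmac(self, ID):                     # k_i^mac = g^{r.H(ID_i)}
        return pow(G, self.r * H_exp(ID), P)

    def distribute(self, K):                # unicast {ID_i, k_i, mu_{S->i}} per member
        out = []
        for ID, R in self.members.items():
            k = xor(K, H(enc(pow(R, self.r * H_exp(ID), P))))   # K xor H(R_i^{r.H(ID_i)})
            out.append((ID, k, Tag(self.kmac(ID), k)))
        return out

    def setup(self, msgs):                  # msgs = [(ID_i, R_i, mu_i), ...]
        for ID, R, mu in msgs:
            if not Ver(self.kmac(ID), ID + enc(R), mu):
                raise ValueError("bad tag from " + ID.decode())
            self.members[ID] = R
        return self.distribute(secrets.token_bytes(32))   # fresh K (32 random bytes)

    def remove(self, leaving):              # rekey so that departed members are excluded
        for ID in leaving:
            del self.members[ID]
        return self.distribute(secrets.token_bytes(32))   # fresh K_new


class User:
    def __init__(self, ID, pw, server):
        self.ID, self.Hpw = ID, H(pw)
        self.C = server.register(ID, self.Hpw)     # smart card content, secure channel

    def respond(self, R_S):
        self.r_i = rand_exp()
        c = int.from_bytes(xor(self.C, self.Hpw), "big")        # g^{x.H(ID_i)}
        self.kmac = pow(R_S, H_exp(self.ID), P) * c % P          # g^{r.H(ID_i)}
        self.R = pow(G, self.r_i, P)
        return (self.ID, self.R, Tag(self.kmac, self.ID + enc(self.R)))

    def derive(self, shares, all_R):
        for ID, k, mu in shares:
            if ID == self.ID and Ver(self.kmac, k, mu):
                K = xor(k, H(enc(pow(self.kmac, self.r_i, P))))  # k_i xor H((k_i^mac)^{r_i})
                return H(K, *map(enc, all_R))       # sk = H(K||R_1||...||R_n)
        raise ValueError("no valid key share for " + self.ID.decode())


def run_setup(server, users):
    R_S = server.start()
    msgs = [u.respond(R_S) for u in users]
    shares = server.setup(msgs)
    return [u.derive(shares, [m[1] for m in msgs]) for u in users]


def run_remove(server, users, leaving):
    shares = server.remove([u.ID for u in leaving])
    staying = [u for u in users if u not in leaving]
    return [u.derive(shares, [s.R for s in staying]) for u in staying]
```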

23 Scheme 2: Group Key Exchange (8/10) - Performance Comparison
Table 3.2 Protocol comparison. Columns: Round; Communication; Computation (Exp, Mul, H, XOR, Enc, MAC). Values as listed per protocol:
Bresson et al. [12]: rounds $n$; communication $n \cdot l_p$; computation $2n$, 3
Dutta et al. [36]: rounds 2; communication $2 l_E$; computation 4, $n-1$, $n+3$
Lee et al. [65]: rounds 2; communication $l_{ID} + l_E + l_H$; computation $n+1$
Abdalla et al. [2]: communication $l_r + 2 l_p + l_H$; computation $n+2$
Ours (server): communication $n \cdot l_r + l_p + n \cdot l_H$; computation $2n+2$, $n$
Ours (user): communication $l_{ID} + l_p + l_H$; computation 1
Notation: $l_p$ = maximum length of the prime number $p$; $l_E$ = maximum length of the ciphertexts; $l_H$ = maximum length of the hash function outputs; $l_{ID}$ = maximum length of the user identities; $l_r$ = maximum length of the random numbers; Exp = maximum number of exponentiations; Mul = multiplications; H = hash operations; XOR = XOR operations; Enc = encryptions and decryptions; MAC = message authentication code operations.

24 Scheme 2: Group Key Exchange (9/10) - Performance Comparison
[12] Bresson, E., Chevassut, O., and Pointcheval, D., "Group Diffie-Hellman key exchange secure against dictionary attacks," in Advances in Cryptology, ASIACRYPT 2002, Springer, 2002.
[36] Dutta, R. and Barua, R., "Password-based encrypted group key agreement," International Journal of Network Security, vol. 3, no. 1, 2006.
[65] Lee, S.M., Hwang, J.Y., and Lee, D.H., "Efficient password-based group key exchange," in Trust and Privacy in Digital Business, Springer, 2004.
[2] Abdalla, M., Bresson, E., Chevassut, O., and Pointcheval, D., "Password-based group key exchange in a constant number of rounds," in Public Key Cryptography, PKC 2006, Springer, 2006.

25 Scheme 2: Group Key Exchange (10/10) - Summaries
A secure two-factor authenticated group key exchange protocol.
Low computation cost on users' devices.
Suitable for mobile devices.

26 Scheme 3: AKE for Mobile Roaming (1/8)
A Novel Untraceable Authentication Scheme for Mobile Roaming in GLOMONET
Goals: mutual authentication; key establishment; session key update; anonymity and untraceability.
[Figure: mobile user, foreign agent and home agent with message flow (1)-(4)]

27 Scheme 3: AKE for Mobile Roaming (2/8) - Registration Phase
MU: choose $b_1$; compute $PW_{MU} = h(pw_{MU} \parallel b_1)$.
MU $\rightarrow$ HA (secure channel): $\{PW_{MU}, ID_{MU}\}$
HA (long-term secret $s$): choose $b_2$, $r$; compute
$PID_{MU} = h(ID_{MU} \parallel b_2)$
$SR = h(r \parallel s)$
$PSR = SR \oplus PW_{MU}$
$DID_{MU} = PID_{MU} \oplus SR$
$VID_{MU} = h(r \parallel PID_{MU})$
Store $DID_{MU}$, $VID_{MU}$ in the database (columns Current-DID, Current-VID, Previous-DID, Previous-VID; at registration the current pair is $DID_{MU}$, $VID_{MU}$).
HA $\rightarrow$ MU: $SC = \{b_2, r, PSR\}$
MU: write $b_1$ into $SC$, giving $SC = \{r, PSR, b_1, b_2\}$.

28 Scheme 3: AKE for Mobile Roaming (3/8) - Authentication Phase
MU ($SC = \{r, PSR, b_1, b_2\}$): choose $r_1$; compute $PW_{MU} = h(pw_{MU} \parallel b_1)$, $SR = PSR \oplus PW_{MU}$, $PID_{MU} = h(ID_{MU} \parallel b_2)$, $DID_{MU} = PID_{MU} \oplus SR$, $R_1 = r_1 \oplus SR$, $V_1 = h(r_1 \parallel PID_{MU} \parallel ID_{FA})$.
MU $\rightarrow$ FA: $m_1 = \{r, DID_{MU}, R_1, V_1, ID_{HA}\}$
FA: select $a$; compute $aP$.
FA $\rightarrow$ HA (secure channel): $m_2 = \{r, DID_{MU}, R_1, V_1, ID_{FA}, aP\}$
HA (long-term secret $s$): compute $SR' = h(r \parallel s)$, $PID_{MU}' = DID_{MU} \oplus SR'$, $VID_{MU}' = h(r \parallel PID_{MU}')$, $r_1' = R_1 \oplus SR'$, $V_1' = h(r_1' \parallel PID_{MU}' \parallel ID_{FA})$. Search the database for $DID_{MU}$ and retrieve $VID_{MU}$; verify $ID_{FA}$; check if $VID_{MU}' = VID_{MU}$ and $V_1' = V_1$. Choose $r_2$; compute
$r^* = r_1' \oplus r_2$
$SR^* = h(r^* \parallel s)$
$R_2 = r_2 \oplus h(SR')$
$MSR = SR^* \oplus r_2$
$V_2 = h(r_2 \parallel SR^* \parallel SR \parallel aP.x \parallel ID_{FA})$
$V_3 = h(r \parallel r^*)$
$PID_{MU}^* = h(r^* \parallel s)$
$DID_{MU}^* = PID_{MU}^* \oplus SR^*$
$VID_{MU}^* = h(r^* \parallel PID_{MU}^*)$
Replace $DID_{MU}$ by $DID_{MU}^*$ and $VID_{MU}$ by $VID_{MU}^*$.
HA $\rightarrow$ FA (secure channel): $m_3 = \{R_2, MSR, V_2, V_3\}$
FA: store $V_3$.
FA $\rightarrow$ MU: $m_4 = \{R_2, MSR, V_2, aP\}$
MU: compute $r_2' = R_2 \oplus h(SR)$, $SR^{*\prime} = MSR \oplus r_2'$, $V_2' = h(r_2' \parallel SR^{*\prime} \parallel SR \parallel aP.x \parallel ID_{FA})$; check if $V_2' = V_2$. Select random number $b$; compute $r^* = r_1 \oplus r_2'$, $V_3 = h(r \parallel r^*)$, $K_{MF} = h(abP.x)$, $C_{MF} = h(K_{MF} \parallel V_3)$.
MU $\rightarrow$ FA: $m_5 = \{bP, C_{MF}\}$
FA: compute $K_{MF} = h(abP.x)$, $C_{MF}' = h(K_{MF} \parallel V_3)$, $C_{MF}^* = h(h(K_{MF}) \parallel V_3)$; check if $C_{MF}' = C_{MF}$; store $C_{MF}^*$ and $V_3$.

29 Scheme 3: AKE for Mobile Roaming (4/8) - Session Key Update Phase
MU: choose $c$; compute $C_{MF}^* = h(h(K_{MF}) \parallel V_3)$ and $V_{MF1} = h(cP.x \parallel V_3)$.
MU $\rightarrow$ FA: $m_6 = \{C_{MF}^*, cP, V_{MF1}\}$
FA: search for $C_{MF}^*$ and retrieve $V_3$ if found; compute $V_{MF1}' = h(cP.x \parallel V_3)$; check if $V_{MF1}' = V_{MF1}$. Choose $d$; compute $K_{MF}^* = h(cdP.x)$ and $V_{MF2} = h(V_3 \parallel K_{MF}^*)$; update $C_{MF}^*$ to $h(h(K_{MF}^*) \parallel V_3)$.
FA $\rightarrow$ MU: $m_7 = \{dP, V_{MF2}\}$
MU: compute $K_{MF}^* = h(cdP.x)$ and $V_{MF2}' = h(V_3 \parallel K_{MF}^*)$; check if $V_{MF2}' = V_{MF2}$.
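An added example of the session key update phase between MU and FA, written for this page and not code from the thesis. The curve operations are replaced by a constructed stand-in ($g^c \bmod p$ for $cP$, $g^{cd} \bmod p$ for $cdP.x$), and the values $K_{MF}$ and $V_3$ that both parties hold after the authentication phase are constructed inputs. The FA table shows why the pseudonym $C_{MF}^*$ is replaced on every run: a replayed $m_6$ no longer matches any entry.

```python
import hashlib
import secrets

# Constructed stand-in for the curve: g^c mod p replaces cP and the shared
# element g^{cd} mod p replaces cdP.x; p is a 127-bit Mersenne prime.
P, G = 2**127 - 1, 3


def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def enc(v): return v.to_bytes(16, "big")
def rand(): return secrets.randbelow(P - 2) + 1


class ForeignAgent:
    def __init__(self):
        self.table = {}                       # C*_MF -> V3, filled after authentication

    def remember(self, K_MF, V3):             # FA stores C*_MF = h(h(K_MF)||V3) and V3
        self.table[h(h(K_MF), V3)] = V3

    def update(self, m6):
        C_star, cP, V_MF1 = m6
        V3 = self.table.pop(C_star, None)     # search for C*_MF; the old entry is consumed
        if V3 is None or h(enc(cP), V3) != V_MF1:
            raise ValueError("unknown C*_MF or V_MF1 mismatch")
        d = rand()
        K_new = h(enc(pow(cP, d, P)))         # K*_MF = h(cdP.x)
        self.table[h(h(K_new), V3)] = V3      # updated C*_MF for the next run
        return pow(G, d, P), h(V3, K_new)     # m7 = {dP, V_MF2}


class MobileUser:
    def __init__(self, K_MF, V3):
        self.K_MF, self.V3 = K_MF, V3         # kept from the authentication phase

    def update(self, fa):
        """Run one update with fa; returns (new K*_MF, the m6 that was sent)."""
        c = rand()
        cP = pow(G, c, P)
        m6 = (h(h(self.K_MF), self.V3), cP, h(enc(cP), self.V3))
        dP, V_MF2 = fa.update(m6)
        K_new = h(enc(pow(dP, c, P)))         # K*_MF = h(cdP.x)
        if h(self.V3, K_new) != V_MF2:
            raise ValueError("V_MF2 mismatch: FA not authenticated")
        self.K_MF = K_new
        return K_new, m6
```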

30 Scheme 3: AKE for Mobile Roaming (5/8) - Password Changing Phase
Suppose $MU$ is already authenticated. $MU$ inputs the new password $pw_{MU}^*$ and computes
$PW_{MU} = h(pw_{MU} \parallel b_1)$
$PW_{MU}^* = h(pw_{MU}^* \parallel b_1)$
$PSR^* = PSR \oplus PW_{MU} \oplus PW_{MU}^*$
and replaces $PSR$ with $PSR^*$.

31 Scheme 3: AKE for Mobile Roaming (6/8) - Performance
Table 4.3 Comparison regarding security properties, for Mun et al. [76], Xie et al. [96], Kuo et al. [60] and ours. Properties compared:
Achieve anonymity
Achieve untraceability
Provide perfect forward secrecy
Prevent disclosure of the user's password
Prevent replay attack
Provide mutual authentication (MU-HA)
Provide mutual authentication (MU-FA)
Prevent man-in-the-middle attack
Session key security
Smart card lost attack
Stolen verifier attack
[76] Mun, H., Han, K., Lee, Y.S., Yeun, C.Y., and Choi, H.H., "Enhanced secure anonymous authentication scheme for roaming service in global mobility networks," Mathematical and Computer Modelling, vol. 55, no. 1, 2012.
[96] Xie, Q., Hu, B., Tan, X., Bao, M.,, and Yu, X., "Robust anonymous two-factor authentication scheme for roaming service in global mobility network," Wireless Personal Communications, vol. 74, no. 2, 2014.
[60] Kuo, W.-C., Wei, H.-J., and Cheng, J.-C., "An efficient and secure anonymous mobility network authentication scheme," Journal of Information Security and Applications, 2014.

32 Scheme 3: AKE for Mobile Roaming (7/8) - Performance
Table 4.4 Comparison regarding computation costs
$MU$: Mun et al. [76] $2t_p + t_s + 5t_h + 2t_{XOR}$; Xie et al. [96] $3t_e + 4t_h + 2t_s + t_{XOR}$; Kuo et al. [60] $2t_p + 9t_h + 6t_{XOR}$; ours $2t_p + 7t_h + 7t_{XOR}$
$FA$: Mun et al. [76] $2t_p + t_s + 4t_h + 2t_{XOR}$; Xie et al. [96] $3t_e + 2t_h + 3t_s$; Kuo et al. [60] $2t_p + 2t_h$; ours $2t_p + 3t_h$
$HA$: Mun et al. [76] $5t_h + 3t_{XOR}$; Xie et al. [96] $2t_e + t_h + 4t_s + t_{XOR}$; Kuo et al. [60] $6t_h + 2t_{XOR}$; ours $8t_h + 6t_{XOR}$
Total: Mun et al. [76] $4t_p + 2t_s + 14t_h + 7t_{XOR}$; Xie et al. [96] $8t_e + 7t_h + 9t_s + 2t_{XOR}$; Kuo et al. [60] $4t_p + 11t_h + 8t_{XOR}$; ours $4t_p + 18t_h + 13t_{XOR}$
Notation: $t_e$ = time for a modular exponentiation; $t_p$ = time for an elliptic curve point multiplication; $t_s$ = time for a symmetric encryption/decryption; $t_h$ = time for a hash operation; $t_{XOR}$ = time for an XOR operation.

33 Scheme 3: AKE for Mobile Roaming (8/8) - Summaries
Achieves mutual authentication for $MU$-$HA$ and $MU$-$FA$.
The mobile user's activities are not traceable.
Perfect forward secrecy.
Very efficient and suitable for use in mobile networks.

34 Scheme 4: AKE for Wireless Sensor Networks
A Provably Secure, Efficient and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks
Sensor nodes: low battery power; low computation power; deployed in hostile environments.
[Figure: wireless sensor network with user, sensor nodes and gateway node; message flow (1)-(4)]
Goals: mutual authentication (user-sensor, user-gateway, sensor-gateway); key establishment; anonymity.

35 Scheme 4: AKE for Wireless Sensor Networks - Protocol $\mathcal{P}_1$: Pre-deployment Phase
GWN: compute $f_j = h(SID_j \parallel X_{GWN})$.
GWN $\rightarrow S_j$: $\{f_j\}$
$S_j$: write $f_j$ into its memory.

36 Scheme 4: AKE for Wireless Sensor Networks (1/8) - Registration Phase
User $U_i$: select random $r_i$; compute $MP_i = h(r_i \parallel PW_i)$.
$U_i \rightarrow$ GWN (secure channel): $m_{Ureg} = \{ID_i, MP_i\}$
GWN: choose a random $r_i'$; compute $MI_i = h(r_i' \parallel ID_i)$, $f_i = h(MI_i \parallel X_{GWN})$, $e_i = MP_i \oplus f_i$; create a smart card $SC_i = \{MI_i, e_i\}$.
GWN $\rightarrow U_i$ (secure channel): $SC_i = \{MI_i, e_i\}$
User $U_i$: write $r_i$ into $SC_i$, giving $SC_i = \{MI_i, e_i, r_i\}$.

37 Scheme 4: AKE for Wireless Sensor Networks (2/8) - Protocol $\mathcal{P}_1$: Authentication Phase
User $U_i$: input $ID_i$, $PW_i$; get timestamp $T_1$. $SC$ computes $MP_i = h(r_i \parallel PW_i)$, $f_i = e_i \oplus MP_i$, $Y_i = h(f_i \parallel T_1)$; select a random nonce $K_i$; compute $Z_i = K_i \oplus Y_i$ and $N_i = h(Y_i \parallel MI_i \parallel SID_j)$.
$U_i \rightarrow S_j$: $m_1 = \{MI_i, Z_i, N_i, T_1\}$
Sensor $S_j$ (holds $f_j = h(SID_j \parallel X_{GWN})$): check $T_1$; get timestamp $T_2$; compute $A_j = h(f_j \parallel N_i \parallel T_2)$.
$S_j \rightarrow$ GWN: $m_2 = \{MI_i, N_i, SID_j, A_j, T_1, T_2\}$
GWN: check $T_1$, $T_2$; compute $f_j' = h(SID_j \parallel X_{GWN})$, $A_j' = h(f_j' \parallel N_i \parallel T_2)$, $f_i' = h(MI_i \parallel X_{GWN})$, $Y_i' = h(f_i' \parallel T_1)$, $N_i' = h(Y_i' \parallel MI_i \parallel SID_j)$; check if $N_i' = N_i$ and $A_j' = A_j$; get timestamp $T_3$; compute $F_{ij} = Y_i' \oplus h(f_j' \parallel T_3)$, $H_j = h(Y_i')$, $E_i = h(f_i' \parallel N_i')$.
GWN $\rightarrow S_j$: $m_3 = \{F_{ij}, H_j, E_i, T_3\}$
Sensor $S_j$: check $T_3$; compute $Y_i' = h(f_j \parallel T_3) \oplus F_{ij}$ and $H_j' = h(Y_i')$; check if $H_j' = H_j$; compute $K_i = Z_i \oplus Y_i'$; select $K_j$; get timestamp $T_4$; compute $R_{ij} = h(K_i \parallel T_4) \oplus K_j$ and $SK = h(K_i \oplus K_j)$.
$S_j \rightarrow U_i$: $m_4 = \{R_{ij}, E_i, T_4\}$
User $U_i$: check $T_4$; compute $E_i' = h(f_i \parallel N_i)$; check if $E_i' = E_i$; compute $K_j' = R_{ij} \oplus h(K_i \parallel T_4)$ and $SK = h(K_i \oplus K_j')$.

38 Scheme 4: AKE for Wireless Sensor Networks (3/8) - Protocol $\mathcal{P}_2$: Authentication Phase
The message flow $m_1$ to $m_4$ and all checks are the same as in Protocol $\mathcal{P}_1$ (slide 37); only the key material changes:
User $U_i$: instead of a random nonce, select $a \in \mathbb{Z}_p$ and compute $K_i = aP$; then $Z_i = K_i \oplus Y_i$ as before.
Sensor $S_j$: after recovering $K_i = Z_i \oplus Y_i'$, select $b \in \mathbb{Z}_p$ and compute $K_j = bP$, $R_{ij} = h(K_i \parallel T_4) \oplus K_j$ and $SK = h(abP.x)$.
User $U_i$: after checking $E_i$, compute $K_j' = R_{ij} \oplus h(K_i \parallel T_4)$ and $SK = h(abP.x)$.

39 Scheme 4: AKE for Wireless Sensor Networks (4/8) - Password Changing Phase
User $U_i$: log in to the server; input the new password $PW_i^{new}$; compute
$MP_i = h(r_i \parallel PW_i)$
$MP_i^{new} = h(r_i \parallel PW_i^{new})$
$e_i^{new} = e_i \oplus MP_i \oplus MP_i^{new}$
and replace $e_i$ with $e_i^{new}$ in $SC$'s memory.
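An added example of Scheme 4's Protocol $\mathcal{P}_1$ end to end (pre-deployment, registration, the four-message authentication with timestamp checks, and password change), written for this page and not code from the thesis. SHA-256 stands in for $h$, and the freshness window for the "Check $T$" steps is an assumed value, since the slides do not give one.

```python
import hashlib
import secrets
import time

L = 32
WINDOW = 5.0        # assumed freshness window (seconds) for the timestamp checks


def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def now(): return repr(time.time()).encode()


def check_fresh(T):
    if abs(time.time() - float(T)) > WINDOW:
        raise ValueError("stale timestamp")


class Gateway:
    def __init__(self):
        self.X = secrets.token_bytes(L)                      # X_GWN

    def predeploy(self, SID):                                # f_j = h(SID_j||X_GWN)
        return h(SID, self.X)

    def register(self, ID, MP):                              # m_Ureg = {ID_i, MP_i}
        MI = h(secrets.token_bytes(L), ID)                   # MI_i = h(r_i'||ID_i)
        return MI, xor(MP, h(MI, self.X))                    # SC_i = {MI_i, e_i}

    def handle_m2(self, m2):
        MI, N, SID, A, T1, T2 = m2
        check_fresh(T1); check_fresh(T2)
        fj, fi = h(SID, self.X), h(MI, self.X)
        Y = h(fi, T1)
        if h(fj, N, T2) != A or h(Y, MI, SID) != N:         # A_j' = A_j and N_i' = N_i
            raise ValueError("m2 rejected by GWN")
        T3 = now()
        return xor(Y, h(fj, T3)), h(Y), h(fi, N), T3          # m3 = {F_ij, H_j, E_i, T3}


class Sensor:
    def __init__(self, SID, gw):
        self.SID, self.f, self.SK = SID, gw.predeploy(SID), None

    def handle_m1(self, m1, gw):
        MI, Z, N, T1 = m1
        check_fresh(T1)
        T2 = now()
        m2 = (MI, N, self.SID, h(self.f, N, T2), T1, T2)     # A_j = h(f_j||N_i||T2)
        F, Hj, E, T3 = gw.handle_m2(m2)
        check_fresh(T3)
        Y = xor(h(self.f, T3), F)                            # Y_i' = h(f_j||T3) xor F_ij
        if h(Y) != Hj:
            raise ValueError("m3 rejected by sensor")
        Ki, Kj, T4 = xor(Z, Y), secrets.token_bytes(L), now()
        self.SK = h(xor(Ki, Kj))
        return xor(h(Ki, T4), Kj), E, T4                     # m4 = {R_ij, E_i, T4}


class User:
    def __init__(self, ID, PW, gw):
        self.r = secrets.token_bytes(L)
        self.MI, self.e = gw.register(ID, h(self.r, PW))     # card holds {MI_i, e_i, r_i}

    def change_password(self, PW, PW_new):                   # e_i_new = e_i xor MP_i xor MP_i_new
        self.e = xor(xor(self.e, h(self.r, PW)), h(self.r, PW_new))

    def login(self, PW, sensor, gw):
        T1 = now()
        f = xor(self.e, h(self.r, PW))                       # f_i = e_i xor MP_i
        Y = h(f, T1)
        Ki = secrets.token_bytes(L)
        N = h(Y, self.MI, sensor.SID)
        R, E, T4 = sensor.handle_m1((self.MI, xor(Ki, Y), N, T1), gw)
        check_fresh(T4)
        if h(f, N) != E:                                     # E_i' = E_i
            raise ValueError("m4 rejected by user")
        return h(xor(Ki, xor(R, h(Ki, T4))))                 # SK = h(K_i xor K_j')
```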

40 Scheme 4: AKE for Wireless Sensor Networks (5/8) - Performance Comparison
Table 5.2 Comparison of computation cost with lightweight protocols (columns: Li et al. [68], Turkanovic et al. [88], $\mathcal{P}_1$; values as listed):
User: $9t_h + 6t_{XOR}$ (≈ 0.0045 s); $7t_h + 4t_{XOR}$
Sensor: $5t_h + 3t_{XOR}$; $5t_h + 6t_{XOR}$; $5t_h + 4t_{XOR}$
Gateway: $12t_h + 6t_{XOR}$ (≈ 0.006 s); $8t_h + 1t_{XOR}$ (≈ 0.004 s)
Notation: $t_h$ = time for a hash operation; $t_{XOR}$ = time for an XOR operation.
[68] Li, C.T., Weng, C.Y., and Lee, C.C., "An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks," Sensors, vol. 13, no. 8, 2013.
[88] Turkanovic, M., Brumen, B., and Holbl, M., "A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion," Ad Hoc Networks, vol. 20, 2014.

41 Scheme 4: AKE for Wireless Sensor Networks (6/8) - Performance Comparison
Table 5.3 Comparison of computation cost with ECC based protocols
User: Shi et al. [78] $3t_{mul} + 5t_h$; Choi et al. [27] $3t_{mul} + 9t_h$; $\mathcal{P}_2$ $2t_{mul} + 7t_h$
Sensor: Shi et al. [78] $2t_{mul} + 3t_h$; Choi et al. [27] $2t_{mul} + 6t_h$; $\mathcal{P}_2$ $2t_{mul} + 5t_h$
Gateway: Shi et al. [78] $1t_{mul} + 4t_h$; Choi et al. [27] $1t_{mul} + 5t_h$; $\mathcal{P}_2$ $9t_h$
Notation: $t_{mul}$ = time for an elliptic curve point multiplication; $t_h$ = time for a hash operation; $t_{XOR}$ = time for an XOR operation.
[27] Choi, Y., Lee, D., Kim, J., Jung, J., Nam, J., and Won, D., "Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography," Sensors, vol. 14, no. 6, 2014.
[78] Shi, W. and Gong, P., "A new user authentication protocol for wireless sensor networks using elliptic curves cryptography," International Journal of Distributed Sensor Networks, vol. 2013, 2013.

42 Scheme 4: AKE for Wireless Sensor Networks (7/8) - Performance Comparison
Table 5.4 Comparison of security features, for Li et al. [68], Turkanovic et al. [88], Shi et al. [78], Choi et al. [27], $\mathcal{P}_1$ and $\mathcal{P}_2$. Features compared:
Mutual authentication
Session key security
Perfect forward secrecy
Replay attack
Smart card lost attack
User anonymity
Impersonation attack
Stolen verifier attack

43 Scheme 4: AKE for Wireless Sensor Networks (8/8) - Summaries
Two authentication schemes for wireless sensor networks: $\mathcal{P}_1$ is efficient; $\mathcal{P}_2$ provides perfect forward secrecy.
Switching between the two modes is easy.
Anonymity.

44 Scheme 5: Three-factor AKE (1/7)
Provably Secure and Efficient Three-Factor Authenticated Key Agreement Scheme with Untraceability
[Figure: user with password, server with verification table, authentication between them]
Goals: mutual authentication; session key establishment; a more secure scheme; anonymity and untraceability; prevent password-guessing attacks after the smart card is stolen.

45 Scheme 5: Three-factor AKE (2/7) - Registration Phase
User $U$: choose $pw$, $b$, $r_0$; compute $PW = h(pw \parallel b)$ and $m_{reg1} = \{ID, PW \oplus H(BIO_{Re}), PW \oplus r_0\}$.
$U \rightarrow S$: $m_{reg1}$
Server $S$: select $r$; compute $V_0 = h(ID \parallel r) \oplus PW \oplus r_0$; encrypt using secret $s$: $IM = E_s(ID \parallel r \parallel PW \oplus H(BIO_{Re}))$.
$S \rightarrow U$ (secure channel): $SC = \{V_0, IM\}$
User $U$: compute $V = V_0 \oplus r_0$; replace $V_0$ with $V$; write $b$ into the smart card's memory.

46 Scheme 5: Three-factor AKE (3/7) - Authentication Phase
User $U$ ($SC = \{b, V, IM\}$): choose $r_1$; compute $PW' = h(pw \parallel b)$, $V' = V \oplus PW' = h(ID \parallel r)$, $T_1 = h(V' \oplus r_1) \oplus PW' \oplus H(BIO_t)$.
$U \rightarrow S$: $m_1 = \{r_1, T_1, IM\}$
Server $S$: decrypt $IM \rightarrow ID, r, PW \oplus H(BIO_{Re})$; compute $PW' \oplus H(BIO_t) = T_1 \oplus h(h(ID \parallel r) \oplus r_1)$; check if $d(PW' \oplus H(BIO_t), PW \oplus H(BIO_{Re})) < \epsilon$. If yes, select $r_{new}$, $r_2$ and compute
$V_{new} = h(ID \parallel r_{new})$
$IM_{new} = E_s(ID \parallel r_{new} \parallel PW \oplus H(BIO_{Re}))$
$T_2 = E_{V'}(r_1 \parallel r_2 \parallel V_{new} \parallel IM_{new})$
$K = h(r_2 \parallel V')$
$S \rightarrow U$: $m_2 = \{T_2\}$
User $U$: decrypt $T_2 \rightarrow r_1, r_2, V_{new}, IM_{new}$; check if $r_1$ is valid; compute $K = h(r_2 \parallel V')$ and $T_3 = h(r_2 + 1)$; replace $V$ with $V_{new}$ and $IM$ with $IM_{new}$.
$U \rightarrow S$: $m_3 = \{T_3\}$
Server $S$: verify $T_3$.

47 Scheme 5: Three-factor AKE (4/7) - Password Change Phase
User $U$: input $pw$ and $pw_{new}$; compute $V_{new} = V \oplus h(pw \parallel b) \oplus h(pw_{new} \parallel b)$; replace $V$ with $V_{new}$ in the $SC$'s memory.
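An added example of the server-side biometric check in Scheme 5's authentication phase (slides 45 and 46), written for this page and not code from the thesis. It covers only the construction and verification of $T_1$: the server is given the values it would recover by decrypting $IM$, $H(BIO)$ is treated as a 256-bit binary feature template (constructed random bytes, with a "fresh reading" made by flipping a few bits), $d$ is the Hamming distance, and the tolerance $\epsilon$ is an assumed value.

```python
import hashlib
import secrets

L = 32
EPSILON = 16     # assumed tolerance: templates fewer than 16 bits apart count as a match


def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def d(a, b): return sum(bin(x).count("1") for x in xor(a, b))   # Hamming distance


def flip_bits(tpl, positions):
    """Constructed fresh reading: the stored template with the given bits flipped."""
    b = bytearray(tpl)
    for i in positions:
        b[i // 8] ^= 1 << (i % 8)
    return bytes(b)


class Server:
    """Holds what S recovers by decrypting IM: ID, r and PW xor H(BIO_Re).
    The encryption of IM under s is out of scope; only the m1 check is shown."""

    def __init__(self, ID, r, pw_bio):
        self.ID, self.r, self.pw_bio = ID, r, pw_bio

    def check_m1(self, r1, T1):
        cand = xor(T1, h(xor(h(self.ID, self.r), r1)))      # PW' xor H(BIO_t)
        return d(cand, self.pw_bio) < EPSILON                # d(., PW xor H(BIO_Re)) < eps


def register(ID, pw, b, H_bio_re):
    """Registration outcome: card value V = h(ID||r) xor PW and the server's record."""
    r = secrets.token_bytes(L)
    PW = h(pw, b)
    V = xor(h(ID, r), PW)                  # V = V0 xor r0, with V0 = h(ID||r) xor PW xor r0
    return V, Server(ID, r, xor(PW, H_bio_re))


def make_m1(pw, b, V, H_bio_t):
    """User side: m1 = {r1, T1} with T1 = h(V' xor r1) xor PW' xor H(BIO_t)."""
    PW = h(pw, b)
    V_ = xor(V, PW)                        # V' = h(ID||r)
    r1 = secrets.token_bytes(L)
    return r1, xor(xor(h(xor(V_, r1)), PW), H_bio_t)
```

With the right password the distance is exactly the number of bits by which the fresh template differs from the enrolled one; with a wrong password the two hashes no longer cancel and the distance is around 128, so the check fails.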

48 Scheme 5: Three-factor AKE (5/7) - Performance
Table 6.1 Comparison of computation cost (columns: Chang et al. [23], Li-Hwang [67], Das [30], Li et al. [69], our protocol; $t_s$, $t_h$, $t_X$ = times for a symmetric encryption/decryption, a hash operation and an exclusive-or operation, respectively):
Registration, user: $1t_h + 1t_X$; $2t_h + 2t_X$
Registration, server: Chang et al. [23] $1t_s + 1t_h + 2t_X$; Li-Hwang [67] $3t_h + 1t_X$; Das [30] $3t_h + 2t_X$; Li et al. [69] $4t_h + 2t_X$; ours $1t_s + 1t_h + 1t_X$
Login, user: Chang et al. [23] $1t_s + 3t_h + 3t_X$; Li-Hwang [67] $4t_h + 3t_X$; Das [30] $5t_h + 4t_X$; Li et al. [69] $2t_h + 5t_X$; ours $1t_s + 5t_h + 4t_X$
Login, server: $3t_s + 3t_h + 3t_X$; $5t_h + 2t_X$; $3t_h + 4t_X$; $3t_s + 5t_h + 1t_X$
[23] Chang, C.C., Le, H.D., and Chang, C.H., "Novel untraceable authenticated key agreement protocol suitable for mobile communication," Wireless Personal Communications, vol. 71, no. 1, 2013.
[30] Das, A.K., "Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards," IET Information Security, vol. 5, no. 3, 2011.
[67] Li, C.T. and Hwang, M.S., "An efficient biometrics-based remote user authentication scheme using smart cards," Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1-5, 2010.
[69] Li, J.P., Ding, Y.M., Xiong, Z.G., and Liu, S.Y., "An improved biometric-based user authentication scheme for C/S system," International Journal of Distributed Sensor Networks, 2014.

49 Scheme 5: Three-factor AKE (6/7) - Performance
Table 6.2 Comparison of security features, for Chang et al. [23], Li-Hwang [67], Das [30], Li et al. [69] and our protocol. Features compared:
Mutual authentication
Key agreement
User untraceability
Dictionary attack
Replay attack
Impersonation attack
Server masquerading attack
Stolen smart card attack
Man-in-the-middle attack
Insider attack
Denial-of-service

50 Scheme 5: Three-factor AKE (7/7) - Summaries
A secure three-factor authentication and key agreement scheme.
Biometric template as the third authentication factor.
User untraceability.
Suitable for mobile applications.

51 Conclusions
AKE protocols for the following networks: client-server; group key exchange; mobile roaming; wireless sensor networks.
Efficient and mobile-friendly.
Provide anonymity and untraceability.

52 Future Works
Authentication in Near Field Communication (NFC).
Combining smart card and biometrics.

