Date: 2011/09/28  Presenter: 向峻霈  Source: Ren-Chiun Wang, Wen-Shenq Juang


1 A lightweight key agreement protocol with user anonymity in ubiquitous computing environments
Date: 2011/09/28  Presenter: 向峻霈  Source: Ren-Chiun Wang, Wen-Shenq Juang, Chen-Chi Wu, Chin-Laung Lei, Multimedia and Ubiquitous Engineering, pp. , 2007

2 Outline
1 Introduction
2 Related work
3 Proposed scheme
4 Functionality comparison
5 Conclusion

3 Introduction
When a user wants to get a permitted service from a server, two things are needed:
Authentication
Key agreement, for protecting the communications between the users and the servers (e.g. the Diffie-Hellman and RSA algorithms)

4 Introduction
The previous protocols are not suitable for ubiquitous computing environments: the client and the server have to consume much power to compute the exchanged messages and to hold a long private key.

5 Related work
Review and analyze the security of the SIKA protocol.

6 Key generation phase (SIKA)
SCPC sets up the system parameters:
Ns = p * q
selects two integers e and d such that e * d = 1 mod φ(Ns), where φ(N) = (p-1)(q-1)
chooses a generator g in the field ZN
a hash function H(m) on a message m
a symmetric-key cryptosystem such as AES
public parameters: e, N, g and ID; secret: d, p, q

7 Anonymous user identification and key agreement phase (SIKA)
Client -> Server: service request
Server: Ps = IDs^d mod N; Z = g^k × Ps^(-1) mod N; W = gs^v with v = H(Z,T,IDs)^ds; M2 = (Z,T,W)
Server -> Client: M2
Client: u = H(Z,T,IDs); checks W^es mod Ns = gs^u mod Ns; a = Z^e × IDs mod N; Kij = a^t mod N; x = g^(et) mod N; p = g^t × Pi^H(x,T'); y = E_Kij(IDi); M3 = (x,y,p,T')
Client -> Server: M3
Server: Kij = x^k mod N; D_Kij(y) -> IDi; checks whether IDi exists in the ID table; checks x × IDi^H(x,T') mod N = p^e mod N; accepts this login request

8 Security analysis (SIKA)
Same message flow as slide 7, with the following annotated on it:
Client C: a = IDc^(H(x,T')d) × b × g^t mod N
Client D: b = IDD^(H(x,T')d)
m(m-1)/2 valid clients
Accepts this login request

9 Proposed scheme
Key generation phase
Anonymous user identification and key agreement phase

10 Key generation phase
SCPC sets up the system parameters:
chooses a large prime number p
Ep: y^2 = x^3 + ax + b over Zp, with a, b in Zp and 4a^3 + 27b^2 mod p ≠ 0
G is a generator point of a large order

11 Key generation phase
SCPC sets up the system parameters for each registered user (clients and servers):
selects a random number Xi in Z*p (the user's secret key)
computes the corresponding public key PKi = Xi × G
publishes the public key table (public keys and identities); the server discloses its identity and public key
Identity / Public key:
ID1 / PK1 = X1 × G
ID2 / PK2 = X2 × G
IDs / PKs = Xs × G

12 Anonymous user identification and key agreement phase
Client: T1 = t1 × G; Key1 = t1 × PKs; M1 = E_Key1(IDi, Nonce1)
Client -> Server: service request (T1, M1)
Server: Key1 = T1 × Xs; D_Key1(M1) -> (IDi, Nonce1); checks whether IDi exists in the ID table; Key2 = t2 × PKi; Key3 = T1 × t2; T2 = t2 × G; M2 = E_Key2(H(Key3||Nonce1), Nonce2)
Server -> Client: (T2, M2)
Client: Key2 = T2 × Xi; Key3 = T2 × t1; D_Key2(M2) -> verifies H(Key3||Nonce1); SK = H(Key3)
Client -> Server: H(Key3||Nonce2)
Server: verifies H(Key3||Nonce2); SK = H(Key3); accepts this login request
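The key generation and key agreement phases of slides 10 to 12, written out end to end as a runnable Python example. This is added here and is not code from the slides or from Wang, Juang, Wu and Lei. Where the slides leave a choice open, the following are assumptions: the curve SCPC chooses is secp256k1 (its standard parameters are used for p, a, b, G and the order N), H is SHA-256, the symmetric cipher E/D is a SHA-256 keystream XOR standing in for AES, nonces are 16 bytes, and the function names (keygen, client_request, server_respond, client_finish, server_finish, run) are mine. The identity string and the server's public key table are constructed sample values.

```python
import hashlib
import hmac
import secrets
# Key generation phase (slide 10): SCPC fixes E_p: y^2 = x^3 + ax + b over Z_p and a
# generator G of large prime order N.  Assumption: the secp256k1 parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (4 * A ** 3 + 27 * B ** 2) % P != 0      # non-singular curve, as slide 10 requires
NONCE_LEN = 16                                  # assumption: 16-byte nonces

def on_curve(pt):
    """True only for an affine point on E_p; rejects invalid-curve inputs."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                               # double-and-add scalar multiplication k x pt
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def pt_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(*parts):                                   # the one-way hash H: SHA-256 (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def sym(key_pt, data):
    """E_key / D_key: XOR with a SHA-256 keystream derived from the shared point, a
    stand-in for the AES-style cipher the slides name; one call encrypts and decrypts."""
    ks = b"".join(H(pt_bytes(key_pt), i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def keygen(x=None):                              # slide 11: secret Xi, public PKi = Xi x G
    x = x or secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def client_request(id_i, pk_s, t1=None, nonce1=None):
    """Client step 1: (T1, M1); IDi travels only under Key1 = t1 x PKs."""
    t1 = t1 or secrets.randbelow(N - 1) + 1
    nonce1 = nonce1 or secrets.token_bytes(NONCE_LEN)
    M1 = sym(ec_mul(t1, pk_s), id_i + nonce1)
    return (ec_mul(t1, G), M1), {"t1": t1, "nonce1": nonce1}

def server_respond(x_s, id_table, T1, M1, t2=None, nonce2=None):
    """Server: recover IDi, check it against the public key table, answer with (T2, M2)."""
    if not on_curve(T1):
        raise ValueError("T1 is not a point on the curve")
    plain = sym(ec_mul(x_s, T1), M1)                    # Key1 = T1 x Xs
    id_i, nonce1 = plain[:-NONCE_LEN], plain[-NONCE_LEN:]
    if id_i not in id_table:                            # "checks whether IDi exists in the ID table"
        raise ValueError("unknown identity")
    t2 = t2 or secrets.randbelow(N - 1) + 1
    nonce2 = nonce2 or secrets.token_bytes(NONCE_LEN)
    key3 = ec_mul(t2, T1)                               # Key3 = T1 x t2
    M2 = sym(ec_mul(t2, id_table[id_i]), H(pt_bytes(key3), nonce1) + nonce2)   # Key2 = t2 x PKi
    return (ec_mul(t2, G), M2), {"key3": key3, "nonce2": nonce2}

def client_finish(x_i, st, T2, M2):
    """Client step 2: authenticate the server by H(Key3||Nonce1); return (M3, SK)."""
    if not on_curve(T2):
        raise ValueError("T2 is not a point on the curve")
    key3 = ec_mul(st["t1"], T2)                         # Key3 = T2 x t1
    plain = sym(ec_mul(x_i, T2), M2)                    # Key2 = T2 x Xi
    tag, nonce2 = plain[:32], plain[32:]
    if not hmac.compare_digest(tag, H(pt_bytes(key3), st["nonce1"])):
        raise ValueError("server authentication failed")  # only Xs yields Key1 and so Nonce1
    return H(pt_bytes(key3), nonce2), H(pt_bytes(key3))

def server_finish(st, M3):
    """Server step 2: verify H(Key3||Nonce2) (only Xi yields Key2 and so Nonce2); SK = H(Key3)."""
    if not hmac.compare_digest(M3, H(pt_bytes(st["key3"]), st["nonce2"])):
        raise ValueError("client authentication failed")
    return H(pt_bytes(st["key3"]))

def run(id_i, x_i, x_s, pk_s, id_table, t1=None, t2=None):
    """Whole exchange; returns (client SK, server SK, the bytes an eavesdropper sees)."""
    (T1, M1), cst = client_request(id_i, pk_s, t1)
    (T2, M2), sst = server_respond(x_s, id_table, T1, M1, t2)
    M3, sk_c = client_finish(x_i, cst, T2, M2)
    return sk_c, server_finish(sst, M3), pt_bytes(T1) + M1 + pt_bytes(T2) + M2 + M3
```

Calling run() with two key pairs from keygen() and a one-entry table returns the same SK at both ends while the identity string never appears in the wire bytes (the anonymity property of slide 20); an identity missing from the table is rejected at the lookup, a party that does not hold Xi cannot recover Nonce2 from M2 (the impersonation argument of slide 17), and received points are checked to lie on the curve before any scalar multiplication.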

13 Security analysis
Withstanding:
the server spoofing attack
the known-key attack
the replay attack
the impersonation attack
the denial of service attack
Perfect forward secrecy
Anonymity

14 Security analysis 1/7: The server spoofing attack
Same message flow as slide 12, with the server spoofing attack marked on it.

15 Security analysis 2/7: The known-key attack
Same message flow as slide 12. Annotation: the attacker would have to solve the elliptic curve discrete logarithm problem.

16 Security analysis 3/7: The replay attack
Same message flow as slide 12, with the replay attack marked on it.

17 Security analysis 4/7: The impersonation attack
Same message flow as slide 12. Annotation: 1. forging a new IDi; 2. decrypting M2 with D_Key2(M2) requires Xi.

18 Security analysis 5/7: The denial of service attack
Same message flow as slide 12. Annotation: sending a forged message would require solving the elliptic curve discrete logarithm problem.

19 Security analysis 6/7: Perfect forward secrecy
Same message flow as slide 12. Annotation: the attacker would have to solve the elliptic curve discrete logarithm problem.

20 Security analysis 7/7: Anonymity
Same message flow as slide 12, with the anonymity property marked on it.

21 Functionality comparison
TH: the time of one one-way hashing operation
TEXP: the time of one exponential operation
TINVERSE: the time of one modular inverse operation
TSYM: the time of one symmetric encryption or decryption
TM: the time of one modular multiplication
TECM: the time of one scalar multiplication of a point over an elliptic curve

22 Computation cost (columns: protocol, year, secret token + public key, communication cost, computation cost)
Our protocol (2007): 1; 163 bits × 2 = 326 bits; 6TH + 8TECM + 4TSYM = 6TH + 232TM + 4TSYM
SIKA (2006): 1 + (1 + n) (SCPC's and n servers' public keys); 1024 bits; 4TH + 12TEXP + 2TSYM + 6TM + 1TINVERSE = 4TH + 2TSYM + 2886TM + 1TINVERSE
Lee-Chang's protocol (2000): 1 + 1 (SCPC's public key); 2TH + 9TEXP + 7TM + 1TINVERSE = 2TH + 2167TM + 1TINVERSE
Wu-Hsu's protocol (2004): 2TH + 8TEXP + 5TM + 2TINVERSE = 2TH + 1925TM + 2TINVERSE
Yang et al.'s protocol: 2TH + 9TEXP + 1TINVERSE + 2TSYM + 5TM = 2TH + 165TM + 2TSYM + 1TINVERSE

23 Functionality comparison
C1: No password or password file
C2: Mutual authentication
C3: Session key agreement
C4: Communication and computation cost
C5: No time synchronization problem
C6: No need to hold the system's or other participants' public keys
C7: The identity of the client cannot be traced
C8: Denial of service attack cannot work in the protocol
C9: No one can impersonate the server to cheat the client
C10: No one can impersonate a valid client to obtain the service from the server

24 Functionality comparison
Table comparing our protocol, SIKA, Lee-Chang's protocol, Wu-Hsu's protocol and Yang et al.'s protocol on C1 to C10; only scattered cell values survive in the transcript (Yes, No; for C4: Very low, Large).

25 Conclusion
Each user only needs to maintain his secret token and can use it to access several service providers.
The service providers do not need to maintain a password file for verifying the users' login requests.
If a new service provider joins the system, the user's master key does not need to be updated.

26 Thank You !

