Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur 2004.05.12.

Published byKarlie Hopes Modified over 9 years ago

Similar presentations

Presentation on theme: "1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur 2004.05.12."— Presentation transcript:

1 1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur 2004.05.12

2 2 Outline Introduction Review of Yeh-Shen-Hwang’s (YSH) Scheme Stolen-Verifier Attack on YSH Scheme Problems with Re-registration of YSH Scheme Conclusions

3 3 Introduction (1/2) Traditional static password (wiretapping attack) One-time password Public key basedHash function based S/KEY, SAS, OSPA…

4 4 Introduction (2/2) Yeh-Shen-Hwang’s Scheme (2002) –An improved version of S/KEY using smart cards –Can defeat Preplay Attack, Denial-of-Service Attack and Server Spoofing Attack –A session key is established during authentication phase –Weakness Stolen-verifier attack –Drawback Problems with re-registration

5 5 Notations NotationDescription SEEDThe preshared secret between a user and a server KA secret derived from a user’s password NThe permitted number of login times TNumber of a user has successfully login a server H () A cryptographic hash function DA random number generated by a server ⊕ Bit XOR operation

6 6 YSH Scheme: Registration Phase user server Registration request Issues a smart card containing SEED SEED (secure channel) N, SEED ⊕ D 0, H(D 0 ) Uses SEED to verify. If it succeeds, then compute the initial Verifier P 0 =H N (K ⊕ SEED) Extracts P 0 from the received data. Stores id, P 0 P0⊕D0P0⊕D0

7 7 YSH Scheme: Login Phase verifies H(P t ) = P t– 1 user server Login request C (= N–t), SEED ⊕ D t, H(D t ) ⊕ P t–1 Uses SEED to verify and compute P t (= h C (SEED ⊕ K)) Pt⊕DtPt⊕Dt fales Authentication fails true Authentication succeeds

8 8 Stolen-Verifier Attack (1/2) Suppose that an adversary E has stolen an ever used P i after the user’s tth login, where 1  i  t. Before the user’s (t+1)th login, E can use P i to extract D i and SEED. Then, E can guess a password pw' and then derive its corresponding K'. Next, he can compute P i ' = H C (K' ⊕ SEED)

9 9 Stolen-Verifier Attack (2/2) It the computed P i ' equals the stolen P i, E has obtained K (= K'). –Implies E has correctly guessed the user’s password. Knowing SEED and K, E can impersonate the user to login the server or impersonate the server to cheat the user. Knowing SEED, E can obtain the session key D i and decrypt all the messages encrypted with D i. –Does not provide perfect forward secrecy

10 10 Problems with Re-registration (1/6) Suppose SEED and K are left unchanged. SEED = SEED' K = K' P t =P t ' (1 ≦ t ≦ N) re-registration phase

11 11 Problems with Re-registration (2/6) Suppose SEED and K are left unchanged. (cont.) login phase adversary server Login request C (= N–t), SEED ⊕ D t, H(D t ) ⊕ P t–1 D t ♁ D t ' = (SEED ♁ D t ) ♁ (SEED' ♁ D t ') P t ' ♁ D t = (D t ♁ D t ') ♁ (P t ' ♁ D t ') Pt'♁DtPt'♁Dt Authentication succeeds

12 12 Problems with Re-registration (3/6) Suppose SEED and K are left unchanged. (cont.) –Since the received P t ' ♁ D t equals the expected one, the server will be fooled into believing that the adversary is the authentic user. YSH scheme fails to achieve key agreement and authentication as being expected. Although the session key D t is unknown to the adversary, it reveals a potential weakness that may be employed to carry out other subtle attacks to its application systems.

13 13 Suppose SEED is left unchanged, but K is changed. re-registration phase adversary server N, SEED ⊕ D r, H(D r ) D r ♁ D r ' = (SEED ♁ D r ) ♁ (SEED' ♁ D r ') P 0 ' ♁ D r = (D r ♁ D r ') ♁ (P 0 ' ♁ D r ' ) P0'♁DrP0'♁Dr P 0 ' is regarded as P 0 Problems with Re-registration (4/6) user Registration request Issues a smart card containing SEED SEED (secure channel)

14 14 Suppose SEED is left unchanged, but K is changed. (cont.) Login phase adversary server Login request C(= N–t), SEED ⊕ D l, H(D l ) ⊕ P t–1 D l ♁ D l ' = (SEED ♁ D l ) ♁ (SEED' ♁ D l ' ) P t ' ♁ D l = (D l ♁ D l ') ♁ (P t ' ♁ D l ' ) Pt'♁DlPt'♁Dl Authentication succeeds Problems with Re-registration (5/6)

15 15 Problems with Re-registration (6/6) Suppose SEED is left unchanged, but K is changed. (cont.) –Since the received P t ' ♁ D l equals the expected one, the server will be fooled into believing that the adversary is the authentic user. YSH scheme fails to achieve key agreement and authentication as being expected. Although the session key D l is unknown to the adversary, it reveals a potential weakness that may be employed to carry out other subtle attacks to its application systems.

16 16 Conclusion In general, the server stores the verifier of the user’s password rather than the user’s bare password to resist the password-file compromise attack. –However, even though a compromised verifier will not reveal the password directly, it may be used to derive its corresponding password indirectly or cause other subtle security problems. We have shown the weakness and drawbacks of an improved version of S/KEY, the YSH scheme. –To put the Yeh-Shen-Hwang’ scheme into practice, these problems should be solved.

Download ppt "1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur 2004.05.12."

Similar presentations

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.

Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.
多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.

多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :11.23 1.

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :
Computer and Information Security 期末報告 學號 92321501 姓名 莊玉麟.

Computer and Information Security 期末報告 學號 姓名 莊玉麟.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.

1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
A simple remote user authentication scheme 1. M. S. Hwang, C. C. Lee and Y. L. Tang, “A simple remote user authentication.

A simple remote user authentication scheme 1. M. S. Hwang, C. C. Lee and Y. L. Tang, “A simple remote user authentication.

Similar presentations

Ads by Google