
An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices. Authors: Tsu-Yang Wu and Yuh-Min Tseng. Source: The Computer Journal.




1 An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices
Authors: Tsu-Yang Wu and Yuh-Min Tseng
Source: The Computer Journal (published online Sep. 2009), doi:10.1093/comjnl/bxp083
Reporter: 陳德祐
Date: Jan 15, 2010

2 Outline
Introduction
The proposed scheme
Security analysis
Comments

3 Introduction
Das, M.L., Saxena, A., Gulati, V.P. and Phatak, D.B. (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.
Giri, D. and Srivastava, P.D. (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. Cryptology ePrint Archive.
Points raised: forgery attack; computational cost; multi-server.
Tseng, Y.-M., Wu, T.-Y. and Wu, J.-D. (2008). A pairing-based user authentication scheme for wireless clients with smart cards. Informatica: International Journal, 19(2), 285–302.
The proposed scheme: mutual authentication; session key.

4 Bilinear Pairings
Let G_1, G_2, G_T be cyclic groups of the same order q.
G_1, G_2: additive groups
G_T: a multiplicative group
Definition: a bilinear map
1. Bilinear:
2. Non-degenerate:
3. Computability:

5 Notations and System setup
S: a powerful server
C: a low-power computing client
e: a bilinear map, e: G_1 × G_2 → G_T (G_1 = G_2), with the same order q
ID_C: the identity of the client C
DID_C: the private key of the client C
ID_S: the identity of the server S
P: a generator of the group G_1
s: the system private key in Z_q^*
P_pub: the system public key, P_pub = s·P
H_1(): a one-way hash function, H_1: {0,1}^* × G_1 → {0,1}^k
H_2(): a map-to-point function, H_2: {0,1}^* → G_1
Public parameters: {e, G_1, G_T, q, P, P_pub, H_1, H_2}

6 Key extract phase
Client C → Server S: ID_C
Server S computes DID_C = s·H_2(ID_C) = s·QID_C
Server S → Client C: (DID_C, QID_C)

7 Mutual authentication and key exchange phase
Client C (holding DID_C = s·H_2(ID_C) = s·QID_C):
  r ∈_R Z_q^*
  U = r·QID_C
  K_1 = r·DID_C
  h = H_1(ID_C, U)
  V = (r + h)·DID_C
  C → S: (ID_C, U, V)
Server S:
  QID_C = H_2(ID_C)
  h = H_1(ID_C, U)
  Check e(P, V) ?= e(P_pub, U + h·QID_C)
  Acquire a nonce N
  K_2 = s·U
  Auth = H_1(P_pub, ID_C, N, U, V, K_2)
  SK = H_1(Auth, N, U, V, K_2)
  S → C: (N, Auth)
Client C:
  Check Auth ?= H_1(P_pub, ID_C, N, U, V, K_1)
  SK = H_1(Auth, N, U, V, K_1)

8 Security analysis and discussion
Secure against:
1. ID attack
2. Impersonation attack
3. Passive attack
4. Mutual authentication
   A. Client-to-server authentication
   B. Server-to-client authentication
5. Implicit key confirmation
6. Partial forward secrecy
Discussion: replay attack
Theorem labels placed beside the items on the slide: Theorem 1, Theorem 1+2, Theorem 2, Theorem 1, Theorem 3, Theorem 4 (1+2+3), Theorem 5

9 Theorem 1. In the random oracle model, if an adversary with a non-negligible advantage ε_0 can violate the client-to-server authentication of the proposed protocol, then there exists a challenger C_1 that solves the CDH problem. (Properties 1, 4A)
Reduction: challenger C_1 is given (P, xP, yP) and must output xyP. It sets P_pub = xP and QID_C = H_2(ID_C) = yP.
Attacker A outputs a valid message σ' = (ID_C, U', V') with h' = H_1(ID_C, U'). By the forking lemma, A can be rerun to produce a second valid message σ'' = (ID_C, U', V'') with the same U' but a different hash value h''.
Both messages verify:
  e(P, V') = e(P_pub, U' + h'·QID_C) = e(xP, U' + h'·yP) = e(P, x·U' + x·h'·yP), so V' = x·U' + xy·h'·P
  e(P, V'') = e(P_pub, U' + h''·QID_C) = e(xP, U' + h''·yP) = e(P, x·U' + x·h''·yP), so V'' = x·U' + xy·h''·P
Hence xyP = (V' − V'')/(h' − h'').

10 Theorem 2. In the random oracle model, if an adversary A can violate the server-to-client authentication of the proposed protocol with a non-negligible advantage ε, then there exists a challenger C_2 that solves the CDH problem with advantage ε' ≥ ε − 1/2^k − q_C^3/q^2, where q_C is the maximum number of queries to the oracle of the client C.
Reduction: challenger C_2 is given (ryP, xP) and must output rxyP. It sets P_pub = xP and QID_C = H_2(ID_C) = yP, and gives the attacker A (U', P_pub), where U' = r·QID_C = ryP.
A returns (N, Auth) with Auth = H_1(P_pub, ID_C, N, U', V, K_2), where K_2 = x·U' = x·r·QID_C = xryP is the CDH answer.

11 Theorem 3. In the random oracle model, if an adversary A can guess the coin b involved in the Test query with a non-negligible advantage ε, then there exists a challenger C_2 that solves the CDH problem.
Reduction: challenger C_2 is given (ryP, xP) and must output rxyP. It sets P_pub = xP and QID_C = H_2(ID_C) = yP, and gives the attacker A (U', P_pub), where U' = r·QID_C = ryP.
The session key is derived from K_1 = r·DID_C = rxyP, which is the CDH answer.
Secure against the passive attack → secure against the disclosure of the session key.

12 Theorem 4. In the random oracle model and under the CDH problem, the proposed protocol provides implicit key confirmation.
Proof. Implicit key confirmation holds if the client (server) is assured that the server (client) is able to compute the session key and that no one other than the client/server can compute it.
Theorems 1 and 2: the client C and the server S can authenticate each other in the random oracle model and under the CDH assumption.
Theorem 3: no one other than the client C and the server S can compute the session key SK.
Therefore, the proposed protocol provides implicit key confirmation.

13 Theorem 5. In the random oracle model and under the CDH problem, the proposed protocol offers partial forward secrecy.
Proof. If the system private key s is corrupted, all previous session keys can be recovered from the transcripts:
  K_2 = s·U
  Auth = H_1(P_pub, ID_C, N, U, V, K_2)
  SK = H_1(Auth, N, U, V, K_2)
The corruption of the client C (DID_C) does not help to recover previous session keys. Therefore, the proposed protocol offers partial forward secrecy.

14 Comparisons
Notation used in the comparison table:
(i) T_Ge: the time of executing a bilinear pairing operation e, e: G_1 × G_2 → G_T
(ii) T_Gmul: the time of executing a point multiplication
(iii) T_GH: the time of executing a map-to-point hash function H_2()
(iv) T_Gadd: the time of executing a point addition
(v) T_H: the time of executing a one-way hash function H_1()
(vi) T_exp: the time of executing a modular exponentiation
(vii) T_MAC: the time of executing a message authentication code

15 Mutual authentication and key exchange phase ~ replay attack
Modification: a timestamp T is bound into h and sent with the first message.
Client C (holding DID_C = s·H_2(ID_C) = s·QID_C):
  r ∈_R Z_q^*
  U = r·QID_C
  K_1 = r·DID_C
  h = H_1(ID_C, T, U)   (previously H_1(ID_C, U))
  V = (r + h)·DID_C
  C → S: (ID_C, T, U, V)   (previously (ID_C, U, V))
Server S:
  Check T
  QID_C = H_2(ID_C)
  h = H_1(ID_C, T, U)
  Check e(P, V) ?= e(P_pub, U + h·QID_C)
  Acquire a nonce N
  K_2 = s·U
  Auth = H_1(P_pub, ID_C, N, U, V, K_2)
  SK = H_1(Auth, N, U, V, K_2)
  S → C: (N, Auth)
Client C:
  Check Auth ?= H_1(P_pub, ID_C, N, U, V, K_1)
  SK = H_1(Auth, N, U, V, K_1)
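The following Python script is an added example, not code from the authors or the paper. It runs the slide-7 exchange, the transcript recovery used in the Theorem 5 proof (slide 13), and the timestamped first message of slide 15 over a toy bilinear map in which group elements are represented by their own discrete logarithms (G_1 = Z_q under addition, G_T = the order-q subgroup of Z_p^*, e(a, b) = g^(ab) mod p). That map is bilinear and non-degenerate, so the pairing check and the Auth check behave exactly as on the slides, but it has no security whatsoever and is only a vehicle for showing the message flow. The parameters q = 1019 and p = 2039, SHA-256 standing in for H_1 and H_2, the 60-second acceptance window for T, and all function names are my assumptions.

```python
# Added example (not the authors' code): a toy, INSECURE instantiation of the
# Wu-Tseng ID-based mutual authentication and key exchange protocol. Group
# elements are their discrete logarithms: G1 = (Z_q, +), G_T = order-q subgroup
# of Z_p^*, e(a, b) = g^(a*b) mod p. Bilinear and non-degenerate, so every check
# on the slides goes through, but every element exposes its own logarithm.
import hashlib
import hmac
import secrets

Q = 1019           # constructed toy group order q (prime); p = 2q + 1 = 2039 is prime
P_MOD = 2 * Q + 1
G = 4              # 4 = 2^2 generates the order-q subgroup of Z_p^*
P = 7              # "generator P of G1": any nonzero element of Z_q will do here

def pmul(k, X): return (k * X) % Q                    # scalar multiplication k*X in G1
def padd(X, Y): return (X + Y) % Q                    # point addition X + Y in G1
def pairing(X, Y): return pow(G, (X * Y) % Q, P_MOD)  # e(X, Y) = g^(xy) mod p

def H1(*args):
    """One-way hash H1 over a length-prefixed encoding of strings, ints and bytes."""
    m = hashlib.sha256()
    for a in args:
        b = a if isinstance(a, bytes) else a.encode() if isinstance(a, str) else a.to_bytes(8, "big")
        m.update(len(b).to_bytes(2, "big") + b)
    return m.digest()

def H2(identity):
    """Map-to-point hash H2: identity -> nonzero element of G1."""
    d = hashlib.sha256(b"H2|" + identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

def h_of(ID_C, U, T=None):
    """h = H1(ID_C, U); the anti-replay variant (slide 15) binds a timestamp: H1(ID_C, T, U)."""
    d = H1(ID_C, U) if T is None else H1(ID_C, T, U)
    return int.from_bytes(d, "big") % Q

def setup():                          # system private key s and public key P_pub = s*P
    s = secrets.randbelow(Q - 1) + 1
    return s, pmul(s, P)

def extract(s, ID_C):                 # key extract phase: DID_C = s * H2(ID_C)
    return pmul(s, H2(ID_C))

def client_step1(ID_C, DID_C, T=None):
    """Client: pick r, send (ID_C, U, V) [or (ID_C, T, U, V)], keep K1 = r*DID_C."""
    r = secrets.randbelow(Q - 1) + 1
    U = pmul(r, H2(ID_C))
    K1 = pmul(r, DID_C)
    V = pmul((r + h_of(ID_C, U, T)) % Q, DID_C)
    return ((ID_C, U, V) if T is None else (ID_C, T, U, V)), K1

def server_step(s, P_pub, msg1, now=None, window=60):
    """Server: (check T if present,) verify e(P, V) = e(P_pub, U + h*QID_C), reply (N, Auth)."""
    if len(msg1) == 4:
        ID_C, T, U, V = msg1
        if now is None or abs(now - T) > window:
            return None                      # stale timestamp: replayed copy rejected
    else:
        (ID_C, U, V), T = msg1, None
    QID_C = H2(ID_C)
    h = h_of(ID_C, U, T)
    if pairing(P, V) != pairing(P_pub, padd(U, pmul(h, QID_C))):
        return None                          # client-to-server authentication failed
    N = secrets.randbits(64)                 # acquire a nonce
    K2 = pmul(s, U)
    Auth = H1(P_pub, ID_C, N, U, V, K2)
    return (N, Auth), H1(Auth, N, U, V, K2)  # message 2 and the server's SK

def client_step2(ID_C, P_pub, msg1, K1, msg2):
    """Client: check Auth with K1 (server-to-client authentication), then derive SK."""
    (N, Auth), U, V = msg2, msg1[-2], msg1[-1]
    if not hmac.compare_digest(Auth, H1(P_pub, ID_C, N, U, V, K1)):
        return None
    return H1(Auth, N, U, V, K1)

def recover_sk_from_transcript(s, msg1, msg2):
    """Theorem 5: s plus the transcript gives K2 = s*U and hence SK (partial forward secrecy)."""
    U, V, (N, Auth) = msg1[-2], msg1[-1], msg2
    return H1(Auth, N, U, V, pmul(s, U))

def demo():
    # Constructed run: slide-7 flow, a replayed first message, and the slide-15 variant.
    ID_C = "client-001"                          # constructed identity
    s, P_pub = setup()
    DID_C = extract(s, ID_C)
    msg1, K1 = client_step1(ID_C, DID_C)
    msg2, SK_S = server_step(s, P_pub, msg1)
    SK_C = client_step2(ID_C, P_pub, msg1, K1, msg2)
    T = 1_700_000_000                            # constructed timestamp
    msg1t, K1t = client_step1(ID_C, DID_C, T)
    fresh = server_step(s, P_pub, msg1t, now=T + 5)
    return {
        "keys_match": SK_C == SK_S,
        "sk_from_s_and_transcript": recover_sk_from_transcript(s, msg1, msg2) == SK_S,
        "replay_passes_pairing_check_without_T": server_step(s, P_pub, msg1) is not None,
        "timestamped_fresh_accepted": client_step2(ID_C, P_pub, msg1t, K1t, fresh[0]) == fresh[1],
        "timestamped_replay_rejected": server_step(s, P_pub, msg1t, now=T + 3600) is None,
    }
```

Calling demo() returns a dictionary of booleans that are all True: both parties derive the same SK; anyone holding s recomputes K_2 = s·U from the transcript and therefore SK (the Theorem 5 observation); the untimestamped first message passes the server's deterministic pairing check when presented again, which is why the discussion on slide 8 raises replay and slide 15 adds T; and with T bound into h, a copy outside the acceptance window is refused before any pairing is computed.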

16 Comments
Forward secrecy
Nonce-based
Explicit key confirmation
Multi-server environment




