
Slide 1: 多媒體網路安全實驗室 (Multimedia Network Security Lab)
Robust authentication and key agreement scheme preserving
Date: 2011/11/05
Presenter: 向峻霈
Source: Ren-Chiun Wang, Wen-Shenq Juang, Chin-Laung Lei, Computer Communications, pp. 274-280, 2011

Slide 2: Outline
- Introduction
- Proposed scheme
- Security analysis
- Functionality comparison
- Conclusion

Slide 3: Introduction
- The server maintains a verification file (table) of user passwords.
- In ubiquitous computing environments, thin devices have low computation and communication capabilities.
- Keeping a verification table and resisting the password guessing attack is still a key issue.

Slide 4: Related work
- Wang et al.'s scheme
  - prevents the smart card loss problem
  - prevents users from inputting incorrect passwords

Slide 5: Registration phase (Wang et al.'s scheme)
Client -> Server (secure channel): h(b ⊕ pw_i), id_i
Server:
  p = h(id_i ⊕ x)
  R = p ⊕ h(b ⊕ pw_i)
  V = h_p(h(b ⊕ pw_i))
  writes (R, V, h(), h_p()) into the smart card and issues the smart card to client i
Client: stores b in the smart card, so the card holds (R, V, h(), h_p(), b)

Slide 6: Login phase (Wang et al.'s scheme)
Smart card:
  p = R ⊕ h(b ⊕ pw_i)
  verifies V == h_p(h(b ⊕ pw_i))
  c_1 = p ⊕ h(r ⊕ b) = h(id_i ⊕ x) ⊕ h(r ⊕ b)
  c_2 = h_p(h(r ⊕ b) ⊕ T_u)
Client -> Server: id_i, c_1, c_2, T_u
Server:
  records a timestamp T_s
  checks id_i, and checks whether T_u == T_s
  verifies (T_u - T_s)
  p = h(id_i ⊕ x)
  c_1' = p ⊕ c_1 = h(r ⊕ b)
  verifies h_p(c_1' ⊕ T_u) == c_2
  c_3 = h_p(c_1' ⊕ T_s)
Server -> Client: c_3, T_s
Smart card:
  verifies whether T_s is invalid or T_s == T_u
  c_3' = h_p(h(r ⊕ b) ⊕ T_s)
  checks c_3' == c_3
Session key on both sides: c_1' = h(r ⊕ b)

Slide 7: Smart card loss problem
The same message flow as the login phase of slide 6, but with a password pw'_i in place of pw_i on the smart card:
Smart card:
  p = R ⊕ h(b ⊕ pw'_i)
  verifies V == h_p(h(b ⊕ pw'_i))
  c_1 = p ⊕ h(r ⊕ b) = h(id_i ⊕ x) ⊕ h(r ⊕ b)
  c_2 = h_p(h(r ⊕ b) ⊕ T_u)
Client -> Server: id_i, c_1, c_2, T_u
Server: records T_s; checks id_i and whether T_u == T_s; verifies (T_u - T_s); p = h(id_i ⊕ x); c_1' = p ⊕ c_1 = h(r ⊕ b); verifies h_p(c_1' ⊕ T_u) == c_2; c_3 = h_p(c_1' ⊕ T_s)
Server -> Client: c_3, T_s
Smart card: verifies whether T_s is invalid or T_s == T_u; c_3' = h_p(h(r ⊕ b) ⊕ T_s); checks c_3' == c_3
Session key on both sides: c_1' = h(r ⊕ b)

Slide 8: Proposed scheme
- Registration phase
- Precomputation phase
- Authentication and key agreement phase
- Password changing phase
- Revoking smart card phase
- User eviction phase
- User anonymity phase

Slide 9: Registration phase (proposed scheme)
The server sets up the system parameters:
- chooses a large prime number p (p > 2^160)
- E_p: y^2 = x^3 + ax + b mod p, with a, b ∈ Z_p and 4a^3 + 27b^2 mod p ≠ 0
- G is a generator point of large order n (n > 2^160)

Slide 10: Registration phase (proposed scheme)
Client: chooses pw_i; sends id_i to the server over a secure channel
Server: chooses cid_i; B_i = h(x || id_i || cid_i) * G; writes (id_i, B_i, G, E_p) into the smart card
Client: B_i' = B_i ⊕ h(pw_i); the smart card now stores (id_i, B_i', G, E_p)
Precomputation phase: T_1 = R * G (as a point over E_p)

Slide 11: Authentication and key agreement phase
Smart card:
  T_1 = R * G
  B_i = B_i' ⊕ h(pw_i) = h(x || id_i || cid_i) * G
  T_2 = h(R * B_i) = h(R * h(x || id_i || cid_i) * G)
Client -> Server: id_i, T_1, T_2
Server:
  checks the validity of the client's identity from (id_i, T_1, T_2) and looks up h(x || id_i || cid_i)
  T_2' = T_1 * h(x || id_i || cid_i) = R * h(x || id_i || cid_i) * G
  K = h(W * T_1)
  V_1 = h(T_2' || K)
Server -> Client: T_3 = W * G, V_1
Smart card:
  K' = h(R * T_3)
  V_1' = h(R * B_i || K')
  checks V_1' == V_1
  V_2 = h(R * B_i || K' + 1)
Client -> Server: V_2
Server: checks V_2 == h(T_2' || K + 1)
Session key: K
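The registration, precomputation and authentication phases of slides 9 to 11, written out as an added Python example that is not code from the paper or the presentation. It assumes secp256k1 as the curve E_p, SHA-256 as h with str() serialization of the concatenated inputs, and that B_i ⊕ h(pw_i) is applied to each coordinate of B_i; the function names register, client_login, server_respond, client_finish and run_session are this example's own.

```python
import hashlib, secrets
# secp256k1 (a = 0, b = 7) stands in for the paper's E_p, whose parameters are not on the page
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):  # affine point addition over E_p; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None   # A == -B
    lam = (3 * A[0] ** 2 * pow(2 * A[1], -1, P) if A == B      # tangent slope (a = 0)
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P  # chord slope
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def ec_mul(k, Q):  # k * Q by double-and-add
    R = None
    while k:
        R, Q, k = (ec_add(R, Q) if k & 1 else R), ec_add(Q, Q), k >> 1
    return R
def h(*parts):  # h(a || b || ...) with SHA-256; ints, strings and points are serialized via str()
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest(), "big")
def register(x, idn, cid, pw):  # server: B_i = h(x||id_i||cid_i)*G; card keeps B_i' = B_i XOR h(pw_i)
    Bx, By = ec_mul(h(x, idn, cid) % N, G)
    return (Bx ^ h(pw), By ^ h(pw))  # XOR applied to each coordinate (modelling choice)
def client_login(card, pw):  # card: B_i = B_i' XOR h(pw_i); T1 = R*G; T2 = h(R*B_i)
    B = (card[0] ^ h(pw), card[1] ^ h(pw))
    R = secrets.randbelow(N - 1) + 1
    return R, B, ec_mul(R, G), h(ec_mul(R, B))

def server_respond(x, idn, cid, T1, T2):  # server: T2' = h(x||id_i||cid_i)*T1 must hash to T2
    T2p = ec_mul(h(x, idn, cid) % N, T1)
    if h(T2p) != T2: return None
    W = secrets.randbelow(N - 1) + 1
    K = h(ec_mul(W, T1))
    return T2p, K, ec_mul(W, G), h(T2p, K)  # keeps T2', K; sends T3 = W*G and V1 = h(T2' || K)

def client_finish(R, B, T3, V1):  # card: K' = h(R*T3); check V1 = h(R*B_i || K'); V2 = h(R*B_i || K'+1)
    Kp = h(ec_mul(R, T3))
    if h(ec_mul(R, B), Kp) != V1: return None
    return Kp, h(ec_mul(R, B), Kp + 1)

def run_session(x, idn, cid, pw_registered, pw_typed):  # returns the agreed K, or None if any check fails
    card = register(x, idn, cid, pw_registered)
    R, B, T1, T2 = client_login(card, pw_typed)
    resp = server_respond(x, idn, cid, T1, T2)
    if resp is None: return None
    T2p, K, T3, V1 = resp
    fin = client_finish(R, B, T3, V1)
    if fin is None or h(T2p, K + 1) != fin[1]: return None  # server checks V2 == h(T2' || K+1)
    return K if K == fin[0] else None
```

With a wrong password the unblinded B_i is not the registered point, so T_2 fails the server's check in the first message and no session key is produced.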

Slide 12: User eviction phase
Server: deletes id_i and cid_i from the table

Slide 13: Password changing phase
Client: sends id_i to the server over a secure channel; chooses the new pw_i
Server: cid_i; B_i = h(x || id_i || cid_i) * G; writes (id_i, B_i, G, E_p) into the smart card
Client: B_i'' = B_i ⊕ h(new pw_i); the smart card now stores (id_i, B_i'', G, E_p)
Precomputation phase: T_1 = R * G

Slide 14: User anonymity phase (1/2)
Client: chooses pw_i; sends the registered information to the server over a secure channel
Server: IND_i, cid_i; B_i = h(x || IND_i || cid_i) * G; writes (IND_i, B_i, G, E_p) into the smart card
Client: B_i' = B_i ⊕ h(pw_i); the smart card now stores (id_i, B_i', G, E_p)
Precomputation phase: T_1 = R * G (as a point over E_p)

Slide 15: User anonymity phase (2/2)
Smart card:
  T_1 = R * G
  B_i = B_i' ⊕ h(pw_i) = h(x || IND_i || cid_i) * G
  T_2 = h(R * B_i) = h(R * h(x || IND_i || cid_i) * G)
Client -> Server: IND_i, T_1, T_2
Server:
  checks the validity of the client's identity from (IND_i, T_1, T_2) and looks up h(x || IND_i || cid_i)
  T_2' = T_1 * h(x || IND_i || cid_i) = R * h(x || IND_i || cid_i) * G
  K_1 = h(W * T_1)
  V_1 = E_K1(h(T_2' + 1) || IND_inew || B_inew)
Server -> Client: T_3 = W * G, V_1
Smart card:
  K_1' = h(R * T_3)
  V_1' = h(R * B_i || K')
  checks V_1' == V_1
  V_2 = h(R * B_i + 2)
Client -> Server: V_2
Server:
  checks V_2'
  B_inew = h(x || IND_inew || cid_i) * G is stored in the registration table
Session key: K

Slide 16: Security considerations
- The adversary wants to impersonate a valid user.
- The adversary would have to generate two valid messages (T_3, V_1, h_1, h_2) and (T_3, V_1', h_1', h_2'):
  h_1' = T_1' * h(x || id_i || cid_i) || h_2'
  h_2' = W * T_1' = W * R * G
- This requires solving for x and solving the ECCDHP.

Slide 17: Security considerations
- The adversary wants to impersonate a valid user from (T_1, T_3) and (T_1, B_i).
- Probability: (number of hash queries) / 2^(l-1)
- Oracle queries: Send, Reveal, Hash, Test

Slide 18: Security considerations
- Against the forgery attack by an active adversary:
  T_1 = R * G
  h(x || id_i || cid_i)
  h_1' = R * G * h(x || id_i || cid_i)
- Probability: (number of Hash queries) / 2

Slide 19: Security considerations
- Case: only the server's master key x is known.
- Session key K = h(W * T_1)
- The adversary cannot work out (W_old * T_old) or (R_old * T_3).
- Probability: bounded by solving the ECCDHP problem

Slide 20: Security considerations
- If the ECCDHP is hard and K is known:
- To learn K_new, the adversary must select R_new and T_1new and find R_new * G * h(x || id_i || cid_i).
- The adversary cannot work out (W_old * T_old) or (R_old * T_3).
- Probability
- V_2

Slide 21: Security considerations
- If the session key is known, in the card:
- The adversary must hold (id, B_i, G, E_p)
- (B_i * R) -> T_2
- Off-line attack from q_se
- The password guessing attack is

Slide 22: Equivalent key sizes in bits
Symmetric | ECC | RSA  | Years to attack (MIPS-years) | Security lifetime
80        | 160 | 1024 | 10^12                        | Until 2010
112       | 224 | 2048 | 10^24                        | Until 2030
128       | 256 | 3072 | 10^28                        | Beyond 2031
The length of the identity is 64 bits, the length of a random number is 128 bits, and the length of the master key on the server side is 256 bits.

Slide 23: Computation comparison
[Table on slide] The performance of a client in our scheme and the related schemes.

Slide 24: Computation comparison
[Table on slide] The performance of an application server in our scheme and the related schemes.

Slide 25: Computation cost
- Our protocol: 160 * 2 + 224 * 2 + 64 = 832 bits
- Fan et al.'s scheme: 64 + 2048 + 160 = 2272 bits
- Liao et al.'s scheme: 64 * 2 + 160 + 32 = 320 bits
- Wang et al.'s scheme: 64 + 160 * 2 + 32 = 416 bits

Slide 26: Functionality comparison
- C1: the server does not need to maintain a security-sensitive verification table
- C2: clients can choose and change their passwords freely
- C3: passwords of the clients cannot be derived by the privileged administrator of the server
- C4: no one can impersonate a valid client to access the resources of the server
- C5: is not prone to the problems of clock synchronization and time-delay
- C6: can withstand
  - replay, password guessing
  - stolen-verifier
  - known-key attacks
  - if one of the previous session keys or communicated messages is known by an adversary, the adversary still cannot impersonate this victim client

Slide 27: Functionality comparison
- C7: the client and the server can securely establish a common session key to protect their future communications
- C8: the scheme is practical and efficient; it can easily be implemented and the computation and communication cost is low
- C9: the client can revoke the smart card without changing the identity
- C10: the scheme is secure against the smart card loss problem
- C11: an evicted client cannot use the overdue smart card to access the resource of the server

Slide 28: Functionality comparison
Columns: Our protocol | Fan et al.'s scheme | Liao et al.'s scheme | Wang et al.'s scheme
(cells merged across several columns on the slide are flattened, so some rows carry fewer than four entries)
C1:  Yes
C2:  No | Yes | No
C3:  Yes | No | Yes
C4:  Yes | No
C5:  Yes | No
C6:  Yes | Not supported | No
C7:  Yes | Not supported | Yes | No
C8:  Yes | Partially (a) | Yes
C9:  Yes | Not supported
C10: Yes | No (b) | No (c) | No
C11: Yes | Not supported
a. The computation cost of the server is high in the scheme.
b. Rhee et al. have shown that the scheme is insecure against the smart card loss problem.
c. Xiang et al. and Yang et al. have shown that the scheme is insecure against the smart card loss problem and is vulnerable to the impersonation, password guessing, replay, and denial of service attacks.


Slide 30: Conclusion
- Extended the scheme to provide the privacy of the client
- Solves several hard security threats that are difficult to solve in the previous scholarship


Slide 32: Computation cost of hash collisions
- MD5: 王小云 (Wang Xiaoyun), February 2005: 2^39
- SHA-0: August 2004, 王小云 (Wang Xiaoyun) can find a collision within 2^40 computational complexity
- SHA-1: February 2005, 王小云 (Wang Xiaoyun): needs fewer than 2^69 computational complexity (birthday attack: 2^80); August 2005, 王小云 (Wang Xiaoyun): 2^63

