Department of Computer Engineering, Kyungpook National University
Author : Eun-Jun Yoon, Wan-Soo Lee, Kee-Young Yoo Speaker : Wan-Soo Lee ([email protected]) Date : 2007.05.10. (Thu)
Secure Remote User Authentication Scheme Using Bilinear Pairings
Information Security Lab.
Contents
Introduction
Review of Das et al.’s scheme
Cryptanalysis of Das et al.’s scheme
Impersonation attack
Off-Line password guessing attack
Proposed scheme
Conclusion
Introduction
Remote user authentication : along with confidentiality and integrity, it is required for systems that
allow remote access over untrustworthy networks such as the Internet
Das et al.’s scheme (2006)
proposed a remote user authentication scheme using
bilinear pairings
Our refutation
Das et al.’s scheme is insecure against the impersonation attack and the off-line
password guessing attack
Introduction
Bilinear Pairing
Let G1, G2 be cyclic groups of the same order q.
G1 : an additive group, G2 : a multiplicative group
Definition
A bilinear map e : G1 × G1 → G2 satisfies
1. Bilinear: e(aP, bQ) = e(P, Q)^ab for all P, Q ∈ G1 and a, b ∈ Zq*
2. Non-degenerate: there exist P, Q ∈ G1 such that e(P, Q) ≠ 1
3. Computability: e(P, Q) can be efficiently computed for all P, Q ∈ G1
Introduction
Mathematical Problems
Definition 1
Discrete Logarithm Problem (DLP) :
Given Q, R ∈ G1, find an integer x ∈ Zq* such that R = xQ.
Definition 2
Bilinear Computational Diffie-Hellman Problem (BCDHP) :
Given (P, aP, bP) for a, b ∈ Zq*, compute abP.
Das et al.’s Authentication Scheme
Setup Phase : G1 : an additive cyclic group of order prime q
G2 : a multiplicative cyclic group of the same order.
P : a generator of G1
Bilinear mapping e : G1 × G1 → G2
Hash function H : {0, 1}* → G1
① RS selects a secret key s and computes PubRS = sP.
② RS publishes <G1, G2, e, q, P, PubRS , H(·)>
and keeps s secret.
Das et al.’s Authentication Scheme
Registration Phase :
User Ui : Select IDi, PWi
User Ui → Remote System : IDi, PWi (Secure Channel)
Remote System : RegIDi ← s • H(IDi) + H(PWi)
Remote System : Store IDi, RegIDi, H(•) in Smart Card
Remote System → User Ui : Smart Card (Secure Channel)
Das et al.’s Authentication Scheme
Login and Verification Phase :
User Ui : Input IDi, PWi
User Ui : Pick up timestamp T
User Ui : DIDi ← T • RegIDi
User Ui : Vi ← T • H(PWi)
User Ui → Remote System : { IDi, DIDi, Vi, T }
Remote System : Check (T* - T) ≤ ∆T
Remote System : Check e(DIDi – Vi, P) = e(H(IDi), PubRS)^T
Cryptanalysis of Das et al.’s scheme
Impersonation attack
User Ui → Remote System : { IDi, DIDi, Vi, T } (intercepted by attacker E)
Attacker E : choose r, compute T' ← rT, DID'i ← r • DIDi and V'i ← r • Vi
Attacker E → Remote System : { IDi, DID'i, V'i, T' }
Remote System : Check e(DID'i – V'i, P) = e(H(IDi), PubRS)^T' ?
The check passes:
e(DID'i – V'i, P) = e(r • DIDi – r • Vi, P)
= e(rT • RegIDi – rT • H(PWi), P)
= e(rT • (s • H(IDi) + H(PWi)) – rT • H(PWi), P)
= e(rT • s • H(IDi), P)
= e(s • H(IDi), P)^rT
= e(H(IDi), sP)^T'
= e(H(IDi), PubRS)^T'
Cryptanalysis of Das et al.’s scheme
Off-line password guessing attack
User Ui → Remote System : { IDi, DIDi, Vi, T } (intercepted by attacker E)
Attacker E :
(1) guesses a password PW'i
(2) computes T • H(PW'i)
(3) checks if Vi = T • H(PW'i)
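As an added example (not code from the slides, nor from Das et al.), the following Python models the bilinear-map definition from the Introduction slide, the setup, registration and login phases of Das et al.'s scheme, and the two observations of the cryptanalysis slides. The pairing is a toy stand-in, not an elliptic-curve pairing: its parameters (p = 2^61 - 1, Q = p - 1, g = 3, P = 1), the SHA-256-based H, and the sample identities, passwords and timestamps are all assumptions of this example. The toy map satisfies the three properties of the definition but has no cryptographic strength (discrete logarithms in the toy G1 are trivial, and its order is not prime), so it reproduces the protocol algebra only.

```python
"""Toy model of Das et al.'s login/verification and of the algebra behind the
two cryptanalysis slides.  Added example, not the authors' code.  The pairing
is a STAND-IN: G1 = Z_Q (additive, generator P = 1), G2 = Z_p^* for the
Mersenne prime p = 2^61 - 1, e(X, Y) = g^(X*Y mod Q) mod p with Q = p - 1.
"""
import hashlib
import secrets

P_MOD = (1 << 61) - 1      # toy G2 modulus (constructed parameter)
Q = P_MOD - 1              # common group order; the slides use a prime q, the toy does not
G2_GEN = 3                 # any g != 1 makes the toy map non-degenerate
P = 1                      # generator of the additive toy group G1 = Z_Q

def pairing(x: int, y: int) -> int:
    """Toy bilinear map e : G1 x G1 -> G2 with e(aX, bY) = e(X, Y)^(ab)."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)

def is_bilinear(a: int, b: int, x: int, y: int) -> bool:
    """Property 1 of the definition slide, checked on the toy map."""
    return pairing((a * x) % Q, (b * y) % Q) == pow(pairing(x, y), (a * b) % Q, P_MOD)

def H(data: str) -> int:
    """Hash H : {0,1}* -> G1 (SHA-256 reduced into Z_Q; an assumption of the toy)."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q

# Setup phase: RS secret key s and public key PubRS = sP (module-level for brevity)
S_SECRET = secrets.randbelow(Q - 1) + 1
PUB_RS = (S_SECRET * P) % Q

def register(id_i: str, pw_i: str) -> int:
    """Registration: RS puts RegID_i = s.H(ID_i) + H(PW_i) on the smart card."""
    return (S_SECRET * H(id_i) + H(pw_i)) % Q

def login(id_i: str, pw_i: str, reg_id: int, t: int) -> dict:
    """Login: smart card sends {ID_i, DID_i = T.RegID_i, V_i = T.H(PW_i), T}."""
    return {"ID": id_i, "DID": (t * reg_id) % Q, "V": (t * H(pw_i)) % Q, "T": t}

def fresh(msg: dict, now: int, delta_t: int = 5) -> bool:
    """RS freshness check (T* - T) <= dT."""
    return 0 <= now - msg["T"] <= delta_t

def pairing_check(msg: dict) -> bool:
    """RS verification equation e(DID_i - V_i, P) == e(H(ID_i), PubRS)^T."""
    lhs = pairing((msg["DID"] - msg["V"]) % Q, P)
    rhs = pow(pairing(H(msg["ID"]), PUB_RS), msg["T"], P_MOD)
    return lhs == rhs

def scaled_copy(msg: dict, r: int) -> dict:
    """The impersonation slide's observation: scaling DID_i, V_i and T by the
    same r gives another message that satisfies the verification equation,
    because both sides of it are homogeneous in T.  Only the timestamp
    window (fresh()) stands in the way."""
    return {"ID": msg["ID"], "DID": (r * msg["DID"]) % Q,
            "V": (r * msg["V"]) % Q, "T": r * msg["T"]}

def guess_confirms(msg: dict, candidate: str) -> bool:
    """The guessing slide's test: V_i == T.H(PW') exactly when PW' is the
    password, so one captured message decides a candidate off-line."""
    return (msg["T"] * H(candidate)) % Q == msg["V"]
```

The two functions at the end are the verifier-side checks a reviewer would write to confirm the slides' claims: `pairing_check` accepts every r-scaled copy of a captured message, so the scheme's only defence against replaying a modified message is the timestamp window, and `guess_confirms` shows that V_i alone decides a candidate password without any interaction with the remote system, which is exactly why the proposed scheme blinds the password with a nonce N and removes the timestamp.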
Proposed scheme
Setup Phase : G1 : an additive cyclic group of order prime q
G2 : a multiplicative cyclic group of the same order.
P : a generator of G1
Bilinear mapping e : G1 × G1 → G2
Hash function H : {0, 1}* → G1
F(·) : a collision resistant one-way hash function
① RS selects a secret key s and computes PubRS = sP.
② RS publishes <G1, G2, e, q, P, PubRS , H(·), F(·)>
and keeps s secret.
Proposed scheme
Registration Phase :
User Ui : Select IDi, PWi and a random number N
User Ui : compute F(PWi|N)
User Ui → Remote System : IDi, F(PWi|N)
Remote System : U ← H(IDi, IDs)
Remote System : Ki ← s • U
Remote System : VKi ← F(Ki)
Remote System : RegIDi ← Ki + H(F(PWi|N))
Remote System : Store U, VKi, RegIDi, H(•), F(•) in Smart Card
Remote System → User Ui : Smart Card (Secure Channel)
User Ui : Enter N into Smart Card
Proposed scheme
Login and Session key agreement Phase :
User Ui : Input IDi, PWi
User Ui : Ki ← RegIDi – H(F(PWi|N))
User Ui : Verify VKi = F(Ki) ?
User Ui : Choose random a ∈ Zq*
User Ui : C1 ← aP
User Ui → Remote System : { IDi, C1 }
Remote System : Verify IDi
Remote System : U ← H(IDi, IDs)
Remote System : Ki* ← s • U
Remote System : Choose random b ∈ Zq*
Remote System : C2 ← bP
Remote System : sk ← e(C1, bU) = e(P, U)^ab
Remote System : C3 ← F(IDi, Ki*, sk, C1)
Remote System → User Ui : { C2, C3 }
User Ui : sk* ← e(C2, aU) = e(P, U)^ab
User Ui : C3* ← F(IDi, Ki, sk*, C1)
User Ui : Verify C3 = C3* ?
User Ui : C4 ← F(IDi, Ki, sk*, C2)
User Ui → Remote System : { C4 }
Remote System : C4* ← F(IDi, Ki*, sk, C2)
Remote System : Verify C4 = C4* ?
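As an added example (not the authors' code), the following Python runs the proposed registration, login and session key agreement end to end on the same toy pairing used above (p = 2^61 - 1, Q = p - 1, g = 3, P = 1, all constructed parameters with no cryptographic strength). The server identity string `ID_S`, the SHA-256 instantiations of F and H, and the sample identity, password and nonce are assumptions of this example; the smart card is modelled as a dictionary that also holds the N the user enters into it.

```python
"""Toy model of the proposed login and session-key agreement.  Added example,
not the authors' code.  STAND-IN pairing: G1 = Z_Q additive, G2 = Z_p^* for
p = 2^61 - 1, e(X, Y) = g^(XY mod Q) mod p, Q = p - 1.  Algebra only.
"""
import hashlib
import secrets

P_MOD = (1 << 61) - 1
Q = P_MOD - 1
G2_GEN = 3
P = 1
ID_S = "RemoteSystem"          # server identity used in U = H(ID_i, ID_S) (assumed value)

def pairing(x: int, y: int) -> int:
    """Toy bilinear map e : G1 x G1 -> G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)

def F(*parts) -> str:
    """F(.): collision-resistant one-way hash, here SHA-256 over '|'-joined parts."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()

def H(*parts) -> int:
    """H : {0,1}* -> G1 (toy: F reduced into Z_Q)."""
    return int(F(*parts), 16) % Q

S_SECRET = secrets.randbelow(Q - 1) + 1   # RS long-term secret s (module-level for brevity)

def register(id_i: str, pw_i: str, n: str) -> dict:
    """Registration: user sends ID_i and F(PW_i|N); RS returns the smart-card contents.
    N never leaves the user; the card field "N" models the user entering it."""
    u = H(id_i, ID_S)
    k_i = (S_SECRET * u) % Q
    return {"U": u, "VK": F(k_i), "RegID": (k_i + H(F(pw_i, n))) % Q, "N": n}

def user_login_step1(card: dict, pw_i: str) -> dict:
    """Smart card: K_i = RegID_i - H(F(PW_i|N)), check VK_i locally, send C1 = aP."""
    k_i = (card["RegID"] - H(F(pw_i, card["N"]))) % Q
    if F(k_i) != card["VK"]:
        raise ValueError("wrong password (detected on the card, no round trip needed)")
    a = secrets.randbelow(Q - 1) + 1
    return {"a": a, "K": k_i, "C1": (a * P) % Q}

def rs_step2(id_i: str, c1: int) -> dict:
    """RS: K_i* = sU, choose b, sk = e(C1, bU) = e(P, U)^ab, C3 = F(ID_i, K_i*, sk, C1)."""
    u = H(id_i, ID_S)
    k_star = (S_SECRET * u) % Q
    b = secrets.randbelow(Q - 1) + 1
    sk = pairing(c1, (b * u) % Q)
    c2 = (b * P) % Q
    return {"K": k_star, "sk": sk, "C2": c2, "C3": F(id_i, k_star, sk, c1)}

def user_step3(id_i: str, st: dict, card: dict, c2: int, c3: str) -> tuple:
    """User: sk* = e(C2, aU), verify C3 = F(ID_i, K_i, sk*, C1), reply C4."""
    sk_star = pairing(c2, (st["a"] * card["U"]) % Q)
    if F(id_i, st["K"], sk_star, st["C1"]) != c3:
        raise ValueError("remote system failed to authenticate")
    return sk_star, F(id_i, st["K"], sk_star, c2)

def rs_step4(id_i: str, rs_st: dict, c4: str) -> bool:
    """RS: verify C4 against C4* = F(ID_i, K_i*, sk, C2)."""
    return F(id_i, rs_st["K"], rs_st["sk"], rs_st["C2"]) == c4

def run_session(id_i: str, pw_i: str, card: dict) -> tuple:
    """Full exchange {ID_i, C1} -> {C2, C3} -> {C4}; returns (sk*, sk, rs_accepted)."""
    st = user_login_step1(card, pw_i)
    rs_st = rs_step2(id_i, st["C1"])
    sk_star, c4 = user_step3(id_i, st, card, rs_st["C2"], rs_st["C3"])
    return sk_star, rs_st["sk"], rs_step4(id_i, rs_st, c4)
```

Two points from the comparison and conclusion slides are visible in the run: the password is checked against VK_i on the card before any message is sent (fast wrong-password detection), and no timestamp appears anywhere, since freshness comes from the random a and b that both C3 and C4 bind through sk. A modified or replayed {C2, C3} fails the C3 check in `user_step3`, and a modified C4 fails in `rs_step4`.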
Comparison
Security Properties          Das et al.’s scheme    Proposed scheme
Passive attack               Secure                 Secure
Active attack                Insecure               Secure
Guessing attack              Insecure               Secure
Stolen smart card attack     Insecure               Secure
Insider attack               Insecure               Secure
Secure password change       Not provided           Provided
Mutual authentication        Not provided           Provided
Session key distribution     Not provided           Provided
Perfect forward secrecy      Not provided           Provided
Wrong password detection     Slow                   Fast
Timestamp                    Required               Not required
Conclusion
Das et al.’s scheme is vulnerable to an impersonation attack and an
off-line password guessing attack
Improved authentication scheme based on the bilinear computational D-H problem
and a one-way hash function
» Provides mutual authentication between the user and the
remote system.
» Does not require time synchronization or delay-time limitations
Future work : the scheme must still be proved formally
Thank you
Q & A