An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices
Authors: Tsu-Yang Wu and Yuh-Min Tseng
Source: The Computer Journal (published online Sep. 2009), doi:10.1093/comjnl/bxp083
Reporter: 陳德祐
Date: Jan 15, 2010
Outline
Introduction
The proposed scheme
Security analysis
Comments
Introduction
Related work (slide annotations given after each entry):
- Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.
  Annotation: forgery attack
- Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. Cryptology ePrint Archive.
  Annotations: computational cost; multi-server
- Tseng, Y.-M., T.-Y. Wu and J.-D. Wu (2008). A pairing-based user authentication scheme for wireless clients with smart cards. Informatica: International Journal, 19(2), pp. 285–302.
  Annotations: mutual authentication; session key
- The proposed scheme
Bilinear Pairings
Let G1, G2, GT be cyclic groups of the same order q, where G1 and G2 are written additively and GT is written multiplicatively.
Definition. A bilinear map e : G1 × G2 → GT satisfies:
1. Bilinearity: e(aP, bQ) = e(P, Q)^(ab) for all (P, Q) ∈ G1 × G2 and (a, b) ∈ Zq* × Zq*.
2. Non-degeneracy: there exist P ∈ G1 and Q ∈ G2 such that e(P, Q) ≠ 1.
3. Computability: there is an efficient algorithm to compute e(P, Q) for all (P, Q) ∈ G1 × G2.
Notations and System setup
- S: a powerful server
- C: a low-power computing client
- e: a bilinear map e : G1 × G2 → GT (with G1 = G2), all groups of the same order q
- IDC: the identity of the client C
- DIDC: the private key of the client C
- IDS: the identity of the server S
- P: a generator of the group G1
- s: the system private key in Zq*
- Ppub: the system public key, Ppub = s · P
- H1(): a one-way hash function, H1 : {0,1}* × G1 → {0,1}^k
- H2(): a map-to-point function, H2 : {0,1}* → G1
- Public parameters: {e, G1, GT, q, P, Ppub, H1, H2}
Key extract phase
Client C -> Server S: IDC
Server S computes QIDC = H2(IDC) and DIDC = s · H2(IDC) = s · QIDC
Server S -> Client C: (DIDC, QIDC)
Mutual authentication and key exchange phase
Client C (holds DIDC = s · H2(IDC) = s · QIDC):
- chooses r ∈R Zq*
- U = r · QIDC
- K1 = r · DIDC
- h = H1(IDC, U)
- V = (r + h) · DIDC
C -> S: (IDC, U, V)
Server S:
- QIDC = H2(IDC)
- h = H1(IDC, U)
- e(P, V) ?= e(Ppub, U + h · QIDC)
- Acquiring a nonce N
- K2 = s · U
- Auth = H1(Ppub, IDC, N, U, V, K2)
- SK = H1(Auth, N, U, V, K2)
S -> C: (N, Auth)
Client C:
- Auth ?= H1(Ppub, IDC, N, U, V, K1)
- SK = H1(Auth, N, U, V, K1)
Correctness of the server's verification:
e(P, V) = e(P, (r + h) · DIDC)
        = e(P, (r + h) · s · QIDC)
        = e(s · P, (r + h) · QIDC)
        = e(Ppub, r · QIDC + h · QIDC)
        = e(Ppub, U + h · QIDC)
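As an added worked example (not code from the paper or the slides), the phase above implemented in Python over a constructed toy pairing: G1 is (Zq, +) with generator P = 1, so "aP" is just the integer a mod q, and e(aP, bP) = g^(ab) in the order-q subgroup of Zp* with p = 2q + 1. This toy pairing is bilinear and non-degenerate but its discrete logarithm is trivial, so it demonstrates only the message flow, the verification equation e(P, V) = e(Ppub, U + h · QIDC), and the fact that K1 = K2; it offers no security. The optional timestamp T follows the replay-attack variant shown later in the deck, and recover_sk_with_s illustrates the partial-forward-secrecy point of Theorem 5 (a leaked s plus the transcript yields SK). All function names, the parameters q = 1019, p = 2039, g = 4, and the SHA-256 instantiations of H1 and H2 are assumptions of this example.

```python
import hashlib
import secrets
import time

# --- Constructed toy pairing (illustration only; offers NO security) ---
# G1 = (Z_q, +) with generator P = 1, so "aP" is the integer a mod q.
# GT = the order-q subgroup of Z_p^* with p = 2q + 1, generated by g.
# e(aP, bP) = g^(ab mod q) mod p is bilinear and non-degenerate, but the
# discrete logarithm in G1 is trivial here, so only the protocol flow is real.
Q = 1019       # prime group order q (assumed parameter)
P_MOD = 2039   # p = 2q + 1, also prime (assumed parameter)
G_T = 4        # quadratic residue mod p, hence of order q in Z_p^*
P = 1          # generator of the additive toy group G1

def pairing(a, b):
    """e : G1 x G1 -> GT, e(aP, bP) = g^(ab)."""
    return pow(G_T, (a * b) % Q, P_MOD)

def h1(*parts):
    """H1: one-way hash over a tuple of ints/bytes/str; returns 32 bytes (k = 256)."""
    digest = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(8, "big")
        elif isinstance(part, str):
            part = part.encode()
        digest.update(len(part).to_bytes(2, "big") + part)  # length-prefixed fields
    return digest.digest()

def h1_scalar(*parts):
    """H1 output reduced into Z_q^* so it can serve as the scalar h."""
    return 1 + int.from_bytes(h1(*parts), "big") % (Q - 1)

def h2(identity):
    """H2: map-to-point, here a hash mapped into a non-zero element of G1."""
    return 1 + int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1)

# --- System setup and key extract phase ---
def setup():
    s = 1 + secrets.randbelow(Q - 1)        # system private key s in Z_q^*
    return s, (s * P) % Q                   # Ppub = s * P

def extract(s, id_c):
    return (s * h2(id_c)) % Q               # DIDC = s * QIDC = s * H2(IDC)

# --- Mutual authentication and key exchange phase ---
def client_request(id_c, d_id, t=None):
    """Client step: sends (IDC, [T,] U, V), keeps K1 = r * DIDC.
    With t given, the timestamp variant h = H1(IDC, T, U) is used."""
    q_id = h2(id_c)
    r = 1 + secrets.randbelow(Q - 1)        # r chosen at random from Z_q^*
    u = (r * q_id) % Q                      # U = r * QIDC
    k1 = (r * d_id) % Q                     # K1 = r * DIDC
    h = h1_scalar(id_c, u) if t is None else h1_scalar(id_c, t, u)
    v = ((r + h) * d_id) % Q                # V = (r + h) * DIDC
    return (id_c, t, u, v), k1

def server_respond(s, ppub, msg, nonce, now=None, window=60):
    """Server step: check e(P, V) = e(Ppub, U + h * QIDC); return ((N, Auth), SK)."""
    id_c, t, u, v = msg
    if t is not None:
        now = int(time.time()) if now is None else now
        if abs(now - t) > window:
            return None                     # stale timestamp: treat as a replay
    q_id = h2(id_c)
    h = h1_scalar(id_c, u) if t is None else h1_scalar(id_c, t, u)
    if pairing(P, v) != pairing(ppub, (u + h * q_id) % Q):
        return None                         # client-to-server authentication failed
    k2 = (s * u) % Q                        # K2 = s * U (= s * r * QIDC = K1)
    auth = h1(ppub, id_c, nonce, u, v, k2)
    return (nonce, auth), h1(auth, nonce, u, v, k2)

def client_finish(id_c, ppub, msg, k1, reply):
    """Client step: check Auth using K1, then derive SK."""
    _, _, u, v = msg
    nonce, auth = reply
    if auth != h1(ppub, id_c, nonce, u, v, k1):
        return None                         # server-to-client authentication failed
    return h1(auth, nonce, u, v, k1)

def recover_sk_with_s(s, ppub, msg, reply):
    """Theorem 5 (partial forward secrecy): once s leaks, the public transcript
    (IDC, U, V, N, Auth) alone gives K2 = s * U and hence SK; DIDC is not needed."""
    _, _, u, v = msg
    nonce, auth = reply
    k2 = (s * u) % Q
    return h1(auth, nonce, u, v, k2)

def run_protocol(id_c="client-01@example", t=None, now=None):
    """One full run; returns (client SK, server SK, SK recovered from leaked s) or None."""
    s, ppub = setup()
    d_id = extract(s, id_c)
    msg, k1 = client_request(id_c, d_id, t)
    result = server_respond(s, ppub, msg, secrets.token_bytes(16), now)
    if result is None:
        return None
    reply, sk_server = result
    sk_client = client_finish(id_c, ppub, msg, k1, reply)
    return sk_client, sk_server, recover_sk_with_s(s, ppub, msg, reply)
```

A real deployment would replace the toy group with a pairing-friendly curve (and a true map-to-point hash for H2); the protocol logic in client_request, server_respond and client_finish is unchanged by that substitution.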
Security analysis and discussion
Secure against:
1. ID attack: Theorem 1
2. Impersonation attack: Theorems 1 + 2
3. Passive attack: Theorem 3
4. Mutual authentication:
   A. Client-to-server authentication: Theorem 1
   B. Server-to-client authentication: Theorem 2
5. Implicit key confirmation: Theorem 4 (from 1 + 2 + 3)
6. Partial forward secrecy: Theorem 5
Discussion: replay attack
Theorem 1. In the random oracle model, if an adversary with a non-negligible advantage ε0 can violate the client-to-server authentication of the proposed protocol, then there exists a challenger C1 to solve the CDH problem. (Covers items 1 and 4A.)
Proof sketch (reduction):
- Challenger C1 receives a CDH instance (P, xP, yP) and sets Ppub = xP and QIDC = H2(IDC) = yP.
- Attacker A outputs a valid message σ' = (IDC, U', V').
- By the Forking Lemma, A can be rerun to generate two valid messages σ' = (IDC, U', V') and σ'' = (IDC, U', V'') with the same U' but different values h' and h'' of h = H1(IDC, U).
- e(P, V') = e(Ppub, U' + h' · QIDC) = e(xP, U' + h' · yP) = e(P, x·U' + x·h'·yP)
- e(P, V'') = e(Ppub, U' + h'' · QIDC) = e(xP, U' + h'' · yP) = e(P, x·U' + x·h''·yP)
- Hence V' = x·U' + xy·h'·P and V'' = x·U' + xy·h''·P, and C1 outputs xyP = (V' − V'')/(h' − h''), the CDH solution.
Theorem 2. In the random oracle model, if an adversary A can violate the server-to-client authentication of the proposed protocol with a non-negligible advantage ε, then there exists a challenger C2 to solve the CDH problem with advantage ε' ≥ ε − 1/2^k − q_C^3/q^2, where q_C is the maximum number of queries to the oracle of the client C.
Proof sketch (reduction):
- Challenger C2 receives (ryP, xP) and sets Ppub = xP, QIDC = H2(IDC) = yP and U' = r · QIDC = ryP.
- C2 gives (U', Ppub) to the attacker A, who answers as the server with (N, Auth).
- A valid Auth = H1(Ppub, IDC, N, U', V, K2) requires K2 = x · U' = x · r · QIDC = xryP.
- C2 thereby obtains rxyP, the solution to its CDH instance.
Theorem 3. In the random oracle model, if an adversary A can guess the coin b involved in the Test query with a non-negligible advantage ε, then there exists a challenger C2 to solve the CDH problem.
Secure against the passive attack, i.e. secure against disclosure of the session key.
Proof sketch (reduction):
- Challenger C2 receives (ryP, xP) and sets Ppub = xP, QIDC = H2(IDC) = yP and U' = r · QIDC = ryP.
- C2 gives (U', Ppub) to the attacker A, whose target is the session key K1.
- K1 = r · DIDC = rxyP, so an adversary that distinguishes the session key yields rxyP, the solution to C2's CDH instance.
Theorem 4. In the random oracle model and under the CDH problem, the proposed protocol provides implicit key confirmation.
Proof.
- Implicit key confirmation: the client (server) is assured that the server (client) is able to compute the session key and that no one other than the client/server can compute it.
- Theorems 1 and 2: the client C and the server S can authenticate each other in the random oracle model and under the CDH assumption.
- Theorem 3: no one other than the client C and the server S can compute the session key SK.
- Therefore, the proposed protocol provides implicit key confirmation.
Theorem 5. In the random oracle model and under the CDH problem, the proposed protocol offers partial forward secrecy.
Proof.
- If the system private key s is corrupted, all the previous session keys can be recovered from the transcripts:
  K2 = s · U
  Auth = H1(Ppub, IDC, N, U, V, K2)
  SK = H1(Auth, N, U, V, K2)
- The corruption of the client C (its private key DIDC) does not help to recover the previous session keys.
- Therefore, the proposed protocol offers partial forward secrecy.
Comparisons
Notation for the computational cost comparison:
(i) TGe: the time of executing a bilinear pairing operation e, e : G1 × G2 → GT
(ii) TGmul: the time of executing a point multiplication
(iii) TGH: the time of executing the map-to-point hash function H2()
(iv) TGadd: the time of executing a point addition
(v) TH: the time of executing the one-way hash function H1()
(vi) Texp: the time of executing a modular exponentiation
(vii) TMAC: the time of executing a message authentication code
Mutual authentication and key exchange phase with a timestamp T (against the replay attack)
Client C (holds DIDC = s · H2(IDC) = s · QIDC):
- chooses r ∈R Zq* and a timestamp T
- U = r · QIDC
- K1 = r · DIDC
- h = H1(IDC, T, U)
- V = (r + h) · DIDC
C -> S: (IDC, T, U, V)
Server S:
- Check T
- QIDC = H2(IDC)
- h = H1(IDC, T, U)
- e(P, V) ?= e(Ppub, U + h · QIDC)
- Acquiring a nonce N
- K2 = s · U
- Auth = H1(Ppub, IDC, N, U, V, K2)
- SK = H1(Auth, N, U, V, K2)
S -> C: (N, Auth)
Client C:
- Auth ?= H1(Ppub, IDC, N, U, V, K1)
- SK = H1(Auth, N, U, V, K1)
Comments
Forward secrecy
Nonce-based
Explicit key confirmation
Multi-server environment