Multimedia Network Security Laboratory

A novel user authentication and privacy preserving scheme with smartcards for wireless communications

Authors: Chun-Ta Li, Cheng-Chi Lee
Source: Mathematical and Computer Modelling, 2012
Presenter: 葉瑞群
Date: 2012/09/07

Outline
1. Introduction
2. Review of He et al.'s scheme
3. Three weaknesses in He et al.'s scheme
4. The proposed scheme
5. Security analysis of the proposed scheme
6. Functionality features and performance analysis of the proposed scheme
7. Conclusions

1. Introduction (1/3)
Generally speaking, a mobile user (MU) can access the services provided by its home agent (HA) while roaming in the network of a visited foreign agent (FA).

1. Introduction (2/3)
Recently, He et al. [5] showed that Wu et al.'s scheme is vulnerable to several weaknesses and then proposed a strong user authentication scheme with smart cards for wireless communications.

1. Introduction (3/3)
In this paper we will show that He et al.'s scheme has three weaknesses as follows.
1. Lack of user friendliness.
2. Unfairness in key agreement.
3. Attacks against the user anonymity.

2. Review of He et al.'s scheme (1/7) - Table 1 (I)
Notation   Description
MU         The mobile user
PW_MU      The password of MU
ID_MU      The identity of MU
HA         The home agent of Ui
ID_HA      The identity of HA
FA         The foreign agent of the network MU has roamed into
ID_FA      The identity of FA
N          The master secret key stored in HA
T_X        A timestamp generated by an entity X
SK         The common session key
⊕          The bitwise XOR operation
H(.)       A collision-free one-way hash function

2. Review of He et al.'s scheme (2/7) - Table 1 (II)
Notation        Description
||              String concatenation
E_K[.]/D_K[.]   The symmetric encryption/decryption function with key K
E_K{.}/D_K{.}   The asymmetric encryption/decryption function with key K
⇒               A secure channel
→               A common channel

2. Review of He et al.'s scheme (3/7) - Registration phase [1]
Participants: MU, HA
ID_MU, H(PW_MU ⊕ d)
TK_MU = H(ID_MU || X_HA)
SK_MU = H(N || ID_MU)
r = TK_MU ⊕ ID_HA ⊕ E_N[(ID_MU || m)]
{TK_MU, SK_MU, H(.), r}
SK*_MU = H(ID_MU || H(PW_MU)) ⊕ SK_MU
V_MU = TK_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
H_MU = H(TK_MU)
{V_MU, H_MU, SK*_MU, H(.), d, r}

2. Review of He et al.'s scheme (4/7) - Login phase [2]
Participants: MU, FA, smart card
TK*_MU = V_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
H*_MU = H(TK*_MU)
Check H*_MU = H_MU
SK_MU = H(ID_MU || H(PW_MU)) ⊕ SK*_MU
L = H(T_MU ⊕ SK_MU)
F = E_L[H(T_MU) || ID_FA || x0 || x]
n = r ⊕ TK_MU = ID_HA ⊕ E_N[(ID_MU || m)]
m1 = {n, F, ID_HA, T_MU}

2. Review of He et al.'s scheme (5/7) - Authentication phase [3] - I
Participants: MU, FA, HA
E{H(b, n, F, T_MU, Cert_FA)}
m2 = {b, n, F, T_MU, T_FA, E{H(b, n, F, T_MU, Cert_FA)}, Cert_FA}
n ⊕ ID_HA = E_N[ID_MU || m]
D_N[E_N] = ID_MU, m
Check ID_MU → database
L = H(T_MU ⊕ SK_MU)
D_L[F] = H(T_MU), ID_FA, x0, x
Check ID_FA, Cert_FA
W = E{H(H(N || ID_MU)) || x0 || x}
E{H(b, c, W, T_HA, Cert_HA)}
m3 = {c, W, T_HA, E{H(b, c, W, T_HA, Cert_HA)}, Cert_HA}

2. Review of He et al.'s scheme (6/7) - Authentication phase [3] - II
Participants: MU, FA, HA
Check T_HA, P_HA → E
D{W} = H(H(N || ID_MU)), x0, x
SK = H(H(H(N || ID_MU)) || x || x0)
m4 = {E_SK[TCert_MU || H(x0 || x)]}
SK = H(H(SK_MU) || x || x0)
D_SK[m4] = TCert_MU, H(x0 || x)

2. Review of He et al.'s scheme (7/7) - Password change phase [4]
Smart card:
TK*_MU = V_MU ⊕ H(ID_MU || H(PW_MU ⊕ d))
H*_MU = H(TK*_MU), check H*_MU = H_MU
MU:
Input PW_MU^NEW
Smart card:
SK'_MU = H(ID_MU || H(PW_MU^NEW)) ⊕ SK_MU = H(ID_MU || H(PW_MU^NEW)) ⊕ H(ID_MU || H(PW_MU)) ⊕ SK*_MU, replaces SK'_MU → SK*_MU
V'_MU = TK_MU ⊕ H(ID_MU || H(PW_MU^NEW ⊕ d^NEW)), replaces V'_MU → V_MU
{V'_MU, H_MU, SK'_MU, H(.), d^NEW, r}, PW_MU^NEW

3. Three weaknesses in He et al.'s scheme (1/3)
1. Lack of user friendliness
The authors assumed that the bit length of MU's ID_MU is 128 bits, so MU has to memorize such a 128-bit identity (usually in the form of as many as 32 hexadecimal ASCII characters).

3. Three weaknesses in He et al.'s scheme (2/3)
2. Unfairness in key agreement
The MU can always choose x0 and x, where x0 and x are two 256-bit random numbers generated by the MU alone, such that in Step V7 the common session key computed by the FA according to SK = H(H(H(N || ID_MU)) || x || x0) is always determined by the MU's pre-determined x0 and x.

3. Three weaknesses in He et al.'s scheme (3/3)
3. Attacks against the user's anonymity
Consider a mobile user MU that roams into the foreign network and sends the login message m1 = {n, F, ID_HA, T_MU} to the FA to access service. The contents of n and ID_HA are for the mobile user MU's exclusive use, and these two values never change in Step L4 of the login phase.

4. The proposed scheme (1/7)
Notations
p, q                 Public large prime numbers
S_HA = c             HA selects a private key
P_HA = g^c mod p     HA computes its public key
S_FA = e             FA selects a private key
P_FA = g^e mod p     FA computes its public key

4. The proposed scheme (2/7) - Registration phase [1]
Participants: MU, HA
ID_MU, H(ID_MU ⊕ PW_MU ⊕ d)
TK_MU = H(N || ID_MU) ⊕ H(ID_MU ⊕ PW_MU ⊕ d)
r = ID_HA ⊕ E_N[(ID_MU || m)]
TK_MU, H(.), r
TK_MU, H(.), r, d

4. The proposed scheme (3/7) - Login phase [2]
Participants: MU, FA, smart card
TK*_MU = TK_MU ⊕ H(ID_MU ⊕ PW_MU ⊕ d) = H(N || ID_MU)
A = g^a mod p
L = H(T_MU ⊕ TK*_MU), F = E_L[T_MU || ID_FA || A]
DH = P_HA^a mod p = g^(ac) mod p, M = E_DH[r]
MU:
DH' = P_FA^a mod p = g^(ea) mod p
m1 = {A, T_MU, U = E_DH'[M, F, ID_HA, T_MU]}

4. The proposed scheme (4/7) - Authentication phase [3] I
Participants: MU, FA, HA
DH' = A^e mod p = g^(ae) mod p
D_DH'[U] = M, F, ID_HA, T_MU
B = g^b mod p
V = E{H(A, B, M, F, T_MU, T_FA, Cert_FA)}
DH'' = P_HA^b mod p = g^(cb)
m2 = {B, T_FA, W = E_DH''[A, B, M, F, T_MU, T_FA, V, Cert_FA]}
DH'' = B^c mod p = g^(bc) mod p
D_DH''[W] = A, B, M, F, T_MU, T_FA, V, Cert_FA
DH = A^c mod p = g^(ac) mod p
ID_HA ⊕ D_DH[M] = E_N[ID_MU || m]
D_N[E_N] = ID_MU, m

4. The proposed scheme (5/7) - Authentication phase [3] II
Participants: MU, FA, HA
Check ID_MU → database
L = H(T_MU ⊕ H(N || ID_MU))
MU is not a legal user
D_L[F] = T_MU, ID_FA, A
D = g^d mod p
X = E{H(A, B, D, T_HA, Cert_HA)}
Y = E_SK'[H(H(N || ID_MU) || D) || A || B || D || X || Cert_HA]
m3 = {D, T_HA, Y}
SK' = D^b mod p = g^(db) mod p
D_SK'[Y] = H(H(N || ID_MU) || D), A, B, D, X, Cert_HA
SK = A^b mod p = g^(ab) mod p
m4 = {B, Z = E_SK[TCert_MU || H(H(N || ID_MU) || D) || A || B || D]}

4. The proposed scheme (6/7) - Authentication phase [3] III
Participants: MU, FA, HA
SK = B^a mod p = g^(ba) mod p
D_SK[Z] = TCert_MU, H(H(N || ID_MU) || D), A, B, D
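
The key derivations of the authentication phase, set against the "unfairness in key agreement" weakness, as an added example that is not taken from the slides or the paper. The toy group (p = 2^127 - 1, g = 3), SHA-256 as H, the sample exponents and the HA-side computation B^d for SK' are assumptions.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3      # constructed toy group (assumption); far too small for real use

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def he_sk(x, x0, id_mu=b"ID_MU", N=b"constructed-master-key"):
    """He et al.: SK = H(H(H(N||ID_MU)) || x || x0), x and x0 chosen by MU alone."""
    return H(H(H(N, id_mu)), x, x0)

def proposed_keys(c, e, a, b, d):
    """Each key of the proposed scheme, derived at both ends of its link.
    c, e: private keys of HA and FA; a, b, d: per-session exponents of MU, FA, HA."""
    P_HA, P_FA = pow(G, c, P), pow(G, e, P)
    A, B, D = pow(G, a, P), pow(G, b, P), pow(G, d, P)
    ends = {
        "DH'":  (pow(P_FA, a, P), pow(A, e, P)),   # MU <-> FA, protects U in m1
        "DH''": (pow(P_HA, b, P), pow(B, c, P)),   # FA <-> HA, protects W in m2
        "DH":   (pow(P_HA, a, P), pow(A, c, P)),   # MU <-> HA, protects M = E_DH[r]
        "SK'":  (pow(B, d, P), pow(D, b, P)),      # HA <-> FA; HA side B^d is assumed
        "SK":   (pow(B, a, P), pow(A, b, P)),      # MU <-> FA session key g^(ab)
    }
    assert all(left == right for left, right in ends.values())
    return {name: left for name, (left, _) in ends.items()}

def keys_when_mu_repeats_its_input(fa_values):
    """MU reuses the same x, x0 (He et al.) or the same a (proposed) while FA picks
    a fresh value every session; returns how many distinct session keys result."""
    x, x0, a = b"x" * 32, b"0" * 32, 11                 # constructed MU inputs
    he = {he_sk(x, x0) for _b in fa_values}             # FA's value never enters SK
    new = {proposed_keys(5, 7, a, b, 17)["SK"] for b in fa_values}
    return len(he), len(new)

if __name__ == "__main__":
    fresh = [secrets.randbelow(P - 2) + 1 for _ in range(3)]
    print(keys_when_mu_repeats_its_input(fresh))
```

In He et al.'s formula the FA contributes nothing, so one key comes out however many sessions are run; with SK = g^(ab) each fresh b from the FA yields a different key.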

4. The proposed scheme (7/7) - Password change phase [4]
MU, smart card
TK*_MU = TK_MU ⊕ H(ID_MU ⊕ PW_MU ⊕ d) = H(N || ID_MU)
H(ID_MU ⊕ PW_MU^NEW ⊕ d')
TK_MU^NEW = TK*_MU ⊕ H(ID_MU ⊕ PW_MU^NEW ⊕ d')
Replaces TK_MU^NEW, d'

5. Security analysis of the proposed scheme (1/3)
The proposed scheme is able to provide user anonymity.
m1 = {A, T_MU, U = E_DH'[M, F, ID_HA, T_MU]}
Step 1: DH' = A^e mod p = g^(ae) mod p
Step 2: D_DH'[U] = M, F, ID_HA, T_MU
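
The anonymity claim above and the third weakness of He et al.'s scheme, compared from an eavesdropper's point of view, as an added example that is not taken from the slides or the paper. The toy group, SHA-256 as H, the XOR-keystream stand-in for E_k[.], and the names alice, bob, FA-1 and HA-1 are assumptions.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3      # constructed toy group (assumption); far too small for real use

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def E(key, msg):
    """Toy stand-in for E_k[.]: XOR with a SHA-256 keystream (illustration only)."""
    ks = b"".join(H(key, bytes([i])) for i in range(len(msg) // 32 + 1))
    return bytes(m ^ k for m, k in zip(msg, ks))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def he_m1(n, id_ha, sk_mu, t):
    """He et al. login: m1 = {n, F, ID_HA, T_MU}; n never changes for a given MU."""
    T = t.to_bytes(32, "big")
    F = E(H(xor(T, sk_mu)), H(T) + b"FA-1" + secrets.token_bytes(64))  # ..||x0||x
    return (n, F, id_ha, T)

def proposed_m1(r, id_ha, tk_star, p_ha, p_fa, t):
    """Proposed login: m1 = {A, T_MU, U}; r is wrapped under fresh DH and DH' keys."""
    T, a = t.to_bytes(32, "big"), secrets.randbelow(P - 2) + 1
    A = pow(G, a, P).to_bytes(16, "big")
    F = E(H(xor(T, tk_star)), T + b"FA-1" + A)
    M = E(pow(p_ha, a, P).to_bytes(16, "big"), r)                      # M = E_DH[r]
    U = E(pow(p_fa, a, P).to_bytes(16, "big"), M + F + id_ha + T)      # U = E_DH'[..]
    return (A, T, U)

def linked_sessions(messages, field):
    """Observer's view: groups of session numbers that share one field's value."""
    groups = {}
    for i, m in enumerate(messages):
        groups.setdefault(m[field], []).append(i)
    return [g for g in groups.values() if len(g) > 1]

def demo():
    N, id_ha = secrets.token_bytes(32), H(b"HA-1")            # constructed values
    p_ha, p_fa = pow(G, 11111, P), pow(G, 22222, P)           # P_HA = g^c, P_FA = g^e
    # Static per-user value ID_HA xor E_N[ID_MU || m]: n in He et al., r in the new scheme
    n = {u: xor(id_ha, E(N, u.ljust(32, b"."))) for u in (b"alice", b"bob")}
    order = [b"alice", b"bob", b"alice"]                      # sessions 0, 1, 2
    he = [he_m1(n[u], id_ha, H(N, u), t) for t, u in enumerate(order, 1)]
    new = [proposed_m1(n[u], id_ha, H(N, u), p_ha, p_fa, t)
           for t, u in enumerate(order, 1)]
    return linked_sessions(he, 0), [linked_sessions(new, f) for f in range(3)]

if __name__ == "__main__":
    print(demo())
```

Grouping He et al.'s messages by n ties sessions 0 and 2 to the same user without any key, while no field of the proposed m1 repeats across sessions.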

5. Security analysis of the proposed scheme (2/3)
[Figure: keys shared among MU, FA and HA: DH', DH'', DH, SK]

5. Security analysis of the proposed scheme (3/3)
The proposed scheme meets the security requirement for perfect forward secrecy (Diffie-Hellman).
An attacker cannot launch any attack to obtain the MU's real identity ID_MU and password PW_MU.
TK*_MU = H(N || ID_MU)

6. Functionality features and performance analysis of the proposed scheme (1/1)

More recently, He et al. showed that Wu et al.'s smart card based authentication scheme with user anonymity is vulnerable to several weaknesses and then proposed a secure and light-weight user authentication scheme.