Secure Remote User Authentication Scheme Using Bilinear Pairings

Department of Computer Engineering, Kyungpook National University

Authors: Eun-Jun Yoon, Wan-Soo Lee, Kee-Young Yoo

Speaker: Wan-Soo Lee (complete2@infosec.knu.ac.kr)

Date: 2007.05.10 (Thu)


Contents

Introduction

Review of Das et al.’s scheme

Cryptanalysis of Das et al.’s scheme

Impersonation attack

Off-Line password guessing attack

Proposed scheme

Conclusion


Introduction

Remote user authentication

Along with confidentiality and integrity, for systems that allow remote access over untrustworthy networks, like the Internet

Das et al.’s scheme (in 2006)

Proposed a remote user authentication scheme using bilinear pairing

Our refutation

Insecure against the impersonation attack and the off-line password guessing attack


Introduction

Bilinear Pairing

Let $G_1$, $G_2$ be cyclic groups of the same order $q$.

$G_1$: an additive group, $G_2$: a multiplicative group

Definition

A bilinear map $e : G_1 \times G_1 \to G_2$ has the following properties:

1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q^*$

2. Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$

3. Computability: $e(P, Q)$ is computable for all $P, Q \in G_1$


Introduction

Mathematical Problems

Definition 1. Discrete Logarithm Problem (DLP): Given $Q, R \in G_1$, find an integer $x \in Z_q^*$ such that $R = xQ$.

Definition 2. Bilinear Computational Diffie-Hellman Problem (BCDHP): Given $(P, aP, bP)$ for $a, b \in Z_q^*$, compute $abP$.


Das et al.’s Authentication Scheme

Setup Phase:

G1 : an additive cyclic group of prime order q

G2 : a multiplicative cyclic group of the same order

P : a generator of G1

Bilinear mapping e : G1 × G1 → G2

Hash function H : {0, 1}* → G1

① RS selects a secret key s and computes PubRS = sP.

② RS publishes <G1, G2, e, q, P, PubRS, H(·)> and keeps s secret.


Das et al.’s Authentication Scheme

Registration Phase:

User Ui: Select IDi, PWi

User Ui → Remote System: IDi, PWi

Remote System: RegIDi ← s • H(IDi) + H(PWi)

Remote System: Store IDi, RegIDi, H(•) in Smart Card

Remote System → User Ui: Smart Card (Secure Channel)


Das et al.’s Authentication Scheme

Login and Verification Phase:

User Ui: Input IDi, PWi

User Ui: Pick up T

User Ui: DIDi ← T • RegIDi

User Ui: Vi ← T • H(PWi)

User Ui → Remote System: { IDi, DIDi, Vi, T }

Remote System: Check (T* - T) ≤ ∆T

Remote System: Check e(DIDi – Vi, P) = e(H(IDi), PubRS)^T


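Cryptanalysis of Das et al.’s scheme

Impersonation attack

User Ui → Remote System: { IDi, DIDi, Vi, T }

Attacker E: choose $T'$, compute $r$ with $T' = r \cdot T$, and $DID'_i = r \cdot DID_i$, $V'_i = r \cdot V_i$

Attacker E → Remote System: { IDi, DID’i, V’i, T’ }

Remote System: check $e(DID'_i - V'_i, P) \stackrel{?}{=} e(H(ID_i), Pub_{RS})^{T'}$

$$
\begin{aligned}
e(DID'_i - V'_i, P) &= e(r \cdot DID_i - r \cdot V_i, P) \\
&= e(r \cdot T \cdot Reg_{ID_i} - r \cdot T \cdot H(PW_i), P) \\
&= e(r \cdot T \cdot (s \cdot H(ID_i) + H(PW_i)) - r \cdot T \cdot H(PW_i), P) \\
&= e(r \cdot T \cdot s \cdot H(ID_i), P) \\
&= e(s \cdot H(ID_i), P)^{r \cdot T} \\
&= e(H(ID_i), sP)^{T'} \\
&= e(H(ID_i), Pub_{RS})^{T'}
\end{aligned}
$$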
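The verification equation is homogeneous in (DIDi, Vi, T), so the freshness check on T binds nothing to the credential. The following added example (not from the slides or from Das et al.) replays the derivation above in a constructed toy pairing, G1 = Z_q with e(x, y) = g^(xy) mod p; the parameters, function names and credentials are assumptions made for illustration.

```python
import hashlib

# Toy symmetric pairing (constructed, insecure): G1 = Z_q with P = 1 and
# e(x, y) = g^(x*y) mod p, where g = 4 is a square in Z_p^* and q = (p - 1)/2.
p, q, g, P = 1_000_000_007, 500_000_003, 4, 1

def e(x, y):
    return pow(g, (x * y) % q, p)

def H(data: bytes) -> int:
    """Toy map onto a non-zero element of G1."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def register(s, ident, pw):
    """RS side: RegID_i = s*H(ID_i) + H(PW_i)."""
    return (s * H(ident) + H(pw)) % q

def login(reg_id, pw, T):
    """Smart-card side: DID_i = T*RegID_i, V_i = T*H(PW_i)."""
    return (T * reg_id) % q, (T * H(pw)) % q

def rs_verify(pub_rs, ident, did, v, T, now, delta=5):
    """RS side: freshness window, then the pairing check from the slide."""
    if not 0 <= now - T <= delta:
        return False
    return e((did - v) % q, P) == pow(e(H(ident), pub_rs), T, p)

def rescale(did, v, T, T_new):
    """Scale a recorded (DID_i, V_i) by r with T' = r*T (mod q)."""
    r = (T_new * pow(T, -1, q)) % q
    return (r * did) % q, (r * v) % q

def demo():
    s = 777                                    # constructed RS secret
    pub_rs = (s * P) % q
    reg = register(s, b"alice", b"hunter2")    # constructed credentials
    did, v = login(reg, b"hunter2", T=100)
    honest = rs_verify(pub_rs, b"alice", did, v, 100, now=101)
    stale = rs_verify(pub_rs, b"alice", did, v, 100, now=500)
    did2, v2 = rescale(did, v, 100, 500)       # no password or s involved
    rescaled = rs_verify(pub_rs, b"alice", did2, v2, 500, now=500)
    return honest, stale, rescaled
```

The stale message is rejected only by the time window; once the tuple is rescaled to a current T', the pairing check passes, which is the "Active attack: Insecure" row of the comparison table.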


Cryptanalysis of Das et al.’s scheme

Off-line password guessing attack

User Ui → Remote System: { IDi, DIDi, Vi, T }

Attacker E:

(1) Guess $PW'_i$

(2) E computes $T \cdot H(PW'_i)$

(3) E checks if $V_i \stackrel{?}{=} T \cdot H(PW'_i)$


Proposed scheme

Setup Phase:

G1 : an additive cyclic group of prime order q

G2 : a multiplicative cyclic group of the same order

P : a generator of G1

Bilinear mapping e : G1 × G1 → G2

Hash function H : {0, 1}* → G1

F(·) : a collision resistant one-way hash function

① RS selects a secret key s and computes PubRS = sP.

② RS publishes <G1, G2, e, q, P, PubRS, H(·), F(·)> and keeps s secret.


Proposed scheme

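Registration Phase:

User Ui: Select IDi, PWi, N

User Ui: Compute F(PWi|N)

User Ui → Remote System: IDi, F(PWi|N)

Remote System: U ← H(IDi, IDs)

Remote System: Ki ← s • U

Remote System: VKi ← F(Ki)

Remote System: RegIDi ← Ki + H(F(PWi|N))

Remote System: Store U, VKi, RegIDi, H(•), F(•) in Smart Card

Remote System → User Ui: Smart Card (Secure Channel)

User Ui: Enter N into Smart Card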


Proposed scheme

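Login and Session key agreement Phase:

User Ui: Input IDi, PWi

User Ui: $K_i \leftarrow RegID_i - H(F(PW_i|N))$

User Ui: Verify $VK_i \stackrel{?}{=} F(K_i)$

User Ui: Choose random $a \in Z_q^*$, $C_1 = aP$

User Ui → Remote System: { IDi, C1 }

Remote System: Verify IDi

Remote System: $U \leftarrow H(ID_i, ID_s)$

Remote System: $K_i^* = s \cdot U$

Remote System: Choose random $b \in Z_q^*$, $C_2 = bP$

Remote System: $sk = e(C_1, bU) = e(P, U)^{ab}$

Remote System: $C_3 = F(ID_i, K_i^*, sk, C_1)$

Remote System → User Ui: { C2, C3 }

User Ui: $sk^* = e(C_2, aU) = e(P, U)^{ab}$

User Ui: $C_3^* = F(ID_i, K_i, sk^*, C_1)$

User Ui: Verify $C_3^* \stackrel{?}{=} C_3$

User Ui: $C_4 = F(ID_i, K_i, sk^*, C_2)$

User Ui → Remote System: { C4 }

Remote System: $C_4^* = F(ID_i, K_i^*, sk, C_2)$

Remote System: Verify $C_4^* \stackrel{?}{=} C_4$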
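The registration and login phases of the proposed scheme, run end to end as an added example (not the authors' code). It uses a constructed toy pairing, G1 = Z_q with e(x, y) = g^(xy) mod p, and assumed names, parameters and credentials, to show the on-card password check and the two key-confirmation values C3 and C4.

```python
import hashlib, secrets

# Toy symmetric pairing (constructed, insecure): G1 = Z_q with P = 1 and
# e(x, y) = g^(x*y) mod p, where g = 4 is a square in Z_p^* and q = (p - 1)/2.
p, q, g, P = 1_000_000_007, 500_000_003, 4, 1

def e(x, y):
    return pow(g, (x * y) % q, p)

def F(*parts) -> int:
    """One-way hash F(.) over a tuple of values."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def H(*parts) -> int:
    """Toy map onto a non-zero element of G1."""
    return F("H", *parts) % (q - 1) + 1

def register(s, ident, id_s, pw, N):
    """RS computes U, K_i, VK_i and RegID_i; the user then enters N."""
    K = (s * H(ident, id_s)) % q
    return {"U": H(ident, id_s), "VK": F(K),
            "Reg": (K + H(F(pw, N))) % q, "N": N}

def card_unlock(card, pw):
    """Recover K_i and check VK_i = F(K_i) before anything is sent."""
    K = (card["Reg"] - H(F(pw, card["N"]))) % q
    return K if F(K) == card["VK"] else None

def run_login(s, ident, id_s, card, pw):
    """Both roles of the login phase; returns (status, session key)."""
    K = card_unlock(card, pw)
    if K is None:
        return "wrong password rejected by card", None
    a = secrets.randbelow(q - 1) + 1
    C1 = (a * P) % q                              # user -> RS: {ID_i, C1}
    U = H(ident, id_s)                            # RS recomputes U and K_i*
    K_rs, b = (s * U) % q, secrets.randbelow(q - 1) + 1
    C2 = (b * P) % q
    sk_rs = e(C1, (b * U) % q)
    C3 = F(ident, K_rs, sk_rs, C1)                # RS -> user: {C2, C3}
    sk_user = e(C2, (a * card["U"]) % q)
    if F(ident, K, sk_user, C1) != C3:
        return "RS failed key confirmation", None
    C4 = F(ident, K, sk_user, C2)                 # user -> RS: {C4}
    if F(ident, K_rs, sk_rs, C2) != C4:
        return "user failed key confirmation", None
    return "ok", sk_user
```

Because C3 and C4 are hashes over K_i, the session key and the fresh values C1 and C2, a peer that does not hold s (or K_i) fails confirmation, and no timestamp is needed.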


Comparison

| Security Properties | Das et al.’s scheme | Proposed scheme |
|---|---|---|
| Passive attack | Secure | Secure |
| Active attack | Insecure | Secure |
| Guessing attack | Insecure | Secure |
| Stolen smart card attack | Insecure | Secure |
| Insider attack | Insecure | Secure |
| Secure password change | Not provided | Provided |
| Mutual authentication | Not provided | Provided |
| Session key distribution | Not provided | Provided |
| Perfect forward secrecy | Not provided | Provided |
| Wrong password detection | Slow | Fast |
| Timestamp | Required | Not required |


Conclusion

Das et al.’s scheme is vulnerable to an impersonation attack and an off-line password guessing attack

Improved authentication scheme based on the bilinear computational D-H problem and a one-way hash function

»» Provides mutual authentication between the user and the remote system.

»» Does not require time synchronization or delay-time limitations

Future work: must be proved formally


Thank you

Q & A