A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards
Authors: Yuh-Min TSENG, Tsu-Yang WU, Jui-Di WU
Source: Informatica: International Journal, Vol.19, No.2, pp.285-302, 2008

Outline
Introduction
The Giri–Srivastava scheme
The proposed scheme
Conclusions
Comments

Introduction
Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.
Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. In Cryptology ePrint Archive.
forgery attack
computational cost
multi-server
The proposed scheme

Bilinear Pairings
Let G1, G2 be cyclic groups of same order q.
G1: an additive group E(Fp)
G2: a multiplicative group
P: a generator of G1
Definition
A bilinear map e: G1 × G1 → G2
1. Bilinear: e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and a, b ∈ Zq*
2. Non-degenerate: there exists P, Q ∈ G1 such that e(P, Q) ≠ 1
3. Computability: there is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1

Notations
RS: a registration server
SS: a service server
Ui: a legal user
IDi: the identity of the user Ui
IDss: the identity of the service server SS
pwi: the password of the user Ui
P: a generator of the group G1
s: the master private key of the RS in Zq*
PRS: the public key of the RS s.t. PRS = s · P
H1(): a one-way hash function {0,1}* → {0,1}^n
H2(): a map-to-point function {0,1}* → G1
T: a current time stamp
⊕: a simple XOR operation in G1

Framework
3 roles: Ui, SS, RS
4 phases:
The registration phase
The login phase
The verification phase
The password change phase

The Giri–Srivastava Scheme

The Registration Phase
User Ui: pwi
Registration Server RS: s
IDi, pwi
SPi = pwi · PRS
Regi = s · H2(IDi) + SPi
Smart card
Smart card: PRS, SPi, Regi, H2(), IDi

The login and verification phase
User Ui: pwi
Server
Choose r
Smart card: PRS, SPi, Regi, H2(), IDi
T ?
2( - , ) ( , ) ( ( ), )i ie D Y P e T B P e T sH ID P= × = ×
e(H2(IDi), PRS)^T = e(H2(IDi), s × P)^T

The password change Phase
pwi, pw'i
• The smart card performs:
SPi = pwi × PRS
checks IDi and SPi
SP'i = pw'i × PRS
Reg'i = Regi − SPi + SP'i
stores SP'i and Reg'i
Smart card: PRS, SPi, Regi, H2(), IDi

The proposed scheme

The Registration Phase
User Ui: pwi
Registration Server RS: s
IDi, pwi
Smart card
(s. QIDi) Wi

The login and verification phase
e(P, V) = e(P, (r + h) × DIDi)
        = e(P, (r + h) × s × H2(IDi))
e(PRS, U + h × QIDi) = e(s × P, r × QIDi + h × QIDi)
        = e(s × P, (r + h) × QIDi) = e(s × P, (r + h) × H2(IDi))
Regi Wi

The password change Phase
pwi, pw'i
• The smart card performs:
Wi = pwi × P
CWi = H1(Wi)
checks IDi and CWi
W'i = pw'i × P
CW'i = H1(W'i)
Reg'i = Regi ⊕ Wi ⊕ W'i
stores CW'i and Reg'i
Smart card:
Security proof
Computational Diffie–Hellman (CDH) problem: Given P, xP, yP ∈ G1, finding xyP.
Computational Diffie–Hellman (CDH) assumption: No probabilistic algorithm can solve the CDH
problem with non-negligible advantage within polynomial time.

Challenger C
(P, xP, yP)
xyP
PRS = xP
QIDi = H2(IDi) = yP
Attacker A
IDi, IDSS
H1( )
L1: (τ, Rh)
τ = (IDi, IDSS, T, U)
Rh T
σ = (IDi, IDSS, T, U, V)
Login
rT, xT
U = rT · QIDi
V = (rT + h) · xT
A can generate two valid messages σ = (IDi, IDSS, T, U, V) and σ' = (IDi, IDSS, T, U, V')
Forking Lemma
xyP = (V − V')/(h − h')
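
The verification equation from the login and verification phase and the forking-lemma extraction above, as an added example that is not taken from the slides or the paper. It models G1 as Z_q with P = 1 and the pairing as e(a, b) = g^(ab) mod p, which preserves the bilinear algebra but offers no security; the parameters q, p, g, the SHA-256-based H1/H2 and all function names are assumptions.

```python
import hashlib

# Toy parameters (constructed, insecure): G1 is modelled as the additive group
# Z_q with generator P = 1; G2 is the order-q subgroup of Z_p* generated by g.
q, p, g = 1019, 2039, 4
P = 1

def e(a, b):
    """Toy bilinear map G1 x G1 -> G2: e(aP, bP) = g^(ab)."""
    return pow(g, (a * b) % q, p)

def _hash(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H1(*parts):
    return _hash("H1", *parts)      # one-way hash, reduced to Z_q here

def H2(identity):
    return _hash("H2", identity)    # map-to-point: a "point" is its scalar

def respond(r, h, DID):
    """Smart card response V = (r + h) * DID_i, with DID_i = s * QID_i."""
    return ((r + h) * DID) % q

def login(ID, ID_SS, T, r, DID):
    U = (r * H2(ID)) % q            # U = r * QID_i
    h = H1(ID, ID_SS, T, U)         # h = H1(tau), tau = (ID_i, ID_SS, T, U)
    return ID, ID_SS, T, U, respond(r, h, DID)

def verify(P_RS, msg):
    """Server check: e(P, V) == e(P_RS, U + h * QID_i)."""
    ID, ID_SS, T, U, V = msg
    h = H1(ID, ID_SS, T, U)
    return e(P, V) == e(P_RS, (U + h * H2(ID)) % q)

def extract(V, V2, h, h2):
    """Forking-lemma step: (V - V') / (h - h') for two answers sharing r."""
    return ((V - V2) * pow((h - h2) % q, -1, q)) % q
```

`extract` recovers DIDi only because both responses share the same r, which is why the smart card has to draw a fresh r for every login.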

Discussions
• Eviction mechanism
  - A black ID list
  - A positive list
• Clock synchronization problem
  - The smart card should acquire a time stamp or a random challenge from the server
  - This adds extra transmission between the user and the server, but it does not affect the computational cost required by the smart card
• Smart card security
• Poor reparability
• Insider attack

Performance (1/2)
TGe: the time of executing the bilinear pairing operation e: G1 × G1 → G2
TGmul: the time for point scalar multiplication on the group G1
TGH: the time of executing the map-to-point hash function H2()
TGadd: the time for point addition on the group G1
TH: the time of executing the one-way hash function H1()
Tmul: the time for modular multiplication in Zq

Performance (2/2)

Conclusions
Mutual authentication
Session key establishment