A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards
Authors: Yuh-Min TSENG, Tsu-Yang WU, Jui-Di WU
Source: Informatica: International Journal, Vol.19, No.2, pp.285-302, 2008

Page 1: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Authors: Yuh-Min TSENG, Tsu-Yang WU, Jui-Di WU

Source: Informatica: International Journal, Vol.19, No.2, pp.285-302, 2008

Page 2: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Outline

• Introduction
• The Giri–Srivastava scheme
• The proposed scheme
• Conclusions
• Comments

Page 3: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Introduction

Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.

Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. In Cryptology ePrint Archive.

forgery attack

computational cost
multi-server

The proposed scheme

Page 4: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Bilinear Pairings

Bilinear Pairing

Let G1, G2 be cyclic groups of the same order q.

G1 : an additive group E(Fp)
G2 : a multiplicative group
P : a generator of G1

Definition

A bilinear map e: G1 × G1 → G2

1. Bilinear: e(aP, bQ) = e(P, Q)^ab for all P, Q ∈ G1 and a, b ∈ Zq∗
2. Non-degenerate: there exist P, Q ∈ G1 such that e(P, Q) ≠ 1
3. Computability: there is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1

Page 5: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Notations

RS: a registration server
SS: a service server
Ui: a legal user
IDi: the identity of the user Ui
IDss: the identity of the service server SS
pwi: the password of the user Ui
P: a generator of the group G1
s: the master private key of the RS in Zq∗
PRS: the public key of the RS s.t. PRS = s · P
H1(): a one-way hash function {0,1}* → {0,1}n
H2(): a map-to-point function {0,1}* → G1
T: a current time stamp
⊕: a simple XOR operation in G1

Page 6: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Framework

3 roles:
• Ui
• SS
• RS

4 phases:
• The registration phase
• The login phase
• The verification phase
• The password change phase

Page 7: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards


The Giri–Srivastava Scheme

Page 8: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The Registration Phase

User Ui: pwi
Registration Server RS: s

IDi, pwi

SPi = pwi · PRS
Regi = s · H2(IDi) + SPi

Smart card

Smart card: PRS, SPi, Regi, H2(), IDi

Page 9: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The login and verification phase

User Ui: pwi
Server

Choose r

Smart card: PRS, SPi, Regi, H2(), IDi

T ?

2( - , ) ( , ) ( ( ), )i ie D Y P e T B P e T sH ID P= × = ×

e(H2(IDi), PRS)^T = e(H2(IDi), s × P)^T

Page 10: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The password change Phase

• The smart card performs:
  SPi = pwi × PRS
  checks IDi and SPi
  SPi' = pwi' × PRS
  Regi' = Regi − SPi + SPi'
  stores SPi' and Regi'

pwi, pwi'

Smart card: PRS, SPi, Regi, H2(), IDi

Page 11: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards


The proposed scheme

Page 12: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The Registration Phase

User Ui: pwi
Registration Server RS: s

IDi, pwi

Smart card

(s. QIDi) Wi

Page 13: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The login and verification phase

e(P, V) = e(P, (r + h) × DIDi)
        = e(P, (r + h) × s × H2(IDi))

e(PRS, U + h × QIDi) = e(s × P, r × QIDi + h × QIDi)
                     = e(s × P, (r + h) × QIDi) = e(s × P, (r + h) × H2(IDi))

Regi Wi

Page 14: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

The password change Phase

• The smart card performs:
  Wi = pwi × P
  CWi = H1(Wi)
  checks IDi and CWi
  Wi' = pwi' × P
  CWi' = H1(Wi')
  Regi' = Regi ⊕ Wi ⊕ Wi'
  stores CWi' and Regi'

pwi, pwi'

Smart card:

Page 15: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Security proof

Computational Diffie–Hellman (CDH) problem: Given P, xP, yP ∈ G1, finding xyP.

Computational Diffie–Hellman (CDH) assumption: No probabilistic algorithm can solve the CDH problem with non-negligible advantage within polynomial time.

Page 16: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Challenger C

(P, xP, yP)

xyP

PRS = xP
QIDi = H2(IDi) = yP

Attacker A

IDi, IDSS

H1( )

L1: (τ, Rh)

τ = (IDi, IDSS, T, U)
Rh T
σ = (IDi, IDSS, T, U, V)

Login

rT, xT

U = rT · QIDi,
V = (rT + h) · xT

A can generate two valid messages σ = (IDi, IDSS, T, U, V) and σ' = (IDi, IDSS, T, U, V')

Forking Lemma

xyP = (V − V')/(h − h')
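Added example (not from the slides or the paper): a toy Python model that checks the algebra of the proposed scheme's verification equation e(P, V) = e(PRS, U + h × QIDi) and of the forking-lemma step (V − V')/(h − h'). Assumptions: G1 is modelled as the integers mod q with P = 1, so every point exposes its own discrete log and the model is insecure by construction; the small primes, the SHA-256-based H1 and H2, the function names, and h = H1(τ) with τ = (IDi, IDSS, T, U) as read from the slide above are illustrative choices.

```python
import hashlib

# Toy parameters (constructed, insecure): G1 is modelled as Z_q with P = 1,
# so the point a*P is just the integer a; G2 is the order-q subgroup of Z_p*.
Q, P_MOD, G = 1019, 2039, 4
P = 1

def e(a, b):
    """Toy bilinear map: e(aP, bP) = g^(ab)."""
    return pow(G, (a * b) % Q, P_MOD)

def _h(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def H1(*parts):
    return _h("H1", *parts)      # stand-in for H1(), reduced into Z_q*

def H2(ident):
    return _h("H2", ident)       # stand-in map-to-point: QID_i as a multiple of P

def register(s, id_i):
    """RS side: DID_i = s * H2(ID_i)."""
    return (s * H2(id_i)) % Q

def login(did_i, id_i, id_ss, t, r):
    """Card side: U = r*QID_i, h = H1(tau), V = (r + h)*DID_i."""
    u = (r * H2(id_i)) % Q
    h = H1(id_i, id_ss, t, u)
    return u, ((r + h) * did_i) % Q

def verify(p_rs, id_i, id_ss, t, u, v):
    """SS side: accept iff e(P, V) == e(P_RS, U + h*QID_i)."""
    h = H1(id_i, id_ss, t, u)
    return e(P, v) == e(p_rs, (u + h * H2(id_i)) % Q)

def extract(v1, h1, v2, h2):
    """Forking-lemma step: (V - V') / (h - h') = s * QID_i."""
    return ((v1 - v2) * pow((h1 - h2) % Q, -1, Q)) % Q
```

The server verifies with only PRS and the public QIDi, while two accepted transcripts that share U but answer different hash values h and h' determine s × QIDi, which is why the proof can turn a forger into a CDH solver.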

Page 17: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Discussions

• Eviction mechanism
  - A black ID list
  - A positive list
• Clock synchronization problem
  - The smart card should acquire a time stamp or a random challenge from the server
  - This adds extra transmission between the user and the server, but it does not affect the computational cost required by the smart card
• Smart card security
• Poor reparability
• Insider attack

Page 18: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Performance(1/2)

TGe: the time of executing the bilinear pairing operation e: G1 × G1 → G2

TGmul: the time for point scalar multiplication on the group G1

TGH: the time of executing the map-to-point hash function H2()

TGadd: the time for point addition on the group G1

TH: the time of executing the one-way hash function H1()

Tmul: the time for modular multiplication in Zq

Page 19: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards


Performance(2/2)

Page 20: A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards

Conclusions

• Mutual authentication
• Session key establishment