Improvement ofmanik et al. s remote user authentication scheme

Transcription

1 Improvement ofmank et al. s remote user authentcaton scheme Abstract Jue-Sam Chou, a,yaln Chen b Jyun-Yu Ln c a Department of Informaton Management, Nanhua Unversty Chay, 622, Tawan schou@mal.nhu.edu.tw Tel: 886+( ext b Insttute of nformaton systems and applcatons, Natonal Tsng Hua Unversty d949702@oz.nthu.edu.tw Tel: 886+( c Department of Informaton Management, Nanhua Unversty Chay, 622, Tawan asureoker@gmal.com Tel: 886+( ext.2017 In 2005, Mank et al. propose a novel remote user authentcaton scheme usng blnear parngs whch allows a vald user to logn to the remote system but prohbts too many users to logn wth the same logn-id. It also provdes a flexble password change functon. In ths paper, we wll show that ths remote user authentcaton scheme s not secure, an adversary can always pass the authentcaton. Keywords: blnear parngs, securty, Key-Compromse Impersonaton, authentcaton, smart card 1. Introducton In 1976, Dffe and Hellman frst propose a publc key cryptosystem based on the complex dscrete logarthm problem [3] and opened the modern cryptography era. After that, several developed cryptosystems such as A [4], Dgtal sgnature [5] based on the Publc-Key Infrastructure are proposed. Because these systems have a superor securty level, many researches work n ths area attemptng to mprove and extend some exsted applcatons. Under ths scenaro, the dea of ID-Based publc-key cryptosystem was frst ntroduced n 1984 by Shamr whch [6] allows a user to use hs ID as hs publc key. Recently, n 2001, blnear parngs such as Wel parng and Tate parng defned on ellptc curves were proved and can be appled to cryptography. The blnear parngs are an effectve method to reduce the complexty of the dscrete log problem n a fnte feld [1] [2]. Parng provdes a good settng for the blnear Dffe Hellman problem and has been used to desgn several cryptosystems. The beneft of a blnear parng cryptosystem s that t remans the same securty level but reduces the computaton cost. Many protocols are desgned based on the Wel parng. For example, one-round trpartte key agreement[7], the ID-based publc-key encrypton scheme based on blnear Dffe Hellman problem[8], ID-based authentcaton key agreement protocol based on parng[9] and ID-based sgnature schemes[10], etc. In 2005, Mank et al. propose a novel remote user authentcaton scheme usng blnear parngs [12] to prevent an adversary from launchng a forgery attack n a logn sesson. In ths paper, we propose an mpersonaton attack on ther remote user 1

2 authentcaton scheme by showng that any malcous users can mpersonate an entty to deceve the remote server. So, ther scheme cannot provde the securty as clamed. The organzaton of ths artcle s as follows: n Secton 2, we present the prelmnares of blnear parngs and the four secure attrbutes [11] n a key agreement protocols. In Secton 3, we revew the Mank et al. sremote user authentcaton scheme. In secton 4, we descrbe how ther scheme s easy to suffer from the mpersonaton attack. Fnally, a concluson s gven n Secton Blnear parngs In ths secton, we wll frst ntroduce the concepts of blnear parngs map under the assumpton that G 1 s an addtve cyclc group generated by P, whose order s a prme q, and G 2 s a multplcatve cyclc group of the same order. After that, the four secure attrbutes [11] n a sound authentcated key agreement protocol are descrbed. 2.1 Blnear parngs map A map e: G 1 G 1 G 2 s called a blnear map f t satsfes the followng propertes: 1. Blnear: e(ap, bq =e(p,q ab for all P, Q G 1 and a, b Z * q. 2. Non-degenerate: there exst P, Q G 1 such that e(p,q Computable: there s an effcent algorthm to compute e(p; Q for all P, Q G Securty attrbutes In order to reach a hgher securty level, Wlson and Menezes [11] defned several securty attrbutes. We show these attrbutes n the followng. Here, we assume A and B are two honest enttes. 1. Known-Key Securty In each round of key agreement protocol, A and B should generate a unque sesson key. Each sesson key generated n one protocol round s ndependent and should not be exposed f other sesson keys are compromsed. 2. Forward Secrecy The forward secrecy property s that f A and B scurrent sesson key are compromsed, the sesson keys used n the past should not be recovered. 3. Key-Compromse Impersonaton (KCI attack A protocol whch s secure aganst the KCI atack means that f A s long-term secret key s compromsed, the adversary who knows the value can not mpersonate others to A. 4. Unknown Key-Share attack After the protocol, A beleves he shares a key wth B, but B mstakenly beleves that the key s nstead shared wth an adversary. Therefore, a sound authentcated key agreement protocol should prevent the unknown key-share stuaton. 2

3 3. Revew of Mank et al. sremote user authentcaton scheme Mank et al. scheme has three manly phases, the setup phase, the regstraton phase, and the authentcaton phase. 3.1 Setup phase Let G 1 be an addtve cyclc group of a prme order q, G 2 be a multplcatve cyclc group of the same order, and P be a generator of G1. Defne e :( G 1 G 1 G 2 to be a blnear mappng and H: {0,1} * G 1 be a cryptographc hash functon. Suppose the remote system ( selects a secret key s and computes hs publc key as Pub =sp. Then, the publshes the system parameters (G 1, G 2, e, q, P, Pub, H and keeps s secret. 3.2 Regstraton phase Ths phase s executed by the followng steps when a new user U wants to regster wth the. Step1. U submts hs dentty and password PW to the. Step2. On recevng the regstraton request, the computes Reg = sh(id + H(PW. Step3. The personalzes a smart card wth the parameters, Reg, H( and sends the smart card to U over a secure channel. 3.3 Authentcaton phase Ths phase wll be executed whenever a user wants to log nto the. We descrbe t as follows and also delneate t n fgure 1. a. logn Suppose the of user U s stored n the smartcard and U wants to logn to the remote system, then the smart card wll process the logn operaton after U has nserted the smart card and nputted the and PW to the termnal. For example, the smart card wll compute D = T Reg and V = T H (PW, where T s the user system s tmestamp. After that, termnal wll send the logn request <, D, V, T> to the over the publc channel. b. verfcaton After recevng the logn message <, D, V, T>, wll perform the 3

4 followng operatons to verfy t. Step1. Verfy the valdty of the tme nterval between T * and T. If (T * - T T, then goes to step2 else reects. Here T denotes the tme delay whch s n the tolerable range by both the user and. Step2. Checks to see whether e(d, P = e(h(,pub T holds, f t holds, accepts the logn request; otherwse, t reects. The deducton process s as follows: e (D, P = e(t Reg -V, P = e((t(s H( +H(PW -T H (PW, P = e(s H(, P T = e(h(, Pub T The protocol s also shown below n Fgure1: Regstraton phase user a. ID PW Reg = sh(id + H(PW. b. ID Reg H( Authentcaton phase 1.logn user 1. ID, DID, V, T where DID T Reg and V T H ( PW ID, 2.verfcaton 2. Checks hold or not e ( DID V, P e ( H ( ID, Pub T Fgure1. Both of the regstraton and authentcaton phase nmank et al. scheme 3.4 Password change phase Ths phase allows U to change hs password freely. He can easly change hs password wthout takng any assstance from the. Ths phase can be descrbed as follows: Step1. U frst nputs hs correct and PW, and then he submt a newly selected password PW * to the smart card. Step2. The smart card then does the computaton as follows: Reg * = Reg -H(PW + H(PW * = sh(id + H(PW *. ID Thus, the password can be changed to PW * and the smart card wll replace the 4

5 prevously stored Reg by Reg * ID. 4. Our attack In ths secton we wll analyze the protocol proposed by Mank et al. under the assumpton that an adversary X wants to mpersonate a legal regstered user U to. After analyzng, we fnd that the protocol s not secure as they clamed. We descrbe our cryptanalyss as follows. Step1. X can record any logn message <, D, V, T >, sent by U who had ever logged nto. And then computes as follows: D = T Reg -T H (PW. = T [s H( +H(PW ]-T H(PW = T s H( Step2. X can pck a random tmestamp T and computest H(PW, where PW X s randomly selected password not confrmed by. Step3. X computes hs DID and V as follows. DID = T ( D +T T H(PW V = T T s H( + T T H(PW, and = T T H(PW, respectvely. Then X computes:( Let T T = T. DID -V = T Reg -T H (PW = {T [s H( + H(PW ]}-T H (PW = T s H(. Step4. At alater tme T, when X wants to launch an attack, he can use ths forged message <, DID, V, T >to masquerade as U to. Because doesn t store the ID and PW of a specfc user. And t s verfcaton depends only on checkng whether e(did -V, P = e(h(, Pub T " holds. If ths equaton holds, wll accept the forged logn message. Clearly, t can be seem that ths verfcaton equaton holds. Snce we already deduce (DID -V to be T s H( n Step3. As a result, X can easly mpersonate any vald user, for example, he wants by our method. We show our attack n fguare2. s 5

6 vald user ID, DID, V, T Recorded by X X DID V where T" T T' ID, DID, V, T " T" H(PW T" S H(ID T" H(PW Fguare2. Our attack 5. Our mprovement The man problem n ther scheme can be easly seen. It s that the value of V can be cancelled out from D and T s H( remans after ths cancellaton. Thus, we must prevent ths stuaton to occur. To remedy ths problem, the verfcaton equaton should be modfed to e(d, P = e(t s H( + V, P. 6. Conclusons In ths paper, we have shown that Mank et al. sscheme s vulnerable to the mpersonate attack. We have also proposed the resolvable soluton n Secton 5. References [1]G.Frey, H. Ruck, A remark concernng m-dvsblty and the dscrete logarthm n the dvsor class group of curves, Mathematcs of Computaton 62 ( [2] A.Menezes, T.Okamoto, S.Vanston, Reducng ellptc curve logarthms to logarthms n a fnte feld, IEEE Transacton on Informaton Theory 39 ( [3] Dffe, W., Hellman, M., New drectons n cryptography. IEEE Transactons on Informaton Theory 22 (6, [4] R.L. Rvest, A. Shamr, L. Adelman, A method for obtanng dgtal sgnature and publc key cryptosystem, Comm. ACM 21 (2 ( [5] A. Fat, A. Shamr, How to prove yourself: practcal solutons to dentfcaton and sgnature problems, n: A.M. Odlyzko (Ed., Advances n Cryptology, Proceedngs of CRYPTO_86, 1986, Santa Barbara, CA, USA, Lecture Notes n Computer Scence, vol. 263, Sprnger, New York, [6] Shamr, Identty based cryptosystems & sgnature schemes, Advances n Cryptology, CRYPTO 84, Lecture Notes-Computer Scence, 1984, pp [7] A. Joux, A one round protocol for trpartte Dffe Hellman, n: Proceedngs of Algorthmc Number Theory Symposum Lecture Notes n Computer Scence, vol. 1838, Sprnger-Verlag, Berln, 2000, pp [8] D. Boneh, M. Frankln, Identty-based encrypton from the Wel parng, n: Advances n Cryptology Crypto_01, LNCS 2139, Sprnger-Verlag, 2001, pp [9] N.P. Smart, An dentty based authentcaton key agreement protocol based on parng, Electron. Lett. 38 ( [10] K.G. Paterson, ID-based sgnature from parngs on ellptc curves, Electron. Lett. 38 (18(2002,

7 [11] S. B. Wlson, and A. Menezes, Authentcated Dfe-Hellman key agreement protocols, Proceedngs of the 5th Annual Workshop on Selected Areas n Cryptography (SAC 98, Lecture Notes n Computer Scence, pp , [12] M. L. Das, and A. Saxena, A novel remote user authentcaton scheme usng blnear parngs Computers & Securty,