
Page 1: An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices

An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices

Authors: Tsu-Yang Wu and Yuh-Min Tseng

Source: The Computer Journal (Published online on Sep. 2009)

doi:10.1093/comjnl/bxp083

Reporter: 陳德祐

Date: Jan 15, 2010

Page 2

Outline

Introduction
The proposed scheme
Security analysis
Comments

Page 3

Introduction

Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.

Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. In Cryptology ePrint Archive.

Forgery attack

Computational cost

Multi-server

Tseng, Y.-M., T.-Y. Wu and J.-D. Wu (2008). A pairing-based user authentication scheme for wireless clients with smart cards. Informatica: International Journal, 19(2), 285–302.

The proposed scheme: mutual authentication, session key

Page 4

Bilinear Pairings

Let G1, G2, GT be cyclic groups of the same order q.

G1, G2: additive groups

GT: a multiplicative group

Definition

A bilinear map e: G1 × G2 → GT satisfies:

1. Bilinear: e(aP, bQ) = e(P, Q)^(ab) for all (P, Q) ∈ G1 × G2 and (a, b) ∈ Zq* × Zq*

2. Non-degenerate: there exist P ∈ G1 and Q ∈ G2 such that e(P, Q) ≠ 1

3. Computability: there is an efficient algorithm to compute e(P, Q) for all (P, Q) ∈ G1 × G2

Page 5

Notations and System setup

S: a powerful server
C: a low-power computing client
e: a bilinear map, e: G1 × G2 → GT (G1 = G2), all groups of the same order q
IDC: the identity of the client C
DIDC: the private key of the client C
IDS: the identity of the server S
P: a generator of the group G1
s: the system private key in Zq*
Ppub: the system public key, Ppub = s · P
H1(): a one-way hash function, H1: {0,1}* × G1 → {0,1}^k
H2(): a map-to-point function, H2: {0,1}* → G1
Public parameters: {e, G1, GT, q, P, Ppub, H1, H2}

Page 6

Key extract phase

Client C → Server S: IDC

Server S: DIDC = s · H2(IDC) = s · QIDC

Server S → Client C: (DIDC, QIDC)

Page 7

Mutual authentication and key exchange phase

Client C:
r ∈R Zq*
U = r · QIDC
K1 = r · DIDC
h = H1(IDC, U)
V = (r+h) · DIDC

C → S: (IDC, U, V)

Server S:
QIDC = H2(IDC)
h = H1(IDC, U)
Check e(P, V) ?= e(Ppub, U + h · QIDC)
Acquiring a nonce N
K2 = s · U
Auth = H1(Ppub, IDC, N, U, V, K2)
SK = H1(Auth, N, U, V, K2)

S → C: (N, Auth)

Client C:
Check Auth ?= H1(Ppub, IDC, N, U, V, K1)
SK = H1(Auth, N, U, V, K1)

Verification of the server's check (using DIDC = s · H2(IDC) = s · QIDC):

e(P, V) = e(P, (r+h) · DIDC)
= e(P, (r+h) · s · QIDC)
= e(s · P, (r+h) · QIDC)
= e(Ppub, r · QIDC + h · QIDC)
= e(Ppub, U + h · QIDC)

Page 8

Security analysis and discussion

Secure against:

1. ID attack (Theorem 1)
2. Impersonation attack (Theorems 1 and 2)
3. Passive attack (Theorem 3)
4. Mutual authentication
   A. Client-to-server authentication (Theorem 1)
   B. Server-to-client authentication (Theorem 2)
5. Implicit key confirmation (Theorem 4, from Theorems 1, 2 and 3)
6. Partial forward secrecy (Theorem 5)

Discussion: Replay attack

Page 9

Theorem 1. In the random oracle model, if an adversary with a non-negligible advantage ε0 can violate the client-to-server authentication of the proposed protocol, then there exists a challenger C1 to solve the CDH problem. (Covers items 1 and 4A.)

Challenger C1: given (P, xP, yP), outputs xyP.

Setting: Ppub = xP, QIDC = H2(IDC) = yP

Attacker A outputs a valid message σ' = (IDC, U', V'), where h = H1(IDC, U).

Forking Lemma: A can generate two valid messages σ' = (IDC, U', V') and σ'' = (IDC, U', V'') with hash values h' and h'' for the same U'.

e(P, V') = e(Ppub, U' + h' · QIDC) = e(xP, U' + h' · yP) = e(P, x·U' + x·h'·yP), so V' = x·U' + xy·h'·P

e(P, V'') = e(Ppub, U' + h'' · QIDC) = e(xP, U' + h'' · yP) = e(P, x·U' + x·h''·yP), so V'' = x·U' + xy·h''·P

xyP = (V' − V'') / (h' − h'')

Page 10

Theorem 2. In the random oracle model, if an adversary A can violate the server-to-client authentication of the proposed protocol with a non-negligible advantage ε, then there exists a challenger C2 to solve the CDH problem with the advantage ε' ≥ ε − 1/2^k − qC^3/q^2, where qC is the maximum number of queries to the oracle of the client C.

Challenger C2: given (ryP, xP), outputs rxyP.

Setting: Ppub = xP, QIDC = H2(IDC) = yP, U' = r · QIDC = ryP

C2 → A: (U', Ppub)

A → C2: (N, Auth), where Auth = H1(Ppub, IDC, N, U', V, K2) and K2 = x · U' = x · r · QIDC = xryP

Page 11

Theorem 3. In the random oracle model, if an adversary A can guess the coin b involved in the Test query with a non-negligible advantage ε, then there exists a challenger C2 to solve the CDH problem.

Challenger C2: given (ryP, xP), outputs rxyP.

Setting: Ppub = xP, QIDC = H2(IDC) = yP, U' = r · QIDC = ryP

C2 → A: (U', Ppub)

Session key: K1 = r · DIDC = rxyP

Secure against the passive attack

Secure against the disclosure of the session key

Page 12

Theorem 4. In the random oracle model and under the CDH problem, the proposed protocol provides implicit key confirmation.

Proof. Implicit key confirmation: the client (server) is assured that the server (client) is able to compute the session key and that no one other than the client/server can compute it.

Theorems 1 and 2: the client C and the server S can authenticate each other in the random oracle model and under the CDH assumption.

Theorem 3: no one other than the client C and the server S can compute the session key SK.

Therefore, the proposed protocol provides implicit key confirmation.

Page 13: An ID-Based Mutual Authentication and Key Exchange Protocol for Low-Power Mobile Devices

Proof. The system private key s is corrupted all the previous session

keys can be recovered from the transcripts K2 = s ·U

Auth= H1(Ppub , IDC , N, U, V , K2)

SK= H1(Auth, N, U, V , K2)

The corruption of the client C (DIDC) cannot help to recover the previous session keys.

Therefore, the proposed protocol offers partial forward secrecy.

13

Theorem 5. In the random oracle model and under the CDH problem, the proposed protocol offers partial forward secrecy.

Page 14

Comparisons

(i) TGe: the time of executing a bilinear pairing operation e, e: G1 × G2 → GT
(ii) TGmul: the time of executing a scalar multiplication of a point
(iii) TGH: the time of executing a map-to-point hash function H2()
(iv) TGadd: the time of executing an addition of points
(v) TH: the time of executing a one-way hash function H1()
(vi) Texp: the time of executing a modular exponentiation
(vii) TMAC: the time of executing a message authentication code

Page 15

Mutual authentication and key exchange phase ~ replay attack

Client C:
r ∈R Zq*
U = r · QIDC
K1 = r · DIDC
h = H1(IDC, T, U)   (replaces h = H1(IDC, U))
V = (r+h) · DIDC

C → S: (IDC, T, U, V)   (replaces (IDC, U, V))

Server S:
Check T
QIDC = H2(IDC)
h = H1(IDC, T, U)   (replaces h = H1(IDC, U))
Check e(P, V) ?= e(Ppub, U + h · QIDC)
Acquiring a nonce N
K2 = s · U
Auth = H1(Ppub, IDC, N, U, V, K2)
SK = H1(Auth, N, U, V, K2)

S → C: (N, Auth)

Client C:
Check Auth ?= H1(Ppub, IDC, N, U, V, K1)
SK = H1(Auth, N, U, V, K1)

(Recall DIDC = s · H2(IDC) = s · QIDC.)
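The flow of pages 7 and 15 run end to end as a Python toy; this is an added example, not code from the paper. G1 = ⟨P⟩ is modelled by scalars mod q (x·P is stored as x), GT by the order-q subgroup of Z_p*, and e(aP, bP) = g^(ab) mod p, which is bilinear and non-degenerate but has trivial discrete logs, so it shows the algebra of the two checks and nothing about their hardness. The 30-second freshness window for T, the cache of accepted (IDC, T, U) used for "Check T", and SHA-256 standing in for H1 and H2 are assumptions of this example.

```python
import hashlib, secrets, time

# Toy parameters (constructed): q prime, p = 2q+1 prime, g of order q in Z_p*.
q, p, g = 1019, 2039, 4
P, s = 1, secrets.randbelow(q - 1) + 1   # generator P (stored as the scalar 1), system key s
Ppub = s * P % q                         # Ppub = s·P
WINDOW, seen = 30, set()                 # assumed freshness window (seconds); accepted (IDC,T,U)

def H1(*parts):                          # one-way hash H1, modelled with SHA-256 of the inputs
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")
def H2(idc):                             # map-to-point H2: identity -> nonzero element of G1
    return 1 + H1("H2", idc) % (q - 1)
def e(A, B):                             # toy pairing on scalars: e(aP, bP) = g^(ab) mod p
    return pow(g, A * B % q, p)
def extract(idc):                        # key extract phase: DIDC = s·H2(IDC) = s·QIDC
    return s * H2(idc) % q

def client_request(idc, DIDC, T):
    r = secrets.randbelow(q - 1) + 1     # r in Zq*
    U = r * H2(idc) % q                  # U = r·QIDC
    h = H1(idc, T, U) % q                # h = H1(IDC, T, U), the timestamped variant of page 15
    V = (r + h) * DIDC % q               # V = (r+h)·DIDC
    return (idc, T, U, V), r * DIDC % q  # message to S, and K1 = r·DIDC

def server_respond(msg, now):
    idc, T, U, V = msg
    if abs(now - T) > WINDOW or (idc, T, U) in seen:
        return None                      # stale or replayed request ("Check T")
    QIDC, h = H2(idc), H1(idc, T, U) % q
    if e(P, V) != e(Ppub, (U + h * QIDC) % q):
        return None                      # client-to-server authentication fails
    seen.add((idc, T, U))
    N, K2 = secrets.randbelow(q), s * U % q   # nonce N; K2 = s·U equals the client's K1
    Auth = H1(Ppub, idc, N, U, V, K2)
    return (N, Auth), H1(Auth, N, U, V, K2)  # reply to C, and the server's SK

def client_finish(msg, reply, K1):
    idc, T, U, V = msg
    N, Auth = reply
    if Auth != H1(Ppub, idc, N, U, V, K1):
        return None                      # server-to-client authentication fails
    return H1(Auth, N, U, V, K1)

def run(idc="client-001", replay=False): # True: both sides share SK; None: a check rejected
    T = int(time.time())
    msg, K1 = client_request(idc, extract(idc), T)
    out = server_respond(msg, T)
    if replay:                           # the same transcript offered to S a second time
        out = server_respond(msg, T)
    return None if out is None else client_finish(msg, out[0], K1) == out[1]
```

A replayed (IDC, T, U, V) still passes the pairing equation, so the rejection in run(replay=True) comes only from the server remembering what it has already accepted within the window.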

Page 16

Comments

Forward secrecy
Nonce-based
Explicit key confirmation
Multi-server environment