A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards
Authors: Yuh-Min TSENG, Tsu-Yang WU, Jui-Di WU
Source: Informatica: International Journal, Vol. 19, No. 2, pp. 285-302, 2008
Outline: Introduction; The Giri–Srivastava scheme; The proposed scheme; Conclusions; Comments
Introduction
Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189.
Forgery attack; computational cost; multi-server.
Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. Cryptology ePrint Archive.
The proposed scheme
Bilinear Pairings
Let G1, G2 be cyclic groups of the same order q. G1: an additive group E(Fp). G2: a multiplicative group. P: a generator of G1.
Definition: a bilinear map. Bilinear: Non-degenerate: Computability:
Notations
RS: a registration server
SS: a service server
Ui: a legal user
IDi: the identity of the user Ui
IDss: the identity of the service server SS
pwi: the password of the user Ui
P: a generator of the group G1
s: the master private key of the RS in Zq*
PRS: the public key of the RS, s.t. PRS = s · P
H1(): a one-way hash function {0,1}* → {0,1}^n
H2(): a map-to-point function {0,1}* → G1
T: a current time stamp
⊕: a simple XOR operation in G1
Framework
3 roles: Ui, SS, RS
4 phases: the registration phase, the login phase, the verification phase, the password change phase
The Giri–Srivastava Scheme
The Registration Phase Registration Server RS User Ui Smart card:
The login and verification phase User Ui Server Smart card: Choose r T ?
The Password Change Phase The smart card performs: Smart card:
The proposed scheme
The Registration Phase Registration Server RS User Ui (s.QIDi) Wi
The login and verification phase Regi Wi
The Password Change Phase The smart card performs: Smart card:
Security proof
Computational Diffie–Hellman (CDH) problem: given P, xP, yP ∈ G1, find xyP.
Computational Diffie–Hellman (CDH) assumption: no probabilistic polynomial-time algorithm can solve the CDH problem with non-negligible advantage.
Reduction: the challenger C receives a CDH instance (P, xP, yP) and sets PRS = xP and QIDi = H2(IDi) = yP. C answers the attacker A's H1( ) queries from a list L1 of pairs (τ, Rh), where τ = (IDi, IDSS, T, U). Login: rT, xT; U = rT · QIDi, V = (rT + h) · xT; the login message is σ = (IDi, IDSS, T, U, V).
Forking Lemma: A can generate two valid messages σ = (IDi, IDSS, T, U, V) and σ' = (IDi, IDSS, T, U, V') for the same U under two different hash answers h and h', from which C computes xyP = (V − V')/(h − h').
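The extractor step above, as an added example that is not part of the paper or the slides. It assumes, as the slide's equation xyP = (V − V')/(h − h') implies, that the smart card holds Regi = s · QIDi and that V = (r + h) · Regi; secp256k1 is used only as a stand-in additive group G1, and the scheme's pairing-based verification is not modelled.

```python
# Added example (not from the paper): the forking-lemma extractor of the proof.
# Assumed form (implied by xyP = (V - V')/(h - h') on the slide):
#   Reg_i = s*QIDi is held by the smart card and V = (r + h)*Reg_i, so two runs
#   with the same r but different oracle answers h != h' leak s*QIDi = xyP.
# secp256k1 is a stand-in additive group only; no pairing is computed here.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order q
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # P

def add(A, B):
    """Point addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0:
        return None                                   # A + (-A) = O
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P_MOD) % P_MOD
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return (x, (lam * (A[0] - x) - A[1]) % P_MOD)

def mul(k, A):
    """Scalar multiplication k*A by double-and-add; k is reduced mod q."""
    R, k = None, k % Q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def extract_cdh(V, h, V2, h2):
    """Extractor: xyP = (V - V')/(h - h'), i.e. (h - h')^-1 mod q times (V - V')."""
    diff = add(V, (V2[0], (-V2[1]) % P_MOD))          # V - V'
    return mul(pow((h - h2) % Q, -1, Q), diff)

def simulate_forking(x, y, r, h, h2):
    """C embeds (P, xP, yP): PRS = xP, QIDi = H2(IDi) = yP, hence Reg_i = x*QIDi = xyP.
    Returns (point recovered from the two forked runs, true xyP)."""
    QID = mul(y, GEN)
    REG = mul(x, QID)                  # s*QIDi with s = x, held by the smart card
    U = mul(r, QID)                    # the same U = r*QIDi appears in both runs
    V, V2 = mul(r + h, REG), mul(r + h2, REG)   # H1 answered h, then h', on tau
    return extract_cdh(V, h, V2, h2), mul(x * y, GEN)
```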
Discussions
Eviction mechanism: a black ID list or a positive list.
Clock synchronization problem: the smart card should acquire a time stamp or a random challenge from the server. This adds transmission between the user and the server, but it does not affect the computational cost required by the smart card.
Smart card security: poor reparability; insider attack.
Performance (1/2)
TGe: the time of executing the bilinear pairing operation e: G1 × G1 → G2
TGmul: the time for point scalar multiplication on the group G1
TGH: the time of executing the map-to-point hash function H2()
TGadd: the time for point addition on the group G1
TH: the time of executing the one-way hash function H1()
Tmul: the time for modular multiplication in Zq
Performance (2/2)
Conclusions: mutual authentication; session key establishment