Multimedia Network Security Laboratory
An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards
Author: JongHyup LEE
Source: Journal of Network and Computer Applications, Elsevier, 2011
Presenter: 陳鈺惠
Date: 2013/12/04
Outline
1. Introduction
2. Overview of Sood et al.'s scheme
3. Proposed scheme
4. Protocol analysis
5. Conclusion
1. Introduction
With the rapid development of the Internet and electronic commerce, many services such as online shopping and online games are provided over the Internet, and each of them must authenticate its users. The paper proposes an efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards, designed to remove the weaknesses of Sood et al.'s scheme reviewed in Section 2.
2. Overview of Sood et al.'s scheme: Notation
U_i      the i-th user
S_k      the k-th service providing server
CS       the control server
ID_i     the identity of user U_i
P_i      the password of user U_i
SID_k    the identity of server S_k
SK_k     the secret key shared between server S_k and CS
y_i      the random number chosen by CS for user U_i
x        the master secret key maintained by CS
b        a random number chosen by the user for registration
CID_i    the dynamic identity generated by user U_i for authentication
SK       the session key shared among the user, the service providing server and CS
N_i1     a random number generated by user U_i's smart card
N_i2     a random number generated by server S_k for user U_i
N_i3     a random number generated by CS for user U_i
h(·)     a one-way hash function
⊕        exclusive-OR operation
||       message concatenation
2. Overview of Sood et al.'s scheme (1/8): Registration phase
User registration (U_i and CS, secure channel):
  U_i chooses ID_i, P_i and a random number b, computes A_i = h(ID_i||b) and B_i = h(b ⊕ P_i), and sends (A_i, B_i) to CS.
  CS chooses a random y_i and computes F_i = A_i ⊕ y_i, G_i = B_i ⊕ h(y_i) ⊕ h(x) and C_i = A_i ⊕ h(y_i) ⊕ x. CS stores (C_i, y_i ⊕ x) in its verifier table and issues a smart card containing (F_i, G_i, h(·)).
  U_i computes D_i = b ⊕ h(ID_i||P_i) and E_i = h(ID_i||P_i) ⊕ P_i and writes them to the card, which now holds (D_i, E_i, F_i, G_i, h(·)).
Server registration (S_k and CS, secure channel):
  S_k registers its identity SID_k together with the server secret SK_k; CS stores (SID_k, SK_k ⊕ h(x||SID_k)).
2. Overview of Sood et al.'s scheme (2/8): Login phase
U_i inserts the smart card and enters ID_i* and P_i*. The card:
  computes E_i* = h(ID_i*||P_i*) ⊕ P_i* and checks E_i* = E_i;
  recovers b = D_i ⊕ h(ID_i||P_i), A_i = h(ID_i||b), B_i = h(b ⊕ P_i), y_i = F_i ⊕ A_i and h(x) = G_i ⊕ B_i ⊕ h(y_i);
  generates a random N_i1 and computes Z_i = h²(x) ⊕ N_i1, CID_i = A_i ⊕ h(y_i) ⊕ h(x) ⊕ N_i1 and M_i = h(h(x)||y_i||SID_k||N_i1);
  sends the login request (SID_k, Z_i, CID_i, M_i) to S_k.
2. Overview of Sood et al.'s scheme (3/8): Authentication and session key agreement phase
S_k generates a random N_i2, computes R_i = N_i2 ⊕ SK_k and forwards (SID_k, Z_i, CID_i, M_i, R_i) to CS.
CS computes N_i1 = Z_i ⊕ h²(x), N_i2 = R_i ⊕ SK_k and C_i* = CID_i ⊕ N_i1 ⊕ h(x) ⊕ x, checks C_i* = C_i against its verifier table and extracts y_i from the stored y_i ⊕ x. It then computes M_i* = h(h(x)||y_i||SID_k||N_i1) and checks M_i* = M_i.
CS generates a random N_i3 and computes
  K_i = N_i1 ⊕ N_i3 ⊕ h(SK_k||N_i2)
  X_i = h(ID_i||y_i||N_i1) ⊕ h(N_i1 ⊕ N_i2 ⊕ N_i3)
  V_i = h[h(N_i1 ⊕ N_i2 ⊕ N_i3)||h(ID_i||y_i||N_i1)]
  T_i = N_i2 ⊕ N_i3 ⊕ h(y_i||ID_i||h(x)||N_i1)
and sends (K_i, X_i, V_i, T_i) to S_k.
2. Overview of Sood et al.'s scheme (4/8): Authentication and session key agreement phase (continued)
S_k computes N_i1 ⊕ N_i3 = K_i ⊕ h(SK_k||N_i2) and h(ID_i||y_i||N_i1) = X_i ⊕ h(N_i1 ⊕ N_i2 ⊕ N_i3), then V_i* = h[h(N_i1 ⊕ N_i2 ⊕ N_i3)||h(ID_i||y_i||N_i1)], checks V_i* = V_i and forwards (V_i, T_i) to U_i.
U_i computes N_i2 ⊕ N_i3 = T_i ⊕ h(y_i||ID_i||h(x)||N_i1), then V_i* = h[h(N_i1 ⊕ N_i2 ⊕ N_i3)||h(ID_i||y_i||N_i1)] and checks V_i* = V_i.
All three parties now share the session key SK = h(h(ID_i||y_i||N_i1)||(N_i1 ⊕ N_i2 ⊕ N_i3)).
2. Overview of Sood et al.'s scheme (5/8): Leak-of-verifier attack
A legitimate user U_k holds a card (D_k, E_k, F_k, G_k, h(·)) and knows ID_k and P_k, so U_k can compute b_k = D_k ⊕ h(ID_k||P_k), A_k = h(ID_k||b_k), y_k = F_k ⊕ A_k, B_k = h(b_k ⊕ P_k) and h(x) = G_k ⊕ B_k ⊕ h(y_k). Every registered user therefore knows h(x) and his own y_k.
If the CS verifier table of (C_i, y_i ⊕ x) entries leaks, U_k recovers the master secret x = (y_k ⊕ x) ⊕ y_k from his own entry. For any other user U_i, U_k then obtains y_i = (y_i ⊕ x) ⊕ x and A_i = C_i ⊕ h(y_i) ⊕ x (since C_i = A_i ⊕ h(y_i) ⊕ x). With A_i, y_i and h(x), U_k can log in as U_i.
2. Overview of Sood et al.'s scheme (6/8): Leak-of-verifier attack (continued)
U_k chooses a random N'_i1 and computes CID'_i = A_i ⊕ h(y_i) ⊕ h(x) ⊕ N'_i1, M'_i = h(h(x)||y_i||SID_j||N'_i1) and Z'_i = h²(x) ⊕ N'_i1, then submits the login request (SID_j, Z'_i, CID'_i, M'_i) to S_j.
S_j chooses a random N'_i2, computes R_i = N'_i2 ⊕ SK_j and forwards the request to CS.
CS computes N'_i1 = Z'_i ⊕ h²(x), N'_i2 = R_i ⊕ SK_j and C_i* = CID'_i ⊕ N'_i1 ⊕ h(x) ⊕ x = A_i ⊕ h(y_i) ⊕ x = C_i, which matches the stored entry of U_i, and then M_i* = h(h(x)||y_i||SID_j||N'_i1) = M'_i, which also matches. CS therefore accepts U_k as U_i, using nothing more than the leaked (C_i, y_i ⊕ x).
2. Overview of Sood et al.'s scheme (7/8): Stolen smart card attack
Suppose U_k (who knows h(x), as shown above) has eavesdropped a previous valid login request (SID_j, Z_i, CID_i, M_i) of U_i and later obtains U_i's smart card.
From the eavesdropped request: N_i1 = Z_i ⊕ h²(x) and A_i ⊕ h(y_i) = CID_i ⊕ N_i1 ⊕ h(x).
From the card contents (D_i, E_i, F_i, G_i, h(·)): b_i ⊕ P_i = D_i ⊕ E_i, hence B_i = h(b_i ⊕ P_i) and h(y_i) = G_i ⊕ B_i ⊕ h(x).
Combining the two: A_i = (A_i ⊕ h(y_i)) ⊕ h(y_i) and y_i = F_i ⊕ A_i.
U_k now holds A_i, y_i and h(x), which is enough to impersonate U_i without ever learning ID_i or P_i.
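The two attacks on slides 5/8 to 7/8 are easy to check mechanically. The following is an added example, not code from the paper: it implements Sood et al.'s registration, login and CS-side verification exactly as the slides state them, then runs the leak-of-verifier attack (an insider U_k who obtains the verifier table) and the stolen-smart-card attack (an insider who knows h(x), holds U_i's card and saw one login of U_i). SHA-256 stands in for h(·), every XORed value is 32 bytes, and the identities, passwords and server name are constructed test values.

```python
"""Sood et al.'s scheme as shown on the slides, then the two attacks the slides
walk through.  Added example, not code from the paper.  SHA-256 stands in for
h(.); every value the scheme XORs is 32 bytes, so the constructed test identities
and passwords are hashed to that length first."""
import hashlib
import os

L = 32  # length of h(.) output and of every XORed value, in bytes


def h(*parts):
    """One-way hash of the concatenation a||b||..."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    assert len(a) == len(b) == L
    return bytes(p ^ q for p, q in zip(a, b))


class ControlServer:
    def __init__(self):
        self.x = os.urandom(L)  # master secret key x
        self.users = {}         # verifier table: C_i -> y_i ⊕ x
        self.servers = {}       # SID_k -> SK_k ⊕ h(x||SID_k)

    def register_user(self, A_i, B_i):
        y_i = os.urandom(L)
        self.users[xor(xor(A_i, h(y_i)), self.x)] = xor(y_i, self.x)   # (C_i, y_i ⊕ x)
        return xor(A_i, y_i), xor(xor(B_i, h(y_i)), h(self.x))          # F_i, G_i for the card

    def register_server(self, SID_k):
        SK_k = os.urandom(L)
        self.servers[SID_k] = xor(SK_k, h(self.x, SID_k))
        return SK_k

    def authenticate(self, SID_k, Z_i, CID_i, M_i, R_i):
        """CS side of the authentication phase; True iff the login is accepted.
        (The session-key messages that follow acceptance are not needed for the attacks.)"""
        hx = h(self.x)
        N_i1 = xor(Z_i, h(hx))                                 # Z_i = h^2(x) ⊕ N_i1
        N_i2 = xor(R_i, xor(self.servers[SID_k], h(self.x, SID_k)))
        C_i = xor(xor(xor(CID_i, N_i1), hx), self.x)           # C_i* = CID_i ⊕ N_i1 ⊕ h(x) ⊕ x
        if C_i not in self.users:
            return False
        y_i = xor(self.users[C_i], self.x)                     # "extracts y_i" from y_i ⊕ x
        return M_i == h(hx, y_i, SID_k, N_i1)


def register_user(cs, ID_i, P_i):
    """U_i's side of registration; returns the smart card (D_i, E_i, F_i, G_i)."""
    b = os.urandom(L)
    F_i, G_i = cs.register_user(h(ID_i, b), h(xor(b, P_i)))
    return {"D": xor(b, h(ID_i, P_i)), "E": xor(h(ID_i, P_i), P_i), "F": F_i, "G": G_i}


def card_secrets(card, ID, P):
    """What the card recomputes from (ID, P) at login: A_i, y_i and h(x)."""
    b = xor(card["D"], h(ID, P))
    A, B = h(ID, b), h(xor(b, P))
    y = xor(card["F"], A)
    return A, y, xor(xor(card["G"], B), h(y))


def login_request(A_i, y_i, hx, SID_k):
    """Login request (SID_k, Z_i, CID_i, M_i); anyone holding (A_i, y_i, h(x)) can build one."""
    N_i1 = os.urandom(L)
    CID_i = xor(xor(xor(A_i, h(y_i)), hx), N_i1)
    return SID_k, xor(h(hx), N_i1), CID_i, h(hx, y_i, SID_k, N_i1)


def leak_of_verifier_attack(table, attacker_card, ID_k, P_k):
    """Insider U_k plus the leaked (C, y ⊕ x) table: recover x, then every user's (A_i, y_i, h(x))."""
    A_k, y_k, hx = card_secrets(attacker_card, ID_k, P_k)
    # U_k's own row is the one whose (y ⊕ x) ⊕ y_k yields an x consistent with C_k = A_k ⊕ h(y_k) ⊕ x
    x = next(xor(yx, y_k) for C, yx in table.items() if C == xor(xor(A_k, h(y_k)), xor(yx, y_k)))
    victims = {}
    for C_i, yx in table.items():
        y_i = xor(yx, x)
        victims[C_i] = (xor(xor(C_i, h(y_i)), x), y_i, hx)   # A_i = C_i ⊕ h(y_i) ⊕ x
    return x, victims


def stolen_card_attack(victim_card, hx, eavesdropped):
    """Insider who knows h(x), holds U_i's card and saw one login of U_i: recover A_i and y_i."""
    SID_k, Z_i, CID_i, M_i = eavesdropped
    N_i1 = xor(Z_i, h(hx))
    A_xor_hy = xor(xor(CID_i, N_i1), hx)                      # CID_i ⊕ N_i1 ⊕ h(x) = A_i ⊕ h(y_i)
    B_i = h(xor(victim_card["D"], victim_card["E"]))          # D_i ⊕ E_i = b ⊕ P_i
    A_i = xor(A_xor_hy, xor(xor(victim_card["G"], B_i), hx))  # h(y_i) = G_i ⊕ B_i ⊕ h(x)
    return A_i, xor(victim_card["F"], A_i), hx                # y_i = F_i ⊕ A_i


def run_demo():
    """Legitimate login, then both attacks against a fresh CS; returns what the CS accepted."""
    cs = ControlServer()
    SID = h(b"server-1")                                       # constructed server identity
    SK = cs.register_server(SID)
    ID_i, P_i = h(b"alice"), h(b"alice-password")              # constructed victim
    ID_k, P_k = h(b"mallory"), h(b"mallory-password")          # constructed insider
    card_i, card_k = register_user(cs, ID_i, P_i), register_user(cs, ID_k, P_k)
    secrets_i, secrets_k = card_secrets(card_i, ID_i, P_i), card_secrets(card_k, ID_k, P_k)

    def try_login(A, y, hx):
        SID_k, Z, CID, M = login_request(A, y, hx, SID)
        return cs.authenticate(SID_k, Z, CID, M, xor(os.urandom(L), SK))  # S_k adds R_i = N_i2 ⊕ SK_k

    x, victims = leak_of_verifier_attack(dict(cs.users), card_k, ID_k, P_k)
    victim = next(v for v in victims.values() if v[0] != secrets_k[0])    # any row that is not U_k's
    via_card = stolen_card_attack(card_i, secrets_k[2], login_request(*secrets_i, SID))
    return {"legit": try_login(*secrets_i), "x_recovered": x == cs.x,
            "table_secrets_match": victim == secrets_i, "via_table": try_login(*victim),
            "card_secrets_match": via_card == secrets_i, "via_card": try_login(*via_card)}
```

The root cause both attacks share is visible in `card_secrets`: every card yields h(x), a value that is the same for all users and that CS treats as part of the authenticator, so one registered user plus one leaked artifact (the verifier table, or another user's card and one captured login) is enough to impersonate anyone.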
2. Overview of Sood et al.'s scheme (8/8): Incorrect authentication and session key agreement phase
In the registration phase U_i submits A_i and B_i, not its true identity ID_i, to CS, so CS never learns ID_i. Yet in step 4 of the authentication phase CS is required to compute
  X_i = h(ID_i||y_i||N_i1) ⊕ h(N_i1 ⊕ N_i2 ⊕ N_i3)
  V_i = h[h(N_i1 ⊕ N_i2 ⊕ N_i3)||h(ID_i||y_i||N_i1)]
  T_i = N_i2 ⊕ N_i3 ⊕ h(y_i||ID_i||h(x)||N_i1)
all of which depend on ID_i. The phase therefore cannot be carried out as specified.
3. Proposed scheme: Notation
U_i      the i-th user
S_j      the j-th service providing server
CS       the control server
ID_i     the identity of user U_i
P_i      the password of user U_i
SID_j    the identity of server S_j
x        the master secret key maintained by CS
y        a secret number maintained by CS; only hashed forms of it (h(y), h(y||x), h(x||y), h(SID_j||y)) leave CS
b        a random number chosen by the user for registration
CID_i    the dynamic identity generated by user U_i for authentication
SK       the session key shared among the user, the service providing server and CS
N_i1     a random number generated by user U_i's smart card
N_i2     a random number generated by server S_j for user U_i
N_i3     a random number generated by CS for user U_i
h(·)     a one-way hash function
⊕        exclusive-OR operation
||       message concatenation
3. Proposed scheme (1/4): Registration phase
U_i chooses ID_i, P_i and a random number b, computes A_i = h(b||P_i) and sends (ID_i, A_i) to CS over a secure channel.
CS computes B_i = h(ID_i||x), C_i = h(ID_i||h(y)||A_i), D_i = B_i ⊕ h(ID_i||A_i) and E_i = B_i ⊕ h(y||x), and issues a smart card containing (C_i, D_i, E_i, h(·), h(y)).
U_i enters b into the smart card, which then stores (C_i, D_i, E_i, h(·), h(y), b). Note that CS keeps no per-user verifier table: nothing about U_i is stored on the CS side.
3. Proposed scheme (2/4): Login phase
U_i inserts the smart card and inputs ID_i and P_i. The card:
  computes A_i = h(b||P_i) and C_i' = h(ID_i||h(y)||A_i) and checks C_i' = C_i (a wrong ID_i or P_i is rejected locally);
  generates a random N_i1 and computes B_i = D_i ⊕ h(ID_i||A_i), F_i = h(y) ⊕ N_i1, P_ij = E_i ⊕ h(h(y)||N_i1||SID_j), CID_i = A_i ⊕ h(B_i||F_i||N_i1) and G_i = h(B_i||A_i||N_i1);
  sends the login request (F_i, G_i, P_ij, CID_i) to S_j.
3. Proposed scheme (3/4): Authentication and session key agreement phase
S_j chooses a random N_i2, computes K_i = h(SID_j||y) ⊕ N_i2 and M_i = h(h(x||y)||N_i2), and forwards (F_i, G_i, P_ij, CID_i, SID_j, K_i, M_i) to CS.
CS first authenticates S_j: N_i2 = K_i ⊕ h(SID_j||y), M_i' = h(h(x||y)||N_i2), check M_i' = M_i.
CS then authenticates U_i: N_i1 = F_i ⊕ h(y), B_i = P_ij ⊕ h(h(y)||N_i1||SID_j) ⊕ h(y||x), A_i = CID_i ⊕ h(B_i||F_i||N_i1), G_i' = h(B_i||A_i||N_i1), check G_i' = G_i.
CS generates a random N_i3 and computes
  Q_i = N_i1 ⊕ N_i3 ⊕ h(SID_j||N_i2)
  R_i = h(A_i||B_i) ⊕ h(N_i1 ⊕ N_i2 ⊕ N_i3)
  V_i = h(h(A_i||B_i)||h(N_i1 ⊕ N_i2 ⊕ N_i3))
  T_i = N_i2 ⊕ N_i3 ⊕ h(A_i||B_i||N_i1)
and sends (Q_i, R_i, V_i, T_i) to S_j.
3. Proposed scheme (4/4): Authentication and session key agreement phase (continued)
S_j receives (Q_i, R_i, V_i, T_i), computes N_i1 ⊕ N_i3 = Q_i ⊕ h(SID_j||N_i2), adds its own N_i2 to obtain N_i1 ⊕ N_i2 ⊕ N_i3, recovers h(A_i||B_i) = R_i ⊕ h(N_i1 ⊕ N_i2 ⊕ N_i3), computes V_i' = h(h(A_i||B_i)||h(N_i1 ⊕ N_i2 ⊕ N_i3)) and checks V_i' = V_i. S_j then forwards (V_i, T_i) to U_i.
U_i computes N_i2 ⊕ N_i3 = T_i ⊕ h(A_i||B_i||N_i1), adds its own N_i1 to obtain N_i1 ⊕ N_i2 ⊕ N_i3, computes V_i' = h(h(A_i||B_i)||h(N_i1 ⊕ N_i2 ⊕ N_i3)) and checks V_i' = V_i.
All three parties now share the session key SK = h(h(A_i||B_i)||(N_i1 ⊕ N_i2 ⊕ N_i3)).
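The four phases on slides 1/4 to 4/4 can be run end to end to confirm that U_i, S_j and CS really end up with the same SK and that a modified login request is rejected. The following is an added example, not the paper's code. It uses SHA-256 for h(·) and 32-byte values throughout; the server registration step is not spelled out on the slides, so it is assumed here that CS hands S_j the two values the slides show S_j using, h(SID_j||y) and h(x||y). Identities, password and server name are constructed test values.

```python
"""The proposed scheme from the slides, run end to end between U_i, S_j and CS.
Added example, not the paper's code.  SHA-256 stands in for h(.), every XORed
value is 32 bytes, and server registration (CS giving S_j the values h(SID_j||y)
and h(x||y) that the slides show S_j using) is an assumption."""
import hashlib
import os

L = 32


def h(*parts):
    """One-way hash of the concatenation a||b||..."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    assert len(a) == len(b) == L
    return bytes(p ^ q for p, q in zip(a, b))


class ControlServer:
    def __init__(self):
        self.x, self.y = os.urandom(L), os.urandom(L)   # master secret x, secret number y

    def register_server(self, SID_j):
        return h(SID_j, self.y), h(self.x, self.y)      # assumed: what S_j receives at registration

    def register_user(self, ID_i, A_i):
        """Registration: U_i sends (ID_i, A_i); returns the smart card contents. Nothing is stored."""
        B_i = h(ID_i, self.x)
        return {"C": h(ID_i, h(self.y), A_i), "D": xor(B_i, h(ID_i, A_i)),
                "E": xor(B_i, h(self.y, self.x)), "hy": h(self.y)}

    def authenticate(self, F_i, G_i, P_ij, CID_i, SID_j, K_i, M_i):
        """Authentication at CS: verify S_j, then U_i; returns ((Q_i, R_i, V_i, T_i), SK) or None."""
        N_i2 = xor(K_i, h(SID_j, self.y))
        if M_i != h(h(self.x, self.y), N_i2):
            return None                                                  # S_j failed
        N_i1 = xor(F_i, h(self.y))
        B_i = xor(xor(P_ij, h(h(self.y), N_i1, SID_j)), h(self.y, self.x))
        A_i = xor(CID_i, h(B_i, F_i, N_i1))
        if G_i != h(B_i, A_i, N_i1):
            return None                                                  # U_i failed
        N_i3 = os.urandom(L)
        n, hab = xor(xor(N_i1, N_i2), N_i3), h(A_i, B_i)                 # N_i1 ⊕ N_i2 ⊕ N_i3, h(A_i||B_i)
        reply = (xor(xor(N_i1, N_i3), h(SID_j, N_i2)), xor(hab, h(n)),   # Q_i, R_i
                 h(hab, h(n)), xor(xor(N_i2, N_i3), h(A_i, B_i, N_i1)))  # V_i, T_i
        return reply, h(hab, n)                                          # SK


class Server:
    def __init__(self, cs, SID_j):
        self.SID = SID_j
        self.h_sid_y, self.h_xy = cs.register_server(SID_j)

    def forward(self, F_i, G_i, P_ij, CID_i):
        self.N_i2 = os.urandom(L)
        return (F_i, G_i, P_ij, CID_i, self.SID,
                xor(self.h_sid_y, self.N_i2), h(self.h_xy, self.N_i2))  # appends K_i, M_i

    def finish(self, Q_i, R_i, V_i, T_i):
        n = xor(xor(Q_i, h(self.SID, self.N_i2)), self.N_i2)   # (N_i1 ⊕ N_i3) ⊕ N_i2
        hab = xor(R_i, h(n))
        if V_i != h(hab, h(n)):
            raise ValueError("CS reply failed the V_i check")
        return h(hab, n), (V_i, T_i)                            # SK, and the message for U_i


class User:
    def __init__(self, cs, ID_i, P_i):
        self.ID, self.P, b = ID_i, P_i, os.urandom(L)
        self.card = cs.register_user(ID_i, h(b, P_i))
        self.card["b"] = b                                      # U_i enters b into the card

    def login(self, SID_j):
        c, A_i = self.card, h(self.card["b"], self.P)
        if h(self.ID, c["hy"], A_i) != c["C"]:
            raise ValueError("wrong ID_i or P_i")               # rejected on the card, offline
        N_i1 = os.urandom(L)
        B_i, F_i = xor(c["D"], h(self.ID, A_i)), xor(c["hy"], N_i1)
        self.state = (A_i, B_i, N_i1)
        return (F_i, h(B_i, A_i, N_i1), xor(c["E"], h(c["hy"], N_i1, SID_j)),
                xor(A_i, h(B_i, F_i, N_i1)))                    # F_i, G_i, P_ij, CID_i

    def finish(self, V_i, T_i):
        A_i, B_i, N_i1 = self.state
        n, hab = xor(xor(T_i, h(A_i, B_i, N_i1)), N_i1), h(A_i, B_i)
        if V_i != h(hab, h(n)):
            raise ValueError("server reply failed the V_i check")
        return h(hab, n)


def run_protocol(tamper=False):
    """One full run; returns the SK each party derived, or None when CS rejects the login.
    With tamper=True one byte of CID_i is flipped in transit, as an active attacker might do."""
    cs = ControlServer()
    srv, user = Server(cs, h(b"server-1")), User(cs, h(b"alice"), h(b"alice-password"))
    F_i, G_i, P_ij, CID_i = user.login(srv.SID)
    if tamper:
        CID_i = bytes([CID_i[0] ^ 1]) + CID_i[1:]
    result = cs.authenticate(*srv.forward(F_i, G_i, P_ij, CID_i))
    if result is None:
        return None
    reply, sk_cs = result
    sk_srv, (V_i, T_i) = srv.finish(*reply)
    return {"user": user.finish(V_i, T_i), "server": sk_srv, "cs": sk_cs}
```

Two points worth noticing when reading the run: CS reconstructs B_i from P_ij rather than from a stored record, so the weakness exploited by the leak-of-verifier attack on Sood et al.'s scheme has no counterpart here, and the only value common to all cards is h(y), which by itself lets an attacker recover N_i1 from F_i but not A_i or B_i.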
4. Protocol analysis
5. Conclusion
The proposed protocol satisfies the essential requirements for authentication in a multi-server architecture. Compared with Sood et al.'s (2011) protocol and other related protocols, it keeps the same level of efficiency while resisting the attacks described in Section 2, and is therefore better suited to practical applications.