Computer and Information Security 期末報告 學號 姓名 莊玉麟

Attacks on the (enhanced) Yang-Shieh authentication Author: Ke-Fei Chen, Sheng Zhong Source: Computers and Security, Volume: 22, Issue: 8, December, 2003, pp Speaker: Yu-Lin Chuang

Outline Yang-Shieh’s scheme(1999/12) Chan-Cheng’s attack(2002/1) Chen’s attack(2003/12) Conclusion

Yang-Shieh ’ s Scheme Registration phase : KIC (Key Information Center) 1. Generates primes p, q, and n=pq 2. ed=1 (mod (p-1)(q-1)), e is a prime and d is a int. 3. Find a primitive element g in GF(p) and GF(q) 4. S i =ID i d mod n 5. Generates CID i and h i =g PW i ×d mod n 6. Public: n, e, g ; only KIC know: p, q, d 7. Write n, e, g, ID i, CID i, S i, h i to smart card U i : user ID i : user’s identity PW i : chosen password

New user Ui submits IDi and PWi to KIC ID i, PW i Generate p, q, and n=pq Prime number e and an integer d ed=1(mod(p-1)(q-1)) Find an integer g in GF(p) and GF(q) User iKIC S i =ID i d mod n Generate CID i and computes h i =g PW i ×d mod n n, e, g, ID i, CID i, S i, h i Smart Card

Login phase : 1. Key in ID i and PW i 2. Generates a random number r i 3. M = {ID i, CID i, X i, Y i, n, e, g, T} X i =g r i ×PW i mod n Y i =S i × h i r i ×f(CID i,T) mod n Where T is the current time used as a timestamp and f(x,y) is a one-way hash function

Verify phase : 1. Verify ID i and CID i 2. Check T and T’ 3. Check Y i e mod n = ID i × X i f(CID i,T) mod n

Login and Verify phase Key in ID i and PW i ID i, CID i, X i, Y i, n, e, g, T Check ID i and CID i Check T and T’ Y i e mod n = ID i × X i f(CID i,T) mod n Smart cardRemote system Random number r i X i =g r i × PW i mod n Y i =S i × h i r i × f(CID i,T) mod n

Yang-Shieh ’ s Scheme Y i e mod n = ID i × X i f(CID i,T) mod n Y i = S i × h i r i × f(CID i,T) mod n = ID i d × g PW i × d × r i × f(CID i,T) mod n (S i = ID i d mod n, h i =g PW i × d mod n) X i =g r i × PW i mod n

Chan-Cheng’s attack ID f = Y i e mod n X f = Y i e mod n ID f, CID i, X f, Y f, n, e, g, T c Check ID f and CID i Check T c and T c ’ Y f e mod n = ID f × X f f(CID i,T c ) mod n Smart cardRemote system Y f =Y i × Y i f(CID i,T c ) mod n

Fan et al.’s attack Random number r, k ID f = r e mod n X f = k e mod n ID f, CID i, X f, Y f, n, e, g, T c Check ID f and CID i Check T c and T c ’ Y f e mod n = ID f × X f f(CID i,T c ) mod n Smart cardRemote system Y f = rk f(CID i,T c ) mod n

Fan et al. ’ s Improvement RSA should be 1024 bits ID i range between 1 and 2 27 － 1

Chen ’ s attacks If e < 27, choose X f =1, Y f =2, and ID f =Y f e Y f e = ID f × X f f(CID i,T) (mod n) ID f =2 e [1, 2 27 － 1]

Chen ’ s attacks (cont.) If e ≧ Pick a valid CID j at random 2. Extended Euclidean algorithm: gcd(e,f(CID j, T)) 3. If gcd(e,f(CID j, T))=1, let a × e + b × f(CID j,T) = 1, else go to step 1 4. Y f = ID i a mod n X f = ID i -b mod n M={ID i, CID j, X f, Y f, n, e, g, T}

Chen ’ s attacks (cont.) Y f e =ID i a × e (mod n) =ID i 1-b × f(CID j, T) (mod n) =ID i × (ID i -b ) f(CID j, T) (mod n) =ID i (X f ) f(CID j, T) (mod n) Y f = ID i a mod n X f = ID i -b mod n a×e + b×f(CID j, T) = 1

Conclusions Cannot fix the scheme by adding a simple restriction on the range of the smart card identifiers Pick T slightly ahead of the current time