1 Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 ) Advisor: Chin-Chen Chang 1, 2 Student: Ya-Fen.


Slide 1: Authentication and Digital Signature Schemes and Their Applications to E-commerce ( 身份認證與數位簽章技術及其在電子商務上的應用 )
Advisor: Chin-Chen Chang 1, 2
Student: Ya-Fen Chang 2
1 Dept. of Information Engineering and Computer Science, Feng Chia University
2 Dept. of Computer Science and Information Engineering, National Chung Cheng University

Slide 2: Outline
1. Introduction
2. Password Authentication Without the Server Public Key
3. Password Authenticated Key Exchange for Imbalanced Wireless Network
4. Digital Signature without One-way Hash Function
5. Anonymous Auction Protocols
6. Conclusions

Slide 3: 1. Introduction (1/4)
Authentication
- Establishing the validity of a transmission, message, or originator
- Verifying an individual's authorization to receive specific categories of information

Slide 4: 1. Introduction (2/4)
Authentication Schemes
- Something you know → password, PIN, the public key, …
- Something you have → IC card (smartcard or memory card), …
- Something you are → fingerprint, hand geometry, voiceprint, retinal, …

Slide 5: 1. Introduction (3/4)
Authentication Schemes
- Without the public key → password, PIN, IC card, fingerprint, hand geometry, voiceprint, etc.
- Without the verification table → IC card and the public key
- With special devices → fingerprint, hand geometry, voiceprint, retinal, …

Slide 6: 1. Introduction (4/4)
Digital Signature
- Origin authentication
- Data integrity
- Signer nonrepudiation

Slide 7: 2. Password Authentication Without the Server Public Key (1/7)
2002, Hwang and Yeh's Protected Password Transmission and Change Schemes
- Using the public key systems
- Suffering from the denial-of-service attack

Slide 8: 2. Password Authentication Without the Server Public Key (2/7)
Notation: Description
PW: the password shared between the user U and the server S
PKS: the server S's public key
ID: the user U's identity
$H(\cdot)$: cryptographic hash function
flow[i]: the information transmitted in the i-th round
r1/r2: random nonce generated by U/S
$\oplus$: XOR operation
$E_{pk}(m)$: an asymmetric cryptosystem encrypting m with the public key pk
$E1_{pw}(m)$: a symmetric cryptosystem encrypting m with a password pw
$E2_{k}(m)$: a symmetric cryptosystem encrypting m with a secret key k
g: a primitive element in GF(p), where p is a large prime

Slide 9: 2.1 Hwang and Yeh's Protected Password Transmission Scheme (3/7)
S stores H(PW).
1. U → S: ID, $E_{PKS}(r1, PW)$
2. S → U: $r1 \oplus r2$, $H(r2)$
3. U → S: ID, $H(r1, r2)$
4. S → U: Access granted or denied

Slide 10: 2.2 Hwang and Yeh's Protected Password Change Scheme (4/7)
S stores H(PW).
1. U → S: ID, $E_{PKS}(r1, PW)$
2. S → U: $r1 \oplus r2$, $H(r2)$
U: Choose PW; $R = H(PW) \oplus H(r1+1, r2)$
3. U → S: ID, $H(r1, r2)$, R
S: $H(PW) = R \oplus H(r1+1, r2)$; Update H(PW)
4. S → U: Access granted or denied

Slide 11: 2.3 Our Protected Password Transmission Scheme (5/7)
S stores PW.
1. U → S: ID, $E1_{PW}(g^{r1} \bmod p)$
S: $SK = (g^{r1})^{r2} \bmod p$
2. S → U: $E1_{PW}(g^{r2} \bmod p)$, $E2_{SK}(H(flow[1]))$
U: $SK = (g^{r2})^{r1} \bmod p$
3. U → S: ID, $E2_{SK}(H(flow[2]))$
4. S → U: Access granted or denied

Slide 12: 2.4 Our Protected Password Change Scheme (6/7)
S stores PW.
1. U → S: ID, $E1_{PW}(g^{r1} \bmod p)$
S: $SK = (g^{r1})^{r2} \bmod p$
2. S → U: $E1_{PW}(g^{r2} \bmod p)$, $E2_{SK}(H(flow[1]))$
U: $SK = (g^{r2})^{r1} \bmod p$; Choose PW; the current time: T; $R = E2_{SK}(PW, T)$
3. U → S: ID, $E2_{SK}(H(flow[2]))$, R
S: Decrypt R with SK; Update PW
4. S → U: Access granted or denied

Slide 13: 2.5 Efficiency Comparison (7/7)
computation operation | HY U | HY S | Ours U | Ours S
modulo exponential | 0(5) | 0(3) | 2 | 2
public key en/decryption | 1/0 | 0/1 | 0/0
symmetric en/decryption | 0/0 | 4/5
hash | 2/4 | 2/3 | 2 | 2

Slide 14: 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (1/5)
2002, Zhu et al.'s password authenticated key exchange scheme
- Based on RSA
- For imbalanced wireless network
- Suffering from the undetectable on-line password guessing attack
2003, Yeh et al.'s scheme
- Using the simple interactive protocol to authenticate the public key pair
- May suffer from the off-line password guessing attack

Slide 15: 3. Password Authenticated Key Exchange for Imbalanced Wireless Network (2/5)
Notation: Description
PW: the password shared between the user U and the server S
(n, e): the server S's public key generated by a public key generator
d: S's private key
$H_i()$: distinct cryptographic hash functions for i = 1, 2, …, 5
$ID_S$/$ID_U$: the identity of S/U
$E_k(m)$: a symmetric cryptosystem encrypting m with the secret key k
$D_k(m)$: a symmetric cryptosystem decrypting m with the secret key k
p, q: two secret large primes only known by S
N: the public system parameter, where N = p*q

Slide 16: 3.1 Yeh et al.'s Scheme (3/5)
S U n, e, r S r S ∈ R {0, 1} l {m i ∈ R Z n } 1 ≤ i ≤ j {m i e mod n} 1 ≤ i ≤ j {H 1 (m i )} 1 ≤ i ≤ j H 1 (m i )?= H 1 (m i ),1 ≤ i ≤ j s U ∈ R Z n  = E pw (ID S,ID U, r S, s U ) z =  e mod n z E  (ID U ) c U =H 3 (s U )  =H 4 (r S, c U, ID S, ID U ) D  (E  (ID U ))?=ID U H 6 (  ) H 6 (  ) ?= H 6 (  ) (ID S,ID U, r S, s U ) =D pw (z d mod n) c U = H 3 (s U )  = H 4 (r S, c U, ID S, ID U )

Slide 17: 3.2 Our Scheme (4/5)
S U E pw (r S ) r S ∈ R {0, 1} l r S = D pw (E pw (r S )) s U ∈ R Z N  = H 5 (r S, s U, ID S, ID U )  = H 2 (r S, s U,  ) z = s U 2 mod N z,   = H 5 (r S, s U, ID S, ID U )  ?= H 2 (r S, s U,  ) H 6 (  ) ?=H 6 (  ) H 6 (  )

Slide 18: 3.3 Efficiency Comparison (5/5)
computation operation | Yeh et al.'s U | Yeh et al.'s S | Ours U | Ours S
modulo exponential | j+1 | 20
symmetric en(de)cryption | 2 | 2 | 1 | 1
hash | j+3 | 39/5/3

Slide 19: 4. Digital Signature without One-way Hash Function and Message Redundant Schemes (1/9)
2000, Zhu et al.'s digital multisignature scheme
- Without One-way Hash Function
- Without Message Redundant Schemes
- Suffering from the forgery attack

Slide 20: 4.1 Notation (2/9)
Notation: Description
g: a primitive element in GF(p), where p is a large prime
U: the user
V: the verifier
x: U's private key, where $\gcd(x, p-1) = 1$
y: U's public key, where $y = g^x \bmod p$
k: the random number chosen by U, where $k \in Z_p$
M: the signed message

Slide 21: 4.2 Shieh et al.'s Scheme (3/9)
The Signature-generation Phase
U executes the following steps to sign M.
Step 1: Computes $s = y^M \bmod p$.
Step 2: Computes $r = M \cdot g^{-k} \bmod p$.
Step 3: Computes t, where $s + t \equiv x^{-1}(k - r) \pmod{p-1}$.
Step 4: Sends the signature (s, r, t) of M to the verifier V.

Slide 22: 4.2 Shieh et al.'s Scheme (4/9)
The Verification Phase
V executes the following steps to verify the signature.
Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \equiv g^{x(s+t)} \cdot M \cdot g^{-k} \cdot g^{r} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod{p}$.
Step 2: Checks if $s = y^M \bmod p$.

Slide 23: 4.3 The Forgery Attack on Shieh et al.'s Scheme (5/9)
Eve executes the following steps to get a valid signature.
Step 1: Chooses $w \in Z_p$ randomly.
Step 2: Chooses $r \in Z_p$ randomly.
Step 3: Computes $g^k \bmod p = y^w \cdot g^r \bmod p$ without knowing k.
Step 4: Computes $M = r \cdot g^k \bmod p$.
Step 5: Computes $s = y^M \bmod p$.
Step 6: Computes $t = w - s \bmod (p-1)$.
Step 7: Sends the signature (s, r, t) of M to the verifier V.
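The signing, verification and forgery steps of slides 21 to 23, written out as an added Python example that is not part of the original presentation. The parameters p = 2^31 - 1, g = 7, x = 65537 and all sample inputs are constructed toy values; the point is that the verification equations accept a tuple built from the public key alone, because nothing binds the recovered M to a format the signer chose.

```python
import math

# Constructed toy parameters (assumptions; far too small for real use).
P = 2**31 - 1            # prime modulus p
G = 7                    # primitive element g of GF(p)
X = 65537                # signer's private key x
Y = pow(G, X, P)         # signer's public key y = g^x mod p
assert math.gcd(X, P - 1) == 1   # required so that x^-1 mod (p-1) exists


def sign(m, k, x=X):
    """Signature-generation phase: return (s, r, t) for message m, nonce k."""
    y = pow(G, x, P)
    s = pow(y, m, P)                                  # Step 1
    r = m * pow(G, -k, P) % P                         # Step 2
    t = (pow(x, -1, P - 1) * (k - r) - s) % (P - 1)   # Step 3
    return s, r, t


def verify(sig, y=Y):
    """Verification phase: return the recovered M, or None if s != y^M."""
    s, r, t = sig
    m = pow(y, (s + t) % (P - 1), P) * r * pow(G, r, P) % P   # Step 1
    return m if pow(y, m, P) == s else None                   # Step 2


def forge(w, r, y=Y):
    """Slide 23 steps: only the public key y is used; M is not chosen freely."""
    gk = pow(y, w, P) * pow(G, r, P) % P    # Step 3: y^w * g^r, k unknown
    m = r * gk % P                          # Step 4
    s = pow(y, m, P)                        # Step 5
    t = (w - s) % (P - 1)                   # Step 6
    return m, (s, r, t)


if __name__ == "__main__":
    honest = sign(123456789, 987654321)
    print("honest signature verifies, M =", verify(honest))
    m, forged = forge(424242, 13579)
    print("forged tuple verifies:", verify(forged) == m, "for M =", m)
```

The forged M comes out of the computation rather than being chosen, which is why a verifier that requires recovered messages to carry a fixed redundancy pattern or a hash would reject it with high probability.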

Slide 24: 4.4 Our Scheme (6/9)
The Signature-generation Phase
U executes the following steps to sign M.
Step 1: Computes $s = y^M \bmod p$.
Step 2: Computes $r = M \cdot s \cdot g^{-k} \bmod p$.
Step 3: Computes t, where $s + t \equiv x^{-1}(k - r) \pmod{p-1}$.
Step 4: Sends the signature (s, r, t) of M to the verifier V.

Slide 25: 4.4 Our Scheme (7/9)
The Verification Phase
V executes the following steps to verify the signature.
Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \cdot s^{-1} \equiv g^{x(s+t)} \cdot M \cdot s \cdot g^{-k} \cdot g^{r} \cdot s^{-1} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod{p}$.
Step 2: Checks if $s = y^M \bmod p$.

Slide 26: 4.5 The Forgery Attack 1 on Our Scheme (8/9)
After getting the signature (s, r, t) of M, Eve executes the following steps to get a valid signature.
Step 1: Chooses   ∈ $Z_{p-1}^{*}$ randomly.
Step 2: Computes m = M*y  mod p.
Step 3: Computes $s = y^m \bmod p$.
Step 4: Sets r = r.
Step 5: Sets t = s + t – M +  - s + m mod (p-1).
Step 6: Sends the signature (s, r, t) of m to the verifier V.

Slide 27: 4.5 The Forgery Attack 2 on Our Scheme (9/9)
After getting the signature (s, r, t) of M, Eve executes the following steps to get a valid signature.
Step 1: Chooses   ∈ $Z_{p-1}^{*}$ randomly.
Step 2: Sets r =  *r mod p.
Step 3: Computes  such that r +  ≡ r (mod (p-1)).
Step 4: Computes m = M*  *g  mod p.
Step 5: Sets $s = y^m \bmod p$.
Step 6: Sets t = s + t – M - s + m mod (p-1).
Step 7: Sends the signature (s, r, t) of m to the verifier V.

Slide 28: 5. Anonymous Auction Protocols (1/11)
Auction
- English auction
- Dutch auction
- Sealed-bid auction
Participants
- Auctioneer
- Bidder

Slide 29: 5. Anonymous Auction Protocols (2/11)
Sealed-bid auction
→ (1999, Kikuchi et al.) the privacy of the bids
→ the anonymity of the bidding prices
→ the anonymity of the bidders

Slide 30: 5.1 Notation (3/11)
Notation: Description
g: a primitive element in GF(p), where p is a large prime
$U_i$: the bidder for i = 1, 2, …, m
P: the auctioneer
$U_i$'s public/private key certified by CA
P's public/private key certified by CA
$H(\cdot)$: a collision-resistant hash function
$a_i$/b: the random number $\in Z_p$ chosen by $U_i$/P
$ID_i$: $U_i$'s identity
$E(\cdot)$: an asymmetric cryptosystem
T: the timestamp

Slide 31: 5.2 Initiation (4/11)
Concept: to have $U_i$ and P share one secret
Step 1: $U_i$ computes
Then $U_i$ sends $X_i$ and $Q_i$ to P.

Slide 32: 5.2 Initiation (5/11)
Step 2: P computes
Then P broadcasts Y and W.
Step 3: P computes

Slide 33: 5.2 Initiation (6/11)
Step 4: $U_i$ checks if
If it holds, $U_i$ computes
→ P and $U_i$ share $k_i$.

Slide 34: 5.3 Initial Authentication (7/11)
Step 1: $U_i$ randomly chooses M and computes  = H(M, T, $k_i$). Then $U_i$ sends (M, T,  ) to P.
Step 2: P computes  = H(M, T, $k_i$) for i = 1, 2, …, m. If any  = , P computes = H(M+1, $k_i$) and broadcasts ( , ).

Slide 35: 5.4 Anonymous English Auction (8/11)
Step 1: $U_i$ signs his own bid B and computes
Then $U_i$ casts (B, T, D, C).

Slide 36: 5.4 Anonymous English Auction (9/11)
Step 2: P sets a timer and computes $C_i = H(B, T, k_i)$ for i = 1, 2, …, m and
If any $C_i = C$, B is valid. Otherwise, B is invalid.
If the countdown of the timer reaches zero and no bidder has cast a bid, P closes the auction.

Slide 37: 5.5 Anonymous Sealed-bid Auction (10/11)
Step 1: $U_i$ signs his own bid B and computes
Then $U_i$ submits (F, D, C) to P.

Slide 38: 5.5 Anonymous Sealed-bid Auction (11/11)
Step 2: P computes
Step 3: P sets a timer and computes $C_i = H(B, T, k_i)$ for i = 1, 2, …, m. If any $C_i = C$, B is valid. Otherwise, B is invalid.
After receiving all bids, P resolves the winner anonymously.

Slide 39: 6. Conclusions
- We have proposed different authentication schemes for different requirements.
- As to digital signatures, the hash function and the message redundancy scheme are essential to designing a secure digital signature scheme.
- The concepts of authentication and digital signature schemes should be employed to ensure the security of a variety of applications over networks.

Slide 40: Thanks all

