1 An efficient password authenticated key exchange protocol for imbalanced wireless
Authors: Ya-Fen Chang, Chin-Chen Chang and Jen-Ho Yang
Source: Computer Standards & Interfaces, Vol. 27, pp. 313–322, 2005
Reporter: Jung-wen Lo (駱榮問)
Date: 2005/07/07
2 Introduction
Bellovin-Merritt (1992): Encrypted key exchange
Ding, P. Horster (1995): Password guessing attacks
  - Detectable on-line password guessing attack
  - Undetectable on-line password guessing attack
  - Off-line password guessing attack
Zhu et al. (2002): Imbalanced wireless network; broken by two dictionary attacks by Bao (2003)
Yeh et al. (2003): Vulnerable to off-line dictionary attack
3 Zhu et al.'s Protocol (2002)
Server A (n, e, d, pw); Client B (pw)
A: r_A ∈_R {0,1}^l; A → B: (n, e), r_A
Interactive check of e:
  B: {m_i ∈_R Z_n}, 1 ≤ i ≤ N; B → A: {m_i^e mod n}, 1 ≤ i ≤ N
  A: m'_i = (m_i^e)^d; A → B: {H_1(m'_i)}, 1 ≤ i ≤ N
  B: check H_1(m'_i) ?= H_1(m_i)
B: r_B, s_B; α = H_2(pw, ID_A, ID_B, r_A, r_B); z = s_B^e + α (mod n); B → A: z, r_B
A: α = H_2(pw, ID_A, ID_B, r_A, r_B); s_B = (z − α)^d mod n; K = H_3(s_B); c_A ∈_R {0,1}^l; A → B: E_K(c_A, ID_B)
B: K = H_3(s_B); D_K(E_K(c_A, ID_B)) => c'_A, ID'_B; check ID'_B ?= ID_B; c_B = H_4(s_B); σ' = H_5(c'_A, c_B, ID_A, ID_B); B → A: H_6(σ')
A: c_B = H_4(s_B); σ = H_5(c_A, c_B, ID_A, ID_B); check H_6(σ') ?= H_6(σ)
4 Undetectable On-line Password Guessing Attack (on Zhu et al.'s protocol)
Server A (n, e, d, pw); Attacker E (guessed password pw'); Client B (pw)
A: r_A ∈_R {0,1}^l; A → E: (n, e), r_A
Interactive check of e (Client B's part):
  B → A: {m_i^e mod n}, 1 ≤ i ≤ N
  A: m'_i = (m_i^e)^d; A → B: {H_1(m'_i)}, 1 ≤ i ≤ N
  B: check H_1(m'_i) ?= H_1(m_i)
E: r_E, s_E; α' = H_2(pw', ID_A, ID_B, r_A, r_E); z' = s_E^e + α' (mod n); E → A: z', r_E
A: α'' = H_2(pw, ID_A, ID_B, r_A, r_E); s'_E = (z' − α'')^d mod n; K = H_3(s'_E); c_A ∈_R {0,1}^l; A → E: E_K(c_A, ID_B)
E: K' = H_3(s_E); D_K'(E_K(c_A, ID_B)) => c'_A, ID'_B; if ID'_B = ID_B then pw' = pw
5 Yeh et al.'s Protocol (2003)
Server A (n, e, d, pw); Client B (pw)
A: r_A ∈_R {0,1}^l; A → B: (n, e), r_A
Interactive check of e:
  B: {m_i ∈_R Z_n}, 1 ≤ i ≤ N; B → A: {m_i^e mod n}, 1 ≤ i ≤ N
  A: m'_i = (m_i^e)^d; A → B: {H_1(m'_i)}, 1 ≤ i ≤ N
  B: check H_1(m'_i) ?= H_1(m_i)
B: s_B ∈_R Z_n; α = E_pw(ID_A, ID_B, r_A, s_B); z = α^e mod n; B → A: z
A: (ID_A, ID_B, r_A, s_B) = D_pw(z^d mod n); c_B = H_3(s_B); σ = H_4(r_A, c_B, ID_A, ID_B); A → B: E_σ(ID_B)
B: c_B = H_3(s_B); σ' = H_4(r_A, c_B, ID_A, ID_B); check D_σ'(E_σ(ID_B)) ?= ID_B; B → A: H_6(σ')
A: check H_6(σ') ?= H_6(σ)
6 Cryptanalysis of Yeh et al.'s protocol: off-line dictionary attack
Attacker E (n', e', d') impersonating Server A; Client B (pw)
E: r_E ∈_R {0,1}^l; E → B: (n', e'), r_E
Interactive check of e':
  B: {m_i ∈_R Z_n}, 1 ≤ i ≤ N; B → E: {m_i^e' mod n'}, 1 ≤ i ≤ N
  E → B: {H_1(m'_i)}, 1 ≤ i ≤ N (E holds d', so the check passes)
B: s_B; α = E_pw(ID_A, ID_B, r_E, s_B); z = α^e' mod n'; B → E: z
E: α = z^d' mod n'; for each candidate pw': D_pw'(α) ?= (ID_A, ID_B, r_E, s_B)
7 Proposed scheme
Server A (p, q, pw); Client B (pw)
※ n = p*q, p ≡ 3 (mod 4), q ≡ 3 (mod 4)
A: r_A ∈_R {0,1}^l; A → B: E_pw(r_A)
B: r_A = D_pw(E_pw(r_A)); s_B ∈_R Z_n; σ = F_1(ID_A, ID_B, r_A, s_B); α = F_2(r_A, s_B, σ); z = s_B^2 mod n; B → A: z, α
A: c_1 = z^((p+1)/4) mod p
   c_2 = (p − z^((p+1)/4)) mod p
   c_3 = z^((q+1)/4) mod q
   c_4 = (q − z^((q+1)/4)) mod q
   x = q·(q^(-1) mod p)
   y = p·(p^(-1) mod q)
   β_1 = (x·c_1 + y·c_3) mod n
   β_2 = (x·c_1 + y·c_4) mod n
   β_3 = (x·c_2 + y·c_3) mod n
   β_4 = (x·c_2 + y·c_4) mod n
   s'_B = β_i, i = 1, 2, 3, 4
   σ' = F_1(ID_A, ID_B, r_A, s'_B); α' = F_2(r_A, s'_B, σ')
   α' ?= α (if no β_i gives α' = α, abort); A → B: F_3(σ')
B: check F_3(σ') ?= F_3(σ)
8 Proposed scheme (sample)
Server A (p, q, pw); Client B (pw)
※ n = p*q = 77; p ≡ 3 (mod 4): p = 7; q ≡ 3 (mod 4): q = 11
A: r_A ∈_R {0,1}^l = 6; A → B: E_pw(r_A)
B: r_A = D_pw(E_pw(r_A)); s_B ∈_R Z_n = 3; σ = F_1(ID_A, ID_B, r_A, s_B); α = F_2(r_A, s_B, σ); z = s_B^2 mod n = 9; B → A: z, α
A: c_1 = z^((p+1)/4) mod p = 81 mod 7 = 4
   c_2 = (p − z^((p+1)/4)) mod p = 7 − 81 mod 7 = 3
   c_3 = z^((q+1)/4) mod q = 729 mod 11 = 5
   c_4 = (q − z^((q+1)/4)) mod q = 11 − 729 mod 11 = 8
   x = q·(q^(-1) mod p) = 11 × 2 = 22
   y = p·(p^(-1) mod q) = 7 × 8 = 56
   β_1 = (x·c_1 + y·c_3) mod n = (22×4 + 56×5) mod 77 = 60
   β_2 = (x·c_1 + y·c_4) mod n = (22×4 + 56×8) mod 77 = 74
   β_3 = (x·c_2 + y·c_3) mod n = (22×3 + 56×5) mod 77 = 38
   β_4 = (x·c_2 + y·c_4) mod n = (22×3 + 56×8) mod 77 = 52
   s'_B = β_i, i = 1, 2, 3, 4
   σ' = F_1(ID_A, ID_B, r_A, s'_B); α' = F_2(r_A, s'_B, σ')
   α' ?= α (if no β_i gives α' = α, abort); A → B: F_3(σ')
B: check F_3(σ') ?= F_3(σ)
9 Security Analysis
On-line password-guessing attack: a malicious user E impersonates B => E cannot derive r_A
Off-line password-guessing attack: E eavesdrops and records the transmitted data E_pw(r_A), α, z and h(σ), or impersonates A to obtain the essential information => E cannot derive s_B
E wants to obtain the session key σ => it is protected by the hash function
E guesses B's password by impersonating A => B will not keep sending the request indefinitely; when the server terminates the protocol several times in a short time, B will detect it
Replay attack => easily detected, because r_A differs in every run
10 Performance Analyses (1/2)
The numbers of operations for different computation types (participants A and B)

Protocol                  Computation type            A        B
Zhu et al.'s protocol     Exponential computation     N+1      N+1
                          Symmetric en(de)cryption    1        1
                          Hash                        N+5      N+5
Yeh et al.'s protocol     Exponential computation     N+1      N+1
                          Symmetric en(de)cryption    2        2
                          Hash                        N+3      N+3
Our proposed protocol     Exponential computation     2        0
                          Symmetric en(de)cryption    1        1
                          Hash                        8/4/2    3
11 Performance Analyses (2/2)
The numbers of transmissions of the participants

Protocol                  A    B
Zhu et al.'s protocol     3    3
Yeh et al.'s protocol     3    3
Our proposed protocol     2    1
12 Conclusion
Mutual authentication: A and B authenticate each other
Explicit key authentication: A is assured that B has computed the exchanged key
Computation efficiency: the computation load of the wireless device is light
Power saving: the power consumption of the wireless device in our protocol is low
Confirmation and completeness: withstands password-guessing attacks
13 Comments
E impersonates B: a detectable on-line guessing attack (Author: A will discover it)
E eavesdrops and records the transmitted data E_pw(r_A), α, z and h(σ): z, s_B + pw' → r'_A → σ' → α'; IF α' = α THEN pw' = pw
Performance analysis unfair: the interactive protocol is not counted
Hash count error in Server A: 2 × (F_1 + F_2) + F_3
14 Rabin Public Key Cryptosystem (1979) - excerpted from Prof. 詹進科's lecture notes
Probabilistic encryption systems
Rabin's idea: one ciphertext corresponds to four plaintexts. Therefore some meaningful and easily recognizable information must be embedded in the plaintext at encryption time, so that decryption can unambiguously recover the original plaintext.
Method outline: choose n = p*q, where p and q are large primes. Let the plaintext be M and the ciphertext C; the public encryption key is (b, n) and the secret decryption key is (p, q).
[Encryption]: C = M*(M + b) mod n, where b is a random number.
[Decryption]: from the above, M^2 + M*b − C ≡ 0 (mod n). Hence the plaintext can be computed as one of the following four values:
  M = −b/2 ± ((b/2)^2 + C)^(1/2) mod p
  M = −b/2 ± ((b/2)^2 + C)^(1/2) mod q
15 Rabin Public Key Cryptosystem
Key generation: choose n = p*q, where p and q are large primes with p ≡ q ≡ 3 (mod 4). Let the plaintext be M and the ciphertext C; A's public encryption key is n and the secret decryption key is (p, q).
[Encryption] B -> A: C = M^2 mod n
[Decryption]:
  ap + bq = 1, by the Euclidean algorithm
  r = C^((p+1)/4) mod p
  s = C^((q+1)/4) mod q
  x = (aps + bqr) mod n
  y = (aps − bqr) mod n
  Hence the plaintext is one of the following four: m_1 = x, m_2 = −x mod n, m_3 = y, m_4 = −y mod n
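The following is an added Python example, not code from the paper or from this presentation, that carries out the server-side root recovery of slides 7 and 8 using the Rabin square-root computation of slide 15 (c_1..c_4 from the (p+1)/4 and (q+1)/4 exponents, x and y from the CRT coefficients, β_1..β_4 as the four candidates). It assumes that F_1, F_2 and F_3 are instantiated as SHA-256 over labelled, "|"-joined fields, that E_pw(r_A) has already been decrypted (r_A is handed to both sides directly), and that ID_A = "A" and ID_B = "B" are constructed identifiers. Run on the slide-8 parameters (p = 7, q = 11, r_A = 6, s_B = 3, z = 9) it reproduces c_1 = 4, c_2 = 3, c_4 = 8, x = 22, y = 56, β_2 = 74 and β_4 = 52, but gives c_3 = 729 mod 11 = 3 rather than 5, and therefore β_1 = 25 and β_3 = 3 (= s_B); each β_i squared is 9 mod 77, which is the check a reader can use to confirm the roots.

```python
"""Server-side recovery of s_B in the proposed scheme (slides 7/8) via the
Rabin square roots of slide 15.  Added example; not the authors' code.
Assumptions: F_1/F_2/F_3 are SHA-256 over labelled fields; r_A is already
shared (E_pw omitted); ID_A="A", ID_B="B" are constructed identifiers."""
import hashlib


def _h(*parts):
    # Generic hash over '|'-joined, labelled fields (assumed instantiation).
    return hashlib.sha256("|".join(str(x) for x in parts).encode()).hexdigest()


def F1(id_a, id_b, r_a, s_b):
    return _h("F1", id_a, id_b, r_a, s_b)


def F2(r_a, s_b, sigma):
    return _h("F2", r_a, s_b, sigma)


def F3(sigma):
    return _h("F3", sigma)


def rabin_roots(z, p, q):
    """Four square roots of z modulo n = p*q when p ≡ q ≡ 3 (mod 4).
    Returns ((c1, c2, c3, c4), [β1, β2, β3, β4]) exactly as slide 7 names them."""
    assert p % 4 == 3 and q % 4 == 3, "Rabin shortcut needs p ≡ q ≡ 3 (mod 4)"
    n = p * q
    c1 = pow(z, (p + 1) // 4, p)          # root of z mod p
    c2 = (p - c1) % p                     # its negative mod p
    c3 = pow(z, (q + 1) // 4, q)          # root of z mod q
    c4 = (q - c3) % q                     # its negative mod q
    x = q * pow(q, -1, p)                 # x ≡ 1 (mod p), x ≡ 0 (mod q)
    y = p * pow(p, -1, q)                 # y ≡ 0 (mod p), y ≡ 1 (mod q)
    betas = [
        (x * c1 + y * c3) % n,
        (x * c1 + y * c4) % n,
        (x * c2 + y * c3) % n,
        (x * c2 + y * c4) % n,
    ]
    return (c1, c2, c3, c4), betas


def client_send(id_a, id_b, r_a, s_b, n):
    """Client B: σ = F_1(...), α = F_2(...), z = s_B^2 mod n; sends (z, α)."""
    sigma = F1(id_a, id_b, r_a, s_b)
    alpha = F2(r_a, s_b, sigma)
    return pow(s_b, 2, n), alpha, sigma


def server_recover(id_a, id_b, r_a, z, alpha, p, q):
    """Server A: try each β_i as s'_B; accept the one whose α' equals α and
    return (s'_B, F_3(σ')).  If no root matches, abort by returning None."""
    _, betas = rabin_roots(z, p, q)
    for cand in betas:
        sigma_c = F1(id_a, id_b, r_a, cand)
        if F2(r_a, cand, sigma_c) == alpha:
            return cand, F3(sigma_c)
    return None


def run_sample():
    """Slide-8 parameters (constructed run): p=7, q=11, r_A=6, s_B=3."""
    p, q, r_a, s_b = 7, 11, 6, 3
    z, alpha, sigma = client_send("A", "B", r_a, s_b, p * q)
    c, betas = rabin_roots(z, p, q)
    result = server_recover("A", "B", r_a, z, alpha, p, q)
    return z, c, betas, result, F3(sigma)


if __name__ == "__main__":
    z, c, betas, result, f3_client = run_sample()
    print("z =", z, "c =", c, "betas =", betas)
    print("server picked s'_B =", result[0], "F3 match:", result[1] == f3_client)
```

The α' comparison is what disambiguates the four Rabin roots: only the β_i equal to the client's s_B reproduces α, and a tampered or mismatched α makes every candidate fail, which is the abort path on slide 7. Note that `pow(q, -1, p)` needs Python 3.8 or later.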