Multimedia Network Security Laboratory
An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security
Date: 2012/02/16
Presenter: 向峻霈
Source: He Debiao, Chen Jianhua and Hu Jin, Information Fusion, 2011
Outline
1. Introduction
2. Proposed scheme
3. Security analysis
4. Functionality comparison
5. Conclusion
Introduction
- In electronic transactions, remote client authentication over an insecure channel is an important issue.
- ECC-based authentication protocols are more suitable for mobile devices.
Proposed scheme
The scheme has three phases:
1. System initializing phase
2. Client registration phase
3. Mutual authentication with key agreement phase
System initializing phase
S generates the parameters of the system:
- Chooses a large prime number $q$ ($q > 2^{160}$).
- Elliptic curve $E$ over $F_p$: $y^2 = x^3 + ax + b$ with $a, b \in F_p$ and $4a^3 + 27b^2 \bmod q \neq 0$.
- $G$ is a generator point of a large order $n$ ($n > 2^{160}$).
- Hash functions $H_1 : \{0,1\}^* \to Z_n^*$, $H_2 : \{0,1\}^* \to Z_p^*$, $H_3 : \{0,1\}^* \to Z_p^*$.
- Public parameters: $(F_p, E, n, P, P_S, H_1, H_2, H_3, MAC_k(m))$.
Client registration phase
Client $C_i$ sends its identity $ID_{C_i}$ to server $S$. $S$ computes:
- $h_{C_i} = H_1(ID_{C_i})$
- $D_{C_i} = \frac{1}{x + h_{C_i}} P \in G$ (the client's private key)
- $P_{C_i} = (h_{C_i} + x) P = h_{C_i} P + P_S$
$S$ delivers the private key in one of two ways:
1. Off-line: $S$ stores the identity $ID_{C_i}$ and $D_{C_i}$ into a smart card and returns it to the client.
2. On-line: $C_i$ connects to the server $S$ through the Internet; $S$ may use the SSL channel in https mode to deliver the private key $D_{C_i}$ to the client $C_i$.
Mutual authentication with key agreement phase
Client $C$:
- Chooses $r_C$ and computes $M = r_C P$, $M' = r_C D_C$
- $k = H_2(ID_C, T_C, M, M')$
- Sends $M_1 = (ID_C, T_C, M, MAC_k(ID_C, T_S, M))$ to $S$
Server $S$:
- Check $ID_C$, check $T_C$
- $h_C = H_1(ID_C)$, $M' = \frac{1}{q_s + h_C} M$ (here $q_s$ is the server's private key, written $x$ in the registration phase, so this equals the client's $M' = r_C D_C$)
- $k = H_2(ID_C, T_C, M, M')$, check $MAC_k(ID_C, T_S, M)$
- Chooses $r_S$ and computes $W = r_S P$, $K_S = r_S M$, $sk = H_3(ID_C, T_C, T_S, M, W, K_S)$
- Sends $M_2 = (ID_C, T_S, W, MAC_k(ID_C, T_S, W))$ to $C$
Client $C$:
- Check $MAC_k(ID_C, T_S, W)$
- $K_C = r_C W$, $sk = H_3(ID_C, T_C, T_S, M, W, K_C)$
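A toy implementation of the registration and mutual authentication phases above, added here as an example; it is not code from the paper or from the presenter's slides. It assumes the textbook curve $y^2 = x^3 + 2x + 2 \bmod 17$ with generator $P = (5, 1)$ of prime order 19 (illustration only, no real security), models $H_1$, $H_2$, $H_3$ as domain-tagged SHA-256 and the MAC as HMAC-SHA256, and computes the MAC in $M_1$ over $T_C$ because the client does not yet hold $T_S$ at that point.

```python
# Added toy implementation of the registration and authentication phases; not the
# authors' code. Curve y^2 = x^3 + 2x + 2 mod 17, P = (5, 1) of prime order 19.
import hashlib, hmac, secrets
p, a, P, INF = 17, 2, (5, 1), None   # field prime, coefficient a, generator, point at infinity

def add(A, B):
    """Affine point addition/doubling on E(F_p); INF is the identity."""
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return INF
    lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication k*A
    R = INF
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def order(A):  # order of A: step through its multiples until INF
    n, R = 1, A
    while R is not INF: R, n = add(R, A), n + 1
    return n

n = order(P)  # 19 for this curve; all scalars live in Z_n

def H(tag, *parts):  # H1/H2/H3 modelled as domain-tagged SHA-256 (assumption)
    return hashlib.sha256((tag + "|" + "|".join(map(str, parts))).encode()).digest()
def H1(ID): return 1 + int.from_bytes(H("H1", ID), "big") % (n - 1)   # H1 into Z_n^*
def mac(k, *parts): return hmac.new(k, "|".join(map(str, parts)).encode(), "sha256").digest()

def register(x, ID):  # server with private key x issues D_C = (1/(x + h_C)) P
    return mul(pow(x + H1(ID), -1, n), P)

def run(x, ID, D, TC="tC", TS="tS"):
    """One run of the exchange; returns (client sk, server sk, both MACs verified)."""
    rC, rS = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1  # ephemerals
    M, Mp = mul(rC, P), mul(rC, D)                       # client: M = r_C P, M' = r_C D_C
    kC = H("H2", ID, TC, M, Mp); mac1 = mac(kC, ID, TC, M)   # M1 = (ID, T_C, M, mac1)
    Ms = mul(pow(x + H1(ID), -1, n), M)                  # server: M' = (1/(x + h_C)) M
    kS = H("H2", ID, TC, M, Ms); ok1 = hmac.compare_digest(mac1, mac(kS, ID, TC, M))
    W, KS = mul(rS, P), mul(rS, M)                       # server: W = r_S P, K_S = r_S M
    skS = H("H3", ID, TC, TS, M, W, KS); mac2 = mac(kS, ID, TS, W)  # M2 = (ID, T_S, W, mac2)
    ok2 = hmac.compare_digest(mac2, mac(kC, ID, TS, W))  # client checks M2
    skC = H("H3", ID, TC, TS, M, W, mul(rC, W))          # client: K_C = r_C W
    return skC, skS, ok1 and ok2
```

Running `run` with a wrong $D_C$ shows that $K_C$ and $K_S$ still agree, so it is the MAC keyed by $H_2(\ldots, M')$ that actually authenticates the client, not the Diffie–Hellman step.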
Security analysis
- Discussion about the Smart-Card-Stolen attack
- Known session key security
- Perfect forward secrecy
- No key-compromise impersonation
- No unknown key-share
- No key control
Smart-Card-Stolen attack
(Figure: 1. the client loses the card, 2. the client sends a request to the server, 3. the server issues a new card after checking the validity of users.)
Known session key security
- Even if an adversary has obtained some previous session keys, it cannot get the session key of the current run of the key agreement protocol.
Perfect forward secrecy
(The mutual authentication with key agreement exchange shown above is repeated on this slide.)
- The session key $sk = H_3(ID_C, T_C, T_S, M, W, K)$ is derived from $K = K_C = r_C W = r_S M = K_S$, which depends only on the ephemeral random values $r_C$ and $r_S$, so the protocol satisfies perfect forward secrecy and master key forward secrecy.
- To recover $K$ from $M = r_C P$ and $W = r_S P$ the adversary has to solve the computational Diffie–Hellman problem (written CDHA on the slide).
No key-compromise impersonation
- The compromise of one client's static private key does not imply that the private keys of other clients are compromised.
- (The client registration formulas are repeated on this slide.) Each private key $D_{C_i} = \frac{1}{x + h_{C_i}} P$, with $h_{C_i} = H_1(ID_{C_i})$ and $P_{C_i} = (h_{C_i} + x) P = h_{C_i} P + P_S$, is computed from the client's own identity hash and the server's secret $x$.
No unknown key-share
- If the adversary wants to convince a group of entities that they share some session key with the adversary, the adversary is required to learn the private key of some entity.
No key control
(The mutual authentication with key agreement exchange shown above is repeated on this slide.)
- Both parties contribute a fresh random value to the session key: $r_C$ through $M = r_C P$ and $r_S$ through $W = r_S P$, with $sk = H_3(ID_C, T_C, T_S, M, W, K_C)$ and $K_C = r_C W$, so neither the client nor the server can fix $sk$ to a value of its choosing.
Functionality comparison
Notation:
- $T_{Gmul}$: time of executing a scalar multiplication operation of a point
- $T_{Gmtph}$: time of executing a map-to-point hash function
- $T_{Ggrp}$: time of generating a random point on the elliptic curve
- $T_{Ginv}$: time of executing a modular inversion operation
- $T_{Gadd}$: time of executing an addition operation of points
- $T_{Gh}$: time of executing a one-way hash function
- $T_{Gmac}$: time of executing a message authentication code
| | Yang et al.'s scheme | Yoon et al.'s scheme | Our protocol |
|---|---|---|---|
| Computational cost (client) | $4T_{Gmul} + T_{Gmtph} + T_{Ggrp} + 2T_{Gadd} + 3T_{Gh}$ | $4T_{Gmul} + T_{Gmtph} + T_{Ggrp} + 2T_{Gadd} + 3T_{Gh}$ | $3T_{Gmul} + 2T_{Gh} + 2T_{Gmac}$ |
| Execution time (client) | 63.77 ms | 63.77 ms | 36.25 ms |
| Computational cost (server) | $4T_{Gmul} + T_{Gmtph} + T_{Ggrp} + 2T_{Gadd} + 3T_{Gh}$ | $4T_{Gmul} + T_{Gmtph} + T_{Ggrp} + 2T_{Gadd} + 3T_{Gh}$ | $3T_{Gmul} + 3T_{Gh} + 2T_{Gmac} + T_{Ginv}$ |
| Execution time (server) | 4.39 ms | 4.39 ms | 2.63 ms |
| Perfect forward secrecy | No | No | Yes |
| Known attacks | Impersonation attack | Unknown | Provably secure |
Conclusion
- The proposed protocol offers key agreement and mutual authentication.
- We present comparisons between our protocol and the related schemes.
- The proposed protocol is well suited for the mobile client–server environment.