Multimedia Network Security Laboratory
An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security
Date: 2012/02/16
Presenter: 向峻霈
Source: He Debiao, Chen Jianhua and Hu Jin, Information Fusion, 2011
Outline
1. Introduction
2. Proposed scheme
3. Security analysis
4. Functionality comparison
5. Conclusion
Introduction
In electronic transactions, remote client authentication over an insecure channel is an important issue.
ECC-based authentication protocols are more suitable for mobile devices.
Proposed scheme
The scheme has three phases:
1. System initializing phase
2. Client registration phase
3. Mutual authentication with key agreement phase
System initializing phase
S generates the parameters of the system:
Chooses a large prime number q (q > 2^160)
Chooses an elliptic curve E over F_p: y^2 = x^3 + ax + b (mod p), with a, b ∈ F_p and 4a^3 + 27b^2 mod q ≠ 0
G is a generator point of large order n (n > 2^160)
Hash functions H1: {0,1}* → Z_n*, H2: {0,1}* → Z_p*, H3: {0,1}* → Z_p*
Public parameters: (F_p, E, n, P, P_S, H1, H2, H3, MAC_k(m))
Client registration phase
Client C_i sends its identity ID_Ci to the server S.
S computes:
h_Ci = H1(ID_Ci)
D_Ci = (1/(x + h_Ci))·P ∈ G    // private key of C_i
P_Ci = (h_Ci + x)·P = h_Ci·P + P_S
S delivers the private key in one of two ways:
1. Off-line: S stores the identity ID_Ci and D_Ci into a smart card and returns it to the client.
2. On-line: C_i connects to the server S through the Internet; S may use an SSL channel in https mode to deliver the private key D_Ci to the client C_i.
Mutual authentication with key agreement phase
Client C:
  chooses a random r_C and computes M = r_C·P, M' = r_C·D_C
  k = H2(ID_C, T_C, M, M')
  sends M1 = (ID_C, T_C, M, MAC_k(ID_C, T_C, M)) to S
Server S:
  checks ID_C, checks T_C
  h_C = H1(ID_C)
  M' = (1/(x + h_C))·M    (= r_C·D_C, since D_C = (1/(x + h_C))·P)
  k = H2(ID_C, T_C, M, M')
  checks MAC_k(ID_C, T_C, M)
  chooses a random r_S and computes W = r_S·P, K_S = r_S·M
  sk = H3(ID_C, T_C, T_S, M, W, K_S)
  sends M2 = (ID_C, T_S, W, MAC_k(ID_C, T_S, W)) to C
Client C:
  checks MAC_k(ID_C, T_S, W)
  K_C = r_C·W
  sk = H3(ID_C, T_C, T_S, M, W, K_C)
Security analysis
Discussion about the Smart-Card-Stolen attack
Known session key security
Perfect forward secrecy
No key-compromise impersonation
No unknown key-share
No key control
Smart-Card-Stolen attack
Figure: a client loses its smart card (1. loss), requests a replacement from the server (2. request) and receives a new card (3. new card); the server checks the validity of users.
Known session key security
Even if an adversary has obtained some previous session keys, it cannot get the session key of the current run of the key agreement protocol.
Perfect forward secrecy
(The mutual authentication diagram is repeated on this slide.)
The protocol satisfies perfect forward secrecy and master key forward secrecy: sk is derived from K_C = K_S = r_C·r_S·P, which depends only on the ephemeral values r_C and r_S, so even with the long-term keys D_C and x the adversary has to solve the CDHA (computational Diffie–Hellman assumption) on M = r_C·P and W = r_S·P to recover a past session key.
No key-compromise impersonation
The compromise of one client's static private key does not imply that the private keys of other clients are compromised.
(The registration diagram is repeated on this slide: D_Ci = (1/(x + h_Ci))·P, h_Ci = H1(ID_Ci). Each client's private key is tied to its own h_Ci and to the server's secret x; recovering x from D_Ci and P would require solving the ECDLP.)
No unknown key-share
To convince a group of entities that they share some session key with the adversary, the adversary would have to learn the private key of some entity.
No key control
(The mutual authentication diagram is repeated on this slide.)
Neither party can force the session key to a chosen value: sk = H3(ID_C, T_C, T_S, M, W, K) with K = r_C·r_S·P, and each party contributes its own random value (M = r_C·P from the client, W = r_S·P from the server).
Functionality comparison
Notation:
T_Gmul: time of executing a scalar multiplication operation of a point
T_Gmtph: time of executing a map-to-point hash function
T_Ggrp: time of generating a random point on the elliptic curve
T_Ginv: time of executing a modular inversion operation
T_Gadd: time of executing an addition operation of points
T_Gh: time of executing a one-way hash function
T_Gmac: time of executing a message authentication code
                            | Yang et al.'s scheme                         | Yoon et al.'s scheme                         | Our protocol
----------------------------|----------------------------------------------|----------------------------------------------|-----------------------------------
Computational cost (client) | 4T_Gmul + T_Gmtph + T_Ggrp + 2T_Gadd + 3T_Gh | 4T_Gmul + T_Gmtph + T_Ggrp + 2T_Gadd + 3T_Gh | 3T_Gmul + 2T_Gh + 2T_Gmac
Execution time (client)     | 63.77 ms                                     | 63.77 ms                                     | 36.25 ms
Computational cost (server) | 4T_Gmul + T_Gmtph + T_Ggrp + 2T_Gadd + 3T_Gh | 4T_Gmul + T_Gmtph + T_Ggrp + 2T_Gadd + 3T_Gh | 3T_Gmul + 3T_Gh + 2T_Gmac + T_Ginv
Execution time (server)     | 4.39 ms                                      | 4.39 ms                                      | 2.63 ms
Perfect forward secrecy     | No                                           | No                                           | Yes
Known attacks               | Impersonation attack                         | Unknown                                      | Provably secure
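The following is an added example, not code from the paper or from the presenters: it runs the three phases described above (system initializing, client registration, mutual authentication with key agreement) and counts the scalar multiplications and modular inversions each side performs, so the 3T_Gmul (client) and 3T_Gmul + T_Ginv (server) entries of the comparison table can be checked. Assumptions not on the slides: the standard secp256k1 curve stands in for (F_p, E, n, P); SHA-256 and HMAC-SHA256 stand in for H1, H2, H3 and MAC_k, with H2 and H3 returning byte digests rather than elements of Z_p*; P_S = xP (derived from P_Ci = h_Ci·P + P_S on the registration slide); timestamps are integers checked against a 60-second window; the names `run`, `take`, `COUNT` and `TIME_WINDOW` are the example's own.

```python
import hashlib, hmac, secrets

# System initializing phase: secp256k1's standard parameters stand in for (F_p, E, n, P)
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # prime order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (4 * A ** 3 + 27 * B ** 2) % PRIME != 0    # non-singular curve, as the slide requires
TIME_WINDOW = 60                # assumed freshness window (seconds) behind the slide's "Check T_C"
COUNT = {"mul": 0, "inv": 0}    # counts T_Gmul / T_Ginv for the cost comparison (example's own)

def inv_mod_n(v):
    """Modular inversion in Z_n (counted as one T_Ginv)."""
    COUNT["inv"] += 1
    return pow(v % N, -1, N)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over F_PRIME; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (counted as one T_Gmul)."""
    COUNT["mul"] += 1
    acc, k = None, k % N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def H1(data): return int.from_bytes(hashlib.sha256(b"H1" + data).digest(), "big") % (N - 1) + 1  # into Z_n^*
def H2(*parts): return hashlib.sha256(b"H2" + b"|".join(parts)).digest()   # MAC key k (digest, not Z_p^*)
def H3(*parts): return hashlib.sha256(b"H3" + b"|".join(parts)).digest()   # session key sk
def mac(k, *parts): return hmac.new(k, b"|".join(parts), hashlib.sha256).digest()

def server_setup():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, P)          # (x, P_S): P_S = xP follows from P_Ci = h_Ci P + P_S on the slide

def register(x, id_c):
    """Client registration: D_C = (1/(x + h_C)) P, handed over off-line (smart card) or over TLS."""
    return ec_mul(inv_mod_n(x + H1(id_c)), P)

def client_start(id_c, d_c, t_c):
    r_c = secrets.randbelow(N - 1) + 1
    M, M_ = ec_mul(r_c, P), ec_mul(r_c, d_c)      # M' = r_C D_C never leaves the client
    tc = str(t_c).encode()
    k = H2(id_c, tc, enc(M), enc(M_))
    return {"r_c": r_c, "k": k, "tc": tc, "M": M}, (id_c, t_c, M, mac(k, id_c, tc, enc(M)))

def server_respond(x, registered, m1, now):
    id_c, t_c, M, tag = m1
    if id_c not in registered: raise ValueError("unknown ID_C")
    if abs(now - t_c) > TIME_WINDOW: raise ValueError("stale T_C")
    M_ = ec_mul(inv_mod_n(x + H1(id_c)), M)        # equals r_C D_C only if the client holds D_C
    tc = str(t_c).encode()
    k = H2(id_c, tc, enc(M), enc(M_))
    if not hmac.compare_digest(tag, mac(k, id_c, tc, enc(M))): raise ValueError("bad MAC on M1")
    r_s = secrets.randbelow(N - 1) + 1
    W, K_s, ts = ec_mul(r_s, P), ec_mul(r_s, M), str(now).encode()
    sk = H3(id_c, tc, ts, enc(M), enc(W), enc(K_s))
    return sk, (id_c, now, W, mac(k, id_c, ts, enc(W)))

def client_finish(state, m2):
    id_c, t_s, W, tag = m2
    ts = str(t_s).encode()
    if not hmac.compare_digest(tag, mac(state["k"], id_c, ts, enc(W))): raise ValueError("bad MAC on M2")
    K_c = ec_mul(state["r_c"], W)                  # K_C = r_C W = r_C r_S P = K_S
    return H3(id_c, state["tc"], ts, enc(state["M"]), enc(W), enc(K_c))

def take():
    """Return and reset the operation counters."""
    snap, COUNT["mul"], COUNT["inv"] = dict(COUNT), 0, 0
    return snap

def run(id_c=b"alice@example", now=1_700_000_000, d_c=None):
    """Full run; returns (sk_client, sk_server, per-side op counts). A wrong d_c makes S reject M1."""
    x, _ = server_setup()
    d_c = d_c if d_c is not None else register(x, id_c)
    take()
    state, m1 = client_start(id_c, d_c, now)
    c1 = take()
    sk_s, m2 = server_respond(x, {id_c}, m1, now + 1)
    cost_s = take()
    sk_c = client_finish(state, m2)
    c2 = take()
    cost_c = {op: c1[op] + c2[op] for op in c1}
    return sk_c, sk_s, {"client": cost_c, "server": cost_s}

if __name__ == "__main__":
    sk_c, sk_s, cost = run()
    print("session keys match:", sk_c == sk_s, "| ops per side:", cost)
```

The point the slide's diagram makes implicitly is visible in `server_respond`: the server never receives D_C, but because D_C = (1/(x + h_C))·P it can recompute M' = r_C·D_C from M alone, and the MAC under k = H2(ID_C, T_C, M, M') only verifies if the client really used D_C; passing any other point as `d_c` to `run` makes the server raise on M1. The counters show three scalar multiplications per side plus one inversion on the server, matching the cost row for "Our protocol".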
Conclusion
The proposed protocol offers key agreement and mutual authentication.
We demonstrate the comparisons between our protocol and the related schemes.
The proposed protocol is well suited for the mobile client–server environment.