A New Approach for Anonymous Password Authentication

A New Approach for Anonymous Password

Authentication

Yanjiang Yang, Jianying Zhou, Feng Bao

Institute for Infocomm Research, SingaporeJian Weng

Jinan University, China

RFID Security Seminar 2008

2

Agenda

• Introduction

• Limits of Conventional Anonymous Password Authentication

• Our Proposed Approach

• Conclusion


3

• Introduction



• Conclusion


4

PA: Pros & Cons

• Password Authentication (PA)

– Most widely used entity authentication technique

– Advantages: portability

– Disadvantages: guessing attack • Online guessing attack

• Offline guessing attack


5

Privacy Concern

• Privacy is increasingly a concern nowadays

• Password authentication in its original form does not protect user privacy


6

Project Summary - why should it be done? PA: Standard Setting

U1, PW1

U2, PW2

U3, PW3

Un, PWn

Ui, PWi

Password File

Ui

User Server(PWi)

Ui, PWiPWi


7

Privacy Protection – Anonymous PA

U1, PW1

U2, PW2

U3, PW3

Un, PWn

Ui, PWi Unlinkability

• Unlinkability


8

• Introduction



• Conclusion


9

Major Weakness

• Server Computation O(N)– Linear to the total number registered

users N

– Server is the bottleneck of the system


10

• Introduction



• Conclusion


11

Project Summary - why should it be done?A Different Setting

[Cred]PW

PWCred

Important: [Cred]PW is public, requiring no further protection, portability arguably remains

User Server


12

Project Summary - why should it be done?Design Rationale

• Cred must not be publicly verifiable; otherwise, everyone can guess pw from [Cred]PW

• Cred is verifiable only to server


13

Project Summary - why should it be done? First Try

• What Credentials Have Unlinkability?

• Blind Signature

Cred = Blnd Sig

[Cred] = [Blnd Sig]PW

• Failurs:– Blind signatures are public verifiable


14

Project Summary - why should it be done? Second Try

• Still Using Blind Signature, but with Restricted Verifiability (Encryption to Server)

• Failures:– Server knows Cred from [Cred]PW, so if

directly submit Cred to server, then server links credentials encrypted by the same PW


15

Third Try

• Seems should not directly submit the credentials to server

• Using proof of knowledge– CL signature (by J. Camenisch, A.

Lysyanskaya)– Public parameters: (a, b, c, n)– Signature: (v, k, s) s.t. vk = ambsc (mod n): – Signature showing: NPoK[(v,k,s):vk=ambsc]


16

Third Try - continue

• Credential: (v,k,s) s.t. vk = aUbsc (mod n)

• How to Achieve Restricted Verifiability

• Encryption of s to Server: Enc(s);• Prove to Server: NPoK[(v,k,U):vka-U=bsc]

• Failurs:– Linkability through Enc(s)


17

Finale

• We need to blind Enc(), so it should be homomorphic: HE(.)– HE(r1).HE(r2) = HE(r1+r2)

• Partition s: s = s1 + s2

• Encryption s1 to Server Enc(s1), and blind Enc(s1) each time


18

Finale - continued

• Final Scheme– [Cred]PW = <[v, s2]PW, HE(s1), k>

– Authentication: • partition s2 = s21+s22

• bind HE(s1): HE(s1)HE(s21) = HE(s1+s21)

• Submit bs22gr, HE(s1+s21) to server

• NPoK[(v,k,U,r):vka-U=bs1+s21 bs22gr

c=bsgrc]


19

Future Work

• User Revocation

• Online Guessing Attacks


20

• Introduction



• Conclusion


21

Conclusion

• Server Computation in Conventional Anonymous PA has to be O(N)

• We Proposed A New Paradigm for Anonymous PA: Using Password to Protect Authentication Credentials

• Our Scheme Has Constant Server Computation


22

Project Summary - why should it be done? Q & A

THANK YOU!

A New Approach for Anonymous Password Authentication

Documents

Transcript of A New Approach for Anonymous Password Authentication