Authentication and Key Agreement Schemes for Network Applications...
1
Authentication and Key Agreement Schemes for Network Applications
(A Study of Identity Authentication and Key Agreement Techniques in Computer Network Application Environments)
Advisor: Dr. Chin-Chen Chang Student: Hao-Chuan Tsai Date: 12.30.2010 Department of Computer Science and Information Engineering, National Chung Cheng University
2
Outline
• Part I: Authentication Scheme with Key Agreement
– three party authenticated key agreement
• Part II: Anonymous Authentication Scheme for Wireless Networks
3
Part I: Authentication Scheme with Key Agreement
4
User Authentication
• Goal:
– Convince system of your identity before it can act on your behalf
• Methods
– Who you are
– What you know
– What you have
5
User Authentication (cont.)
• What you have
– Verify identity based on possession of some object
– Magnetic Card
– Smart Card (IC Card)
[Figure: smart card with dimension labels 8.56 cm, 5.39 cm, 1.923 cm, 1.025 cm]
6
User Authentication (cont.)
• Who you are
– verify identity based on your physical characteristics or involuntary response patterns known as biometrics
– characteristics used include:
– signature (usually dynamic)
– fingerprint
– hand geometry
– face or body profile
– speech
– retina pattern
– there is always a tradeoff between false rejection and false acceptance
7
User Authentication (cont.)
• What you know
– Birthday, School name, Blood type, or Salary?
– Meaningful Secrets?
– Meaningless Secrets (Passwords)!
• Traditional Password Mechanism
– Procedure:
• 1. Prompt user for a login name and password
• 2. Verify identity by checking that password is correct
– Passwords in the System:
• May be stored in clear mode
• May be stored in cipher mode: Encrypted or One-Way Hashed
– Passwords should be selected with care to reduce risk of exhaustive search
– One problem with traditional passwords is caused by eavesdropping their transfer over an insecure network
8
User Authentication (cont.)
• Password Practice
– Password Complexity Criteria
• At least 7 characters long.
• Does not contain your User Name, Real Name, or Company Name.
• Does not contain a complete dictionary word.
• Is significantly different from previous passwords.
• Contains characters from each of the following groups:
– uppercase letters
– lowercase letters
– numerals
– symbols found on the keyboard.
9
Key Establishment
• Create Session Keys
– Key transport
• A session key is selected by one communication party and is distributed to others in some way
– Key agreement
• A session key is established through the cooperation of all communication parties
10
Three-Party Authenticated Key Agreement (3PAKA)
Drawbacks of 2PAKA
– Given N parties
» there are N(N-1)/2 (= NC2) secret keys that should be established
» each party should securely store N-1 secret keys
– Awkward for larger-scale networks
– Inflexible (difficult to add, update, or delete a party)
Example: If N = 6, then 6(6-1)/2 = 15 secret keys should be established in advance.
11
Three-Party Authenticated Key Agreement (3PAKA) (cont.)
• An authenticated key agreement protocol is an interactive method for two or more parties to determine session keys based on their secret keys or public/private keys.
[Figure labels: Trusted server; Authentication; Key agreement / key exchange; SK; Secure communication]
12
Typical 3PAKA
13
Weaknesses of Typical 3PAKA
• Impersonation attacks
– Impersonate clients or the server
• Man-in-the-middle attacks
• On-line password guessing attacks
• Off-line password guessing attacks
– The most powerful attack
14
The Proposed 3PAKA (1/4)
• The server needs to authenticate the communication clients explicitly
• The established session key would not be revealed to either the server or others
• Round efficiency
15
The Proposed 3PAKA (2/4)
• Initial phase
– The server computes
– And then the server computes
– Server also finds a value rc to satisfy the equation
and computes
( , )C CH C pw
( , )C H C sk
modC C Cr q
modCrC g p
16
The Proposed 3PAKA (3/4)
A B
S
1.
2.
1ApwxX g M 2 ( || || || )x x
AX g H g A B
1BpwyY g N 2 ( || || || )y y
BY g H g B A
1ApwxX g M 2 ( || || || )x x
AX g H g A B
17
The Proposed 3PAKA (4/4)
A B
S3
compute $sk_{A,B} = H(A \| B \| S \| g^{xyz})$
retrieve $g^x = X / M^{pw_A}$ and $g^y = Y / N^{pw_B}$
derive ( || || || )xAH g A B
( || || || )yBH g B A
)||(||)||||||(' Ayzpw
Axyz gHgSBAHgX A
)||(||)||||||(' Bxzpw
Byxz gHgSABHgY B
4 )||(||)||||||(' Bxzpw
Byxz gHgSABHgY B
compute $sk_{A,B} = H(A \| B \| S \| g^{xyz})$
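The password-masked exchange and session-key derivation on the Proposed 3PAKA slides, as an added Python example (not code from the presentation). The modulus, the values of g, M and N, SHA-256 as H and all function names are assumptions; only the masking, the server's unmasking and sk = H(A || B || S || g^xyz) are modelled, and the authenticator values exchanged alongside them are left out.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example): 2**127 - 1 is prime.
# A deployment would use a standardized large prime-order group.
P = 2**127 - 1
G, M, N = 3, 5, 7          # base g and public mask bases (assumed values)

def H(*parts) -> bytes:
    """Hash a tuple of fields with length prefixes (stands in for the slides' H)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def pw_exp(pw: str) -> int:
    """Map a password to an exponent (assumed encoding)."""
    return int.from_bytes(H("pw", pw), "big") % (P - 1)

def client_start(mask_base: int, pw: str):
    """A picks x and sends X = g^x * M^pw_A; B does the same with y and N."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P) * pow(mask_base, pw_exp(pw), P) % P

def server_relay(X: int, Y: int, pw_a: str, pw_b: str):
    """S retrieves g^x = X / M^pw_A and g^y = Y / N^pw_B, then blinds with z."""
    gx = X * pow(M, -pw_exp(pw_a), P) % P
    gy = Y * pow(N, -pw_exp(pw_b), P) % P
    z = secrets.randbelow(P - 2) + 1
    return pow(gy, z, P), pow(gx, z, P)      # g^yz goes to A, g^xz goes to B

def session_key(own_secret: int, received: int) -> bytes:
    """sk = H(A || B || S || g^xyz); S holds only g^x, g^y and z, never x or y."""
    return H("A", "B", "S", pow(received, own_secret, P))

def run(pw_a_client: str, pw_a_server: str, pw_b: str):
    """One protocol run; returns the keys derived by A and by B."""
    x, X = client_start(M, pw_a_client)
    y, Y = client_start(N, pw_b)
    to_a, to_b = server_relay(X, Y, pw_a_server, pw_b)
    return session_key(x, to_a), session_key(y, to_b)

if __name__ == "__main__":
    ka, kb = run("correct horse", "correct horse", "tr0ub4dor")
    print("keys match:", ka == kb)
    ka, kb = run("wrong guess", "correct horse", "tr0ub4dor")
    print("keys match when A uses the wrong password:", ka == kb)
```

When A's password differs from the server's record, the server unmasks a value other than g^x and the two clients end up with different keys.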
18
Part II: Anonymous Authentication Scheme for Wireless Networks
19
Scenario
[Figure labels: HLR; VLR1, VLR2, VLR3; MS; roaming path]
20
Architecture
• Multiple regional domain
– Each domain is operated under a different administration
• HLR (Home Location Register)
– HLR is used to denote the home domain, the home domain server, and the home location register, concurrently.
– A subscriber has only one home as his administrative domain
• Anyone wishing to contact an MS must consult its HLR.
• VLR (Visiting Location Register)
– VLR is used to denote the visiting domain, the visiting domain server, and the visiting location register, concurrently.
– When a subscriber roams into a visited domain, he should initially establish a residence within that domain.
21
Parties: MS, VLR, HLR
MS → VLR: IMSI
VLR → HLR: IMSI, VLR (Unspecified Secure Channel)
HLR computes: SRES1 = A3(Ki, RAND1), Kc1 = A8(Ki, RAND1); SRES2 = A3(Ki, RAND2), Kc2 = A8(Ki, RAND2); …; SRESn = A3(Ki, RANDn), Kcn = A8(Ki, RANDn)
HLR → VLR: IMSI, (RAND1, SRES1, Kc1), (RAND2, SRES2, Kc2), …, (RANDn, SRESn, Kcn) (Unspecified Secure Channel)
VLR → MS: RAND1
MS computes (inside SIM): SRES1 = A3(Ki, RAND1), Kc1 = A8(Ki, RAND1)
MS → VLR: SRES1
VLR computes: enc_with_A5(Kc1, TMSI)
VLR → MS: enc_with_A5(Kc1, TMSI)
MS decrypts: enc_with_A5(Kc1, TMSI)
• Multiple on-the-fly triplets should be on-line generated and transferred in batch to the VLR. Then, VLR can use them in successive authentication flows with the roaming MS.
• VLR needs to ensure that MS is currently in good status.
• MS establishes a temporary residence in the visited domain.
22
Parties: MS, VLR
First flow:
MS → VLR: TMSI
VLR → MS: RANDm
MS computes (inside SIM): SRESm = A3(Ki, RANDm), Kcm = A8(Ki, RANDm)
MS → VLR: SRESm
MS ↔ VLR: enc_with_A5(Kcm, messages)
Second flow:
VLR → MS: TMSI, RANDm
MS computes (inside SIM): SRESm = A3(Ki, RANDm), Kcm = A8(Ki, RANDm)
MS → VLR: SRESm
MS ↔ VLR: enc_with_A5(Kcm, messages)
When MS makes a call, the origination protocol is then invoked to authenticate himself to VLR and establish a session key.
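The registration and call-origination flows on the two slides above, as an added Python example (not code from the presentation). HMAC-SHA256 and a hash-derived XOR keystream stand in for A3/A8 and A5, and the class names, the `air` log and the IMSI value are assumptions. The log records what crosses the radio link, which makes visible that the IMSI is sent in the clear at registration and that only the MS is authenticated.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    """Stand-in for A3/A8 (assumption: HMAC-SHA256, not the real algorithms)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]                      # SRES (32 bits), Kc (64 bits)

def a5(kc, data):
    """Stand-in for A5: XOR with a hash-derived keystream (short data only)."""
    return bytes(d ^ s for d, s in zip(data, hashlib.sha256(kc).digest()))

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc = imsi, ki, None
    def respond(self, rand):                       # runs inside the SIM
        sres, self.kc = a3_a8(self.ki, rand)
        return sres

class HLR:
    def __init__(self, subscribers):
        self.ki = subscribers                      # IMSI -> Ki, never leaves the HLR
    def triplets(self, imsi, n):
        rands = [secrets.token_bytes(16) for _ in range(n)]
        return [(r, *a3_a8(self.ki[imsi], r)) for r in rands]

class VLR:
    def __init__(self, hlr):
        self.hlr, self.batch, self.tmsi, self.air = hlr, {}, {}, []
    def _challenge(self, imsi, sim):
        rand, sres, kc = self.batch[imsi].pop(0)   # each triplet is used once
        got = sim.respond(rand)
        self.air += [("VLR->MS", rand), ("MS->VLR", got)]
        return kc if hmac.compare_digest(got, sres) else None
    def register(self, sim, n=3):
        self.air.append(("MS->VLR", sim.imsi.encode()))   # IMSI in the clear
        self.batch[sim.imsi] = self.hlr.triplets(sim.imsi, n)
        kc = self._challenge(sim.imsi, sim)
        if kc is None:
            return None
        tmsi = secrets.token_bytes(4)
        self.tmsi[tmsi] = sim.imsi
        self.air.append(("VLR->MS", a5(kc, tmsi)))
        return self.air[-1][1]                     # enc_with_A5(Kc1, TMSI)
    def originate(self, tmsi, sim):
        self.air.append(("MS->VLR", tmsi))
        return self._challenge(self.tmsi[tmsi], sim)      # Kc_m, or None
```

Call `register(sim)`, decrypt the result with `a5(sim.kc, ...)` to obtain the TMSI, then call `originate(tmsi, sim)`; `vlr.air` then lists every message sent over the air in both flows.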
23
Authentication in Wireless Mobile Networks (cont.)
24
Authentication in Wireless Mobile Networks
25
Authentication in Wireless Mobile Networks (cont.)
26
Authentication in Wireless Mobile Networks (cont.)
• The main problems we suffer
– Impersonation Attack
• Attackers can impersonate either MS or FA to obtain secret information
– Personal Privacy Problem
• The identity of MS can be revealed to others
27
Authentication in Wireless Mobile Networks (cont.)
• The proposed scheme has the following characteristics
– Provide mutual authentication
• A mobile client and the communicating entities can be authenticated
– An established session key would not be revealed to either the uninvolved servers or others
– Diverting the most complicated operations to either the HLR or VLR
– The risk of compromising the secret information stored on HLR is reduced
– Ensure anonymity
– Ensure anonymity
28
Authentication in Wireless Mobile Networks (cont.)
• Initial phase
– Sh chooses a long-term private key xSh (YSh = xSh·G)
– Sh generates a unique master secret for an MS, where
– Sh also generates the self-verified items
– Eventually, Sh computes as the master delegation key
( , ) ( , ) mod ah
S h a h Uh x S h U S q aU
( || )aU hh S
( , ),aU ae h c U mod .
a a h aU U S Us x e q ( , )
a aU U Ua UaG x y
29
Authentication in Wireless Mobile Networks (cont.)
• It is worth noting that, if the secrets are generated by the home network for which the public key is YSh, an MS can verify the secrets successfully since
'
( )
( )
.
a a h a a h a
a h a
a h a h a
a a
U U S U U S U
U S U
U S U S U
U U
s G Y e s G x G e
s x e G
x e x e G
G
30
Authentication in Wireless Mobile Networks (cont.)
MS VLR HLR
choose $k_1 \in_R Z_q^*$, compute $k_1 G$
choose $k_2 \in_R Z_q^*$, compute $k_2 G$
Sh( || ) Y[ ( , ) || ], [ , , ],[( , )]vh u h a aa
k h s a v u uE h k ts E u ,s ts e s
ShY ( || ){[( , )] , [ , , ], ( , )}a a u ha
u u h s a ve s E u ,s ts h k ts
( || )[ , , ], [ , , , ]u h vha
h s kE N E EMK ts
1. use the private key to retrieve the master delegation key
2. verify both MS and VLR
3. generate an ephemeral master key EMK
final session key: h(k1k2G, Sv, ts)
],,[)||( NEhau sh
( ( || ) || || )a
N
u h vh h S S ts
31
Security Requirements
32
Performance Comparisons
34
Future works
• Cloud Computing
35
Thanks for your attention