Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture

Description: Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture. Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui. Presented by MSc. Ding Wang, November 11, Wuyishan. PowerPoint PPT presentation, 31 pages.

Transcript of Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture

Page 1

Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture

Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui

Presented by MSc. Ding Wang, November 11, Wuyishan

[email protected], Tel: 15104596985

Page 2

[Figure 1: 802.11i security framework]

Outline

- Introduction
- Review of Li et al.'s scheme
- Proposed attacks
- Two observations
- Conclusion

Page 3

Introduction

[Figure: User, attacker and Server connected over the Network]

Remote authentication: a mechanism to authenticate remote users over insecure communication networks.

Basic techniques:
(1) what a user knows, such as passwords, PINs;
(2) what a user has, such as smart cards, tokens;
(3) what a user is, such as fingerprints.

Page 4

Two-factor Authentication: Smart-card-based Password Authentication

Combine the first two techniques to obtain a secure and efficient scheme with desirable functionalities.

[Figure: User with a low entropy password, holding (ID, PW), authenticates to the Remote Server, which also holds (ID, PW)]

Page 5

A Practical Problem

The traditional two-factor authentication schemes are suitable for the single-server environment.

However, what will happen if there are multiple service servers?

[Figure: User with a low entropy password facing Server 1, Server 2, ..., Server j, each with its own pair (ID1, PW1), (ID2, PW2), ..., (IDj, PWj)]

The user has to remember multiple (ID, PW) pairs.

Page 6

Two-factor authentication for the multi-server environment

Advantages:
- register once
- remember one (ID, PW) pair
- access multiple service servers

Page 7

Challenges: powerful adversary

According to the common Dolev-Yao adversary model:
(1) he can eavesdrop, replay, fabricate, intercept and block any messages over the channel;
(2) what he cannot do is "crack" encrypted messages.

Due to side-channel attacks, smart cards should be assumed to be non-tamper resistant.

Collusion attacks are practical: malicious internal user + dishonest server.

Naive users: users tend to choose "weak passwords" (my phone number?).

We are the first to pay attention to this practical threat.

Page 8

A Challenge (continued)

Have to reconcile the following issues:
- Security: resistance to various passive and active attacks
- Functionalities (user friendliness)
- Performance

Page 9

What constitutes a practical scheme?

- No serious security vulnerabilities
- With desirable functionalities
- Efficient

Page 10

Trade-offs and Conflicts

[Figure: Security, Performance and Usability, with the examples: free password change, offline password guessing attack, timely wrong password detection]

Page 11

A history of "attack-and-improvement"

[Figure: timeline of smart-card-based password authentication schemes, 1993-2012, split into schemes under the tamper resistance assumption of the smart cards and schemes under the non-tamper resistance assumption of the smart cards]

Schemes shown in the figure: 1993 Chang-Wu (smart card); 2000 Hwang-Li (no verifier-table); 2002 Chen et al.; 2000 Sun (hash); 2004 Ku et al.; 2005 Lee et al.; 2004 Yoon et al.; 2007 Wang et al.; 2011 Sood; 2011 Chen et al.; 2011 Wang RC (ECC); 2012 Wu-Zhu; 2011 Pu Q; 2011 Li et al.; 2009 Hsiang; 2011 Kim-Choi; 2009 Wang; 2011 Khan; 2011 He et al.; 2012 Ma et al.; 2004 Das et al. (user anonymity); 2005 Chien-Chen; 2007 Hu et al.; 2009 Xu et al. (provable security); 2010 Song; 2010 Horng et al.; 2010 Yeh et al.; 2011 Roy; 2010 Wu et al.; 2012 Chen et al.; 2012 Wei et al.; 2009 Chung et al.; 2005 Yoon et al.; 2011 Li et al.; 2009 Kim-Chung; 2012 Wang-Ma; 2012 Wang et al.; 2012 Wang et al.; 2010 Tsai; 2012 Chen et al.; 2012 Wen-Li; 2012 Ma et al.; 2011 Fang et al.; 2012 Wang et al.; 2012 Zhu; 2003 Lin et al.; 2008 Lee et al. (DLP); 2009 Liao-Wang; 2011 Sood et al.; 2010 Shao-Chin (NSS 2010); 2011 Lee et al.; 2012 Li et al.; 2012 Li et al.; 2012 Xue et al.; 2005 Choi et al.; 2008 Tsai et al. (hash); 2009 Hsiang-Shih; 2012 Shao-Chin; 2010 Yeh-Lo; 2012 Tsai et al.

Page 12

A misunderstanding-prone concept: "Dynamic ID-based"

1. Shao, M. and Chin, Y.: A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment. IEICE Transactions on Information and Systems, Vol. E95-D, No. 1, 161-168 (2012) (an extended version of a paper presented at NSS 2010)

2. Li, X., Xiong, Y., Ma, J., Wang, W.: An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763-769 (2012)

It basically means that the user's identity is dynamically changed during the login process, and has nothing to do with the hot "ID-based Cryptography".

Page 13

Notations and abbreviations

Page 14

A demonstration of Li et al.’s scheme

Page 15

Review of Li et al.'s scheme

Li et al.'s scheme consists of:
- the registration phase
- the login phase
- the verification phase
- the password update phase

Page 16

Review of Li et al.'s scheme (1/4): Service server registration

[Figure: the Service Providing Server Sj chooses SIDj; the Control Server (CS) holds the master secret x and the secret number y]

Page 17

Review of Li et al.'s scheme (1/4): User registration

[Figure: the User chooses IDi, Pi and a random b, and computes Ai = h(b||Pi); the Control Server (CS) holds the master secret x and the secret number y]

Page 18

Review of Li et al.'s scheme (2/4): Login phase

[Figure: message flow among Ui, Sj and CS]

Page 19

Review of Li et al.'s scheme (3/4): Verification phase

[Figure: message flow among Ui, Sj and CS]

Only based on symmetric cryptographic primitives.

Page 20

Review of Li et al.'s scheme (4/4): Password Change phase

Supports local password update. We only focus on the login and verification phases, and omit this phase.

Page 21

Two vulnerabilities

- Offline password guessing attack: the most damaging threat to a password protocol
- User anonymity breach

Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763-769 (2012)

Which means the essential goal cannot be achieved.

Page 22

Security Flaws (1/2): Offline password guessing attack

[Figure: the adversary obtains {Di, Ei, b, h(y), h(.)} stored in Ui's smart card, together with the intercepted login messages]

Page 23

Security Flaws (2/2): User anonymity breach attack

[Figure: Sj colludes with Um against Ui]

Ei is kept static in all of Ui's login requests, and thus can be exploited to trace user activity.
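As an added illustration (not code from the paper or from Li et al.'s scheme), the traceability point above modelled in Python: a check that flags any login-request field that stays constant across one user's sessions, beside an assumed nonce-binding repair. The message layout, the use of SHA-256 for h(.), and the sample registration values are all constructed for this demonstration.

```python
import hashlib
import secrets
from collections import Counter

def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.); SHA-256 stands in for it here."""
    return hashlib.sha256(b"||".join(parts)).digest()

def static_login(Ei: bytes, Ai: bytes) -> dict:
    """Models the property attacked on this slide: Ei is sent unchanged in
    every login request, while the other fields change with a fresh nonce."""
    n = secrets.token_bytes(16)
    return {"CID": h(Ai, n), "Ei": Ei, "N": n}

def blinded_login(Ei: bytes, Ai: bytes) -> dict:
    """Assumed repair (not from the paper): bind Ei to the per-session nonce
    so that no field of the request is constant across sessions."""
    n = secrets.token_bytes(16)
    return {"CID": h(Ai, n), "E": h(Ei, n), "N": n}

def invariant_fields(requests: list) -> set:
    """Fields with the same value in every captured request of one user.
    Any such field is a persistent pseudonym that lets an observer (for
    instance a colluding server) trace the user's activity."""
    keys = set(requests[0]) if requests else set()
    return {k for k in keys if len({r[k] for r in requests}) == 1}

def trace_by_field(requests: list, field: str) -> Counter:
    """Group a mixed capture by the value of a static field: the counter
    tells the observer how many sessions each pseudonym ran."""
    return Counter(r[field] for r in requests)

def demo() -> tuple:
    # Constructed registration values for two users: Ei and Ai = h(b||Pi)
    # with made-up b and Pi (not real card contents).
    users = {u: (h(u, b"E"), h(b"rand_b", b"pw_" + u)) for u in (b"U_i", b"U_m")}
    static = [static_login(*users[b"U_i"]) for _ in range(3)]
    blinded = [blinded_login(*users[b"U_i"]) for _ in range(3)]
    mixed = static + [static_login(*users[b"U_m"]) for _ in range(2)]
    return invariant_fields(static), invariant_fields(blinded), trace_by_field(mixed, "Ei")

if __name__ == "__main__":
    leaked, fixed, trace = demo()
    print("static scheme leaks:", leaked)      # {'Ei'}
    print("blinded scheme leaks:", fixed)      # set()
    print("sessions per pseudonym:", dict(trace))
```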

Page 24

Lessons learned from the cryptanalysis

Two further observations:

1. Symmetric-key primitives alone (such as hash, symmetric encryption, MAC) are intrinsically inadequate to withstand the offline password guessing attack. (We managed to prove it in the following work: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. (2012). Submitted on Sep 7, 2012; last week it was accepted and made available online, DOI: 10.1002/dac.2468.)

2. In the multi-server environment, collusion attacks are major threats to user privacy. (Our new work: On the anonymity of two-factor authentication schemes.)

By following our two observations, more than 50% of this type of schemes can easily be found problematic.

Page 25

Break 50% of this type of schemes

[Figure: the timeline of page 11, repeated]


Page 26

Conclusion

- Our focus is on two-factor authentication for multi-server architecture.
- Two practical attacks are demonstrated on Li et al.'s scheme.
- Two observations are put forward. Remarkably, public-key techniques are indispensable to resist the offline password guessing attack.
- By following these two observations, more than 50% of existing schemes can easily be found problematic.

Page 27

THANK YOU & QUESTIONS

Page 28

Side-Channel Attack

Page 29

Various attacks

- Offline password guessing attack
- Smart card loss attack
- Stolen verifier attack
- User impersonation attack
- Server masquerading attack
- Replay attack
- Parallel session attack
- Denial of service attack
- Password disclosure to server (insider attack)
- Forward secrecy
- Key compromise impersonation attack
- Unknown key share attack
- ...

Page 30

Functionalities

- key agreement
- mutual authentication
- local password change
- user anonymity (initiator un-traceability)
- no verifier table
- support for weak passwords
- non-tamper resistant smart cards
- repairability

Page 31

Performance

- Computation complexity (a big hill): cryptographic operations are often computation-intensive, like modular exponentiation, modular inversion, pairing, ...
- Storage cost (not a big problem)
- Communication overhead (not a big problem)