Enhanced secure anonymous authentication scheme for roaming service in global mobility networks


Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Hyeran Mun, Kyusuk Han, Yan Sun Lee, Chan Yeob Yeun, Hyo Hyun Choi. Mathematical and Computer Modelling, Volume 55, Issues 1–2, January 2012, Pages 214–222. Citation: 3. Presenter: 林致良.


Citation: 3
Presenter: 林致良
Date: 2012/11/26


Outline

• Introduction
• Wu–Lee–Tsaur’s scheme
• Weaknesses of Wu–Lee–Tsaur’s scheme
• New enhancement for anonymous authentication scheme
• Analysis
• Conclusion


Introduction

• GLOMONET (global mobility network) provides a global roaming service that lets mobile users use the services provided by their home agent through a foreign agent.

• This brings many security problems, such as user privacy, to attention.


Introduction

You will see:

• Security weaknesses in Wu–Lee–Tsaur’s scheme, such as disclosing the legitimate user’s password and failing to achieve perfect forward secrecy.

• A novel scheme that also achieves mutual authentication and resistance to a man-in-the-middle attack.


Wu–Lee–Tsaur’s scheme

Wu–Lee–Tsaur’s authentication scheme consists of three phases:
1. Initial phase
2. First phase
3. Second phase


Wu–Lee–Tsaur’s scheme

Initial phase

PWMU = h(N ǁ IDMU)
rMU = h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU

where N is a secret random number that is kept by HA


Wu–Lee–Tsaur’s scheme

First phase

1. MU → FA: nMU, (h(IDMU) ǁ x0 ǁ x)L, IDHA, TMU
2. FA → HA: b, nMU, (h(IDMU) ǁ x0 ǁ x)L, TMU, CertFA, TFA, ESFA(h(b, nMU, (h(IDMU) ǁ x0 ǁ x)L, TMU, CertFA))
3. HA → FA: c, CertHA, THA, EPFA(h(h(N ǁ IDMU)) ǁ x0 ǁ x), ESHA(h(b, c, EPFA(h(h(N ǁ IDMU)) ǁ x0 ǁ x), CertHA))
4. FA → MU: (TCertMU ǁ h(x0 ǁ x))k

where
nMU = rMU ⊕ PWMU
L = h(TMU ⊕ PWMU)

• HA computes IDMU = h(N ǁ IDHA) ⊕ nMU ⊕ IDHA, then h’ = h(IDMU), and compares it with (h(IDMU) ǁ x0 ǁ x)L. If they match, MU can be authenticated.
• Session key: k = h(h(h(N ǁ IDMU)) ǁ x0 ǁ x)
• MU checks that h(x0 ǁ x) is equal to the original. If so, FA can be authenticated.


Wu–Lee–Tsaur’s scheme

Second phase (update session key)

• When MU accesses FA at the i-th session, MU requests FA to update the session key.

Step 1: MU → FA: TCertMU, (xi ǁ TCertMU)ki

The new i-th session key ki can be computed by using:
• an unexpired previous secret random number xi−1
• the fixed secret random number x

ki = h(h(h(N ǁ IDMU)) ǁ x ǁ xi−1), (i = 1, 2, 3, …, n).


Weaknesses of Wu–Lee–Tsaur’s scheme

Weakness 1: Failing to achieve anonymity

Weakness 2: Disclosure of the legitimate user’s password

Weakness 3: Failing to achieve perfect forward secrecy

Assume:
• A legitimate user and an attacker A are registered with the same HA.
• A is able to intercept all messages between FA and MU, because in a wireless environment anyone within range of a wireless device can overhear all packets it sends and receives.


Weaknesses of Wu–Lee–Tsaur’s scheme

1. Failing to achieve anonymity (Zeng et al.)

Step 1: A requests registration at HA and obtains h(.), IDHA, PWA = h(N ǁ IDA), and
rA = h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA.

Step 2: A can compute h(N ǁ IDHA) as follows:
rA ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA
= h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA
= h(N ǁ IDHA).

Step 3: A is able to intercept the messages nMU, (h(IDMU) ǁ x0 ǁ x)L, IDHA, and TMU.

Step 4: A can obtain IDMU by using nMU, IDHA, and h(N ǁ IDHA):
nMU ⊕ h(N ǁ IDHA) ⊕ IDHA
= h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU ⊕ h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ IDHA
= IDMU.

Here nMU = rMU ⊕ PWMU, and the derivation uses the XOR properties: if A ⊕ B = C then C ⊕ B = A, and A ⊕ A = 0.


Weaknesses of Wu–Lee–Tsaur’s scheme

2. Disclosure of the legitimate user’s password

A can obtain the legitimate user’s password PWMU. A can compute PWMU as follows:

(1) A can guess the composition of rMU by using rA: rMU has the same composition as rA, with IDMU in place of IDA, that is, h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU.

(2) A can compute the legitimate user MU’s password PWMU by using the intercepted nMU and the guessed rMU:
nMU ⊕ rMU
= h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ IDHA ⊕ IDMU ⊕ h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU
= h(N ǁ IDMU) = PWMU,
where the last four terms of the expansion are rMU.


Weaknesses of Wu–Lee–Tsaur’s scheme

2. Disclosure of the legitimate user’s password

Question: How can A guess the composition of rMU by using rA?

rA = h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA

rMU = h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU


Weaknesses of Wu–Lee–Tsaur’s scheme

3. Perfect forward secrecy


New enhancement for anonymous authentication scheme

The proposed scheme consists of three phases:
1. Registration
2. Authentication and establishment of session key
3. Update session key


New enhancement for anonymous authentication scheme

First phase: registration

1. MU → HA: NMU, IDMU
2. HA: Generate NHA
   Compute PWMU = h(NMU ǁ NHA)
   Compute rMU = h(IDMU ǁ PWMU) ⊕ IDHA
3. HA → MU: rMU, IDHA, NHA, PWMU, h(.)


New enhancement for anonymous authentication scheme

Second phase: Authentication and establishment of session key

Recall that PWMU = h(NMU ǁ NHA) and rMU = h(IDMU ǁ PWMU) ⊕ IDHA.

1. MU → FA: IDHA, NHA, rMU
2. FA: Generate NFA
3. FA → HA: IDFA, NFA, rMU
4. HA: Compare rMU with r’MU = h(IDMU ǁ PWMU) ⊕ IDHA (Authenticate MU)
   Compute PHA = h(PWMU ǁ NFA)
   Compute SHA = h(IDFA ǁ NFA) ⊕ rMU ⊕ PHA
5. HA → FA: SHA, PFA
6. FA: Verify SHA
   (i) Compute S’HA = h(IDFA ǁ NFA) ⊕ rMU ⊕ PHA
   (ii) Compare SHA with S’HA
   Compute SFA = h(SHA ǁ NFA ǁ NHA) and aP
7. FA → MU: SFA, aP, PFA = (SHA ǁ IDFA ǁ NFA)
8. MU: Verify SFA (Authenticate HA and FA)
   1. S’HA = h(IDFA ǁ NFA) ⊕ rMU ⊕ h(PWMU ǁ NFA)
   2. Compare SFA with S’FA = h(SHA ǁ NFA ǁ NHA)
   Compute bP, KMF = h(abP), SMF = fKMF(NFA ǁ bP)
9. MU → FA: bP, SMF
10. FA: Compute KMF = h(abP)
    Verify SMF (Authenticate MU)
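The hash checks of steps 4 to 8 can be traced in code. The following is an added example, not code from the paper or the slides; it assumes SHA-256 for h(.), constructed 32-byte identities and nonces, and that HA looks up the user record by rMU (the slides do not say how HA finds IDMU and PWMU). The ECDH values aP and bP are left out.

```python
import hashlib, hmac, secrets

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()   # h(.) as SHA-256 (assumption)

def xor(*vals: bytes) -> bytes:
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def ident(name: str) -> bytes:
    return name.encode().ljust(32, b"\0")             # constructed 32-byte identity

class HomeAgent:
    def __init__(self, name: str):
        self.id = ident(name)
        self.users = {}        # r_MU -> (ID_MU, PW_MU); lookup by r_MU is an assumption

    def register(self, id_mu: bytes, n_mu: bytes):
        n_ha = secrets.token_bytes(32)
        pw = h(n_mu, n_ha)                            # PW_MU = h(N_MU || N_HA)
        r_mu = xor(h(id_mu, pw), self.id)             # r_MU = h(ID_MU || PW_MU) ^ ID_HA
        self.users[r_mu] = (id_mu, pw)
        return r_mu, n_ha, pw

    def respond(self, id_fa: bytes, n_fa: bytes, r_mu: bytes):
        rec = self.users.get(r_mu)                    # step 4: authenticate MU
        if rec is None or not hmac.compare_digest(xor(h(*rec), self.id), r_mu):
            return None
        p_ha = h(rec[1], n_fa)                        # P_HA = h(PW_MU || N_FA)
        return xor(h(id_fa, n_fa), r_mu, p_ha)        # S_HA

def fa_tag(s_ha: bytes, n_fa: bytes, n_ha: bytes) -> bytes:
    return h(s_ha, n_fa, n_ha)                        # S_FA = h(S_HA || N_FA || N_HA)

def mu_verify(s_fa, id_fa, n_fa, n_ha, r_mu, pw) -> bool:
    s_ha = xor(h(id_fa, n_fa), r_mu, h(pw, n_fa))     # step 8: recompute S'_HA
    return hmac.compare_digest(s_fa, h(s_ha, n_fa, n_ha))

def demo():
    ha, id_fa = HomeAgent("HA-1"), ident("FA-7")
    r_mu, n_ha, pw = ha.register(ident("alice"), secrets.token_bytes(32))
    n_fa = secrets.token_bytes(32)
    s_fa = fa_tag(ha.respond(id_fa, n_fa, r_mu), n_fa, n_ha)
    genuine = mu_verify(s_fa, id_fa, n_fa, n_ha, r_mu, pw)
    # A responder that does not hold PW_MU cannot produce a matching S_HA.
    fake_s_ha = xor(h(id_fa, n_fa), r_mu, h(secrets.token_bytes(32), n_fa))
    forged = mu_verify(fa_tag(fake_s_ha, n_fa, n_ha), id_fa, n_fa, n_ha, r_mu, pw)
    unknown = ha.respond(id_fa, n_fa, secrets.token_bytes(32))
    return genuine, forged, unknown
```

demo() returns whether MU accepts the genuine reply, whether it accepts a reply built without PWMU, and what HA returns for an rMU it never issued.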


New enhancement for anonymous authentication scheme

Third phase: update session key KMFi (i = 1, 2, 3, …, n)

1. MU: Select bi, compute biP
   MU → FA: biP
2. FA: Select ai, compute aiP
   New session key: h(aibiP)
   SMFi = fKMFi(aibiP ǁ ai−1bi−1P)
3. FA → MU: aiP, SMFi
4. MU: Compute KMFi = h(abP)
   Compare S’MFi = fKMFi(aibiP ǁ ai−1bi−1P) with SMFi


Security Analysis

• Achieve anonymity: FA receives rMU = h(IDMU ǁ PWMU) ⊕ IDHA instead of IDMU. Thus, FA has no way of guessing IDMU without PWMU = h(NMU ǁ NHA) and IDHA.

• Provide perfect forward secrecy.

• Prevent disclosure of the legitimate user’s password: to obtain the user’s password, an attacker would have to know the two nonces NMU and NHA (rMU = h(IDMU ǁ PWMU) ⊕ IDHA, PHA = h(PWMU ǁ NFA) and SFA = h(SHA ǁ NFA ǁ NHA)).

• Prevent replay attack: the scheme can resist a replay attack by using nonces.

• Provide mutual authentication between MU and HA.

• Provide mutual authentication between MU and FA.
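The anonymity claim can be checked against weakness 1 of Wu–Lee–Tsaur’s scheme. The following is an added example, not code from the paper or the slides; it assumes SHA-256 for h(.) and constructed 32-byte identities, and applies the registered insider's XOR steps to both registrations.

```python
import hashlib, secrets

def h(*parts: bytes) -> bytes:
    # h(.) modelled as SHA-256 over the concatenation (assumption).
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def ident(name: str) -> bytes:
    # Constructed 32-byte identity so it can be XORed with hash outputs.
    return name.encode().ljust(32, b"\0")

N = secrets.token_bytes(32)          # secret N, known only to HA
ID_HA, ID_MU, ID_A = ident("HA-1"), ident("alice"), ident("insider")

def old_register(id_user: bytes):
    # Wu-Lee-Tsaur initial phase: PW = h(N||ID), r = h(N||ID_HA) ^ PW ^ ID_HA ^ ID
    pw = h(N, id_user)
    return pw, xor(h(N, ID_HA), pw, ID_HA, id_user)

def old_first_message(pw: bytes, r: bytes) -> bytes:
    # n_MU = r_MU ^ PW_MU: PW cancels, leaving h(N||ID_HA) ^ ID_HA ^ ID_MU.
    return xor(r, pw)

def insider_view_old(pw_a: bytes, r_a: bytes, n_mu: bytes) -> bytes:
    # Steps 2 and 4 of the slide: strip the HA-wide mask from n_MU.
    h_n_idha = xor(r_a, pw_a, ID_HA, ID_A)
    return xor(n_mu, h_n_idha, ID_HA)

def new_register(id_user: bytes):
    # Enhanced scheme: PW = h(N_MU || N_HA), r = h(ID || PW) ^ ID_HA
    pw = h(secrets.token_bytes(32), secrets.token_bytes(32))
    return pw, xor(h(id_user, pw), ID_HA)

def insider_view_new(r_mu: bytes) -> bytes:
    # Removing the known ID_HA leaves only h(ID_MU || PW_MU).
    return xor(r_mu, ID_HA)

def demo():
    pw_mu, r_mu = old_register(ID_MU)
    pw_a, r_a = old_register(ID_A)
    leaked = insider_view_old(pw_a, r_a, old_first_message(pw_mu, r_mu))
    pw_new, r_new = new_register(ID_MU)
    masked = insider_view_new(r_new)
    return leaked == ID_MU, masked == ID_MU, masked == h(ID_MU, pw_new)
```

demo() reports that the old first message yields IDMU to the insider, while the same stripping applied to the new rMU yields only h(IDMU ǁ PWMU).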


Performance analysis

No need for time synchronization: the previous scheme uses timestamps to resist a replay attack.

Use Elliptic Curve Diffie–Hellman (ECDH): the new scheme uses ECDH instead of a public key cryptosystem with certificates, to reduce communication overhead.


Conclusion

• There are security weaknesses in Wu–Lee–Tsaur’s scheme, such as failing to provide anonymity, disclosing the user’s password, and failing to achieve perfect forward secrecy.

• This paper proposes a novel enhanced scheme that uses Elliptic Curve Diffie–Hellman (ECDH).

• This scheme is efficient, provides mutual authentication, and resists the man-in-the-middle attack.