Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture
1
Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture
Ding Wang, Chunguang Ma, Deli Gu, Zhenshan Cui
Presented by MSc. Ding Wang, November 11, Wuyishan
2
[Figure 1: 802.11i security framework]
Outline
Introduction
Review of Li et al.'s scheme
Proposed attacks
Two observations
Conclusion
3
Introduction
[Figure: a user and a server communicate over a network, with an attacker sitting on the channel]
Remote authentication: a mechanism to authenticate remote users over insecure communication networks.
Basic techniques:
(1) what a user knows, such as passwords, PINs;
(2) what a user has, such as smart cards, tokens;
(3) what a user is, such as fingerprints.
4
Two-factor Authentication: Smart-card-based Password Authentication
Combine the first two techniques to obtain a secure and efficient scheme with desirable functionalities.
[Figure: a user with a low-entropy password registers the pair (ID, PW) with the remote server]
5
A Practical Problem
The traditional two-factor authentication schemes are suitable for the single-server environment.
However, what will happen if there are multiple service servers?
[Figure: a user with a low-entropy password faces Server 1, Server 2, ..., Server j, each requiring its own pair (ID1, PW1), (ID2, PW2), ..., (IDj, PWj)]
The user has to remember multiple (ID, PW) pairs.
6
Two-factor authentication for the multi-server environment
Advantages:
register once
remember one (ID, PW) pair
access multiple service servers
7
Challenges: a powerful adversary
According to the common Dolev-Yao adversary model, (1) the adversary can eavesdrop on, replay, fabricate, intercept and block any message over the channel; (2) what he cannot do is "crack" encrypted messages.
Due to side-channel attacks, smart cards should be assumed to be non-tamper-resistant.
Collusion attacks are practical: a malicious internal user plus a dishonest server.
Naive users: users tend to choose "weak passwords".
my phone number?
We are the first to pay attention to this practical threat.
8
A Challenge (continued)
We have to reconcile the following issues:
Security: resistance to various passive and active attacks
Functionalities: user friendliness
Performance
9
What constitutes a practical scheme ?
No serious security vulnerabilities
With desirable functionalities
Efficient
10
Trade-offs and Conflicts
[Figure: trade-off triangle among Security, Performance and Usability; free password change and timely wrong-password detection pull against resistance to the offline password guessing attack]
11
[Timeline figure: a history of "attack-and-improvement", running from 1993 Chang-Wu (smart card) and 2000 Hwang-Li (no verifier table) through 2012, with annotated landmarks such as 2000 Sun (hash), 2004 Das et al. (user anonymity), 2008 Lee et al. (DLP), 2008 Tsai et al. (hash), 2009 Xu et al. (provable security), 2010 Shao-Chin (NSS 2010) and 2011 Wang RC (ECC). The schemes are grouped into those under the tamper-resistance assumption of the smart cards and those under the non-tamper-resistance assumption of the smart cards.]
12
A misunderstanding-prone concept
"Dynamic ID-based"
1. Shao, M. and Chin, Y.: A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment. IEICE Transactions on Information and Systems, Vol. E95-D, No. 1, 161-168 (2012) (an extended version of a paper presented at NSS 2010)
2. Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763-769 (2012)
It basically means that the user's identity is dynamically changed during the login process; it has nothing to do with the hot topic of "ID-based cryptography".
13
Notations and abbreviations
14
A demonstration of Li et al.’s scheme
15
Review of Li et al.’s scheme
Li et al.'s scheme consists of four phases: the registration phase, the login phase, the verification phase and the password update phase.
16
Review of Li et al.'s scheme (1/4): Service server registration
[Figure: the service-providing server Sj chooses its identity SIDj; the control server (CS) holds the master secret x and the secret number y]
17
Review of Li et al.'s scheme (1/4): User registration
[Figure: the user chooses IDi and Pi, chooses a random b, and computes Ai = h(b||Pi); the control server (CS) holds the master secret x and the secret number y]
18
Review of Li et al.'s scheme (2/4): Login phase
[Figure: message flow among Ui, Sj and CS]
19
Review of Li et al.'s scheme (3/4): Verification phase
[Figure: message flow among Ui, Sj and CS]
The scheme is based only on symmetric cryptographic primitives.
20
Review of Li et al.'s scheme (4/4): Password change phase
Local password update is supported. We only focus on the login and verification phases and omit this phase.
21
Two vulnerabilities
Offline password guessing attack: the most damaging threat to a password protocol.
User anonymity breach: this means the essential goal cannot be achieved.
Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763-769 (2012)
22
Security Flaws (1/2): Offline password guessing attack
The attacker obtains {Di, Ei, b, h(y), h(.)} stored in Ui's smart card, together with intercepted messages.
23
Security Flaws (2/2): User anonymity breach attack
[Figure: Sj colludes with Um against Ui]
Ei is kept static in all of Ui's login requests, and thus can be exploited to trace user activity.
24
Lessons learned from the cryptanalysis
Two further observations
(1) Schemes built only on symmetric-key primitives (such as hash functions, symmetric encryption, MAC) are intrinsically inadequate to withstand the offline password guessing attack. (We managed to prove this in the following work: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. (2012), submitted on Sep 7, 2012. Last week it was accepted and published online, DOI: 10.1002/dac.2468.)
(2) In the multi-server environment, collusion attacks are major threats to user privacy. (Our new work: On the anonymity of two-factor authentication schemes.)
By following our two observations, more than 50% of the schemes of this type can easily be found problematic.
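The anonymity breach above (a card value Ei sent unchanged in every login request) and the collusion observation both reduce to the same check: does any field of the login message repeat across sessions? The following Python is an added example, not code from the slides or from Li et al.'s scheme; the message format, the hash h(.), the card values and the captured transcript are all constructed here to show how an analyst would flag such a linkability handle.

```python
import hashlib
from collections import defaultdict


def h(*parts: bytes) -> str:
    """One-way hash h(.) of the scheme, modelled here as SHA-256 over '||'-joined inputs."""
    return hashlib.sha256(b"||".join(parts)).hexdigest()


def login_request(e_i: str, a_i: str, nonce: bytes) -> dict:
    """Toy dynamic-ID login message (constructed, not Li et al.'s exact format).
    The dynamic identity CID changes with every nonce, but E is sent exactly as
    stored on the card, which is the static-value flaw the cryptanalysis exploits."""
    return {"CID": h(a_i.encode(), nonce), "N": nonce.hex(), "E": e_i}


def linkable_fields(messages: list) -> dict:
    """Map each field to {value: [message indices]} for values that recur.
    A recurring value is a handle that lets an eavesdropper, or a colluding
    server, link separate sessions to the same (supposedly anonymous) user."""
    seen = defaultdict(lambda: defaultdict(list))
    for idx, msg in enumerate(messages):
        for field, value in msg.items():
            seen[field][value].append(idx)
    return {f: {v: ix for v, ix in vals.items() if len(ix) > 1}
            for f, vals in seen.items()
            if any(len(ix) > 1 for ix in vals.values())}


# Constructed transcript: Ui logs in three times and Um twice, each with a fresh nonce.
# A card holds a static E and the registration value A = h(b||P) from the slides.
CARD_Ui = {"E": h(b"user-i", b"card-secret-i"), "A": h(b"b_i", b"P_i")}
CARD_Um = {"E": h(b"user-m", b"card-secret-m"), "A": h(b"b_m", b"P_m")}
TRANSCRIPT = [
    login_request(CARD_Ui["E"], CARD_Ui["A"], b"\x01"),
    login_request(CARD_Um["E"], CARD_Um["A"], b"\x02"),
    login_request(CARD_Ui["E"], CARD_Ui["A"], b"\x03"),
    login_request(CARD_Ui["E"], CARD_Ui["A"], b"\x04"),
    login_request(CARD_Um["E"], CARD_Um["A"], b"\x05"),
]


def trace_report(messages: list = TRANSCRIPT) -> dict:
    """Return {field: list of session groups} that can be traced to one user."""
    return {f: sorted(vals.values()) for f, vals in linkable_fields(messages).items()}


if __name__ == "__main__":
    print(trace_report())  # E links sessions [0, 2, 3] and [1, 4]; CID and N do not
```

Running the same check over a scheme whose every transmitted value is freshened per session returns an empty report, which is the property a dynamic-ID scheme must actually deliver.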
25
Breaking 50% of the schemes of this type (the "attack-and-improvement" timeline figure above is repeated here)
26
Conclusion
Our focus is on two-factor authentication for the multi-server architecture.
Two practical attacks are demonstrated on Li et al.'s scheme.
Two observations are put forward. Remarkably, public-key techniques are indispensable to resist the offline password guessing attack.
By following these two observations, more than 50% of existing schemes can easily be found problematic.
27
THANK YOU & QUESTIONS
28
Side-Channel Attack
29
Various attacks:
Offline password guessing attack
Smart card loss attack
Stolen verifier attack
User impersonation attack
Server masquerading attack
Replay attack
Parallel session attack
Denial of service attack
Password disclosure to server (insider attack)
Forward secrecy
Key compromise impersonation attack
Unknown key share attack
...
30
Functionalities
key agreement
mutual authentication
local password change
user anonymity (initiator untraceability)
no verifier table
support for weak passwords
non-tamper-resistant smart cards
repairability
31
Performance
Computation complexity (a big hill): cryptographic operations are often computation-intensive, like modular exponentiation, modular inversion, pairing, ...
Storage cost (not a big problem)
Communication overhead (not a big problem)