
A new key authentication scheme based on discrete logarithms ☆

Cheng-Chi Lee a, Min-Shiang Hwang b,*, Li-Hua Li b

a Department of Computer and Information Science, National Chiao-Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, ROC
b Department of Information Management, Chaoyang University of Technology, 168 Gifeng E. Rd., Wufeng, Taichung County 413, Taiwan, ROC

Abstract

In this article, we propose a new public key authentication scheme for cryptosystems with a trusted server. The scheme is based on discrete logarithms. In the scheme, the certificate of the public key is a combination of the user's password and private key. The scheme not only resolves the problems that appeared in earlier schemes but is also secure as a public-key authentication scheme.

© 2002 Elsevier Science Inc. All rights reserved.

Keywords: Key authentication; Public key; Certificate; Password

1. Introduction

There are two commonly used types of cryptosystem in cryptography [17]: secret-key and public-key cryptosystems. In a secret-key cryptosystem, two people mutually agree on a cryptosystem and a secret key. The agreed key must be distributed in secret. If one person wants to transmit messages to the other, the mutually recognized secret key is used to encrypt and decrypt messages. In a public-key cryptosystem, however, two people mutually agree on a cryptosystem and generate a pair of different keys, the encryption and decryption keys, also called the public key and private key. The public key of each user is opened and can be accessed in the public-key directory. If a user wants to transmit messages to another, the sender uses the public key of the receiver, accessed from the public-key directory, to encrypt the messages. When the receiver receives the encrypted messages, he/she uses the private key to decrypt them.

☆ This research was partially supported by the National Science Council, Taiwan, ROC, under contract no. NSC90-2213-E-324-004.

* Corresponding author. E-mail addresses: [email protected], [email protected] (M.-S. Hwang).

0096-3003/02/$ - see front matter © 2002 Elsevier Science Inc. All rights reserved. PII: S0096-3003(02)00192-3

A possible danger in a public-key cryptosystem is worth noticing: an intruder can revise the public key in the public-key directory and substitute the public key of a target user. In this way, the intruder can impersonate this target user by means of the public key and, hence, raise the security threat of fabrication. The purpose of key authentication is to verify the public key of a legal user and to prevent a forged public key. In the past, many schemes have been proposed to achieve the authentication goal, such as ID-based schemes [18], certificate-based schemes [12,19], and the self-certified public-key scheme [3]. These schemes all require one or more authorities as a trusted center or third party for ratification.

In 1996, Horng and Yang [4] proposed a key authentication scheme, the HY-scheme, that uses a server as an authority. In the HY-scheme, the certificate is a combination of the user's password from a particular server and the private key of the user. The server has a secure password or verification table that stores each user's hashed password f(PWD), where PWD is the password of the user and f(·) is a one-way function. Hence, the server cannot derive or know the PWD of the user, because a one-way function cannot be inverted [1,15].

Three years later, Zhan et al. [20] pointed out that the HY-scheme cannot withstand the guessing attack [13]. An improved scheme, the ZLYH-scheme [20], was therefore proposed. In their scheme, an intruder cannot use a guessing attack to obtain the password and forge a user's public key. However, the ZLYH-scheme does not achieve non-repudiation of the user's public key. We will explain this in Section 4.

To prevent this problem, we propose a new key authentication scheme which is based on the ZLYH-scheme but enhanced with the discrete logarithm technique [2,14]. Our scheme achieves not only a highly secure process but also non-repudiation of the user's public key. In addition, our scheme also uses a server as an authority, the same as in the HY-scheme and ZLYH-scheme. The server also has a secure password or verification table, again the same as in the HY-scheme and ZLYH-scheme. In addition, our scheme has a public password table to store each user's hashed password f(PWD + r), where PWD is the password of the user, r is a random number generated by each user, and f(·) is a one-way function. We will explain this in Section 3.

The rest of the paper is organized as follows. In the next section, we give a brief review of the password authentication system (PAS). In Section 3, a new key authentication scheme based on discrete logarithms is presented. In Section 4, we discuss the security of our scheme. Finally, conclusions are given in Section 5.

2. Summary of password authentication system

PAS has become popular in our society. The purpose of this system is to authenticate a legal user and to prevent any intrusion by illegal users. In general, each user in a PAS has a pair of values (ID, PWD), where ID is the user's identity and PWD is his/her password, which is used to log in to the system. When a user wants to access a resource of the system, he/she enters his/her (ID, PWD) to acquire admission. Once the system receives this, it checks whether (ID, PWD) is registered and legal. If it is legal, the user enters the system; otherwise, the user is rejected. The implementation of this process is that the system keeps a password table of the (ID, PWD) pairs of all the users. However, this method brings out a problem: once an ill-minded user gains access to the password table, he/she can obviously endanger the whole system [5–8].

To overcome this problem, Purdy [16] proposed a solution which utilizes a one-way function [2] to hide the original password and makes the information stored in the table difficult to recover, and, hence, protects the system from the intruder. An example of a password table is shown in Table 1.

3. A new key authentication scheme

In [4], Horng and Yang proposed a key authentication scheme, the HY-scheme, which is based on a password table and therefore needs a trusted server. However, the HY-scheme cannot withstand the guessing attack [13]. To prevent this, an improved scheme [20], the ZLYH-scheme, was proposed by Zhan et al. They only added a long random number to resist the guessing attack. However, the ZLYH-scheme does not achieve non-repudiation. We will explain this in Section 4. In this paper, we propose a new key authentication scheme that provides non-repudiation. Our scheme is based on the discrete logarithm. Our scheme also uses a trusted server as an authority.

Table 1
An example of a password table

User   Identity   Password
U1     ID1        f(PWD1)
U2     ID2        f(PWD2)
...    ...        ...
Un     IDn        f(PWDn)

The user of the system has Prv as his/her private key and PWD as his/her password. The public key Pub of the user is

$$Pub = g^{Prv} \bmod p, \qquad (1)$$

where p is a large prime, g is a generator of Z_p^*, and Prv is the user's private key. The p, g and one-way function f are public parameters. We assume that the one-way function f is

$$f(x) = g^{x} \bmod p. \qquad (2)$$

In the user's registration phase, the certificate of the public key of the user is generated by the user with his/her password and private key. Each user chooses a random number r in Z_p^* such that the greatest common divisor of (PWD + r) and Prv, denoted gcd((PWD + r), Prv), is equal to 1, and then calculates f(PWD + r). When gcd((PWD + r), Prv) = 1, we can find two integers a and b such that the following equation holds [17]:

$$a(PWD + r) + b \cdot Prv = 1. \qquad (3)$$

The user then sends f(PWD + r), R = g^r mod p, a, and b to the server secretly. f(PWD + r), a, and b are stored in the public password table in the server. The public password table cannot be modified or forged by an attacker, because the server can use access control techniques to protect it [9–11]. The server then verifies whether f(PWD + r) = f(PWD) · R mod p and whether f(PWD + r)^a · Pub^b = g mod p. If both equations hold, the server accepts that f(PWD + r), a, and b were sent by the legal user. The certificate C of the user's public key is as follows:

$$C = (PWD + r) \cdot f(PWD + r) + Prv \bmod (p - 1). \qquad (4)$$

The certificate C and public key Pub of the user are published in the network. The f(PWD + r), a, and b are published in the server, protected by the server using access control.

In the key authentication phase, when someone wants to communicate with a user, the sender first obtains C, Pub, a, b, and f(PWD + r) of the receiver from the public directory in the network and the public password table in the server, and then checks the certificate C of the public key of the receiver by computing the following equation:

$$\begin{aligned} f(C) &= f(PWD + r)^{aC} \cdot Pub^{bC} \bmod p \\ &= g^{a(PWD + r)C} \cdot g^{b \cdot Prv \cdot C} \bmod p \\ &= g^{a(PWD + r)C + b \cdot Prv \cdot C} \bmod p. \end{aligned} \qquad (5)$$

By Eq. (3), a(PWD + r) + b · Prv = 1, so the exponent on the last line is congruent to C modulo p − 1 and the right-hand side equals g^C mod p = f(C). If the above equation holds, the sender accepts the public key Pub of the receiver to encrypt the transmitted message; otherwise, the sender rejects the Pub of the receiver.
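The registration and key authentication phases of Section 3, worked through in Python as an added example (this is not code from the paper). It uses a toy prime, a constructed password, private key and random number r so that every step can be checked by hand; a real deployment needs a large prime and the very long r the paper requires. The function names, the dictionary carrying the user's registration message, and the choice to reduce a and b modulo p − 1 are my own assumptions.

```python
# Toy, added implementation of the registration and key authentication
# phases of the Lee-Hwang-Li scheme (Section 3). Not the paper's code.
from math import gcd
import secrets

P = 1019  # toy safe prime p = 2*509 + 1 (constructed; far too small for real use)
G = 2     # generator of Z_p^*: 1019 = 3 mod 8, so 2 is a quadratic non-residue


def f(x, p=P, g=G):
    """Eq. (2): the public one-way function f(x) = g^x mod p."""
    return pow(g, x, p)


def public_key(prv, p=P, g=G):
    """Eq. (1): Pub = g^Prv mod p."""
    return pow(g, prv, p)


def egcd(x, y):
    """Extended Euclid: returns (d, a, b) with a*x + b*y = d = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    d, a1, b1 = egcd(y, x % y)
    return d, b1, a1 - (x // y) * b1


def register(pwd, prv, r=None, p=P, g=G):
    """User side of the registration phase.

    Chooses r with gcd(PWD + r, Prv) = 1, solves Eq. (3) for (a, b), and
    returns the values sent to the server plus the public certificate C of
    Eq. (4). a and b are reduced modulo p - 1 because they are only ever used
    as exponents modulo p (an implementation choice, not the paper's wording).
    """
    if r is None:
        r = secrets.randbelow(p - 2) + 1
        while gcd(pwd + r, prv) != 1:
            r = secrets.randbelow(p - 2) + 1
    elif gcd(pwd + r, prv) != 1:
        raise ValueError("gcd(PWD + r, Prv) must equal 1")
    s = pwd + r
    d, a, b = egcd(s, prv)          # a*s + b*prv == 1 over the integers
    assert d == 1 and a * s + b * prv == 1
    a, b = a % (p - 1), b % (p - 1)
    fs = f(s, p, g)                 # f(PWD + r)
    R = pow(g, r, p)                # R = g^r mod p
    C = (s * fs + prv) % (p - 1)    # Eq. (4)
    return {"f_pwd_r": fs, "R": R, "a": a, "b": b, "C": C}


def server_check(f_pwd, pub, msg, p=P, g=G):
    """Server side of registration.

    f_pwd is f(PWD) from the server's verification table. The server checks
    f(PWD + r) == f(PWD) * R mod p and f(PWD + r)^a * Pub^b == g mod p before
    storing (f(PWD + r), a, b) in the access-controlled public password table.
    """
    fs, R, a, b = msg["f_pwd_r"], msg["R"], msg["a"], msg["b"]
    linked_to_password = fs == (f_pwd * R) % p
    bezout_in_exponent = (pow(fs, a, p) * pow(pub, b, p)) % p == g % p
    return linked_to_password and bezout_in_exponent


def verify_certificate(C, pub, fs, a, b, p=P, g=G):
    """Key authentication phase, Eq. (5).

    The sender fetches C and Pub from the public directory and f(PWD + r), a, b
    from the server's table, then checks f(C) == f(PWD+r)^(aC) * Pub^(bC) mod p.
    """
    lhs = f(C, p, g)
    rhs = (pow(fs, (a * C) % (p - 1), p) * pow(pub, (b * C) % (p - 1), p)) % p
    return lhs == rhs


if __name__ == "__main__":
    PWD, PRV = 123, 77                     # constructed toy password and private key
    pub = public_key(PRV)
    msg = register(PWD, PRV, r=200)        # r fixed here so the run is reproducible
    print("server accepts registration:", server_check(f(PWD), pub, msg))
    print("certificate verifies:",
          verify_certificate(msg["C"], pub, msg["f_pwd_r"], msg["a"], msg["b"]))
```

With PWD = 123, Prv = 77 and r = 200, Eq. (3) gives a = 36 and b = −151 (stored as 867 mod 1018), and the server's two checks and Eq. (5) all hold; substituting a different public key while the server still holds the genuine a and b makes Eq. (5) fail, which is the check the sender relies on.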

4. Security analysis

Our scheme provides verification of a user's public key. Preventing the impersonation of a public key is managed through the difficulty of computing discrete logarithms. If an intruder attempts to forge a user's public key, he/she must obtain the user's PWD and r. In our scheme, the forger can only determine f(PWD + r), and he/she cannot modify or forge it because it is protected by the server using access control [9–11]. If the intruder attempts to forge the user's public key, he/she will be required to solve the discrete logarithm problem from Eq. (5).

In general, an intruder may try to use a guessing attack to obtain the PWD and r of the user. However, it is difficult to guess the PWD and r simultaneously, because r is a very long random number. Since the intruder cannot obtain the PWD and r of the user, he/she cannot forge the user's public key. In order to forge someone's public key, an intruder must substitute Pub' for the user's public key and calculate C' for the user's public-key certificate. He/she must compute the equation

$$f(C') = f(PWD + r)^{aC'} \cdot Pub'^{\,bC'} \bmod p \qquad (6)$$

or

$$C' = f^{-1}(f(PWD + r)) \cdot f(PWD + r) + f^{-1}(Pub') \bmod (p - 1). \qquad (7)$$

It is difficult to generate the pair (C', Pub') such that Eqs. (6) and (7) hold unless the intruder can solve the discrete logarithm problem [2,14]. Here, an intruder can only access the public directory in the network. Therefore, he/she can substitute Pub' and C'. However, he/she cannot access f(PWD + r), a, and b, because those are protected by the server using access control [9–11]. Another impossible attack is that an attacker may try to derive PWD or Prv from Eq. (3). However, this attack cannot work, because the attacker does not know r and he/she must guess the two values PWD and Prv simultaneously. Although the attacker knows a and b from the public password table, he/she still cannot derive (PWD + r) and Prv from Eq. (3), because Eq. (3) has too many combinations. For example, let a = 3 and b = 2; the combinations ((PWD + r), Prv) are {(1, −1), (3, −4), (5, −7), …}. Hence, the attacker does not know which combination is right. Furthermore, (PWD + r) is protected by the one-way function f(·): no one can derive (PWD + r) from f(PWD + r).

Our scheme does not have the two weaknesses that appeared in the HY- and ZLYH-schemes.

(1) In the HY-scheme [4], an intruder can guess the user's PWD using the guessing attack [13]. Then he/she can obtain the user's private key. Henceforward, the intruder can forge the user's public key. In our scheme, if an intruder attempts to forge the user's public key, he/she must simultaneously guess r and PWD. This is difficult because r is a very long random number. Therefore, an intruder cannot use the guessing attack in our scheme to forge the user's public key.

(2) The ZLYH-scheme [20] does not achieve non-repudiation of the user's public key. In order to explain why their scheme does not achieve non-repudiation, we briefly introduce the ZLYH-scheme first. The ZLYH-scheme is similar to our scheme except that Eqs. (3)–(5) are different. In the ZLYH-scheme, the certificate C of the user's public key is

$$C = PWD + Prv + r \bmod (p - 1), \qquad (8)$$

and the verification of the public-key certificate C is

$$f(C) = f(PWD + r) \cdot Pub \bmod p. \qquad (9)$$

If the above equation holds, the sender accepts the public key Pub; otherwise, the sender rejects the public key.

We consider a case in which a dishonest legal user, who has a public–private key pair (Pub, Prv), uses his/her private key Prv to generate his/her signature for a document. Anyone can verify that signature using the signer's public key Pub. However, the dishonest user can deny the signature later. Since the signer knows his/her f(PWD + r), he/she can choose a C' and derive Pub' using

$$Pub' = \frac{f(C')}{f(PWD + r)} \bmod p. \qquad (10)$$

The dishonest user can substitute the fabricated C' and Pub' in the public directory. The signer and others can then show that Pub' is his/her public key using Eq. (9). Thus, the signatures generated using Prv and verified using Pub cannot be verified using the forged public key Pub'. Henceforth, the dishonest user can deny his/her signatures. Therefore, the ZLYH-scheme [20] does not achieve non-repudiation of the user's public key. In our scheme, a dishonest legal user cannot derive another legal (C', Pub') even if he/she knows f(PWD + r), a, and b. This was explained above with Eq. (6). Therefore, our scheme can achieve non-repudiation of the user's public key.
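The ZLYH certificate and verification, Eqs. (8)–(10), as an added Python check (not the paper's code) on the same toy p, g, PWD, Prv and r as the earlier example. It confirms the argument of point (2) from the verifier's side: Eq. (9) accepts the genuine (C, Pub), and for an arbitrary C' Eq. (10) yields a second Pub' that Eq. (9) also accepts, so the ZLYH certificate does not bind Pub to the holder of Prv. The function names and the value of C' are my own constructed choices.

```python
# Added check of the ZLYH-scheme equations (8)-(10) on toy parameters.
# Not the paper's code; P, G, PWD, Prv, r and C' are constructed values.
P, G = 1019, 2   # toy safe prime and generator (constructed; too small for real use)


def f(x, p=P, g=G):
    """Eq. (2): f(x) = g^x mod p."""
    return pow(g, x, p)


def zlyh_certificate(pwd, prv, r, p=P):
    """Eq. (8): C = PWD + Prv + r mod (p - 1)."""
    return (pwd + prv + r) % (p - 1)


def zlyh_verify(C, pub, f_pwd_r, p=P, g=G):
    """Eq. (9): accept Pub iff f(C) == f(PWD + r) * Pub mod p."""
    return f(C, p, g) == (f_pwd_r * pub) % p


def zlyh_alternate_key(c_prime, f_pwd_r, p=P, g=G):
    """Eq. (10): Pub' = f(C') / f(PWD + r) mod p, needing only f(PWD + r).

    The division is done with the Fermat inverse f(PWD + r)^(p - 2) mod p.
    """
    return (f(c_prime, p, g) * pow(f_pwd_r, p - 2, p)) % p


def repudiation_case(pwd, prv, r, c_prime, p=P, g=G):
    """Return (genuine_accepted, alternate_accepted, keys_differ).

    Under a certificate that binds Pub to Prv the middle value would be False;
    under Eq. (9) it is True for every C', which is the paper's point (2).
    """
    pub = pow(g, prv, p)                      # Eq. (1)
    f_pwd_r = f(pwd + r, p, g)                # the value the signer already knows
    C = zlyh_certificate(pwd, prv, r, p)
    pub_prime = zlyh_alternate_key(c_prime, f_pwd_r, p, g)
    return (zlyh_verify(C, pub, f_pwd_r, p, g),
            zlyh_verify(c_prime, pub_prime, f_pwd_r, p, g),
            pub_prime != pub)


if __name__ == "__main__":
    print(repudiation_case(123, 77, 200, c_prime=999))   # (True, True, True)
```

With the toy values, C = (123 + 77 + 200) mod 1018 = 400, and for C' = 999 Eq. (10) gives Pub' = 2^(999−323) mod 1019 = 2^676 mod 1019, a key different from Pub = 2^77 mod 1019 that nevertheless passes Eq. (9). The first example above shows that Eq. (5), with the server's stored a and b, rejects a substituted public key instead.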

5. Conclusions

A key authentication scheme authenticates the public key of a user. In this paper, we have proposed a new key authentication scheme which is based on discrete logarithms. In our scheme, we resolve the problems that appeared in the HY-scheme (the guessing attack) and the ZLYH-scheme (non-repudiation). Our scheme not only withstands the guessing attack but also achieves non-repudiation of the user's public key. Our scheme is more secure than the HY-scheme and ZLYH-scheme.

References

[1] I.B. Damgard, A design principle for hash functions, in: Advances in Cryptology, CRYPTO'89 Proceedings, Springer-Verlag, 1990, pp. 416–427.

[2] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (1976) 644–654.

[3] M. Girault, Self-certified public keys, in: Advances in Cryptology, EUROCRYPT'91, Lecture Notes in Computer Science, 1991, pp. 491–497.

[4] G. Horng, C.S. Yang, Key authentication scheme for cryptosystems based on discrete logarithms, Computer Communications 19 (1996) 848–850.

[5] M.-S. Hwang, Cryptanalysis of remote login authentication scheme, Computer Communications 22 (8) (1999) 742–744.

[6] M.-S. Hwang, A remote password authentication scheme based on the digital signature method, International Journal of Computer Mathematics 70 (1999) 657–666.

[7] M.-S. Hwang, C.-C. Lee, Y.-L. Tang, An improvement of SPLICE/AS in WIDE against guessing attack, International Journal of Informatica 12 (2001) 297–302.

[8] M.-S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000) 28–30.

[9] M.-S. Hwang, W.-G. Tzeng, W.-P. Yang, An access control scheme based on chinese remainder theorem and time stamp concept, Computers and Security 15 (1) (1996) 73–81.

[10] M.-S. Hwang, W.-P. Yang, A new dynamic access control scheme based on subject-object-list, Data and Knowledge Engineering 14 (1) (1994) 45–56.

[11] M.-S. Hwang, W.-G. Tzeng, W.-P. Yang, A two-key-lock-pair access control method using prime factorization and time stamp, IEICE Transactions on Information and Systems E77-D (9) (1994) 1042–1046.

[12] M. Kohnfelder, A method for certification, in: Tech. Rep. (MIT Laboratory for Computer Science), MIT Press, Cambridge, MA, 1978.

[13] G. Li, M.A. Lomas, R.M. Needham, J.H. Saltzer, Protecting poorly chosen secrets from guessing attacks, IEEE Journal on Selected Areas in Communications 11 (1993) 648–656.

[14] U.M. Maurer, Y. Yacobi, A non-interactive public-key distribution system, Designs, Codes and Cryptography 9 (3) (1996) 305–316.

[15] R. Merkle, One-way hash functions and DES, in: Advances in Cryptology, CRYPTO'89, Lecture Notes in Computer Science, vol. 435, 1989, pp. 428–446.

[16] G.B. Purdy, A high security log-in procedure, Communications of the ACM 17 (1974) 442–445.

[17] Bruce Schneier, Applied Cryptography, second ed., John Wiley & Sons, New York, 1996.

[18] A. Shamir, Identity based cryptosystems and signature schemes, in: Advances in Cryptology, CRYPTO'84, Lecture Notes in Computer Science, 1984, pp. 47–53.

[19] G. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, 1992.

[20] B. Zhan, Z. Li, Y. Yang, Z. Hu, On the security of HY-key authentication scheme, Computer Communications 22 (1999) 739–741.
