
Group-Access Smart Card with Elliptic Curve Cryptosystem


Academic year: 2021




Shyi-Tsong Wu*† and Bin-Chang Chieu*
* Department of Electronic Engineering, National Taiwan University of Science and Technology, Taiwan
† Department of Electronic Engineering, National Ilan Institute of Technology, Taiwan

Abstract
The elliptic curve cryptosystem (ECC) has attracted growing attention. ECC retains a given security level with smaller keys and less memory than other public-key systems, which makes it a crucial factor in smart card systems. This paper proposes an ECC-based implementation of security schemes for a smart card system that controls access to coffers. For safety reasons a coffer may not be opened by a single person but only by a group of authorized people, which raises the problem of secret sharing. The solution adopted is a threshold scheme: every participant holds a secret shadow, stored in his smart card, and the coffer door may be opened only after the shared secret has been correctly reconstructed. To resist dishonest participants, cheating detection and cheater identification are included. A user can change the password of his smart card freely and need not memorize an assigned lengthy password and shadow as in traditional ID-based schemes, which makes the implementation much more user friendly.

Keywords: Cryptography; Elliptic curve cryptography; Smart card; Threshold scheme.

1. Introduction
A mechanical lock gives an access facility poor security because it leaves no trace of who entered or left. A mechanical lock controlled by an electronic key-card system is preferable: the user presents his smart card to the card reader, keys in his password, and gains access after the authentication procedure. Based on smart cards, DES and a shared-secret scheme, Leong and Tan [3] described an elaborate implementation for controlling access to a laboratory door.

This paper proposes an ECC-based system with smart cards, a shared-secret scheme, cheating detection and cheater identification. Elliptic curve cryptography is one of the strongest cryptographic techniques available because of its small key size and high security [4]; it offers the highest strength per key bit of any public-key cryptosystem known today, which makes it especially well suited to smart card applications. In our scheme the user need not memorize a lengthy shared-secret code and can change his password at will. All access data, including user IDs and access times, are stored centrally at the Host for later analysis rather than in the distributed smart card memory used by Leong and Tan [3].

Corresponding author: Shyi-Tsong Wu, Department of Electronic Engineering, National Ilan Institute of Technology, No.1, Sec. 1, Shen-Lung Road, I-Lan, Taiwan 26041, R.O.C. E-mail: [email protected].

2. Some cryptographic background
This section describes the cryptographic schemes applied in the implementation: elliptic curve cryptography, a digital signature scheme, a shared-secret scheme and cheater identification.

2.1 Elliptic curve cryptography
Here we introduce elliptic curves and elliptic curve digital signatures.

2.1.1 Elliptic curve
Elliptic curves are so named because they are described by cubic equations. The cubic equation of an elliptic curve takes the form

$$ y^2 + axy + by = x^3 + cx^2 + dx + e $$  (1)

where a, b, c, d and e are real numbers satisfying certain conditions [8]. The definition of any elliptic curve also includes a single element, denoted O, called the point at infinity or the zero point.

[Figure 1. Elliptic curve addition]

Addition on an elliptic curve is defined as follows: if three points on the curve lie on a straight line, their sum is O. Figure 1 shows an example of elliptic curve addition. For three collinear points P, Q and -R on the curve, P + Q + (-R) = O, and since (-R) + R = O, it follows that P + Q = R.

Multiplication of a point P on an elliptic curve by a positive integer s is defined as the sum of s copies of P: 2P = P + P, 3P = P + P + P = 2P + P, 4P = 2P + 2P, and so on. Given P and Q = sP, it is very difficult to find the integer s; this is the elliptic curve discrete logarithm problem (ECDLP).

2.1.2 Elliptic curve digital signature
First an elliptic curve E, defined over GF(p) or GF(2^m), and a base point P of order p are selected and made public to all users; all scalar arithmetic below is taken modulo this order p. Then public and private key pairs are generated. The elliptic curve digital signature and verification primitives are used for each user's login and are described as follows.

Key generation. Each user performs the following steps:
1. Select a random number s ∈ [1, p-1].
2. Compute Q = sP on the curve E.
3. The user's public key is (E, P, p, Q) and the private key is s.

EC Nyberg-Rueppel digital signature scheme [5]. Signing:
1. Let m be the message to be signed.
2. Randomly generate a key pair (v, V = vP), where V = (V.x, V.y).
3. Calculate c = V.x + m (mod p).
4. Calculate d = v - s·c (mod p).
5. Output the pair (c, d) as the signature.

Verification:
1. Calculate G = dP + cQ.
2. Calculate m' = c - G.x (mod p).
Accept the signature for message m if and only if m' = m. Since G = (v - sc)P + c(sP) = vP = V, the verifier recovers m from the signature itself, which is why the scheme is said to give message recovery.

2.3 Shared-secret scheme
Access to a bank coffer by a group of authorized people is solved with a threshold scheme. It divides secret data S into n pieces S_1, S_2, ..., S_n such that (1) any k-1 or fewer shadows reveal nothing about S, and (2) any k or more shadows can be used to reconstruct S. This is a (k, n) threshold scheme. Shamir published a threshold scheme based on polynomial interpolation [7]: each member is assigned a shadow derived from an interpolating polynomial, so that any k or more members together can reconstruct the secret. Shamir's scheme is an ideal threshold scheme because the domain of the shadows is the same as the domain of the secret [1]. Taking a_0 = S as the secret, the shadow distributor randomly chooses k-1 numbers a_i, 1 ≤ i ≤ k-1, to form a polynomial f(x) of degree k-1:

$$ f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1} $$  (2)

Computing S_i = f(X_i) for i = 1, 2, ..., n, S_i is called the shadow of S for X_i. Any k or more pairs (X_i, S_i) suffice to reconstruct f(x) and obtain the secret S = f(0). Given at least k distinct pairs (X_{i_1}, S_{i_1}), (X_{i_2}, S_{i_2}), ..., (X_{i_k}, S_{i_k}) ∈ Share = {(X_1, S_1), (X_2, S_2), ..., (X_n, S_n)}, the polynomial f(x) of degree k-1 is computed by Lagrange interpolation [2]:

$$ f(x) = \sum_{\lambda=1}^{k} S_{i_\lambda} \prod_{\substack{j=1 \\ j \neq \lambda}}^{k} \frac{x - X_{i_j}}{X_{i_\lambda} - X_{i_j}} \pmod p $$  (3)

To prevent S from being found by exhaustive search, p must be relatively large and S relatively long in bits; a length of 128 bits is sufficient for our application.

2.4 Cheater detection and cheater identification
Tompa and Woll suggested a (k, n) threshold protecting policy to safeguard the secret [9], but their method cannot deterministically detect cheating and identify the cheater. Wu and Wu [10] applied a one-way hash function to cheating detection and cheater identification. Their scheme is as follows.

Initialization. The shadow distributor performs the following steps:
1. Use Shamir's (k, n) threshold scheme to distribute shadow S_i to user i, for i = 1, 2, ..., n.
2. Choose a one-way function h(·) and a prime number p such that h(·) < p.
3. Compute

$$ t = \sum_{i=1}^{n} h(S_i)\, p^{2(i-1)} + \sum_{i=1}^{n-1} C\, p^{2i-1} $$  (4)

where C is a positive constant randomly chosen over GF(p). C must be non-zero: the C terms occupy the odd powers of p between the hash terms and absorb the borrow that arises in the check below when h(S_j*) > h(S_j).
4. Publish t and p.

Cheater identification. Suppose k participants want to pool their shadows to reconstruct the secret, and let G be the set of these participants. Cheating detection and cheater identification proceed as follows:
1. All U_j ∈ G present their shadows S_j*, and

$$ t^* = \sum_{U_j \in G} h(S_j^*)\, p^{2(j-1)} $$  (5)

is computed.
2. For each U_j ∈ G, check whether

$$ \left\lfloor \frac{t - t^*}{p^{2(j-1)}} \right\rfloor \bmod p = 0. $$  (6)

If the equation holds, U_j is honest; otherwise U_j is a cheater. This is because

$$ \left\lfloor \frac{t - t^*}{p^{2(j-1)}} \right\rfloor \bmod p = h(S_j) - h(S_j^*) \pmod p, $$

which is 0 if and only if h(S_j) = h(S_j*). In our secret sharing implementation, the cheater detection and cheater identification scheme is used as a precaution against logins by deleted users and dishonest participants.

3. The proposed system overview
The proposed system employs elliptic curve digital signature cryptography (the EC Nyberg-Rueppel scheme of section 2), a shared-secret scheme and smart card technology to control the unlocking of coffer doors. The overall system is shown in Fig. 2: the Host controls the Remote Terminal Units (RTUs) over the Internet, which is cheaper and simpler to configure than leased lines.

[Figure 2. System block diagram: Host connected over the Internet to RTU1, RTU2, ..., RTUn]

The components of an RTU are shown in Fig. 3. Its main component is a personal computer (PC_RTU), which communicates with the microchip over RS-232 and with the Host over the Internet. An Internal Card Reader and an External Card Reader provide the interfaces through which smart cards communicate with the PC_RTU. Because the signal levels of the microchip and of RS-232 differ, a signal level converter is included.

[Figure 3. Remote Terminal Unit: an External Card Reader on the coffer exterior and an Internal Card Reader on the coffer interior attached to the PC; the PC connected over RS-232 to the microchip that drives the Door Access Unit, and over the Internet to the Host]

Figure 4. Remote Terminal Unit Initialization (message flow):
RTU: choose K_RTU ∈ [1, p-1] as private key; Q_RTU = K_RTU·P is the public key; send Q_RTU.
Host: receive Q_RTU; select the RTU's identifier ID_RTU; choose v_RTU ∈ [1, p-1] and V_RTU = v_RTU·P; c_RTU = V_RTU.x + h(Q_RTU.x, ID_RTU, T_RTU); d_RTU = v_RTU - K_HOST·c_RTU; send Q_HOST, ID_RTU, (c_RTU, d_RTU), T_RTU.
RTU: receive; calculate G_RTU = d_RTU·P + c_RTU·Q_HOST and e_RTU = c_RTU - G_RTU.x; store ID_RTU, e_RTU, Q_HOST, Q_RTU, (c_RTU, d_RTU), T_RTU and K_RTU on the RTU; Q_K = K_RTU·Q_HOST = (K_RTU·K_HOST)·P.
Host: Q_K = K_HOST·Q_RTU = (K_HOST·K_RTU)·P; send E(S || t, Q_K).
RTU: D(S || t, Q_K); store S and t.

Every authorized member has his own smart card. To request entry, the members insert their smart cards into the External Card Reader and key in their passwords on the keypad. The PC_RTU authenticates the smart cards and reconstructs the secret S. If the secret is correct, the microchip unlocks the Door Access Unit on the instructions of the PC_RTU. After a predefined number of minutes the door closes automatically; its status is detected with an infrared detector. The door status, the door open time and the participants who accessed the door are all transmitted to the Host over the Internet and recorded in the Host's database.

4. Implementation
4.1 Set-up
The Host performs the set-up procedure as follows:
1. Choose the elliptic curve E with order p, the base point P, and the private key K_HOST ∈ [1, p-1].
2. For each RTU choose a random secret S and a_1, a_2, ..., a_{k-1} ∈ Z_p*, the coefficients of the polynomial of equation (2).
3. Generate random X_1, X_2, ..., X_n ∈ Z_p* and compute the set Share = {(X_i, S_i) | 1 ≤ i ≤ n} for each RTU.
4. Compute t as in equation (4).

Figure 5. Card Initialization (message flow):
Card: choose PW_i ∈ [1, p-1]; Q_C = PW_i·P is the public key; send Q_C.
Host: receive Q_C; choose v_C ∈ [1, p-1] and V_C = v_C·P; c_C = V_C.x + h(Q_C.x, i, T_C); d_C = v_C - K_HOST·c_C; send Q_HOST, i, (c_C, d_C), T_C.
Card: receive; calculate G_C = d_C·P + c_C·Q_HOST and e_C = c_C - G_C.x; store i, e_C, Q_HOST, Q_C, (c_C, d_C), T_C on the smart card; Q_K = PW_i·Q_HOST = (PW_i·K_HOST)·P.
Host: Q_K = K_HOST·Q_C = (K_HOST·PW_i)·P; send E(X_i || S_i, Q_K).
Card: D(X_i || S_i, Q_K); store X_i and S_i.
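The Shamir (k, n) sharing of section 2.3 (equations (2) and (3)), the published value t of equation (4), and the cheater identification of equations (5) and (6), which the set-up steps above compute for each RTU, as an added example in Python. It is not code from the paper: the 128-bit prime, the SHA-256 instantiation of h(·), the function names and the k = 3, n = 5 scenario in `demo` are choices made for this example.

```python
import hashlib
import secrets

# Constructed parameters for this example: a 128-bit Mersenne prime as the modulus p (the
# paper says 128 bits is sufficient). h(.) is instantiated as SHA-256 reduced mod p, an
# assumption; the paper only requires a one-way function with h(.) < p.
PRIME = 2**127 - 1


def h(shadow, p=PRIME):
    """One-way function h(.) < p applied to an integer shadow."""
    digest = hashlib.sha256(shadow.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % p


def make_shares(secret, k, n, p=PRIME):
    """Shamir (k, n) sharing, equation (2): f(x) = S + a_1 x + ... + a_{k-1} x^(k-1) mod p.
    Returns [(X_i, S_i)] for n random distinct non-zero X_i, with S_i = f(X_i) the shadow."""
    coeffs = [secret % p] + [secrets.randbelow(p - 1) + 1 for _ in range(k - 1)]
    xs = set()
    while len(xs) < n:
        xs.add(secrets.randbelow(p - 1) + 1)
    shares = []
    for x in sorted(xs):
        y = 0
        for a in reversed(coeffs):            # Horner evaluation of f(x)
            y = (y * x + a) % p
        shares.append((x, y))
    return shares


def reconstruct(points, p=PRIME):
    """Lagrange interpolation at x = 0, equation (3): S = f(0) from k or more (X_i, S_i)."""
    secret = 0
    for lam, (x_l, s_l) in enumerate(points):
        num, den = 1, 1
        for j, (x_j, _) in enumerate(points):
            if j != lam:
                num = num * (0 - x_j) % p     # (x - X_ij) at x = 0
                den = den * (x_l - x_j) % p   # (X_il - X_ij)
        secret = (secret + s_l * num * pow(den, -1, p)) % p
    return secret


def publish_t(shares, C, p=PRIME):
    """Equation (4): t = sum_i h(S_i) p^(2(i-1)) + sum_{i=1}^{n-1} C p^(2i-1).
    Participants are numbered i = 1..n in the order of `shares`. C must be non-zero so that
    the odd powers of p absorb a borrow when a cheater's hash exceeds the honest one."""
    if not 1 <= C < p:
        raise ValueError("C must be a positive constant below p")
    n = len(shares)
    t = sum(h(s, p) * p ** (2 * (i - 1)) for i, (_, s) in enumerate(shares, start=1))
    t += sum(C * p ** (2 * i - 1) for i in range(1, n))
    return t


def identify_cheaters(t, presented, p=PRIME):
    """Equations (5) and (6). `presented` maps participant number j (1-based) to the shadow
    S_j* that participant pooled. Returns the set of j whose shadow is inconsistent with t."""
    t_star = sum(h(s, p) * p ** (2 * (j - 1)) for j, s in presented.items())
    diff = t - t_star
    return {j for j in presented if (diff // p ** (2 * (j - 1))) % p != 0}


def demo(k=3, n=5):
    """Honest reconstruction, a too-small subset, and one participant lying about its shadow."""
    secret = secrets.randbelow(PRIME)
    shares = make_shares(secret, k, n)
    t = publish_t(shares, C=secrets.randbelow(PRIME - 1) + 1)

    honest = {j: shares[j - 1][1] for j in (1, 3, 5)}            # a k-subset of participants
    ok = reconstruct([shares[j - 1] for j in honest]) == secret
    too_few = reconstruct(shares[: k - 1]) == secret             # k-1 shadows give a wrong value

    forged = dict(honest)
    forged[3] = (forged[3] + 1) % PRIME                          # U_3 presents a false shadow
    forged_ok = reconstruct([(shares[j - 1][0], forged[j]) for j in forged]) == secret
    return {
        "honest_ok": ok,
        "too_few_ok": too_few,
        "forged_ok": forged_ok,
        "cheaters": identify_cheaters(t, forged),
        "cheaters_when_honest": identify_cheaters(t, honest),
    }


if __name__ == "__main__":
    print(demo())
```

`identify_cheaters` uses floor division, so the test is exactly ⌊(t - t*)/p^{2(j-1)}⌋ mod p. It is correct because the digit of t at every odd power of p is the non-zero constant C, which absorbs any borrow from a lower position when h(S_j*) > h(S_j); with C = 0 an honest participant numbered above a cheater could be flagged, which is why `publish_t` rejects C = 0. Reconstruction from k-1 shadows returns a value that is uniformly unrelated to S, matching property (1) of the threshold scheme.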

Each RTU performs an initialization procedure to apply for its certificate. The RTU sends its public key Q_RTU to the Host through a secure channel. The Host uses its private key to sign the hash of the concatenation of the public key's x-coordinate Q_RTU.x, the RTU's identifier ID_RTU and the RTU's expiration date T_RTU, and returns the signed message, i.e. the RTU's certificate, through the secure channel as shown in Figure 4, where E(m, K) denotes encryption of m under key K, D(c, K) the corresponding decryption, and h(·) a one-way hash function. After the session key Q_K has been generated and used, the RTU holds the threshold-scheme secret S and the value t of equation (4). Following the same procedure, a smart card acquires its certificate as in Figure 5, where i is the user's identifier, T_C the card's expiration date, and S_i the shadow of user i in the threshold scheme.

4.2 Local Login
A user who wants to log in to the local RTU to open the coffer door must pass the authentication procedure described below.

Figure 6. Authentication of Local Login (message flow):
Card: the user keys in PW_i*; Q_C* = PW_i*·P; if Q_C* ≠ Q_C, abort; send Q_C*.
RTU: send Q_RTU.
Card: Q_K = PW_i*·Q_RTU = (PW_i·K_RTU)·P.
RTU: Q_K = K_RTU·Q_C = (K_RTU·PW_i)·P; generate a random number r; m_0 = E(r, Q_K.x); send m_0.
Card: D(m_0, Q_K.x) = r*; m_1 = E((r*, i, e_C, (c_C, d_C), T_C, X_i, S_i, T), Q_K.x); send m_1.
RTU: D(m_1, Q_K.x) = (r**, i, e_C, (c_C, d_C), T_C, X_i, S_i, T); if r** ≠ r, abort; if T_C is not valid, abort; G = d_C·P + c_C·Q_HOST; e_C* = c_C - G.x; if e_C* ≠ e_C, abort; otherwise accept the local login of user i.

Local Login Phase
1. The user inserts his smart card into the exterior card reader and keys in his password PW_i*. The smart card computes Q_C* = PW_i*·P. If Q_C* ≠ Q_C, the password PW_i* is invalid and the card aborts.
2. By exchanging public keys, the smart card and the RTU each compute the session key Q_K used for the rest of the communication.
3. The RTU generates a random number r, encrypts it with the session key Q_K and sends the message m_0 to the smart card.
4. After decrypting m_0 to obtain the random number r*, the smart card encrypts the concatenation of r*, the certificate e_C, (c_C, d_C), the expiration date T_C, the current time T, X_i and S_i, and sends it back to the RTU as m_1.

Verification Phase
On receiving m_1, the PC_RTU performs the following steps:
1. Decrypt m_1 to obtain (r**, i, e_C, (c_C, d_C), T_C, T, X_i, S_i).
2. Check r** and T_C; if either is invalid, the session is aborted. The RTU then verifies the certificate by computing G = d_C·P + c_C·Q_HOST and e_C* = c_C - G.x, and accepts the local login only if the recovered value is valid. (Matching e_C* against h(Q_C*.x, i, T_C), recomputed from the public key the card presented in step 1, is what binds the certificate to that key; matching it only against the e_C that arrives together with (c_C, d_C) confirms the signature's consistency with itself.)

Secret Reconstruction Phase
After k or more members have passed the verification phase, the PC_RTU uses Lagrange polynomial interpolation to reconstruct S*. If S* is correct, the PC_RTU sends the microchip an open signal together with a number: the open signal unlocks the coffer door, and the number tells the microchip how many members have logged in. If S* is incorrect, the PC_RTU computes t* of equation (5), detects the cheater and records that participant's ID.

4.3 Management of Access Records
The access data, including the users who log in, the access times, the status of the RTU and the coffer open/close times, are all saved in the PC_RTU for future use.
- When the coffer door is opened, the PC_RTU saves an entry record of the form E(i || T_ent || ENT, K_RTU), where T_ent is the time of user i's entry access and ENT marks an entry access to the RTU.
- After k or more members pass the local login phase and S is correctly reconstructed, the coffer's opening time and its status are saved as E(T_o || Status, K_RTU), where T_o is the time the coffer was opened and Status indicates whether the coffer is open or closed.
- Similarly, the exit record of user i is saved as E(i || T_exit || EXIT, K_RTU), where T_exit is the exit access time and EXIT marks an exit access.
- The open/closed status of the coffer is periodically saved and transmitted to the Host as { ID_RTU, E(i || T || Status, Q_K.x) }.
- The PC_RTU reports entry records to the Host as { ID_RTU, E(i || T_ent || ENT, Q_K.x) } and exit records as { ID_RTU, E(i || T_exit || EXIT, Q_K.x) }.

5. Discussion and conclusion
Smart cards offer portable storage, a small processing unit, and protection against access by anyone but their rightful owners. Their main limitations are low processing power and constrained memory, and implementing ECC on the card addresses these [4]. Our scheme is based on elliptic curve digital signatures. Since Q_C and PW_i are the parameters with which a user logs in to the RTU, they must be tightly protected. Q_C is stored in the tamper-resistant smart card and cannot be read out directly, and even if Q_C were compromised, recovering PW_i from Q_C = PW_i·P is an instance of the ECDLP, which is considered harder than the problem underlying RSA at comparable key sizes [6]. This protection presumes a PW_i as unpredictable as a random scalar in [1, p-1]; a short, memorable password narrows the search to the candidate passwords themselves, so for such passwords it is the secrecy of Q_C inside the card, not the ECDLP, that protects PW_i. The scheme lets users change their passwords freely. To change his password, the user presents his smart card and chooses a new password PW_i' at the PC_RTU via the card reader; the PC_RTU computes Q_C' = PW_i'·P and writes Q_C' into the smart card of user i, after which user i logs in with PW_i'. The bit length of PW_i is chosen freely by user i; it need not be 128 or 256 bits, so the password is easy to memorize. If a smart card is lost, user i can use his ID to register a new card C_ID_i'; after the Host has checked his background data, the lost card C_ID_i is invalidated.
An illegitimate holder of the lost smart card cannot log in because he does not have user i's password. Adding a new user is easy; the procedure is the same as the set-up process. Deleting user i is troublesome if the removed user's smart card is not recovered, because it requires updating all smart cards of the affected RTU. The update process, which changes the secret S, the value t and some other parameters, is performed conveniently: each authorized user need only insert his smart card and key in the corresponding password. Although the deleted user may still be able to log in, his attempt to open the coffer door under the threshold scheme will be in vain, and he will eventually be detected by the cheating detection and cheater identification scheme.
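The curve arithmetic of section 2, the EC Nyberg-Rueppel signature with message recovery, the card certificate of Figure 5 and the RTU's certificate check in the local login of Figure 6, written out as an added example in Python. This is not code from the paper. It assumes the secp256k1 domain parameters (the paper leaves the curve open), instantiates h(·) as SHA-256 reduced modulo the order of P, and derives the scalar PW_i from a passphrase; the function names and the constructed user identifier and dates are illustrative. The symmetric encryption E(·, Q_K.x) and the challenge r are not reproduced: the example stops at the shared Q_K and the certificate check.

```python
import hashlib
import secrets

# Curve E and base point P: secp256k1 domain parameters (assumed; the paper names no curve).
# ORDER_N is the order of P, the modulus the paper calls p for all scalar arithmetic;
# FIELD_P is the characteristic of the underlying field.
FIELD_P = 2**256 - 2**32 - 977
CURVE_A = 0
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE_P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O


def ec_add(P1, P2):
    """Chord-and-tangent addition on y^2 = x^3 + ax + b over GF(FIELD_P)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF                                   # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P)
    lam %= FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, P1):
    """k*P, the sum of k copies of P, by double-and-add (no side-channel hardening)."""
    R = INF
    k %= ORDER_N
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def rand_scalar():
    return secrets.randbelow(ORDER_N - 1) + 1          # uniform in [1, n-1]


def nr_sign(s, m):
    """EC Nyberg-Rueppel: c = V.x + m, d = v - s*c (mod n), for a message m < n."""
    while True:
        v = rand_scalar()
        c = (ec_mul(v, BASE_P)[0] + m) % ORDER_N
        if c:                                        # c = 0 is not a usable signature; resample
            break
    return (c, (v - s * c) % ORDER_N)


def nr_recover(Q, sig):
    """Verification with message recovery: G = d*P + c*Q = V, so c - G.x = m (mod n).
    Returns the recovered m, or None if the signature is malformed."""
    c, d = sig
    if not (0 < c < ORDER_N and 0 <= d < ORDER_N):
        return None
    G = ec_add(ec_mul(d, BASE_P), ec_mul(c, Q))
    return None if G is INF else (c - G[0]) % ORDER_N


def h_int(*fields):
    """h(.) of the paper, instantiated here (assumption) as SHA-256 over the fields, mod n."""
    data = b"|".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER_N


def issue_card_cert(k_host, Q_C, user_id, T_C):
    """Host side of Figure 5: sign h(Q_C.x, i, T_C); the card keeps (c_C, d_C) and e_C."""
    e_C = h_int(Q_C[0], user_id, T_C)
    return e_C, nr_sign(k_host, e_C)


def rtu_verify_card(Q_host, Q_C, user_id, T_C, cert, now):
    """RTU side of Figure 6: reject an expired T_C, then compare the value recovered from
    (c_C, d_C) with h(Q_C.x, i, T_C) recomputed from the public key the card presented."""
    if now > T_C:
        return False
    return nr_recover(Q_host, cert) == h_int(Q_C[0], user_id, T_C)


def session_key(priv, peer_pub):
    """Q_K.x: the card computes PW_i*Q_RTU, the RTU computes K_RTU*Q_C; both equal (PW_i*K_RTU)*P."""
    return ec_mul(priv, peer_pub)[0]


def demo_login(user_id="user-7", T_C=20251231, now=20250601):
    k_host, k_rtu = rand_scalar(), rand_scalar()
    Q_host, Q_rtu = ec_mul(k_host, BASE_P), ec_mul(k_rtu, BASE_P)
    pw = h_int("correct horse battery staple") or 1  # PW_i from a passphrase (assumption)
    Q_C = ec_mul(pw, BASE_P)                          # stored on the card at initialization
    _, cert = issue_card_cert(k_host, Q_C, user_id, T_C)
    results = {
        "typed_pw_ok": ec_mul(pw, BASE_P) == Q_C,                  # Q_C* == Q_C
        "wrong_pw_ok": ec_mul(pw + 1, BASE_P) == Q_C,
        "same_session_key": session_key(pw, Q_rtu) == session_key(k_rtu, Q_C),
        "cert_ok": rtu_verify_card(Q_host, Q_C, user_id, T_C, cert, now),
        "expired_ok": rtu_verify_card(Q_host, Q_C, user_id, T_C, cert, T_C + 1),
    }
    # A certificate issued for some other card's public key must not verify for Q_C.
    _, other_cert = issue_card_cert(k_host, ec_mul(rand_scalar(), BASE_P), user_id, T_C)
    results["transplanted_cert_ok"] = rtu_verify_card(Q_host, Q_C, user_id, T_C, other_cert, now)
    return results


if __name__ == "__main__":
    print(demo_login())
```

`rtu_verify_card` compares the value recovered from (c_C, d_C) with h(Q_C.x, i, T_C) recomputed from the public key the card just presented, which is what ties the certificate to that key; the `transplanted_cert_ok` case in `demo_login` exercises that binding. Messages are reduced modulo the order of P before signing, since Nyberg-Rueppel recovers m only modulo that order. The affine double-and-add here is adequate for illustrating the protocol, not for a card implementation, where the scalar PW_i would need constant-time handling.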

References
[1] Brickell, E. F., Some ideal secret sharing schemes, J. Combinatorial Mathematics and Combinatorial Computing, 6, 1989, pp. 105-113.
[2] Gerald, C. F. and Wheatley, P. O., Applied Numerical Analysis, Addison-Wesley, Harlow, UK, 1994.
[3] Leong, P. C. and Tan, E. C., Implementation of smart-card access control with threshold scheme, Int. J. Electronics, 87(6), 2000, pp. 649-657.
[4] Liu, J. K., Wei, V. K., Siu, C., Chan, R. L. and Choi, T., Multi-application smart card with elliptic curve cryptosystem certificate, EUROCON'2001, International Conference on Trends in Communications, 2, 2001, pp. 381-384.
[5] Nyberg, K. and Rueppel, R. A., A new signature scheme based on the DSA giving message recovery, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, 1993, pp. 58-61.
[6] Mohammed, E., Emarah, A. E. and El-Shennawy, Kh., Elliptic curve cryptosystems on smart cards, Proceedings of the IEEE 35th International Carnahan Conference on Security Technology, 2001, pp. 213-222.
[7] Shamir, A., How to share a secret, Communications of the ACM, 22, 1979, pp. 612-613.
[8] Stallings, W., Cryptography and Network Security: Principles and Practice, Prentice-Hall, 1999.
[9] Tompa, M. and Woll, H., How to share a secret with cheaters, J. Cryptology, 1(2), 1988, pp. 133-138.
[10] Wu, T.-C. and Wu, T.-S., Cheating detection and cheater identification in secret sharing schemes, IEE Proc.-Comput. Digit. Tech., 142(5), 1995, pp. 367-369.


