Cryptanalysis of an anonymous user identification and key distribution scheme

Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Fuw-Yi Yang
Department of Electronics Engineering, Chien-kuo Technology University
E-mail: [email protected]

Abstract

A scheme of anonymous user identification and key distribution was proposed by Wu and Hsu. This paper shows that their scheme is insecure against three attacks: a malicious responder can obtain the initiator's secret key, an adversary can impersonate a service provider, and an adversary can impersonate another legal user.

Keywords: Impersonation attack, identity protection, key agreement, user identification.

1. Introduction

A user authentication scheme is used to distinguish an intruder from a legitimate user. Some of the early schemes authenticate users based on a password table [2]. The password table records the account and password of each registered user. When a user wants to log in to the system, he must enter his account and password. According to the content of the password table, the system can verify whether or not the user is a legal one.

Authentication using a password table may cause problems. A user may deny having entered the system, because the user's password is stored inside the system and the user may argue that his password has been stolen. Therefore, schemes that authenticate users by pieces of secret data stored inside a smart card have been explored; such schemes can be seen in [1, 4, 5]. Keeping the personal data in the smart card relieves the system of maintaining the password table. Therefore, the mystery of the stolen password is no longer a problem.

Wu and Hsu proposed an anonymous user identification and key distribution scheme in [3], henceforth called the WH-scheme. The WH-scheme integrates user authentication with key agreement, i.e., a shared session key is generated after processing user authentication. Also, the initiator's identity is transmitted in cipher. Thus no one listening on the channel can glean the identities of the initiators.

However, the WH-scheme is insecure. This paper will propose three attacks on it. Assume that a user $U_i$ sends a service request to a service provider $P_j$. The first attack shows that the service provider $P_j$ is able to compute $U_i$'s secret key. Knowing this secret key allows the provider to impersonate the user $U_i$. By carefully computing a user identity, an adversary can impersonate a pre-selected victim and launch the second and third attacks. These two attacks allow an adversary to impersonate either a service provider providing services or a user asking for services.

2. Review of the WH-scheme

The WH-scheme consists of three entities: a Smart Card Producing Center (SCPC), service providers (access servers), and users. For easy interpretation, this scheme is divided into three phases: system initialization, key generation, and anonymous user identification.

System initialization: The SCPC randomly chooses two large prime numbers $p$ and $q$, a collision-resistant hash function $f(\cdot)$, two numbers $e$ and $d$ such that $e d = 1 \bmod \varphi(N)$, and a random number $g$ in the multiplicative group $Z_N^*$, where $N = p q$ and $\varphi(N) = (p - 1)(q - 1)$. Then the SCPC publishes $e$, $f(\cdot)$, $g$, and $N$.

Key generation (Registration): Both service provider $P_i$ and user $U_i$ register on the center SCPC and obtain a secret token

$$S_i = (ID_i)^d \bmod N, \qquad (1)$$

where $ID_i$ denotes the identity of the service provider or user, i.e. $P_i$ or $U_i$. In order to obtain services from the service provider $P_i$, user $U_i$ also registers on service provider $P_i$. Unlike registering on the trusted center SCPC, $P_i$ issues no token to $U_i$ and uses an identity list to maintain the registered users.

Anonymous user identification: User $U_i$ can request provider $P_j$ to provide some services. Before granting $U_i$ services, provider $P_j$ should confirm that $U_i$ is a legal user (registered user) without revealing the user's identity to the public. The following steps demonstrate the details of user identification.

Step 1. User $U_i$ submits a service request to $P_j$.

Step 2. Upon receiving this service request, $P_j$ chooses a random number $k$, computes the quantity

$$z = g^k S_j \bmod N, \qquad (2)$$

and sends $z$ to challenge $U_i$.

Step 3. When receiving the challenge $z$, $U_i$ chooses a random number $t$ and computes the quantities

$$a = z^e / P_j \bmod N, \qquad (3)$$

$$x = S_i f(a^t, T) \bmod N, \text{ and} \qquad (4)$$

$$y = g^{et} \bmod N, \qquad (5)$$

where $T$ is the timestamp. Then $U_i$ sends the response message $(x, y, T)$ to $P_j$.

Step 4. Service provider $P_j$ checks the timestamp $T$ and verifies the response message by computing the quantity

$$ID = (x / f(y^k, T))^e \bmod N. \qquad (6)$$

If the identity $ID$ is in the identity list, $P_j$ accepts user $ID$ as an authorized user and grants her/him the requested services; otherwise, it rejects the service request. Subsequent to a successful user identification, user $U_i$ uses (7) to compute the shared session key $K_{ij}$ and service provider $P_j$ uses (8) to compute the shared session key $K_{ji}$. Note that the quantities $K_{ij}$ and $K_{ji}$ are identical.

$$K_{ij} = a^{tx} = (z^e / P_j)^{tx} = ((g^k S_j)^e / P_j)^{tx} = g^{ektx} \bmod N \qquad (7)$$

$$K_{ji} = y^{kx} = (g^{et})^{kx} = g^{ektx} \bmod N = K_{ij} \qquad (8)$$

Thus $U_i$ and $P_j$ use the shared session key to decrypt/encrypt the exchanged data.

3. Cryptanalysis of the WH-scheme

The first attack: Service provider can obtain user's secret token (secret key)

Upon receiving a response message $(x, y, T)$ from $U_i$, the service provider can compute the user's secret token $S_i$ by implementing (4) and (5). The details are shown in (9).

$$S_i = x / f(a^t, T) = x / f(g^{ekt}, T) = x / f(y^k, T) = S_i f(a^t, T) / f(g^{ekt}, T) \bmod N \qquad (9)$$

The secret token $S_i$ is essentially a secret key issued by the SCPC to user $U_i$. Thus anyone who knows the secret token $S_i$ can impersonate user $U_i$.

The second attack: Impersonate service provider $P_j$

Assume that an adversary $U_v$ has registered on the center SCPC and obtained a secret token

$$S_v = (ID_v)^d = (g^{ev} P_j)^d \bmod N, \qquad (10)$$

where $U_v = g^{ev} P_j$ is the registered identity, $e$ is the SCPC's public key, and $v$ is a random number chosen by the adversary $U_v$. Then the adversary $U_v$ can impersonate the service provider $P_j$. A scenario of impersonation is as follows.

Step 1. User $U_i$ submits a service request to $P_j$. However, this request is intercepted by the adversary $U_v$.

Step 2. Upon intercepting the service request emitted from $U_i$, the adversary $U_v$ chooses a random number $k$, computes the quantity $z = g^k S_v \bmod N$ and sends $z$ to challenge $U_i$.

Step 3. When receiving the challenge $z$, $U_i$ chooses a random number $t$ and computes the quantities $a = z^e / P_j \bmod N$, $x = S_i f(a^t, T) \bmod N$, $y = g^{et} \bmod N$, and sends the response message $(x, y, T)$ to $P_j$. Also $U_i$ uses (7) to compute the shared session key $K_{ij}$. The result is shown in (11).

$$K_{ij} = a^{tx} = (z^e / P_j)^{tx} = ([g^k (g^{ev} P_j)^d]^e / P_j)^{tx} = g^{ektx + evtx} \bmod N \qquad (11)$$

Step 4. Once again, the adversary $U_v$ intercepts the response message emitted from $U_i$ and uses (12) to compute the shared session key $K_{ji}$.

$$K_{ji} = (y\, g^{ev})^{kx} = (g^{et} g^{ev})^{kx} = g^{ektx + evtx} \bmod N = K_{ij} \qquad (12)$$

As can be seen in (11) and (12), the adversary $U_v$ and user $U_i$ share the same session key. This result may cause problems. As an example, if user $U_i$ initiates the protocol to deposit an electronic fund to $P_i$'s account, the deposit will eventually be made to the adversary $U_v$'s account.

The third attack: Impersonate user $U_i$

Assume that an adversary $U_v$ has registered on the center SCPC and obtained a secret token

$$S_v = (ID_v)^d = (U_i / g^{ev})^d \bmod N, \qquad (13)$$

where $U_v = U_i / g^{ev}$ is the registered identity, $e$ is the SCPC's public key, and $v$ is a random number chosen by the adversary. Then the adversary $U_v$ can impersonate the user $U_i$. A scenario of impersonation is as follows.

Step 1. Adversary $U_v$ submits a service request to $P_j$.

Step 2. Upon receiving the service request, $P_j$ chooses a random number $k$, computes the quantity $z = g^k S_v \bmod N$ and sends $z$ to challenge $U_v$.

Step 3. When receiving the challenge $z$, $U_v$ chooses a random number $t$, computes the quantities $a = z^e / P_j \bmod N$,

$$x = g^v S_v f(a^t, T) \bmod N, \text{ and} \qquad (14)$$

$y = g^{et} \bmod N$, and sends the response message $(x, y, T)$ to $P_j$.

Step 4. Service provider $P_j$ checks the timestamp $T$ and verifies the response message by computing the quantity

$$ID = (x / f(y^k, T))^e = [g^v (U_i / g^{ev})^d f(g^{ekt}, T) / f(g^{ekt}, T)]^e = U_i \bmod N. \qquad (15)$$

The adversary $U_v$ and the service provider use (7) and (8) to compute their session key.

As can be seen in (7) and (8), the adversary $U_v$ and user $U_i$ share the same session key. This result may also cause problems. As an example, if the services provided by $P_i$ are pay per access, user $U_i$ will receive the bill for accessing the services.

4. Conclusion

The paper has shown three attacks on the WH-scheme. By implementing a response message, the responder can solve for the initiator's secret key. Using a pre-computed identity to register on the SCPC, an adversary is able to impersonate a service provider or a user.
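The first and third attacks of Section 3, run end to end on toy parameters, as an added example that is not part of the original paper. SHA-256 as $f$, the Mersenne-prime modulus, the identities, the timestamp and all function names are assumptions made for the illustration, and the provider's challenge is computed as in (2).

```python
import hashlib
import secrets

# Constructed toy parameters: two Mersenne primes stand in for the SCPC's p and q.
p, q = 2**61 - 1, 2**89 - 1
N, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)   # SCPC private exponent, e*d = 1 mod phi(N)
g = 5                 # public element of Z_N^*

def f(value, T):
    """f(., T) as SHA-256 reduced mod N (assumed instantiation of the hash)."""
    digest = hashlib.sha256(f"{value}|{T}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def register(identity):                      # (1) S = ID^d mod N
    return pow(identity, d, N)

def challenge(S_j):                          # (2) z = g^k * S_j mod N
    k = secrets.randbelow(N - 2) + 1
    return k, pow(g, k, N) * S_j % N

def respond(S, P_j, z, T, blind=1):          # (3)-(5); blind = g^v gives (14)
    t = secrets.randbelow(N - 2) + 1
    a = pow(z, e, N) * pow(P_j, -1, N) % N
    x = blind * S * f(pow(a, t, N), T) % N
    return x, pow(g, e * t, N)

def strip_hash(x, y, k, T):                  # x / f(y^k, T) mod N, the value in (9)
    return x * pow(f(pow(y, k, N), T), -1, N) % N

def verify(x, y, k, T):                      # (6) ID = (x / f(y^k, T))^e mod N
    return pow(strip_hash(x, y, k, T), e, N)

def crafted_identity(U_i, v):                # (13) U_v = U_i / g^(ev) mod N
    return U_i * pow(g, -e * v, N) % N

def demo():
    # Constructed identities and timestamp.
    U_i, P_j = int.from_bytes(b"alice", "big"), int.from_bytes(b"srv01", "big")
    T = 1103068800
    S_i, S_j = register(U_i), register(P_j)
    k, z = challenge(S_j)                    # honest run
    x, y = respond(S_i, P_j, z, T)
    accepted, leaked = verify(x, y, k, T), strip_hash(x, y, k, T)
    v = 424242                               # third attack: adversary's random v
    S_v = register(crafted_identity(U_i, v)) # SCPC signs the crafted identity
    k, z = challenge(S_j)
    x, y = respond(S_v, P_j, z, T, blind=pow(g, v, N))
    return accepted == U_i, leaked == S_i, verify(x, y, k, T) == U_i
```

`demo()` returns three booleans: the honest run is accepted as $U_i$, the provider's intermediate value in (6) equals the secret token $S_i$, and the response built from the crafted registration verifies as $U_i$.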

Acknowledgement

This research was partially supported by National Science Council, Taiwan, R.O.C. under the contract number: NSC 93-2218-E-270-007.

References

1. C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEE Proceedings-E 1991; 138(3): 165-168.
2. L. Lamport, "Password authentication with insecure communication," Communications of ACM 1981; 24: 120-125.
3. T. S. Wu and C. L. Hsu, "Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks," Computers & Security 2004; 23:120-125.
4. S. J. Wang, "Yet another log-in authentication using n-dimensional construction based on circle property," IEEE Transactions on Consumer Electronics 2003; 49(2): 337-341.
5. T. C. Wu, "Remote login authentication scheme based on a geometric approach," Computer Communications 1995; 18(2): 959-963.
