Improvement on a Provable Secure Access Control using Smart Cards

Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Improvement on a Provable Secure Access Control using Smart Cards

Fuw-Yi Yang, Department of Applied Mathematics, National Chung Hsing University, E-mail: yangfy@ms7.hinet.net
Jinn-Ke Jan, Department of Computer Science, National Chung Hsing University, E-mail: jkjan@cs.nchu.edu.tw

Abstract—An access control scheme integrated with user authentication is proposed. Though the scheme is provably secure in request messaging (authentication), there is a flaw in access control. This paper presents an attack on the access control system and, further, proposes an improvement to remedy this flaw. Our improvement only increases the information size and the cost of computation during registration; these quantities are not increased during the login and verification phases.

Keywords: access control, digital signature, user authentication.

1. Introduction

Access control is chiefly concerned with controlling access to the resources held by a system. Depending on the policies of the system, the central authority can grant or deny access to users. Traditionally, the operating system maintains some tables, e.g., a capability list or an access control matrix, to perform access control [1]. Before granting access rights to a user, the system must have authenticated the user. Therefore, a user authentication scheme is required to achieve this goal. Many earlier schemes authenticated users based on a password table [2]. The password table records the account and password of each registered user. When a user wants to log in to the system, he must enter his account number and password. According to the content of the password table, the system can verify whether the login user is a legal one.

Authentication using a password table may cause problems. A user may deny having entered the system, because the user's password is stored inside the system and the user may argue that his password has been stolen. Therefore, schemes that authenticate users by pieces of secret data stored inside a smart card are explored. Keeping the personal data in the smart card relieves the system from maintaining the password table, so the dispute over a stolen password is no longer a problem. The problem of a stolen password is also possible in access control systems that depend on some stored tables. Thus, like the solution to the problem of a stolen password in the authentication scheme, storing the access control data in a smart card is a way to solve the problem described above. A smart card that contains both the authentication data and the access control information inspires us to integrate the schemes of user authentication and access control into one module [3, 4, 5]. By storing these secret data in a smart card, the system is freed from keeping the tables of user authentication and access control. In addition, the integration benefits security, communication overhead, and computation cost, especially in distributed computer networks. However, the scheme in [5] has a drawback. Although the scheme is claimed to be secure, it is found to be secure only with respect to the digital signatures signed by cardholders. The scheme's access control leaks secret information about the integrated system. Collusion of some cardholders can reveal secret data of the system by exploiting the leaked information.

1.1 Contributions

This paper proposes an attack on the scheme in [5]. After illustrating the cryptanalysis, an improvement to mend the information leakage is proposed. To guarantee the security, a formal proof is given to confirm that the improvement is secure against adaptive chosen message attacks [6]. In this model of attack, it is assumed that an adversary has access to a signing oracle, which generates the signatures, i.e., the access rights granted by the system. The adversary is allowed to collect access rights by querying the signing oracle as he wishes, except for the one that the adversary is forging. This level of security is sufficient to prevent the system from being attacked by collusions of the smart card holders.

1.2 Organization

Section 2 reviews the scheme in [5], which is shown to be insecure in Section 3. An improvement is proposed in Section 4. Section 5 shows that the improvement is secure. Finally, Section 6 concludes the paper.

2. Review of the previous scheme

This section reviews the scheme in [5], which consists of three entities: a central authority (CA), servers, and users. For each registered user, the CA is responsible for storing the information of access rights and authentication in a smart card. Then the CA delivers the smart card to the user in a secure way. Each server stores resources and provides some access services. Although the server is responsible for user authentication and access control, it does not hold secret information about the access control system or authorization data about the users. By means of the smart card issued by the CA, each user can apply to the servers for some access services. There are four phases in the implementation, i.e., the initialization phase, registration phase, login phase, and verification phase. The details are described as follows.

Initialization phase: The CA chooses and publishes a large prime number $p$ such that $(p - 1)$ has a large prime factor $q$. Let $g$ be an element of the set $Z_p^* = \{1, 2, \ldots, (p - 1)\}$ whose order is $q$. A collision-free hash function $h(\cdot)$ maps an arbitrary bit string to a bit string of fixed length $k$, i.e., $h(\cdot): \{0, 1\}^* \to \{0, 1\}^k$. Assume that the system includes $n$ access rights. For each access right $i$, the CA generates a secret number $x_i \in_R Z_q$ and uses it to compute $y_i = g^{x_i} \bmod p$, where the symbol $a \in_R b$ denotes that the element $a$ is chosen randomly from the set $b$. Therefore, the access rights managed by the CA are essentially the two sets $X = \{x_i \mid x_i \in_R Z_q\}$ and $Y = \{y_i \mid y_i = g^{x_i} \bmod p\}$, where $0 < i < (n + 1)$.

Registration phase: Assume that the CA wants to grant a set of $m$ access rights to user $u$. Let $Y_u$ denote this set of authorized access rights; then $Y_u \subseteq Y$ and $Y_u = \{y_{uj} \mid y_{uj} \in Y\}$, where $0 < j < (m + 1)$. The CA and the user cooperatively execute the following steps to complete the registration phase.

Step 1. User $u$ selects a number $x_u \in_R Z_q$ as his private key. The corresponding public key is $ID_u = g^{x_u} \bmod p$. The user stores $x_u$ in a smart card and registers $ID_u$ in the access control system.

Step 2. The CA picks an integer $k_u \in_R Z_q$ and computes $r_u = g^{k_u} \bmod p$. If $r_u = 0 \bmod q$, it repeats Step 2.

Step 3. The CA computes the quantities $S_{uj}$ from the linear congruence equation

$S_{uj} = h(r_u, ID_u)\, k_u + r_u x_{uj} \bmod q$,   (1)

where $j = 1, \ldots, m$.

Step 4. The CA stores $ID_u$, $r_u$, $S_{uj}$, and $y_{uj}$ in the smart card. The smart card then contains $x_u$, $ID_u$, $r_u$, $S_{uj}$, and $y_{uj}$ ($j = 1, \ldots, m$). This card enables user $u$ (user $ID_u$) to issue a request message for obtaining the service $y_{uj} \in Y_u$.

Login phase: User $u$ attaches his smart card to a terminal and conducts the following steps whenever he wants to enter the service $y_{uj}$ at time $T$.

Step 1. Chooses an integer $k \in_R Z_q$ and computes the quantities $r = g^k \bmod p$, $H = h(r, T, ID_u, r_u, S_{uj}, y_{uj})$, and $s = (kH + x_u r) \bmod q$. If $r = 0 \bmod q$, repeats this step.

Step 2. Constructs the message $L = \{r, s, T, ID_u, r_u, S_{uj}, y_{uj}\}$ and sends it to the server.

Verification phase: In fact, $L$ contains two signatures: $(ID_u, r_u, S_{uj})$ and $((T, ID_u, r_u, S_{uj}, y_{uj}), r, s)$. The first signature is a certificate issued by the CA to certify the identity of user $u$. The second one is signed by user $u$ on the message $(T, ID_u, r_u, S_{uj}, y_{uj})$ in order to acquire the service $y_{uj}$. Therefore, the verification phase consists of two procedures that check whether these two signatures are valid. The server does the following computations to conclude the verification process. Assume that the request message $L$ arrived at time $T'$.

Step 1. Checks whether $(T' - T)$ is less than the legal transmission time. If not, rejects the request.

Step 2. Uses the equation $g^{S_{uj}} = r_u^{\,h(r_u, ID_u)}\, y_{uj}^{\,r_u} \bmod p$ to confirm that $(ID_u, r_u, S_{uj})$ is a valid certificate.

Step 3. Calculates $H = h(r, T, ID_u, r_u, S_{uj}, y_{uj})$.

Step 4. Uses the equation $g^s = r^H\, ID_u^{\,r} \bmod p$ to prove that the second signature was signed by user $u$. Accepts user $u$ as legal and grants the service $y_{uj}$ to him if both equations hold; otherwise denies the services to user $u$.

3. Cryptanalysis of the scheme reviewed

Although the scheme in [5] treats the security of a request message rigorously, it does not discuss the security of the access control. This section proposes an attack on the access control. From the initialization phase, it is found that for each service $y_i$, the secret parameter $x_i$ is the same for all users. Assume that user $u$ has been granted the services $y_a$ and $y_b$. Hence (2), (3), and (4) are obtained.

$S_{ua} = h(r_u, ID_u)\, k_u + r_u x_a \bmod q$,   (2)

$S_{ub} = h(r_u, ID_u)\, k_u + r_u x_b \bmod q$,   (3)

$x_a - x_b = (S_{ua} - S_{ub}) / r_u \bmod q$.   (4)

By intercepting the request messages $L_{ua} = \{r', s', T', ID_u, r_u, S_{ua}, y_{ua}\}$ and $L_{ub} = \{r'', s'', T'', ID_u, r_u, S_{ub}, y_{ub}\}$, anyone can calculate the quantity $(x_a - x_b)$ using (4). Assume that another user $v$ has obtained the service $y_a$. Then user $v$ can calculate the quantity $S_{vb}$ in the following way:

$x_a - x_b = (S_{ua} - S_{ub}) / r_u = (S_{va} - S_{vb}) / r_v \bmod q$,

$S_{vb} = S_{va} - r_v (S_{ua} - S_{ub}) / r_u \bmod q$.   (5)

By (5), user $v$ successfully calculates the quantity $S_{vb}$, which is the CA's signature on the service $y_b$ and the identity $ID_v$. Using the same method, if user $u$ colludes with user $v$, user $u$ can transfer all services granted by the CA to user $v$. This result violates the security of access control.

4. Improvement in the reviewed scheme

From (2) and (3), it can be seen that the CA uses the same random number $k_u$ to issue signatures on every service granted to user $u$. The unknown variable $k_u$ can thus be cancelled out as shown in (4). The cancellation of $k_u$ leaks information, i.e., the difference between the secret keys $x_a$ and $x_b$. Therefore, the signing equation used in the registration phase must be modified so that the unknown variable $k_u$ cannot be eliminated.
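To make the leak of Section 3 and the repair of Section 4 concrete, the following Python model (added here; it is not code from the paper) implements the certificate equations (1) and (6), the server's certificate check, and the arithmetic of (4) and (5) over a toy group. The group $p = 2039$, $q = 1019$, $g = 2$, the SHA-256-based stand-in for $h(\cdot)$, the user and service values, and the seeded randomness are all constructed for this demonstration.

```python
import hashlib
import random

P, Q, G = 2039, 1019, 2   # toy group: p = 2q + 1, g = 2 has prime order q in Z_p^*

def h(*parts):
    """The paper's h(.), reduced into Z_q for these toy parameters."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pick_nonce(rng):
    """k in_R Z_q with r = g^k mod p, retried while r = 0 mod q."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P)
        if r % Q:
            return k, r

def register_original(rng, id_u, xs):
    """Eq. (1) of [5]: one k_u reused for every service of user u.
    xs maps service -> CA secret x_i.  Returns r_u and {service: S_uj}."""
    ku, ru = pick_nonce(rng)
    return ru, {j: (h(ru, id_u) * ku + ru * x) % Q for j, x in xs.items()}

def register_improved(rng, id_u, xs):
    """Eq. (6): a fresh k_uj per service.  Returns {service: (r_uj, s_uj)}."""
    certs = {}
    for j, x in xs.items():
        kuj, ruj = pick_nonce(rng)
        certs[j] = (ruj, (h(ruj, id_u) * kuj + ruj * x) % Q)
    return certs

def verify_cert(id_u, r, s, y):
    """Server's Step 2: g^s == r^h(r, ID_u) * y^r (mod p)."""
    return pow(G, s, P) == pow(r, h(r, id_u), P) * pow(y, r, P) % P

def demo(seed):
    """Register u (services a, b) and v (service a) under both schemes and report
    whether the eq. (4)/(5) arithmetic gives v a certificate on service b."""
    rng = random.Random(seed)
    xs = {"a": rng.randrange(1, Q), "b": rng.randrange(1, Q)}  # constructed x_a, x_b
    ys = {j: pow(G, x, P) for j, x in xs.items()}               # y_i = g^x_i mod p
    id_u, id_v = (pow(G, rng.randrange(1, Q), P) for _ in range(2))
    ru, su = register_original(rng, id_u, xs)                   # shared k_u
    rv, sv = register_original(rng, id_v, {"a": xs["a"]})
    leak = (su["a"] - su["b"]) * pow(ru, -1, Q) % Q            # eq. (4)
    forged_svb = (sv["a"] - rv * leak) % Q                      # eq. (5)
    cu = register_improved(rng, id_u, xs)                       # fresh k_uj each
    cv = register_improved(rng, id_v, {"a": xs["a"]})
    guess = (cu["a"][1] - cu["b"][1]) * pow(cu["a"][0], -1, Q) % Q
    forged_svb2 = (cv["a"][1] - cv["a"][0] * guess) % Q
    return {
        "leak_is_xa_minus_xb": leak == (xs["a"] - xs["b"]) % Q,
        "original_forgery_verifies": verify_cert(id_v, rv, forged_svb, ys["b"]),
        "improved_forgery_verifies": verify_cert(id_v, cv["a"][0], forged_svb2, ys["b"]),
        "improved_genuine_verifies": all(verify_cert(id_u, r, s, ys[j]) for j, (r, s) in cu.items()),
    }
```

Under the original equation the quotient in (4) equals $x_a - x_b$ for every seed and the certificate built by (5) passes the server's check, while under (6) the distinct $k_{uj}$ no longer cancel and the same arithmetic yields a value that verifies only with probability about $1/q$.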

The improved versions of the registration phase, login phase, and verification phase are described below.

Improved registration phase: Let $Y_u = \{y_{uj} \mid y_{uj} \in Y, 1 \le j \le m\}$ denote the set of services that will be granted to user $u$. User $u$ and the CA execute the following steps together to finish the improved registration phase.

Step 1. This step is the same as Step 1 of the registration phase shown in Section 2, i.e., user $u$ chooses $x_u \in_R Z_q$ as his private key. The corresponding public key is $ID_u = g^{x_u} \bmod p$.

Step 2. For each $y_j \in Y_u$, the CA picks an integer $k_{uj} \in_R Z_q$ and computes $r_{uj} = g^{k_{uj}} \bmod p$. If $r_{uj} = 0 \bmod q$, it repeats this step. Therefore, the CA has calculated the set $R_u = \{r_{uj} \mid k_{uj} \in_R Z_q,\ r_{uj} = g^{k_{uj}} \bmod p,\ r_{uj} \neq 0 \bmod q,\ 1 \le j \le m\}$.

Step 3. Solving for $s_{uj}$ in the linear congruence equation (6), we obtain the set of signatures for the set of access rights $Y_u$, i.e., $S_u = \{s_{uj} \mid s_{uj} \text{ satisfies (6)},\ y_{uj} \in Y_u,\ 1 \le j \le m\}$.

$s_{uj} = h(r_{uj}, ID_u)\, k_{uj} + r_{uj} x_{uj} \bmod q$.   (6)

Step 4. The CA stores $ID_u$, $R_u$, $S_u$, and $Y_u$ in the smart card. The smart card then contains $x_u$, $ID_u$, $r_{uj}$, $s_{uj}$, and $y_{uj}$ ($j = 1, \ldots, m$). This card enables user $u$ to issue the request message for obtaining the service $y_{uj} \in Y_u$.

Improved login phase: Assume that at time $T$, user $u$ requires the service $y_{uj}$. He inserts his smart card into a card reader and constructs the request message $L_{uj}$. Essentially, the request message is a signature of user $u$ on the public key $ID_u$ and the desired service $y_{uj}$. The following steps describe the details of the signing procedure.

Step 1. Selects an integer $k \in_R Z_q$ and computes the quantities $r = g^k \bmod p$, $H = h(r, T, ID_u, r_{uj}, s_{uj}, y_{uj})$, and $s = (kH + x_u r) \bmod q$. If $r = 0 \bmod q$, repeats this step.

Step 2. Constructs the request message $L_{uj} = \{r, s, T, ID_u, r_{uj}, s_{uj}, y_{uj}\}$ and sends it to the server.

Improved verification phase: On receiving the request message $L_{uj}$, the server verifies two signatures: $(ID_u, r_{uj}, s_{uj})$ and $((T, ID_u, r_{uj}, s_{uj}, y_{uj}), r, s)$. The first signature is issued by the CA using the private key $x_{uj}$, and the second one is a signature signed by user $u$. A detailed description of the verification is given below. Assume that the request message $L$ arrived at time $T'$.

Step 1. Reject the request if $(T' - T)$ is greater than the legal transmission time.

Step 2. Use the equation $g^{s_{uj}} = r_{uj}^{\,h(r_{uj}, ID_u)}\, y_{uj}^{\,r_{uj}} \bmod p$ to confirm that $(ID_u, r_{uj}, s_{uj})$ is a valid certificate for the public key $ID_u$.

Step 3. Calculate the message digest $H = h(r, T, ID_u, r_{uj}, s_{uj}, y_{uj})$.

Step 4. Verify the second signature by the equation $g^s = r^H\, ID_u^{\,r} \bmod p$. Grant the service $y_{uj}$ to user $u$ if he passes Step 1 to Step 4; otherwise, deny services to user $u$.

5. Analysis of security

The security of the request message has been proven against the adaptive chosen message attack in the reviewed scheme. In this section, we attempt to prove that the access control system has the same strength of security. Every user in the system has obtained a set of signatures issued by the CA using the secret keys of the services. Lemma 1 will show that the signatures $s_{ua}$, $s_{ub}$, $s_{va}$, and $s_{vb}$ are independent of each other. Thus, the security of the access control system is reduced to the security of digital signatures. Since the digital signatures used in the improved registration phase have been proven to be secure against the adaptive chosen message attack in the schemes [5, 7-8], it follows that the improved access control has this strength of security.

Lemma 1. Assume that user $u$ has obtained signatures $s_{ua}$ and $s_{ub}$, and user $v$ has received signatures $s_{va}$ and $s_{vb}$. These signatures are mutually independent if they are calculated according to (6) in the improved registration phase.

Proof. The four signing equations are listed below.

$s_{ua} = h(r_{ua}, ID_u)\, k_{ua} + r_{ua} x_a \bmod q$   (7)

$s_{ub} = h(r_{ub}, ID_u)\, k_{ub} + r_{ub} x_b \bmod q$   (8)

$s_{va} = h(r_{va}, ID_v)\, k_{va} + r_{va} x_a \bmod q$   (9)

$s_{vb} = h(r_{vb}, ID_v)\, k_{vb} + r_{vb} x_b \bmod q$   (10)

The four numbers $k_{ua}$, $k_{ub}$, $k_{va}$, and $k_{vb}$ are selected randomly from $Z_q$; therefore, they are mutually independent. Consequently, $s_{ua}$, $s_{ub}$, $s_{va}$, and $s_{vb}$ are also mutually independent. □

Lemma 2. The signatures issued to users are mutually independent with overwhelming probability.

Proof. Assume that there are $n$ users and each user has no more than $m$ access rights. Hence, Lemma 1 holds true if $mn \ll q$. □

Lemma 3. The security of the access control system can be reduced to the security of digital signatures.

Proof. Assume that the check on the difference between the timestamps $T'$ and $T$ (Step 1) is sufficient to safeguard the improved scheme from replay attacks (a three-move identification protocol could be used when in doubt about the security of using timestamps). The security of the request message (Steps 3 and 4) has been proven in scheme [5]. Therefore, the security of the access control system is reduced to verifying the certificates in Step 2. A valid certificate $(ID_u, r_{uj}, s_{uj})$ is a necessary condition for the server to grant service $y_j$ to user $u$. However, to forge a valid certificate is to forge a signature $s_{uj}$. Thus, we have proven this lemma. □

Theorem 4. The access control system is secure against the adaptive chosen message attack.

Proof. The digital signatures generated by (6) have been proven to be secure against the adaptive chosen message attack [5, 7-8]. Hence, Theorem 4 is proven by Lemma 3. □

6. Conclusions

It has been shown that the users in the reviewed scheme can deduce the differences between private keys. With this information, users are able to counterfeit certificates so as to intrude into the access control system. An improvement to remedy this flaw is proposed. The improvement is proven to be secure under the adaptive chosen message attack. Thus, the improvement not only mends a flaw, but also protects the scheme from other undetected flaws.

References

1. A. Silberschatz, P. B. Galvin, and G. Gagne, "Operating Systems Concepts," Sixth Edition, John Wiley & Sons, 2001.
2. L. Lamport, "Password authentication with insecure communication," Communications of the ACM, Vol. 24, pp. 770-772, 1981.
3. L. Harn and H. N. Lin, "Integration of user authentication and access control," IEE Proceedings-E, 139, (2), pp. 139-143, 1992.
4. N. Y. Lee, "Integrating access control with user authentication using smart cards," IEEE Transactions on Consumer Electronics, 46, (4), pp. 943-948, 2000.
5. F. Y. Yang and J. K. Jan, "A provable access control using smart cards," IEEE Transactions on Consumer Electronics, 49, (4), pp. 1223-1226, 2003.
6. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal on Computing, Vol. 17, No. 2, pp. 281-308, 1988.
7. D. Pointcheval and J. Stern, "Security proofs for signature schemes," Advances in Cryptology-EUROCRYPT'96, LNCS 1070, pp. 387-398, 1996.
8. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, Vol. 13, No. 3, pp. 361-396, 2000.