Improvement on a Provable Secure Access Control using Smart Cards
Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

… the CA, each user can apply to the servers for some access services. There are four phases in the implementation, i.e., the initialization phase, registration phase, login phase, and verification phase. The details are described as follows.

Initialization phase: The CA chooses and publishes a large prime number p such that (p − 1) has a large prime factor q. Let g be an element of Z*p = {1, 2, …, (p − 1)} whose order is q. A collision-free hash function h(·) maps an arbitrary bit string to a bit string of fixed length k, i.e., h(·): {0, 1}* → {0, 1}^k. Assume that the system includes n access rights. For each access right i, CA generates a secret number xi ∈R Zq and uses it to compute yi = g^{xi} mod p, where the symbol a ∈R b denotes that the element a is chosen randomly from the set b. Therefore, the access rights managed by CA are essentially the two sets X = {xi | xi ∈R Zq} and Y = {yi | yi = g^{xi} mod p}, where 0 < i < (n + 1).

Registration phase: Assume that CA wants to grant a set of m access rights to user u. Let Yu denote this set of authorized access rights; then Yu ⊆ Y and Yu = {yuj | yuj ∈ Y}, where 0 < j < (m + 1). The CA and the user cooperatively execute the following steps to complete the registration phase.

Step 1. User u selects a number xu ∈R Zq as his private key. The corresponding public key is IDu = g^{xu} mod p. The user stores xu in a smart card and registers IDu in the access control system.
Step 2. CA picks an integer ku ∈R Zq and computes ru = g^{ku} mod p. If ru ≡ 0 mod q, CA repeats Step 2.
Step 3. CA computes the quantities Suj from the linear congruence equation

Suj = h(ru, IDu) ku + ru xuj mod q, (1)

where j = 1, …, m.
Step 4. CA stores IDu, ru, Suj, and yuj in the smart card. The smart card then contains xu, IDu, ru, Suj, and yuj (j = 1, …, m). This card enables user u (user IDu) to issue a request message for obtaining the service yuj ∈ Yu.

Login phase: User u attaches his smart card to a terminal and conducts the following steps whenever he wants to enter the service yuj at time T.
Step 1. Chooses an integer k ∈R Zq and computes the quantities r = g^k mod p, H = h(r, T, IDu, ru, Suj, yuj), and s = (k H + xu r) mod q. If r ≡ 0 mod q, repeats this step.
Step 2. Constructs the message L = {r, s, T, IDu, ru, Suj, yuj} and sends it to the server.

Verification phase: In fact, L contains two signatures: (IDu, ru, Suj) and ((T, IDu, ru, Suj, yuj), r, s). The first signature is a certificate issued by CA to certify the identity of user u. The second one is signed by user u on the message (T, IDu, ru, Suj, yuj) in order to acquire the service yuj. Therefore, the verification phase consists of two procedures that check whether these two signatures are valid. The server performs the following computations to conclude the verification process. Assume that the request message L arrived at time T'.
Step 1. Checks whether (T' − T) is less than the legal transmission time. If not, rejects the request.
Step 2. Uses the equation g^{Suj} = ru^{h(ru, IDu)} yuj^{ru} mod p to confirm that (IDu, ru, Suj) is a valid certificate.
Step 3. Calculates H = h(r, T, IDu, ru, Suj, yuj).
Step 4. Uses the equation g^s = r^H IDu^r mod p to prove that the second signature was signed by user u. Accepts user u as legal and grants him the service yuj if both equations hold; otherwise, denies the service to user u.

3. Cryptanalysis of the scheme reviewed

Although the scheme in [5] treats the security of a request message rigorously, it does not discuss the security of the access control itself. This section proposes an attack on the access control. From the initialization phase, for each service yi the secret parameter xi is the same for all users. Assume that user u has been granted the services ya and yb. Hence (2), (3), and (4) are obtained:

Sua = h(ru, IDu) ku + ru xa mod q, (2)
Sub = h(ru, IDu) ku + ru xb mod q, (3)
xa − xb = (Sua − Sub) / ru mod q. (4)

By intercepting the request messages Lua = {r', s', T', IDu, ru, Sua, yua} and Lub = {r'', s'', T'', IDu, ru, Sub, yub}, anyone can calculate the quantity (xa − xb) using (4). Assume that another user v has obtained the service ya. Then user v can calculate the quantity Svb in the following way:

xa − xb = (Sua − Sub) / ru = (Sva − Svb) / rv mod q,
Svb = Sva − rv (Sua − Sub) / ru mod q. (5)

By (5), user v successfully calculates the quantity Svb, which is the CA's signature on the service yb and the identity IDv. Using the same method, if user u colludes with user v, user u can transfer all services granted by CA to user v. This result violates the security of access control.

4. Improvement in the reviewed scheme

From (2) and (3), it can be seen that CA uses the same random number ku to issue signatures on every service granted to user u. The unknown variable ku can thus be cancelled out as shown in (4). The cancellation of ku leaks information, namely the difference between the secret keys xa and xb. Therefore, the signing equation used in the registration phase must be modified so that the unknown variable ku cannot be eliminated.
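As an added worked example (not code from the paper), the following toy-sized reproduction shows the cancellation of ku in (2)-(5) and that issuing each service certificate under its own nonce, as Section 4 requires, stops both the recovery of xa − xb and the transferred certificate Svb passing the server's check. The primes p = 2039, q = 1019, the generator, the seeded random choices and the reduction of SHA-256 mod q are constructed assumptions.

```python
import hashlib
import random

P, Q = 2039, 1019   # constructed toy primes with Q | (P - 1); far too small for real use
G = pow(2, 2, P)    # 4 is a quadratic residue mod P, so it has order Q

def h(*parts):
    """Hash into Z_Q (reducing SHA-256 mod Q is our assumption, not the paper's h)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def nonce(rng):
    """Pick k in Z_Q such that r = g^k mod p is not 0 mod q (the paper's condition)."""
    while True:
        k = rng.randrange(1, Q)
        if pow(G, k, P) % Q != 0:
            return k

def ca_sign(k, id_u, x_service):
    """CA certificate (r, s): s = h(r, ID_u) k + r x (mod q), equations (1) and (6)."""
    r = pow(G, k, P)
    return r, (h(r, id_u) * k + r * x_service) % Q

def server_check(id_u, r, s, y_service):
    """Server's Step 2: g^s == r^h(r, ID_u) * y^r (mod p)."""
    return pow(G, s, P) == pow(r, h(r, id_u), P) * pow(y_service, r, P) % P

def key_difference(r_u, s_ua, s_ub):
    """Equation (4): what anyone seeing two of u's certificates under one r_u computes."""
    return (s_ua - s_ub) * pow(r_u, -1, Q) % Q

def transfer_certificate(r_v, s_va, diff):
    """Equation (5): v rewrites its certificate for service a into one for service b."""
    return (s_va - r_v * diff) % Q

def demo(reuse_nonce, seed=2004):
    """Register u (services a, b) and v (service a); return (leak found?, S_vb verifies?)."""
    rng = random.Random(seed)                    # seeded so a run is reproducible
    x_a, x_b = rng.randrange(1, Q), rng.randrange(1, Q)   # CA's secret keys for a and b
    y_b = pow(G, x_b, P)
    id_u, id_v = pow(G, rng.randrange(1, Q), P), pow(G, rng.randrange(1, Q), P)
    k_ua = nonce(rng)
    k_ub = k_ua if reuse_nonce else nonce(rng)   # reviewed scheme (1) vs improved (6)
    r_ua, s_ua = ca_sign(k_ua, id_u, x_a)
    r_ub, s_ub = ca_sign(k_ub, id_u, x_b)
    r_v, s_va = ca_sign(nonce(rng), id_v, x_a)   # v legitimately holds service a only
    diff = key_difference(r_ua, s_ua, s_ub)      # exact only when r_ua == r_ub
    s_vb = transfer_certificate(r_v, s_va, diff)
    return diff == (x_a - x_b) % Q, server_check(id_v, r_v, s_vb, y_b)
```

demo(True) returns (True, True): with the shared ku the difference is exact and the derived Svb passes the server's check; demo(False) returns (False, False) once every certificate carries its own kuj.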
The improved versions of the registration phase, login phase, and verification phase are described below.

Improved registration phase: Let Yu = {yuj | yuj ∈ Y, 1 ≤ j ≤ m} denote the set of services that will be granted to user u. User u and CA execute the following steps together to finish the improved registration phase.
Step 1. This step is the same as Step 1 of the registration phase shown in Section 2, i.e., user u chooses xu ∈R Zq as his private key. The corresponding public key is IDu = g^{xu} mod p.
Step 2. For each yj ∈ Yu, CA picks an integer kuj ∈R Zq and computes ruj = g^{kuj} mod p. If ruj ≡ 0 mod q, CA repeats this step. Therefore, CA has calculated the set Ru = {ruj | kuj ∈R Zq, ruj = g^{kuj} mod p, ruj ≢ 0 mod q, and 1 ≤ j ≤ m}.
Step 3. Solving for suj in the linear congruence equation (6), we obtain the set of signatures for the set of access rights Yu, i.e., Su = {suj | suj satisfies (6), yuj ∈ Yu, and 1 ≤ j ≤ m}.

suj = h(ruj, IDu) kuj + ruj xuj mod q. (6)

Step 4. CA stores IDu, Ru, Su, and Yu in the smart card. The smart card then contains xu, IDu, ruj, suj, and yuj (j = 1, …, m). This card enables user u to issue the request message for obtaining the service yuj ∈ Yu.

Improved login phase: Assume that at time T, user u requires the service yuj. He inserts his smart card into a card reader and constructs the request message Luj. Essentially, the request message is a signature of user u on the public key IDu and the desired service yuj. The following steps describe the details of the signing procedure.
Step 1. Selects an integer k ∈R Zq and computes the quantities r = g^k mod p, H = h(r, T, IDu, ruj, suj, yuj), and s = (k H + xu r) mod q. If r ≡ 0 mod q, repeats this step.
Step 2. Constructs the request message Luj = {r, s, T, IDu, ruj, suj, yuj} and sends it to the server.

Improved verification phase: On receiving the request message Luj, the server verifies two signatures: (IDu, ruj, suj) and ((T, IDu, ruj, suj, yuj), r, s). The first signature is issued by CA using the private key xuj, and the second one is a signature signed by user u. A detailed description of the verification is given below. Assume that the request message Luj arrived at time T'.
Step 1. Reject the request if (T' − T) is greater than the legal transmission time.
Step 2. Use the equation g^{suj} = ruj^{h(ruj, IDu)} yuj^{ruj} mod p to confirm that (IDu, ruj, suj) is a valid certificate for the public key IDu.
Step 3. Calculate the message digest H = h(r, T, IDu, ruj, suj, yuj).
Step 4. Verify the second signature by the equation g^s = r^H IDu^r mod p. Grant the service yuj to user u if he passes Step 1 to Step 4; otherwise, deny the service to user u.

5. Analysis of security

The security of the request message has been proven to be secure against the adaptive chosen message attack in the reviewed scheme. In this section, an attempt is made to prove that the access control system has the same strength of security. Every user in the system has obtained a set of signatures issued by CA using the secret keys of services. Lemma 1 will show that the signatures sua, sub, sva, and svb are independent of each other. Thus, the security of the access control system is reduced to the security of digital signatures. Since the digital signatures used in the improved registration phase have been proven to be secure against the adaptive chosen message attack in the schemes [5, 7-8], it is proven that the improved access control has this strength of security.

Lemma 1. Assume that user u has obtained signatures sua and sub, and user v has received signatures sva and svb. These signatures are mutually independent if they are calculated according to (6) in the improved registration phase.
Proof. The four signing equations are listed below.

sua = h(rua, IDu) kua + rua xa mod q, (7)
sub = h(rub, IDu) kub + rub xb mod q, (8)
sva = h(rva, IDv) kva + rva xa mod q, (9)
svb = h(rvb, IDv) kvb + rvb xb mod q. (10)

The four numbers kua, kub, kva, and kvb are selected randomly from Zq; therefore, they are mutually independent. Consequently, sua, sub, sva, and svb are also mutually independent. □

Lemma 2. The signatures issued to users are mutually independent with overwhelming probability.
Proof. Assume that there are n users and each user has no more than m access rights. Hence, Lemma 1 holds true if mn << q. □

Lemma 3. The security of the access control system can be reduced to the security of digital signatures.
Proof. Assume that the check on the difference between the timestamps T' and T (Step 1) is sufficient to safeguard the improved scheme from replay attacks (a three-move identification protocol could be used when in doubt about the security of using timestamps). The security of the request message (Steps 3 and 4) has been proven in scheme [5]. Therefore, the security of the access control system is reduced to verifying the certificates in Step 2. A valid certificate (IDu, ruj, suj) is a necessary condition for the server to grant service yj to user u. However, to forge a valid certificate is to forge a signature suj. Thus, we have proven this lemma. □

Theorem 4. The access control system is secure against the adaptive chosen message attack.
Proof. The digital signatures generated by (6) have been proven to be secure against the adaptive chosen message attack [5, 7-8]. Hence, Theorem 4 is proven by Lemma 3. □

6. Conclusions

It has been shown that the users in the reviewed scheme can deduce the differences between private keys. With this information, users are able to counterfeit certificates so as to intrude into the access control system. An improvement to remedy this flaw is proposed. The improvement is proven to be secure under the adaptive chosen message attack. Thus, the improvement not only mends a flaw, but also protects the scheme from other undetected flaws.

References
1. A. Silberschatz, P. B. Galvin, and G. Gagne, "Operating System Concepts," Sixth Edition, John Wiley & Sons, 2001.
2. L. Lamport, "Password authentication with insecure communication," Communications of the ACM, Vol. 24, pp. 770-772, 1981.
3. L. Harn and H. N. Lin, "Integration of user authentication and access control," IEE Proceedings-E, Vol. 139, No. 2, pp. 139-143, 1992.
4. N. Y. Lee, "Integrating access control with user authentication using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 943-948, 2000.
5. F. Y. Yang and J. K. Jan, "A provable access control using smart cards," IEEE Transactions on Consumer Electronics, Vol. 49, No. 4, pp. 1223-1226, 2003.
6. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal on Computing, Vol. 17, No. 2, pp. 281-308, 1988.
7. D. Pointcheval and J. Stern, "Security proofs for signature schemes," Advances in Cryptology - EUROCRYPT '96, LNCS 1070, pp. 387-398, 1996.
8. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, Vol. 13, No. 3, pp. 361-396, 2000.