跳到主要內容

臺灣博碩士論文加值系統

(44.192.22.242) 您好!臺灣時間:2021/07/31 10:14
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果 :::

詳目顯示

: 
twitterline
研究生:鍾鎬戎
研究生(外文):Hao-Rung Chung
論文名稱:遠端使用者通行碼身份認證方法之弱點與改進以及攻擊之正規化分析
論文名稱(外文):Weaknesses and Improvements of Remote User Password Authentication Schemes and Formal Analysis of Attacks
指導教授:林振緯顧維祺顧維祺引用關係
學位類別:碩士
校院名稱:輔仁大學
系所名稱:資訊工程學系
學門:工程學門
學類:電資工程學類
論文種類:學術論文
論文出版年:2007
畢業學年度:95
語文別:英文
論文頁數:86
中文關鍵詞:通行碼身份認證智慧卡假冒發起者攻擊假冒回應者攻擊正規分析
外文關鍵詞:password authenticationsmart cardimpersonation-of-initiator attackimpersonation-of-responder attackformal analysis
相關次數:
  • 被引用被引用:0
  • 點閱點閱:149
  • 評分評分:
  • 下載下載:16
  • 收藏至我的研究室書目清單書目收藏:0
遠端使用者身份認證是資訊安全中最重要的議題之一,而通行碼身份認證方法則是目前常見的遠端使用者身份認證方法。現今通行碼身份認證方法可依是否採用智慧卡機制而分為兩類,使用智慧卡之通行碼身份認證設計通常能夠抵擋竊取或篡改通行碼驗證資訊類的攻擊,而非使用智慧卡之通行碼身份認證設計因容易建置且成本不高,故可視為使用者身份認證機制中最簡單方便的設計。至今關於改進通行碼身份認證設計的研究不斷被提出且各有其優點,然而,我們發現許多新的設計仍有安全弱點與實用上的缺點。在本論文中,我們首先分析五套最近被提出的使用智慧卡之通行碼身份認證設計:我們發現 (1) Lin與Lai的設計無法抵擋假冒攻擊與內部者攻擊;(2) Yoon與Yoo的設計無法抵擋智慧卡遭竊攻擊與內部者攻擊,且其可修復性較差;(3) Chen、Tsai與Horng的兩套設計無法抵擋假冒攻擊與智慧卡遭竊攻擊,且其可修復性較差;(4) Wang等人的設計無法抵擋假冒攻擊與離線猜測攻擊,且其可修復性較差,也無法提供完美的向前保密性。接著,我們分析兩套非使用智慧卡之通行碼身份認證設計:我們發現 (1) Chang、Yang與Hwang的設計無法抵擋阻斷服務攻擊;(2) Lu與Cao的設計無法抵擋假冒發起者攻擊、假冒回應者攻擊與中間人攻擊。之後,我們各提出ㄧ套使用智慧卡之通行碼身份認證設計與非使用智慧卡之通行碼身份認證設計,並且說明此兩套改進的通行碼身份認證設計較現有類似的通行碼身份認證設計有更佳的安全性及實用性。此外,由於正規分析方法已逐漸受到重視,有越來越多的通行碼身份認證設計經由正規分析方法發現其潛在的不安全性,在本論文的最後,我們以正規分析方法描述Lu與Cao的設計所無法抵擋的攻擊,藉此進ㄧ步地說明此設計並不能達成正規模型中所定義的安全目標。
Existing password-based authentication schemes can be categorized into the password authentication scheme using smart cards and the password authentication scheme without using smart cards. The password authentication scheme using smart cards usually can avoid possible attacks on verification table. On the other hand, the password authentication scheme without using smart cards is one of the simplest user authentication mechanisms as its inexpensiveness, convenience, and easy implementation. Up to now, many password authentication schemes have been proposed, and each has its pros and cons. However, we find that several newly published schemes still have several weaknesses and drawbacks. In this thesis, we first analyze five new password authentication schemes using smart cards: We show that (1) Lin-Lai’s scheme is vulnerable to an impersonation attack and an insider attack; (2) Yoon-Yoo’s scheme is vulnerable to a stolen smart card attack and an insider attack, and is not easily reparable; (3) two Chen-Tsai-Horng’s schemes are vulnerable to an impersonation attack and a stolen smart card attack, and are not easily reparable; (4) Wang et al.’s scheme is vulnerable to an impersonation attack and an off-line password guessing attack, and is not easily reparable and fails to provide perfect forward secrecy. Next, we analyze two new password authentication schemes without using smart cards: We show that (1) Chang-Yang-Hwang’s scheme is vulnerable to a denial-of-service attack; (2) Lu-Cao’s scheme is vulnerable to an impersonation-of-initiator attack, an impersonation-of-responder attack and a man-in-the-middle attack. And then, we propose an improved password authentication scheme using smart cards and an improved password authentication scheme without using smart cards. Furthermore, we compare the two improved schemes with several similar schemes with respect to security and practicability, respectively. As more and more password authentication schemes have been found to be flawed by using formal analysis, formal analysis approaches should be credited for demonstrating insecurities in flawed schemes. Finally, we further employ a formal model to interpret our attacks on Lu-Cao’s scheme to show that Lu-Cao’s scheme cannot achieve the security definition of the formal model.
Chapter 1. Introduction 1
Chapter 2. Cryptanalysis of New Schemes Using Smart Cards 8
2.1 Lin-Lai’s scheme 8
2.1.1 Review of Lin-Lai’s scheme 9
2.1.2 Cryptanalysis of Lin-Lai’s scheme 11
2.2 Yoon-Yoo’s scheme 13
2.2.1 Review of Yoon-Yoo’s scheme 14
2.2.2 Cryptanalysis of Yoon-Yoo’s scheme 16
2.3 Chen-Tsai-Horng’s schemes 18
2.3.1 Review of Chen-Tsai-Horng’s scheme-1 19
2.3.2 Review of Chen-Tsai-Horng’s scheme-2 21
2.3.3 Cryptanalysis of Chen-Tsai-Horng’s schemes 23
2.4 Wang et al.’s scheme 26
2.4.1 Review of Wang et al.’s scheme 27
2.4.2 Cryptanalysis of Wang et al.’s scheme 30
Chapter 3. Cryptanalysis of New Schemes Without Using Smart Cards 35
3.1 Chang-Yang-Hwang’s scheme 35
3.1.1 Review of Chang-Yang-Hwang’s authenticated key agreement scheme 36
3.1.2 Cryptanalysis of Chang-Yang-Hwang’s authenticated key agreement scheme 38
3.2 Lu-Cao’s scheme 40
3.2.1 Review of Lu-Cao’s S-3PAKE scheme 40
3.2.2 Cryptanalysis of Lu-Cao’s S-3PAKE scheme 43
Chapter 4. Improved Schemes 48
4.1 An improved password authentication scheme using smart cards 48
4.1.1 The improved scheme using smart cards 48
4.1.2 Cryptanalysis of the improved scheme using smart cards 55
4.1.3 Comparisons 59
4.2 An improved password authentication scheme without using smart cards 60
4.2.1 The improved scheme without using smart cards. 60
4.2.2 Cryptanalysis of the improved scheme without using smart cards 63
4.2.3 Comparisons 65
Chapter 5. Formal Analysis of Attacks 67
5.1 Formal model for Lu-Cao’s scheme 68
5.1.1 Characteristics of the participating entities 68
5.1.2 The capabilities of the adversary 69
5.1.3 Security definition 71
5.1.4 Description of Lu-Cao’s scheme 72
5.2 Formal analysis of Lu-Cao’s scheme 74
5.2.1 Impersonation-of-initiator attack 74
5.2.2 Impersonation-of-responder attack 75
5.2.3 Man-in-the-middle attack 76
Chapter 6. Conclusion 78
References 80
Publications List 86
[AP05]M. Abdalla and D. Pointcheval, “Simple password-based encrypted key exchange protocols,” Proceedings of CT-RSA’05, LNCS, vol. 3376, pp.191–208, 2005.
[BM92]S. M. Bellovin and M. Merritt. “Encrypted key exchange: Password-based protocols secure against dictionary attacks,” Proceedings of 1992 IEEE Symposium on Research in Security and Privacy, pp.72–84, 1992.
[BPR00]M. Bellare, P. Pointcheval, and P. Rogaway, “Authenticated key exchange against dictionary attacks,” Proceedings Eurocrypt’00, LNCS, pp.122–138, 2000.
[BR93a]M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” Proceedings First ACM Annual Conference on Computer and Communications Security, pp.62–73, 1993.
[BR93b]M. Bellare and P. Rogaway, “Entity authentication and key distribution,” Proceedings of Crypto’93, LNCS, pp.232–249, 1993.
[BR95]M. Bellare and P. Rogaway, “Provably secure session key distribution: The three party case,” Proceedings of 27th ACM Symposium on the Theory of Computing, pp.57–66, 1995.
[CBH06]K.-K. Choo, C. Boyd, and Y. Hitchcock, “The importance of proofs of security for key establishment protocols: Formal analysis of Jan-Chen, Yang-Shen-Shieh, Kim-Huh-Hwang-Lee, Lin-Sun-Hwang, and Yeh-Sun protocols,” Computer Communications, vol. 29, issue 15, pp. 2788–2797, Sep. 2006.
[CC00]C. K. Chan and L. M. Cheng, “Cryptanalysis of a remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 46, no. 4, pp. 992-993, Nov. 2000.
[CH03]C. C. Chang and K. F. Hwang, “Some forgery attacks on a remote user authentication scheme using smart cards,” Informatics, vol. 14, no. 3, pp. 289-294, 2003.
[CJT02]H. Y. Chien, J. K. Jan, and Y. M. Tseng, “An efficient and practical solution to remote authentication: smart card,” Computers & Security, vol. 21, issue 4, pp. 372-375, Aug. 2002.
[CL92]C. C. Chang and C. S. Laih, “Correspondence: Remote password authentication with smart cards,” IEE Proceedings-E, vol. 139, no. 4, pp. 372, July 1992.
[CTH06]T. H. Chen, D. Tsai, and G. Horng, “Secure user-friendly remote authentication schemes,” Information & Security, An International Journal, vol. 18, pp. 111-121, 2006.
[CW91]C. C. Chang and T. C. Wu, “Remote password authentication with smart cards,” IEE Proceedings-E, vol. 138, no. 3, pp. 165-168, May 1991.
[CYH05]T. Y. Chang, W. P. Yang, and M. S. Hwang, “Simple authenticated key agreement and protected password change protocol,” Computers & Mathematics with Applications, vol. 49, issues 5-6, pp. 703-714, April-May 2005.
[DH95]Y. Ding and P. Horster, “Undetectable on-line password guessing attacks,” ACM SIGOPS Operating Systems Review, vol. 29 issue 4, pp.77-89, Oct. 1995.
[DOW92]W. Diffie, P. C. Van Oorschot, and M. J. Wiener, “Authentication and authenticated key exchanges,” Designs Codes and Cryptography, vol. 2, no. 2, pp. 107-125, June 1992.
[E85]T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469-472, July 1985.
[FCZ05]C. I. Fan, Y. C. Chan, and Z. K. Zhang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, issue 8, pp. 619-628, Nov. 2005.
[G92]L. Gong, “A security risk of depending on synchronized clocks,” ACM SIGOPS Operating Systems Review, vol. 26, issue 1, pp. 49-53, Jan. 1992.
[H04]C. L. Hsu, “Security of Chien et al.’s remote user authentication scheme using smart cards,” Computer Standards & Interfaces, vol. 26, issue 3, , pp. 167-169, May 2004.
[H05]C. L. Hsu, “A user friendly remote authentication scheme with smart cards against impersonation attacks,” Applied Mathematics & Computation, vol. 170, issue 1, pp. 135-143, Nov. 2005.
[HCL90]T. Hwang, Y. Chen, and C. S. Laih, “Non-interactive password authentications without password tables,” Proceedings of IEEE Region 10 Conference on Computer and Communication Systems, Hong Kong, pp. 429-431, Sep. 1990.
[HK95]T. Hwang and W. C. Ku, “Reparable key distribution protocols for internet environments,” IEEE Transactions on Communications, vol. 43, no. 5, pp. 1947-1979, May 1995.
[HL00]M. S. Hwang and L. H. Li, “A new remote user authentication scheme using smart card,” IEEE Transactions on Consumer Electronics, vol. 46, no. 1, pp. 28-30, Feb. 2000.
[HL05]K. F. Hwang and I. E. Liao, “Two attacks on a user friendly remote authentication scheme with smart cards,” ACM SIGOPS Operating Systems Review, vol. 39, issue 2, pp. 94-96, April, 2005.
[HLL07]T. Hwang, K. C. Lee, and C. M. Li, “Provably secure three-party authenticated quantum key distribution protocols,” IEEE Transactions on Dependable and Secure Computing, vol. 4, issue 1, pp. 71–80, 2007.
[HTS03]B. T. Hsieh, H. T. Yeh, and H. M. Sun “Cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards,” Proceedings of IEEE 37th Annual 2003 International Carnahan Conference on Security Technology, pp. 349–350, Oct. 2003.
[KC04]W. C. Ku and S. M. Chen, “Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204-207, Feb. 2004.
[KJJ99]P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” Proceedings of CRYPTO’99, pp. 388-397, 1999.
[L03]C. L. Lin, Provably secure password authenticated key exchanges, National Cheng Kung University, 2003.
[LC05]N. Y. Lee and Y. C. Chiu, “Improved remote authentication scheme with smart card,” Computer Standards & Interfaces, vol. 27, issue 2, pp. 177-180, Jan. 2005.
[LC07]R. Lu and Z. Cao, “Simple three-party key exchange protocol,” Computers & Security, vol. 26, issue 1, pp. 94-97, Feb. 2007.
[LHL07]T. F. Lee, T. Hwang, and C. L. Lin, “Enhanced three-party encrypted key exchange without server public keys,” Computers & Security, vol. 23, issue 7, pp. 571-577, Oct. 2004.
[LL04a]C. H. Lin and Y. Y. Lai, “A fingerprint-based user authentication scheme for multimedia systems,” Proceedings of IEEE International Conference on Multimedia and Expo, vol. 2, pp. 935-938, June, 2004.
[LL04b]C. H. Lin and Y. Y. Lai, “A flexible biometrics remote user authentication scheme,” Computer Standards & Interfaces, vol. 27, issue 1, pp. 19-23, Nov. 2004.
[LLC05]C. Y. Lee, C. H. Lin, and C. C. Chang, “An improved low computation cost user authentication scheme for mobile communication,” Proceedings of IEEE 19th International Conference on Advanced Information Networking and Applications, vol. 2, pp. 249-252, March 2005.
[LLH06]I. E. Liao, C. C. Lee, and M. S. Hwang, “A password authentication scheme over insecure networks,” Journal of Computer and System Sciences, vol. 72, issue 4, pp. 727-740, June 2006.
[LRY02]J. K. Lee, S. R. Ryu, and K.Y. Yoo, “Fingerprint-based remote user authentication scheme using smart cards,” Electronics Letters, vol. 38, issue 12, pp. 554-555, June 2002.
[LSH00]C. L. Lin, H. M. Sun, and T. Hwang, “Three-party encrypted key exchange: attacks and a solution,” ACM SIGOPS Operating Systems Review, vol. 34, issue 4, pp. 12-20, Oct. 2000.
[LSSH01]C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang, “Three-party encrypted key exchange without server public-keys,” Communications Letters, vol. 5, issue 12, pp. 497–499, Dec. 2001.
[M89]C. Mitchell, “Limitations of challenge-response entity authentication,” Electronics Letters, vol. 25, no. 17, pp. 1195-1196, Aug. 1989.
[MDS02]T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-card security under the threat of power analysis attacks,” IEEE Transactions on Computers, vol. 51, no. 5, pp. 541-552, May 2002.
[NLKW07]J. Nam, Y. Lee, S. Kim, and D. Won, “Security weakness in a three-party pairing-based protocol for password authenticated key exchange,” Information Sciences, vol. 177, issue 6, pp. 1376-1375, March 2007.
[S00a]H. M. Sun, “An efficient remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 46, no. 4, pp. 958-961, Nov. 2000.
[S00b]H. Sun, “On the security of simple authenticated key agreement algorithm,” Proceedings of the Management Theory Workshop, 2000.
[SLH03]J. J. Shen, C. W. Lin, and M. S. Hwang, “A modified remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 49, no. 2, pp. 414-416, May 2003.
[SS99]D. Seo and P. Sweeney, “Simple authenticated key agreement algorithm,” IEE Electronics Letters, vol. 35 no. 13, pp. 1073-1074, 1999.
[STW95]M. Steiner, G. Tsudik, and M. Waidner, “Refinement and extension of encrypted key exchange,” ACM SIGOPS Operating Systems Review, vol. 29, issue 3, pp. 22-30, July 1995.
[T00]Y. M. Tseng, “Weakness in simple authenticated key agreement protocol,” Electronics Letters, vol. 36 no. 1, pp. 48-49, 2000.
[WC03]S. T. Wu and B. C. Chieu, “A user friendly remote authentication scheme with smart cards,” Computers & Security, vol. 22, issue 6, pp. 547-550, 2003.
[WC96]S. J. Wang and J. F. Chang, “Smart card based secure password authentication scheme,” Computers & Security, vol. 15, issue 3, pp. 231-237, 1996.
[WLH05]H. A. Wen, T. F. Lee, and T. Hwang, “Provably secure three-party password-based authenticated key exchange protocol using Weil pairing,” IEE Proceedings Communications, vol. 152, issue 2, pp. 138-143, 2005.
[WLH06]H. A. Wen, C. L. Lin, and T. Hwang, “Provably secure authenticated key exchange protocols for low power computing clients,” Computers & Security, vol. 25 issue 2, pp. 106-113, March 2006.
[WZZK07]X. M. Wang, W. F. Zhang, J. S. Zhang, and M. K. Khan, “Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards,” Computer Standards & Interfaces, vol. 29, issue 5, pp. 507-512, July 2007.
[YRY04]E. J. Yoon, E. K. Ryu, and K. Y. Yoo, “Further improvement of an efficient password based remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 612-614, May 2004.
[YS02]H. T. Yeh and H. M. Sun, “Simple authenticated key agreement protocol resistant to password guessing attacks,” ACM SIGOPS Operating Systems Review, vol. 36 issue 4, pp. 14-22, Oct. 2002.
[YSH04]H. T. Yeh, H. M. Sun, and B. T. Hsieh, “Security of a remote user authentication scheme using smart cards,” IEICE Transactions on Communications, vol. E87-B, no. 1, pp. 192-194, Jan. 2004.
[YW04]C. C. Yang and R. C. Wang, “Cryptanalysis of a user friendly remote authentication scheme with smart cards,” Computers & Security, vol. 23, issue 5, pp. 425-427, July 2004.
[YY06]E. J. Yoon and K. Y. Yoo, “A forgery attack on a low computation cost,” International Journal of Network Security, vol.3, no.1, pp.51–53, July 2006.
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top
無相關期刊