National Digital Library of Theses and Dissertations in Taiwan
Graduate student: Wei-Han Chen (陳洧漢)
Thesis title: Cryptanalysis on Anonymous Identity Authentication Protocols Using Chip Cards and RFID Tags (使用晶片卡與射頻標籤的匿名身份驗證協定之安全分析)
Advisor: Hsi-Chung Lin (林熙中)
Oral defense committee: Sung-Ming Yen (顏嵩銘), Hsi-Chung Lin (林熙中), En-Yi Jian (簡恩義)
Oral defense date: 2011-06-28
Degree: Master's
Institution: Aletheia University (真理大學)
Department: Department of Computer Science and Information Engineering, Master's Program
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2011
Graduation academic year: 99
Language: Chinese
Number of pages: 75
Keywords: Identity authentication protocol; Anonymity; Chip cards; RFID tags; Tracing attack; Impersonation attack; Tag-destroy attack
Electronic identity authentication is a widely used technology in modern life for effectively controlling limited resources. Moreover, to protect the privacy of users, the design of identity authentication protocols with anonymity has been a popular research topic in recent years.
In 2004, Das et al. introduced the idea of dynamic identity to ensure that authentication messages do not reveal the user's identity information. In 2009, Wang et al. pointed out that Das et al.’s identity authentication protocol is insecure and proposed an improved protocol, which they claimed to be more secure and efficient. In this thesis, we propose an impersonation attack against Wang et al.’s protocol. First, an attacker can modify the timestamp in a login request message and then log in to the server at any time, free of the validity limit that the original timestamp imposes on the login request. Furthermore, the attacker can impersonate any legitimate user and log in to the server. Overall, in the proposed attack the attacker controls both the timestamp and the identity, causing great harm to Wang et al.’s protocol.
Dynamic identity may protect the privacy of users if the protocol is properly designed; however, data synchronization between a user and a verifier is a major problem in implementation. In 2008, Liao and Tzeng proposed a new type of RFID identity authentication protocol that cleverly uses a small amount of temporary storage to ensure that a user and a verifier can re-synchronize after a failed transaction. In this thesis, we propose tracing attacks against Liao and Tzeng’s protocol. The attack destroys the synchronization between an RFID tag and the database, forcing the identity information, which is supposed to be updated dynamically, to stop updating; this makes it possible to track a tag and compromises the location privacy of the tag (or the tag holder). We also propose a possible countermeasure in this thesis.
The authentication protocols discussed above are all designed for a single-server environment; a user who needs to access resources provided by several servers must register with each of them, which is very inconvenient. In 2010, Juang et al. tried to resolve this issue by proposing an identity authentication protocol for the multi-server environment. However, we found that Juang et al.’s identity authentication protocol is insecure against a tracing attack, a tag-destroy attack, and an impersonation attack by a malicious server.

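Chapter 1 Introduction
1.1 Research Background
1.2 Research Contributions
Chapter 2 Background on Anonymous Identity Authentication Protocols
2.1 Literature Review
2.2 Properties of and Attacks on Anonymous Identity Authentication Protocols
Chapter 3 Security Analysis of Wang et al.'s Identity Authentication Protocol
3.1 Review of Related Literature
3.2 Wang et al.'s Identity Authentication Protocol
3.3 Security Flaws Reported in the Literature
3.4 Impersonation Attack
3.5 Feasibility and Impact of the Attack
Chapter 4 Security Analysis of the Liao-Tzeng Identity Authentication Protocol
4.1 Review of Related Literature
4.2 The Liao-Tzeng Identity Authentication Protocol
4.2.1 Database Initialization
4.2.2 Authentication Procedure
4.3 Tracing Attack
4.3.1 Tracing Attack: Direct Observation Method
4.3.2 Tracing Attack: Random Number Cancellation Method
4.3.3 Feasibility and Impact of the Attack
4.4 Analysis of the Causes of the Attack
4.5 Discussion of Possible Fixes
4.6 Possible Fix
Chapter 5 Security Analysis of Juang et al.'s Identity Authentication Protocol
5.1 Review of Related Literature
5.2 Juang et al.'s Identity Authentication Protocol
5.3 Unreasonable Aspects of Juang et al.'s Identity Authentication Protocol
5.4 Tracing Attack
5.5 Tag-Destroy Attack
5.6 Malicious-Server Impersonation Attack
Chapter 6 Conclusion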


[1]Y.Y. Wang, J.Y. Liu, F.X. Xiao, and J. Dan, “A more efficient and secure dynamic ID-based remote user authentication scheme,” Computer Communications, Vol. 32, Issue. 4, pp. 583-585, 2009.

[2]Y. Chen, J.S. Chou, and C.H. Huang, “Comment on four two-party authentication protocols,” Cryptology ePrint Archive, IACR, Report 2010/165.

[3]M. A. Ahmed, D. R. Lakshmi and S. A. Sattar, “Cryptanalysis of a more efficient and secure dynamic ID-based remote user authentication scheme,” International Journal of Network Security & Its Applications (IJNSA), Vol. 1, No. 3, pp. 32-37, 2009.

[4]H. Lee, D. Choi, Y. Lee, D. Won, and S. Kim, “Security weaknesses of dynamic ID-based remote user authentication protocol,” World Academy of Science, Engineering and Technology, Issue 59, pp. 190-193, 2009.

[5]Y. F. Chang and H. C. Chang, “Security of dynamic ID-based remote user authentication scheme,” 2009 Fifth International Joint Conference on INC, IMS and IDC, pp. 2108-2110, 2009.

[6]S. K. Sood, A. K. Sarje, and K. Singh, “An improvement of Wang et al.’s authentication scheme using smart cards,” National Conference on Communications, pp. 1-5, 2010.

[7]J.L. Tsai, T.C. Wu, and K.Y. Tsai, “New dynamic ID authentication scheme using smart cards,” International Journal of Communication Systems, Vol. 23, Issue. 12, pp. 1449-1462, 2010.

[8]T. Dimitriou, “A lightweight RFID protocol to protect against traceability and cloning attacks,” Conference on Security and Privacy for Emerging Areas in Communication Networks, 2005.

[9]Y.H. Liao and W.G. Tzeng, “A secure RFID authentication protocol based on strongly 2-universal hash functions,” in the 18th Information Security Conference, 2008.

[10]W.S. Juang, H.C. Tseng, and Y.Y. Shue, “An efficient and privacy protection multi-server authentication scheme for low-cost RFID Tags,” International Computer Symposium, Taiwan, pp.279-283, 2010.

[11]T. L. Hwang, Y. H. Chen, and C. S. Laih, “Non-interactive password authentications without password tables,” in IEEE Region 10 Conference on Computer and Communication Systems, Vol. 1, pp. 429-431, 1990.

[12]C. C. Chang and S. J. Hwang, “Using smart cards to authenticate remote passwords,” Computers and mathematics with applications, Vol. 26, No. 7, pp. 19-27, 1993.

[13]C. C. Chang and W. Y. Liao, “A remote password authentication scheme based upon Elgamal's signature scheme,” Computers and Security, Vol. 13, No. 2, pp. 137-144, 1994.

[14]T. C. Wu, “Remote login authentication scheme based on a geometric approach,” Computer Communications, Vol. 18, Issue. 12, pp. 959-963, 1995.

[15]C. C. Chang and T. C. Wu, “Remote password authentication with smart cards,” IEE Proceedings - Computers and Digital Techniques, Vol. 138, No. 3, pp. 165-168, May 1991.

[16]S. M. Yen and K. H. Liao, “Shared authentication token secure against replay and weak key attacks,” Information Processing Letters, Vol. 62, No. 2, pp. 77-80, 1997.

[17]H. M. Sun, “An efficient remote use authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000.

[18]M. S. Hwang and L. H. Li, “A new remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, Issue. 1, pp. 28-30, 2000.

[19]H. Y. Chien, J. K. Jan, and Y. M. Tseng, “An efficient and practical solution to remote authentication: smart card,” Computers and Security, Vol. 21, Issue. 4, pp. 372-375, 2002.

[20]C. L. Hsu, “Security of Chien et al.'s remote user authentication scheme using smart cards,” Computer Standards and Interfaces, Vol. 26, Issue. 3, pp. 167-169, 2004.

[21]W. C. Ku and S. M. Chen, “Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 50, Issue. 1, pp. 204-207, 2004.

[22]H. T. Yeh, “Improvement of an efficient and practical solution to remote authentication: Smart card,” IEICE transactions on communications, Vol. 89, No. 1, pp. 210-211, 2006.

[23]W. S. Juang, “Efficient password authenticated key agreement using smart cards,” Computers and Security, Vol. 23, Issue. 2, pp. 167-173, 2004.

[24]W. H. Yang and S. P. Shieh, “Password authentication schemes with smart cards,” Computers and Security, Vol. 18, No. 8, pp. 727-733, 1999.

[25]C. I. Fan, Y. C. Chan, and Z. K. Zhang, “Robust remote authentication scheme with smart cards,” Computers and Security, Vol. 24, Issue. 8, pp. 619-628, 2005.

[26]S. J. Wang and J. F. Chang, “Smart card based secure password authentication scheme,” Computers and Security, Vol. 15, Issue. 3, pp. 231-237, 1996.

[27]K. Tan and H. Zhu, “Remote password authentication scheme based on cross-product,” Computer Communications, Vol. 22, Issue. 4, pp. 390-393, 1999.

[28]H. S. Hwang, C. C. Lee, and Y. L. Tang, “A simple remote user authentication scheme,” Mathematical and Computer Modelling, Vol. 36, Issue. 1-2, pp. 103-107, 2002.

[29]C. C. Lee, M. S. Hwang, and W. P. Yang, “A flexible remote user authentication scheme using smart cards,” ACM SIGOPS Operating Systems Review, Vol. 36, Issue. 3, pp. 46-52, 2002.

[30]S. J. Wang, “Yet another log-in authentication using n-dimensional construction based on circle property,” IEEE Transactions on Consumer Electronics, Vol. 49, Issue. 2, pp.337-341, 2003.

[31]S. T. Wu and B. C. Chieu, “A user friendly remote authentication scheme with smart cards,” Computers and Security, Vol. 22, Issue. 6, pp. 547-550, 2003.

[32]C.W. Lin, J.J. Shen, and M.S. Hwang, “Security enhancement for optimal strong-password authentication protocol,” ACM SIGOPS Operating Systems Review, Vol. 37, Issue. 2, pp. 12-16, 2003.

[33]W.S. Juang and S.T. Chen, “Robust and efficient password authenticated key agreement using smart cards,” in the 16th Information Security Conference, 2006.

[34]H. S. Rhee, J. O. Kwon, and D. H. Lee, “A remote user authentication scheme without using smart cards,” Computer Standards and Interfaces, Vol. 31, Issue. 1, pp. 6-13, 2009.

[35]M. L. Das, A. Saxena, and V. P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629–631, 2004.

[36]A. K. Awasthi, “Comment on a dynamic ID-based remote user authentication scheme,” Transaction on Cryptology, Vol. 1, Issue 2, pp. 15-16, 2004.

[37]A. K. Awasthi and S. Lal, “Security analysis of a dynamic ID-based remote user authentication scheme,” Cryptology ePrint Archive, IACR, Report 2004/238.

[38]W.C. Ku and S.T. Chang, “Impersonation attack on a dynamic ID-based remote user authentication scheme using smart cards,” IEICE Transactions on Communications, Vol. E88, No. 5, pp. 2165-2167, 2005.

[39]W.C. Ku, S.T. Chang, and C.H. Hwang, “Cryptanalysis of a dynamic ID-based remote user authentication scheme using smart cards,” 15th Information Security Conference, pp. 162-168, 2005.

[40]J. Yang, J. Park, H. Lee, K. Ren, and K. Kim, “Mutual authentication protocol for low-cost RFID,” in Handout of the Encrypt Workshop on RFID and Lightweight Crypto, 2005.

[41]S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems, Vol. 43, Issue. 3, pp. 897-914, 2007.

[42]C.H. Wang and W.Y. Tasi, “An RFID authentication scheme for wireless communication channel,” in the 18th Information Security Conference, 2008.

[43]Y.K. Chen, Cryptanalysis on RFID Authentication Protocols with Tag Anonymity, Master thesis, National Central University, Taiwan, 2009.

[44]Y.P. Liao, J. Lin, and S.S. Wang, “A new dynamic ID-based remote user authentication scheme using smart cards,” 16th Information Security Conference, Taiwan, pp. 198-205, 2006.

[45]H.C. Shih, Cryptanalysis on Two Password Authentication Schemes, Master thesis, National Central University, Taiwan, 2008.

[46]S. K. Sood, A. K. Sarje, and K. Singh, “An improvement of Liou et al.’s authentication scheme using smart cards,” International Journal of Computer Applications, Vol. 1, Issue 8, pp. 16-23, 2010.

[47]A. Juels, “RFID security and privacy: a research survey,” IEEE Journal on Selected Areas in Communications, Vol. 24, Issue 2, pp. 381–394, 2006.

[48]S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo, “Security analysis of a cryptographically-enabled RFID device,” 14th USENIX Security Symposium, pp. 1–16, 2005.

[49]L.A. Lee and S.P. Shieh, “Protecting user privacy with dynamic identity-based scheme for low-cost passive RFID tags,” 18th Information Security Conference, 2008.

[50]Miyako Ohkubo, K. Suzuki, and Shingo Kinoshita, “Cryptographic Approach to Privacy-Friendly Tags,” in RFID Privacy Workshop, 2003.

[51]L.H. Li, I.C. Lin, and M.S. Hwang, “A remote password authentication scheme for multiserver architecture using neural networks,” IEEE Transactions on Neural Networks, Vol. 12, No. 6, pp.1498-1504, 2001.

[52]W.C. Ku, “Weaknesses and drawbacks of a password authentication scheme using neural networks for multiserver architecture,” IEEE Transactions on Neural Networks, Vol. 16, No. 4, pp.1002-1505, 2005.

[53]I.C. Lin, M.S. Hwang, and L.H. Li, “A new remote user authentication scheme for multi-server architecture,” Future Generation Computer Systems, Vol. 19, No. 1, pp.13-2, 2003.

[54]W.C. Ku, S.T. Chang, and M.H. Chiang, “Security analysis of a remote user authentication scheme using Euclidean plane for multi-server architecture,” International Computer Symposium, Taiwan, pp.109-114, 2004.

[55]W.J. Tsaur, C.C. Wu, and W.B. Lee, “A smart card-based remote scheme for password authentication in multi-server Internet services,” Computer Standards and Interfaces, Vol. 27, Issue. 1, pp.39-51, 2004.

[56]W.S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 50, Issue. 1, pp.251-255, 2004.

[57]W.C. Ku, M.H. Chiang, and H.M. Chuang, “Cryptanalysis of a password authenticated key agreement scheme using smart cards for multiserver architecture,” Workshop on Consumer Electronics and Signal Processing, 2004.

[58]W.C. Ku, M.H. Chiang, H.M. Chuang, and K.T. Chang, “Weaknesses of a multi-server password authenticated key agreement scheme,” National Computer Symposium, pp.1-5, 2005.

[59]Y.P. Liao and S.S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards and Interfaces, Vol. 31, Issue. 1, pp.24-29, 2009.
