
Post on 29-Dec-2015


Authentication and Digital Signature Schemes and Their Applications to E-commerce (身份認證與數位簽章技術及其在電子商務上的應用)

Advisor: Chin-Chen Chang (1, 2)

Student: Ya-Fen Chang (2)

(1) Dept. of Information Engineering and Computer Science, Feng Chia University

(2) Dept. of Computer Science and Information Engineering, National Chung Cheng University


Outline

1. Introduction

2. Password Authentication Without the Server Public Key

3. Password Authenticated Key Exchange for Imbalanced Wireless Network

4. Digital Signature without One-way Hash Function

5. Anonymous Auction Protocols

6. Conclusions


1. Introduction (1/4)

Authentication

Establishing the validity of a transmission, message, or originator

Verifying an individual's authorization to receive specific categories of information


1. Introduction (2/4)

Authentication Schemes

Something you know: password, PIN, the public key, …

Something you have: IC card (smartcard or memory card), …

Something you are: fingerprint, hand geometry, voiceprint, retinal, …


1. Introduction (3/4)

Authentication Schemes

Without the public key: password, PIN, IC card, fingerprint, hand geometry, voiceprint, etc.

Without the verification table: IC card and the public key

With special devices: fingerprint, hand geometry, voiceprint, retinal, …


1. Introduction (4/4)

Digital Signature

Origin authentication

Data integrity

Signer nonrepudiation


2. Password Authentication Without the Server Public Key (1/7)

2002, Hwang and Yeh’s Protected Password Transmission and Change Schemes

Using the public key systems

Suffering from the denial-of-service attack


2. Password Authentication Without the Server Public Key (2/7)

| Notation | Description |
|---|---|
| $PW$ | the password shared between the user U and the server S |
| $PK_S$ | the server S’s public key |
| $ID$ | the user U’s identity |
| $H()$ | cryptographic hash function |
| flow[i] | the information transmitted in the i-th round |
| $r_1$/$r_2$ | random nonce generated by U/S |
| $\oplus$ | XOR operation |
| $E_{pk}(m)$ | asymmetric encryption of m with the public key pk |
| $E1_{pw}(m)$ | symmetric encryption of m with a password pw |
| $E2_k(m)$ | symmetric encryption of m with a secret key k |
| $g$ | a primitive element in GF(p), where p is a large prime |


2.1 Hwang and Yeh’s Protected Password Transmission Scheme (3/7)

S: stores $H(PW)$

U → S: $ID$, $E_{PK_S}(r_1, PW)$

S → U: $r_1 \oplus r_2$, $H(r_2)$

U → S: $ID$, $H(r_1, r_2)$

S → U: Access granted or denied


2.2 Hwang and Yeh’s Protected Password Change Scheme (4/7)

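S: stores $H(PW)$

U → S: $ID$, $E_{PK_S}(r_1, PW)$

S → U: $r_1 \oplus r_2$, $H(r_2)$

U: chooses a new $PW$ and computes $R = H(PW) \oplus H(r_1 + 1, r_2)$

U → S: $ID$, $H(r_1, r_2)$, $R$

S: computes $H(PW) = R \oplus H(r_1 + 1, r_2)$ and updates the stored $H(PW)$

S → U: Access granted or denied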


2.3 Our Protected Password Transmission Scheme (5/7)

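S: stores $PW$

U → S: $ID$, $E1_{PW}(g^{r_1} \bmod p)$

S: $SK = (g^{r_1})^{r_2} \bmod p$

S → U: $E1_{PW}(g^{r_2} \bmod p)$, $E2_{SK}(H(\text{flow}[1]))$

U: $SK = (g^{r_2})^{r_1} \bmod p$

U → S: $ID$, $E2_{SK}(H(\text{flow}[2]))$

S → U: Access granted or denied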


2.4 Our Protected Password Change Scheme (6/7)

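S: stores $PW$

U → S: $ID$, $E1_{PW}(g^{r_1} \bmod p)$

S: $SK = (g^{r_1})^{r_2} \bmod p$

S → U: $E1_{PW}(g^{r_2} \bmod p)$, $E2_{SK}(H(\text{flow}[1]))$

U: $SK = (g^{r_2})^{r_1} \bmod p$; chooses a new $PW$; the current time: $T$; $R = E2_{SK}(PW, T)$

U → S: $ID$, $E2_{SK}(H(\text{flow}[2]))$, $R$

S: decrypts $R$ with $SK$ and updates $PW$

S → U: Access granted or denied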


2.5 Efficiency Comparison (7/7)

| Computation operation | HY (U) | HY (S) | Ours (U) | Ours (S) |
|---|---|---|---|---|
| modulo exponential | 0(5) | 0(3) | 2 | 2 |
| public key en/decryption | 1/0 | 0/1 | 0/0 | 0/0 |
| symmetric en/decryption | 0/0 | 0/0 | 4/5 | 4/5 |
| hash | 2/4 | 2/3 | 2 | 2 |


3. Password Authenticated Key Exchange for Imbalanced Wireless Network (1/5)

2002, Zhu et al.’s password authenticated key exchange scheme

Based on RSA

For imbalanced wireless network

Suffering from the undetectable on-line password guessing attack

2003, Yeh et al.’s scheme

Using the simple interactive protocol to authenticate the public key pair

May suffer from the off-line password guessing attack


3. Password Authenticated Key Exchange for Imbalanced Wireless Network (2/5)

| Notation | Description |
|---|---|
| $PW$ | the password shared between the user U and the server S |
| $(n, e)$ | the server S’s public key generated by a public key generator |
| $d$ | S’s private key |
| $H_i()$ | distinct cryptographic hash functions for i = 1, 2, …, 5 |
| $ID_S$/$ID_U$ | the identity of S/U |
| $E_k(m)$ | symmetric encryption of m with the secret key k |
| $D_k(m)$ | symmetric decryption of m with the secret key k |
| $p$, $q$ | two secret large primes only known by S |
| $N$ | the public system parameter, where $N = p \cdot q$ |


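3.1 Yeh et al.’s Scheme (3/5)

S → U: $n$, $e$, $r_S$, where $r_S \in_R \{0, 1\}^l$

U: $\{m_i \in_R Z_n\}_{1 \le i \le j}$

U → S: $\{m_i^e \bmod n\}_{1 \le i \le j}$

S → U: $\{H_1(m_i)\}_{1 \le i \le j}$

U: checks $H_1(m_i) \stackrel{?}{=} H_1(m_i)$ for $1 \le i \le j$; chooses $s_U \in_R Z_n$; $z = (E_{pw}(ID_S, ID_U, r_S, s_U))^e \bmod n$

U → S: $z$

S: $(ID_S, ID_U, r_S, s_U) = D_{pw}(z^d \bmod n)$; computes $c_U = H_3(s_U)$ and $H_4(r_S, c_U, ID_S, ID_U)$

S → U: $E(ID_U)$

U: computes $c_U = H_3(s_U)$ and $H_4(r_S, c_U, ID_S, ID_U)$; checks $D(E(ID_U)) \stackrel{?}{=} ID_U$

U → S: $H_6()$

S: checks $H_6() \stackrel{?}{=} H_6()$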


3.2 Our Scheme (4/5)

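S → U: $E_{pw}(r_S)$, where $r_S \in_R \{0, 1\}^l$

U: recovers $r_S = D_{pw}(E_{pw}(r_S))$; chooses $s_U \in_R Z_N$; computes $H_5(r_S, s_U, ID_S, ID_U)$ and $H_2(r_S, s_U, )$; $z = s_U^2 \bmod N$

U → S: $z$,

S: computes $H_5(r_S, s_U, ID_S, ID_U)$; checks $\stackrel{?}{=} H_2(r_S, s_U, )$

S → U: $H_6()$

U: checks $H_6() \stackrel{?}{=} H_6()$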


3.3 Efficiency Comparison (5/5)

| Computation operation | Yeh et al.’s (U) | Yeh et al.’s (S) | Ours (U) | Ours (S) |
|---|---|---|---|---|
| modulo exponential | j+1 | j+1 | 2 | 0 |
| symmetric en(de)cryption | 2 | 2 | 1 | 1 |
| hash | j+3 | j+3 | 3 | 9/5/3 |


4. Digital Signature without One-way Hash Function and Message Redundant Schemes (1/9)

2000, Zhu et al.’s digital multisignature scheme

Without One-way Hash Function

Without Message Redundant Schemes

Suffering from the forgery attack


4.1 Notation (2/9)

| Notation | Description |
|---|---|
| $g$ | a primitive element in GF(p), where p is a large prime |
| U | the user |
| V | the verifier |
| $x$ | U’s private key, where $\gcd(x, p-1) = 1$ |
| $y$ | U’s public key, where $y = g^x \bmod p$ |
| $k$ | the random number chosen by U, where $k \in Z_p$ |
| $M$ | the signed message |


4.2 Shieh et al.’s Scheme (3/9)

The Signature-generation Phase

U executes the following steps to sign M.

Step 1: Computes $s = y^M \bmod p$.

Step 2: Computes $r = M \cdot g^{-k} \bmod p$.

Step 3: Computes $t$, where $s + t \equiv x^{-1} \cdot (k - r) \pmod{p-1}$.

Step 4: Sends the signature $(s, r, t)$ of $M$ to the verifier V.


4.2 Shieh et al.’s Scheme (4/9)

The Verification Phase

V executes the following steps to verify the signature.

Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \equiv g^{x(s+t)} \cdot M \cdot g^{-k} \cdot g^{r} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod p$.

Step 2: Checks if $s = y^M \bmod p$.


4.3 The Forgery Attack on Shieh et al.’s Scheme (5/9)

Eve executes the following steps to get a valid signature.

Step 1: Chooses $w \in Z_p$ randomly.

Step 2: Chooses $r \in Z_p$ randomly.

Step 3: Computes $g^k \bmod p = y^w \cdot g^r \bmod p$ without knowing $k$.

Step 4: Computes $M = r \cdot g^k \bmod p$.

Step 5: Computes $s = y^M \bmod p$.

Step 6: Computes $t = w - s \bmod (p-1)$.

Step 7: Sends the signature $(s, r, t)$ of $M$ to the verifier V.
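The scheme of 4.2 and the forgery of 4.3 as a runnable sketch; this is an added example, not code from the slides. The prime, g, the key x, and the `redundant` message format (a stand-in for the message redundancy scheme the Conclusions call essential) are assumptions chosen for illustration.

```python
from math import gcd

# Toy parameters constructed for this example; not from the slides.
P = 2**127 - 1      # a Mersenne prime; g is not checked for primitivity,
G = 3               # the algebra below holds for any g in GF(p)*
X = 65537           # U's private key, must satisfy gcd(x, p-1) = 1
assert gcd(X, P - 1) == 1
Y = pow(G, X, P)    # U's public key y = g^x mod p

def sign(M, k):
    """Signature generation, steps 1-3 of 4.2."""
    s = pow(Y, M, P)
    r = M * pow(G, -k, P) % P
    t = (pow(X, -1, P - 1) * (k - r) - s) % (P - 1)
    return s, r, t

def verify(s, r, t):
    """Verification of 4.2: recover M, then check s = y^M mod p."""
    M = pow(Y, s + t, P) * r * pow(G, r, P) % P
    return M, s == pow(Y, M, P)

def forge(w, r):
    """Steps of 4.3: a signature built from public values only."""
    gk = pow(Y, w, P) * pow(G, r, P) % P    # g^k = y^w * g^r, k stays unknown
    M = r * gk % P                          # the message is forced on Eve
    s = pow(Y, M, P)
    t = (w - s) % (P - 1)
    return M, (s, r, t)

def redundant(m):
    """Hypothetical redundancy format: a 60-bit m written twice."""
    return (m << 60) | m

def has_redundancy(M):
    hi, lo = divmod(M, 1 << 60)
    return 0 < hi == lo

def demo():
    M = redundant(0xC0FFEE)
    honest = verify(*sign(M, k=123456789))
    forged_M, sig = forge(w=424242, r=171717)
    forged = verify(*sig)
    # honest signature verifies; forgery verifies; forged M lacks redundancy
    return honest == (M, True), forged == (forged_M, True), has_redundancy(forged_M)
```

The forged triple passes both verification steps without x, but Eve cannot pick M, so a verifier that also checks the recovered message against a fixed format rejects it.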


4.4 Our Scheme (6/9)

The Signature-generation Phase

U executes the following steps to sign M.

Step 1: Computes $s = y^M \bmod p$.

Step 2: Computes $r = M \cdot s \cdot g^{-k} \bmod p$.

Step 3: Computes $t$, where $s + t \equiv x^{-1} \cdot (k - r) \pmod{p-1}$.

Step 4: Sends the signature $(s, r, t)$ of $M$ to the verifier V.


4.4 Our Scheme (7/9)

The Verification Phase

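V executes the following steps to verify the signature.

Step 1: Computes $M \equiv y^{s+t} \cdot r \cdot g^{r} \cdot s^{-1} \equiv g^{x(s+t)} \cdot M \cdot s \cdot g^{-k} \cdot g^{r} \cdot s^{-1} \equiv g^{k-r} \cdot M \cdot g^{-k+r} \pmod p$.

Step 2: Checks if $s = y^M \bmod p$.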


4.5 The Forgery Attack 1 on Our Scheme (8/9)

After getting the signature (s, r, t) of M, Eve executes the following steps to get a valid signature.

Step 1: Chooses Zp-1* randomly.

Step 2: Computes m = M*y mod p.

Step 3: Computes s = ym mod p.

Step 4: Sets r = r.

Step 5: Sets t = s + t – M + - s + m mod (p-1).

Step 6: Sends the signature (s, r, t) of m to the verifier V.


4.5 The Forgery Attack 2 on Our Scheme (9/9)

After getting the signature (s, r, t) of M, Eve executes the following steps to get a valid signature.

Step 1: Chooses Zp-1* randomly.

Step 2: Sets r = *r mod p.

Step 3: Computes such that r + r mod (p-1).

Step 4: Computes m = M**g mod p.

Step 5: Sets s= ym mod p.

Step 6: Sets t = s + t – M - s + m mod (p-1).

Step 7: Sends the signature (s, r, t) of m to the verifier V.


5. Anonymous Auction Protocols (1/11)

Auction

English auction

Dutch auction

Sealed-bid auction

Participants

Auctioneer

Bidder


5. Anonymous Auction Protocols (2/11)

Sealed-bid auction

→ (1999, Kikuchi et al.) the privacy of the bids

→ the anonymity of the bidding prices

→ the anonymity of the bidders


5.1 Notation (3/11)

| Notation | Description |
|---|---|
| $g$ | a primitive element in GF(p), where p is a large prime |
| $U_i$ | the bidder for i = 1, 2, …, m |
| P | the auctioneer |
| $K^{i}_{pub}/K^{i}_{prv}$ | $U_i$’s public/private key certified by CA |
| $K^{P}_{pub}/K^{P}_{prv}$ | P’s public/private key certified by CA |
| $H()$ | a collision-resistant hash function |
| $a_i$/$b$ | the random number in $Z_p$ chosen by $U_i$/P |
| $ID_i$ | $U_i$’s identity |
| $E()$ | an asymmetric cryptosystem |
| $T$ | the timestamp |


5.2 Initiation (4/11)

Concept: to have $U_i$ and P share one secret

Step 1: $U_i$ computes

$X_i = g^{a_i} \bmod p$,

$X_i = E_{K^{P}_{pub}}(E_{K^{i}_{prv}}(X_i))$, and

$Q_i = E_{K^{P}_{pub}}(ID_i)$.

Then $U_i$ sends $X_i$ and $Q_i$ to P.


5.2 Initiation (5/11)

Step 2: P computes

$Y = g^{b} \bmod p$ and

$W = E_{K^{P}_{prv}}(Y)$.

Then P broadcasts Y and W.

Step 3: P computes

$X_i = E_{K^{i}_{pub}}(E_{K^{P}_{prv}}(X_i))$,

$ID_i = E_{K^{P}_{prv}}(Q_i)$, and

$k_i = X_i^{b} = g^{a_i b} \bmod p$.


5.2 Initiation (6/11)

Step 4: $U_i$ checks if

$Y = E_{K^{P}_{pub}}(W)$.

If it holds, $U_i$ computes

$k_i = Y^{a_i} = g^{a_i b} \bmod p$.

→ P and $U_i$ share $k_i$.


5.3 Initial Authentication (7/11)

Step 1: Ui randomly chooses M and computes

= H(M, T, ki).

Then Ui sends (M, T, ) to P.

Step 2: P computes = H(M, T, ki) for i = 1, 2,.., m.

If any = , P computes = H(M+1, ki)

and broadcasts (, ).


5.4 Anonymous English Auction (8/11)

Step 1: $U_i$ signs his own bid B and computes

$S = E_{K^{i}_{prv}}(B, T)$,

$D = E_{K^{P}_{pub}}(S)$, and

$C = H(B, T, k_i)$.

Then $U_i$ casts (B, T, D, C).


5.4 Anonymous English Auction (9/11)

Step 2: P sets a timer and computes $C_i = H(B, T, k_i)$ for i = 1, 2, …, m and

$S = E_{K^{P}_{prv}}(D)$.

If any $C_i = C$, B is valid.

Otherwise, B is invalid.

If the timer counts down to zero and no bidder casts a bid, P closes the auction.
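A sketch of the shared secret from 5.2 and the bid check from 5.4, added here as an example and not taken from the slides. It deliberately omits every E() operation with certified keys (so $X_i$, Y and the signed bid are not authenticated), and the prime, g, SHA-256 as H, and the sample bid values are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this example (not from the slides).
P = 2**127 - 1      # prime modulus p
G = 3               # stands in for the primitive element g

def H(*parts):
    """Hash of a length-prefixed encoding, so (B, T, k) parses one way only."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

class Auctioneer:
    def __init__(self):
        self.b = secrets.randbelow(P - 2) + 1
        self.Y = pow(G, self.b, P)                # Y = g^b mod p, broadcast
        self.k = {}                               # ID_i -> k_i

    def register(self, ident, X):
        self.k[ident] = pow(X, self.b, P)         # k_i = X_i^b mod p

    def check_bid(self, B, T, C):
        """5.4 step 2: the bid is valid if some C_i = H(B, T, k_i) equals C."""
        return any(secrets.compare_digest(H(B, T, k), C) for k in self.k.values())

class Bidder:
    def __init__(self, ident, Y):
        self.ident = ident
        self.a = secrets.randbelow(P - 2) + 1
        self.X = pow(G, self.a, P)                # X_i = g^{a_i} mod p
        self.k = pow(Y, self.a, P)                # k_i = Y^{a_i} mod p

    def cast(self, B, T):
        return B, T, H(B, T, self.k)              # (B, T, C); D is omitted here

def demo():
    auctioneer = Auctioneer()
    u1, u2, outsider = (Bidder(n, auctioneer.Y) for n in ("U1", "U2", "U3"))
    for u in (u1, u2):                            # U3 never registers
        auctioneer.register(u.ident, u.X)
    B, T, C = u2.cast(500, "2003-06-01T10:00:00") # constructed sample bid
    return (auctioneer.check_bid(B, T, C),                  # registered bidder
            auctioneer.check_bid(B + 1, T, C),              # bid altered in transit
            auctioneer.check_bid(*outsider.cast(600, T)))   # unregistered key
```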


5.5 Anonymous Sealed-bid Auction (10/11)

Step 1: $U_i$ signs his own bid B and computes

$S = E_{K^{i}_{prv}}(B, T)$,

$D = E_{K^{P}_{pub}}(S)$,

$F = E_{K^{P}_{pub}}(B, T)$, and

$C = H(B, T, k_i)$.

Then $U_i$ submits (F, D, C) to P.


5.5 Anonymous Sealed-bid Auction (11/11)

Step 2: P computes

$(B, T) = E_{K^{P}_{prv}}(F)$ and

$S = E_{K^{P}_{prv}}(D)$.

Step 3: P sets a timer and computes $C_i = H(B, T, k_i)$ for i = 1, 2, …, m.

If any $C_i = C$, B is valid. Otherwise, B is invalid. After receiving all bids, P resolves the winner anonymously.


6. Conclusions

We have proposed different authentication schemes for different requirements.

As to digital signatures, the hash function and the message redundant scheme are essential to designing a secure digital signature scheme.

The concepts of authentication and digital signature schemes should be employed to ensure the security of a variety of applications over networks.


Thanks all