1 研討大綱 1 過去之研究進展 2 我們之提案 Jan

1

研討大綱: 1. 過去之研究進展 2. 我們之提案 Jan, J. K. and Chen, Y. Y. (1998): Paramita. Wisdom Password Authentication Scheme without Verification Tables, The Journal of Systems and Software, U. S. A. , Vol. 42, Aug. 1998, PP. 45 -57. [SCI] 3. 小結語 2

1. 在 ATM( Automated Teller Machine) 提領現金 2. 利用網路簽入或進行電子商務行為 Password Table ID 1 ID 2 PW 1 • • • IDn PW 2 3

1. G. B. Purdy, “A High Security Log-in Procedure, ” CACM, Vol. 17, No. 8, pp. 442 - 445, Aug. 1974. 2. R. L. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, ” CACM, Vol. 21, No. 2, pp. 120 -126, Feb. 1978. 3. R. E. Lennon, S. M. Matyas and C. H. Meyer, “ Cryptographic Authentication of Time Invariant quantities, ” IEEE Trans. Communs. COM-29, No. 6, pp. 773 -777, 1981. 4. T. Y. Hwang, “ Passwords Authentication Using Public-Key Encryption, ” Proc. Of international Carnahan Conference on Security Technology, Zurich, Switzerland, pp. 35 -38, Oct. 1983. 5. A. Shamir, “ Identity Based Cryptosystems & Signature Schemes, ” Proc. Of Crypto. 84, pp. 47 -53, 1984. 6. C. C. Chang and L. H. Wu, “ A New Password Authentication Scheme, ” Journal of Information Science and Engineering, Vol. 6, pp. 139 -147, Jan. 1990. 7. T. L. Hwang, Y. W. Chen and C. S. Laih, “ Non-Interactive Password Authentication Without Password Tables, ” IEEE Region 10 Conference on Computer and Communication Systems, Hong Kong, pp. 1 -9, Sept. 1990. 4

PWi IDi No IDi 格式正確? 公開單向函數 F(PWi) F( ) Yes ID 1 F(PW 1) • • • IDi F(PWi) • • • IDn F(PWn) F(PWi) 是否相同? Yes 接受通關拒絕通關此表不得寫入任何資訊 No 拒絕通關 5

中心: RSA 之 n = p * q e * d = 1 mod (n) {e 和 d 均保密 } 個人: PWi=IDid mod n 輸入 (IDi , PWi ) ? 檢驗 PWie = (IDid)e mod n ? = IDi mod n A 1: No password table ! D 1: one can not freely decide one’s password. D 2: password 可能在申請帳號時被系統管理者知悉 D 3: Remote login 時 password 可能曝光 6

Theorem 1. 3: For n = p * q p, q 均是質數則 (n) = (p)* (q) = (p-1)*(q-1). The Euler totient function (n)即 the reduced set of residues mod n之元素個數. 所以當 n是質數時 , (n) ＝ n-1; 即　{ 1, 2, …, n-1}. Theorem 1. 4 ( Fermat’s Theorem): Let P be prime, then for every a s. t. gcd(a, P) = 1, a. P-1 mod p = 1. Theorem 1. 5(Euler’s Generalization): 對每一對 a與 n, gcd(a, n)=1, 則 a (n) mod n = 1. 7

Theorem: Given e and d satisfying e*d mod (n) = 1, and a message M [0, n-1] such that gcd(M, n)=1, (Me mod n)d mod n = M. 1. 對任意一明文 M需滿足 gcd(M, n) = 1, 此處 n=p*q; p與q為兩大質數. 2. 如何求 e 與 d兩數? 可取一與 (n)互質之數 e, 根據 e*d mod (n)=1之條件, 可求解 d. 3. 若 e 與 n 公開, 而 d 與 (n) 保密, 則安全可保. 4. 若有人欲分解 n= p*q, 若n 是 200位數, 而電腦可處理 106 指令/秒(即 1 MIPS)則破解需106 年. 8

Proposed by Rivest, Shamir and Adleman in 1978 e. B C = E(M) = M mod n. B 明文 M 密文 C 明文 M D(C)=Cd mod n. B = M B 1. n. B = p. q {約略大於 200位數} 2. gcd( e. B , (p-1)(q-1)) = 1 3. 0 < M < n. B 4. e. B. d. B 1 (mod (p-1)(q-1)) 此妙法之理論根據 ? 9

IDi PWi No IDi 格式正確? Pass. Keyi=ESKS(PWi) VPi=DPass. Keyi(TPi) VPi TPi Yes ID 1 TP 1 • • • IDn TPn 拒絕通關 TPi=EPass. Keyi(F(IDi)) IDi F(IDi) VPi =F(IDi)? No 拒絕通關 Yes 10

A 1: Test Pattern Table 可公開 A 2: 不知SKS無法篡改Test Pattern Table D 1: password 在申請帳號時被系統管理者知悉 D 2: SKS一旦更換, 則上圖之資訊全部重新來過, 此乃其美中不足處 D 3: SKS 務必常駐記憶體之中以為驗證之用 11

IDi SKUi No IDi 格式正確? DSKUi( ) VPi EPKS( ) TPi Yes ID 1 TP 1 • • • IDn TPn IDi EPKS( ) VPi =EPKS(IDi)? 拒絕通關 VPi =EPKS(IDi) TPi =DSKS(EPKUi(VPi)) No 拒絕通關 Yes 12

1. PWi =SKUi 2. 驗證表與公鑰 PKS 均可公開 3. 使用者之通行碼 PWi 不必交給系統管理者 4. 系統密鑰 SKS 僅在建造驗證表時使用, 若將驗證表建造者與系統管理者兩者確實分開建制, 則系統之安全可更確保 5. SKS一旦更換, 則下圖之資訊全部重新來過, 此乃其美中不足處 6. 此 protocol 之精神乃在於利用系統與各使用者之公鑰密鑰於使用者之識別名稱 IDi 而得; 其思維邏輯圖示如下: IDi PKS EPKS( ) VPi PKUi EPKUi( ) SKS DSKS( ) TPi 13

中心: RSA 之 n = p * q e * d = 1 mod (n) 個人: PWi=IDid mod n Step 1: Temp = Random e mod n Pass. Key = PWi * Random F(Temp, M) mod n Step 2: 送出 ( Pass. Key, Temp, M) IDi 也需送出 M ? e e e * F(Temp, M) Pass. Key = PWi * Random mod n = (IDid )e * Random e * F(Temp, M) mod n ? ID * Temp. F(Temp, M) mod n = i 14

A 1: No password table ! A 2: Remote Login 時 Password 不會直接曝光! D 1: one can not freely decide one’s password. D 2: password 在申請帳號時被系統管理者知悉 D 3: Remote login 時 Pass. Key 等三項資訊可能被攔截冒用(replay attack)! 15

IDi PWi No IDi 格式正確? DPWi( ) VPi DSKS( ) TPi Yes ID 1 TP 1 • • • IDn TPn IDi VPi =IDi? 拒絕通關 VPi = IDi TPi =ESKS(EPWi(VPi)) No 拒絕通關 Yes 16

A 1. 驗證表與公鑰 PKS 均可公開 A 2. 不知SKS無法篡改 Test Pattern Table A 3. 使用者之通行碼 PWi 不必交給系統管理者 A 4. 系統密鑰 SKS 僅在建造驗證表時使用, 若將驗證表建造者與系統管理者兩者確實分開建制, 則系統之安全可更確保 D 1. SKS一旦更換, 則下圖之資訊全部重新來過, 此乃其美中不足處 @ 此 protocol 之精神乃在於利用系統密鑰與各使用者之通行碼於使用者之識別名稱 IDi 而得; 其思維邏輯圖示如下: (quite the same as T. Y. Hwang’s Method. ) IDi VPi PWi EPWi( ) SKS ESKS( ) TPi 17

中心: RSA 之 n = p * q e * d = 1 mod (n) 個人: PWi=IDid mod n 本法與Shamir 之唯一不同者是用時戳TS取代M Step 1: Temp = Random e mod n Pass. Key = PWi * Random F(Temp, TS) mod n Step 2: 送出 ( Pass. Key, Temp, TS) IDi 也需送出 ? Pass. Key e = PW e * Random e * F(Temp, TS) mod n i = (IDid )e * Random e * F(Temp, TS) mod n ? IDi * Temp. F(Temp, TS) mod n = 18

A 1: No password table ! A 2: Remote Login 時 Password 不會直接曝光! A 3: Remote Login 時 Pass. Key含有Time. Stamp, 以防 replay attack. D 1: one can not freely decide one’s password. D 2: password 在申請帳號時被系統管理者知悉 19

J. K. Jan and Y. Y. Chen, “Paramita-Wisdom Password Authentication Scheme without Verification Tables, ” The Journal of Systems and Software, U. S. A. , Vol. 42, pp. 45 -57, Aug. 1998. 希望達成之目標: 1. 通行碼驗證表無需儲存, 以防入侵者或系統管理者之破壞. 2. 在終端機與系統間不會出現可被還原為通行碼之資訊 3. 在證明的過程中, 通行碼仍然不會曝光 4. 通行碼可以自由決定, 且可自由更換 5. 通行碼長度需適中, 安全性也要足夠 6. 整個通行碼驗證協定應具效率與實用性 20

21

22

23

假設我們每人已有一張國民IC卡, 由政府發卡中心統一發行; 上面記錄發卡中心相關之驗證資訊 , 以及持卡人之身份資訊. 同時, 持卡人基於需要欲向任何特定機構建立關係; 譬如說: 我要用此張國民 IC卡向彰銀要求加入具提領該行之現金功能, 則首要作即身份確認, 其相關作包含: 1. 彰銀依IC卡上之驗證憑藉, 向政府發卡中心要求認證此卡之真偽, 確定後 2. 彰銀為我開戶( 參見下述之個人帳號申請) 3. 提領現金時之身份確認( 參見下述之登錄及確認兩過程) @ 政府發卡中心之IC卡發行與認證可專案研究 24

S 1: 選定一大質數 P 及一小於 P之數 G, 兩者均公開 S 2: 選一密鑰 SK [ 1, P-1 ], 且製造公鑰 PK = GSK mod P S 1: IC卡被確認非膺品后, 將彰銀之註冊簽章 NOi , 註冊時戳 STi , 公開資訊 P, G 及 PK 存入卡內檔案之中. (此時可以徵信客戶以為開戶之決定) S 2: 使用者選擇一個核心暗號 Xi ; 此暗號最好深刻記憶在使用者的腦海中. 利用此暗號及排列組合函數 H( ), 和儲存於卡中之個人身份資料 (Personal Information) 計算出一個介於 1 與 P-1 之間之大數( 通行碼) PWi . PWi = H(Xi ; Personal Information) 25

S 3: 用此 PWi , 在 IC卡及終端設備兩者之分散式計算方式下算出 MEi ; MEi = G PWi mod P MEi 再與註冊時戳 STi 結合(concatenate) 成個人帳號 IDi ; IDi = (STi , MEi ) 然後將 (NOi , IDi ) 傳送給彰銀, 以確定其帳號. S 4: 彰銀在收到上述資訊後, 先確認註冊簽章 NOi 正確無誤 , 即為其開戶且設定其帳戶為 IDi . 然後用其密鑰 SK, 及特定加密函數 E( ) 將IDi 加密得出彰銀之簽章 SGi , 且將其傳送回 IC卡以取代原先之註冊簽章 NOi ; SGi = ESK (IDi ) . 26

S 1: 使用者將 IC卡置入終端讀卡機內, 並輸入核心暗號 Xi ; 計算 PWi = H(Xi ; Personal Information) S 2: 計算 MEi = G PWi mod P (此處及此後可以分散式方式計算) 將 IC卡內註冊時戳 STi 與 MEi 結合(concatenate) 成個人帳號 IDi IDi = (STi , MEi ) S 3: IC卡選一亂數 R [ 1, P-1 ], 以為計算此次登錄所需之共同金鑰 CK CK = PKPWi * GR mod P 並將 R 與 IDi 及 SGi 做 XOR 運算得一整數 XR XR = R IDi SGi 且以 CK 加密現在時刻 T 及亂數 R; TR = ECK (T, R) S 4: 將 ( IDi , XR, TR ) 傳送彰銀. 27

S 1: 彰銀檢查帳號 IDi = (STi , MEi ) 存在與否, 如存在, 則 S 2: 以密鑰 SK 及特定加密函數 E( ) 加密於 IDi 以求取彰銀之簽章 SGi ; SGi = ESK (IDi ) , 而用此算出 R; R = XR IDi SGi S 3: 計算此次登錄之共同金鑰 CK CK = MEi SK * GR mod P = G PWi * SK * GR mod P = G SK * PWi * GR mod P = PKPWi * GR mod P ? S 4: 用此 CK 解 TR; DCK (TR) = ( T, R) ? 查驗現在時刻 T’ - T 且此處之 R 與相同? ; 即可確定身份. 28

1. 通行碼被系統管理員知悉 ? 由於使用者在設定或更換通行碼時, 從 Xi PWi IDi 均在個人之IC 卡上完成 ! 2. 通行碼之自由選擇 ? 核心暗號 Xi 可選簡短易記憶者為之 ! 3. 通行碼之更換容易 ? 若欲以核心暗號 X’i 替換核心暗號 Xi 則先前之處理流程不變, 僅用 PW’i 取代PWi ME’i 取代 MEi ID’i 取代 IDi 不過 , 接下來利用原通行碼PWi , 原帳號 IDi 及原簽章 SGi 來產生另一組 CK, XR 及 TR, 然後將新舊帳號加密如下: CID = ECK (IDi , ID’i ) 且將 (IDi , XR, TR, CID) 送給彰銀. 29

彰銀依照先前所述之確認流程, 先對 IDi , XR 及 TR 確認無誤後, 即可用 CK 解出 (IDi , ID’i ) = DCK (CID) 而確定將IDi 改成 ID’i ; 且算出新簽章 SG’i SG’i = ESK (ID’i ) 最後以 CK及特定加密函數 E( ) 將(ID’i , SG’i ) 加密成 CSG: CSG = ECK (ID’i , SG’i ) 送給IC卡. IC卡收到 CSG 後, 用下述方式算出 (ID’i , SG’i ) (ID’i , SG’i ) = DCK (CSG) 確認 ID’i 無誤後, 將卡上之SGi 更換成 SG’i @ 整個流程由使用者自選新核心暗號 X’i , 再結合 IC卡上之個人資訊排列組合得一相當大的新通行碼 PW’i , 再以此導出個人新帳號 ID’i , 再交由彰銀記錄之. 整個處理無需交由彰銀處理 , 因此只要 IC 卡與終端機配合即可. 30

4. 通行碼在遠程登錄之安全性 ? 由於本方法在網路傳輸之資訊是 XR 及 TR (藉亂數 R保護), 且用每次變動之共用金鑰 CK 加密, 且具時效性(用time stamp), 保證安全. 本法在遠程登錄不採交互式, 故亦可確保其效率. ! 5. IC 卡遺失之風險? 從遺失到止付這段時間, 拾獲者猜出核心暗號 Xi 之機率定義此風險係數. 6. IC 卡被偽造之風險? 由於已在認證過的卡上烙上彰銀之簽章 SGi , 而此簽章是由彰銀之密鑰 SK 與使用者之帳號 IDi 所組成 SGi = ESK (IDi ) , 因此要仿造彰銀的簽章等於猜 SK之機率. 7. IC 卡之目前功能與成本考量. 假設實作上將 P 訂為 200數位(即 640 bits); 則計算下二式: MEi = G PWi mod P CK = PKPWi * GR mod P {兩倍於上式之代價} 31

最多約是 2* log 22 640 = 2 * 640 = 1280 個乘法運算 ! 且每個運算元均是 200 數位. 鑑於目前 IC卡無法承受此計算量之負荷, 因此我們提議分散式計算之. 8. 整合成一卡之時機將至 ! 9. 安全核心之曝光問題若彰銀之SK 用 brute forces 破解; PK = GSK mod P 解此 Discrete Logarithms Problem 在 P 是 200 數位下平均需 (2640 )1/2 = 2320 10100 若一秒可計算一百萬次此種運算 , 則需時 3. 17 * 1086 年 ! SK 若怕被監守自盜, 則宜以機密分享方式保護之 ! 32

33

2. 2. Improved Scheme Based on Geometric Approach 34

Registration phase: CA chooses a large prime P(for modulus usage), a one-way function f( ), and a point (x 0 , y 0) on the Euclidean plane. CA publishes P and f( ), but keeps (x 0 , y 0) secret. User Ui chooses his password PWi and presents f(PWi )to CA. CA preforms: 1. Choosing the identity IDi for Ui , 2. Defining point riw as (0, f(PWi )) and ri 0 as (f(IDi · x 0 ), f(IDi · y 0 )) 3. Constructing a straight line Li passing through these two points above and compute point Ai as the middle point of these two points. So, Ai = (f(IDi · x 0 )/2, (f(PWi )+ f(IDi · y 0 ))/2) = (ai 1 , ai 2 ) 4. Storing {IDi , f, P, Ai } on the smart card for user Ui. 35

Login phase: User Ui inserts his smart card into a terminal and keys in his password. The smart card performs: 1. Getting the timestamp T. 2. Computing riw = (0, f(PWi )). 3. Reconstructing Li passing through riw and Ai. 4. Computing the point Bi as the middle point of riw and Ai ; Bi = (ai 1/2, (ai 2 + f(PWi))/2). 5. Computing a new point ri. T = (0, f(PWi )+f(T)) on the y-axis. 6. Constructing a new line LWT passing through ri. T and Bi. 7. Randomly select a point Ci distinct from ri. T and Bi on the line LWT. 8. Sending the login request message {IDi , Ai , Ci , T} to the system. 36

2. 2. 1. Review of Wu’s Scheme y-axis ri 0=(f(IDi * x 0), f(IDi * y 0)) x-axis 37

Verification phase: The system performs: 1. Validating the IDi and the timestamp T. 2. Computing ri 0 as (f(IDi · x 0 ), f(IDi · y 0 )). F(PWi) 3. Reconstructing the line Li passing through ri 0 and Ai. 4. Computing the intercept point riw of line Li and y-axis. Let riw = (0, Ei). 5. Computing ri. T = (0, Ei + f(T) ). c. f. Bi 6. Computing the intercept point Di of line Li and line LWT , where LWT is reconstructed line passing through ri. T and Ci. 7. Checking whether Di is the middle point of riw and Ai ; if yes, then success. 38

y-axis ri 0=(f(IDi * x 0), f(IDi * y 0)) x-axis 39

How an attacker can easily derive the secret point riw from the eavesdropped messages? The attacker first draws a line LRA passing through point Ai and parallel to y-axis. Let R be the intercepted point of line LRA and LWT. Since Bi is the middle point of riw and Ai , the distance between Ai and R is equal to the distance between riw and ri. T. Thus, the point R can be computed as From point R and Ci , the attacker reconstruct the line LWT , and computes the point ri. T. Finally, the point ri. W can be derived by extracting f(T) from the y-axis value of ri. T. Chien, H. Y. , Jan, J. K. and Tseng, Y. M. (2001): A Modified Remote Login Authentication Scheme based on Geometric Approach, The Journal of Systems and Software, U. S. A. Vol. 55, Jan. 2001, PP. 287 -290. [SCI] 40

2. 2. 2. Our Attack y-axis x-axis Any two lines LWT and LWT’ representing the login message for user at timestamp T and T’, respectively, always intercept at the point Bi. If we denote riw as (0, k), then ri. T and ri. T’ can be denoted as (0, k+f(T)) and (0, k+f(T’)), respectively. Since f( ) is public, the values of f(T) and f(T’) can be computed by the attacker. Therefore, the three equations for the reconstructed lines Li , LWT and LWT’ will contain only three variables k, x and y , which can derive the value of k. 41

2. 2. 3. Improved Scheme 42

2. 4. Novel Scheme Chien, H. Y. Jan, J. K. and Tseng, Y. M. (2002): An Efficient and Practical Solution to Remote Authentication: Smart Card, Computers & Security, Oxford, England, Vol. 21, No. 4, . June 2002, PP. 372 -375. [SCI] 43

2. 4. Novel Scheme Let x be the secret key held by the system(CIC), h( ) be a secure oneway hash function. CIC computes Ri and issues the user the smart card which holds h( ) and Ri. 44

2. 4. Novel Scheme • Login: User keys in his identifier IDi and password PWi ; the IC card then computes the follows: Verification : 45

2. 5. Comparisons among the Smart-Card-Based Schemes Computation & communication overhead of the smart card Verification table Users freely choose the passwords Mutual Our scheme Extremely low 3 TXOR + 2 Th No Yes Wu [1, 10] Low Several TM + 2 Th No Yes No Tan-Zhu [3, 9] Medium (several exponentiations required) No Yes No Yang-Shieh [4] medium No* Yes No Yen-Liao [5] Extremely low Yes Yes authentication 46

2. 5. Comparisons among the Smart-Card-Based Schemes Wu-Sung [6] low No Yes No Jan-Chen [7] medium No* Yes No Wang-Chang Medium [8] No* Yes No Chang-Wu [19, 20] Low + No No No Hwang-Li [11] medium No No No Sun [12] Extremely low No No No * a table is used to store some user specific or card specific data. 47