Upload
urian
View
45
Download
0
Tags:
Embed Size (px)
DESCRIPTION
A New Approach for Anonymous Password Authentication. Yanjiang Yang, Jianying Zhou, Feng Bao Institute for Infocomm Research, Singapore. Jian Weng Jinan University, China. Agenda. Introduction Limits of Conventional Anonymous Password Authentication - PowerPoint PPT Presentation
Citation preview
A New Approach for Anonymous Password
Authentication
Yanjiang Yang, Jianying Zhou, Feng Bao
Institute for Infocomm Research, SingaporeJian Weng
Jinan University, China
RFID Security Seminar 2008
2
Agenda
• Introduction
• Limits of Conventional Anonymous Password Authentication
• Our Proposed Approach
• Conclusion
RFID Security Seminar 2008
3
• Introduction
• Limits of Conventional Anonymous Password Authentication
• Our Proposed Approach
• Conclusion
RFID Security Seminar 2008
4
PA: Pros & Cons
• Password Authentication (PA)
– Most widely used entity authentication technique
– Advantages: portability
– Disadvantages: guessing attack • Online guessing attack
• Offline guessing attack
RFID Security Seminar 2008
5
Privacy Concern
• Privacy is increasingly a concern nowadays
• Password authentication in its original form does not protect user privacy
RFID Security Seminar 2008
6
Project Summary - why should it be done? PA: Standard Setting
U1, PW1
U2, PW2
U3, PW3
Un, PWn
Ui, PWi
Password File
Ui
User Server(PWi)
Ui, PWiPWi
RFID Security Seminar 2008
7
Privacy Protection – Anonymous PA
U1, PW1
U2, PW2
U3, PW3
Un, PWn
Ui, PWi Unlinkability
• Unlinkability
RFID Security Seminar 2008
8
• Introduction
• Limits of Conventional Anonymous Password Authentication
• Our Proposed Approach
• Conclusion
RFID Security Seminar 2008
9
Major Weakness
• Server Computation O(N)– Linear to the total number registered
users N
– Server is the bottleneck of the system
RFID Security Seminar 2008
10
• Introduction
• Limits of Conventional Anonymous Password Authentication
• Our Proposed Approach
• Conclusion
RFID Security Seminar 2008
11
Project Summary - why should it be done?A Different Setting
[Cred]PW
PWCred
Important: [Cred]PW is public, requiring no further protection, portability arguably remains
User Server
RFID Security Seminar 2008
12
Project Summary - why should it be done?Design Rationale
• Cred must not be publicly verifiable; otherwise, everyone can guess pw from [Cred]PW
• Cred is verifiable only to server
RFID Security Seminar 2008
13
Project Summary - why should it be done? First Try
• What Credentials Have Unlinkability?
• Blind Signature
Cred = Blnd Sig
[Cred] = [Blnd Sig]PW
• Failurs:– Blind signatures are public verifiable
RFID Security Seminar 2008
14
Project Summary - why should it be done? Second Try
• Still Using Blind Signature, but with Restricted Verifiability (Encryption to Server)
• Failures:– Server knows Cred from [Cred]PW, so if
directly submit Cred to server, then server links credentials encrypted by the same PW
RFID Security Seminar 2008
15
Third Try
• Seems should not directly submit the credentials to server
• Using proof of knowledge– CL signature (by J. Camenisch, A.
Lysyanskaya)– Public parameters: (a, b, c, n)– Signature: (v, k, s) s.t. vk = ambsc (mod n): – Signature showing: NPoK[(v,k,s):vk=ambsc]
RFID Security Seminar 2008
16
Third Try - continue
• Credential: (v,k,s) s.t. vk = aUbsc (mod n)
• How to Achieve Restricted Verifiability
• Encryption of s to Server: Enc(s);• Prove to Server: NPoK[(v,k,U):vka-U=bsc]
• Failurs:– Linkability through Enc(s)
RFID Security Seminar 2008
17
Finale
• We need to blind Enc(), so it should be homomorphic: HE(.)– HE(r1).HE(r2) = HE(r1+r2)
• Partition s: s = s1 + s2
• Encryption s1 to Server Enc(s1), and blind Enc(s1) each time
RFID Security Seminar 2008
18
Finale - continued
• Final Scheme– [Cred]PW = <[v, s2]PW, HE(s1), k>
– Authentication: • partition s2 = s21+s22
• bind HE(s1): HE(s1)HE(s21) = HE(s1+s21)
• Submit bs22gr, HE(s1+s21) to server
• NPoK[(v,k,U,r):vka-U=bs1+s21 bs22gr
c=bsgrc]
RFID Security Seminar 2008
19
Future Work
• User Revocation
• Online Guessing Attacks
RFID Security Seminar 2008
20
• Introduction
• Limits of Conventional Anonymous Password Authentication
• Our Proposed Approach
• Conclusion
RFID Security Seminar 2008
21
Conclusion
• Server Computation in Conventional Anonymous PA has to be O(N)
• We Proposed A New Paradigm for Anonymous PA: Using Password to Protect Authentication Credentials
• Our Scheme Has Constant Server Computation
RFID Security Seminar 2008
22
Project Summary - why should it be done? Q & A
THANK YOU!