Fixing problems in Lin et al's OSPA protocol

1
Fixing problems in Lin et al.s OSPA protocol

• AuthorEun-Jun Yoon, Eun-Kyung Ryu, Kee-Young Yoo
• SourceAPPLIED MATHEMATICS AND COMPUTATION 166
  (2005) 46-57
• Speaker???

2
Outline

• Introduction
• Review of two simple attacks on Lin et al.s
  protocol
• The proposed scheme
• Security analysis
• Conclusions

3
Introduction

• SAS (simple and secure) protocol is vulnerable to
  the replay attack and the DoS attack.
• OSPA (optimal strong-password authentication)
  protocol is vulnerable to the stolen-verifier
  attack.
• Lin et al.s enhancement OSPA protocol is
  vulnerable to the replay attack and the DoS
  attack.
• Above are only support unilateral authentication.
• This paper proposed scheme can simply update user
  password and also provide mutual authentication
  and has more efficient performance by reducing
  the number of hash operation.

4
Review of two simple attacks on Lin et al.s
protocol(1/8)

• A , S , user , server and adversary,
  respectively.
• P , P'users password and new password.
• N , N'random nonce and new random nonce.
• vpw , new_vpwusers password verifier and new
  password verifier.
• h() a strong one-way hash function.
• ?bitwise XOR operation.
• concatenation operation.
• xservers secret key.

5
Review of two simple attacks on Lin et al.s
protocol(2/8)

• Security properties
• Guessing attack.
• Replay attack.
• Impersonation attack.
• Stolen-verifier attack.
• Denial of Service attack.

6
Review of two simple attacks on Lin et al.s
protocol(3/8)
Registration phase
A
S
Select N
Computes
Store
Secure channel
K , N
Smart card
Smart card
Secure channel
7
Review of two simple attacks on Lin et al.s
protocol(4/8)
Authentication phase
A
S
Smart card
A , P
8
Review of two simple attacks on Lin et al.s
protocol(5/8)
DoS Attack
A
S
Smart card
A , P
9
Review of two simple attacks on Lin et al.s
protocol(6/8)
Replay Attack(1/3)?n???
S
A
Smart card
A , P
10
Review of two simple attacks on Lin et al.s
protocol(7/8)
Replay Attack(2/3)
S
11
Review of two simple attacks on Lin et al.s
protocol(8/8)
Replay Attack(3/3)
S
12
The proposed scheme(1/4)

• The proposed scheme has at least four merits as
  follows
• User can freely change their passwords.
• The scheme can fast detect wrongly inputed
  password when user inputs wrong password.
• The scheme provides mutual authentication.
• The scheme has low computation costs.

13
The proposed scheme(2/4)
Registration phase
S
A
Select A,P
A,P
Secure channel
X ,K , N , h()
Smart card
Smart card
Secure channel
14
The proposed scheme(3/4)
Authentication phase
S
A
Smart card
A , P
15
The proposed scheme(4/4)
Password change scheme
S
A
Smart card
A , P
16
Security analysis(1/3)

• Guessing attackhe cant use C2 and C3 to derive
  P because he doesnt know N and N and secret key
  x.
• Replay attackbecause new_vpw hide in C3.
• Impersonation attackfor server because he has
  no way to obtaining the values h(xA) and h(P?N)
  to compute C2 and C3 , for user he cant derive
  the value h(xA) and new_vpw , due to one-way
  function.
• Stolen-verifier attackhe cant derive h(xA)
  and new_vpw by h(P?N) because its a one-way hash
  function.
• Denial of Service attackonly if C3C3 , the
  server update h(P?N) with new_vpwh(P?N).

17
Security analysis(2/3)
18
Security analysis(3/3)
19
Conclusions

• The paper presented an improved version of Lin et
  al.s protocol that can withstand the replay
  attack and DoS attack.
• The proposed scheme can simply change users
  password and also provide mutual authentication.
• The proposed scheme has more efficient
  performance by reducing the number of hash
  function.

20
Common
DoS attack?
S
A
C4
X