This paper analyzes a variant of Peyravian-Zunic's password authentication scheme, identifying weaknesses such as replay attacks and denial of service attacks.
Cryptanalysis of a Variant of Peyravian-Zunic’s Password Authentication Scheme
Authors: Wei-Chi Ku, Chien-Ning Chen, and Hui-Lung Lee
Source: IEICE Transactions on Communications, Vol. E86-B, No. 5, May 2003, pp. 1682-1684.
Speaker: Yo-Chi Huang
Date: 2004/12/07

Outline
• Hwang-Yeh’s Scheme
  • Notations
  • Protocols
    • Protected Password Transmission Protocol
    • Protected Password Change Protocol
• Weaknesses of Hwang-Yeh’s Scheme
  • Threat of Replay Attack
  • Denial of Service Attack

Notations
• C = client
• S = server
• E = adversary
• id, pw = identity, password of C
• Ks = public key of S
• Ks^-1 = secret key of S
• rc = random number generated by C
• rs = random number generated by S
• H = a collision-resistant hash function
• ⊕ = bitwise XOR operation
• {m}Ks = message m encrypted with Ks

Protected Password Transmission Protocol
• H(pw) is stored in S as the verifier for pw
• (1) C → S : id, {rc, pw}Ks
• (2) C ← S : rs ⊕ rc, H(rs)
• (3) C → S : id, H(rc, rs)
• (4) C ← S : access granted / denied

Protected Password Change Protocol
• pw' = C’s new password
• (1) C → S : id, {rc, pw}Ks
• (2) C ← S : rs ⊕ rc, H(rs)
• (3') C → S : id, H(rc, rs), H(pw') ⊕ H(rc+1, rs)
• (4) C ← S : access granted / denied
• S computes H(pw') ⊕ H(rc+1, rs) ⊕ H(rc+1, rs) to get H(pw')

Threat of Replay Attack
• Protected Password Transmission Protocol
• E has stolen a previously used rc and the corresponding message (1)
• (1) E → S : id, {rc, pw}Ks (recorded)
• (2) E ← S : rs_new ⊕ rc, H(rs_new)
• E computes H(rc, rs_new)
• (3) E → S : id, H(rc, rs_new)
• (4) E ← S : access granted

Threat of Replay Attack
• Protected Password Change Protocol
• E has stolen a previously used rc and the corresponding message (1)
• (1) E → S : id, {rc, pw}Ks (recorded)
• (2) E ← S : rs_new ⊕ rc, H(rs_new)
• E computes H(rc, rs_new), H(pwE), and H(pwE) ⊕ H(rc+1, rs_new)
• (3') E → S : id, H(rc, rs_new), H(pwE) ⊕ H(rc+1, rs_new)
• (4) E ← S : access granted

Denial of Service Attack
• Protected Password Change Protocol
• E generates a random number rE
• (3') C → S : id, H(rc, rs), H(pw') ⊕ H(rc+1, rs) (as sent by C)
• (3') C → S : id, H(rc, rs), rE (as modified by E and received by S)
• (4) C ← S : access granted
• With the original 3', S computes H(pw') ⊕ H(rc+1, rs) ⊕ H(rc+1, rs) = H(pw')
• With the modified 3', S computes rE ⊕ H(rc+1, rs) = ???
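
The two weaknesses above (replay and denial of service), modelled from the server's side as an added example that is not code from the paper or the slides: it shows that S's check on message 3 binds only rc, and that the third field of 3' is unmasked and stored with no integrity check. SHA-256 as H, the tuple standing in for {rc, pw}Ks, and the names Server, msg2, msg4, seal and run_checks are assumptions.

```python
import hashlib, secrets

N = 32  # byte length of rc, rs and the SHA-256 output (SHA-256 as H is an assumption)

def H(*parts):                       # H(a, b) hashes the fixed-width concatenation
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def inc(r):                          # rc+1 as an N-byte big-endian integer
    return ((int.from_bytes(r, "big") + 1) % (1 << 8 * N)).to_bytes(N, "big")

def seal(rc, pw):                    # stand-in for {rc, pw}Ks: only Server opens it
    return ("sealed-for-S", rc, pw)

class Server:
    def __init__(self, uid, pw):
        self.verifier, self.pending = {uid: H(pw)}, {}   # S stores H(pw)

    def msg2(self, uid, sealed):                # processes message 1
        _, rc, pw = sealed
        if H(pw) != self.verifier[uid]:
            return None
        rs = secrets.token_bytes(N)
        self.pending[uid] = (rc, rs)
        return xor(rs, rc), H(rs)

    def msg4(self, uid, auth, masked=None):     # processes message 3 or 3'
        rc, rs = self.pending.pop(uid)
        if auth != H(rc, rs):                   # shows knowledge of rc, not of pw
            return False
        if masked is not None:                  # 3': unmasked value stored unchecked
            self.verifier[uid] = xor(masked, H(inc(rc), rs))
        return True

def run_checks():
    pw, new_pw = b"old-pw", b"new-pw"           # constructed sample values
    s, rc = Server("alice", pw), secrets.token_bytes(N)
    msg1 = seal(rc, pw)                         # message 1, later seen again
    rs = xor(s.msg2("alice", msg1)[0], rc)
    honest = s.msg4("alice", H(rc, rs))
    rs = xor(s.msg2("alice", msg1)[0], rc)      # same msg1 again, fresh rs from S
    replay_accepted = s.msg4("alice", H(rc, rs))
    rc2 = secrets.token_bytes(N)                # new run: C starts a password change
    rs = xor(s.msg2("alice", seal(rc2, pw))[0], rc2)
    change_accepted = s.msg4("alice", H(rc2, rs), secrets.token_bytes(N))  # rE in 3'
    locked_out = all(s.msg2("alice", seal(rc2, p)) is None for p in (pw, new_pw))
    return honest, replay_accepted, change_accepted, locked_out
```

run_checks() returns (honest, replay_accepted, change_accepted, locked_out); all four are True, the last because the stored verifier is now rE ⊕ H(rc+1, rs), which matches neither H(pw) nor H(pw').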