Recursive Protocol for Group-Oriented Authentication with Key Distribution

1
Recursive Protocol for Group-Oriented
Authentication with Key Distribution
  • Source: Journal of Systems and Software, Vol. 81, No. 7, pp. 1227-1239, Jul. 2008
  • Authors: Tzong-Chen Wu, Thsia-Tzu Huang, Chien-Lung Hsu and Kuo-Yu Tsai
  • Speaker: Ting-Fang Cheng
  • Date: 2009/07/16

2
Introduction
Group-oriented communication
Authentication Group session key
Authentication Server
  • Bull and Otway, 1997
      • Is vulnerable to the domino attack
  • Chang and Wu, 1998
      • Does not achieve load-amortization
  • Ryan and Schneider, 1998
      • Requires extra O(n) waiting time on average for the completion of the recursion

3
Notations
  • AS: the authentication server
  • Ui: the entity involved in the protocol
  • n: the number of entities involved in the protocol
  • IDi: Ui's identity
  • Ki: the secret key initially shared between Ui and AS
  • HashK(.): a keyed one-way hash function using the key K
  • .K: a symmetric encryption function using the key K
  • Ki,j: a session key shared between Ui and Uj
  • Ni: a nonce generated by Ui
  • the concatenation

4
Ryan-Schneider protocol (1/3)
Forward phase
[Figure: forward-phase message flow among U1, U2, U3, U4 and AS, steps (1) to (4)]
  1. U1 → U2: X1 = ID1, ID2, N1, HashK1(ID1ID2N1)
  2. U2 → U3: X2 = ID2, ID3, N2, X1, HashK2(ID2ID3N2X1)
  3. U3 → U4: X3 = ID3, ID4, N3, X2, HashK3(ID3ID4N3X2)
  4. U4 → AS: X4 = ID4, AS, N4, X3, HashK4(ID4ASN4X3)

5
Ryan-Schneider protocol (2/3)
Entity authentication and key establishment phase
[Figure: message flow among U1, U2, U3, U4 and AS]
  • Unravels and verifies X1, X2, X3, and X4
  • Computes
      • M1 = ID1, ID2, K1,2 ⊕ HashK1(N1ID2), ID1, ID2, N1K1,2
      • M2 = ID2, ID1, K1,2 ⊕ HashK2(N2ID1), ID2, ID1, N2K1,2
      • M3 = ID2, ID3, K2,3 ⊕ HashK2(N2ID3), ID2, ID3, N2K2,3
      • M4 = ID3, ID2, K2,3 ⊕ HashK3(N3ID2), ID3, ID2, N3K2,3
      • M5 = ID3, ID4, K3,4 ⊕ HashK3(N3ID4), ID3, ID4, N3K3,4
      • M6 = ID4, ID3, K3,4 ⊕ HashK4(N4ID3), ID4, ID3, N4K3,4
  • AS → U4: M1, M2, M3, M4, M5, M6

6
Ryan-Schneider protocol (3/3)
Backward phase
[Figure: message flow among U1, U2, U3, U4 and AS, backward steps (6) to (9)]
  • U4 extracts K3,4 and verifies it from M6
  • U4 → U3: M1, M2, M3, M4, M5
  • U3 extracts K2,3 and K3,4 and verifies them from M4 and M5, respectively
  • U3 → U2: M1, M2, M3
  • U2 extracts K1,2 and K2,3 and verifies them from M2 and M3, respectively
  • U2 → U1: M1
  • U1 extracts K1,2 and verifies it from M1

7
Performance evaluations
[Figure: forward time scale (t0, t1, t2, t3, t4) and backward time scale (t4, t3, t2, t1, t0) for U1, U2, U3, U4 and AS]
  • O(n) rounds of messages
      • 8 = 2n ∈ O(n)
  • O(n) completion time
      • 8t = 2n ∈ O(n)
  • O(n) waiting time on average
      • (7t + 5t + 3t + t)/4 = 4t = n ∈ O(n)

n = 4; t is the time unit for each round

8
Proposed protocol (1/4)
Binary tree structure: n = 2^k (k is an integer)
  • Step 1: assigns a number to each entity of the group from 1 to n
  • Step 2: generates a parent for each two nodes, where each parent is assigned a number which is equal to its right node
  • Step 3: if the number of nodes generated from Step 2 is not equal to 1, then returns to Step 2
  • Step 4: assigns a direction of message transmission for each two nodes in each level (forward or backward)
  • Step 5: assigns a direction of message transmission from root to AS

[Figure: binary tree over U1, U2, U3, U4, ..., Un-1, Un, with AS above the root]
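
The tree construction in Steps 1 to 5, as an added example that is not code from the paper or the slides: it derives the forward and backward message rounds for any n = 2^k and counts messages and rounds. The function names are hypothetical, and the rule that the left node of each pair sends to the right node in the forward phase is read from the forward-phase and backward-phase slides.

```python
def forward_schedule(n: int) -> list[list[tuple[str, str]]]:
    """Forward-phase rounds; each round is a list of (sender, receiver) pairs."""
    if n < 2 or n & (n - 1):
        raise ValueError("n must be a power of two (n = 2^k, k >= 1)")
    level = list(range(1, n + 1))              # Step 1: number the entities 1..n
    rounds = []
    while len(level) > 1:                      # Step 3: repeat until one node is left
        pairs = list(zip(level[0::2], level[1::2]))
        # Step 4: within each pair the left node sends forward to the right node
        rounds.append([(f"U{left}", f"U{right}") for left, right in pairs])
        level = [right for _, right in pairs]  # Step 2: parent takes the right node's number
    rounds.append([(f"U{level[0]}", "AS")])    # Step 5: the root forwards to AS
    return rounds


def backward_schedule(n: int) -> list[list[tuple[str, str]]]:
    """Backward phase: the forward rounds replayed in reverse order and direction."""
    return [[(dst, src) for src, dst in rnd]
            for rnd in reversed(forward_schedule(n))]


def cost(n: int) -> tuple[int, int]:
    """(messages sent, rounds elapsed) over the forward plus backward phases."""
    fwd = forward_schedule(n)
    return 2 * sum(len(rnd) for rnd in fwd), 2 * len(fwd)


if __name__ == "__main__":
    for number, rnd in enumerate(forward_schedule(4) + backward_schedule(4), 1):
        print(number, rnd)
    print("n=4:", cost(4), "n=16:", cost(16))
```

For n = 4 this gives 8 messages in 6 rounds, against the 8 rounds of the chained Ryan-Schneider exchange.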
9
Proposed protocol (2/4)
Forward phase
[Figure: forward-phase message flow among U1, U2, U3, U4 and AS, steps (1) to (3)]
  • U1 → U2: X1 = X11, X12, where X11 = (ID1N1) and X12 = HashK1(ID1N1)
  • U3 → U4: X3 = X31, X32, where X31 = (ID3N3) and X32 = HashK3(ID3N3)
  • U2 → U4: X2 = X21, X22, where X21 = (ID2N2X11) and X22 = HashK2(ID2N2X12)
  • U4 → AS: X4 = X41, X42, where X41 = (ID4N4X31X21) and X42 = HashK4(ID4N4X32X22)

10
Proposed protocol (3/4)
Entity authentication and key establishment phase
[Figure: message flow among U1, U2, U3, U4 and AS]
  • Unravels and verifies X1, X2, X3, and X4
  • Randomly chooses a group session key KG
  • Computes
      • M1 = ID1, IDG, KG ⊕ HashK1(IDG N1), HashK1(IDG N1KG)
      • M2 = ID2, IDG, KG ⊕ HashK2(IDG N2), HashK2(IDG N2KG)
      • M3 = ID3, IDG, KG ⊕ HashK3(IDG N3), HashK3(IDG N3KG)
      • M4 = ID4, IDG, KG ⊕ HashK4(IDG N4), HashK4(IDG N4KG)

11
Proposed protocol (4/4)
Backward phase
[Figure: message flow among U1, U2, U3, U4 and AS, backward steps (5) to (7)]
  • AS → U4: M1, M2, M3, M4
  • U4 extracts KG and verifies it from M4
  • U4 → U2: M1, M2
  • U2 extracts KG and verifies it from M2
  • U2 → U1: M1
  • U4 → U3: M3
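
How AS masks KG into Mi and how Ui extracts and verifies it, as an added example that is not code from the paper or the slides. Assumptions: HMAC-SHA256 stands in for the keyed hash, concatenation is length-prefixed, KG and nonces are 32 bytes, identities are byte strings, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, *parts: bytes) -> bytes:
    """Hash_K over concatenated parts; HMAC-SHA256 is this example's choice."""
    # Length-prefix every part so the concatenation parses only one way.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def as_build(id_i, id_g, k_i, n_i, kg):
    """AS side: M_i = ID_i, ID_G, KG xor Hash_Ki(ID_G N_i), Hash_Ki(ID_G N_i KG)."""
    mask = keyed_hash(k_i, id_g, n_i)
    return (id_i, id_g, xor(kg, mask), keyed_hash(k_i, id_g, n_i, kg))


def entity_open(m, my_id, k_i, n_i):
    """U_i side: unmask KG with its own K_i and nonce, then check the verifier."""
    id_i, id_g, masked, verifier = m
    if id_i != my_id:
        raise ValueError("message is addressed to another entity")
    kg = xor(masked, keyed_hash(k_i, id_g, n_i))
    if not hmac.compare_digest(verifier, keyed_hash(k_i, id_g, n_i, kg)):
        raise ValueError("M_i failed verification")
    return kg


def demo():
    """Constructed run for U4: honest delivery, tampered mask, stale nonce."""
    k4, n4, kg = (secrets.token_bytes(32) for _ in range(3))
    m4 = as_build(b"U4", b"G", k4, n4, kg)
    results = {"honest": entity_open(m4, b"U4", k4, n4) == kg}
    flipped = bytes([m4[2][0] ^ 1]) + m4[2][1:]
    for name, msg, nonce in (("tampered", (m4[0], m4[1], flipped, m4[3]), n4),
                             ("stale_nonce", m4, secrets.token_bytes(32))):
        try:
            entity_open(msg, b"U4", k4, nonce)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```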

12
Performance evaluations
[Figure: forward time scale (t0, t1, t2, t3) and backward time scale (t3, t2, t1, t0) for U1, U2, U3, U4 and AS]
  • O(n) rounds of messages
      • 8 = 2n ∈ O(n)
  • O(log n) completion time
  • 6t 23 2( 1) 2(
    1) ? O( log n)
  • O(log n) waiting time in average
  • (5t 3t 5t t)/4 3.5t ( 1.5)
    ? O( log n)

n = 4; t is the time unit for each round

13
Conclusions
  • Perfect forward secrecy
  • Direct authentication
  • No timestamps
  • Nondisclosure
  • Independency
  • Integrity
  • Practicality and efficiency
  • Is performed in a recursive but parallel manner
  • Only uses one-way hash function and exclusive-or
    operations