On the security of efficient user identification scheme


Applied Mathematics and Computation 171 (2005) 1201–1205

www.elsevier.com/locate/amc

Eun-Kyung Ryu*, Kee-Young Yoo*

Department of Computer Engineering, Kyungpook National University, 1370 Sankyuk-dong, Buk-gu, Daegu, 702-701, South Korea

Abstract

A user identification scheme was proposed by Tseng et al. in 1998 as one of the applications that are based on the ideas of ID-based cryptosystems. Recently, Hwang et al. presented an improvement of the Tseng et al. scheme for the wireless mobile environment. In a wireless environment, the time a mobile device spends waiting and responding must be reduced because the capacity of its battery is limited. The authors tried to achieve this goal by reducing the number of passes of the scheme. However, here we show that their scheme has a limitation for practical usage, in the sense that it is not secure against a key compromise impersonation attack. © 2005 Elsevier Inc. All rights reserved.

Keywords: Cryptography; User identification; ID-based public cryptosystem; Key compromise impersonation

* Corresponding authors. E-mail addresses: [email protected] (E.-K. Ryu), [email protected] (K.-Y. Yoo).

0096-3003/$ - see front matter © 2005 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2005.01.107

1202

E.-K. Ryu, K.-Y. Yoo / Appl. Math. Comput. 171 (2005) 1201–1205

1. Introduction

In 1984, Shamir [2] introduced the concept of an ID-based public key cryptosystem, in which every user's public key is predetermined by information that uniquely identifies the user, such as a social security number, an e-mail address, etc. Each user in the system sends his/her identity to a key generation center or a trusted authority to obtain the corresponding long-term secret key. The advantage of ID-based cryptosystems over public-key cryptosystems is that any pair of users can communicate securely without exchanging public key certificates, without keeping a public key directory, and without using an online service of a third party. In 1998 Tseng et al. [3] proposed a user identification scheme as one of the applications that are based on ID-based cryptosystems. Recently, Hwang et al. [1] presented an improvement of the Tseng et al. scheme for the wireless mobile environment. In a wireless environment, the time that mobile devices spend waiting and responding in order to show their valid identities to a base station must be reduced because the capacity of the battery is limited. The authors tried to achieve this goal by reducing the number of passes of the scheme. However, their protocol has a security problem: an adversary who knows the secret key of an entity A can impersonate other entities to A. That is, suppose that an entity A's secret key is exposed. Obviously, an adversary who knows this secret key can impersonate A to other entities. However, it is required that this exposure does not allow the adversary to impersonate other entities to A. Resistance to key compromise impersonation is a fundamental security goal for applications using public key cryptosystems. In this article, we show that Hwang et al.'s scheme is not secure against the key compromise impersonation attack and how an adversary can perform the attack successfully.

2. Review of Hwang et al.'s user identification scheme

We use the same notation as in [1,3]. The identification scheme consists of three phases: the initialization phase, the user registration phase and the user identification phase. The procedure to identify user $i$ can be described as follows.

Initialization Phase: For system setup, a trusted authority (TA) generates the system parameters. The TA chooses four primes $p_j$ of between 60 and 70 decimal digits such that the numbers $(p_j - 1)/2$ are odd and pairwise relatively prime. Let $N = p_1 \cdot p_2 \cdot p_3 \cdot p_4$. The TA also selects an integer $e \in Z^{*}_{\phi(N)}$ and computes the secret value $d$ which satisfies $e \cdot d \equiv 1 \pmod{\phi(N)}$. Finally, the TA chooses a random integer $t \in Z^{*}_{\phi(N)}$.

User Registration Phase: When a user $i$ wants to join the system, the user submits his identity information $ID_i$ to the TA. The TA then computes
$$
s_i \equiv e \cdot t \cdot \log_g \left(ID_i^2\right) \pmod{\phi(N)}
$$
and sends $s_i$ to user $i$ in a secure way, where $g$ is a primitive element in $GF(p_j)$ for $1 \le j \le 4$ and $v \equiv t^{-1} \pmod{\phi(N)}$. The TA publishes $\{N, g, e\}$ and keeps $\{p_1, p_2, p_3, p_4, t, v, d\}$ secret from all users.

User Identification Phase: Suppose that a mobile device (M) wants to show a base station (BS) that its identity is legal. They perform the protocol as follows:

Step 1. The mobile device M chooses a random integer $k \in Z_N$ and computes
$$
Y = \left(ID_m^2\right)^{k} \pmod N, \qquad Z = \left(ID_b^2\right)^{k s_m T} \pmod N,
$$
where $ID_m$ and $ID_b$ are the identities of the mobile device M and the base station BS, $T$ is a timestamp and $s_m$ is the secret key of M. M then sends $\{(ID_m \| Y \| Z), T\}$ to the base station BS.

Step 2. After receiving the above message from M, BS computes
$$
Z' = Y^{s_b T} \pmod N
$$
and checks whether $Z = Z'$. If it holds, BS believes that the identity of M is valid.

3. The key compromise impersonation attack

Key compromise impersonation refers to an attack in which an adversary who knows the long-term secret key of an entity A can masquerade to A as another entity, using A's compromised key. Key compromise impersonation resilience means that the compromise of the long-term secret key of an entity A does not allow the adversary who knows the key to masquerade to A as a different entity. It is considered an important security goal that applications using public key cryptosystems should provide. Here we give an example scenario to show that Hwang et al.'s scheme is not secure against the key compromise impersonation attack. Fig. 1 shows the attack on their scheme.

Suppose that an adversary E who knows the base station's long-term secret key $s_b$ wishes to impersonate a legitimate mobile device M to the base station BS. In their scheme the adversary can easily succeed by proceeding as follows:

Step 1: The adversary E chooses a random integer $k'$ in $Z_N$ and computes $Y_e$ and $Z_e$ as follows:
$$
Y_e = \left(ID_m^2\right)^{k'} \pmod N, \qquad Z_e = \left(ID_m^2\right)^{s_b k' T} \pmod N,
$$

Fig. 1. The KCI attack.

where $ID_m$ is the identity of the legitimate mobile device M that the adversary wants to impersonate and $T$ is a timestamp. E then sends $\{(ID_m \| Y_e \| Z_e), T\}$ to the BS. Note that when computing $Z_e$, the adversary uses the public key $ID_m^2$ of the mobile device rather than the public key $ID_b^2$ of the base station. This is what allows the adversary to perform the attack.

Step 2: After receiving the above message, BS computes
$$
Z' = \left(Y_e\right)^{s_b T} \pmod N
$$
and checks whether $Z_e = Z'$. In this scenario, the adversary successfully impersonates the legitimate mobile device M to the base station BS because
$$
\begin{aligned}
Z_e &= \left(ID_m^2\right)^{s_b k' T} \pmod N = \left(g^{v d s_m}\right)^{s_b k' T} \pmod N \\
    &= \left(g^{v d s_m k'}\right)^{s_b T} \pmod N = \left(Y_e\right)^{s_b T} \pmod N = Z'.
\end{aligned}
$$

An adversary with knowledge of BS's secret key $s_b$ can therefore impersonate any mobile device in the same way. Protecting against the attack seems to require the use of asymmetric cryptography: if each party can verify that the correct long-term secret key of the other party was used, then the other party must be present. For example, if each party receives a digital signature from the other, the adversary cannot forge the signature of A if it only has B's secret key.
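The following toy model is an added example, not code from the paper or from Hwang et al. It runs both the identification protocol of Section 2 and the key compromise impersonation scenario of Section 3 at toy size so the verification equation can be inspected directly. Everything in it is constructed for illustration: the four primes (7, 11, 23, 47, chosen so that $(p_j-1)/2$ are odd and pairwise coprime), the identities ID_M and ID_B, the TA's choices of $e$ and $t$, the random exponents and the timestamp. The TA's trapdoor computation of $\log_g(ID_i^2)$ is replaced by a brute-force search, which is only possible because the primes are tiny; the real scheme uses 60–70 digit primes. The point it makes is the one in the derivation above: the base station's check compares $Z$ against $Y^{s_b T}$, and a holder of $s_b$ can build a $(Y_e, Z_e)$ pair that satisfies it without ever touching $s_m$.

```python
"""Toy model of the Hwang et al. one-pass identification scheme (Section 2) and
of the key compromise impersonation (KCI) property shown in Section 3.
Added example with constructed parameters; not the paper's own code."""
from math import gcd

# Constructed toy primes: (p-1)/2 = 3, 5, 11, 23 are odd and pairwise coprime,
# as the initialization phase requires.
PRIMES = (7, 11, 23, 47)
ID_M, ID_B = 12345, 54321      # constructed identities; public keys are ID^2 mod N
E_PUB, T_SECRET = 17, 13       # constructed TA choices for e and t (units mod phi(N))


def mult_order(a, p):
    """Multiplicative order of a in GF(p)^* by direct search (p is tiny here)."""
    a %= p
    if a == 0:
        return 0
    x, n = a, 1
    while x != 1:
        x, n = x * a % p, n + 1
    return n


def setup(primes=PRIMES, e=E_PUB, t=T_SECRET):
    """Initialization phase: N, phi(N), a g primitive in every GF(p_j),
    d = e^-1 and v = t^-1 modulo phi(N)."""
    N = phi = 1
    for p in primes:
        N, phi = N * p, phi * (p - 1)
    if gcd(e, phi) != 1 or gcd(t, phi) != 1:
        raise ValueError("e and t must be units modulo phi(N)")
    g = next(c for c in range(2, N) if all(mult_order(c, p) == p - 1 for p in primes))
    return {"N": N, "phi": phi, "g": g, "e": e, "d": pow(e, -1, phi),
            "t": t, "v": pow(t, -1, phi)}


def register(params, identity):
    """User registration phase: s_i = e * t * log_g(ID_i^2) mod phi(N).
    The TA's trapdoor discrete log is replaced by brute force (toy size only)."""
    N, phi, g = params["N"], params["phi"], params["g"]
    if gcd(identity, N) != 1:
        raise ValueError("identity must be a unit modulo N")
    target = identity * identity % N
    log = next(x for x in range(phi) if pow(g, x, N) == target)
    return params["e"] * params["t"] * log % phi


def mobile_prove(params, id_m, id_b, s_m, k, T):
    """Step 1 (mobile device): Y = (ID_m^2)^k, Z = (ID_b^2)^(k s_m T), both mod N."""
    N = params["N"]
    return pow(id_m * id_m, k, N), pow(id_b * id_b, k * s_m * T, N)


def bs_verify(params, Y, Z, s_b, T):
    """Step 2 (base station): accept iff Z == Y^(s_b T) mod N."""
    return Z == pow(Y, s_b * T, params["N"])


def kci_forge(params, id_m, s_b, k, T):
    """Section 3, step 1: a holder of the base station's s_b builds (Y_e, Z_e)
    for victim identity ID_m, using ID_m^2 in both values and never s_m."""
    N = params["N"]
    pub = id_m * id_m % N
    return pow(pub, k, N), pow(pub, s_b * k * T, N)


def demo():
    """Return (honest run accepted, forged run accepted)."""
    params = setup()
    s_m, s_b = register(params, ID_M), register(params, ID_B)
    T = 20050101                                    # constructed timestamp
    Y, Z = mobile_prove(params, ID_M, ID_B, s_m, k=1234, T=T)
    honest = bs_verify(params, Y, Z, s_b, T)
    Ye, Ze = kci_forge(params, ID_M, s_b, k=999, T=T)
    forged = bs_verify(params, Ye, Ze, s_b, T)      # accepted although s_m was never used
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, True)`: the honest transcript verifies, and so does the forged one. Nothing in `bs_verify` depends on the prover's key once the verifier's own $s_b$ is known, which is the structural reason a signature-style check, where the verifier cannot produce the prover's value itself, is needed.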

4. Conclusion

In this article, we showed that Hwang et al.'s identification scheme is not secure against a key compromise impersonation attack. How to design an efficient and secure one-pass identification scheme for the wireless mobile environment seems to be an important direction for future work.


Acknowledgement

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).

References

[1] M.S. Hwang, J.W. Lo, S.C. Lin, An efficient user identification scheme based on ID-based cryptosystem, Computer Standards & Interfaces 26 (6) (2004) 565–569.
[2] A. Shamir, Identity based cryptosystems and signature schemes, Advances in Cryptology—CRYPTO '84, LNCS 196, Springer-Verlag, 1984, pp. 47–53.
[3] Y.M. Tseng, J.K. Jan, ID-based cryptographic schemes using a non-interactive public-key distribution system, Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, Arizona, 1998, pp. 237–243.