電腦學刊第十六卷第五期(民國九十四年)
應用在分散式系統中有效率的使用者認證暨存取控制機制 Efficient Access Control Scheme with User Authentication for
Distributed Systems
李南逸 何佩修 Narn-Yih Lee and Pei-Hsiu Ho
南台科技大學資訊管理研究所 Information Management Department Southern Taiwan University of Technology
Tainan, Taiwan, Republic of China
摘 要
學者Jan和Tseng 在1998年提出了兩個應用在分散式環境下的使用者認證和存取控制的機制。 然而He、Wu和Lee 指出該機制是不安全的。本篇論文的目的是提出一個改進Jan和Tseng的第一個機制,並且解決Lee的論文中所提到的尚待解決的問題。本篇論文所提出之機制比He和Wu的第一個機制更有效率。
關鍵詞:密碼學、存取控制、使用者認證
Abstract
Jan and Tseng, in 1998, proposed two integrated schemes of user authentication and access control that provide a data protection system for distributed environments. However, He-Wu and Lee showed that both schemes are insecure, respectively. He-Wu and Lee also presented some im-provements to withstand the proposed security flaws. The aim of the paper is to propose an im-provement of Jan-Tseng's first scheme and solve the open problem in Lee's paper. The proposed scheme is also more efficient than He-Wu's first scheme.
Keyword:Cryptography、Cryptanalysis、Access control、User authentication
1. Introduction
control and user authentication. Then, Yen and Laih [8][9] improved the efficiency of the
In order to prevent the electronic data from be-Harn-Lin scheme [7].
ing unauthorized access, some data protection In 1998, Jan and Tseng [10] further extended mechanisms are required in the modern computer the data protection systems for distributed com-systems. Traditionally, access control schemes puter systems. Two new integrated access con-[1]-[3] and user authentication schemes [4]-[6] are trol schemes with user authentication were pro-proposed separately for data protection in a com-posed in [10]. The first scheme has dynamic
puter system. In 1992, Harn and Lin [7] first property in that it provides an efficient updating proposed a scheme for the integration of access
22
應用在分散式系統中有效率的使用者認證暨存取控制機制:李南逸、何佩修
process for modification of access rights. The second scheme provides an efficient verification process on the servers for multiple access requests by a user at the same time. Unfortunately, He-Wu [11] and Lee [12] showed that both Jan-Tseng's schemes are insecure, respectively. In [11], He-Wu presented two simple corrections to withstand the proposed attacks. In [12], Lee also offered an efficient improvement of Jan-Tseng's second scheme to repair the security flaws. Meanwhile, Lee also announced an open problem in designing a scheme which can satisfy six considerations for user authentication and ac-cess control. The aim of the paper is to propose an improvement of Jan-Tseng's first scheme (JTF scheme in short). The proposed scheme is also more efficient that He-Wu's first scheme.
This paper will present an improved scheme which can achieve both user authentication and access control simultaneously. The security of the improved scheme is based on the difficulty of solving the discrete logarithm problem. The or-ganization of this paper is as follows. We give a brief review of Jan-Tseng's first scheme in Section 2. Then, the improved scheme and the security analysis are given in Section 3 and Section 4, re-spectively. Finally, Section 5 concludes this pa-per.
prime factor, g is a primitive element of GF(P). Assume there are n access rights in the system. For each access rights, the CA chooses a secret xi randomly, where 1< xi< p-1, and X={x0,x1,…,xn-1}. The CA computed public values yi=gximodp, where i =0, 1, 2 ..., n-1.
Registration phase: Assume that a user u is to be grated m access rights yuj, yuj∈{yu0,yu1,yu2,...,yu,n?1}, 0≤j≤m?1, a user u, the CA randomly chooses a m≤n. For
pwu, for 1< pwu chooses an integer ku, and computes ru=gkumodpfor 1< ku IDu?xuj+ku?yuj=pwu?Sujmodp?1, for 1 Login phase: If a user u requests a service to some server for access right yuj, then he/she attaches his/her smart card to a terminal. The smart card first randomly chooses an integer R, for 1 < R < p-1, then computes M=gR mod p, H=h(M, T, IDu), and N=R+pwu?Hmod(p?1). Here h is an one way hash function [13] and T is a time stamp. Finally, the smart card sends the message L={IDu, ru, yuj, Suj, M, N, T} to the server. Verification phase: The server verified the access 2. Review of the JTF Scheme request L for two steps. This section reviews the JTF scheme [10]. The Step 1:The server checks if T'-T is less than the JTF scheme involves three parties of JTF legal time interval for transmission delay, then the scheme :a Central Authority (CA), Servers, and server receives the request. If it is else, the server Users. The CA is responsible for setting up the rejects the request. Here, T' is the time that the system parameters and assigning the access rights server receives the access request. and the corresponding passwords for each user. Step 2:The server computes H=h(M,T,IDu) and The access rights and passwords are stored in a verifies whether the following equation holds or smart card. The smart card will send to the user not, N?SSIDysecretly. Each server is responsible for user au-guj?=Muj(yuju?ruuj)Hmodp. thentication and provides access services for the authorized users. But, it is noted that no secret If it is true, the server accepts the access request of information about the system or authorization data the user u. about the user is stored in the servers. Each user holds a smart card and may request different ser-vices from different servers. 3. The Proposed Scheme This section will present a cryptographic 2.1 The JTF Scheme scheme to improve the security and efficiency of Initialization phase: The CA chooses a large prime the JTF scheme. number p and an integer g, where p-1 has a large 23 電腦學刊第十六卷第五期(民國九十四年) The proposed scheme also involves three parties: a Central Authority, Servers, and Users. These three parties play the same roles as in the Section 2. Initialization phase: System parameters p and g are selected by the CA as in the Section 2.1. Then, the CA chooses a secret xi, 1< xi Registration phase: Suppose that a user u is to be granted m access rights yuj, 0≤j≤m?1, user u. The correctness of the above equation can be verified as follows. M(yuj IDu ?ruu r?yuj )Hmodp )Hmodp =M(g=M(g R xuj?IDu ?g ku?ru?yuj xuj?IDu+ku?ru?yuj(pwu+Suj)?H )Hmodp =g?g=g modp R+(pwu+Suj)?H modp =gNmodp m≤n and yuj∈{yu1,yu2,...,yu,m?1}. The CA chooses an integer pwu, for 1< pwu gcd(pwu,p-1)=1, and computes 4.1 Security analysis pwu IDu=gmodpfor the user u. Then, the CA chooses a random ku, and computes In this section, we will show that the improved ru=gkumodp, 1< ku [11] and [12]. integers Suj to satisfy the following equation IDu?xuj+ru?ku?yuj=(pwu+Suj)modp?1, (1) The secret key xi of the CA can not be de-for 1≤j≤m?1. Finally, the CA stores {pwu, rived. IDu, ru, yuj} to a smart card and delivers it to To derive xi from the corresponding the user secretly. yi=gximodp, the intruder must solve the dis- crete logarithm problem. If a user u wants to de-Login phase: If a user u requests a service to rive CA's secret key xuj, he/she may use the equa-some server for access right yuj, the smart card tionexecutes the following operations. IDu?xuj+ru?ku?yuj=(pwu+Suj)modp?1, First, the smart card chooses an integer R ran-domly, for 1< R card, the user u can not retrieve it. Besides, ku is H=h(M, T, IDu), and N=R+(pwu+Suj)?Hmod(p?1). Here, h a number chosen by the CA. To get ku from ku r=gmodp, it is equivalent to solve discrete uis an one way hash function and T is used as a time stamp. The smart card finally sends the message logarithm problem. Thus, to reveal xuj is very difficult. L={IDu, ru, yuj, M, N, T} to the server. (2) An intruder can not retrieve pwu from the in-Verification phase: The access request L is veri-tercepted message L={IDu, ru,yuj, M, N, T}. fied by the server as follows. Step 1:The server checks (T'-T) is less than the An intruder wants to retrieve pwu from legal time interval and yuj∈Y. If not, the server N=R+(pwu+Suj)?Hmod(p?1), he/she has R mod p to find R first. But, to find R from M=grejects the request. Step 2: The server computes H=h(M,T, IDu) and is equivalent to solve the discrete logarithm prob-lem. verifies whether the following equation holds or not. (3) The replay attack will fail. IDuru?yujHN g?=M(yuj?ru)modp If an intruder replays a previously intercepted message L={IDu, ru, yuj, M, N, T} to a server at the If it is true, the server accepts the request of the time T' and the server received the message L at 24 4 Discussions and Analysis 應用在分散式系統中有效率的使用者認證暨存取控制機制:李南逸、何佩修 the time T''. T''-T will be larger than the legal process. The performance analysis of the JTF time interval, so the server will reject the request. scheme, He-Wu's first scheme and our scheme in If the intruder replaces the time T with T', the the number of modular exponentiations is listed in the Table 1. equation H=h(M,T',ru) will not hold. (4) He-Wu's attacks can not work on the proposed Table 1. The number of modular exponentiations required in the schemes. scheme. According to the attack 1 in [11], the intruder has to find an s'uj from the equation JTF He-Wu’s Our s'uj=suj?(h(IDu,M,T))?1?h(IDu,M,T')scheme scheme scheme Login mod(p?1). phase 1 But the parameter suj is not used in the proposed 1 1 scheme. So, the He-Wu's attack 1 will not work Verifi- in the proposed scheme. According to the attack cation 3 4 4 2 in [11], the intruder has to find a r'u to satisfy the phase equation r'u?yuj?IDuN?1H?1 r'u=(g?M)?yujmodp. However, the intruder is hard to do it without 5 Conclusions knowing the discrete logarithm of yuj. So, the We have presented an improvement of the He-Wu's attack 2 fails in the proposed scheme. Jan-Tseng's first scheme. It provides an efficient (5) Lee's attacks can not work on the proposed updating process for the modification of the access rights. The security of the proposed scheme is scheme. According to the attack 1 in [11], an intruder first based on the discrete logarithms problem. The chooses a random number N' and computes M'=gN’ proposed scheme is secure from the Lee and mod p, H'=h(M',T',IDu). Then, the intruder has to He-Wu's attacks and more efficient than the origi-nal Jan-Tseng and He-Wu's first scheme. find a r'u to satisfy the equation ?ID?r?1?y?1 r'u=yujuuujmodp. Without the knowledge of xuj, the intruder is very References difficult fo find the r'u. According to the attack 2 [1] J.K. Jan, “A Single Key Access Control in [11], the intruder first choose two numbers r'u Scheme in Information Protection System”, Inf. and N' and compute Sci., Vol. 50, pp.1-11, 1990. M'=gN'?[yuj IDu ?r'u r'u?yuj ]?1modp, H'=h(M', T', IDu), and let suj=H'. But, the parameter suj is not used in the verification equation of the newly proposed scheme. Thus, Lee's attack 2 can not work. 4.2 Discussions In order to design a practical access control scheme with user authentication in a distributed computer system, the criteria which Jan-Tseng proposed in [10] are crucial. The JTF scheme, He-Wu's first scheme and our scheme comply with the criteria C1-C5, but not C6. Note that our scheme is securer than the JTF scheme. Moreover, our scheme is more efficient than He-Wu's first scheme in signature verification 25 [2] J.K. Jan, C.C. Chang and S.J. Wang, “A New Dynamic Key-Lock-Pair Access Control Scheme”, Comput. Security, Vol. 10, No. 2, pp.129-139, 1991. [3] C.S. Laih, L. Harn and J.Y. Lee, “On the De-sign of Single-Key-Lock Mechanism Based on Newton's Interpolating Polynomials”, IEEE Trans., Vol. SE-10, No. 2, pp.185-191, 1984. [4] C.C. Chang, S.M. Tsu, and C.Y. Chen, “Re-mote Scheme for Password Authentication Based on Theory of Quadratic Residues”, Comput. Commun., Vol. 18, No. 12, pp.932-946, 1995. [5] D.E. Denning, “Cryptography and Data Secu-rity”, Addison-Wesley, Reading, 1982. 電腦學刊第十六卷第五期(民國九十四年) [6] T.Y.C. Woo and S.S. Lam, “Authentication for Distributed Systems”, IEEE Comput., Vol. 25, pp.39-52, 1992. [7] L. Harn and H.Y. Lin, “Integration of User Authentication and Access Control”, IEE Proc.-Comput. Digit. Tech., Vol. 139, No. 2, pp.139-143, 1992. [8] S.M. Yen and C.S. Laih, “Analysis and Im-provement of an Access Control Scheme with User Authentication”, IEE Proc.-Comput. Digit. Tech., Vol. 141, No. 5, pp.271-273, 1994. [9] S.M. Yen and C.S. Laih, “The Design of Dy-namic Access Control Scheme with User Au-thentication”, Comput. Math. Appl., Vol. 25, No. 7, pp.27-32, 1993. [10] J.K. Jan and Y.M. Tseng, “Two Integrated Schemes of User Authentication and Access Control in a Distributed Computer Network”, IEE Proc.-Comput. Digit Tech., Vol. 145, No. 6, 1998, pp. 419-424. [11] W.-H. He and T.-C. Wu, “Security of the Jan-Tseng Integrated Scheme for User Au thentication and Access Control”, IEE Proc.-Comput. Digit. Tech, Vol. 147, No. 5, 2000, pp.365-368. [12] N.Y. Lee, “Cryptanalysis and Improvement of Two Access Control Schemes with User Au-thentication in a Distributed Computer Net-work”, IEICE Trans. Inf. and Sys., Vol E85-D, NO.2, 2002, pp.386-391. [13] NIST, Secure Hash Standard. FIPS (Federal Information Processing Standards) publication 180, 1993. 26
应用在分散式系统中有效率的使用者认证暨存取控制机制
