Review of Xxxxx et al. Description of the scheme [10]: TTP setup phase: The TTP first chooses a bilinear map e : G1 × G1 → X0, xxxx X0, X0 xx a cyclic additive and multiplicative group respectively, both of order q, and P a generator of G1. Also five hash functions are identified: H1 : {0, 1}∗ → Zq∗, H2 : G2 × {0, 1}∗ → {0, 1}m, H3 : {0, 1}∗ → {0, 1}n, H4 : G2 → Zq∗, and H5 : {0, 1}∗ × G1 → Zq∗, with m = n + w and w a constant determined by the security level. Then the private key k is chosen and its corresponding public key is computed Ppub = kP. These system parameters are published by the TTP. Registration phase: In this phase, both the SM and the SP need to undergo a different process. For the SM, after receiving its identity XXX, the TTP chooses a random number rA ∈ Zq∗ and computes RA = rAP and dA = H5(IDAǁRA)k + rA. The pair (dA, RA) is sent over a secure channel to the SM. The SM stores in its tamper-proof module the pair (dA, RA). H ID For the SP with identity IDB, the TTP computes the private key as dB = k+ 1 ) and sends 1 ( B dB also over a secure channel. Denote hdb = H(IDBǁdB), then the SP stores the pair (db, hdb) in its tamper-proof module. Key negotiation phase: The steps in the key negotiation phase to derive the session key SK are summarised in Figure 2. Weaknesses in [10]: Now we discuss the weaknesses of Xxxxx et al.’s scheme, as follows.
Review of Xxxxx et al. Description of the scheme [10]: TTP setup phase: The TTP first chooses a bilinear map e : G1 × G1 → X0, xxxx X0, X0 xx a cyclic additive and multiplicative group respectively, both of order q, and P a generator of G1. Also five hash functions are identified: H1 : {0, 1}∗ → Zq∗, H2 : G2 × {0, 1}∗ → {0, 1}m, H3 : {0, 1}∗ → {0, 1}n, H4 : G2 → Zq∗, and H5 : {0, 1}∗ × G1 → Zq∗, with m = n + w and w a constant determined by the security level. Then the private key k is chosen and its corresponding public key is computed Ppub = kP. These system parameters are published by the TTP. Registration phase: In this phase, both the SM and the SP need to undergo a different process. For the SM, after receiving its identity XXX, the TTP chooses a random number rA ∈ Zq∗ and computes RA = rAP and dA = H5(XXX RA)k + rA. The pair (dA, RA) is sent over a secure channel to the SM. The SM stores in its tamper-proof module the pair (dA, RA).
Review of Xxxxx et al s Authentication and Key Agreement Scheme In this section, we review Xxxxx et al.’s authenticated key agreement scheme. It comprises four phases: registration, login, authentication and key agreement, as well as password change.
Review of Xxxxx et al s Scheme. Xxxxx et al.’s Scheme[30] consists of five phases: parameter-generation, registration, authentication, password changing and smart card recocation. For the sake of simplicity, we show the first three phases in FIGURE 2.
Review of Xxxxx et al s Schemes This section briefly reviews Xxxxx et al.’s key agreement protocol and protected password change protocol and then show how stolen-verifier attacks and Denial- of-Service attacks can work on their protocol. Abbreviations used in this paper are as follows: – id: public user identity of client. – pw: secret and possibly weak user password. – K: strong secret key of server. | − – p, q: large prime numbers p and q such that q p 1. – g: generator with order q in the Galois field GF (p), in which Xxxxxx-Xxxxxxx problem is considered hard. ∈ − – a, b: session-independent random exponents [1,q 1] chosen by client and server, respectively. – sk: shared session key computed by client and server. – H(·): strong one-way hash function. – ⊕: bit-wise XOR operation.