An Efficient Authentication with Key Agreement Protocol for Sensor

Authentication Protocols for E-Commerce
Applications
(Applications of Authentication Protocols in E-Commerce)
Advisor: Dr. Chin-Chen Chang (張真誠)
Ph.D. Candidate: Jen-Ho Yang (楊仁和)
Department of Computer Science and Information Engineering,
National Chung Cheng University
June 11, 2009
Outline
• Introduction
• An efficient ID-based mutual authentication protocol in mobile environments
• An efficient authentication with key agreement protocol for sensor networks
• Non-signature authenticated encryption scheme on elliptic curve cryptosystems
• A fair electronic payment system based upon non-signature authenticated encryption scheme
• Conclusions and future works
Introduction (1/3)
User Authentication:
• Personal Identification
• Authentication
Authentication Methods:
• Biometrics: fingerprint, hand geometry, voiceprint, etc.
• Cryptography: password, symmetric cryptosystems, public key cryptosystems, etc.
Introduction (2/3)
Our Research Directions:
• Authentication protocols for limited-power and low computational ability devices (mobile devices and sensor networks)
• Authentication protocols for e-commerce applications
• Practical and efficient electronic payment model
Introduction (3/3)
• An efficient ID-based mutual authentication protocol in mobile environments (modular-exponentiation-based)
• An efficient authentication with key agreement protocol for sensor networks (hash-function-based)
• A non-signature authenticated encryption scheme on elliptic curve cryptosystems (ECC-based)
• A fair electronic payment system based upon non-signature authenticated encryption scheme
An Efficient ID-Based Mutual Authentication
Protocol in Mobile Environments (1/5)
Disadvantages of Public Key Cryptosystems:
• Trusted key authentication center
• Correctness of user’s public key
• Certificate
• Additional computations for verifying certificate
ID-based Cryptosystems
An Efficient ID-Based Mutual Authentication
Protocol in Mobile Environments (2/5)
ID-Based Cryptosystem (Shamir, 1984):
• Using a unique identification (ID) as a public key
• No public key
• No public key table
• No certificate
• No key authentication center
An Efficient ID-Based Mutual Authentication
Protocol in Mobile Environments (3/5)
Notations of the Proposed ID-Based Protocol:
TA: A trusted authority for initializing the system parameters
System Parameters:
$p_1, p_2, p_3, p_4$: four primes
$e, N$: two public integers, where $N = p_1 \cdot p_2 \cdot p_3 \cdot p_4$
$d$: a secret integer satisfying $e \cdot d \equiv 1 \pmod{\varphi(N)}$
$ID_m / ID_b$: the identity of mobile device / base station
$S_m / S_b$: the private keys of the mobile device / base station satisfying $S_i \equiv e \cdot t \cdot \log_g(ID_i^2) \pmod{\varphi(N)}$
$T$: a time stamp
$h(\cdot)$: a secure one-way hash function
An Efficient ID-Based Mutual Authentication
Protocol in Mobile Environments (4/5)
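Mobile Device → Base Station: $ID_m$
Base Station:
  $Y_b = (ID_b^2)^{k} \bmod N$
  $Y_m = (ID_m^2)^{k} \bmod N$
  $Z_b = (ID_m^2)^{k \cdot S_b \cdot T_1} \bmod N$
Base Station → Mobile Device: $(ID_b \,\|\, Y_b \,\|\, Y_m \,\|\, h(Z_b)),\ T_1$
Mobile Device:
  $Z_b' = Y_b^{S_m \cdot T_1} \bmod N$
  $h(Z_b) \stackrel{?}{=} h(Z_b')$
  $Z_m = Y_b^{S_m \cdot T_2} \bmod N$
Mobile Device → Base Station: $(Y_m \,\|\, h(Z_m)),\ T_2$
Base Station:
  $Z_m' = Y_m^{S_b \cdot T_2} \bmod N$
  $h(Z_m) \stackrel{?}{=} h(Z_m')$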
An Efficient ID-Based Mutual Authentication
Protocol in Mobile Environments (5/5)
The Advantages of Our Protocol:
1. Preventing well-known attacks
2. Mutual authentication
3. Low computation loads for mobile device
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (1/9)
Sensor Networks:
• A wireless network which is composed of many sensors.
• The sensor is characterized by limited power supply, low computation ability, and small memory size.
• Sensor networks can be used for battlefield, medical devices, home monitoring, etc.
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (2/9)
IEEE 802.15.4 defines two physical devices for sensor networks:
• Full-Functional Device (FFD)
  e.g. a sensor, coordinator, router or security manager
• Reduced-Functional Device (RFD)
  e.g. a sensor (end device)
• There is a base station (BS) which initializes and preloads the system parameters for FFD and RFD
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (3/9)
The System Model:
[Figure: system model showing the Base Station, FFDs and RFDs]
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (4/9)
Authentication with Key Agreement (AKA) Protocols:
• Authentication + session key agreement
• Authentication: verifying the validity of the sensors
• Session key agreement: encrypting the collected data
• AKA can be applied to secure communications on sensor networks.
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (5/9)
Previous AKA Protocols for Sensor Networks:
• Based upon public key cryptosystems
• Heavy computation load and high power overhead for sensor networks
The Proposed Protocol:
• Based on one-way hash functions and XOR operations
• Efficient and practical for the sensor networks
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (6/9)
Initializing Phase:
Base station selects the following parameters for sensors:
• $h(\cdot)$: a secure one-way hash function pre-stored in all sensors
• $x$: a long-term secret key pre-stored in FFD
• $h(ID_i \,\|\, x)$: a long-term secret key pre-stored in RFD
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (7/9)
Authentication with Key Agreement Phase:
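RFD:
  $S_1 = h^2(ID_i \,\|\, x) \oplus a_R$
  $c = h(a_R)$
RFD → FFD: $(ID_i, S_1, c)$
FFD:
  $a_R = S_1 \oplus h^2(ID_i \,\|\, x)$
  $c \stackrel{?}{=} h(a_R)$
  $S_2 = h(h(ID_i \,\|\, x) \,\|\, a_R) \oplus a_F$
  $SK = h(h(ID_i \,\|\, x) \,\|\, a_R \,\|\, a_F)$
  $S_3 = h(h(ID_i \,\|\, x) \,\|\, a_R \,\|\, a_F \,\|\, SK)$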
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (8/9)
Authentication with Key Agreement Phase:
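FFD → RFD: $(S_2, S_3)$
RFD:
  $a_F = S_2 \oplus h(h(ID_i \,\|\, x) \,\|\, a_R)$
  $SK = h(h(ID_i \,\|\, x) \,\|\, a_R \,\|\, a_F)$
  $S_3 \stackrel{?}{=} h(h(ID_i \,\|\, x) \,\|\, a_R \,\|\, a_F \,\|\, SK)$
  $S_4 = h(h(ID_i \,\|\, x) \,\|\, SK)$
RFD → FFD: $(ID_i, S_4)$
FFD:
  $S_4 \stackrel{?}{=} h(h(ID_i \,\|\, x) \,\|\, SK)$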
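The four-message exchange from the two slides above, written out as an added Python example (not code from the presentation). It assumes SHA-256 for h, byte concatenation for joining hash inputs, and 32-byte random values for a_R and a_F; the class and method names are hypothetical.

```python
import hashlib, hmac, secrets

def h(*parts):                    # h(.): SHA-256 over the concatenated inputs (assumed)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class RFD:
    def __init__(self, ident, key):            # key = h(ID_i || x), preloaded by the BS
        self.id, self.key = ident, key
    def hello(self):
        self.aR = secrets.token_bytes(32)      # a_R: fresh random value (assumed size)
        return self.id, xor(h(self.key), self.aR), h(self.aR)        # (ID_i, S1, c)
    def confirm(self, S2, S3):
        aF = xor(S2, h(self.key, self.aR))     # unmask a_F
        self.SK = h(self.key, self.aR, aF)
        if not hmac.compare_digest(S3, h(self.key, self.aR, aF, self.SK)):
            raise ValueError("FFD not authenticated")
        return self.id, h(self.key, self.SK)   # (ID_i, S4)

class FFD:
    def __init__(self, x):                     # x: long-term secret preloaded by the BS
        self.x = x
    def respond(self, ident, S1, c):
        self.key = h(ident, self.x)            # recompute h(ID_i || x) from the claimed ID
        aR = xor(S1, h(self.key))              # h^2(ID_i || x) = h(h(ID_i || x))
        if not hmac.compare_digest(c, h(aR)):
            raise ValueError("S1/c check failed")
        aF = secrets.token_bytes(32)
        self.SK = h(self.key, aR, aF)
        return xor(h(self.key, aR), aF), h(self.key, aR, aF, self.SK)  # (S2, S3)
    def finish(self, ident, S4):
        if not hmac.compare_digest(S4, h(self.key, self.SK)):
            raise ValueError("RFD not authenticated")
        return self.SK

def run(rfd, ffd, tamper=False):
    ident, S1, c = rfd.hello()
    S2, S3 = ffd.respond(ident, S1, c)
    if tamper:
        S2 = xor(S2, b"\x01" + bytes(31))      # constructed fault: one bit of S2 flipped in transit
    ident, S4 = rfd.confirm(S2, S3)
    return rfd.SK, ffd.finish(ident, S4)
```

A flipped bit in S2 changes the a_F the RFD recovers, so its S3 comparison fails and no session key is accepted.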
An Efficient Authentication with Key Agreement
Protocol for Sensor Networks (9/9)
The Advantages of Our Scheme:
• Low power requirement
• Fast processing time
• Small communication overhead
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (1/6)
Message Authentication and Confidentiality
Conventional Method:
Signature-then-encryption:
Message → Signing → Digital signature with message → Symmetric encryption → Cipher text
Decryption-then-verifying:
Cipher text → Symmetric decryption → Digital signature → Verifying → Message
Heavy computation cost
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (2/6)
Authenticated Encryption Scheme:
Signature + encryption = Signcryption:
Message → Signcryption → Cipher text with digital signature
Verifying + decryption = Unsigncryption:
Cipher text with digital signature → Unsigncryption → Message
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (3/6)
Disadvantages of the Previous Authenticated Encryption Schemes:
Requiring the digital signature for authentication
Increasing the computation costs
Our Solution:
Non-signature authenticated encryption scheme on ECC
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (4/6)
System Parameters:
$q$: an odd large prime
ECC equation: $E_q(a, b): y^2 = x^3 + ax + b \bmod q$, $q > 3$, $4a^3 + 27b^2 \neq 0$
$n$: the order of the ECC equation
$Q$: a public base point in ECC
$*$: the point multiplication in ECC
$U_x / d_x$: x’s public/private key satisfying $U_x = d_x * Q$
$m$: the message
Elliptic Curve Discrete Logarithm Problem (ECDLP):
Given two points $Q$ and $P$ in $E_q(a, b)$, it’s hard to find $k$ satisfying $Q = k * P$.
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (5/6)
Alice:
  $r \in Z_q^*$
  $R = r * U_A$
  $K = d_A * (r * U_B) = (k_1, k_2)$
  $C = E_{k_1}(M, r)$
Alice → Bob: $(ID_A, C, R)$
Bob:
  $K = d_B * R = (k_1, k_2)$
  $(M, r) = D_{k_1}(C)$
  $R \stackrel{?}{=} r * U_A$
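The Alice-to-Bob exchange above as an added Python example (not code from the presentation), including the case of a sender who does not hold d_A. It assumes the secp256k1 curve parameters and, since the slides leave the symmetric cipher E/D unspecified, a SHA-256 keystream as a placeholder; all function names are hypothetical.

```python
import hashlib, secrets

# secp256k1 parameters, an assumed choice; the slides only require some curve E_q(a, b)
q = 2**256 - 2**32 - 977
a, b = 0, 7
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P1, P2):                              # affine point addition, None = infinity
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % q == 0: return None
    if P1 == P2: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:        lam = (y2 - y1) * pow((x2 - x1) % q, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return x3, (lam * (x1 - x3) - y1) % q

def mul(k, P):                                # k * P by double-and-add
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def keygen():
    d = secrets.randbelow(n - 1) + 1
    return d, mul(d, Q)                       # (d_x, U_x = d_x * Q)

def E(k1, data):
    # Placeholder for E/D: SHA-256 keystream XOR (malleable; use an AEAD in practice)
    ks = b"".join(hashlib.sha256(k1.to_bytes(32, "big") + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def send(d_A, U_A, U_B, M):
    r = secrets.randbelow(n - 1) + 1          # random scalar r
    k1, _ = mul(d_A, mul(r, U_B))             # K = d_A * (r * U_B) = (k1, k2)
    return E(k1, r.to_bytes(32, "big") + M), mul(r, U_A)    # (C, R)

def receive(d_B, U_A, C, R):
    k1, _ = mul(d_B, R)                       # K = d_B * R, the same point as the sender's K
    plain = E(k1, C)
    r, M = int.from_bytes(plain[:32], "big"), plain[32:]
    if mul(r, U_A) != R:                      # R ?= r * U_A
        raise ValueError("sender not authenticated")
    return M
```

Only a sender holding d_A derives the K that Bob computes from R, so a ciphertext built with any other private key decrypts to an r that fails the final check.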
Non-Signature Authenticated Encryption Scheme
On Elliptic Curve Cryptosystems (6/6)
• Authentication and message encryption
• Without digital signature scheme
• Low computation loads for the sender and the receiver
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (1/9)
Electronic Payment Models for E-Commerce:
• Electronic cash
• Electronic check
• Electronic credit card
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (2/9)
Synchronization Problem:
• The payer wants to send the payment after he receives the goods.
• The merchant wants to send the goods after he receives the payment.
Who sends it first?
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (3/9)
Solutions to the Synchronization Problem in Previous Research:
1. Synchronized transaction online
2. Additional computations for lots of verification equations
Our Solution:
A fair electronic payment system using non-signature authenticated encryption scheme
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (4/9)
System Parameters:
$q$: an odd large prime
ECC equation: $E_q(a, b): y^2 = x^3 + ax + b \bmod q$, $q > 3$, $4a^3 + 27b^2 \neq 0$
$n$: the order of the ECC equation
$Q$: a public base point in ECC
$*$: the point multiplication in ECC
$U_x / d_x$: x’s public/private key satisfying $U_x = d_x * Q$
$T$: a time stamp
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (5/9)
Alice / Merchant: $AD = ((\mathrm{good}_1, \mathrm{price}_1), (\mathrm{good}_2, \mathrm{price}_2), \ldots, (\mathrm{good}_l, \mathrm{price}_l))$
Alice:
  $r \in Z_q^*$
  $R = r * U_A = (r_1, r_2)$
  $K = d_A * (r * U_B) = (k_1, k_2)$
  $P = \sum_{i=1}^{l} \mathrm{price}_i$
  $m = H_1(AD \,\|\, P \,\|\, r_1)$
  $C_1 = E_{k_1}(ID_A, m, P, r, T_1)$
Alice → Bank: $(ID_A, C_1, R, T_1)$
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (6/9)
Bank:
  $K = d_B * R = (k_1, k_2)$
  $(ID_A, m, P, r, T_1) = D_{k_1}(C_1)$
  $R \stackrel{?}{=} r * U_A$
  Deduct $P$ from Alice's account and store $P$ in a temporary account
  $x \in Z_q^*$
  $X = x * Q$
  $e = H_2(E)$
  $s = d_B - x \cdot e \cdot m \bmod n$
  $C_2 = E_{k_1}(ID_B, X, s, E, T_2)$
  Record $(ID_A, X, s, E)$ in its database
Bank → Alice: $(ID_B, C_2, T_2)$
Alice:
  $(ID_B, X, s, E, T_2) = D_{k_1}(C_2)$
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (7/9)
Alice:
  $R' = r * U_M$
  $K' = d_A * R' = (k_1', k_2')$
  $C_3 = E_{k_1'}(ID_B, X, s, E, AD, R, T_3)$
Alice → Merchant: $(C_3, R, T_3)$
Merchant:
  $K' = d_M * R = (k_1', k_2')$
  $(ID_B, X, s, E, AD, R, T_3) = D_{k_1'}(C_3)$
  Check $R$ and $T_3$
  $P = \sum_{i=1}^{l} \mathrm{price}_i$
  $m = H_1(AD \,\|\, P \,\|\, r_1)$
  $e = H_2(E)$
  $U_B \stackrel{?}{=} s * Q + (m \cdot e) * X$
Merchant → Alice: Goods
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (8/9)
The Properties of the Proposed System:
• No synchronization problem
• Offline transaction
• Privacy of buying information for the bank
• Anonymity for the merchant
• Low computation and communication loads
An Efficient Electronic Payment System Using Non-Signature Authenticated Encryption Scheme (9/9)
Comparisons:

| Properties \ Payment Tools | Electronic Credit Card | Electronic Cash | Electronic Check | Our System |
|---|---|---|---|---|
| Paying Time | Pay-later | Pay-before | Pay-later | Pay-before |
| Online/Offline | Online | Both | Both | Offline |
| Anonymity | No | Yes | No | Yes |
| Synchronization Problem | Yes | Yes | Yes | No |
| Computation Cost | Low | High | High | Low |
Conclusions and Future Works
• Reducing the computation load for ID-based authentication protocol
• Applying the non-signature authenticated scheme for different applications in e-commerce
• Investigating a new electronic payment model for mobile-commerce
Thanks for listening!