Threshold password authentication against guessing attacks in Ad hoc networks
Chai, Zhenchuan; Cao, Zhenfu; Lu, Rongxing
Ad Hoc Networks, Volume: 5, Issue: 7, September, 2007, pp. 1046-1054
97/09/24 H.-H. Ou

Introduction
Password Authentication
Password or Verification Table
Secret Share
Smart Card
Threshold Password Authentication Scheme

(t, n) threshold password authentication
H.-H. Ou
2008/9/24

Requirements
The password or verification tables are not stored inside the server nodes.
The password can be chosen and changed freely by the owner.
The password cannot be revealed by the administrator of the server.
The length of a password must be appropriate for memorization.
The scheme can achieve mutual authentication.
The system secret cannot be leaked even if some of the server nodes are compromised.
The availability of the system should not be affected even if some of the server nodes are unavailable.
No one can impersonate a legal user to log in to the server.
The scheme must resist the replay attack, modification attack and stolen-verifier attack.
The password cannot be broken by guessing attacks even if the mobile device is lost.

Basic concepts of the proposed
Hard problem assumptions
Hardness of inverting a one-way hash function
Hardness of the discrete logarithm problem
Hardness of the computational Diffie-Hellman problem
Shamir’s secret sharing scheme
(t,n) secret sharing scheme
Select a large prime p (> x) and a random polynomial f(.) over Zp of degree t-1, satisfying f(0) = x.
Give xi = f(i) to Si, i = 1,…,n.
When t servers cooperate, $x = f(0) = \sum_i x_i L_{0i}$, where $L_{0i} = \prod_{j, j \neq i} \frac{-j}{i - j}$ is the Lagrange coefficient.
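
An added example, not code from the paper or from these slides: Shamir (t, n) sharing of x with Lagrange recombination, carried one step further to recombination in the exponent (the h(ID)^{rx} = E form of the login phase), so x is never rebuilt. The toy group (p = 2039, q = 1019), the hash-to-group encoding, the function names and the reading of r as a blinding exponent chosen by the user are assumptions made for illustration.

```python
import hashlib, secrets
from itertools import combinations

P, Q = 2039, 1019  # constructed toy safe prime p = 2q + 1; far too small for real use

def h(identity):
    """Hash an ID into the order-q subgroup of Z_p* (assumed encoding: square mod p)."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(d % (P - 3) + 2, 2, P)  # base in [2, p-2], so the square is never 1

def share(x, t, n):
    """Shamir (t, n): random f of degree t-1 over Z_q with f(0) = x; S_i gets x_i = f(i)."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """L_0i = product over j in ids, j != i, of (-j)/(i-j), computed mod q."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def reconstruct(shares):
    """x = f(0) = sum_i x_i * L_0i from any t shares {i: x_i}."""
    return sum(x_i * lagrange_at_zero(i, list(shares)) for i, x_i in shares.items()) % Q

def combine(partials):
    """prod_i (v^{x_i})^{L_0i} mod p = v^x; the shares never leave the servers."""
    out = 1
    for i, part in partials.items():
        out = out * pow(part, lagrange_at_zero(i, list(partials)), P) % P
    return out

def demo(identity="alice", t=3, n=5):
    x = secrets.randbelow(Q - 1) + 1
    shares = share(x, t, n)                      # setup; x is discarded after this
    r = secrets.randbelow(Q - 1) + 1             # blinding exponent (assumed user-chosen)
    blinded = pow(h(identity), r, P)             # h(ID)^r sent to the servers
    expected = pow(h(identity), r * x % Q, P)    # h(ID)^{rx}, computed here only to check
    for subset in combinations(shares, t):       # every t-subset of servers must agree
        sub = {i: shares[i] for i in subset}
        e = combine({i: pow(blinded, x_i, P) for i, x_i in sub.items()})
        if reconstruct(sub) != x or e != expected:
            return False
    return True

if __name__ == "__main__":
    print("all t-subsets yield E = h(ID)^{rx}:", demo())
```

`reconstruct` is included only to check the sharing; in the threshold setting only `combine` would run, since rebuilding x on any single node defeats the purpose of discarding it at setup.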
Notations

The proposed (1/3)
Set up process
Select a random polynomial f(.) over Zq of degree t-1, satisfying f(0)=x.
Compute f(i)=xi, then send xi to Si through a secure channel.
Discard x.
Registration phase
Communication server

The proposed (2/3)
Login & authentication phase
Communication server
[Protocol diagram not recovered. Expressions that survive from it: $h(ID)^{r}$; $h(ID)^{r x_i}$; $\prod_i \left(h(ID)^{r x_i}\right)^{L_{0i}} = h(ID)^{rx} = E$; $\prod_i h(ID)^{L_{0i} x_i} = h(ID)^{x} = B$.]

The proposed (3/3)
Changing password
Users can change the password freely without registering again. (?)
The smart card confirms the validity of PW by interacting with ζ.
Replace β with β-h(PW)+h(PW*) mod p

Discussion
No password or verification table.
Users can choose their own passwords and can change them without registering again.
Users can choose a short and memorable password without worrying about guessing attacks.
The administrator of the server cannot learn the password of the user.
Achieves mutual authentication.
Even if an intruder breaks into up to t-1 server nodes, he cannot obtain any information about the system key x.
Even if n-t server nodes are unavailable, the remaining t nodes can still provide service to user nodes.

Performance
Liao-Lee-Hwang’s scheme
Designed for single client/server applications
In a comparison with ten existing smart-card-based schemes, only the proposed scheme can resist offline guessing attacks.
Liao-Lee-Hwang’s scheme
?

Comments
How does the scheme suit the conditions of ad hoc networks?
The password-changing process must contact ζ.