Similar literature
1.
Deniable authentication is a type of authentication protocol with the special property of deniability. However, there have been several different definitions of deniability in authentication protocols. In this paper, we clarify this issue by defining two types of deniable authentication. In the first type, the receiver of the authenticated message cannot prove to a third party that the sender has authenticated any message to him; we call this type of deniability full deniability. In the second type, the receiver can prove to a third party that the sender has authenticated some message to him, but cannot prove to a third party that the sender has authenticated any particular message to the receiver; we call this type of deniability partial deniability. Note that partial deniability is not implied by full deniability, and that it has applications different from those of full deniability. Consequently, we present two identity-based authentication schemes and prove that one is fully deniable while the other is partially deniable. These two schemes can be useful in different scenarios.

3.
Recently, Tseng et al. proposed two authenticated encryption schemes (a basic scheme and a generalized scheme) with message linkages, which are efficient in terms of communication and computation costs in comparison with all previously proposed schemes. In the basic authenticated encryption scheme, the recipient can recover the message blocks only after receiving the entire set of signature blocks. In order to allow the receiver to perform the receiving and recovering processes simultaneously, according to application requirements and the transmission efficiency of the network, the generalized authenticated encryption scheme was then proposed. In this paper, we show that neither of Tseng et al.'s authenticated encryption schemes achieves integrity and authentication. Improvements are then proposed to repair the weaknesses.

4.
Advancement in communication technology provides a scalable platform for various services, where a remote user can access a server from anywhere without leaving his or her location. It provides a unique opportunity for online services, since a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to resources. Most of the authentication schemes proposed in the literature support a single-server environment, in which the user has to register with each server. If a user wishes to access multiple application servers, he/she is required to register with each server separately. Multi-server authentication introduces a scalable platform in which a user can interact with any server using a single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user's password and biometrics (Chuang and Chen, 2014). Their scheme is lightweight, requiring the computation of only hash functions. In this paper, we first analyze Chuang and Chen's scheme and then identify that it does not resist the stolen smart card attack, which leads to user impersonation and server spoofing attacks. We also show that their scheme fails to protect against denial-of-service attacks. We aim to propose an efficient improvement on Chuang and Chen's scheme to overcome its weaknesses while retaining its original merits. Through rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Chuang and Chen's scheme. Furthermore, we simulate our scheme for formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of communication and computational overheads with Chuang and Chen's scheme and other related existing schemes.

5.
This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE'19) and AEAD schemes (IMACC'19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance) while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme, for symmetric encryption and public key encryption, or the verification algorithm of an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We discuss practical considerations and specific conditions that apply to particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raise awareness and understanding about what is possible with ASAs.

6.
In 2004, Hwang and Chen demonstrated new multi-proxy multi-signature schemes that allow a group of authorized proxy signers to sign messages on behalf of a group of original signers. Later, Lyuu and Wu pointed out that Hwang et al.'s schemes were not secure and then proposed a modified scheme. They claimed that their modified schemes were secure. But in this paper we show a new attack on the Lyuu-Wu schemes. Moreover, the original Hwang-Chen schemes are also vulnerable to this insider attack. Furthermore, we point out some improvements for the Lyuu-Wu scheme and the Hwang-Chen schemes according to Wang et al.'s methods [Wang GL, Han XX, Zhu B. On the security of two threshold signature schemes with traceable signers. In: Applied Cryptography and Network Security (ACNS 2003). Lect Notes Comput Sci (LNCS), vol. 2846, Springer-Verlag; 2003. p. 111-222]. These improvements can resist our insider attack.

7.
Through an analysis and improvement of the third-party verification in two authenticated encryption schemes, it is shown that, when designing the third-party verification of a publicly verifiable authenticated encryption scheme, both including the receiver's identity information and binding the message to the signature verification are necessary in order to prevent attacks by the receiver.

8.
Recently, Chen [K. Chen, Signature with message recovery, Electronics Letters, 34(20) (1998) 1934] proposed a signature with message recovery. But Mitchell and Yeun [C. J. Mitchell and C. Y. Yeun, Comment - signature with message recovery, Electronics Letters, 35(3) (1999) 217] observed that Chen's scheme is only an authenticated encryption scheme and not a signature scheme as claimed. In this article, we propose a new signature scheme in the sense of Mitchell and Yeun, with a message recovery feature. The designated verifier signature was introduced by Jakobsson et al. [M. Jakobsson, K. Sako, R. Impagliazzo, Designated verifier proofs and their applications, Proc. of Eurocrypt'96, LNCS 1070 (1996) pp. 143-154]. We propose a designated verifier signature scheme with non-repudiation of origin. We also give a protocol for a convertible designated verifier signature scheme with non-repudiation of origin. Both of these schemes are based on our proposed signature scheme with message recovery.

9.
Convertible multi-authenticated encryption scheme
A convertible authenticated encryption (CAE) scheme allows the signer to generate a valid authenticated ciphertext on a message of his choice such that only the designated recipient can retrieve the message. Further, the recipient has the ability to convert the authenticated ciphertext into an ordinary signature in case of a dispute or repudiation. Previously proposed CAE schemes allow only one signer to produce the authenticated ciphertext, which may be inadequate for multiparty environments. In this paper, we elaborate on the merits of CAE and multi-signature schemes to propose a convertible multi-authenticated encryption scheme which has the following advantages: (i) The size of the generated authenticated ciphertext is independent of the total number of participating signers. (ii) Except for the designated recipient, no one can obtain the signed message or verify its corresponding signature. (iii) The signature is cooperatively produced by a group of signers instead of a single signer. (iv) In case of a later dispute or repudiation, the recipient has the ability to convert the authenticated ciphertext into an ordinary signature in order to convince anyone of the signers' dishonesty.

10.
An authenticated group key agreement protocol resistant to disruption attacks
An unauthenticated group key agreement protocol cannot authenticate the communicating participants or their messages, and must therefore rely on an authenticated network channel or some other authentication method. This paper analyzes the well-known group key agreement protocol proposed by Burmester et al. for an authenticated broadcast channel and shows that it cannot resist a key agreement disruption attack launched by a malicious insider node; the attack prevents the other honest nodes in the group from correctly computing a consistent group key. An improved authenticated group key agreement protocol is proposed, which adds a method for authenticating message correctness to the original protocol so that malicious nodes within the group can be detected. The improved protocol is proven, in the random oracle model, to resist key agreement disruption attacks.

11.
Two efficient authenticated encryption schemes with message linkages are proposed. One is a basic scheme, which has better performance than all previously proposed schemes in terms of communication and computation costs. However, it shares a property with the previously proposed schemes: the message blocks can be recovered only after all the signature blocks have been received. Therefore, the basic scheme is applicable only to all-or-nothing message flows. Thus, we improve the basic scheme and also propose a generalized scheme, which allows the receiver to recover part of the message blocks before receiving all the signature blocks. That is, the receiver may perform the receiving and recovering processes simultaneously. Therefore, the generalized scheme is applicable to streaming message flows. The generalized scheme requires less bandwidth and computational time than the previously proposed authenticated encryption schemes with message linkages for message flows.

12.
People use mobile devices for economic activities such as electronic fund transfers and online shopping, which require authentication protocols to ensure security. Recently, Zhu proposed an authentication protocol based on chaotic maps. This paper analyzes the flaws of that scheme, including susceptibility to user impersonation attacks and offline dictionary attacks, failure to provide user anonymity, and design defects in the registration and password-change phases, and proposes an improved mobile authentication protocol based on chaotic maps (Chebyshev polynomials) to overcome these flaws. The security of the proposed protocol is then proven using BAN logic, and a performance comparison with other related schemes shows that it is more secure and practical.

13.
Recently, Lee et al. used their new group signature with the function of authenticated encryption to design a sealed-bid auction scheme, and they claimed that their schemes are secure. In this paper, we show that if the group manager has a valid group signature of a member, he can forge a group signature on an arbitrary message on behalf of that member without knowing the member's secret key; further, if the registration manager (RM) and the auction manager (AM) conspire in their auction scheme, they can forge a new bid on any goods on behalf of a bidder who has sent his/her bid to the AM. Therefore, their group signature and auction scheme are insecure. Finally, we improve Lee et al.'s group signature scheme to overcome the modification attack and achieve the security requirements.

14.
The use of e-payment systems for electronic trade is on its way to making daily life easier and more convenient. However, a number of security issues remain to be addressed: user anonymity and fair exchange have become important concerns alongside authentication, confidentiality, integrity and non-repudiation. In a number of existing e-payment schemes, the customer pays for the product before acquiring it. Furthermore, many such schemes require very high computation and communication costs. To address such issues, Yang et al. recently proposed an authenticated encryption scheme and an e-payment scheme based on their authenticated encryption. They eliminated the need for digital signatures for authentication. Further, they claimed that their schemes resist replay, man-in-the-middle, impersonation and identity theft attacks while providing confidentiality, authenticity, integrity and privacy protection. However, our analysis shows that both Yang et al.'s authenticated encryption scheme and their e-payment system are vulnerable to impersonation attacks: an adversary with knowledge of only the public parameters can easily masquerade as a legitimate user. Furthermore, we propose improved authenticated encryption and e-payment schemes to overcome the weaknesses of Yang et al.'s schemes. We prove the security of our schemes using the automated tool ProVerif. The improved schemes are more robust and more lightweight than Yang et al.'s schemes, as is evident from the security and performance analysis.

15.
The MQV key agreement protocol has been adopted by the IEEE P1363 Committee to become a standard; it uses a digital signature to sign the Diffie-Hellman public keys without using any one-way hash function. Based on the MQV protocol, Harn and Lin proposed a generalized key agreement protocol to enable two parties to establish multiple common secret keys in a single round of message exchange. However, the Harn-Lin protocol suffers from the known-key attack if all the established secret keys are adopted. Recently, Tseng proposed a new generalized MQV key agreement protocol without using one-way hash functions. Tseng claimed that the proposed protocol is robust, since the new protocol can withstand the forgery attack and the known-key attack. In this paper we show that this protocol is not secure, since the receiver can forge signatures. We also propose an improved authenticated multiple-key agreement protocol, which is secure against the forgery attack and the known-key attack.

16.
An authenticated encryption scheme with (t,n) shared verification and its security
In an authenticated encryption scheme with (t,n) shared verification, n verifiers jointly share the responsibility for recovering the message: t or more verifiers cooperating can recover the encrypted message, while fewer than t verifiers cannot. In 1998, Hsu and Wu proposed an authenticated encryption scheme with (t,n) shared verification, but their scheme cannot resist cheating attacks. This paper improves the Hsu-Wu scheme; the security of the improved scheme is based on the integer factorization problem and the discrete logarithm problem. The proposed scheme not only detects several kinds of cheating by dishonest participants, raising the level of security, but also requires less transmitted data.

17.
A deniable authentication scheme is a useful tool for secure communications. The scheme allows a sender to prove the authenticity of a message to a specified receiver without permitting the receiver to prove that the message was authenticated by the sender. Non-interactive schemes are more attractive than interactive schemes in terms of communication overhead, and thus several non-interactive deniable authentication schemes have been proposed. In this paper, we propose an efficient non-interactive deniable authentication scheme based on a trapdoor commitment scheme. We construct an efficient trapdoor commitment scheme which provides a very efficient commitment evaluation operation. Then we design an efficient non-interactive deniable authentication scheme using the trapdoor commitment scheme. We also prove the security of our scheme under a rigorously formalized security model.

18.
The Session Initiation Protocol (SIP) is a signaling protocol widely applied in the world of multimedia communication. Numerous SIP authenticated key agreement schemes have been proposed with the purpose of ensuring secure communication. Farash recently put forward an enhancement employing smart cards based on Zhang et al.'s scheme. In this study, we observe that the enhanced scheme presented by Farash also has some security pitfalls, such as disclosure of user identity, lack of pre-authentication in the smart card, and vulnerability to a key-compromise masquerading attack which results in an off-line guessing attack. We then propose an anonymous modified scheme with elliptic curve cryptography to eliminate the security leakages of the scheme proposed by Farash. We demonstrate that our scheme is immune to different kinds of attacks, including the attacks found in Farash's scheme. We apply Burrows-Abadi-Needham logic to establish the completeness of the proposed scheme. Also, we compare the performance of our scheme with its predecessor schemes, and the comparative results show that it fully satisfies the needs of SIP.

19.
Existing tripartite authenticated key agreement protocols offer low security and incur high computational overhead. This paper proposes an identity-based enhanced tripartite authenticated key agreement protocol. While achieving the basic security properties of key agreement, the new protocol uses short signatures and timestamps to further improve security. Analysis shows that the enhanced protocol satisfies all currently known security properties for tripartite key agreement and requires only two bilinear pairing operations, giving lower computational overhead. In addition, a stronger key-compromise impersonation resistance property is proposed, and it is pointed out for the first time that the schemes of Chen Hao et al. and Chen Jiaqi et al. have serious flaws.

20.
A recently proposed new class of authenticated encryption schemes is the first to combine message-recoverable signatures with symmetric encryption in an integrated way, without requiring a hash function or a redundancy function. However, analysis reveals that the scheme does not satisfy the basic requirements of a digital signature and cannot resist forgery attacks by the message receiver. A new authenticated encryption scheme is therefore proposed, whose security rests on the difficulty of the discrete logarithm problem and the double-modulus problem, and which allows the authenticated-encryption signature to be converted into an ordinary signature in the event of a dispute, so that anyone can verify the signature's validity.
