無線通訊驗證協定之研究

A Research on Authentication Protocols for Wireless Communications

彭智瑄

無線通訊 ； 驗證 ； 無線射頻辨識 ； 近場通訊 ； Authentication ； wireless communication ； radio frequency identification ； near field communication

臺中科技大學資訊工程系碩士班學位論文

2017年

碩士

張雅芬

英文

近幾年，隨著無線通訊科技的迅速發展，多樣化的無線通訊應用被提出，讓人們的生活更為便利。許多使用者藉由行動裝置的無線通訊功能去取得所需的資訊及資源；另一方面，無線射頻辨識、近場通訊等無線通訊技術也被企業所採用，以提供便利及多樣化的商業服務。然而，無線通訊裝置無法進行過於複雜的運算，且資料是透過公開且不安全的通道傳輸，故無線通訊傳輸的安全性為目前需解決的一項難題。. 為了確保被服務提供的對象為合法使用者，身分驗證便成為不可或缺的安全需求。在本研究中，我們針對無線通訊驗證的主題進行討論。Lu等學者在2015年指出Kuo等學者所提出之行動通訊網路驗證方法有安全性缺失後，提出應用於無線通訊的驗證方法並且宣稱此方法可確保安全、匿名性與使用者友善。在分析Lu等學者的方法後，我們發現此方法有三個缺失，(1) 使用者在驗證階段傳送固定的參數，會讓攻擊者可以重送參數，以取得使用者的資訊，(2) 同時也無法提供匿名性，(3) 因為在註冊階段並未將亂數儲存，會導致smart card 無法算出相同的參數。 另一方面，Dass和Om學者也提出應用於無線射頻辨識系統的驗證方法並且宣稱此方法是有效且安全的。在分析Dass和Om學者的方法後，發現此方法在驗證階段無法抵禦偽冒攻擊，攻擊者藉由產生新的亂數便可偽冒使用者。在本研究中，我們將詳細說明Lu等學者為無線通訊所設計之身分驗證方法所遭受的威脅。同時，指出Dass和Om學者所提出在無線射頻辨識系統中的驗證方法所遭受的安全威脅。

Recently, with the rapid growth of wireless communication technologies, various wireless communication applications are proposed to make people’s life more convenient. Many users utilize mobile devices’ wireless communication functions to obtain required information and resources. On the other hand, wireless communication technologies such as radio frequency identification (RFID) and near field communication (NFC) are adopted by enterprises to provide convenient and diverse commercial services. Unfortunately, wireless communication devices cannot execute complex computational operations, and data is transmitted through public but insecure channels. How to ensure the security of wireless communications is an urgent and tough issue to solve. To check the legality of the user, authentication is an essential security requirement. In this thesis, we make discussions on authentication schemes for wireless communications. In 2015, Lu et al. found that Kuo et al.’s mobility network authentication scheme suffers from some flaws and proposed an improvement to ensure security, anonymity, and user-friendly for wireless communications. After analyzing Lu et al.’s scheme, we find that it is vulnerable to three weaknesses. First, it cannot resist replay attack. Second, it cannot ensure user anonymity as claimed. Third, a mobile user may not be authenticated by the home agent because of the lack of one random number chosen in registration phase. On the other hand, Dass and Om proposed an authentication scheme for RFID systems by using pseudorandom number generators (PRNGs) and simple cryptographic operations. After analyzing Dass and Om’s scheme, we find that it suffers from masquerade attack in the authentication process such that an attacker can impersonate a user by generating a new random number. In this thesis, we first explicitly indicate how the found three weaknesses damage Lu et al.’s authentication scheme for wireless communications, and then we show why Dass and Om’s authentication scheme for RFID systems suffers from masquerade attack.

1. [1] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, Vol. 24, pp. 770-772, 1981.
   連結：
2. [2] M. S. Hwang and L. H. Li, “A new remote user authentication scheme using smart card, ” IEEE Transactions on Consumer Electronics, Vol. 46, pp. 28-30, 2000.
   連結：
3. [3] C. K. Chan, “Cryptanalysis of a remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, pp. 992-993, 2000.
   連結：
4. [4] H. M. Sun, “An efficient remote use authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, pp. 958-961, 2000.
   連結：
5. [5] M. L. Das, A. Saxena and V. p. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, Vol. 50, pp. 629-631, 2004.
   連結：
6. [6] Y. Wang, J. Liu, F. Xiao and J. Dan, “A more efficient and secure dynamic ID-based remote user authentication scheme,” Computer Communications, Vol. 32, pp. 583-585, 2009.
   連結：
7. [7] E. J. Yoon, K. Y. Yoo and K. S. Ha, “A user friendly authentication scheme with anonymity for wireless communications,” Computer and Electrical Engineering, Vol. 37, pp. 356-364, 2011.
   連結：
8. [8] Y. F. Chang, P. Y. Lin, Y. C. Chen, C. S. Chang, J. W. Fan, and C. W. Chan, “An effective authentication scheme with anonymity for wireless communications,” Proceedings of ACEAIT 2015, Osaka, Japan, pp. 255-263, March 2015.
   連結：
9. [9] J. Zhu and J. Ma, “A new authentication scheme with anonymity for wireless environments, ” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 230-234, 2004.
   連結：
10. [11] C. C. Wu, W. B. Lee, and W. J. Tsaur, “A secure authentication scheme with anonymity for wireless communications,” IEEE Communications Letters, Vol. 12, No. 10, pp. 722-723, 2008.
    連結：
11. [12] C. C. Chang, C. Y. Lee, and Y. C. Chiu, “Enhanced authentication scheme with anonymity for roaming service in global mobility networks,” Computer Communications, Vol. 32, No. 4, pp. 611-618, 2009.
    連結：
12. [13] H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, “Enhanced secure anonymous authentication scheme for roaming service in global mobility networks,” Mathematical and Computer Modelling, Vol. 55, No. 1-2, pp. 214-222, 2012.
    連結：
13. [14] W. C. Kuo, H. J. Wei, and J. C. Cheng, “An efficient and secure anonymous mobility network authentication scheme,” Journal of Information Security and Applications, Vol. 19, No. 1, pp. 18-24, 2014.
    連結：
14. [15] Y. Lu, X. Wu, and X. Yang, “A secure anonymous authentication scheme for wireless communications using smart cards,” International Journal of Network Security, Vol. 17, No. 3, pp. 237-245, 2015.
    連結：
15. [16] Y. F. Chang, M. H. Hsu, and W.L. Tai, “Comments on Kuo et al.’s anonymous mobility network authentication scheme,” Proceedings of ACEAIT-2016, Kyoto Japan, pp. 778-785, 2016.
    連結：
16. [17] R. Want, “An introduction to RFID technology,” IEEE Pervasive Computing, Vol. 5, No. 1, pp. 25-33, 2006.
    連結：
17. [18] G. Venkataramain and S. Gopalan, “Mobile phone based RFID architecture for secure electronic payments using RFID credit cards,” Proceedings of ARES-2007, Vienna Austria, pp. 610-620, 2007.
    連結：
18. [19] A. Y. Chang, D. R. Tsai, C. L. Tsai and Y. J. Lin, “An improved certificate mechanism for transactions using radio frequency identification enabled mobile phone,” Proceedings of Annual International Carnahan Conference-2009, Zurich Switzerland, pp. 36-40, 2009.
    連結：
19. [20] I. Syamsuddin, T. Dillon, E. Chang and S. Han, “A survey of RFID authentication protocols based on hash-chain method,” Proceedings of ICCIT-2008, Busan South Korea, pp. 559-564, 2008.
    連結：
20. [21] Y. Q. Gui and J. Zhang, “A new authentication RFID protocol with ownership transfer,” Proceedings of ICTC-2013, Jeju South Korea, pp. 359-364, 2013.
    連結：
21. [22] J. Li, Y. Wang, B. Jiao and Y. Xu, “An authentication protocol for secure and efficient RFID communication,” Proceedings of ICLSIM-2010, Harbin China, pp. 1648-1651, 2010.
    連結：
22. [24] F. M. Albert, T. R. Rolando, C. R. Jordi and D. F. Josep, “A scalable RFID authentication protocol supporting ownership transfer and controlled delegation,” Proceedings of RFIDSec-2011, Amherst USA, pp. 147-162, 2012.
    連結：
23. [25] M. Rahman, R. V. Sampangi and S. Sampalli, “Lightweight oriticil for anonymity and mutual authentication in RFID systems,” Proceedings of CCNC-2015, Las Vegas USA, pp. 910-915. 2015.
    連結：
24. [26] P. Dass and H. Om, “A secure authentication scheme for RFID systems,” Procedia Computer Science, Vol. 78, pp. 100-106, 2016.
    連結：
25. [10] C. H. Lin and C. Y. Lee, “Cryptanalysis of a new authentication scheme with anonymity for wireless environments,” Proceedings of the Second International Conference on Advances in Mobile Multimedia, Bail, Indonesia, pp. 399-402, 2004.
26. [23] J. Fu, C. Wu, X. Chen, R. Fan and L. Ping, “Scalable pseudo random RFID private mutual authentication,” Proceedings of ICCET-2010, Chengdu China, pp. 497-500, 2010.