Improvements to Mitchell's Remote User Authentication Protocol

Vipul Goyal (1), Abhishek Jain (1), and Jean Jacques Quisquater (2)

(1) CSE Department, IT-BHU, India
(2) Crypto Group, UCL, Belgium

Abstract. A provably secure protocol for remote authentication is presented. Only public information is stored at the verifying host, which makes our scheme resistant to server compromise. We use one-time signatures coupled with offline transcripts for synchronization. Due to the sole usage of fast cryptographic hash functions, our method is appropriate for low cost user authentication. Our construction improves over the previously proposed technique of Mitchell to overcome its problem of Denial of Service (DoS) attacks.

D. Won and S. Kim (Eds.): ICISC 2005, LNCS 3935, pp. 69 – 80, 2006. © Springer-Verlag Berlin Heidelberg 2006

1 Introduction

Authentication is the process by which a system can determine whether or not a given user is who she claims to be. Authentication is the key for information security since if the authentication mechanism is compromised, the rest of the security measures are bypassed as well.

Authentication protocols using asymmetric key cryptography generally suffer from performance limitations. Recall that asymmetric key cryptography is typically hundreds of times slower than symmetric key cryptography. This increases the cost of authentication servers several times and renders the protocol impractical for clients with limited computational resources. On the other hand, authentication protocols using symmetric¹ key cryptography are vulnerable to either server compromise or network attacks (passive and active).

One particularly widespread attack is to passively capture and replay passwords used for user authentication. A solution to this problem is to encode the passwords in such a way that it can be used exactly once and cannot be used to generate any other encoded password. Such an encoding is called a one-time password. A one-time password scheme was first designed by Lamport [16]. Later it was standardized [11,12,13] and implemented [10,17]. However, Lamport’s scheme remains vulnerable to an active adversary who intercepts and traps (or impersonates the host in order to extract) an as yet unused one time password so that he can generate a list of valid unspent OTPs by using the hash chain's one-way property. This has been pointed out by a number of authors [8,14,18]. Besides, the number of times a user may authenticate to the server is limited.

¹ To avoid confusion, we collectively refer to protocols using (a) Symmetric key encryption (b) One-way Hash functions as symmetric key authentication protocols in this paper.

A symmetric key-based unilateral authentication protocol was recently proposed by Mitchell [21,22] requiring only public information to be stored at the authentication server. Message Authentication codes (MAC) [1,2] were used to maintain storage and computational feasibility for low cost user authentication devices. The scheme has formed part of the Software Based Systems area of the Core 2 Research Programme of the Mobile VCE [24]. However, as acknowledged by the author, the scheme is vulnerable to a DoS attack. Besides, the protocol lacks proofs of security. We discuss this scheme and the associated vulnerabilities in detail in the next subsection.

We present a new key-based remote user authentication protocol using one-time signatures coupled with offline transcripts for synchronization. In our attempt to improve over Mitchell’s scheme [22], the relevant goals we wish to achieve are:

• Provable security against server compromise.
• Provable security against passive and active adversaries.
• Practical solution for low cost user authentication devices.
• Unlimited authentications without system re-initialization.

The rest of the paper is organized as follows. Section 2 provides a background on one-time signatures. We present our scheme in Section 3. In Section 4, we discuss the security and performance issues of the proposed scheme and provide a comparison with [22]. An enhancement to our scheme is discussed in Section 5. We conclude in Section 6.

Throughout the paper, A, B (Alice, Bob) are used to represent system principals, where Alice plays the role of client while Bob plays the role of server. We denote concatenation of two values by $(X, Y)$. By $\{a_i\}_{i=1}^{n}$ we denote the set $\{a_1, \ldots, a_n\}$ of $n$ entities (e.g. secret keys, MAC values etc). Notations specific to a system are introduced as and when required.

1.1 Related Works

Here we discuss the scheme proposed by Mitchell [21,22]. The scheme is divided into two phases, Setup and Operation. A MAC computation over a string $X$ is denoted as $M_K(X)$ where $K$ is the secret key.

Protocol. Mitchell’s remote user authentication scheme

I. Setup
1. A performs the following operations.
   • Choose an integer constant $t$, key set $\{K_i\}_{i=1}^{t}$ and a random data string $X$. Compute $V_i = M_{K_i}(X)$, $\forall i \in [1, t]$.
   • Transfer $X$, $\{V_i\}_{i=1}^{t}$ to B in a manner guaranteeing their authenticity.
2. B stores the received data. Note that data integrity is the only assumption.

II. Operation
1. A sends login request to B.
2. B sends $X$ to A.
3. A performs the following operations.
   • Verify $X$ against the stored value (A mismatch signifies a loss of synchronization between A and B. We discuss this situation later on).
   • Compute a new key set $\{K'_i\}_{i=1}^{t}$, random string $X'$, MAC values $V'_i = M_{K'_i}(X')$ and $W'_i = M_{K_i}(V'_1, \ldots, V'_t)$, $\forall i \in [1, t]$.
   • Send $\{W'_i\}_{i=1}^{t}$ to B.
4. B sends a random $r$ subset of $\{i\}_{i=1}^{t}$, say $\{c_i\}_{i=1}^{r}$.
5. A sends $\{K_{c_i}\}_{i=1}^{r}$, $X'$, $\{V'_i\}_{i=1}^{t}$ to B and replaces $X$, $\{K_i\}_{i=1}^{t}$ with $X'$, $\{K'_i\}_{i=1}^{t}$ respectively. (In some cases, the old values may be retained as discussed below).
6. B first verifies the stored MAC subset $\{V_{c_i}\}_{i=1}^{r}$ using key subset $\{K_{c_i}\}_{i=1}^{r}$ and the stored value $X$. If the entire MAC subset is correct, then B verifies the MAC subset $\{W'_{c_i}\}_{i=1}^{r}$. If this is also correct, B authenticates A and replaces $X$, $\{V_i\}_{i=1}^{t}$ with $X'$, $\{V'_i\}_{i=1}^{t}$.

As acknowledged in [22], the scheme is vulnerable to a simple and effective DoS attack. An adversary may first capture the random string $X$ sent by A to B during a protocol execution (step 5 in the above protocol) and then later impersonate B to A using $X$. Although the login attempt would fail, a single protocol execution between the adversary and A would result in a new random string at A for the next login protocol while that stored at B is still the old one. This results in a loss of synchronization between A and B. Further, this protocol execution would also enable the adversary to learn a chosen subset of $r$ keys sent out by the user in step 4. The adversary may possibly use these keys later to impersonate A to B. Thus, the scheme requires careful choice of $t$ and $r$ so that the probability of an adversary successfully guessing the subset $\{c_i\}_{i=1}^{r}$ in advance is negligible (see Section 3.1 in [22] for details).

When A later tries to authenticate herself to B, step 2 of the protocol would enable her to learn about the loss of synchronization. Here two options are possible: re-initialize the system manually or use the same key set that was used with the adversary, again for authentication to B. However, there is a potential danger in using the same key set again as the adversary may again impersonate B to A to learn another chosen set of keys. The adversary may choose the new $r$ subset such that it is disjoint with the old key set she already has; she may keep impersonating B to A until she has a significant portion of keys out of $t$ thus enabling her to impersonate A to B. [22] proposes to increase $t$ to enable the user to securely use the same key set a number of times. For example, to use the same key set $s$ times, $t$ may be set to $64 \times s$ with $r = 32$ to ensure that the probability of a successful attack remains less than $2^{-32}$. Thus, security may be increased at the cost of performance. However, it is clear that irrespective of how big $s$ may be, the adversary may keep impersonating B to A up to $s$ times so that the key set expires and re-synchronization becomes impossible by using the same key set. In cases where it is possible, the system may be re-initialized by manual means. In other cases, there is no way for the user to authenticate any further. Thus, the DoS attack succeeds.

2 Preliminaries and Notations

Hash Functions. Throughout the paper, $H : \{0,1\}^* \to \{0,1\}^k$ is a $k$-bit cryptographic hash function (informally known as a one-way hash function [3]) that is hard to invert and collision resistant.

One time Signatures. The concept of one time signatures was initially proposed by Lamport [15]. It was subsequently enhanced by Merkle [19,20], Winternitz [21], Bicakci et. al. [4] and Bleichenbacher et. al. [5,6,7].

Signing a one bit message. The signer chooses as the secret key two values $X_1$ and $X_2$ (representing ‘0’ and ‘1’) and publishes their images under a one-way function $Y_1 = H(X_1)$ and $Y_2 = H(X_2)$ as the public key. These X’s and Y’s are called the secret key components and the public key components, respectively. To sign a single bit message, reveal the pre-image corresponding to the actual ‘0’ or ‘1’ i.e., reveal $X_1$ or $X_2$ based upon whether the message to be signed is ‘0’ or ‘1’. For signing longer messages, several instances of this basic scheme may be used. Thus we note that to sign an $N$ bit message, $2N$ X’s and thus $2N$ Y’s are required and the size of signatures generated is equal to $N$ times the size of secret key components.

There are several improvements to this basic scheme. Merkle [19,20] proposed an improvement which reduces the number of public as well as secret key components in Lamport’s method by almost two-fold. Instead of generating two X’s and two Y’s for each bit of the message, the signer generates only one X and one Y for each bit of the message to be signed. When one of the bits in the message to be signed is a ‘1’, the signer releases the corresponding value of X; but when the bit to be signed is a ‘0’, the signer releases nothing. Because this allows the receiver to pretend that he did not receive some of the X’s and therefore to pretend that some of the ‘1’ bits in the signed message were ‘0’, the signer must also sign the count of the ‘0’ bits in the message.


Now, when the receiver pretends that a ‘1’ bit was actually a ‘0’ bit, he must also increase the value of the count field, which can't be done. Because the count field has only $\log_2 N$ bits in it, the number of public and secret key components is decreased by almost a factor of two i.e., from $2N$ to $N + \log_2 N$ (or to $N + \log_2 N + 1$ if $N$ is not a power of 2). This also results in the decrease of signature size by almost a factor of two.

Winternitz [20] proposed an improvement that reduces the signature size by several folds at the expense of increased computational effort. In Winternitz’s method, the one-way function is applied to two secret key components iteratively for a fixed number of times, resulting in a two-component public key.

We now introduce some basic notations associated with one-time signatures used throughout the paper.

$m$: Number of public/secret key components used in the OTS scheme; equal to $k + \log_2(k)$ for Merkle’s construction if the output of the hash function is $k$-bit.
$p$: Average number of secret key components revealed in an OTS; usually equal to $m/2$.
$sk$: A one-time secret key; equal to the collection of $m$ secret key components.
$pk$: A one-time public key; equal to the collection of $m$ public key components.
$S(sk, M)$: One-time signature computed over message $M$ with $sk$; equal to the collection of the relevant secret key components required to sign $M$.

Calculation of a one-time key pair. Given a secret key $K^A$ and an integer counter value $i$, a one-time key pair $(sk_i^A, pk_i^A)$ for a system principal A is computed as per the following definition.

$sk_i^A = \{ H(K^A, i, 1), \ldots, H(K^A, i, m) \}$
$pk_i^A = \{ H^2(K^A, i, 1), \ldots, H^2(K^A, i, m) \}$

For a given integer value $i$, the corresponding one-time key pair for a system principal may be computed whenever required.

3 The Proposed Scheme

Our scheme is divided into two phases, Setup and Operation. Offline transcripts are computed during the operation phase to restore synchronization whenever required. We use an integer $i$ as a counter for protocol executions.

Protocol. Remote Authentication using One-Time Signatures

I. Setup
1. A initializes a counter $i^A \leftarrow 1$ and performs the following operations.
   • Choose a secret key $K^A$, compute a one-time key pair $(sk_1^A, pk_1^A)$.
   • Transfer $pk_1^A$ to B in a manner guaranteeing its authenticity. This may be done using a certificate issued by a trusted authority.
2. B stores the received value and initializes his counter $i^B \leftarrow 1$.

II. Operation
1. A identifies herself to B with her login name.
2. B computes a random string $r_i^B$ and sends $(i^B, r_i^B)$ to A.
3. A performs the following operations.
   • Verify $i^B$ against $i^A$ (In case of a mismatch, compute offline transcript)
   • Compute $sk_i^A$, a new one-time key pair $(sk_{i+1}^A, pk_{i+1}^A)$, hash value $H(r_i^B, pk_{i+1}^A)$ and the OTS $S(sk_i^A, H(r_i^B, pk_{i+1}^A))$.
   • Send $(pk_{i+1}^A, S(sk_i^A, H(r_i^B, pk_{i+1}^A)))$ to B. Store $r_i^B$ and set counter $i^A \leftarrow i^A + 1$.
4. B verifies the correctness of the received OTS. If the OTS is correct, A is authenticated. B replaces $pk_i^A$ with $pk_{i+1}^A$ and sets the counter $i^B \leftarrow i^B + 1$.

At any point of time, A stores an integer counter and a set of challenge strings sent to her by B, while B stores an integer counter and a one-time public key.

Offline Transcript. In case of a mismatch between the counter values in step 3 of the operation phase, A computes an offline transcript. Further actions remain the same as explained in the protocol. We suppose that the counter value at A is $(i + d)$ while that received from B is $i$. Then the offline transcript is the set $\{ r_j^B, pk_{j+1}^A, S(sk_j^A, H(r_j^B, pk_{j+1}^A)) \}_{j=i}^{i+d-1}$ consisting of $d$ entries. To compute the offline transcript, A performs the following operations.

• Compute the one-time key pair $(sk_j^A, pk_j^A)$, $\forall j \in [i, i+d]$.
• Locate challenge string $r_j^B$, $\forall j \in [i, i+d)$ from the database.
• Compute the OTS $S(sk_j^A, H(r_j^B, pk_{j+1}^A))$, $\forall j \in [i, i+d)$.

Now to authenticate herself to B, A sends the offline transcript along with the current OTS $S(sk_{i+d}^A, H(r_{i+d}^B, pk_{i+d+1}^A))$ and one-time public key $pk_{i+d+1}^A$. B uses the offline transcript to first update his state from $pk_i^A$ to $pk_{i+d}^A$. Now he is in a position to verify the current OTS and hence allow A to log in.

It is worth noting here that the offline transcript itself is insufficient for authentication. We stress that the current OTS be sent along with it. This is because the OTS in the transcript are based on old challenge strings that are more likely to have been generated by an adversary impersonating B to A during earlier protocol executions (This will be more clear after we discuss DoS attack in Section 4.1). Further, the content of the offline transcript is just a collection of the regular authentication data sent during previous authentication sessions and may be known to an adversary. Hence the transcripts are just a method of catch-up for the host.
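The protocol of this section, with Merkle's one-time signature from Section 2 as the OTS, as an added Python example (not code from the paper). It assumes SHA-256 for $H$, a length-prefixed encoding for concatenation, 16-byte challenge strings and a 9-bit count field. The names Client, Server, keypair, sign, verify and demo are hypothetical, and the server in this example commits new state only when the whole login verifies.

```python
import hashlib
import hmac
import os

K_BITS = 256            # k: output size of H (SHA-256 is an assumption of this example)
CNT_BITS = 9            # zero-count field; 9 bits so a count of exactly 256 also fits
M = K_BITS + CNT_BITS   # m: components per one-time key

def H(*parts):
    """H over a concatenation (X, Y, ...); length prefixes keep the encoding unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def keypair(K, i):
    """sk_i = {H(K, i, n)} and pk_i = {H(H(K, i, n))} for n = 1..m."""
    sk = [H(K, i.to_bytes(8, "big"), n.to_bytes(2, "big")) for n in range(1, M + 1)]
    return sk, [H(x) for x in sk]

def pk_bytes(pk):
    if len(pk) != M or any(len(c) != 32 for c in pk):
        raise ValueError("malformed one-time public key")
    return b"".join(pk)

def signed_bits(digest):
    """Merkle's variant: the k message bits followed by the count of '0' bits."""
    n = int.from_bytes(digest, "big")
    v = (n << CNT_BITS) | (K_BITS - bin(n).count("1"))
    return [(v >> (M - 1 - j)) & 1 for j in range(M)]

def sign(sk, digest):  # reveal the secret component for each '1' bit, nothing for '0'
    return {j: sk[j] for j, b in enumerate(signed_bits(digest)) if b}

def verify(pk, digest, sig):
    return all(j in sig and hmac.compare_digest(H(sig[j]), pk[j])
               for j, b in enumerate(signed_bits(digest)) if b)

class Client:  # A: keeps K^A, a counter and the challenge strings received so far
    def __init__(self, K):
        self.K, self.i, self.challenges = K, 1, {}

    def _otp(self, j):
        sk_j, _ = keypair(self.K, j)
        _, pk_next = keypair(self.K, j + 1)
        r_j = self.challenges[j]
        return r_j, pk_next, sign(sk_j, H(r_j, pk_bytes(pk_next)))

    def respond(self, i_B, r):  # Operation step 3
        self.challenges[self.i] = r
        transcript = [self._otp(j) for j in range(i_B, self.i)]  # d entries, empty if in sync
        _, pk_next, ots = self._otp(self.i)
        self.i += 1
        return transcript, pk_next, ots

class Server:  # B: stores only public data, a counter and the current one-time public key
    def __init__(self, pk_1):
        self.i, self.pk, self.r = 1, pk_1, None

    def challenge(self):
        self.r = os.urandom(16)
        return self.i, self.r

    def login(self, transcript, pk_next, ots):
        i, pk = self.i, self.pk
        try:
            for r_j, pk_j1, s_j in transcript:       # catch up through the old OTPs
                if not verify(pk, H(r_j, pk_bytes(pk_j1)), s_j):
                    return False
                i, pk = i + 1, pk_j1
            # The current OTS must cover B's own fresh challenge, not an old one.
            if self.r is None or not verify(pk, H(self.r, pk_bytes(pk_next)), ots):
                return False
        except ValueError:
            return False
        self.i, self.pk, self.r = i + 1, pk_next, None   # commit only on full success
        return True

def demo():
    K = os.urandom(32)                               # constructed secret key K^A
    alice, bob = Client(K), Server(keypair(K, 1)[1])
    first = bob.login(*alice.respond(*bob.challenge()))
    # Three runs with someone impersonating B push A's counter ahead of B's.
    captured = [alice.respond(bob.i, os.urandom(16)) for _ in range(3)]
    bob.challenge()
    replay = bob.login(*captured[0])                 # old OTP against a fresh challenge
    resync = bob.login(*alice.respond(*bob.challenge()))  # d = 3 entries + current OTS
    return first, replay, resync, alice.i, bob.i
```

demo() walks through one normal login, three executions against an impersonated B, a replay of an old one-time password, and a resynchronizing login that carries a three-entry offline transcript.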

4 Security Analysis

In the security proofs given in this section, we refer to the pair $\{ pk_{i+1}, S(sk_i, H(r_i, pk_{i+1})) \}$ as a one-time password (OTP). The superscripts referring to a system principal have been omitted in both the security proofs.

Theorem 1. If the underlying one-time signature scheme is secure, then for any integer counter value $i$, given access to all the one-time passwords sent by the client up to login $(i - 1)$ and the current server state $pk_i$, an adversary cannot compute the correct $i$-th one-time password.

Proof. Assume that the thesis is false i.e., there is an algorithm $F$ that succeeds in computing the correct one-time signature for some login (without the knowledge of the one-time secret key) with non-negligible probability. That is, for ‘some’ integer value $i$, $F$ runs on the current server state $pk_i$ and the OTP set $\{ pk_{j+1}, S(sk_j, H(r_j, pk_{j+1})) \}_{j=1}^{i-1}$, takes a random string $r_i$ and one-time public key $pk_{i+1}$ as input and outputs a valid one-time signature over their hashed value. (On all other inputs, it outputs zero). We show how $F$ can be used to build an algorithm $F_1$ which forges signatures for the underlying one-time signature scheme. $F_1$ is allowed to query an oracle $O$ which works in the following manner. On being queried with an integer value $i$ as input, it computes a one-time key pair $(sk_i, pk_i)$ and outputs $pk_i$; when queried with an integer $i$ and some string as input, it outputs the one-time signature computed over the input string using $sk_i$. $F_1$ executes the following algorithm.

Algorithm 1
1. Set counter $i = 1$
2. Query $O$ with input $i$. Receive and store $pk_i$
3. Query $O$ with input $i + 1$. Receive and store $pk_{i+1}$
4. Compute a random string $r_i$ and the hash value $H(r_i, pk_{i+1})$
5. Transfer the OTP set $\{ pk_{j+1}, S(sk_j, H(r_j, pk_{j+1})) \}_{j=1}^{i-1}$ and current server state $pk_i$ to $F$ and execute it on input $H(r_i, pk_{i+1})$. If $F$ outputs nonzero then Stop. Else Query $O$ with input $\{ i, H(r_i, pk_{i+1}) \}$. Receive and store $S(sk_i, H(r_i, pk_{i+1}))$
6. Set $i \leftarrow i + 1$, go to step 3

With non-negligible probability, for some integer counter value $i$, $F$ outputs a valid signature $S'$ over the given input. Now, $F_1$ stops and outputs $S'$ as a valid one-time signature without the knowledge of the one-time secret key and without having made a query to the oracle $O$ for the new one-time signature. This contradicts the assumption that the underlying one-time signature scheme is secure. Hence our theorem is proved.

Denial of Service Attacks. We now discuss the effect of a DoS attack on our protocol. Observe that an unsuccessful authentication is likely to be caused by an adversary impersonating B to A. We suppose that since the last successful login, the adversary has engaged in $d$ protocol executions with A, impersonating B to A each time. This implies that $d$ is the difference between the counter values stored by the system principals. Hence, if the counter value at A was $i$ when the adversary started the attack, it must be $(i + d)$ at this point.

Assume that during the $(i + d)$-th protocol execution, A receives $(i + d)$, $r_{i+d}^B$ from B. After the failure of the counter value verification, A computes an offline transcript which is a set of cardinality $d$ as explained in Section 3. Now A sends this offline transcript to B along with the usual generated current OTS and one-time public key. B verifies each OTS in the transcript one by one and keeps updating its state. If the verification of all the one-time signatures in the transcript is successful, the state of B is updated to $pk_{i+d}^A$, the counter value being $(i + d)$. Now he is in a position to verify the regular OTS sent along with the offline transcript. If it is found correct, A is logged in and the counter is updated to $(i + d + 1)$.

Again, it may be the adversary impersonating B to A and exchanging messages with A. In that case, during the next login attempt, A will add the current OTS, one-time public key and the challenge string to the offline transcript to be sent to B. Hence, although the size of the offline transcript grows with the number of consecutive attacks, synchronization can still be restored between A and B despite any number of attacks.

Further, A may not need to store all the challenge strings sent to her so far. When she is sure that the login attempt was successful and she is logged into the genuine server (e.g. on seeing her files or e-mails), she may delete all the challenge strings stored until that point. In section 6, we propose an enhancement to the scheme which does not require such manual intervention on the client side.


Security of offline transcripts. Recall that though both Message Authentication Codes [1,2] and Digital Signatures [9,23] are used for authentication purposes, digital signatures provide non-repudiation whereas MACs are repudiable. The reason is that the verification data released to the verifier in case of digital signatures does not give him the power to modify or create a signature, while the secret key released to the verifier in case of a MAC gives him modification power. We now discuss the security of the offline transcript mechanism. We claim that this mechanism, which employs only one-time signatures, is secure and possesses the property of offline verification for the same reason as discussed above i.e., the verification data does not give modification power to the verifier.

Theorem 2. If the underlying one-time signature scheme is secure and $H$ is a collision resistant hash function, then given access to the current server state $pk_i$, an adversary cannot modify an offline transcript and the attached current one-time password to his advantage.

Proof. Assume that the thesis is false i.e., there is an algorithm $F$ that succeeds in modifying an offline transcript with non-negligible probability. That is, for some integer values $i$ and $d$, $F$ runs on current server state $pk_i$, takes as input set $Z = \{ r_j, pk_{j+1}, S(sk_j, H(r_j, pk_{j+1})) \}_{j=i}^{i+d}$ (the current one time password being $\{ pk_{i+d+1}, S(sk_{i+d}, H(r_{i+d}, pk_{i+d+1})) \}$) and outputs a modified valid set $Z'$. We show how $F$ can be used to build an algorithm $F_1$ which either forges signatures for the underlying one-time signature scheme or finds collisions in the hash function. $F_1$ is allowed to query an oracle $O$ which works in the same manner as discussed in the Proof of Theorem 1. $F_1$ first executes Algorithm 2 with input $(i, d)$.

Algorithm 2. Prepare Transcript (i, d)
1. Set $j = i$
2. Query $O$ with input $j$. Receive and store $pk_j$
3. Query $O$ with input $j + 1$. Receive and store $pk_{j+1}$
4. Compute a random string $r_j$ and the hash value $H(r_j, pk_{j+1})$
5. If $j = i + d$ Stop. Else Query $O$ with input $\{ j, H(r_j, pk_{j+1}) \}$. Receive and store $S(sk_j, H(r_j, pk_{j+1}))$
6. Set $j \leftarrow j + 1$, go to step 3

It now runs $F$ on current server state $pk_i$ with the offline transcript $Z = \{ r_j, pk_{j+1}, S(sk_j, H(r_j, pk_{j+1})) \}_{j=i}^{i+d}$ as input. With non-negligible probability, $F$ outputs a modified valid set $Z'$. $F_1$ now compares $Z$ and $Z'$ for each corresponding entry. On finding the first mismatch, it stops. Suppose that the mismatch occurs at some $j$. Now, if $H(r_j, pk_{j+1})_Z = H(r_j, pk_{j+1})_{Z'}$ and $(r_j, pk_{j+1})_Z \neq (r_j, pk_{j+1})_{Z'}$, this means $F_1$ has found a collision in the hash function. Otherwise, $F_1$ outputs the one-time signature from the $j$-th entry in $Z'$ as a valid one-time signature, thus contradicting the assumption that the underlying one-time signature scheme is secure. Hence our theorem is proved.

5 An Enhancement to the Scheme

Mutual Authentication is a desired feature of a two-party authentication protocol. Both A and B must authenticate each other to prevent an adversary from impersonating either of them. In the proposed scheme, an adversary is able to disturb the synchronization between the system principals due to lack of mutual authentication. Though offline transcripts successfully counter such attacks, it would be appropriate to eradicate such an attack in the first place. To support mutual authentication, the basic protocol can be extended by making A authenticate B in exactly the same manner as B authenticates A. The extended scheme consists of two phases, Setup and Operation. Offline transcripts are no longer required since loss of synchronization is no longer possible.

Protocol. Remote Authentication using One-Time Signatures (Extended Version)

I. Setup
1. A initializes a counter $i^A \leftarrow 1$ and performs the following operations.
   a. Choose a secret key $K^A$, compute a one-time key pair $(sk_1^A, pk_1^A)$.
   b. Transfer $pk_1^A$ to B in a manner guaranteeing its authenticity. This may be done using a certificate issued by a trusted authority.
2. B stores the received value and initializes his counter $i^B \leftarrow 1$. He then performs the following operations.
   a. Choose a secret key $K^B$, compute a one-time key pair $(sk_1^B, pk_1^B)$.
   b. Transfer $pk_1^B$ to A in a manner guaranteeing its authenticity.

II. Operation
1. A computes a random string $r_i^A$ and sends $\{ A, i^A, r_i^A \}$ to B.
2. B performs the following operations.
   • Verify $i^A$ against $i^B$. Stop if mismatch occurs.
   • Compute $sk_i^B$, a new one-time key pair $(sk_{i+1}^B, pk_{i+1}^B)$, hash value $H(r_i^A, pk_{i+1}^B)$ and the OTS $S(sk_i^B, H(r_i^A, pk_{i+1}^B))$.
   • Compute a random string $r_i^B$ and send $(r_i^B, pk_{i+1}^B, S(sk_i^B, H(r_i^A, pk_{i+1}^B)))$ to A.
3. A performs the following operations.
   • Verify the received OTS. Stop if verification fails.
   • Compute $sk_i^A$, a new one-time key pair $(sk_{i+1}^A, pk_{i+1}^A)$, hash value $H(r_i^B, pk_{i+1}^A)$ and the OTS $S(sk_i^A, H(r_i^B, pk_{i+1}^A))$.
   • Send $(pk_{i+1}^A, S(sk_i^A, H(r_i^B, pk_{i+1}^A)))$ to B. Replace $pk_i^B$ with $pk_{i+1}^B$ and set counter $i^A \leftarrow i^A + 1$.
4. B verifies the correctness of the received OTS. If it is correct, A is authenticated. B replaces $pk_i^A$ with $pk_{i+1}^A$ and sets the counter $i^B \leftarrow i^B + 1$.

6 Conclusions

A new key-based authentication protocol has been presented that uses one-time signatures coupled with offline transcripts for synchronization. The proposed scheme is provably secure against server compromise as well as both passive and active adversaries. The mechanism of offline transcripts provides immunity against DoS attacks and thus improves over Mitchell’s scheme [21,22]. The extended protocol supports mutual authentication and eliminates any possibility of loss of synchronization in the first place. Due to the sole usage of fast cryptographic hash functions, the proposed scheme maintains trivial computational and storage requirements to be a practical solution for low cost user authentication devices where the complexity of implementing public key cryptography should be avoided.

References

[1] M. Bellare, R. Canetti, H. Krawczyk, “Keying Hash Functions for Message Authentication”, CRYPTO 96, LNCS Vol. 1109.
[2] M. Bellare, R. Canetti, H. Krawczyk, “HMAC: Keyed-Hashing for Message Authentication”, RFC 2104, February 1997.
[3] T.A. Berson, L. Gong and T.M.A Lomas, “Secure, Keyed and Collisionful Hash Functions”, Technical Report SRI-CSL-94-08, May 1994.
[4] K. Bicakci, G. Tsudik, B. Tung, “How to construct optimal one-time signatures”, Computer Networks (Elsevier), Vol.43 (3), pp.339-349, 2003.
[5] D. Bleichenbacher and U. M. Maurer, “Directed Acyclic Graphs, One-way Functions and Digital Signatures”, Proc. CRYPTO 94, LNCS 839, Springer Verlag, 1994, pp 75-82.
[6] D. Bleichenbacher, U. M. Maurer, “Optimal Tree-Based One-time Digital Signature Schemes”, Proc. STACS 96, LNCS 1046, Springer Verlag, pp 363-374.
[7] D. Bleichenbacher, U. M. Maurer, “On the efficiency of one-time digital signatures”, Proc. ASIACRYPT 96, LNCS 1163, Springer-Verlag, pp 145-158, 1996.
[8] L. Chen, C.J. Mitchell, “Comments on the S/Key user authentication scheme”, ACM Operating Systems Review, 30(4), 12-16, October 1996.
[9] W. Diffie, M. Hellman. “New Directions in Cryptography”, IEEE Transactions on Information Theory, IT-22 (6), 74-84, 1976.
[10] N. Haller, “The S/Key One-Time Password System”, Proceedings of the ISOC Symposium on Network and Distributed System Security, pp 151-157, February 1994.
[11] N. Haller, “The S/KEY One-Time Password System”, RFC 1760, 1995.
[12] N. Haller, “A One-Time Password System”, RFC 1938, May 1996.
[13] N. Haller, C. Metz, P. Nesser and M. Straw, “A One-Time Password System”, RFC 2289, Feb 1998.
[14] C. Kaufman, R. Perlman, M. Speciner, “Network Security, Private Communication in a Public World”, Prentice Hall Series, 2002.
[15] L. Lamport, “Constructing Digital Signatures from a One-Way Function”, Technical Report CSL-98, SRI International 1978.
[16] L. Lamport, “Password Authentication with Insecure Communication”, Communications of the ACM 24.11 (November 1981), pp 770-772.
[17] D.L. McDonald, R.J. Atkinson, C. Metz, “One-Time Passwords in Everything (OPIE): Experiences with Building and Using Strong Authentication”, In Proc. of the 5th USENIX UNIX Security Symposium, June 1995.
[18] A. J. Menezes, P. C. Van Oorschot and S. A. Vanstone, “Handbook of Applied Cryptography”, CRC Press, Boca Raton, 1997.
[19] R. C. Merkle, “A Digital Signature Based on a Conventional Encryption Function”, Proc. CRYPTO 87, LNCS 293, Springer Verlag, pp 369-378.
[20] R. C. Merkle, “A Certified Digital Signature”, Proc. CRYPTO 89, LNCS 435, Springer Verlag, 1990, pp 218-238.
[21] C. J. Mitchell, “Authentication of a remote user to a host in a data communication system”, UK patent application filed 3rd November 2001.
[22] C. J. Mitchell, “Remote user authentication using public information”, 9th IMA International Conference on Cryptography and Coding, Cirencester, UK, December 2003, Springer-Verlag (LNCS 2898), pp.360-369.
[23] R. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”, Comm. of the ACM, 21(2), 120-126, 1978.
[24] Mobile VCE, www.mobilevce.com.