IC Card-Based Single Sign-On System that Remains Secure under Card Analysis


Jun Furukawa, Kazue Sako, and Satoshi Obana

NEC Corporation, Japan

j-furukawa@ay.jp.nec.com, k-sako@ab.jp.nec.com, obana@bx.jp.nec.com


Abstract

Today, many users of the network access multiple independent services consecutively or even simultaneously. Single sign-on systems help such users access services easily with only a single log-in process. Some single sign-on systems, which require users' IC cards to be authenticated directly by services, achieve a high level of security in that they allow no third party the power to impersonate users. However, most of these systems are vulnerable when IC cards are analyzed, since their security depends solely on the secret information borne inside the card. In this paper, we propose a novel IC card-based single sign-on system that keeps a certain level of security even when the user's IC card is analyzed. In the system, secret information is kept in distributed form between the IC card and the portal.

Categories and Subject Descriptors

D.4.6 [Security and Protection]: Access controls

General Terms



Keywords

Single Sign-On, Authenticated Key Exchange, Card Analysis, Distributed Key



Introduction

Nowadays, many users of the network access, consecutively or even simultaneously, an increasing number of independent services that authenticate users. By using a single sign-on system, e.g., [1, 18, 28, 30] etc., such users are able to access these services swiftly with only a single log-in process. Single sign-on systems are often realized by using portal sites. Once the user logs in to a portal site, he gains access to all services without being prompted to log in again at each of them.


DIM'09, November 13, 2009, Chicago, Illinois, USA.
Copyright 2009 ACM 978-1-60558-786-8/09/11 ...$10.00.

While single sign-on systems help users access services easily, the fact that these systems collect authentication information may increase security concerns. This is self-contradictory, since authentication, the cost of which the single sign-on system aims to reduce, itself aims to secure services.

This problem can be avoided in IC card based systems in which an IC card automatically responds to multiple services' authentications by using the secret stored in it, once the user has entered the password into it. IC card based systems also have the benefits that it is much easier for their users to be authenticated not only at their own machines but also at machines available in public, and that the risk of users' secret keys being stolen by malware can be reduced.

A disadvantage of the IC card based system as above is that all secrets, including the password which controls access to the IC card itself, are stored in the card. Hence, one who can analyze the data in IC cards can access all of the secrets in stolen cards. Indeed, since most IC cards do not have their own power source, it is hard for them to erase or destroy their secrets as soon as they detect the analysis. Such processes are hard to carry out without power.

Since the discovery of scanning tunneling microscopy by Binnig and Rohrer [7, 8], its various modifications have been developed, and one can now use a scanning Maxwell stress microscope (SMM) [32], a variant of the scanning probe microscope with cantilever, to measure the electrical charge that records each bit of the secrets. Recent SMMs have a lateral resolution of about 20nm with a sensitivity in surface potential of 0.4mV, which is enough for analysis of IC cards. Although it is not a high-end card, it is reported in [19] that the content of a MIFARE Classic card can be cloned and manipulated even without advanced techniques.

Another disadvantage of IC card based systems is that installing and updating keys for services is not easy. In some systems, it takes about half a minute to copy a public key certificate, the public key, and the corresponding private key to non-volatile memory. The size of the circuit that is elaborately made as tamper-resistant as possible also increases as the number of services increases.

In this paper, we propose a novel IC card based single sign-on system whose security does not heavily depend on the tamper resistance of the IC card. Users in our system can also easily be registered on new services.

Our single sign-on system uses a portal site, and this portal site keeps each user's secrets, which are encrypted by the user's secret key. Because the secrets are encrypted, these data alone are not enough for the portal site to impersonate users. For each registered user, the portal site keeps a password and a key for authentication. The password is used to authenticate the user and the key is used to authenticate the IC card of the user. This password is remembered by the user and is never stored in the IC card. Hence, no one can obtain the password by stealing and analyzing this IC card. If both the user and the IC card are authenticated, the portal site transfers the corresponding encrypted secrets to the user via a secure channel. The IC card decrypts these secrets, stores the results in its volatile memory temporarily, and uses them in order to be authenticated by services. Since the secrets are stored only in the volatile memory, the processors can be covered by a protective mesh that cuts the power supply to the volatile memory when it is damaged. Writing in volatile memory is fast too. Registering new services can be done by registering a new encrypted secret on the portal, without adding any data to the IC card.

Our system considers attackers that potentially have chances to (1) eavesdrop on and falsify communicated messages, (2) steal IC cards and analyze them, (3) steal the passwords from users, (4) control the terminals into which users insert their IC cards, and (5) control the portal site. Since these attacks, except (2), have often been successful in practice by wiretapping, thievery, furtive glances, guessing easy passwords, viruses, spyware, or intrusion, we should consider all of them carefully. The attack of type (2) is characteristic of our paper. We consider that this type of attack tends to be overlooked but will be a serious threat to systems that handle highly sensitive personal information. A user in our system remains secure unless an attacker simultaneously succeeds in both an attack of type (2) and one of (3), (4), or (5). This property reduces the vulnerability to card analysis.

Since users need to share common keys with services for secure communication, i.e., for accessing the services securely, a single sign-on system is a variant of key exchange. A large number of key exchange protocols are often run concurrently in many systems, including huge and complicated ones, and it is natural that a certain number of users in huge systems who run these protocols are corrupted. Hence, the requirements for the security of key exchange protocols are understood to be quite strong. Indeed, these requirements have been shown to be non-trivial by works including [2–4, 6, 9, 14, 15, 17, 29]. Therefore, we consider it also important to analyze the security of a single sign-on system in a rigorous manner by modeling it as key exchange. We have modeled single sign-on along the lines adopted in the well accepted strong model of [14].

Our system does not require users to register their IC cards with services. Each user needs to have a secret for accessing each service, independent of his IC card. What his IC card does is simply keep this secret securely by sharing it with a portal. The portal does not need to authenticate services or verify the shared data. The portal simply authenticates the user and its IC card and simply keeps what is given by the user. It later returns this data to the user when it has succeeded in authenticating the user and the IC card. Therefore, it is easy for users to register new services with portals, update secrets kept in portals, and change the portals with which they share their secrets.

Related works: Gennaro et al. in [20] considered a model where an IC card consists of a tamper-proof yet readable part and a read-proof yet tamperable part. Although this model is quite strong compared to our model, they concluded that a self-destructing capability is necessary to secure data. Key exchanges that use both a password and an IC card and that remain secure even when one of them is compromised are also considered in several works such as [26, 31]. Yang et al. in [31] considered a protocol where each secret datum for authentication is derived from the password of the user and a secret stored in the IC card. This protocol, when applied to a single sign-on system, achieves a similar property to our protocol. But all the data for authentications can be recovered from either the server or the IC card, while our protocol requires both the portal and the IC card. We believe it is easier to have an environment where a single portal needs to be trusted to some extent than one where all service providers need to be trusted.

Organization: The paper is organized as follows: Section 2 gives a security model of single sign-on systems as a variant of key exchange protocols. It first models how the system works and specifies the requirements of security. Section 3 proposes our single sign-on system. It first introduces several known cryptographic building blocks that we use. Then, our full system is presented. Section 5 proves that our system satisfies the security requirements that we introduced in Section 2. Section 6 concludes our paper.




Protocol Model

The players in our IC card based single sign-on system are users, IC cards, terminals, portals, and servers for services. Each user has its own IC card and remembers one password which is short enough to remember but long enough to resist on-line exhaustive search. Each terminal can communicate with portals and with an IC card inserted into it. It can also communicate with a user through interfaces such as a keyboard and display. Portals can communicate with terminals and servers. Letters Υ, Γ, Θ, Φ, Σ with indices are used to represent, respectively, a user, an IC card, a terminal, a portal, and a server. We also let the symbol Π of a player denote the identifier of that player. The management of sessions, identifiers of sessions, internal states of sessions, and identifiers of keys is important in key exchanges. The following models how these are generated, kept, and deleted.

The system works as follows.

1. A user Υ inserts its IC card Γ into a terminal Θ.

2. Terminal Θ generates a new session and its session identifier sid. This session is labeled as (Θ, sid) and keeps its own session (internal) state. Next, Session (Θ, sid) asks Υ to enter the password and receives the password ω entered by Υ.

3. Session (Θ, sid) communicates with a portal Φ that is specified by Γ or Υ. When Φ receives a message from Session (Θ, sid) with respect to a new session, it generates a new session and its session identifier sid′. This session is labeled as (Φ, sid′) and keeps its own session state.

4. Session (Θ, sid) uses both ω and Γ in order to be authenticated by (Φ, sid′). Once it is authenticated, Session (Θ, sid) gets the list of servers with the help of Φ and Γ and shows it to Υ.

5. Υ chooses a server Σ and a login name Υ_Σ from the list. Then, Session (Θ, sid) generates a new (sub)session and its session identifier sid″. This session is labeled as (Θ, sid″) and keeps its own session state.

6. Session (Θ, sid″) communicates with Σ under the name Υ_Σ. Server Σ also generates a new session and its session identifier sid‴. This session is labeled as (Σ, sid‴), keeps its own session state, and communicates with Session (Θ, sid″).

7. Session (Θ, sid″) of Θ and Session (Σ, sid‴) of Server Σ establish a common key key and its key identifier kid. Session (Θ, sid″) outputs (Θ, sid″, Σ, Υ_Σ, kid, key) and Session (Σ, sid‴) outputs (Σ, sid‴, Σ, Υ_Σ, kid, key). We say a session is completed if it outputs a key as above. If a session is completed, the session itself with its state is deleted completely. The established key key is going to be used for communication between Terminal Θ and Server Σ with respect to User Υ_Σ.

8. If User Υ or a program run by this user later specifies another server Σ′ and a login name Υ_Σ′, Session (Θ, sid) and Server Σ′ also establish a key as (Θ, sid) did with Σ. This process no longer requires Υ to enter its password.

After all, the single sign-on system is a variant of key exchange protocol in which users are able to exchange keys with multiple servers by entering their passwords only once. The introduced protocol model sacrifices no usability as an IC card-based single sign-on system. Users are only required to insert their card, enter their password, and choose services, as in other single sign-on systems.


Security Requirements

To define the security requirements of the system, we need to specify the potential abilities of adversaries. We assume that an adversary A has complete control over the communication between terminals, portals, and servers. It also controls the schedules of users, portals, and servers. It has the ability to corrupt players. Once it has corrupted a player, it can control that player totally. To model the capability of A, we assume that A knows all identifiers of existing sessions¹ and can send the following queries.

Definition 1. (Queries of Adversary)

Sign-On(Υ, Γ, Θ, new-session): Once this query is made, user Υ inserts IC card Γ into terminal Θ and enters the password.

Send(Π, M): Once this query is made, the message M is sent to Π. A obtains the response from Π. Π can be any of terminals, portals, or servers.

RevealState(Π, sid): If Π has a session state for the session labeled by (Π, sid), it is given to A.

RevealKey(Π, sid): If Π has already output (Π, sid, Σ, Υ_Σ, kid, key) for some Σ, Υ_Σ, kid, and key, A is given key.



¹ This information is sent unencrypted in our model.

Corrupt(Π): If Π is a user, his password is given to A. If Π is an IC card, A obtains enough information to replicate this IC card. If Π is a terminal, A obtains total control of the terminal. This terminal can attack the inserted IC card in a resettable manner (cf. [12]). If Π is a portal or a server, all data as well as the long-term secret stored in Π are given to A.

Because of the queries Sign-On and Send, A has complete control over the schedules of users and the communication in the network. Note that portals and servers are only invoked by others. Because of the query RevealState, strong corruption² is modeled here as in [14]. Many types of corruptions are modeled by the query Corrupt. This query expresses such cases as when a written-down password is stolen, a too simple password is guessed, a password is learned over the shoulder, a terminal such as a PC is contaminated by a virus or stolen, or a manager of a portal or server takes a bribe. It is really difficult to completely eliminate any of these cases. The query Corrupt also models analysis of IC cards. No known mechanism can strongly prevent modern scanning tunneling microscopy from measuring secrets stored in IC cards. Hence, these cases deserve consideration.

Although passive attacks are not explicitly expressed, the attacks adversaries can carry out are clearly stronger than those, since adversaries can simply send the received messages of players to the valid destinations.

Before specifying the security requirements, we need to define matching of sessions and virtual corruption of users.

Definition 2. We say sessions (Π, sid) and (Π′, sid′) are matching if these sessions have the same key identifier kid in their session states.

Definition 3. Suppose that (Θ, sid) is any session generated by the query Sign-On(Υ, Γ, Θ, new-session) and (Φ, sid′) is any session that is matching with Session (Θ, sid). Then, we say the pair of user and its IC card (Υ, Γ) is virtually corrupted at a certain point in time if both of the following events 1. and 2. have happened before that point in time:

1. A queries Corrupt(Γ).

2. Either of the following events has happened:

• A queries Corrupt(Υ).

• A queries Corrupt(Θ) before Session (Θ, sid) is completed.

• A queries Corrupt(Φ) before Session (Φ, sid′) is completed.

• A queries RevealState(Θ, sid) after Session (Θ, sid) is generated but before it is completed.

• A queries RevealState(Φ, sid′) after Session (Φ, sid′) is generated but before it is completed.

Note that we do not say the pair of user and its IC card (Υ, Γ) is virtually corrupted when only one of corrupting IC card Γ, corrupting user Υ, or corrupting the portal Φ has happened. This means that analyzing the IC card alone, or getting the password from the user or from the portal alone, does not imply that the adversary has virtually corrupted a pair of user and its IC card.

² Although the word "corruption" is misleading here, in the context of the strong corruption model the adversary is able to obtain the internal state of a session by corrupting the session during the protocol run. This ability is modeled by the RevealKey query and we do not call it a "corrupt-session" query here. On the other hand, the ability of the adversary to corrupt authentication modules that store long-term secrets is modeled by the Corrupt query. In the weak corruption model, the adversary can only obtain long-term secrets but not session states.
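As an added illustration (not code from the paper), the following Python evaluates Definition 3 over a constructed log of adversary queries and session life-cycle events, using hypothetical player names U (user), G (card), T (terminal, session t1) and P (portal, session p1). It shows that Corrupt(Γ) alone, or a portal corrupted only after its session completed, does not virtually corrupt the pair, while Corrupt(Γ) together with Corrupt(Υ), or with a RevealState on a session that is generated but not yet completed, does.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustration of Definition 3, added here; not code from the paper.
# An Event is one adversary query (Definition 1) or a session life-cycle
# event, recorded in the order it happened.  Session labels are (player, sid).
@dataclass(frozen=True)
class Event:
    kind: str                  # "Corrupt", "RevealState", "Generate", "Complete"
    player: str                # identifier of Υ, Γ, Θ or Φ
    sid: Optional[str] = None  # session id for RevealState / Generate / Complete


def virtually_corrupted(log: List[Event], user: str, card: str,
                        term_session: Tuple[str, str],
                        portal_session: Tuple[str, str]) -> bool:
    """True iff (user, card) is virtually corrupted at the end of `log`:
    event 1 (Corrupt(card)) AND one of the event-2 cases have both occurred.
    term_session is (Θ, sid) from Sign-On; portal_session is its matching (Φ, sid′)."""
    # Per-session flags, to evaluate the "after it is generated" and
    # "before it is completed" qualifiers of the definition.
    generated = {term_session: False, portal_session: False}
    completed = {term_session: False, portal_session: False}
    card_corrupted = False   # event 1
    second_event = False     # event 2 (any of its cases)
    theta, phi = term_session[0], portal_session[0]
    for ev in log:
        label = (ev.player, ev.sid)
        if ev.kind == "Generate" and label in generated:
            generated[label] = True
        elif ev.kind == "Complete" and label in completed:
            completed[label] = True
        elif ev.kind == "Corrupt":
            if ev.player == card:
                card_corrupted = True
            elif ev.player == user:
                second_event = True
            elif ev.player == theta and not completed[term_session]:
                second_event = True
            elif ev.player == phi and not completed[portal_session]:
                second_event = True
        elif ev.kind == "RevealState" and label in generated:
            if generated[label] and not completed[label]:
                second_event = True
    return card_corrupted and second_event


# Constructed scenarios: user "U", card "G", terminal "T" (session t1),
# portal "P" (session p1).
T, P = ("T", "t1"), ("P", "p1")
SETUP = [Event("Generate", "T", "t1"), Event("Generate", "P", "p1")]
DONE = [Event("Complete", "T", "t1"), Event("Complete", "P", "p1")]

def scenario_card_only() -> bool:
    # Card analysed, nothing else: NOT virtually corrupted.
    return virtually_corrupted(SETUP + [Event("Corrupt", "G")] + DONE, "U", "G", T, P)

def scenario_card_and_password() -> bool:
    # Card analysed AND password learned from the user: virtually corrupted.
    return virtually_corrupted(SETUP + [Event("Corrupt", "G"), Event("Corrupt", "U")], "U", "G", T, P)

def scenario_state_then_card() -> bool:
    # Terminal session state revealed mid-run, card analysed later: corrupted
    # (the definition does not order events 1 and 2).
    return virtually_corrupted(SETUP + [Event("RevealState", "T", "t1")] + DONE + [Event("Corrupt", "G")], "U", "G", T, P)

def scenario_portal_after_completion() -> bool:
    # Portal corrupted only after its session completed, plus the card: NOT corrupted
    # (Corrupt(Φ) counts only before (Φ, sid′) completes).
    return virtually_corrupted(SETUP + DONE + [Event("Corrupt", "P"), Event("Corrupt", "G")], "U", "G", T, P)
```

The four scenario functions are the cases a reviewer of the definition would check first; the last two are the ones that distinguish this notion from ordinary corruption, since timing relative to session completion decides the outcome.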

Definition 4. We say that a single sign-on protocol is SSO-AKE-secure if, for every polynomial time adversary A, the difference between the probability that A wins the following SSO-AKE-game and 1/2 is negligible. The SSO-AKE-game proceeds as follows:

At the beginning of the SSO-AKE-game, A and all players are set up. Then, A interacts with the players by making queries as specified in Definition 1. A is allowed to make one query Test(Π, sid), defined below, for some Π and sid such that Π has output (Π, sid, Σ, Υ_Σ, kid, key) for some Σ, Υ_Σ, kid, and key, once during the SSO-AKE-game.

Test(Π, sid): Once this query is made, b ∈ {0,1} is randomly chosen and A is given key if b = 1, and a randomly chosen key if b = 0.

Moreover, the query Test(Π, sid) needs to satisfy the following condition (freshness condition):

1. No query RevealKey(Π, sid) is made after Session (Π, sid) is completed.

2. No query RevealKey(Π′, sid′) is made after Session (Π′, sid′), which is matching with (Π, sid), is completed.

3. No query RevealState(Π, sid) is made after Session (Π, sid) is generated but before it is completed.

4. No query RevealState(Π′, sid′), where (Π′, sid′) is matching with (Π, sid), is made after Session (Π′, sid′) is generated but before it is completed.

5. No query Corrupt(Π) is made before Session (Π, sid) is completed.

6. No query Corrupt(Π′), such that there exists a Session (Π′, sid′) that is matching with (Π, sid), is made before Session (Π′, sid′) is completed.

7. The pair of user and its IC card (Υ, Γ) remains not virtually corrupted until Session (Π, sid) and its matching session are completed.

When A outputs a bit b′ ∈ {0,1} and terminates, the SSO-AKE-game ends.

We say A wins the SSO-AKE-game if b = b′, where b is the bit that the oracle generated when A queried Test(Π, sid). We do not consider that the adversary wins the game if it obtained essential data for guessing the key. The freshness condition excludes such cases from those in which the adversary wins the game. In other words, users are able to run sessions that securely access services as long as these users succeed in keeping those sessions fresh.

The first six elements in the freshness condition are the same as those in the case of authenticated key exchange protocols. The last two are characteristic of our IC card-based single sign-on system.

We note that this SSO-AKE security implies forward secrecy in the strong corruption model, since adversaries who steal session states and corrupt sessions, IC cards, or users after they had output a key cannot get any knowledge about this key.

Definition 5. We say that a single sign-on protocol is SSO-MA-secure if, for every polynomial time adversary A, the probability that A wins the following SSO-MA-game is negligible. The SSO-MA-game proceeds as follows:

At the beginning of the SSO-MA-game, A and all players are set up. Then, A interacts with the players by making queries as specified in Definition 1. When A terminates, the SSO-MA-game ends. We say A wins the SSO-MA-game if one of the following cases happens before A terminates.

Impersonation: There exists an uncorrupted session (Π, sid) that outputs (Π, sid, Σ, Υ_Σ, kid, key) such that the pair of user and its IC card (Υ, Γ) is virtually uncorrupted but the number of sessions that have been matching with (Π, sid) is zero.

Break of mutual authentication: Two uncorrupted sessions (Π, sid) and (Π′, sid′) output (Π, sid, Σ, Υ_Σ, kid, κ) and (Π′, sid′, Σ′, Υ′_Σ, kid′, κ′), respectively, such that kid = kid′ and the pair of user and its IC card (Υ, Γ) is virtually uncorrupted but either Σ ≠ Σ′, or Υ_Σ ≠ Υ′_Σ, or κ ≠ κ′.

The first condition implies that an uncorrupted session outputs a key only when there exists a matching session that agreed to generate a key. This is invulnerability against impersonation. The second condition implies that two matching sessions output the same key with respect to the same user. Note that we do not require honest sessions to output keys when their matching sessions output keys. As is discussed in [23], imposing such a condition is impossible in our communication model.

Definition 6. We say that a single sign-on protocol is SSO-AKE-MA-secure if it is both SSO-AKE-secure and SSO-MA-secure.



Our system leverages a signature, an authenticated key exchange, a password-based authenticated key exchange, a tweakable cipher, and a pseudorandom function as building blocks. These are briefly presented in this section.



Signature

A signature scheme consists of three algorithms SGen, Sign, and Verify. SGen, given a security parameter κ and a random tape of length polynomial in κ, outputs a verification key and a signing key. Sign, given a message and the signing key, outputs a signature. Verify, given a message, a signature, and a verification key, outputs 1 or 0, representing, respectively, acceptance or rejection of the signature.

Roughly, we say a signature scheme is existentially unforgeable under chosen message attacks (the signature scheme is EUF-CMA) if no polynomial time adversary A can win the following game: The game begins when a verification key vkey and a signing key skey are output by SGen, which is given a security parameter κ and a random tape. vkey is given to A. A is provided signatures on messages that A adaptively chooses. These signatures are generated by Sign, which is given skey. We say A wins the game if A succeeds in outputting a pair of a message and a signature that Verify with vkey accepts but that was not provided to A.

We assume the EUF-CMA signature that our system uses is such as DSA (Digital Signature Algorithm) or ECDSA (the Elliptic Curve variant of DSA) in IEEE 1363, [10, 16, 27], etc.


Authenticated Key Exchange

Authenticated key exchange (AKE) is a protocol by which two parties agree on a common key. Each party invokes a session when it initiates a protocol or when it responds to a protocol initiation. Each session is assumed to be given an identifier that is unique within the party it belongs to. Such a session handles the protocol for which it is invoked and interacts with its counter session until a common key is established. Then the session outputs the key to the party and completes itself. For this task, each session keeps a state, called the session state, in which it stores temporary data. Each party has a long-term secret, such as a signing key, and uses this for message authentication when required by its sessions. The counter session with which one session interacts and establishes a common key is called the matching session. We assume sessions that are mutually matching share the same key identifier. Each party may run multiple sessions concurrently.

Roughly, we say a key exchange is AKE-secure if no polynomial time adversary A can gain knowledge about the key that one session outputs, under the condition that A does not attack parties in a crucial manner. More concretely, this condition, called the freshness condition, is as follows: (1) A does not explicitly obtain the key that the session outputs or that its matching session outputs, (2) the adversary does not obtain the content of the session state of the session or of the matching session after they are invoked but before they are completed, and (3) the adversary does not obtain the long-term secret of a party that invoked either the session or the matching session before these sessions are completed.

Roughly, we say a key exchange is MA-secure if no polynomial time adversary A can make two uncorrupted and matching parties output different keys, and if no polynomial time adversary A can make an uncorrupted party output a key unless its matching session exists.

We assume the AKE-secure authenticated key exchange that our system uses is such as those in [14, 15] etc., where we assume that the signing key of a party, as its long-term secret, is used to sign the messages it sends so that these messages can be authenticated.


Password-Based Authenticated Key Exchange


Password-based authenticated key exchange (PAKE) is a variant of authenticated key exchange in which authentication relies only on passwords. Unlike authentication based on signatures or message authentication codes with long secrets, authentication based on passwords is weak if off-line exhaustive search is possible. However, it is possible to restrict exhaustive search to on-line authentication attempts only. Thus, a sufficiently secure authenticated key exchange that relies on password-based authentication is possible.

The notions of session identifier, session state, matching session, and key identifier in PAKE are similar to those in authenticated key exchange. We assume the PAKE that our system uses is such as those in [3, 13, 22] etc.

We can add some resilience to server compromise to these PAKEs by using the general method introduced in [21].


Tweakable Cipher

A tweakable cipher, introduced in [24], has not only the usual inputs of a message and a cryptographic key, as in a symmetric key cryptosystem, but also a third input, the tweak. The role of a tweak is similar to that of the initialization vector in CBC mode or the nonce of OCB mode. A tweakable cipher consists of three algorithms TGen, TEnc, and TDec. TGen, given a security parameter κ, the length of tweaks, and a random tape of length polynomial in κ, outputs a shared key ckey. TEnc, given a message m, a tweak tw, and the shared key ckey, outputs a ciphertext ciph = TEnc(ckey, tw, m). TDec, given a ciphertext ciph, a tweak tw, and the shared key ckey, outputs a message m = TDec(ckey, tw, ciph).

Roughly, we say a tweakable cipher is secure if no polynomial time adversary can distinguish the following two pairs of oracles with non-negligible probability.

• A pair of oracles E(K, ·, ·) and D(K, ·, ·). E(K, ·, ·) and D(K, ·, ·) are, respectively, the encryption oracle and the decryption oracle of the tweakable cipher, where the key K is randomly chosen. A is allowed to choose any tweak and message or ciphertext as their input.

• A pair of oracles Π(·, ·) and Π⁻¹(·, ·). Π(·, ·) and Π⁻¹(·, ·) are, respectively, a tweakable random permutation and its inverse. A is allowed to choose any tweak and message or ciphertext as their input.

We assume the tweakable cipher that our system uses is one constructed from a symmetric cipher as is done in [24].
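To make the role of the tweak concrete, here is an added Python example (not the paper's code, and not the block-cipher construction of [24]): a tweakable cipher TGen/TEnc/TDec built as a four-round Feistel network whose round function is HMAC-SHA256 keyed by ckey and fed the tweak, so that each tweak selects a different length-preserving permutation of the block. The function names, the constructed key and the 22-byte record are assumptions of this example. The demo uses the two tweaks, non-volatile and volatile, that the system's IC card commands use, and shows that a ciphertext produced under one tweak does not decrypt under the other.

```python
import hmac
import hashlib
import os

# Added example: tweakable cipher as a 4-round Feistel network.  The round
# function is HMAC-SHA256 keyed by ckey over (tweak, round index, half block),
# expanded to the half-block length.  Not the construction of [24].

def _round_fn(ckey: bytes, tweak: bytes, i: int, half: bytes) -> bytes:
    """Round function f_i(tweak, half), expanded to len(half) bytes."""
    out = b""
    ctr = 0
    while len(out) < len(half):
        msg = tweak + bytes([i]) + ctr.to_bytes(2, "big") + half
        out += hmac.new(ckey, msg, hashlib.sha256).digest()
        ctr += 1
    return out[: len(half)]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tgen(kappa_bytes: int = 32) -> bytes:
    """TGen: draw a fresh shared key ckey."""
    return os.urandom(kappa_bytes)

def tenc(ckey: bytes, tweak: bytes, m: bytes, rounds: int = 4) -> bytes:
    """TEnc(ckey, tw, m): even-length block m -> ciphertext of the same length."""
    if len(m) < 2 or len(m) % 2:
        raise ValueError("block must have even length >= 2")
    n = len(m) // 2
    left, right = m[:n], m[n:]
    for i in range(rounds):
        # (L, R) -> (R, L xor f_i(R))
        left, right = right, _xor(left, _round_fn(ckey, tweak, i, right))
    return left + right

def tdec(ckey: bytes, tweak: bytes, c: bytes, rounds: int = 4) -> bytes:
    """TDec(ckey, tw, ciph): inverse of tenc under the same key and tweak."""
    n = len(c) // 2
    left, right = c[:n], c[n:]
    for i in reversed(range(rounds)):
        # undo (L, R) -> (R, L xor f_i(R)): here left holds the old R
        left, right = _xor(right, _round_fn(ckey, tweak, i, left)), left
    return left + right

def demo(ckey: bytes = None) -> dict:
    """Constructed demonstration of tweak separation with a fixed key."""
    ckey = ckey or bytes(range(32))        # constructed key, for reproducibility
    m = b"server-list-record-001"          # constructed 22-byte block (even length)
    c_nv = tenc(ckey, b"non-volatile", m)
    c_v = tenc(ckey, b"volatile", m)
    return {
        "roundtrip": tdec(ckey, b"non-volatile", c_nv) == m,
        "tweaks_differ": c_nv != c_v,
        "wrong_tweak_fails": tdec(ckey, b"volatile", c_nv) != m,
        "length_preserved": len(c_nv) == len(m),
    }
```

The Feistel structure makes tenc a permutation for each (ckey, tweak), which is what the oracle pair E(K, ·, ·)/D(K, ·, ·) above requires; HMAC stands in for a keyed round function so that the block runs with the standard library only. In the sign-on system the same separation is what keeps a ciphertext meant for the volatile-memory command from being usable under the non-volatile one.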


Pseudorandom Function

That an IC card has few sources of randomness causes a problem when it uses a probabilistic signature scheme, since most probabilistic signature schemes are known to be weak if the random tapes used for signing are revealed. On the other hand, most deterministic signatures such as RSA-FDH [5] and the BLS signature [11] are inefficient. Hence, we use a pseudorandom function to provide enough randomness so as to use an efficient probabilistic signature scheme.

Let r be the length of the random tape required for generating a signature and m be the maximum length of the message to be signed. Informally, the pseudorandom function we consider is a function F: {0,1}^p × {0,1}^(m+1) → {0,1}^r such that no polynomial time machine can distinguish, with non-negligible probability, whether it is accessing F(seed, ·) or a uniformly random function H: {0,1}^(m+1) → {0,1}^r when seed is chosen randomly from {0,1}^p.

Each IC card is given a randomly generated seed ∈ {0,1}^p when it is set up. When an IC card generates a signature on a message M, it generates a random tape by feeding this message and seed to the above pseudorandom function. Once seed is fixed, the IC card deterministically generates a signature from the given message.






We assume that a user Υ who has an IC card Γ uses a portal Φ. User Υ has an account at each of m servers {Σ_ℓ}_{ℓ=1,...,m}. We let Υ_ℓ denote the user name of Υ at Σ_ℓ. Without loss of generality, we assume here that each Σ_ℓ authenticates Υ_ℓ by using a signature scheme. We let the name of an entity such as Υ also denote its identifier.

System:

1. Security parameters κ, λ ∈ N are chosen.

2. If the exploited PAKE protocol requires a common reference string crs, it is generated.

3. κ, λ, and crs are distributed to all portals, terminals, and servers.

Portal:

1. Φ is given κ, λ, and crs.

2. The portal Φ runs SGen by feeding it κ to obtain a pair of signing key and verification key (skey_Φ, vkey_Φ).

Servers:

1. Each server is given κ.

2. Each server Σ_ℓ runs SGen by feeding it κ to obtain a pair of signing key and verification key (skey_{Σ_ℓ}, vkey_{Σ_ℓ}).

User:

1. We assume a user Υ is given κ, λ, crs, vkey_Φ, and

2. Υ runs SGen by feeding it κ to obtain a pair of signing key and verification key (vkey, skey).

3. Υ randomly chooses a password w among more than 2^λ candidates.

4. Υ runs TGen by feeding it κ and obtains ckey.

5. For each Σ_ℓ at which Υ has an account, Υ runs SGen by feeding it κ to obtain a pair of signing key and verification key (skey_ℓ, vkey_ℓ). Υ registers vkey_ℓ with Σ_ℓ as Υ_ℓ.

6. Υ generates ciph_Υ from ((Σ_ℓ, Υ_ℓ)_{ℓ=1,...,m}) and (ciph_{Υ,ℓ})_{ℓ=1,...,m}, and registers (Υ, vkey, w, ciph_Υ, (ciph_{Υ,ℓ})_{ℓ=1,...,m}) with Φ.

7. Υ randomly chooses a string seed ∈ {0,1}^p.

IC Card:

1. Υ stores Υ, vkey, skey, ckey, Φ, vkey_Φ, crs, and seed in the non-volatile memory of IC card Γ.


Interface of IC Card

The IC card in our system is equipped with the following interface. Our IC card has a volatile memory. When the IC card responds to Sign-L and Sign-M, it needs a random number source if the signature scheme used is probabilistic. In such a case, the random number is supplied by applying the pseudorandom function to the string (seed, b, M), where b = 0 when the query is Sign-M and b = 1 when the query is Sign-L.

Newsession(): Once this command is input to an IC card, the IC card returns (Υ, Φ) stored in it.

Dec(non-volatile, C): Once this command is input to an IC card, the IC card computes M = Dec(ckey, non-volatile, C) and outputs the result M.

Dec(volatile, C): Once this command is input to an IC card, it first completely deletes all the data in the volatile memory; then the IC card computes M = Dec(ckey, volatile, C) and stores it in its volatile memory.

Sign-L(M): Once this command is input to an IC card, the IC card generates a signature on (Υ, Φ, M) by using vkey and skey. The signature is output.

Sign-M(M): Once this command is input to an IC card, the IC card parses the content of its volatile memory as (Υ_ℓ, Σ_ℓ, vkey_ℓ, skey_ℓ). Then, the IC card generates a signature on (Υ_ℓ, Σ_ℓ, M) by using vkey_ℓ and skey_ℓ in the volatile memory. Then, the IC card completely deletes all the data in its volatile memory.
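The following added Python model (not the paper's code) ties the interface above to the random tape of the Pseudorandom Function section: a card object with non-volatile and volatile memory, Newsession, the two Dec commands under the non-volatile and volatile tweaks, and Sign-L/Sign-M, where the signing randomness is F(seed, (b, M)) with HMAC-SHA256 in counter mode standing in for F. Assumptions of this example: the tweakable cipher is stood in for by an HMAC-derived keystream bound to the tweak (enough to show the command separation, not a secure cipher); the signature scheme is a pluggable callable Sign(skey, message, random_tape), for which toy_sign, a keyed MAC rather than a public-key signature, stands in so the block runs offline; records use a '|' separator; and all names and key values are constructed. The demo walks steps 11 to 13 of the sign-on protocol against such a card and then issues one Sign-M, checking that the volatile memory is empty afterwards.

```python
import hmac
import hashlib
from typing import Callable, Optional, Tuple

# Added model of the IC card interface; not the paper's code.  See the
# lead-in for what is stood in for (cipher, signature scheme, record format).

def prf_tape(seed: bytes, b: int, msg: bytes, r: int) -> bytes:
    """F(seed, (b, M)) -> r bytes, with HMAC-SHA256 in counter mode as the PRF.
    b = 0 for Sign-M and b = 1 for Sign-L, the domain separation the
    interface specifies.  Deterministic once seed is fixed."""
    out, ctr = b"", 0
    while len(out) < r:
        out += hmac.new(seed, bytes([b]) + ctr.to_bytes(4, "big") + msg, hashlib.sha256).digest()
        ctr += 1
    return out[:r]

def tweak_xor(ckey: bytes, tweak: bytes, data: bytes) -> bytes:
    """Stand-in for TEnc/TDec: XOR with a keystream derived from (ckey, tweak).
    Symmetric, so the same call encrypts and decrypts.  Illustrative only."""
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hmac.new(ckey, tweak + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(x ^ y for x, y in zip(data, ks))

def toy_sign(skey: bytes, message: bytes, tape: bytes) -> bytes:
    """Stand-in signing routine that consumes the random tape (a MAC, for the demo)."""
    return hmac.new(skey, tape + message, hashlib.sha256).digest()

SEP = b"|"   # field separator inside encrypted records (constructed format)

class ICCard:
    def __init__(self, user: bytes, portal: bytes, vkey: bytes, skey: bytes,
                 ckey: bytes, seed: bytes,
                 sign: Callable[[bytes, bytes, bytes], bytes] = toy_sign):
        # Non-volatile memory: fixed at setup; holds no per-service secret.
        self._nv = dict(user=user, portal=portal, vkey=vkey, skey=skey, ckey=ckey, seed=seed)
        self._sign = sign
        self._volatile: Optional[bytes] = None   # lost whenever power is cut

    def newsession(self) -> Tuple[bytes, bytes]:
        return (self._nv["user"], self._nv["portal"])

    def dec_nonvolatile(self, C: bytes) -> bytes:
        """Dec(non-volatile, C): decrypt and hand the result out."""
        return tweak_xor(self._nv["ckey"], b"non-volatile", C)

    def dec_volatile(self, C: bytes) -> None:
        """Dec(volatile, C): wipe volatile memory, then load the decrypted record."""
        self._volatile = None
        self._volatile = tweak_xor(self._nv["ckey"], b"volatile", C)

    def sign_l(self, M: bytes) -> bytes:
        """Sign-L(M): sign (Υ, Φ, M) with the card's own key; tape uses b = 1."""
        msg = SEP.join([self._nv["user"], self._nv["portal"], M])
        return self._sign(self._nv["skey"], msg, prf_tape(self._nv["seed"], 1, msg, 32))

    def sign_m(self, M: bytes) -> bytes:
        """Sign-M(M): sign (Υℓ, Σℓ, M) with the loaded service key (b = 0),
        then delete everything in volatile memory."""
        if self._volatile is None:
            raise RuntimeError("no service secret loaded")
        user_l, server_l, _vkey_l, skey_l = self._volatile.split(SEP)
        msg = SEP.join([user_l, server_l, M])
        sig = self._sign(skey_l, msg, prf_tape(self._nv["seed"], 0, msg, 32))
        self._volatile = None
        return sig

    def volatile_is_empty(self) -> bool:
        return self._volatile is None

def package_for_card(ckey: bytes, tweak: bytes, fields) -> bytes:
    """Setup-side encryption of a record for the card (ciph_Υ or ciph_{Υ,ℓ})."""
    return tweak_xor(ckey, tweak, SEP.join(fields))

def demo() -> dict:
    """Steps 11-13 of the sign-on protocol against a constructed card."""
    ckey, seed = bytes(range(32)), bytes(range(32, 64))   # constructed values
    card = ICCard(b"alice", b"portal.example", b"vk", b"sk-card", ckey, seed)
    ciph_u = package_for_card(ckey, b"non-volatile", [b"srv1", b"alice1", b"srv2", b"alice2"])
    ciph_u1 = package_for_card(ckey, b"volatile", [b"alice1", b"srv1", b"vk1", b"sk-srv1"])
    servers = card.dec_nonvolatile(ciph_u).split(SEP)   # step 11: list of (Σℓ, Υℓ)
    card.dec_volatile(ciph_u1)                          # step 13: load the chosen record
    sig = card.sign_m(b"challenge")                      # one signature, then wipe
    return {
        "server_list": servers,
        "wiped_after_sign": card.volatile_is_empty(),
        "sign_l_deterministic": card.sign_l(b"m") == card.sign_l(b"m"),
        "tweak_separated": card.dec_nonvolatile(ciph_u1) != SEP.join([b"alice1", b"srv1", b"vk1", b"sk-srv1"]),
        "sig_len": len(sig),
    }
```

Two properties of the interface are visible in the model: the per-service signing key only ever exists in `_volatile`, and Sign-M clears it after a single use, so an attacker who reads the card's non-volatile contents finds only the card's own key, ckey and seed; and because the tape is F(seed, (b, M)), repeated signing of the same message yields the same tape, which is what lets the card use a probabilistic scheme without an on-card random source.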


Our Sign-On Protocol

1. First, a user Υ decides to use a terminal Θ and inserts its IC card Γ into Θ. Υ waits for the response.

2. Θ randomly chooses a session identifier sid_t ∈ {0,1 and invokes a new session labeled as (Θ, sid_t). Θ sends the message Newsession() to the card Γ.

3. Γ returns (Υ, Φ), which is stored in the session state of (Θ, sid_t).

4. Θ shows Υ on its display and asks the user for his password.

5. Υ sees Υ on the display of Θ, verifies that the identifier is his, and enters the password w.

6. Θ sends (Θ, sid_t, Υ, Φ, newsession) to Φ.

7. Φ finds that the data (Υ, vkey, w, ciph_Υ, (ciph_{Υ,ℓ})_{ℓ=1,...,m}) is registered. Then, Φ randomly chooses a session identifier sid_p ∈ {0,1 and invokes a new session labeled as (Φ, sid_p). Φ stores Θ, sid_t, Υ in the corresponding session state.

8. Session (Θ, sid_t) and Session (Φ, sid_p) use w to complete the PAKE protocol with key identifier kid′ = (Θ, sid_t, Φ, sid_p, Υ, pake). As the result they obtain the exchanged key key′.

9. Θ reuses Session (Θ, sid_t) to engage in the AKE protocol with (Φ, sid_p), and Φ reuses Session (Φ, sid_p) to engage in the AKE protocol with Session (Θ, sid_t). Session (Θ, sid_t) sends Command Sign-L(M) to Γ when the message M needs to be authenticated by (Φ, sid_p). Session (Φ, sid_p) uses (skey_Φ, vkey_Φ) to make the signature when a message needs to be authenticated by (Θ, sid_t). Both sessions complete the AKE protocol with key identifier kid″ = (Θ, sid_t, Φ, sid_p, Υ, ake). As the result they obtain the exchanged key key″.

10. From now on, until either of the sessions terminates, Session (Θ, sid_t) and Session (Φ, sid_p) communicate via the secure channel spanned by key = key′ ⊕ key″ with respect to the key identifier kid = (Θ, sid_t, Φ, sid_p, Υ, ).

11. The portal Φ sends ciph_Υ to Session (Θ, sid_t). (Θ, sid_t) sends Command Dec(non-volatile, ciph_Υ) to obtain (Σ_ℓ, Υ_ℓ)_{ℓ=1,...,m}. (Θ, sid_t) shows Υ the list of servers and user names (Σ_ℓ, Υ_ℓ)_{ℓ=1,...,m} via the display of Θ.

12. Υ chooses from the list a server to access, say Σ_j. Then, Θ sends Σ_j to Φ, which replies with ciph_{Υ,j}.

13. Θ sends Command Dec(volatile, ciph_{Υ,j}) so that the volatile memory in Γ stores (Υ_j, Σ_j, vkey_j, skey_j).

14. Θ randomly chooses a new session identifier sid_a ∈ {0,1 and invokes a new session labeled as (Θ, sid_a). Θ sends the message (Θ, sid_a, new-session, Σ_j, Υ_j) to Σ_j.

15. When the server Σ_j receives (Θ, sid_a, new-session, Σ_j, Υ_j), Σ_j finds that it stores vkey_j corresponding to Υ_j. Then Σ_j randomly chooses a new session identifier sid_s ∈ {0,1 and invokes a new session labeled as (Σ_j, sid_s).

16. Session (Θ, sid_a) and (Σ_j, sid_s) engage in an AKE protocol. During the AKE protocol, Θ sends Command Sign-M(M) to Γ when the message M needs to be authenticated by (Σ_j, sid_s) as one belonging to Υ_j. Session (Σ_j, sid_s) uses (skey_{Σ_j}, vkey_{Σ_j}) to make a signature when a message needs to be authenticated by (Θ, sid_a).

17. At the end of the AKE protocol, Θ and Σ_j obtain a key key_j with key identifier kid_j = (Θ, sid_a, Σ_j, sid_s). Θ outputs (Θ, sid_a, Σ_j, Υ_j, kid_j, key_j) and Σ_j outputs (Σ_j, sid_a, Σ_j, Υ_j, kid_j, key_j).

18. Whenever Υ accesses another server, the procedure is repeated from step 12. This does not require Υ to enter its password again.


New Service Registration and Service

When a user Υ registers a new service, the following process is carried out.

1. Without loss of generality, we assume that a user Υ has an account for a server Σ_{m+1} as a user Υ_{m+1} and that Υ is using a pair of signing key and verification key (skey_{m+1}, vkey_{m+1}) for the access.

2. Υ generates ciph_Υ = TEnc(ckey, non-volatile, (Σ_ℓ, Υ_ℓ)_{ℓ=1,...,m+1}) and ciph_{Υ,m+1} = TEnc(ckey, volatile, (Υ_{m+1}, Σ_{m+1}, vkey_{m+1}, skey_{m+1})).

3. Υ and Φ first span a secure channel as they do in the sign-on protocol. Then, Υ sends (Υ, vkey, w, ciph_Υ, (ciph_{Υ,ℓ})_{ℓ=1,...,m+1}) to Φ. Φ updates the corresponding data.

With a similar process, services that are already registered can also be updated.



Suppose that we use, for example, the signature scheme in [27], the AKE in [15], and the PAKE in [3], all over an elliptic curve, and the tweakable cipher in [24]. Then, for the first sign-on to a service, the dominant computations for the IC card, the terminal, the portal, and the service are, respectively, 2 scalar multiplications and several symmetric-key crypto operations, 10 scalar multiplications, 7 scalar multiplications, and 5 scalar multiplications. For each following sign-on to another service, the dominant computations for the IC card, the terminal, and the service are only, respectively, 1 scalar multiplication and several symmetric-key crypto operations, 2 scalar multiplications, and 5 scalar multiplications.




SSO-AKE-MA security

Theorem 7. The proposed single sign-on system is SSO-AKE-MA-secure.

Proof. IC cards in the proposed system require randomness only when they need to generate probabilistic signatures. If the signature scheme is deterministic, the IC card is completely deterministic and we do not need to take care of its randomness source. If the signature scheme used is probabilistic, its randomness is supplied by the pseudorandom function whose input is the seed and the message to be signed. Hence, the signature is deterministically generated in this case too.

Now we consider this converted deterministic signature scheme, that is, the combination of the signature scheme and the pseudorandom function. By using a technique similar to the one used in [12], we are able to prove that the converted deterministic signature scheme is also EUF-CMA if the underlying probabilistic signature scheme is EUF-CMA.

For this, we consider the following intermediate signature scheme. When it is given a new message, it generates a signature using a truly random tape. However, when it is given the same message again, it returns the signature it generated for this message before. This intermediate signature scheme is clearly EUF-CMA. Our converted signature scheme is the same as this intermediate scheme except that the random tape is replaced with the output of the pseudorandom function whose input is the seed and the message. Since each random tape is used only once, distinguishing our converted signature scheme from the intermediate scheme amounts to breaking the pseudorandom function. Therefore, our converted signature scheme is an EUF-CMA deterministic signature scheme.

Because of the above observation, we are able to analyze the security of our system by assuming that the signature used in the IC card is deterministic.
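The card interface described in "Interface of IC Card", together with the derandomization argument just given (the card's only randomness is a pseudorandom function of (seed, b, M)), as an added Python model. This is example code written for this page, not the authors' implementation: the Schnorr group parameters are toy-sized, TEnc/TDec are replaced by an HMAC-based tweak-bound construction assumed here (the tweakable block cipher of [24] would return an unrelated plaintext under a wrong tweak rather than an error, which is the property the design relies on either way), and the names ICCard, tenc, tdec, bind, prf_nonce and demo are invented. It shows the volatile slot being wiped before Dec(volatile, ·) and after Sign-M, repeated Sign-L queries on the same message returning the same signature, and why the tweak matters for a defender: the single card key ckey decrypts both kinds of ciphertext, so only the tweak keeps the output-returning Dec(non-volatile, ·) command from being applied to a service-key bundle ciph_{Υ,ℓ}.

```python
# Added model of the card commands Newsession, Dec(., C), Sign-L and Sign-M; not the paper's code.
import hashlib
import hmac
import json
import secrets
P, Q, G = 2039, 1019, 4   # toy Schnorr group, p = 2q+1, g = 4 has order q; NOT secure

def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def sgen() -> tuple:                          # SGen: returns (skey, vkey)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def schnorr_sign(skey: int, msg: bytes, k: int) -> tuple:   # nonce k comes from the caller
    r = pow(G, k, P)
    e = h_int(r.to_bytes(2, "big"), msg) % Q
    return e, (k + skey * e) % Q

def schnorr_verify(vkey: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(vkey, Q - e, P) % P   # g^s * vkey^(-e) recovers r
    return h_int(r.to_bytes(2, "big"), msg) % Q == e

def prf_nonce(seed: bytes, b: int, m: bytes) -> int:
    """PRF(seed, b, M) is the card's only randomness: b = 0 for Sign-M, b = 1 for Sign-L."""
    d = hmac.new(seed, bytes([b]) + m, hashlib.sha256).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def _keystream(ckey, tweak, nonce, n):        # HMAC counter mode; enough for n <= 8 KiB
    return b"".join(hmac.new(ckey, tweak + nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _tag(ckey, tweak, nonce, ct):
    return hmac.new(ckey, b"tag" + tweak + nonce + ct, hashlib.sha256).digest()

def tenc(ckey: bytes, tweak: bytes, pt: bytes) -> bytes:   # stand-in for TEnc(ckey, tweak, .)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ckey, tweak, nonce, len(pt))))
    return nonce + ct + _tag(ckey, tweak, nonce, ct)

def tdec(ckey: bytes, tweak: bytes, c: bytes):             # stand-in for TDec(ckey, tweak, .)
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, _tag(ckey, tweak, nonce, ct)):
        return None                           # wrong key or wrong tweak: reject, no garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(ckey, tweak, nonce, len(ct))))

def bind(ident: str, peer: str, m: bytes) -> bytes:        # the tuple (ident, peer, M) as signed
    return json.dumps([ident, peer, m.hex()]).encode()

class ICCard:
    def __init__(self, user, vkey, skey, ckey, portal, vkey_portal, seed):
        self.user, self.vkey, self.skey, self.ckey = user, vkey, skey, ckey
        self.portal, self.vkey_portal, self.seed = portal, vkey_portal, seed
        self.volatile = None                  # (Υ_l, Σ_l, vkey_l, skey_l) or None

    def newsession(self):
        return self.user, self.portal

    def dec_nonvolatile(self, c: bytes):      # plaintext leaves the card
        pt = tdec(self.ckey, b"non-volatile", c)
        return None if pt is None else json.loads(pt)

    def dec_volatile(self, c: bytes) -> bool: # plaintext stays on the card
        self.volatile = None                  # wipe before loading anything
        pt = tdec(self.ckey, b"volatile", c)
        if pt is not None:
            self.volatile = tuple(json.loads(pt))
        return self.volatile is not None

    def sign_l(self, m: bytes) -> tuple:
        return schnorr_sign(self.skey, bind(self.user, self.portal, m), prf_nonce(self.seed, 1, m))

    def sign_m(self, m: bytes):
        if self.volatile is None:
            return None
        user_l, service, _vkey_l, skey_l = self.volatile
        sig = schnorr_sign(skey_l, bind(user_l, service, m), prf_nonce(self.seed, 0, m))
        self.volatile = None                  # wipe after use
        return sig

def demo() -> dict:                           # issue a card for one service Σ_1, run every command
    ckey, seed = secrets.token_bytes(32), secrets.token_bytes(32)
    skey, vkey = sgen()
    skey_1, vkey_1 = sgen()                   # Υ's key pair for Σ_1
    ciph_user = tenc(ckey, b"non-volatile", json.dumps([["Sigma_1", "Upsilon_1"]]).encode())
    ciph_user_1 = tenc(ckey, b"volatile", json.dumps(["Upsilon_1", "Sigma_1", vkey_1, skey_1]).encode())
    card = ICCard("Upsilon", vkey, skey, ckey, "Phi", sgen()[1], seed)
    m = b"ake-transcript-message"
    sig_l = card.sign_l(m)
    out = {"listing": card.dec_nonvolatile(ciph_user),
           "cross_tweak_rejected": card.dec_nonvolatile(ciph_user_1) is None,
           "sign_l_ok": schnorr_verify(vkey, bind("Upsilon", "Phi", m), sig_l),
           "sign_l_deterministic": card.sign_l(m) == sig_l,
           "sign_m_without_load": card.sign_m(m)}          # None: nothing loaded yet
    card.dec_volatile(ciph_user_1)
    sig_m = card.sign_m(m)
    out["sign_m_ok"] = schnorr_verify(vkey_1, bind("Upsilon_1", "Sigma_1", m), sig_m)
    out["volatile_wiped"] = card.sign_m(m) is None          # slot cleared by Sign-M
    return out
```

Running demo() exercises one full card lifecycle: the terminal can read the (Σ, Υ) listing through Dec(non-volatile, ·), cannot read the service-key bundle through the same command because the tweak differs, and gets a Sign-M signature only between a successful Dec(volatile, ·) and the wipe that Sign-M performs. Replacing secrets.token_bytes in prf_nonce with a stored seed is exactly what makes the signer deterministic, which is the premise of the reduction above.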

Now, the theorem follows from Lemmas 8 and 10 below.

Lemma 8. The proposed single sign-on system is SSO-AKE-secure when the signature used in the IC card is deterministic.

Proof. Suppose that there exists an adversary A that breaks the SSO-AKE security of the proposed system. Let Test(Π, sid) be the query A made during the SSO-AKE game, (Π, sid, Σ, Υ_Σ, kid, key) be the output of Session (Π, sid), and (skey_Σ, vkey_Σ) be the pair of private key and public key that Υ has for accessing Σ as Υ_Σ.

Claim 9. A generates no valid signature with respect to vkey_Σ that Γ has not output before Session (Π, sid) is completed.

Proof. Suppose, on the contrary, that A generates such a signature before Session (Π, sid) is completed. Then, if we consider a new game Game 1, which is exactly the same as the original SSO-AKE game except that Game 1 ends when Session (Π, sid) is completed, there exists an adversary that can generate a valid signature with respect to vkey_Σ in Game 1. Moreover, in this game, the pair of the user and its IC card (Υ, Γ) is never virtually corrupted.


We consider the following two cases.

1. A does not query Corrupt(Γ) before Session (Π, sid) is completed.

2. Otherwise.

We first focus on Case 1. We consider a new game Game 2 that is the same as Game 1 except in the following: (1) ciph_{Υ,Σ} := TEnc(ckey, volatile, (Υ_Σ, Σ, vkey_Σ, skey_Σ)) is replaced with a ciphertext of a random string, (2) when A queries Sign-M(M) after it queried Dec(volatile, ciph_{Υ,Σ}) to Γ, a valid signature on M by skey_Σ is returned. Then, Game 2 is indistinguishable from Game 1; otherwise, it contradicts the fact that ciph_{Υ,Σ} is produced by a tweakable cipher.

Since skey_Σ does not really exist in Game 2, Γ works as a signing oracle in it. Hence, the generation of a valid signature with respect to vkey_Σ by A in Game 2 is a forgery, which contradicts the EUF-CMA property of the exploited signature scheme. Therefore, Case 1 does not occur.

We next focus on Case 2. We consider a new game Game 3 that is the same as Game 1 except that ciph_{Υ,Σ} := TEnc(ckey, volatile, (Υ_Σ, Σ, vkey_Σ, skey_Σ)) is replaced with a ciphertext of a random string when Φ transfers it to terminals. However, once it has been transferred, this ciphertext of a random string is replaced back with the original ciphertext.

Game 3 is indistinguishable from Game 1 since ciph_{Υ,Σ} transferred from Φ to a terminal is always encrypted by the key generated by the PAKE between Φ and Υ. A does not corrupt Υ, since A corrupting Γ in Game 1 and Game 3 would contradict the fact that the pair of the user and its IC card (Υ, Γ) is not virtually corrupted. A also does not corrupt Φ because of the freshness condition. Therefore, distinguishing Game 1 and Game 2 contradicts the fact that the exploited PAKE is secure.

We next consider a new game Game 4 that is the same as Game 3 except in the following: (1) the ciphertext of a random string is not replaced back with the original ciphertext, (2) when A queries Sign-M(M) after it queried Dec(volatile, ciph_{Υ,Σ}) to Γ, a valid signature on M by skey_Σ is returned. Because the pair of the user and its IC card (Υ, Γ) is not virtually corrupted, A queries neither Corrupt(Θ) nor RevealState(Θ) for any terminal Θ that is supposed to have ciph_{Υ,Σ} in it at the time of the queries. Hence, the fact that a ciphertext of a random string is stored instead of ciph_{Υ,Σ} in Game 4 does not help A distinguish Game 4 from Game 3 unless the terminal outputs some data that is related to these ciphertexts. The terminal does output such data, but only when it asks an inserted IC card to sign a message. The freshness condition implies that this IC card is Γ, since the uncorrupted Υ should be working on the uncorrupted terminal. Hence, it is not the adversary who can obtain the data that Γ outputs.

Since skey_Σ does not really exist in Game 4, Γ works as a signing oracle in it. Hence, the generation of a valid signature with respect to vkey_Σ by A is a forgery, which again contradicts the EUF-CMA property of the exploited signature scheme. Therefore, Case 2 does not occur either.

As long as the above claim holds, the IC card Γ works as a signing module and no adversary is able to play its role. In this case, the SSO-AKE security of the system is reduced to the AKE security of the exploited key exchange between Σ and the terminal.

Therefore, it is proved that the proposed single sign-on system is SSO-AKE-secure.

Lemma 10. The proposed single sign-on system is SSO-MA-secure when the signature used in the IC card is deterministic.

Proof. As is proved in the claim in the proof of Lemma 8, because the pair of the user and its IC card (Υ, Γ) is never virtually corrupted in this case, the IC card Γ works as a signing module and no adversary is able to play its role. Then, the SSO-MA security of the proposed single sign-on system follows from the MA security of the exploited authenticated key exchange protocol.



Since the portal always sends the same data to terminals when the user signs on, the portal is not able to figure out, from this procedure itself, which service the user accesses.



The number of information systems whose security heavily depends on IC cards is increasing rapidly. We proposed a novel single sign-on system with an IC card that still keeps a certain level of security even when the user's IC card is analyzed. Such a single sign-on system can reduce the risk to an information system when IC cards are tampered with. We have not considered side-channel attacks on the IC card by terminals. This needs to be considered in future work.




[1] OpenSSO. https://opensso.dev.java.net/.

[2] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In STOC, pages 419–428, 1998.

[3] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, pages 139–155, 2000.

[4] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232–249. Springer, 1993.

[5] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993.

[6] Mihir Bellare and Phillip Rogaway. Provably secure session key distribution: the three party case. In STOC, pages 57–66. ACM, 1995.

[7] Gerd Binnig, Heinrich Rohrer, Ch. Gerber, and E. Weibel. Surface studies by scanning tunneling microscopy. In Physical Review Letters 49, pages 57–61, 1982.

[8] Gerd Binnig, Heinrich Rohrer, Ch. Gerber, and E. Weibel. Tunneling through a controllable vacuum gap. In Applied Physics Letters 40, pages 178–180, 1982.

[9] Ray Bird, Inder S. Gopal, Amir Herzberg, Philippe A. Janson, Shay Kutten, Refik Molva, and Moti Yung. Systematic design of two-party authentication protocols. In Joan Feigenbaum, editor, CRYPTO, volume 576 of Lecture Notes in Computer Science, pages 44–61. Springer, 1991.

[10] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004.

[11] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. In Colin Boyd, editor, ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pages 514–532. Springer, 2001.

[12] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable zero-knowledge (extended abstract). In STOC, pages 235–244, 2000.

[13] Ran Canetti, Shai Halevi, Jonathan Katz, Yehuda Lindell, and Philip D. MacKenzie. Universally composable password-based key exchange. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 404–421. Springer, 2005.

[14] Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Pfitzmann [25], pages 453–474.

[15] Ran Canetti and Hugo Krawczyk. Universally composable notions of key exchange and secure channels. In Lars R. Knudsen, editor, EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 337–351. Springer, 2002.

[16] Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In ACM Conference on Computer and Communications Security, pages 46–51, 1999.

[17] Whitfield Diffie, Paul C. van Oorschot, and Michael J. Wiener. Authentication and authenticated key exchanges. Des. Codes Cryptography, 2(2):107–125, 1992.

[18] OpenID Foundation. OpenID.

[19] Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs. Dismantling MIFARE Classic. In Sushil Jajodia and Javier López, editors, ESORICS, volume 5283 of Lecture Notes in Computer Science, pages 97–114. Springer, 2008.

[20] Rosario Gennaro, Anna Lysyanskaya, Tal Malkin, Silvio Micali, and Tal Rabin. Algorithmic tamper-proof (ATP) security: Theoretical foundations for security against hardware tampering. In Moni Naor, editor, TCC, volume 2951 of Lecture Notes in Computer Science, pages 258–277. Springer, 2004.

[21] Craig Gentry, Philip D. MacKenzie, and Zulfikar Ramzan. A method for making password-based key exchange resilient to server compromise. In Cynthia Dwork, editor, CRYPTO, volume 4117 of Lecture Notes in Computer Science, pages 142–159. Springer, 2006.

[22] Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient password-authenticated key exchange using human-memorable passwords. In Pfitzmann [25], pages 475–494.

[23] Jonathan Katz and Ji Sun Shin. Modeling insider attacks on group key-exchange protocols. In CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 180–189, New York, NY, USA, 2005. ACM Press.

[24] Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable block ciphers. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 31–46. Springer, 2002.

[25] Birgit Pfitzmann, editor. Advances in Cryptology - EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, volume 2045 of Lecture Notes in Computer Science. Springer, 2001.

[26] David Pointcheval and Sébastien Zimmer. Multi-factor authenticated key exchange. In Steven M. Bellovin, Rosario Gennaro, Angelos D. Keromytis, and Moti Yung, editors, ACNS, volume 5037 of Lecture Notes in Computer Science, pages 277–295, 2008.

[27] Claus-Peter Schnorr. Efficient identification and signatures for smart cards. In Gilles Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 239–252. Springer, 1989.

[28] OASIS Security Services Technical Committee of the open standards consortium. SAML – Security Assertion Markup Language. http://saml.xml.org/.

[29] Victor Shoup. On formal models for secure key exchange (version 4). IBM RZ 312., 1999.

[30] Jennifer G. Steiner, B. Clifford Neuman, and Jeffrey I. Schiller. Kerberos: An authentication service for open network systems. In USENIX Winter, pages 191–202, 1988.

[31] Guomin Yang, Duncan S. Wong, Huaxiong Wang, and Xiaotie Deng. Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci., 74(7):1160–1172, 2008.

[32] Hiroshi Yokoyama and Takahito Inoue. Scanning Maxwell stress microscope for nanometre-scale surface electrostatic imaging of thin films. In Thin Solid Films 242, pages 33–39, 1994.




