§ Thesis bibliographic record

System ID U0002-1607200710302500
DOI 10.6846/TKU.2007.00442
Thesis title (Chinese) 適用於多伺服系統的高效率具鑑別性共同密鑰產生技術之研究 (A study of efficient authenticated key agreement techniques for multi-server systems)
Thesis title (English) The Study of Efficient Password Authenticated Key Agreement Protocol for Multi-servers
Thesis title (third language)
University 淡江大學 (Tamkang University)
Department (Chinese) 資訊工程學系博士班 (Doctoral Program, Department of Computer Science and Information Engineering)
Department (English) Department of Computer Science and Information Engineering
Foreign degree university
Foreign degree college
Foreign degree institute
Academic year 95
Semester 2
Publication year 96
Student (Chinese) 蕭勝華
Student (English) Sheng-Hua Shiau
Student ID 891190067
Degree Doctoral (Ph.D.)
Language English
Second language
Oral defense date 2007-06-21
Number of pages 73
Committee Advisor - 黃仁俊 (junhwang@ms35.hinet.net)
Member - 王旭正 (sjwang@mail.cpu.edu.tw)
Member - 莊文勝 (wsjuang@cc.shu.edu.tw)
Member - 葛煥昭 (keh@cs.tku.edu.tw)
Member - 黃心嘉 (sjhwang@mail.tku.edu.tw)
Keywords (Chinese) 通行碼鑑別 (password authentication)
金鑰協同 (key agreement)
多伺服系統 (multi-server system)
隨機智者模型 (random oracle model)
邏輯分析 (logic analysis)
Keywords (English) password authentication
key agreement
multi-server
random oracle model
logic analysis
Keywords (third language)
Subject classification
Abstract (Chinese)
With the growth of network applications, network security has become an important issue. For end users, the most important and most widespread use of the network is obtaining services provided by servers over open networks. A server may provide services only to legitimate users and must prevent any illegal access. Therefore, in an open network environment, identity authentication and message confidentiality are the two major security services. Authenticated key agreement protocols offer a good solution here. In this thesis we propose two authenticated key agreement protocols for multi-server systems. In our proposed protocols, a legitimate user can securely access multiple servers with only one password and one smart card. Each time a user logs in to a server, the two parties authenticate each other's identity and generate a common session key. We use the random oracle model and logic analysis respectively to prove the security and the authentication properties of the protocols. Our proposed protocols resist the replay attack, the impersonation attack, the known key attack, the unknown key share attack, the stolen verifier attack and the insider attack. Each legitimate user can change his own password by performing the password change phase of the protocol without connecting to any server. In addition, our proposed protocols are based on the geometric straight-line problem, hash functions and the exclusive-OR operation. Compared with previously proposed methods, ours require less computation and communication and are therefore more efficient.
Abstract (English)
Network security has become an important issue with the rise of network applications. For an end user, the most important and widespread application is obtaining services from servers via open networks. A server has to provide services only to its legal users and prevent any illegal access. Therefore, identity authentication and message confidentiality are two primary security services in an open network environment. An authenticated key agreement protocol is a good solution for providing both the identity authentication and the message confidentiality security services. We propose two password authenticated key agreement protocols for multi-servers. In these two protocols, a valid user can access multiple servers securely by keeping only one weak password and one smart card. The user and the server authenticate each other and generate a common session key in each login process. The security and the authentication of the two proposed protocols are demonstrated by the random oracle model and by logic analysis respectively. Both proposed protocols resist the replay attack, the impersonation attack, the known key attack, the unknown key share attack, the stolen verifier attack and the insider attack. Each legal user can change his password without connecting to any server by performing the password change phase of each proposed protocol. Furthermore, both proposed protocols are based on straight lines in geometry, hash functions and the exclusive-OR operation. They do not use any heavyweight cryptographic operations and require less computational and communicational cost than previous results.
Abstract (third language)
Table of contents
Contents  	I
List of Figures	III
List of Tables	IV
Chapter 1  Introduction	1
1.1  Research motivation	1
1.2  Objectives of the research	2
1.3  Organization	3
Chapter 2  Related works	5
Chapter 3  The type I protocol	8
3.1  Preliminaries	8
3.2  The proposed protocol	10
3.2.1  The registration phase	11
3.2.2  The login phase	12
3.2.3  The password change phase	15
3.3  Security analysis	16
3.3.1  Random oracle model	16
3.3.1.1  The modified Bellare-Rogaway model	17
3.3.1.2  Security proof of the proposed protocol	22
3.3.2  Logic analysis	26
3.3.2.1  Notation and synthetic rules	26
3.3.2.2  Proof of the proposed protocol	27
3.3.3  Unknown key share attack	31
3.3.4  Stolen verifier attack	33
3.3.5  Insider attack	33
3.4  Comparison	34
3.4.1  Security properties	34
3.4.2  Computational costs	36
3.4.3  Communicational costs	37
Chapter 4  The type II protocol	40
4.1  Preliminaries	40
4.2  The proposed protocol	42
4.2.1  The registration phase	43
4.2.2  The login phase	44
4.2.3  The password change phase	47
4.3  Security analysis	47
4.3.1  Random oracle model	48
4.3.2  Logic analysis	53
4.3.3  Unknown key share attack	58
4.3.4  Stolen verifier attack	59
4.3.5  Insider attack	60
4.4  Comparison	60
4.4.1  Security properties	60
4.4.2  Computational costs	62
4.4.3  Communicational costs	63
Chapter 5  Conclusions and future works	66
5.1  Conclusions	66
5.2  Future works	67
References	68

List of Figures
Figure 1. The login phase of the type I protocol	14
Figure 2. The login phase of the type II protocol	45

List of Tables
Table 1. The security properties comparison of the type I protocol	35
Table 2. The comparison of the computational cost in the type I protocol	37
Table 3. The comparison of the communicational cost in the type I protocol	38
Table 4. The security properties comparison of the type II protocol	61
Table 5. The comparison of the computational cost in the type II protocol	62
Table 6. The comparison of the communicational cost in the type II protocol	64
References
[1]	M. Bellare, D. Pointcheval and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” Advances in Cryptology - EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, LNCS 1807, 2000, pp. 122-138.
[2]	M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” Proceedings of the First ACM Conference on Computer and Communications Security (CCS'93), 1993, pp. 62-73.
[3]	M. Bellare and P. Rogaway, “Provably secure session key distribution: the three party case,” Proceedings of 27th ACM Symposium on Theory of Computing (STOC 95), 1995, pp. 57-66.
[4]	S. Blake-Wilson, D. Johnson and A. Menezes, “Key agreement protocols and their security analysis,” Proceedings of 6th IMA International Conference on Cryptography and Coding, LNCS 1355, 1997, pp. 30-45.
[5]	M. Burrows, M. Abadi and R. Needham, “A logic of authentication,” ACM Transactions on Computer Systems (TOCS), Vol. 8, No. 1, 1990, pp. 18-36.
[6]	L. Buttyán, S. Staamann and U. Wilhelm, “A simple logic for authentication protocol design,” Proceedings of 11th IEEE Computer Security Foundations Workshop, 1998, pp. 153-162.
[7]	C.C. Chang, S.J. Hwang, “Using smart cards to authenticate remote passwords,” Computers and Mathematics with Applications, Vol. 26, No. 7, 1993, pp. 19-27.
[8]	C.C. Chang, R.J. Hwang, J.B. Daniel, “Using smart cards to authenticate passwords,” Proceedings of the IEEE International Carnahan Conference on Security Technology, 1993, pp. 154-156.
[9]	C.C. Chang and J.Y. Kuo, “An efficient multiserver password authenticated key agreement scheme using smart cards with access control,” Proceedings of 19th IEEE International Conference on Advanced Information Networking and Applications (AINA 2005), Vol. 2, 2005, pp. 257-260.
[10]	C.C. Chang, C.S. Laih, “Comment on remote password authentication with smart cards,” IEE Proceedings, Vol. 139, No. 4, 1992, p. 372.
[11]	C.C. Chang, T.C. Wu, “Remote password authentication with smart cards,” IEE Proceedings - Computers and Digital Techniques, Vol. 138, No. 3, 1991, pp. 165-168.
[12]	C.M. Chen and W.C. Ku, “Stolen-verifier attack on two new strong-password authentication protocols,” IEICE Transactions on Communications, Vol. E85-B, No. 11, 2002, pp. 2519-2521.
[13]	H. Chien, J. Jan and Y. Tseng, “An Efficient and Practical Solution to Remote Authentication: Smart Card,” Computers and Security, Vol. 21, No. 4, 2002, pp. 372-375.
[14]	W. Diffie, M.E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. 22, 1976, pp. 644-654.
[15]	S.M. Ghanem and H.A. Wahab, “A simple XOR-based technique for distributing group key in secure multicasting,” Proceedings of Fifth IEEE Symposium on Computers and Communications (ISCC 2000), 2000, pp. 166-171.
[16]	M.-S. Hwang, “Cryptanalysis of remote login authentication scheme,” Computer Communications, Vol. 22, No. 8, 1999, pp. 742-744.
[17]	M.-S. Hwang, C.-C. Lee and Y.-L. Tang, “A simple remote user authentication scheme,” Mathematical and Computer Modelling, Vol. 36, No. 1-2, 2002, pp. 103-107.
[18]	M. Hwang and L. Li, “A New Remote User Authentication Scheme Using Smart Cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, 2000, pp. 28-30.
[19]	T. Hwang, Y. Chen, C.S. Laih, “Non-interactive password authentications without password tables,” Proceedings of the IEEE Region 10 Conference on Computer and Communication Systems, 1990, pp. 429-431.
[20]	IEEE std 1363-2000, IEEE standard specifications for public-key cryptography. The Institute of Electrical and Electronics Engineers, New York, USA, 2000.
[21]	J.K. Jan, Y.Y. Chen, “‘Paramita wisdom’ password authentication scheme without verification tables,” Journal of Systems and Software, Vol. 42, No. 1, 1998, pp. 45-57.
[22]	W. Juang, “Efficient Password Authenticated Key Agreement Using Smart Cards,” Computers and Security, Vol. 23, No. 2, 2004, pp. 167-173.
[23]	W. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, 2004, pp. 251-255.
[24]	W.S. Juang, C.L. Lei, C.Y. Chang, “Anonymous channel and authentication in wireless communications,” Computer Communications, Vol. 22, No. 15-16, 1999, pp. 1502-1511.
[25]	T. Kobayashi and H. Morita, “Fast modular inversion algorithm to match any operation unit,” IEICE Transactions on Fundamentals, Vol. E82-A, No. 5, 1999, pp. 733-740.
[26]	W.C. Ku, “Weaknesses and drawbacks of a password authentication scheme using neural networks for multiserver architecture,” IEEE Transactions on Neural Networks, Vol. 16, No. 4, 2005, pp. 1002-1005.
[27]	W.C. Ku, S.T. Chang, M.H. Chiang, “Weaknesses of a remote user authentication scheme using smart cards for multi-server architecture,” IEICE Transactions on Communications, Vol. E88-B, No. 8, 2005, pp. 3451-3454.
[28]	W.C. Ku, C.M. Chen and H.L. Lee, “Cryptanalysis of a variant of Peyravian-Zunic’s password authentication scheme,” IEICE Transactions on Communications, Vol. E86-B, No. 5, 2003, pp. 1682-1684.
[29]	C. Kudla and K.G. Paterson, “Modular security proofs for key agreement protocols,” Advances in Cryptology - ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, LNCS 3788, 2005, pp. 549-565.
[30]	Y.P. Lai and C.C. Chang, “An efficient multi-exponentiation scheme based on modified booth’s method,” International Journal of Electronics, Vol. 90, No. 3, 2003, pp. 221-233.
[31]	L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, Vol. 24, No.11, 1981, pp. 770-772.
[32]	L. Li, I. Lin and M. Hwang, “A Remote Password Authentication Scheme for Multi-server Architecture Using Neural Networks,” IEEE Transactions on Neural Networks, Vol. 12, No. 6, 2001, pp. 1498-1504.
[33]	I.-E. Liao, C.-C. Lee and M.-S. Hwang, “A password authentication scheme over insecure networks,” Journal of Computer and System Sciences, Vol. 72, No. 4, 2006, pp. 727-740.
[34]	H.T. Liaw, J.F. Lin and W.C. Wu, “An efficient and complete remote user authentication scheme using smart cards,” Mathematical and Computer Modelling, Vol. 44, No. 1-2, 2006, pp. 223-228.
[35]	I. Lin, M. Hwang and L. Li, “A New Remote User Authentication Scheme for Multi-server Architecture,” Future Generation Computer Systems, Vol. 19, 2003, pp. 13-22.
[36]	B. Menkus, “Understanding the use of passwords,” Computers and Security, Vol. 7, 1988, pp. 132-136.
[37]	NIST FIPS PUB 197, Advanced Encryption Standard (AES), National Institute of Standards and Technology, U.S. Department of Commerce, 2001.
[38]	NIST FIPS PUB 180-2, Secure Hash Standard, National Institute of Standards and Technology, U.S. Department of Commerce, 2002.
[39]	R.L. Rivest, A. Shamir, L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Vol. 21, 1978, pp. 120-126.
[40]	A. Shamir, “Identity-based cryptosystems and signature schemes,” Advances in Cryptology, CRYPTO’84, 1984, pp. 47-53.
[41]	K. Singh, “On improvements to password security,” Operating System Review, Vol. 19, 1985, pp. 53-60.
[42]	N. Smart, Cryptography, McGraw-Hill Education, UK, 2002.
[43]	H. Sun, “An Efficient Remote User Authentication Scheme Using Smart Cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, 2000, pp. 958-961.
[44]	K. Tan and H. Zhu, “Remote Password Authentication Scheme with Smart Cards,” Computer Communications, Vol. 18, 1999, pp. 390-393.
[45]	W.J. Tsaur, C.C. Wu and W.B. Lee, “A smart card-based remote scheme for password authentication in multi-server Internet services,” Computer Standards & Interfaces, Vol. 27, No. 1, 2004, pp. 39-51.
[46]	W.J. Tsaur, C.C. Wu and W.B. Lee, “An enhanced user authentication scheme for multiserver Internet services,” Applied Mathematics and Computation, Vol. 170, No. 1, 2005, pp. 258-266.
[47]	P. Urien, “Internet card, a smart card as a true Internet node,” Computer Communications, Vol. 23, No. 17, 2000, pp. 1655-1666.
[48]	X.G. Wang and Z.C. Chai, “Two secure remote user authentication schemes using smart cards,” Proceedings of IEEE International Conference on Machine Learning and Cybernetics, 2006, pp. 2653-2658.
[49]	S.J. Wang, J.F. Chang, “Smart card based secure password authentication scheme,” Computers and Security, Vol. 15, No. 3, 1996, pp. 231-237.
[50]	H.-A. Wen, T.-F. Lee and T. Hwang, “Provably secure three-party password-based authenticated key exchange protocol using Weil pairing,” IEE Proceedings - Communications, Vol. 152, No. 2, 2005, pp. 138-143.
[51]	T.C. Wu, “Remote login authentication scheme based on a geometric approach,” Computer Communications, Vol. 18, No. 12, 1995, pp. 959-963.
[52]	W. Yang and S. Shieh, “Password Authentication Schemes with Smart Cards,” Computers and Security, Vol. 18, No. 8, 1999, pp. 727-733.
Full-text access rights
On campus
Printed thesis released 1 year after submission of the authorization form
Electronic full text authorized for release on campus
On-campus electronic thesis released 1 year after submission of the authorization form
Off campus
Authorization granted
Off-campus electronic thesis released 1 year after submission of the authorization form
