Question
Authentication Protocol Analysis (3 marks)

Multi-factor user authentication mechanisms require a user to possess multiple authentication factors, such as a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is"), in order to log in to a computer system. One commonly used two-factor user authentication mechanism is based on a smart-card (something the user has) and a password (something the user knows). Such a mechanism should ensure that an adversary cannot pass the authentication even if he/she has obtained one authentication factor. Consider the following two-factor authentication protocol:

User Setup. Let x denote a 128-bit secret key of a remote web server, and h(·) a secure cryptographic hash function. Each legitimate client C with identity ID_C shares a 6-digit password pwd with the server. In addition, C has a smart-card issued by the server, which has the information (ID_C, B, p, g) stored in the Read Only Memory (ROM) of the card, where B = h(pwd) ⊕ h(x, ID_C), p is a large prime number, and g is a generator of Z_p^*. Note that || denotes concatenation of two bit strings.

User Login

1. In order to log in to the server, the client first attaches the smart-card to a card reader which is connected to a computer, and then types in the password pwd. The computer retrieves the values of (ID_C, B, p, g) from the smart-card via the card reader, and computes Z = B ⊕ h(pwd). After that, the computer chooses a random number u ∈ {1, ..., p-1}, computes N_C = g^u mod p, and sends a login request (ID_C, N_C) to the remote server.

2. Upon receiving the request, the web server first checks if ID_C belongs to a legitimate client. If the server cannot find ID_C in its database, then the request is rejected. Otherwise, the server chooses a random number v ∈ {1, ..., p-1}, computes N_S = g^v mod p, K = N_C^v mod p, Z' = h(x, ID_C), and T_S = h(Z', N_C, N_S, K). The server then sends (N_S, T_S) to the client.

3. After receiving (N_S, T_S) from the server, the client's computer computes K' = N_S^u mod p and T_S' = h(Z, N_C, N_S, K'), and verifies if T_S' = T_S. If the equation holds, then the server is authenticated, and the client's computer generates T_C = h(Z, N_S, N_C, K') and sends T_C to the web server.

4. The web server computes T_C' = h(Z', N_S, N_C, K) and verifies if T_C' = T_C. If the equation holds, then the client is authenticated; otherwise, the client authentication fails. If the client has three consecutive authentication failures, then the client's account will be locked by the web server, and the client needs to contact the Administrator in order to unlock the account.

Your Task: Analyse the above authentication protocol. Does the protocol achieve two-factor user authentication? If your answer is yes, justify your answer by giving a rigorous security analysis for the protocol; otherwise, if your answer is no, show a practical attack against the protocol. When doing the analysis, consider the situation that one of the two authentication factors is compromised and known by the adversary. Note: an answer without justification may receive zero marks.
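The four-step exchange above, written out as an added example (it is not part of the original question or of any graded answer). Both sides are implemented so the honest run, the three-strikes lockout, and the "one factor compromised" case can be exercised. Assumptions not fixed by the question: h(·) is instantiated as SHA-256 over length-prefixed inputs, the group is the Mersenne prime p = 2^127 - 1 with base g = 3 (a demo size; g is not checked to be a generator), and the user names and 6-digit passwords are constructed test data. The `stolen_card_attack` function shows what an adversary holding only the card (hence B) can do: one login request yields (N_S, T_S), and because the adversary chose u it also knows K', so T_S becomes an offline test for each of the 10^6 candidate passwords; no T_C is ever sent, so the server records no failure. The password-only case is not demonstrated: without B the adversary has no Z to work with.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Demo group parameters (assumption, not from the question): p = 2^127 - 1 is a
# Mersenne prime; g = 3 is used as the base without checking that it generates
# all of Z_p^*. A real deployment would use a standard large-prime group.
P = 2**127 - 1
G = 3
PWD_SPACE = 10**6  # the question fixes pwd to 6 decimal digits


def enc(part) -> bytes:
    """Length-prefix one hash input; ints are encoded big-endian, strs as UTF-8."""
    if isinstance(part, int):
        part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
    elif isinstance(part, str):
        part = part.encode()
    return len(part).to_bytes(4, "big") + part


def h(*parts) -> bytes:
    """h(.) from the question, instantiated (assumption) as SHA-256 over length-prefixed parts."""
    return hashlib.sha256(b"".join(enc(p) for p in parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SmartCard:
    id_c: str
    B: bytes   # B = h(pwd) XOR h(x, ID_C), stored in the card's ROM
    p: int
    g: int


class Server:
    """Remote web server: holds the 128-bit secret x, the user database, and lockout state."""

    def __init__(self):
        self.x = secrets.token_bytes(16)
        self.users, self.failures, self.locked, self.sessions = {}, {}, set(), {}

    def register(self, id_c: str, pwd: str) -> SmartCard:
        self.users[id_c], self.failures[id_c] = pwd, 0
        return SmartCard(id_c, xor(h(pwd), h(self.x, id_c)), P, G)

    def step2(self, id_c: str, n_c: int):
        """Step 2: reject unknown or locked IDs, otherwise answer with (N_S, T_S)."""
        if id_c not in self.users or id_c in self.locked:
            return None
        v = secrets.randbelow(P - 1) + 1            # v in {1, ..., p-1}
        n_s, k, z_prime = pow(G, v, P), pow(n_c, v, P), h(self.x, id_c)
        self.sessions[id_c] = (n_c, n_s, k, z_prime)
        return n_s, h(z_prime, n_c, n_s, k)

    def step4(self, id_c: str, t_c: bytes) -> bool:
        """Step 4: verify T_C; three consecutive failures lock the account."""
        n_c, n_s, k, z_prime = self.sessions.pop(id_c)
        if t_c == h(z_prime, n_s, n_c, k):
            self.failures[id_c] = 0
            return True
        self.failures[id_c] += 1
        if self.failures[id_c] >= 3:
            self.locked.add(id_c)
        return False


def client_step1(card: SmartCard, pwd: str):
    """Step 1: Z = B XOR h(pwd), N_C = g^u mod p."""
    u = secrets.randbelow(card.p - 1) + 1
    return xor(card.B, h(pwd)), u, pow(card.g, u, card.p)


def client_step3(card, z, u, n_c, n_s, t_s) -> Optional[bytes]:
    """Step 3: authenticate the server via T_S, then produce T_C (None if T_S fails)."""
    k_prime = pow(n_s, u, card.p)
    return h(z, n_s, n_c, k_prime) if t_s == h(z, n_c, n_s, k_prime) else None


def login(server: Server, card: SmartCard, pwd: str) -> bool:
    """Honest client running the full exchange; aborts silently if T_S does not verify."""
    z, u, n_c = client_step1(card, pwd)
    reply = server.step2(card.id_c, n_c)
    if reply is None:
        return False
    t_c = client_step3(card, z, u, n_c, *reply)
    return False if t_c is None else server.step4(card.id_c, t_c)


def online_guess(server: Server, card: SmartCard, pwd_guess: str) -> bool:
    """Online guess with the card: submit T_C for a guessed pwd without checking T_S.
    This is the behaviour the three-strikes lockout is designed to stop."""
    z, u, n_c = client_step1(card, pwd_guess)
    reply = server.step2(card.id_c, n_c)
    if reply is None:
        return False
    n_s, _ = reply
    return server.step4(card.id_c, h(z, n_s, n_c, pow(n_s, u, card.p)))


def stolen_card_attack(server: Server, card: SmartCard) -> Optional[str]:
    """Adversary holds the card (B) but not pwd: one request gives (N_S, T_S), the
    adversary knows u hence K', and tests all 10^6 passwords offline against T_S.
    No T_C is sent, so the server never records a failure."""
    u = secrets.randbelow(card.p - 1) + 1
    n_c = pow(card.g, u, card.p)
    n_s, t_s = server.step2(card.id_c, n_c)
    tail = enc(n_c) + enc(n_s) + enc(pow(n_s, u, card.p))   # fixed part of h(Z, N_C, N_S, K')
    b_int = int.from_bytes(card.B, "big")
    for guess in range(PWD_SPACE):
        pwd = f"{guess:06d}"
        z = (b_int ^ int.from_bytes(h(pwd), "big")).to_bytes(32, "big")
        if hashlib.sha256(enc(z) + tail).digest() == t_s:
            return pwd
    return None
```

Running `stolen_card_attack` on a registered card returns the 6-digit password after at most 10^6 hash evaluations, with `server.failures` still at zero; a subsequent `login` with the card and the recovered password succeeds.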
