A new method for using hash functions to solve remote user authentication




Available online at www.sciencedirect.com

Computers and Electrical Engineering 34 (2008) 53–62 www.elsevier.com/locate/compeleceng

Tzung-Her Chen a, Wei-Bin Lee b,*

a Department of Computer Science and Information Engineering, National Chiayi University, 300 University Road, Chiayi City, Taiwan 600, ROC
b Department of Information Engineering, Feng Chia University, 100 Wenhwa Road, Seatwen Taichung, Taiwan 407, ROC

Received 15 March 2005; received in revised form 6 December 2006; accepted 2 January 2007. Available online 21 March 2007.

Abstract

Recently, Peyravian and Zunic proposed remote password authentication schemes based only on a collision-resistant hash function. The schemes are, therefore, easy to implement and simple to use. These attractive properties have prompted a series of discussions: several security flaws have been found and remedied. Unfortunately, most of the remedies are either insecure or violate the original advantages because they involve public-key cryptosystems or modular exponentiation. Hence, it is still a challenge to design a secure scheme that abides by the beneficial assumption of the Peyravian–Zunic schemes. The proposed scheme not only keeps the original advantages (user friendliness and computational cheapness) but also highlights certain valuable features, such as (1) mutual authentication (a higher security level), (2) the server's ignorance of users' passwords (a further security guarantee to users, especially for financial services), (3) immunity from maintaining a security-sensitive table (reducing the maintenance burden on servers), and so forth.

© 2007 Elsevier Ltd. All rights reserved.

Keywords: User authentication; Password; Hash function; Cryptography; Mutual authentication

1. Introduction

There is no doubt that communication networks have brought convenience to people as well as the potential threat of security problems. The current Internet and mobile communication are not yet secure: remote servers could be cracked, communication content could be eavesdropped, authentication messages could be modified, and identities could be impersonated. User authentication is the essential security mechanism for remote login systems, in which a password-based authentication scheme is the most commonly used technique to provide authentication between the legal users and the remote server. Taking computational cost into consideration, user authentication schemes can be further classified into two broad categories: encryption-based [1–7] and hash-function-based [8–12] techniques.

* Corresponding author. E-mail addresses: [email protected] (T.-H. Chen), [email protected] (W.-B. Lee).

0045-7906/$ - see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.compeleceng.2007.01.001


The former are based on cryptosystems such as DES, RSA, and ElGamal. Their main disadvantage is high computational cost. In contrast to an encryption-based technique, a hash-function-based technique, built on a collision-resistant hash function such as SHA-1 [13], is simpler and more efficient to implement. In consideration of practicability, more and more hash-function-based schemes have been proposed. In 2000, Peyravian and Zunic proposed a pair of user authentication schemes allowing users to transmit passwords and change passwords over public networks [8]. It is worth noting that their scheme is not based on cryptosystems; on the contrary, it is based only on a collision-resistant hash function and is simple and efficient to implement. Unfortunately, Hwang and Yeh found three weaknesses in the Peyravian–Zunic scheme (guessing attacks, stolen-verifier attacks and denial-of-service attacks) and proposed an improved version [14]. But the same security flaws were found in the new versions [15–17]. Two new methods are also proposed in [15] and [16], but these enhanced schemes involve public-key cryptosystems, violating the original advantages of the Peyravian–Zunic scheme mentioned above. Based on the Diffie–Hellman key agreement protocol, the remedied schemes in [18–21] involve modular exponentiation and so also violate the computational cheapness that collision-resistant hash functions offer. After the scheme in [19] was shown to suffer from password guessing and stolen-verifier attacks [20], the improved scheme in [20] was afterward found to have two security flaws, stolen-verifier and denial-of-service attacks [18]. On the other hand, Lee et al. and Yoon et al. also proposed their improved versions in [9,22], respectively, to enhance the security of the Peyravian–Zunic scheme.

Compared to the improved schemes in [14–16], the new methods in [9,22] have the main merit of preserving the original attractive advantages. However, Ku et al. showed that the methods in [9,22] still suffer from guessing attacks, stolen-verifier attacks and denial-of-service attacks, respectively [22,23]. The aforementioned security weaknesses of the series of Peyravian–Zunic schemes are further analyzed, and the security design guidelines are summarized as follows:

1. Password guessing attacks. One of the main advantages of the Peyravian–Zunic scheme is that a user is free to choose his new password. It is likely that users choose an easy-to-remember password, a short or meaningful string, so password guessing attacks become possible. The key to a successful password guess is whether the attacker is able to verify the correctness of the guessed password. Suppose an attacker has intercepted the login message of a previous login phase. He can guess a password and then verify the guess by comparing it against the intercepted message: if it matches, the password has been guessed exactly; otherwise, he tries another guess. Most present schemes actually suffer from this attack. This weakness can be removed by combining the password with a nonce that is not guessable.

2. Stolen-verifier attacks. In the series of Peyravian–Zunic schemes, the server maintains a verification table of verifiers such as each user's identity and a variant of the password. Once an attacker has stolen a verifier, he could masquerade as the corresponding server to fool the user or impersonate a legal user to access the server's resources. The key to success is what kind of information the stolen verification table reveals.

3. Denial-of-service attacks. The denial-of-service attack occurs in the password change phase, when the server updates the new verifier for the next login. A wrong verifier in the verification table of course makes the server reject all subsequent login requests of the legal user. It is intuitive that the server must be able to check the received new verifier before writing it into the table.

In this paper, based on the above analysis, the security flaws found in the aforementioned schemes are removed to form a new scheme. In some situations, mutual authentication is necessary to provide higher security. Therefore, the proposed scheme not only keeps the original advantages, being simple and efficient to implement, but also highlights a feature, mutual authentication between the user and the remote server, that is found in many authentication protocols but seldom addressed in the series of Peyravian–Zunic schemes without involving public-key cryptosystems. Certain added advantages are, hence, obtained: (1) the server is not required to maintain a security-sensitive table; and (2) the system does not reveal user passwords to the server.


The rest of the paper is organized as follows. In the next section, a new remote user authentication scheme is proposed. Security analyses and discussions are presented in Sections 3 and 4, respectively. Finally, some brief conclusions are given in Section 5.

2. The proposed scheme

In this section, a secure and efficient user authentication scheme is proposed to enhance the security of the series of Peyravian–Zunic schemes. To present the idea concisely and clearly, Figs. 1 and 2 are used to illustrate the proposed scheme.

In registration phase

(R.1) Ui → S: IDi, HPWi

In the registration phase, a user Ui chooses his password PWi and computes a password digest HPWi = H(IDi, PWi, N), where N is a nonce. Then Ui sends IDi and HPWi to the remote server.

Fig. 1. The authentication phase.

Fig. 2. The password change phase.


(R.2) S → SC: H(IDi ⊕ K), H(·)

Upon receiving IDi and HPWi, the server computes a verifier v = H(HPWi ⊕ H(IDi ⊕ K)) and stores it in the verification table with IDi. Then it writes H(IDi ⊕ K) and H(·) into the smart card SC and releases the card to Ui. The long-term secret key K is kept secret by the server. After receiving the smart card, Ui enters N into the card and does not need to remember N afterwards.

In authentication phase

(A.1) SC → S: IDi, r ⊕ H(IDi ⊕ K), Auth

In the authentication phase, the user Ui inserts his smart card into a login device and enters his identity IDi and password PWi. The smart card SC randomly chooses a number r and computes r ⊕ H(IDi ⊕ K) and Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r). Then {IDi, r ⊕ H(IDi ⊕ K), Auth} is sent to the server.

(A.2) S → SC: s ⊕ H(IDi ⊕ K), H(r, s)

Upon receiving the message, the server computes H(IDi ⊕ K) and obtains r by XORing (r ⊕ H(IDi ⊕ K)) with H(IDi ⊕ K). Then the server computes Auth′ = H(v, r) and compares Auth′ with the received Auth. If they are equal, the server randomly chooses a number s and computes s ⊕ H(IDi ⊕ K) and H(r, s). Then the server sends s ⊕ H(IDi ⊕ K) and H(r, s) to the client.

(A.3) SC → S: IDi, H(s, r)

After receiving the message, the smart card obtains s by computing (s ⊕ H(IDi ⊕ K)) ⊕ H(IDi ⊕ K). After verifying the received H(r, s), the server is authenticated. Next, the smart card calculates H(s, r) and sends {IDi, H(s, r)} to the server. Upon receiving IDi and H(s, r), the server compares the hash value of s and r with the received H(s, r). If they are equal, the user is authenticated and access to the remote server is granted; otherwise the login request is rejected.

In password change phase

In the password change phase, the latter two operations P.2 and P.3 are the same as A.2 and A.3 in the authentication phase. Hence, only the first operation is described in detail.

(P.1) SC → S: IDi, r ⊕ H(IDi ⊕ K), Auth, Mask, ChkMask.
(P.2) S → SC: s ⊕ H(IDi ⊕ K), H(r, s).
(P.3) SC → S: IDi, H(s, r).

Suppose that Ui wants to change his password PWi to a new one, NewPWi. Ui first inserts the smart card into a login device and then enters the identity IDi, the password PWi and the new password NewPWi. The smart card SC randomly chooses a number r and computes r ⊕ H(IDi ⊕ K); Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r); NewHPWi = H(IDi, NewPWi, N); Mask = NewHPWi ⊕ H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r + 1); and ChkMask = H(NewHPWi, r + 2). Then {IDi, r ⊕ H(IDi ⊕ K), Auth, Mask, ChkMask} is sent to the server. Upon receiving the message, the server computes H(IDi ⊕ K) and obtains r by XORing (r ⊕ H(IDi ⊕ K)) with H(IDi ⊕ K). Then the server computes Auth′ = H(v, r) and compares Auth′ with the received Auth. If the check fails, the request is rejected; otherwise, the process goes on. The server computes the new password digest NewHPWi = Mask ⊕ H(v, r + 1) and then obtains v′ = H(NewHPWi ⊕ H(IDi ⊕ K)). Next, the server must check the validity of NewHPWi by comparing the hash value of NewHPWi and (r + 2) with the received ChkMask. Then the server randomly chooses a number s, computes s ⊕ H(IDi ⊕ K) and H(r, s), and sends them to the client.


The client authenticates the server by verifying the received H(r, s). Thereafter, the client sends {IDi, H(s, r)} to the server. The server verifies the identity of Ui likewise. After that, the server replaces the old v with the fresh v′ in the verification table. The one-time random numbers r and s are assumed to be well protected during the authentication and password change phases. After that, both r and s are discarded by the system.

3. Security analyses

In this section we prove that the present scheme is secure under a secure one-way hash function and a well-defined tamper-resistant smart card device. Therefore, certain definitions and assumptions are given first.

Definition 1 (One-way hash function). A hash function is a function that takes a variable-size input and returns a fixed-size result called a hash value. If a hash function H(·) is one-way, it must satisfy the following conditions:

(1) The hash function can take input of any size, and the result (hash value) should be of fixed size.
(2) For any message m, it is easy to compute m's hash value H(m).
(3) It is computationally infeasible to find a message m from its hash value H(m).
(4) For any message m1, it is computationally infeasible to find another message m2 such that H(m1) = H(m2).
(5) It is computationally infeasible to find a pair of different messages m1 and m2 such that H(m1) = H(m2).
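With H instantiated as a concrete one-way hash function of this kind, the scheme of Section 2 can be run end to end. The following Python program is an added worked example, not code from the paper or its authors: it implements the registration, authentication and password change phases as the messages R.1–R.2, A.1–A.3 and P.1–P.3 specify, and it exercises the ChkMask comparison on which Proposition 8 and design guideline 3 of the Introduction rely. SHA-256 as H, length-prefixed hashing of the tuple arguments, 32-byte identities and keys, 255-bit nonces, and the names Server, SmartCard, enrol and run are all assumptions of this example that the paper does not fix.

```python
import hashlib
import secrets

# Added example, not the authors' code. Assumed encodings: H is SHA-256 over
# length-prefixed arguments; IDi, K and every digest are 32 bytes; r and s
# are 255-bit integers so that r + 1 and r + 2 still fit in 32 bytes.
BLOCK = 32


def H(*parts: bytes) -> bytes:
    """H(a, b, ...): collision-resistant hash of the length-prefixed parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def i2b(n: int) -> bytes:              # nonces and r + 1, r + 2 as 32-byte strings
    return n.to_bytes(BLOCK, "big")


class Server:
    def __init__(self):
        self.K = secrets.token_bytes(BLOCK)   # long-term secret key K
        self.table = {}                        # IDi -> v; neither PWi nor N is stored
        self.pending = {}                      # IDi -> (r, s, v') while a run is open

    def token(self, ID: bytes) -> bytes:
        """H(IDi ⊕ K); IDi is zero-padded to the key length (assumption)."""
        return H(xor(ID.ljust(BLOCK, b"\0"), self.K))

    def register(self, ID: bytes, HPW: bytes) -> bytes:
        T = self.token(ID)                     # (R.1)/(R.2)
        self.table[ID] = H(xor(HPW, T))        # v = H(HPWi ⊕ H(IDi ⊕ K))
        return T                               # written into the smart card

    def step_1(self, ID, r_masked, Auth, Mask=None, ChkMask=None):
        """Handle A.1 (or P.1 when Mask/ChkMask are present); reply with A.2."""
        T = self.token(ID)
        r = int.from_bytes(xor(r_masked, T), "big")
        v = self.table[ID]
        if H(v, i2b(r)) != Auth:               # Auth' = H(v, r)
            return None
        new_v = None
        if Mask is not None:
            NewHPW = xor(Mask, H(v, i2b(r + 1)))
            if H(NewHPW, i2b(r + 2)) != ChkMask:
                return None                    # tampered Mask: reject, keep old v
            new_v = H(xor(NewHPW, T))          # v'
        s = secrets.randbits(255)
        self.pending[ID] = (r, s, new_v)
        return xor(i2b(s), T), H(i2b(r), i2b(s))

    def step_3(self, ID, resp) -> bool:        # verify H(s, r); only then commit v'
        r, s, new_v = self.pending.pop(ID, (None, None, None))
        if r is None or resp != H(i2b(s), i2b(r)):
            return False
        if new_v is not None:
            self.table[ID] = new_v
        return True


class SmartCard:
    def __init__(self, T: bytes, N: bytes):
        self.T, self.N, self.r = T, N, None    # H(IDi ⊕ K), the nonce N, current r

    def secret(self, ID, PW) -> bytes:        # H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K))
        return H(xor(H(ID, PW, self.N), self.T))

    def step_1(self, ID, PW, NewPW=None) -> list:
        self.r = secrets.randbits(255)
        msg = [ID, xor(i2b(self.r), self.T), H(self.secret(ID, PW), i2b(self.r))]
        if NewPW is not None:                  # P.1 adds Mask and ChkMask
            NewHPW = H(ID, NewPW, self.N)
            msg += [xor(NewHPW, H(self.secret(ID, PW), i2b(self.r + 1))),
                    H(NewHPW, i2b(self.r + 2))]
        return msg

    def step_2(self, s_masked, proof):
        s = int.from_bytes(xor(s_masked, self.T), "big")
        if proof != H(i2b(self.r), i2b(s)):    # server fails to authenticate
            return None
        return H(i2b(s), i2b(self.r))          # A.3/P.3 response


def enrol(server: Server, ID: bytes, PW: bytes) -> SmartCard:
    N = secrets.token_bytes(BLOCK)             # chosen by the user; never sent
    return SmartCard(server.register(ID, H(ID, PW, N)), N)


def run(server, card, ID, PW, NewPW=None, tamper_mask=False) -> bool:
    """One login (or password change); True iff both sides accept."""
    msg = card.step_1(ID, PW, NewPW)
    if tamper_mask:                            # Mask replaced in transit by arbitrary Y
        msg[3] = secrets.token_bytes(BLOCK)
    reply = server.step_1(*msg)
    if reply is None:
        return False
    resp = card.step_2(*reply)
    return resp is not None and server.step_3(ID, resp)
```

The server holds only K and the table of v values; it never sees PWi or N. A password change writes v′ only after P.3 has been verified, and a Mask replaced by an arbitrary value fails the ChkMask comparison before any write happens, so the old verifier remains usable and the legal user is not locked out.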

Definition 2 (Tamper-resistant device (TRD)). A tamper-resistant device aims to prevent outsiders from reading what must be kept secret and from tampering with the stored data. More precisely, a TRD resists tampering by either normal users or others with physical access to it. Usually, a TRD can efficiently perform lightweight cryptographic operations such as hash functions and symmetric cryptographic operations, but not asymmetric operations. It is worth noting that in the field of security more and more research shows that tamper-resistant hardware provides a higher security level than software techniques. TRDs have been studied for many years and used in real applications, such as cable TV boxes, DVDs and applications with smart cards.

Assumption 1. The existence of a one-way hash function allows both user and server to compute collision-free hash values. This hash function need not be kept secret between user and server; it is public.

Assumption 2. The existence of a tamper-resistant smart card does not allow either system users or attackers to read or modify the stored data. But the tamper-resistant smart card manufacturer reserves certain functions for the server to write the user registration data (authentication token) into the smart cards.

Assumption 3 (Remote user password authentication problem). A remote user password authentication scheme is a method by which user and server are able to authenticate each other during the remote user login phase, and which also resists impersonation (forgery) attacks intended to illegally trigger communication on behalf of a legal participant, including user impersonation and server impersonation.

Proposition 1 (Security). The present remote user password authentication scheme is secure under a secure one-way hash function and a well-defined tamper-resistant smart card device.

Proof. The proof is completed by demonstrating completeness and security.

Firstly, mutual authentication between user and server is achieved based on a challenge–response protocol. After user registration with the server, the server delegates an authentication token, mainly H(IDi ⊕ K), to the user. After that, the user has the same authority as the server. Based on this concept, both user and server can authenticate each other.


The user has {H(IDi ⊕ K), N} and remembers PWi. On the other hand, the server keeps v = H(HPWi ⊕ H(IDi ⊕ K)) in a table. Note that {H(IDi ⊕ K), N} is assumed to be well protected in a tamper-resistant smart card, so that H(IDi ⊕ K) cannot be extracted from the card (Assumption 2), and H(IDi ⊕ K) cannot be extracted from H(HPWi ⊕ H(IDi ⊕ K)) under the one-way property (Assumption 1). In the authentication phase, the user computes a challenge CuTOs = {r ⊕ H(IDi ⊕ K), Auth} to the server. Since the server can derive H(IDi ⊕ K) from his long-term secret K to extract r from the received r ⊕ H(IDi ⊕ K), he can compute the response RsTOu = {s ⊕ H(IDi ⊕ K), H(r, s)}, also regarded as the challenge CsTOu to the user. Upon receiving the message RsTOu = CsTOu, the user authenticates the server by RsTOu and computes the response RuTOs = {H(s, r)} to the server. Finally, the server authenticates the user by RuTOs. In the password change phase, the user additionally sends a pair {Mask, ChkMask}; the server uses ChkMask to confirm the integrity of Mask. The other operations are the same as those in the authentication phase. Hence, the completeness of the present remote user authentication scheme is shown.

Secondly, an attacker on the present scheme is regarded as successful if he can act on behalf of either a legitimate user to log in to a server or a normal server to fool a user. There are two steps to show the security of the present scheme. In the first step, we prove that an attacker could impersonate user or server if and only if he can obtain H(IDi ⊕ K). In the second step, we demonstrate that H(IDi ⊕ K) cannot be extracted from either communication over public networks or information stored on the server side.

Step 1: From the above analysis of completeness, we know H(IDi ⊕ K) is the critical factor for security. Without knowing H(IDi ⊕ K), user and server cannot be successfully authenticated by each other through the challenge–response protocol. On the one hand, the user cannot calculate the valid challenge Auth in Step A.1 and the response H(s, r) in Step A.3. On the other hand, the server cannot compute H(IDi ⊕ K) to forge a valid response {s ⊕ H(IDi ⊕ K), H(r, s)} to convince the user. With H(IDi ⊕ K), mutual authentication can be guaranteed. The details have been shown in the proof of completeness and are thus omitted here.

Step 2: Based on Assumption 1, it is infeasible to extract H(IDi ⊕ K) from the intercepted communication messages, whether from r ⊕ H(IDi ⊕ K) without knowing the one-time random number r, or from Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r) in Steps A.1 and P.1, s ⊕ H(IDi ⊕ K) in Steps A.2 and P.2, or Mask = NewHPWi ⊕ H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r + 1) in Step P.1. It is also infeasible to extract H(IDi ⊕ K) from the stolen v = H(HPWi ⊕ H(IDi ⊕ K)) on the server side.

To summarize, the presented scheme is secure under a secure one-way hash function and a well-defined tamper-resistant smart card device. □

Following the possible attacks discussed and analyzed in [4–9,14–24], the following attacks are now considered to further show that the proposed scheme works. In the password authentication phase, impersonation attacks are possible: user impersonation (forgery) attacks, server impersonation (forgery) attacks, replay attacks, password guessing attacks and stolen-verifier attacks. On the other hand, in the password change phase, password authentication schemes may be vulnerable to the denial-of-service attack. In addition, it must be considered that the verification table stored in the server might be stolen.

Proposition 2 (User impersonation attacks). The present scheme is secure against user impersonation (forgery) attacks.

Proof. If an attacker wants to impersonate a legal user, he has to forge a login message that passes the authentication of the server. However, he cannot calculate the valid Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r) in Step A.1 and the response H(s, r) in Step A.3, since he knows none of {H(IDi ⊕ K), N, r, PWi}. He is not able to generate a valid login request. □

Proposition 3 (Replay attacks). The present scheme is secure against replay attacks.


Proof. For each new login request, the protocol renews the nonces r and s. The response message including r in Step A.2 is used to detect replay attacks intended to fool the user. On the other hand, the response message including s in Step A.3 is used to detect replay attacks intended to fool the server. The server resists replay attacks by issuing s, protected by XORing with H(IDi ⊕ K), as a challenge and verifying the related response H(s, r) later. Suppose an attacker intercepts the previous messages r ⊕ H(IDi ⊕ K) and Auth in Step A.1. Subsequently, he faces the challenge of extracting the fresh s from {s ⊕ H(IDi ⊕ K), H(r, s)} in Step A.2 in order to reply with H(s, r) in Step A.3. Since the server is waiting for the response H(s, r) to the fresh s in Step A.3, at this stage the attacker does not have H(IDi ⊕ K) to extract s and accordingly compute H(s, r). Hence, he has no way to pass the subsequent authentication by replaying the intercepted previous login message. □

Proposition 4 (Cut-and-paste attacks). The present scheme is secure against cut-and-paste attacks.

Proof. A cut-and-paste attack is an assault on the integrity of a login message in which the attacker substitutes a section of the login message (authenticator) with a different section that in some way looks like (but is not the same as) the one removed. Since cut-and-paste is a type of message modification attack, the attacker may remove a login message from network traffic, alter it, and reinsert it. In Step A.1, the two sections of the message {r ⊕ H(IDi ⊕ K), Auth} are bound to each other through r. In Step A.2, the two sections of the message {s ⊕ H(IDi ⊕ K), H(r, s)} are bound to each other through s. In Step A.3, the message {H(s, r)} is bound to the s and r of Steps A.1 and A.2. The situations in Steps P.2 and P.3 are the same as those in Steps A.2 and A.3. Lastly, the four sections of the message {r ⊕ H(IDi ⊕ K), Auth, Mask, ChkMask} in Step P.1 are bound to each other through r. That is, the present scheme is able to rule out cut-and-paste attacks. □

Proposition 5 (Server impersonation attacks). The present scheme is secure against server impersonation (forgery) attacks.

Proof. If an attacker wants to impersonate the remote server successfully, he must send {s ⊕ H(IDi ⊕ K), H(r, s)} to the client in Step A.2. The client then extracts s from s ⊕ H(IDi ⊕ K) and verifies s against H(r, s). Since the attacker has no idea of the server's long-term secret key K, he cannot compute H(IDi ⊕ K) to forge a valid {s ⊕ H(IDi ⊕ K), H(r, s)}. On the other hand, because only the server and the smart card can compute H(IDi ⊕ K), only the server is able to extract the newest r, which is protected in Step A.1 by H(IDi ⊕ K). As a result, the client can easily authenticate the server after receiving the message transmitted in Step A.2. In sum, server impersonation attacks are infeasible. □

Proposition 6 (Password guessing attacks). The present scheme is secure against password guessing attacks.

Proof. Only three intercepted values involve the passwords: Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r); Mask = NewHPWi ⊕ H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r + 1); and ChkMask = H(NewHPWi, r + 2). If an attacker obtains Auth and wants to use it to examine a guessed password PW′ by computing a candidate Auth′ = H(H(H(IDi, PW′, N) ⊕ H(IDi ⊕ K)), r), he must know r, N and K simultaneously; otherwise, he cannot verify the correctness of the guessed password. Likewise, if he has Mask, he must also know r, N and K to check a guessed password. Lastly, if he has ChkMask = H(NewHPWi, r + 2) = H(H(IDi, NewPWi, N), r + 2), he has to guess a password NewPW′ and simultaneously know N and r to verify the guess. In a word, if an attacker intercepts one of them, it is infeasible to guess and verify the user's passwords PWi and NewPWi without knowing r, N and K. □

Proposition 7 (Stolen-verifier attacks). The present scheme is secure against stolen-verifier attacks.


Proof. Servers are always an attractive target of malicious attacks, so stolen-verifier attacks must be taken into account. In the proposed scheme, the user password PWi is mixed with a nonce N to form the verifier v = H(HPWi ⊕ H(IDi ⊕ K)) = H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), which is then stored on the server side. An attacker may obtain the verifier v if he finds some way to steal the verification table from the server. Even so, he has no feasible way to extract K, N, PWi, HPWi or H(IDi ⊕ K) from v, which rests mainly on the assumed one-way property of H(·). In this case, guessing attacks are infeasible, as analyzed above. □

Proposition 8 (Denial-of-service attacks). The present scheme is secure against denial-of-service attacks.

Proof. In the password change phase, if an attacker wants to perform a denial-of-service attack, he replaces Mask = NewHPWi ⊕ H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r + 1) with an arbitrary value Y. Upon receiving Y, the server extracts a false NewHPW′i by XORing Y with H(v, r + 1). On further checking the validity of NewHPW′i, the server finds that the hash value of NewHPW′i and (r + 2) is not equal to the received ChkMask. Therefore, the server rejects this password change request. □

4. Discussions

In this section, a number of features are highlighted that provide either a higher security level for the system or an easy-to-use environment for users. These merits of the proposed scheme are described below.

Mutual authentication. The identity of the login user is authenticated by two operations: (1) checking whether the received Auth = H(H(H(IDi, PWi, N) ⊕ H(IDi ⊕ K)), r) in Step A.1 is equal to the computed Auth′ = H(v, r); and (2) checking the validity of H(s, r) in Step A.3. The former checks whether the user knows the common secret H(IDi ⊕ K). However, this message may be replayed by an attacker. Thus the latter is adopted to rule out replay attacks by having the server issue a fresh s. On the other hand, the identity of the server is authenticated by checking whether the server possesses the secret key K needed to generate H(IDi ⊕ K), extract r in Step A.1 and compute s ⊕ H(IDi ⊕ K) and H(r, s) in Step A.2. Since only the legal user and the genuine server know H(IDi ⊕ K), the server's authenticity is proved indirectly. Therefore, the proposed scheme provides mutual authentication and keeps an adversary from fooling or cheating legal users.

Computational cheapness. It is clear that the proposed scheme is based only on one-way hash functions, without involving either public-key cryptosystems or even modular exponentiation. In terms of computational cost, the comparison of our scheme with the other schemes in the series of Peyravian–Zunic schemes is summarized in Table 1.

Server's ignorance of users' passwords. In practice, a user may use the same password for various network services on different servers. If the server knows the user's password, there is no guarantee that the server will not profit from impersonating a legal user, especially in sensitive applications such as network banking. In the proposed scheme, the user sends HPWi = H(IDi, PWi, N) to the server, and without knowing N the server has no feasible way to obtain or guess PWi.

Immunity from maintaining a security-sensitive table. The security analysis in the last section has shown the proposed scheme to be secure against stolen-verifier attacks. It follows that the stored information is not security-sensitive. This deters the server from becoming an attractive target and at the same time reduces the maintenance burden.

Choosing friendly passwords. Usually, an easy-to-remember password is convenient and friendly to use. Conversely, there is a high probability that it will not be used correctly. Therefore, it forms a design tradeoff between friendliness and security. However, passwords are helpful, if kept secret, in providing additional security protection if the smart card is lost. From the aforementioned security analyses, the proposed scheme can securely benefit from friendly passwords.

Changing passwords easily. In practical password-based systems, users are encouraged to change their passwords periodically and as often as possible. In the password change phase, the user does not need to register with the server again to change the secret information in the smart card. Instead, he only needs to launch the password change operation, in which only two additional messages {Mask, ChkMask} are needed. Hence, the proposed scheme presents this function to facilitate simplicity, friendliness and effectiveness.

Further, the functionality comparison of our scheme with the other schemes is summarized in Table 2. According to these features and the above security analysis, it is clear that the proposed scheme is simple, efficient, secure, and friendly.

Table 1
Computational cost comparisons of the proposed scheme and several related schemes

Scheme                 Public-key en/decryption   Modular exponential   Symmetric en(de)cryption   Hash function
Peyravian–Zunic [8]    No                         No                    No                         Yes
Lin–Hwang [15]         Yes                        No                    No                         Yes
Yang et al. [16]       Yes                        No                    No                         Yes
Chang et al. [21]      No                         Yes                   Yes                        Yes
Yoon–Yoo [18]          Yes                        No                    No                         Yes
Our scheme             No                         No                    No                         Yes

Table 2
Functionality comparisons of the proposed scheme and several related schemes

Columns: (A) Mutual authentication; (B) Computational cheapness; (C) Ignorance of users' passwords; (D) Without security-sensitive table; (E) Choosing friendly password; (F) Changing password easily.

Scheme                 (A)   (B)    (C)    (D)    (E)   (F)
Peyravian–Zunic [8]    No    Low    No a   No a   Yes   Yes
Lin–Hwang [15]         Yes   High   No     No     Yes   Yes
Yang et al. [16]       Yes   High   No     No     Yes   Yes
Chang et al. [21]      Yes   High   No     No     Yes   Yes
Yoon–Yoo [18]          Yes   High   No     Yes    Yes   Yes
Our scheme             Yes   Low    Yes    Yes    Yes   Yes

a The server stores the user's H(IDi, PWi), and it is not difficult for the server, or for an adversary who performs a stolen-verifier attack, to guess the user's password.

5. Conclusions

The major characteristics of the Peyravian–Zunic scheme are that it is easy to implement and simple to use. Unfortunately, its enhanced versions are either vulnerable to some attacks or violate the original advantages. Hence, a new solution is provided that not only removes the security flaws existing in the series of Peyravian–Zunic schemes but also highlights a number of secure, efficient, and friendly features.

References

[1] Chang CC, Hwang SJ. Using smart cards to authenticate remote passwords. Comput Math Appl 1993;26(7):19–27.
[2] Chang CC, Liao WY. A remote password authentication scheme based upon ElGamal's signature scheme. Comput Securit 1994;13(2):137–44.
[3] Jan JK, Chen YY. 'Paramita wisdom' password authentication scheme without verification tables. J Syst Software 1998;42:45–57.
[4] Yang WH, Shieh SP. Password authentication schemes with smart cards. Comput Securit 1999;18:727–33.
[5] Hwang MS, Li LH. A new remote user authentication scheme using smart cards. IEEE Trans Consumer Electron 2000;46(1):28–30.
[6] Lee JK, Ryu SR, Yoo KY. Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 2002;38(12):554–5.
[7] Lin IC, Hwang MS, Li LH. A new remote user authentication scheme for multi-server architecture. Future Generat Comput Syst 2003;19:13–22.
[8] Peyravian M, Zunic N. Methods for protecting password transmission. Comput Securit 2000;19(5):466–9.
[9] Lee CC, Li LH, Hwang MS. A remote user authentication scheme using hash functions. ACM SIGOPS Oper Syst Rev 2002;36(4):23–9.
[10] Lamport L. Password authentication with insecure communication. Commun ACM 1981;24:28–30.
[11] Haller NM. The S/Key (TM) one-time password system. In: Proceedings of the Internet Society symposium on network and distributed system security, 1994. p. 151–8.
[12] Sandirigama M, Shimizu A, Noda MT. Simple and secure password authentication protocol (SAS). IEICE Trans Commun 2000;E83-B(6):1363–5.
[13] Schneier B. Applied cryptography. 2nd ed. New York: John Wiley; 1996.
[14] Hwang JJ, Yeh TC. Improvement on Peyravian–Zunic's password authentication schemes. IEICE Trans Commun 2002;E85-B(4):823–5.
[15] Lin CL, Hwang T. A password authentication scheme with secure password updating. Comput Securit 2003;22(1):68–72.


[16] Yang CC, Chang TY, Li JW, Hwang MS. Security enhancement for protecting password transmission. IEICE Trans Commun 2003;E86-B(7):2178–81.
[17] Ku WC, Chen CM, Lee HL. Cryptanalysis of a variant of Peyravian–Zunic's password authentication scheme. IEICE Trans Commun 2003;E86-B(5):1682–4.
[18] Yoon EJ, Yoo KY. Weakness and solution of Yang et al.'s protected password changing scheme. Appl Math Comput 2005;168(2):788–94.
[19] Tseng YM, Jan JK, Chien HY. On the security of methods for protecting password transmission. Informatica 2001;12(3):469–77.
[20] Yang CC, Chang TY, Hwang MS. Security of improvement on methods for protecting password transmission. Informatica 2003;14(4):551–8.
[21] Chang YF, Chang CC, Liu YL. Password authentication without the server public key. IEICE Trans Commun 2004;E87-B(10):2178–81.
[22] Yoon EJ, Ryu EK, Yoo KY. A secure user authentication scheme using hash functions. ACM SIGOPS Oper Syst Rev 2004;38(2):62–8.
[23] Ku WC, Chen CM, Lee HL. Weaknesses of Lee–Li–Hwang's hash-based password authentication scheme. ACM SIGOPS Oper Syst Rev 2003;37(4):19–25.
[24] Ku WC, Chiang MH, Chang ST. Weaknesses of Yoon–Ryu–Yoo's hash-based password authentication scheme. ACM SIGOPS Oper Syst Rev 2005;39(1):85–9.