Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards


Computer Standards & Interfaces 29 (2007) 507 – 512 www.elsevier.com/locate/csi

Xiao-Min Wang a,*, Wen-Fang Zhang b, Jia-Shu Zhang a, Muhammad Khurram Khan a

a Key Laboratory of Signal and Information Processing of Sichuan Province, Southwest Jiaotong University, Chengdu, 610031, PR China
b Key Laboratory of Information Security and National Computing Grid, Southwest Jiaotong University, Chengdu, 610031, PR China

Received 15 February 2006; received in revised form 17 October 2006; accepted 11 November 2006. Available online 16 January 2007.

Abstract

In 2002, Chien et al. proposed an efficient remote authentication scheme using smart cards in which only a few hashing operations are required. Later, Ku et al. gave an improved scheme to repair the security pitfalls found in Chien et al.'s scheme, and Yoon et al. presented an enhancement of Ku et al.'s scheme. In this paper, we show that both Ku et al.'s scheme and Yoon et al.'s scheme are still vulnerable to the guessing attack, the forgery attack and the denial of service (DoS) attack. In addition, their schemes are inefficient when users input wrong passwords. To remedy these flaws, this paper proposes an efficient improvement over Ku et al.'s and Yoon et al.'s schemes with stronger security. The computation cost, security and efficiency of the improved scheme are encouraging for real applications in resource-limited environments.
© 2006 Elsevier B.V. All rights reserved.

Keywords: Authentication; Smart card; Session key; Password

Contents

1. Introduction ........ 508
2. Review of Ku et al.'s scheme [16] ........ 508
   2.1. Registration ........ 508
   2.2. Login ........ 508
   2.3. Verification ........ 508
   2.4. Password change ........ 509
3. Cryptanalysis of Ku et al.'s scheme ........ 509
4. Our improved scheme ........ 510
   4.1. Registration ........ 510
   4.2. Login ........ 510
   4.3. Verification ........ 510
   4.4. Password change ........ 510
5. Security analysis ........ 510
6. Performance analysis ........ 511
7. Conclusion ........ 511
References ........ 512

☆ This work is supported by the National Natural Science Foundation of China (grant No. 60272096) and by the Doctor Innovation Fund of Southwest Jiaotong University, 2006.
⁎ Corresponding author. E-mail address: [email protected] (X.-M. Wang).
0920-5489/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2006.11.005


X.-M. Wang et al. / Computer Standards & Interfaces 29 (2007) 507–512

1. Introduction

With the large scale development of network technology, remote user authentication in e-commerce and m-commerce has become indispensable for accessing valuable resources. Remote authentication is a mechanism for authenticating remote users over an insecure communication network. During the past two decades, password-based remote authentication schemes have been widely deployed to verify the legitimacy of remote users. Since Lamport [1] proposed his remote authentication scheme in 1981, several schemes [2,3] have been proposed to improve security, cost or efficiency. One common feature of these schemes is that a verification table must be securely stored on the server; if the verification table is stolen by the adversary, the system is partially or totally broken. Owing to their low cost, portability and cryptographic capability, smart cards have been widely adopted in remote authentication schemes [4–17]. In 2000, Hwang and Li [9] proposed a new remote user authentication scheme using smart cards. In 2002, based on Sun's scheme [14], Chien et al. [15] proposed a very cost-effective remote user authentication solution and claimed that their scheme has the merits of providing mutual authentication, freely chosen passwords and no verification table, while involving only a few hashing operations instead of costly modular exponentiations. Unfortunately, Ku et al. [16] pointed out that Chien et al.'s scheme is vulnerable to the reflection attack, the insider attack and the guessing attack, and is not repairable once a user's permanent secret is compromised; they gave an improved scheme to resolve these security pitfalls. Recently, however, Yoon et al. [17] showed that Ku et al.'s scheme is susceptible to the parallel session attack and is insecure in changing the user's password, and proposed an enhancement of Ku et al.'s scheme to overcome these problems.

Due to the power constraints of smart cards and the cost of implementation, the lower the cost, the greater the chance of success in practical realization. Among the smart card based schemes, Ku et al.'s and Yoon et al.'s schemes require only a few hash operations instead of costly modular exponentiations, so, security aside, they have great application potential in the smart card field. In this paper, however, we show that both Ku et al.'s scheme and Yoon et al.'s scheme are still vulnerable to the guessing attack, the forgery attack and the denial of service (DoS) attack. In addition, their schemes are inefficient when a user inputs a wrong password. To remedy these pitfalls, this paper presents an efficient improvement on them with stronger security. As a result, at the cost of only a few additional hash operations, our scheme withstands the attacks above; a wrong password input by the user is detected immediately, and a session key is provided after the authentication phase. The computational cost and efficiency of the improved scheme are encouraging for practical implementation in resource-constrained environments.

The rest of the paper is organized as follows. Section 2 reviews Ku et al.'s scheme. Section 3 gives the cryptanalysis of Ku et al.'s scheme. Section 4 presents the details of the proposed scheme. Section 5 gives the security analysis of the proposed scheme. Section 6 compares the performance of the proposed scheme with Ku et al.'s and Yoon et al.'s schemes. Finally, Section 7 concludes the paper.

2. Review of Ku et al.'s scheme [16]

The notations used throughout the paper are as follows:

• U: the user.
• ID: the identity of U.
• PW: the password of U.
• S: the remote server.
• x: the permanent secret key of S.
• h(·): a cryptographic unkeyed hash function.
• h_k(·): a cryptographic keyed hash function with secret key k.
• ⇒: a secure channel.
• →: a common (public) channel.

There are four phases in Ku et al.'s scheme: registration, login, verification and password change.

2.1. Registration

This phase is invoked whenever U initially registers or re-registers with S. Let n denote the number of times U has re-registered with S.

1. U selects a random number b and computes h(b ⊕ PW).
2. U ⇒ S: ID, h(b ⊕ PW).
3. If it is U's initial registration, S creates an entry for U in the account database and stores n = 0 in this entry. Otherwise, S sets n = n + 1 in the existing entry for U. Next, S computes R = h(EID ⊕ x) ⊕ h(b ⊕ PW), where EID = (ID||n).
4. S ⇒ U: a smart card containing R and h(·).
5. U enters b into his smart card. Note that U's smart card now contains R, b and h(·), and U need not remember b after finishing step 5.

2.2. Login

1. U inserts his smart card into the card reader, and then enters ID and PW.
2. The smart card computes c1 = R ⊕ h(b ⊕ PW) and c2 = h(c1 ⊕ Tu), where Tu denotes U's current timestamp.
3. U → S: {ID, c2, Tu}.

2.3. Verification

After {ID, c2, Tu} is received, S and the smart card execute the following steps:

1. If either ID or Tu is invalid, S rejects U's login request. Otherwise, S computes h(h(EID ⊕ x) ⊕ Tu). If the computed result equals the received c2, S accepts U's login request and computes c3 = h(h(EID ⊕ x) ⊕ Ts), where Ts denotes S's current timestamp. Otherwise, S rejects U's login request.
2. S → U: {c3, Ts}. If either Ts is invalid or Ts = Tu, U terminates this session. Otherwise, U computes h(c1 ⊕ Ts) and compares the result with the received c3.
3. If they are equal, U successfully authenticates S.

2.4. Password change

This phase is invoked whenever U wants to change his password PW to a new one, say PWnew.

1. U inserts his smart card into the card reader, enters ID and PW, and requests a password change. Next, U enters PWnew.
2. The smart card computes Rnew = R ⊕ h(b ⊕ PW) ⊕ h(b ⊕ PWnew), which equals h(EID ⊕ x) ⊕ h(b ⊕ PWnew), and then replaces R with Rnew.

3. Cryptanalysis of Ku et al.'s scheme

Yoon et al. [17] have pointed out that Ku et al.'s scheme [16] is susceptible to the parallel session attack and is insecure in changing the user's password. In this section, we show that Ku et al.'s scheme is also vulnerable to the guessing attack, the forgery attack and the denial of service attack, and is inefficient for wrong-password logins. These flaws also exist in Yoon et al.'s improved scheme [17].

1. Vulnerable to guessing attack. In Ku et al.'s scheme, U's smart card contains R, b and h(·) after registration. As mentioned in Ref. [16], an adversary could extract the secret information stored in the smart card by monitoring its power consumption [18] or by analyzing leaked information [19]. Hence the adversary can obtain R = h(EID ⊕ x) ⊕ h(b ⊕ PW) as well as b. Suppose the adversary has also intercepted one of U's past login messages, {ID, c2, Tu}. He can then perform a guessing attack to obtain PW by guessing a password PW′ and comparing c2′ = h(R ⊕ h(b ⊕ PW′) ⊕ Tu) with the intercepted c2. If c2′ = c2, the adversary has correctly guessed PW′ = PW; otherwise, the adversary tries another candidate password.
Since PWs are selected by users, they are usually short and simple to memorize. Hence PWs can be obtained by an off-line guessing attack.

2. Vulnerable to forgery attack. Once the adversary has obtained PW by the guessing attack (which implies that he also holds R and b), he can compute c1 = R ⊕ h(b ⊕ PW) and then impersonate U by forging U's login message {ID, h(c1 ⊕ Tu′), Tu′}. Hence, Ku et al.'s scheme is still vulnerable to the forgery attack.

3. Susceptible to denial of service attack. Because c1 = h(ID ⊕ x) in Chien et al.'s scheme [15] cannot be changed, a forged login request cannot be prevented even after U has detected that his c1 has been compromised. Accordingly, Ku et al. extended ID to EID = (ID||n) and replaced c1 = h(ID ⊕ x) with c1 = h(EID ⊕ x) in their improved scheme, so that c1 can be changed through an EID with a different n once c1 has been compromised. Unfortunately, the number n is stored in an entry table on the server side, which is roughly equivalent to using a verification table: it carries the risk of the entry table being modified and the cost of protecting and maintaining it. Once an intruder modifies n in the entry table, the user's login message c2 remains h(h(EID ⊕ x) ⊕ Tu) as before, while the value c2′ = h(h(EID′ ⊕ x) ⊕ Tu) computed by the system changes. Obviously, the legal user's login request is rejected by the system because c2 ≠ c2′. Hence Ku et al.'s scheme is susceptible to the denial of service attack. In addition, storing n for each user in an entry table violates the requirement of not using a verification table in ID-based cryptosystems [20].

4. Inefficiency for wrong-password login. Even if U inputs a wrong password in the login phase, the smart card still sends U's login request unconditionally to the server. The error is not detected until the server checks c2 = h(h(EID ⊕ x) ⊕ Tu) in the authentication phase. Therefore, password authentication is delayed and inefficient.

In addition, the security of Ku et al.'s scheme relies entirely on the one-way property of the hash function. Most recently, however, Wang et al. [21–23] showed an advanced collision attack on iterative hash algorithms such as the widely used MD4, MD5 and SHA. Thus Ku et al.'s scheme suffers from the potential risk of an off-line attack on c2 = h(h(EID ⊕ x) ⊕ Tu), since c2 and Tu are easily eavesdropped by the adversary. If such an attack succeeds, h(EID ⊕ x) can be obtained from c2 and the adversary can impersonate U to log in at any time.
Similarly, once h(EID ⊕ x) is revealed, the system secret key x may also be broken under Wang et al.'s attack, because EID and h(EID ⊕ x) are both known to the adversary and both remain invariant in every login request. In brief, the user's password PW, the secret information h(EID ⊕ x), or even the system secret key x may be revealed in Ku et al.'s scheme, which exposes the system to the guessing attack and the forgery attack. Moreover, the entry table stored on the server side opens the way to a denial of service attack. In addition, password authentication is delayed and inefficient. Hence, the security of Ku et al.'s scheme falls short of their claims.

It should be stressed that, although Yoon et al. [17] proposed an enhancement of Ku et al.'s scheme, they only repaired some of the pitfalls found in Ku et al.'s scheme, such as the parallel session attack and the weakness in the password change phase, which does not overcome the weaknesses described above. That is, Yoon et al.'s scheme is still susceptible to the guessing attack, the forgery attack and the denial of service attack, and is still inefficient for wrong-password logins. More seriously, Yoon et al. store V = h(EID ⊕ x) directly in the smart card, which allows the adversary to impersonate U without any guessing attack on h(EID ⊕ x). For brevity, the review of Yoon et al.'s scheme is omitted here; we refer readers to [17] for details.
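To make the review in Section 2 and observations 1, 3 and 4 above concrete, the following Python simulation of Ku et al.'s scheme is an added example; it is not part of the original paper or of Ku et al.'s work. It assumes SHA-256 for h(·), 32-byte XOR operands (ID, PW, EID and timestamps zero-padded to that length) and a '|' separator inside EID, none of which the paper fixes. It runs registration, login and verification, then shows that a wrong password is only discovered at the server, that a captured login message becomes an off-line check for candidate passwords once R and b have been read out of the card, and that a changed n in the server's entry table locks the legitimate user out.

```python
import hashlib
import hmac
import os
from typing import Dict

# Assumptions not fixed by the paper: h(.) is SHA-256, every XOR operand is
# 32 bytes, and ID, PW, EID and timestamps are zero-padded to 32 bytes first.
HLEN = 32


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HLEN
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s: bytes) -> bytes:
    assert len(s) <= HLEN
    return s.ljust(HLEN, b"\0")


def ts_bytes(t: int) -> bytes:
    return pad(str(t).encode())


class KuServer:
    """Server S: permanent secret x plus the per-user entry table holding n."""

    def __init__(self) -> None:
        self.x = os.urandom(HLEN)
        self.table: Dict[bytes, int] = {}  # ID -> n (re-registration counter)

    def _secret(self, ident: bytes) -> bytes:
        # h(EID xor x) with EID = ID||n; the '|' separator is our own choice
        eid = pad(ident + b"|" + str(self.table[ident]).encode())
        return h(xor(eid, self.x))

    def register(self, ident: bytes, hbpw: bytes) -> bytes:
        # Registration step 3: n = 0 on first registration, n + 1 afterwards
        self.table[ident] = self.table.get(ident, -1) + 1
        return xor(self._secret(ident), hbpw)  # R

    def verify(self, ident: bytes, c2: bytes, tu: int) -> bool:
        # Verification step 1: recompute h(h(EID xor x) xor Tu) and compare
        if ident not in self.table:
            return False
        expected = h(xor(self._secret(ident), ts_bytes(tu)))
        return hmac.compare_digest(expected, c2)


class KuCard:
    """Smart card holding R and b; it has no way to check PW locally."""

    def __init__(self, R: bytes, b: bytes) -> None:
        self.R, self.b = R, b

    def login(self, pw: bytes, tu: int) -> bytes:
        # Login step 2: c1 = R xor h(b xor PW), c2 = h(c1 xor Tu)
        c1 = xor(self.R, h(xor(self.b, pad(pw))))
        return h(xor(c1, ts_bytes(tu)))  # c2 is sent whatever PW was typed


def enroll(server: KuServer, ident: bytes, pw: bytes) -> KuCard:
    b = os.urandom(HLEN)  # registration step 1; b stays on the card (step 5)
    return KuCard(server.register(ident, h(xor(b, pad(pw)))), b)


def login_accepted(server: KuServer, card: KuCard, ident: bytes, pw: bytes, tu: int) -> bool:
    """Observation 4: a wrong PW still produces a login message; only S notices."""
    return server.verify(ident, card.login(pw, tu), tu)


def offline_guess_matches(R: bytes, b: bytes, c2: bytes, tu: int, guess: bytes) -> bool:
    """Observation 1: with R and b read out of the card and one captured
    {ID, c2, Tu}, a candidate password is checkable without contacting S."""
    return h(xor(xor(R, h(xor(b, pad(guess)))), ts_bytes(tu))) == c2


def locked_out_after_entry_change(server: KuServer, card: KuCard, ident: bytes, pw: bytes) -> bool:
    """Observation 3: once n in the entry table no longer matches the n baked
    into the card's R, the legitimate user is rejected."""
    assert login_accepted(server, card, ident, pw, 1000)
    server.table[ident] += 1  # entry corrupted or modified at the server
    return not login_accepted(server, card, ident, pw, 1001)
```

The card's login never fails on its own: that is the inefficiency of observation 4, and the same structure is what turns leaked card contents plus one eavesdropped message into the off-line check of observation 1. The entry table is the one value whose integrity the server must guarantee for a legitimate user to keep logging in.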


4. Our improved scheme

This section proposes an efficient improvement on Ku et al.'s and Yoon et al.'s schemes, which keeps the merits of the original schemes and withstands the attacks described in the previous sections.

4.1. Registration

This phase is invoked whenever U initially registers with S.

1. U selects a random number b and computes h(b ⊕ PW).
2. U ⇒ S: ID, h(b ⊕ PW).
3. S computes p = h(ID ⊕ x), R = p ⊕ h(b ⊕ PW) and V = h_p(h(b ⊕ PW)).
4. S ⇒ U: a smart card containing R, V, h(·) and h_k(·).
5. U enters b into his smart card so that he does not need to remember b anymore.

4.2. Login

1. U inserts his smart card into the card reader, and then enters ID and PW.
2. The smart card computes p = R ⊕ h(b ⊕ PW) and checks whether h_p(h(b ⊕ PW)) = V holds. If not, the smart card terminates this session.
3. The smart card generates a random number r and computes c1 = p ⊕ h(r ⊕ b) and c2 = h_p(h(r ⊕ b) ⊕ Tu), where Tu denotes U's current timestamp.
4. U → S: M = {ID, c1, c2, Tu}.

4.3. Verification

Upon receiving the login request M, the remote system S performs the following steps:

1. If the format of ID is invalid or Tu = Ts, where Ts is the current timestamp of S, S rejects the login request.
2. If (Ts − Tu) > ΔT, where ΔT denotes the expected valid time interval for transmission delay, S rejects the login request.
3. S computes p = h(ID ⊕ x) and c1′ = p ⊕ c1, then checks whether h_p(c1′ ⊕ Tu) = c2 holds. If it holds, the user is authentic, S accepts the login request and performs step 4. Otherwise, S rejects the login request.
4. For mutual authentication, S computes c3 = h_p(c1′ ⊕ Ts) and sends the mutual authentication message {c3, Ts} to user U.
5. Upon receiving {c3, Ts}, U checks whether Ts is invalid or Ts = Tu; if so, U terminates this session, otherwise U performs step 6.
6. U computes c3′ = h_p(h(r ⊕ b) ⊕ Ts) and compares c3′ with c3. If they are equal, the user believes that the remote party is the authentic system and the mutual authentication between U and S is complete; otherwise U terminates the operation.

In addition, since r is randomly generated in each login phase, c1′ = h(r ⊕ b), shared between U and S, can be used as the session key for the subsequent private communication.

4.4. Password change

U inserts his smart card into the card reader, enters ID and PW, and requests a password change; the smart card then performs the following steps without any help from the server S:

1. Compute p* = R ⊕ h(b ⊕ PW) and V* = h_p*(h(b ⊕ PW)).
2. Check whether V* equals the stored V. If not, reject the password change request; otherwise U chooses a new password PWnew.
3. Compute Rnew = p* ⊕ h(b ⊕ PWnew) and Vnew = h_p*(h(b ⊕ PWnew)), then store Rnew and Vnew in the user's smart card, replacing the old values R and V respectively. The new password is now successfully updated and this phase terminates.
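The following Python implementation of the improved scheme (registration, login, verification, password change and the derived session key) is an added example, not code from the paper's authors. It assumes SHA-256 for h(·), HMAC-SHA256 for h_k(·), 32-byte XOR operands with ID, PW and timestamps zero-padded, integer timestamps, and ΔT = 5 seconds; `mutual_auth` and `replayed_message_rejected` are helpers of this example that drive one complete exchange and exercise the timestamp check of verification step 2.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumptions not fixed by the paper: h(.) is SHA-256, h_k(.) is HMAC-SHA256
# keyed with k, every XOR operand is 32 bytes (ID, PW and timestamps are
# zero-padded to that length) and the tolerated delay DELTA_T is 5 seconds.
HLEN = 32
DELTA_T = 5

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hk(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HLEN
    return bytes(x ^ y for x, y in zip(a, b))

def pad(s: bytes) -> bytes:
    assert len(s) <= HLEN
    return s.ljust(HLEN, b"\0")

def ts_bytes(t: int) -> bytes:
    return pad(str(t).encode())


class Server:
    """S keeps only its secret x: no entry table and no verification table."""

    def __init__(self) -> None:
        self.x = os.urandom(HLEN)
        self.session_key: Optional[bytes] = None

    def register(self, ident: bytes, hbpw: bytes) -> Tuple[bytes, bytes]:
        # Registration step 3: p = h(ID xor x), R = p xor h(b xor PW), V = h_p(h(b xor PW))
        p = h(xor(pad(ident), self.x))
        return xor(p, hbpw), hk(p, hbpw)

    def verify(self, msg: Tuple[bytes, bytes, bytes, int], ts: int) -> Optional[Tuple[bytes, int]]:
        ident, c1, c2, tu = msg
        if tu == ts or ts - tu > DELTA_T:            # steps 1-2: timestamp checks
            return None
        p = h(xor(pad(ident), self.x))
        c1p = xor(p, c1)                              # step 3: recover h(r xor b)
        if not hmac.compare_digest(hk(p, xor(c1p, ts_bytes(tu))), c2):
            return None
        self.session_key = c1p                        # shared key h(r xor b)
        return hk(p, xor(c1p, ts_bytes(ts))), ts      # step 4: {c3, Ts}


class Card:
    """Smart card holding R, V and b; it checks PW locally before sending."""

    def __init__(self, ident: bytes, R: bytes, V: bytes, b: bytes) -> None:
        self.ident, self.R, self.V, self.b = ident, R, V, b

    def _unlock(self, pw: bytes) -> Optional[bytes]:
        # Login step 2 / password change steps 1-2: recover p and check it against V
        hbpw = h(xor(self.b, pad(pw)))
        p = xor(self.R, hbpw)
        return p if hmac.compare_digest(hk(p, hbpw), self.V) else None

    def login(self, pw: bytes, tu: int) -> Optional[Tuple[bytes, bytes, bytes, int]]:
        p = self._unlock(pw)
        if p is None:
            return None                               # wrong PW: nothing is sent
        hrb = h(xor(os.urandom(HLEN), self.b))        # step 3: fresh r each login
        self._pending = (p, hrb, tu)
        return self.ident, xor(p, hrb), hk(p, xor(hrb, ts_bytes(tu))), tu

    def finish(self, c3: bytes, ts: int) -> Optional[bytes]:
        p, hrb, tu = self._pending
        if ts == tu or not hmac.compare_digest(hk(p, xor(hrb, ts_bytes(ts))), c3):
            return None                               # steps 5-6: S not authentic
        return hrb                                    # session key h(r xor b)

    def change_password(self, pw: bytes, pw_new: bytes) -> bool:
        p = self._unlock(pw)
        if p is None:
            return False
        hnew = h(xor(self.b, pad(pw_new)))
        self.R, self.V = xor(p, hnew), hk(p, hnew)    # step 3: R_new, V_new
        return True


def enroll(server: Server, ident: bytes, pw: bytes) -> Card:
    b = os.urandom(HLEN)                              # registration step 1
    R, V = server.register(ident, h(xor(b, pad(pw))))
    return Card(ident, R, V, b)                       # step 5: b stays on the card

def mutual_auth(server: Server, card: Card, pw: bytes, tu: int, ts: int) -> Tuple[str, Optional[bytes]]:
    """One full exchange; returns a status and the card's session key."""
    msg = card.login(pw, tu)
    if msg is None:
        return "rejected_by_card", None
    resp = server.verify(msg, ts)
    if resp is None:
        return "rejected_by_server", None
    key = card.finish(*resp)
    return ("ok", key) if key is not None else ("server_not_authentic", None)

def replayed_message_rejected(server: Server, card: Card, pw: bytes) -> bool:
    """A captured {ID, c1, c2, Tu} presented again outside DELTA_T fails step 2."""
    msg = card.login(pw, 1000)
    return server.verify(msg, 1002) is not None and server.verify(msg, 1020) is None
```

Two design points carry over from the text: the card refuses to emit any message when V does not check out, so a mistyped password never reaches the network, and every login carries a fresh h(r ⊕ b), so a replayed {ID, c1, c2, Tu} fails on its stale timestamp and the agreed session key differs between sessions.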

5. Security analysis

In this section, we only discuss the enhanced security features of our improved scheme. The others, such as resistance to the insider attack, the reflection attack and the parallel session attack, are provided in the same way as in the original schemes of Refs. [16,17].

1. Guessing attack resistance. First, R is stored in the smart card as R = h(ID ⊕ x) ⊕ h(b ⊕ PW). Since x and PW are unknown to the adversary, one can obtain neither h(ID ⊕ x) nor h(b ⊕ PW) even if R and b are extracted from the smart card. Similarly, even if the stored value V = h_p(h(b ⊕ PW)) is revealed, both p = h(ID ⊕ x) and h(b ⊕ PW) remain secure. Next, suppose the login message {ID, c1, c2, Tu} sent by U is eavesdropped on the common channel. Even under the advanced hash collision attack proposed by Wang et al. [21–23], the secret information h(ID ⊕ x) remains secure, because c1 = h(ID ⊕ x) ⊕ h(r ⊕ b) and c2 = h_p(h(r ⊕ b) ⊕ Tu) are both combined with h(r ⊕ b), which is randomized in each login request and cannot be obtained. Moreover, c1, c2, R and V are all combined with two random items and differ in form from one another, so the guessing attack on Ku et al.'s scheme is defeated in our proposed scheme.

2. Forgery/impersonation attack resistance. An adversary can attempt to modify U's login message {ID, c1, c2, Tu} into {ID, c1*, c2*, Tu*}. However, this impersonation attempt fails in step 3 of the authentication phase, because the attacker has no way to obtain the values h(ID ⊕ x) and h(r ⊕ b) needed to compute a valid c2.

3. Replay attack resistance. Neither the replay of an old login message {ID, c1, c2, Tu} nor the replay of the remote system's response {c3, Ts} will work: they fail in steps 2 and 5 of the authentication phase, respectively, because of the time interval validation.

4. Denial of service attack resistance. In Ku's and Yoon's schemes, EID = (ID||n) was used instead of ID to repair the poor repairability of h(ID ⊕ x) in Chien's scheme [15] under the assumption that h(ID ⊕ x) is revealed. Such an assumption is reasonable for Chien's scheme because of the guessing attack mentioned in Refs. [1,6]. However, in our scheme, R, V, c1 and c2 are composite results of two secret hash values, i.e. h(ID ⊕ x) is not stored directly in the smart card but is combined with other hash values, such as h(b ⊕ PW) in R or h(r ⊕ b) in c1, or acts as the secret key of the keyed hash function in V and c2. Clearly, h(ID ⊕ x) cannot be derived from any revealed value R, V, c1 or c2, or from their combinations. So the assumption of h(ID ⊕ x) being revealed, made in Ref. [16], is impractical for our scheme. That is, no entry table is necessary in our scheme. Hence, the denial of service attack resulting from the entry table in Refs. [16,17] is avoided naturally.

5. Server spoofing attack resistance. The spoofing attack is completely solved by providing mutual authentication between the user and the remote system. The remote system S sends the mutual authentication message {c3, Ts} to the user. If an attacker intercepts it and re-sends a forged message {c3*, Ts*} to user U, it is detected in steps 5 and 6 of the authentication phase, because c3′ is computed as c3′ = h_p(h(r ⊕ b) ⊕ Ts). In addition, a replay of this message is exposed by the timestamp.

6. High efficiency in password authentication. In the login phase, if U inputs a wrong password PW′, the smart card computes p′ = R ⊕ h(b ⊕ PW′) and checks whether h_p′(h(b ⊕ PW′)) = V in step 2. Obviously, the result is negative when PW ≠ PW′, and the smart card terminates the login session. Thus, the validity of the input password is detected immediately by the smart card, without waiting for server authentication as in Refs. [16,17], which results in high efficiency and saves communication bandwidth.

6. Performance analysis

In this section, we summarize some performance issues of our improved scheme and compare the results with Ku et al.'s scheme and Yoon et al.'s scheme. Finally, a table comparing the performance of the referenced schemes is given at the end of this section.

All three schemes are based entirely on hash and exclusive-OR operations. Because the exclusive-OR operation requires very little computation, its cost is usually neglected. In addition, we mainly focus on the computations of the login and authentication phases, since these two phases are the main body of an authentication scheme. In the login phase of our improved scheme, the smart card performs four hashing operations, while both Ku et al.'s and Yoon et al.'s schemes require two. In the authentication phase, each of the three schemes requires four hash operations. As for the registration and password change phases, our scheme requires three and four hashing operations respectively, while both Ku's and Yoon's schemes require two hashing operations in each phase. This is because our scheme provides two-variant hashing operations for resisting the guessing attack, the forgery attack and advanced collision attacks, even if all the information stored in the smart card or transmitted via the insecure channel is extracted by the adversary. Evidently, such security is well worth the cost of only five extra hashing operations.

Excluding the non-cryptographic parameters ID and Tu, the login request message is 2|h(·)| bits, while in both Ku's and Yoon's schemes it is |h(·)| bits. In the mutual authentication, the authentication response message is the same as that of Ku's and Yoon's schemes, i.e. |h(·)| bits, excluding the non-cryptographic data Ts. It can be seen that our improvement on Ku's and Yoon's schemes has a low communication cost and is extremely efficient.

In addition to an efficient smart card, a verification table should be avoided wherever possible. But both Ku's and Yoon's schemes require an entry table on the server side to overcome the poor repairability of h(ID ⊕ x), which carries the risk of the entry table being modified and the cost of protecting and maintaining it, as mentioned in Section 3. In comparison, our improved scheme does not require any verification or entry table on the server side. In the login phase, a wrong password input by the user is detected immediately by the smart card, and no login request with a wrong password is issued. In Refs. [16,17], by contrast, the login request with a wrong password is unconditionally sent to the remote system, and the erroneous login session is not terminated until the server checks c2 = h(h(EID ⊕ x) ⊕ Tu) in the authentication phase. Thus, our proposed scheme is more efficient and uses less communication bandwidth. Moreover, a session key h(r ⊕ b) is generated after successful mutual authentication, so the extra computation and communication cost of negotiating a session key is also saved. The comparisons among the three schemes are summarized in Table 1.

Table 1
Performance comparisons among smart card based schemes

Scheme          Computation cost        Communication cost                  Entry table      Password change   Error password     Session key
                Login  Auth  Total      Login     Auth-response  Total      at server side   protection        login detection    generation
Our scheme      4H     4H    8H         2|h(·)|   |h(·)|         3|h(·)|    No               Strong            Yes                Yes
Ku's scheme     2H     4H    6H         |h(·)|    |h(·)|         2|h(·)|    Yes              Weak              No                 No
Yoon's scheme   2H     4H    6H         |h(·)|    |h(·)|         2|h(·)|    Yes              Medium            No                 No

H denotes the computational cost of one hash operation; keyed and unkeyed hash functions are assumed to have the same computational cost without loss of generality. |h(·)| denotes the bit-length of a hash value.

7. Conclusion

In this paper, we show that both Ku et al.'s scheme and Yoon et al.'s scheme are vulnerable to the guessing attack, the forgery attack and the denial of service attack, and are inefficient in password authentication. By introducing the two-variant hashing operation, we propose an efficient and secure improvement on them that keeps the merits of the original schemes. As a result, only a few


additional hash operations are required to fix the security flaws and gain extra security. The proposed improvement is still based entirely on cryptographic hash functions, and does not maintain any verification table on the remote server. Compared with the traditional Diffie-Hellman or RSA based algorithms, the efficiency of the improved algorithm is very high because it involves no time-consuming modular exponentiation. Another merit of the proposed algorithm is that it is faster and more efficient to implement on smart cards, which have lower computation power and lower communication bandwidth. Hence, our improved scheme can easily be realized in practical resource-limited environments.

References

[1] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (11) (1981) 770–772.
[2] R.E. Lennon, S.M. Matyas, C.H. Mayer, Cryptographic authentication of time-invariant quantities, IEEE Trans. Commun. COM-29 (6) (1981) 773–777.
[3] S.M. Yen, K.H. Liao, Shared authentication token secure against replay and weak key attack, Information Processing Letters (1997) 78–80.
[4] C.C. Chang, T.C. Wu, Remote password authentication with smart cards, IEE Proceedings Part E: Computers and Digital Techniques 138 (3) (1991) 165–168.
[5] T.C. Wu, H.S. Sung, Authenticating passwords over an insecure channel, Computers and Security 15 (5) (1996) 431–439.
[6] S.J. Wang, J.F. Chang, Smart card based secure password authentication scheme, Computers and Security 15 (3) (1996) 231–237.
[7] K. Tan, H. Zhu, Remote password authentication scheme based on cross-product, Computer Communications 18 (1999) 390–393.
[8] W.H. Yang, S.P. Shieh, Password authentication schemes with smart card, Computers and Security 18 (8) (1999) 727–733.
[9] M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000) 28–30.
[10] X.M. Wang, J.S. Zhang, W.F. Zhang, M.K. Khan, Security improvement on the timestamp-based password authentication scheme using smart cards, IEEE Proceedings on ICEIS'06, Islamabad, April 2006, pp. 140–142.
[11] M.K. Khan, J.S. Zhang, X.M. Wang, Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices, Chaos, Solitons and Fractals (in press), doi:10.1016/j.chaos.2006.05.061.
[12] M.K. Khan, J.S. Zhang, Cryptanalysis and comments on "A dynamic ID-based remote user authentication scheme", International Journal of Computer Science and Network Security 5 (11) (2005) 106–110.
[13] M.K. Khan, J.S. Zhang, Improving the security of "A flexible remote user authentication scheme", Computer Standards and Interfaces 29 (2007) 82–85.
[14] H.M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (4) (2000) 958–961.
[15] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Computers and Security 21 (4) (2002) 372–375.
[16] W.C. Ku, S.M. Chen, Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 204–207.
[17] E.J. Yoon, E.K. Ryu, K.Y. Yoo, Further improvement of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (2) (2004) 612–614.
[18] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proc. Advances in Cryptology (CRYPTO'99), 1999, pp. 388–397.
[19] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552.
[20] A. Shamir, Identity-based cryptosystems and signature schemes, Proceedings CRYPTO'84, LNCS, vol. 196, 1984, pp. 47–53.
[21] X. Wang, F. Guo, X. Lai, H. Yu, Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD, Rump Session of Crypto'04 and IACR ePrint Archive, August 2004.
[22] X. Wang, H.B. Yu, How to break MD5 and other hash functions, Advances in Cryptology, Eurocrypt'05, Springer-Verlag, May 2005, pp. 19–35.
[23] X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf, February 2005.

Xiao-Min Wang received the B.S. and M.S. degrees from the College of Computer & Communication Engineering, Southwest Jiaotong University, China in 1996 and 2004, respectively. Currently, he is pursuing the Ph.D. degree at Southwest Jiaotong University, Chengdu, PR China. His research interests include information security and secure communication, chaotic cryptology, biometrics, and digital data hiding. He has published over 20 papers on hash function design, threshold signatures, and smart card based authentication schemes.

Wen-Fang Zhang received the B.S. and M.S. degrees from the College of Computer & Communication Engineering, Southwest Jiaotong University in 2001 and 2003, respectively. Currently, she is pursuing the Ph.D. degree at Key Lab of Information Security and National Computing Grid, Southwest Jiaotong University of China. Her main research interests include information security, threshold signature, and cryptology.

Jia-Shu Zhang received the B.S. degree in electronic engineering from the University of electronic science and technology of China, Chengdu, PR China in 1987 and a M.S. degree in biomedical engineering and instruments from Chongqing University in 1990, and a Ph.D. degree in communication and information system from the University of electronic science and technology of China, Chengdu, PR China in 2001. He is currently a full professor of information and communication engineering in the School of Information Science and Technology at Southwest Jiaotong University, Chengdu, PR China. His current research interests are in the areas of biometric and information security, signal processing for communication, nonlinear system and chaos.

Muhammad Khurram Khan received the BCS (Hons) and MCS degrees from Bahria University, Institute of Management and Computer Sciences, in 2001 and 2003 respectively, and a Ph.D. degree in signal and information processing from Southwest Jiaotong University Chengdu, PR China in 2006. He is the group leader of ʽResearch Group for Biometrics & Security' at Sichuan Key Lab of Signal & Information Processing, China. His research interests include Biometrics, information and communication security, cryptology, and digital data hiding.