More secure remote user authentication scheme

Computer Communications 32 (2009) 1018–1021

Contents lists available at ScienceDirect

Computer Communications journal homepage: www.elsevier.com/locate/comcom

More secure remote user authentication scheme Sang-Kyun Kim a, Min Gyo Chung b,* a b

Department of Computer Engineering, Myongji University, Gyeonggido 449-728, Republic of Korea Department of Computer Science, Seoul Women’s University, Seoul 139-774, Republic of Korea

a r t i c l e

i n f o

Article history: Received 19 July 2008 Accepted 22 November 2008 Available online 3 December 2008 Keywords: Authentication Information security Smart card

a b s t r a c t Recently, Yoon and Yoo proposed a remote user authentication scheme which is an improvement on Lee– Kim–Yoo’s method. However, we find out that Yoon–Yoo’s scheme easily reveals a user’s password and is vulnerable to both masquerading user attack and masquerading server attack. Yoon–Yoo’s scheme is also exposed to stolen verifier attack, because it has to maintain a user database in a remote server. This paper proposes a new remote user authentication scheme that resolves all aforementioned problems, while keeping the merits of Yoon–Yoo’s scheme. Ó 2008 Elsevier B.V. All rights reserved.

1. Introduction

2. Review of Yoon–Yoo’s scheme

Understandably, a high security networked system calls for a remote user authentication mechanism, which serves to verify whether communicating parties are genuine and trustworthy. Since Lamport’s seminal work in 1981 [1], a variety of approaches to remote user authentication have been published in the literature. In 2002, Chien–Jan–Tseng [2] presented an authentication scheme to provide the mutual authentication between a user and a remote server. However, their scheme was found to be vulnerable to parallel session attack. Lee–Kim–Yoo enhanced Chien–Jan– Tseng’ scheme by eliminating parallel session attack [3, 4]. Later, Yoon–Yoo [5] showed that Lee–Kim–Yoo’s scheme is also vulnerable to some insidious attacks, such as masquerading server attack. In this paper, however, we demonstrate that Yoon–Yoo’s scheme easily reveals a user’s password and is vulnerable to masquerading user attack and masquerading server attack. Besides, Yoon–Yoo’s scheme is susceptible to stolen verifier attack, because it has to maintain a user database on a server. Therefore, this paper aims to modify Yoon–Yoo’s method and propose a new user authentication scheme that removes all the above problems, while keeping the merits of Yoon–Yoo’s scheme. The rest of this paper is organized as follows. In Section 2, we give a brief review on Yoon–Yoo’s scheme and discuss its drawbacks. In Section 3, we describe the new user authentication scheme proposed in this paper. The security analysis of the proposed scheme is presented in Section 4. Finally, we conclude this paper with a short remark in Section 5.

In this section, we examine again a remote user authentication scheme proposed by Yoon and Yoo in 2005. Yoon–Yoo’s scheme consists of four phases (i.e., registration, login, verification, and password change) and is well summarized in Fig. 1. For convenience of description, we will use the symbols and notations similar to the ones in Yoon–Yoo’s scheme.

* Corresponding author. Tel.: +82 2 970 5753; fax: +82 2 970 5981. E-mail addresses: [email protected] (S.-K. Kim), [email protected] (M.G. Chung). 0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.11.026

         

U: a user. ID, PW: U’s identifier and password, respectively. CARD: U’s smart card. S: a remote server. x: S’s secret key. T1, T2: U’s current timestamp and S’s current timestamp, respectively. h(): a hash function. : bitwise XOR operation. ?, ): a common communication channel and a secure communication channel, respectively. X ? Y {M}: X sends a message M to Y over a common communication channel.

Registration phase. In this phase, the user U initially registers with the server S. (1) U ) S {ID, PW}. (2) Using ID and PW, S computes a derived key K ¼ hðID PW  xÞ. S also computes R = K  PW and V = K  x. (3) S stores ID and V into a user database and then saves K, R, and h() into a smart card CARD. (4) S ) U {CARD}.

S.-K. Kim, M.G. Chung / Computer Communications 32 (2009) 1018–1021

1019

(1) U inserts his smart card into a smart card reader and then types in his ID and PW. 0 (2) The smart card computes K 0 ¼ R  PW and compares K with the stored K. If they are not equal, the smart card rejects the password change request from U. Otherwise, U chooses a 0 new password PW . The smart card then computes 0 0 0 0 R ¼ K  PW and replaces R with R . 2.1. Security flaws

Fig. 1. Yoon–Yoo’s remote user authentication scheme.

Login phase. In this phase, the user U submits a login request to the server S whenever U wants to access some resources upon S. (1) U inserts his smart card, CARD, into a smart card reader and then inputs his ID and PW. (2) The smart card computes C1 = R  PW. If C1 – K, the smart card rejects U’s login request. Otherwise, it computes C2 = h(C1  T1). (3) U ? S {ID, T1, C2}. Verification phase. Upon receiving the login request from the user U, the server S verifies its authenticity in this phase. (1) S checks the validity of ID and T1. If either one of them is not valid, S aborts the current session. Otherwise, S checks if hðV  x  T 1 Þ is equal to the received C2. If not, S aborts the current session. Otherwise, S successfully authenticates U and computes C 3 ¼ hðV  x  C 2  T 2 Þ. (2) S ? U {T2, C3}. (3) U checks the validity of T2. If T2 is not valid, U terminates the current session. Otherwise, U checks again if hðC 1  C 2  T 2 Þ is equal to the received C3. If not equal, U terminates the current session. Otherwise, U now successfully authenticates S. Password change phase. In this phase, the user U changes his password any time he wants.

We assume that an attacker U a has total control over the communication channel between the user U and the remote server S, which means that he can insert, delete, or alter any messages in the channel. According to the researches in [6, 7], all existing smart cards are vulnerable since the secret values stored in a smart card could be extracted by monitoring its power consumption. Therefore, we further assume that the attacker U a can steal the user’s smart card and extract the values stored in the smart card. Under these two assumptions, we will examine some security flaws of Yoon–Yoo’s remote user authentication method. Leak of password. The server S stores K, R, and h() into the smart card of the user U in the registration phase. If the attacker U a steals the smart card and extracts the secret values from the smart card as in [6, 7], he can then easily figure out U’s password by computing K  R ¼ K  ðK  PWÞ ¼ PW. Masquerading user attack. U a can also use the information on the stolen smart card to forge a login request message with ease. Specifically, U a is able to compute C 2 ¼ hðK  T 1 Þ by using the current timestamp T 1 and the derived key K on the stolen smart card. U a can now impersonate U by sending the login request message fID; T 1 ; C 2 g to the server S. Masquerading server attack. If the derived key K on the smart card is accidentally revealed to the attacker U a as above, it is possible for U a to launch a masquerading server attack. Consider that U a intercepts a login request message fID; T 1 ; C 2 g. He can then forge C 3 ¼ hðK  C 2  T 2 Þ with the revealed key K, the intercepted C2, and the current timestamp T 2 . Consequently, U a can impersonate S by sending fT 2 ; C 3 g back to the user U. Stolen verifier attack. In the registration phase, the server stores ID and V into a user database. However, this user database is always under the threat of stolen verifier attack. In particular, if the attacker U a who has already stolen the smart card is also capable of sneaking into the user database, it will be simple for him to dig out the server secret key x by computing K  V ¼ K ðK  xÞ ¼ x. 3. Proposed scheme In this section, we describe a new remote user authentication scheme which resolves all the above security flaws of Yoon–Yoo’s scheme. Fig. 2 shows the entire protocol structure of the new authentication scheme. Registration phase. In this phase, the user U initially registers with the server S. (1) U ) S {ID, PW}: U chooses his ID and PW, and sends them over a secure communication channel to S. (2) Upon receiving ID and PW, S derives K 1 ¼ hðID  xÞ  N and K 2 ¼ hðID  x  NÞ  hðPW  hðPWÞÞ, where N is a random number unique to the user U. Then S computes a quantity R ¼ K 1  hðPWÞ. (3) S stores the secure information K1, K2, R, and h() into U’s smart card CARD. (4) S ) U {CARD}: Now S finishes the registration procedure by delivering the completed smart card to U.

1020

S.-K. Kim, M.G. Chung / Computer Communications 32 (2009) 1018–1021

(3) Upon receiving the message {T2, C3}, U checks the freshness of T2 in the same way as above. If T2 is not fresh, U terminates the current session. Otherwise, U checks again if hðC 01  C 2  T 2 Þ is equal to the received C3. If not equal, U terminates the current session. Otherwise, U now successfully authenticates S. Password change phase. In this phase, the user U changes his password any time he wants. (1) U inserts his smart card into a smart card reader and then types in his ID and PW. (2) The smart card computes K 01 ¼ R  hðPWÞ and compares K 01 with the stored K1. If they are not equal, the smart card rejects the password change request. Otherwise, U chooses 0 a new password PW . (3) The smart card then computes R0 ¼ K 01  hðPW 0 Þ and K 02 ¼ K 2  hðPW  hðPWÞÞ  hðPW 0  hðPW 0 ÞÞ. It now repla0 ces R and K2 with newly updated R and K 02 , respectively. 4. Security analysis

Fig. 2. Proposed user authentication scheme.

Login phase. In this phase, the user U sends a login request message to the server S whenever U wants to access some resources upon S. (1) U inserts his smart card, CARD, into a smart card reader and then inputs his ID and PW. (2) Using PW, the smart card computes C 1 ¼ R  hðPWÞ. If C1 is not equal to the stored K1, the smart card rejects U’s login request. Otherwise, it computes C 01 ¼ K 2  hðPW  hðPWÞÞ and then C 2 ¼ hðC 01  T 1 Þ, where T1 is the current timestamp. (3) U ! SfID; T 1 ; C 1 ; C 2 g. Verification phase. In this phase, the server S verifies the authenticity of the login message requested by the user U. (1) Upon receiving the message fID; T 1 ; C 1 ; C 2 g, S checks the validity of ID and the freshness of T1. The freshness of T1 0 is checked by performing T 0  T 1 6 DT, where T is the time that S receives the above message and DT is a valid time interval. If ID is not valid or T1 is not fresh, S aborts the current session. Otherwise, S computes N 0 ¼ C 1  hðID  xÞ and checks if hðhðID  x  N 0 Þ  T 1 Þ is equal to the received C2. If not, S terminates the current session. Otherwise, S successfully authenticates U and computes C 3 ¼ hðhðID  x  N 0 Þ C 2  T 2 Þ, where T2 is the current timestamp. (2) S ? U {T2, C3}.

In this section, we give an in-depth analysis of the proposed scheme in terms of security properties. The comparison of Yoon– Yoo’s scheme and our scheme is summarized in Table 1. Server secret key guessing attack. An attacker U a may attempt to extract the server secret key x from K 1 ¼ hðID  xÞ  N or K 2 ¼ hðID  x  NÞ  hðPWÞ. However, this attempt will fail because it is computationally infeasible to invert the one-way hash function h(). Masquerading user attack. If the attacker U a tries to masquerade as the user U, he must be able to forge a valid login message fID; T 1 ; C 1 ; C 2 g. However, it is impossible to compute C 1 ¼ hðID xÞ  N or C 2 ¼ hðhðID  x  NÞ  T 1 Þ without the knowledge of the server secret key x and the user-specific random number N. Suppose further that U a has stolen U’s smart card, so can access all the secure information on the stolen smart card, including K1, K2, R, and h(). Then U a can obtain C1 through K1, but cannot still compute C2 because he cannot derive hðID  x  NÞ from K 1 ; K 2 ; R; hðÞ or any other combinations of them. Therefore, our scheme can defeat the various attempts of masquerading user attack. Masquerading server attack. If U a attempts to impersonate the server S, he must be able to forge a valid response message {T2, C3}. However, this attempt will fail, because it is infeasible to compute C 3 ¼ hðhðID  x  N 0 Þ  C 2  T 2 Þ without the knowledge of hðID  x  N 0 Þ. Note also that there is no way to compute C3, even if K1, K2, and R on the smart card are all revealed by accident and C2 is obtainable from the intercepted login message fID; T 1 ; C 1 ; C 2 g. Stolen verifier attack. We do not use a verification table, so any kind of stolen verifier attack will not occur in our scheme. Table 1 Comparison of Yoon–Yoo’s scheme and our scheme. X: not preventable and O: preventable. Security properties

Yoon–Yoo

Ours

Server secret key guessing attack Masquerading user attack Masquerading server attack Stolen verifier attack Replay attack Parallel session attack Man-in-the-middle attack Secret key forward secrecy Leak of password Early detection of incorrect password Secure password change

O X X X O O O Yes Yes Yes Yes

O O O O O O O Yes No Yes Yes

S.-K. Kim, M.G. Chung / Computer Communications 32 (2009) 1018–1021

Replay attack. Our scheme can resist a replay attack, because the authenticity of two messages fID; T 1 ; C 1 ; C 2 g and {T2, C3} is verified by checking the freshness of two timestamps T1 and T2, respectively. Parallel session attack. U a may launch a parallel session attack by replaying the server’s response message as the user’s login request message at a later time. However, this attack is not possible in our scheme, because the message structure of C3 is totally different from C1 or C2. Man-in-the-middle attack. U a may attempt a man-in-the-middle attack by altering the login request message fID; T 1 ; C 1 ; C 2 g into fID; T 1 ; C 1 ; C 2 g. However, this malicious attempt will fail, because the computation of valid C 1 and C 2 requires the knowledge of x and N. Similarly, U a cannot alter the response message {T2, C3} into fT 2 ; C 3 g, either. Secret key forward secrecy. In our scheme, even if the server secret key x happens to be revealed, the attacker U a cannot impersonate other users by using the revealed key x, because U a cannot compute two quantities, C1 or C2, in the login message without the knowledge of the user’s N and PW. Leak of password. In our scheme, although U a steals U’s smart card, U a cannot extract U’s password, PW, by using K 1 ; K 2 ; R; hðÞ or any other combinations of them. Early detection of incorrect password. In most existing schemes, an incorrect password is detected by a remote server, after a login request message is delivered to the server. In our scheme, however, U’s smart card detects the incorrect password early in the login phase by comparing C1 with K1, without any interactions with the remote server. Secure password change. Before accepting new password, our scheme verifies the correctness of old password by comparing K 01 with the stored K1. Therefore, even if the smart card is stolen, the attacker U a cannot alter U’s password at his own will. 5. Conclusion Various remote user authentication methods have been published in the literature. In recent years, Yoon and Yoo proposed a

1021

remote user authentication method that exhibits some good features such as secure provision of mutual authentication, secret key forward secrecy, fast detection of wrong password, and so on. However, we have discovered some security flaws that lie hidden in Yoon–Yoo’s method. Among others, Yoon–Yoo’s method is vulnerable to masquerading user attack, masquerading server attack, and stolen verifier attack. In this paper, we modify Yoon–Yoos’ method and propose a new remote user authentication method that removes all those security flaws while keeping the merits of Yoon–Yoo’s method. The proposed scheme can prevent masquerading user attack, masquerading server attack, and stolen verifier attack. In addition, it can resist some other malicious attacks, e.g., server secret key guessing attack, replay attack, parallel session attack, and man-in-the-middle attack. Further, it can provide some useful features, e.g., early detection of incorrect password, secret key forward secrecy, secure password change, and prevention of password leak. Acknowledgment This work was supported by a special research grant from Seoul Women’s University (2008). References [1] L. Lamport, Password authentication with insecure communication, Communications of ACM 24 (1981) 770–772. [2] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Computers & Security 21 (4) (2002) 372–375. [3] S. Lee, H. Kim, K. Yoo, Improved efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (2) (2004) 565–567. [4] S. Lee, H. Kim, K. Yoo, Improvement of Chien et al.’s remote user authentication scheme using smart cards, Computer Standards & Interfaces 27 (2004) 181–183. [5] E. Yoon, K. Yoo, More efficient and secure remote user authentication scheme using smart cards, in: Proceedings of 11th International Conference on Parallel and Distributed System, vol. 2, 2005, pp. 73–77. [6] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552. [7] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proceedings of Advances in Cryptology (1999) 388–397.