The Journal of China Universities of Posts and Telecommunications, June 2012, 19(Suppl. 1): 137–141
www.sciencedirect.com/science/journal/10058885
http://jcupt.xsw.bupt.cn

On the security of two password authenticated key agreement schemes using smart cards

YANG Jun-zuo (1), WANG Yong-jian (1), QIAN Hai-feng (2), ZHOU Yuan (1)
1. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
2. Department of Computer Science and Technology, East China Normal University, Shanghai 200241, China
Abstract After a password authenticated key agreement scheme using smart cards was proposed by Juang et al in 2008, Sun et al and Li et al respectively demonstrated some weaknesses in Juang's scheme and proposed improved schemes. However, although the two later schemes overcome the weaknesses of the earlier scheme, we find several weaknesses in them. In Sun's scheme there are two defects: insecurity under card-compromise attack and weaknesses of the password-changing operation. In Li's scheme we find the following defects: vulnerability to denial of service (DoS) attack, server-compromise forward insecurity, complex key setup and session key problems. This paper discusses these problems in detail, and our analysis will be helpful to avoid similar mistakes in future works.

Keywords anonymity, authentication, key agreement, smart card, untraceability, network security
1 Introduction
Received date: 21-04-2012. Corresponding author: YANG Jun-zuo. DOI: 10.1016/S1005-8885(11)60455-X

With the requirement of user authentication in various network environments, many password-based authenticated key agreement protocols, Refs. [1–11], have been proposed. In these password-based schemes, human-memorable passwords, such as a string with a certain meaning, are employed owing to their convenience in use. A client remembers a password and the corresponding server stores its verification data, which are used to verify the client's identity. In addition, a session key, used to provide privacy and data integrity, can be produced during the process of authentication. In 2008, Juang et al proposed a password-authenticated key agreement scheme using smart cards (hereinafter JCL) [9]. JCL addresses the threat of smart card loss and reduces implementation costs by employing the elliptic-curve algorithm, and it also has many other properties as mentioned in Ref. [9]: no password or verification table, freely chosen password, no time-synchronization problem, anonymity (identity protection), mutual authentication, session key agreement, etc. However, although JCL is a robust and efficient scheme, there are still some weaknesses in it. Sun et al in Ref. [10] and Li et al in Ref. [11] separately analyzed JCL's weaknesses and proposed improved schemes. Sun et al pointed out that JCL suffers from three weaknesses: inability of password-changing operation, session-key problem and inefficiency of the double secret keys; they then proposed an improved scheme (hereinafter SUN) [10]. SUN overcomes the weaknesses they mentioned and reduces storage and computation costs on the smart card compared with JCL. Li et al pointed out that the anonymity property provided by JCL is only the so-called initiator anonymity (i.e., sender anonymity in Ref. [12]), and that a more ideal anonymity property is initiator untraceability (i.e., sender untraceability in Ref. [12]). As a countermeasure, Li et al proposed an enhanced scheme (hereinafter LI) [11]. LI provides the initiator untraceability property [12] and introduces consistency verification in the password-changing phase to prevent a kind of DoS attack found in JCL. This paper demonstrates that SUN and LI also suffer from some weaknesses. There are two defects, insecurity
under card-compromise attack and weaknesses of the password-changing operation, found in SUN. We also find the following defects in LI: vulnerability to DoS attack, server-compromise forward insecurity, complex key setup and session key problems. We hope our analysis will enable similar mistakes to be avoided in future works. We review the two schemes, SUN and LI, and analyze their insecurities in Sect. 2. In Sect. 3, we draw a conclusion.

The notations required in this paper include the following.
1) $p$ is a large prime.
2) $E$ is an elliptic curve over the finite field $F_p$.
3) $G$ is a point of large order $n$.
4) $(x, P)$ is the server's private-public key pair based on elliptic curve cryptosystems.
5) $h(\cdot)$, $h_1(\cdot)$ and $h_2(\cdot)$ are cryptographically secure hash functions.
6) $E_s(\cdot)$ is a symmetric (block) cipher with the secret key $s$ of the server.
7) $\mathcal{D}$ is the password dictionary.
8) $\|$ denotes the string concatenation operator, and $|r|$ represents the bit length of $r$.

2 Analysis of previous works

In this section, we point out the weaknesses found in the schemes SUN and LI, which motivate us to design a secure two-factor authentication DRCC in the next section. Our design trick will eliminate these weaknesses and allow other appealing features.

2.1 Review of SUN

The scheme SUN in Ref. [10] contains four phases: parameter-generation, registration, login (including the precomputation), and password-changing phases, as shown in Fig. 1. In the parameter generation phase, the server first chooses a large prime $p$ and an elliptic curve $E$ over the finite field $F_p$, then finds a point $G$ of large order $n$, and sets $(p, E, G, n)$ as the system parameters. Moreover, the scheme also needs three public hash functions $h(\cdot)$, $h_1(\cdot)$, and $h_2(\cdot)$. In the registration phase, the user submits his identity $ID_u$ to the server, which selects a random number $r$ and responds with the password $PW$ and the smart card containing $IM = E_s(ID \| r)$ and $V = h(ID \| s) \oplus h(PW)$, where $ID = ID_u \| ID_s$, $ID_s$ is the identity of the server, and $s$ is the master key of the server. In the authentication phase, the card selects $r_u \in_R [1, n-1]$, computes $G_u = r_u G$ and sends $IM, G_u$ to the server after the user keys in the password $PW$. The server decrypts $IM$ to obtain $ID$, which is checked for consistency. Then the server selects $r_s \in_R [1, n-1]$, computes $G_s = r_s G$, and returns $(M_s, G_s)$ to the card, where $K_{su} = h_1(h(ID \| s) \| r_s G_u)$ and $M_s = h_2(K_{su} \| G_u \| G_s)$. The card computes $V' = V \oplus h(PW)$ and $K_{su} = h_1(V' \| r_u G_s)$, validates $M_s = h_2(K_{su} \| G_u \| G_s)$, and then sends $M_u = h_2(K_{su} \| G_s)$ to the server. Now the server checks whether or not $M_u = h_2(K_{su} \| G_s)$ holds. If yes, the server accepts the login request of the card. To change his password from $PW$ to $PW^*$, the user replaces $V$ on his card with $V^* = V \oplus h(PW) \oplus h(PW^*)$.

Fig. 1 The authentication of SUN (message flow between user/card and server):
(1) $ID_u$;
(2) $IM = E_s(ID \| r)$, $V = h(ID \| s) \oplus h(PW)$;
(3) $G_u = r_u G$, $IM$;
(4) $G_s = r_s G$, $M_s = h_2(K_{su} \| G_u \| G_s)$;
(5) $M_u = h_2(K_{su} \| G_s)$;
(6) $V^* = V \oplus h(PW) \oplus h(PW^*)$.

2.2 Cryptanalysis of SUN

We find in SUN the following two defects: insecurity under card-compromise attack, and weaknesses of the password-changing operation.

2.2.1 Insecurity under card-compromise attack

We have the theorem below.

Theorem 2.1 The scheme SUN is vulnerable to the off-line password guessing attack if the smart card is compromised.

Proof As described below, the adversary $A$ can derive the user's password if the smart card is compromised.
1) $A \to S$: $A$ sends $(IM, G_A)$ to the server, computing $G_A = r_A G$ for $r_A \in_R [1, n-1]$, since the smart card contains $IM$.
2) $A \leftarrow S$: Upon receiving $(IM, G_A)$, the server decrypts $IM$ to confirm the consistency of $ID$. $IM$ will of course pass the verification (since it was generated in the registration phase by the server itself); then the server chooses $r_s \in_R [1, n-1]$ and responds with $G_s = r_s G$, $M_s = h_2(K_{su} \| G_A \| G_s)$, where $K_{su} = h_1(h(ID \| s) \| r_s G_A)$.
3) $A$ outputs $PW$: $A$ computes $r_A G_s = r_s G_A$, then picks a new $PW$ from the password dictionary and checks whether $h_2(h_1((h(PW) \oplus V) \| r_A G_s) \| G_A \| G_s) = M_s$. If yes, then $h(ID \| s) = h(PW) \oplus V$. Thus, $M_s = h_2(h_1((h(PW) \oplus V) \| r_A G_s) \| G_A \| G_s)$ must hold. Given that the password dictionary is relatively small in real applications, the adversary $A$ may thus crack the password exhaustively with computational complexity less than $O(3|\mathcal{D}| h_t)$, since each time $A$ only needs to compute three hash function values.
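The following simulation is added here as an illustration of the check in step 3; it is neither the paper's nor SUN's code. The elliptic-curve group is replaced by a multiplicative group modulo a constructed prime (which keeps the relation $r_A G_s = r_s G_A$ that the step relies on), $h$, $h_1$ and $h_2$ are all modelled by SHA-256, and $E_s(ID \| r)$ is modelled as an opaque token the server maps back to $ID$; these are assumptions of the example.

```python
import hashlib
import secrets

# Added example (not from the paper): toy model of the SUN login and the
# card-compromise check of Theorem 2.1.  Stand-ins: multiplicative group mod P
# for the curve, SHA-256 for h/h1/h2, opaque tokens for IM = Es(ID||r).
P = 2**127 - 1           # constructed prime modulus
G = 3                    # generator, stand-in for the curve point G
N = P - 1                # order of the group, stand-in for n

def h(*parts: bytes) -> bytes:           # one hash models h, h1 and h2
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def mul(k: int, point: int) -> int:      # scalar multiplication k*G -> G^k mod P
    return pow(point, k, P)

def ib(v: int) -> bytes:                 # group element as fixed-width bytes
    return v.to_bytes(16, "big")

class Server:
    def __init__(self) -> None:
        self.s = secrets.token_bytes(32)  # master key s
        self.cards = {}                   # IM -> ID, replaces decrypting Es(ID||r)

    def register(self, id_u: bytes, pw: bytes) -> tuple[bytes, bytes]:
        im = secrets.token_bytes(16)      # opaque IM handed to the card
        self.cards[im] = id_u
        v = xor(h(id_u, self.s), h(pw))   # V = h(ID||s) XOR h(PW), stored on the card
        return im, v

    def respond(self, im: bytes, g_u: int) -> tuple[int, bytes]:
        """Server side of the login: returns (G_s, M_s) for any valid IM."""
        id_u = self.cards[im]
        r_s = secrets.randbelow(N - 1) + 1
        g_s = mul(r_s, G)
        k_su = h(h(id_u, self.s), ib(mul(r_s, g_u)))       # h1(h(ID||s) || r_s G_u)
        return g_s, h(k_su, ib(g_u), ib(g_s))               # h2(K_su || G_u || G_s)

def offline_guess(srv: Server, im: bytes, v: bytes, dictionary: list[bytes]):
    """Theorem 2.1: with (IM, V) read from a compromised card, one login run
    gives (G_s, M_s), and every dictionary entry can be tested offline."""
    r_a = secrets.randbelow(N - 1) + 1
    g_a = mul(r_a, G)
    g_s, m_s = srv.respond(im, g_a)
    shared = ib(mul(r_a, g_s))           # r_A G_s == r_s G_A
    for cand in dictionary:              # three hashes per candidate
        k_guess = h(xor(h(cand), v), shared)
        if h(k_guess, ib(g_a), ib(g_s)) == m_s:
            return cand
    return None
```

The single server response is enough because $V \oplus h(PW)$ reveals $h(ID \| s)$ for the right guess, so the server is not contacted again per candidate and no online rate limit applies.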
2.2.2 Weaknesses of password-changing operation

In the offline password-changing phase of SUN, the user changes his password independently without interaction with the server. Eventually, he can use either the old password with the old card or the new password with a new card to login. This also happened in JCL [9], which was viewed as a weakness by Sun et al themselves [10]. Another subtle flaw of Sun et al's non-interactive password changing results from the fact that the password cannot be expected to be read reliably into the computer or other card readers. For example, password mistyping is very common in reality; it may be random, or be skewed by the adversary via technical means or social engineering manipulation [13]. If the user wants to change his password from $PW$ to $PW^*$ and keys in the password $PW^*$, mistyping (whether random or skewed by the adversary) may happen, and the card reader treats some value, say $PW^{**}$, as the expected $PW^*$. Then $V^{**} = V \oplus h(PW) \oplus h(PW^{**})$ may cause an authentication failure in the next session. This could happen very easily. Suppose that a malicious colleague of the user wants to make the user's card ineffective; she/he can launch the lunch-time attack. Namely, she/he may run the password-changing program by inputting two random strings $PW_1$ and $PW_2$; then the card becomes useless since the user knows neither $PW_1$ nor $PW_2$. This opens a subtle vulnerability in password changing caused by password mistyping.

2.3 Review of LI

The scheme LI contains five phases: parameter generation, registration, pre-computation, login, and password-changing phases. The first phase is identical to that of JCL, and the public parameters are $(p, E, G, P = xG)$; the master key of the server is $(x, s)$. The others are described in Fig. 2. In the registration phase, the user chooses a password $PW$ and a random string $b$, then sends $(ID_u, h(PW \| b), N_0)$ to the server, where $N_0$ is a nonce. The server creates the card identifier $CI$ and stores the 3-tuple $(ID_u, CI, N_0)$ in its registration table. Then the smart card that contains $b^{N_0}_{ID_u} = E_s(t \| h(t))$, $V_{ID_u} = h(ID_u \| s \| CI)$, $ID_u$, $CI$ is issued by the server, where $t = (ID_u \| CI \| N_0) \| ((ID_u \| CI \| N_0) \oplus h(PW \| b))$. Lastly, the user also stores $b$ into the card.
Fig. 2 The authentication of LI (message flow between user/card and server):
(1) $ID_u$, $h(PW \| b)$, $N_0$;
(2) $b^{N_0}_{ID_u}$, $V_{ID_u}$, $ID_u$, $CI$;
(3) $e = rG$, $c = rxG$ (pre-computation on the card);
(4) $b^{N_0}_{ID_u}$, $E_{V_{ID_u}}(N_1 \| e)$;
(5) $\hat{N}_1$, $u \oplus h_{64}(b^{N_1}_{ID_u})$, $M_s$;
(6) $h(h(PW \| b) \| V_{ID_u} \| c \| u)$;
(7) $E_k((ID_u \| CI \| N^*) \| h(PW^* \| b^*))$;
(8) $E_k(b^{N^*}_{ID_u} \| ID_u \| CI \| N^*)$.
In the pre-computation phase, the user pre-computes $e = rG$, $c = rxG$, $r \in_R \mathbb{Z}_n^*$. In the login phase, the card sends $b^{N_0}_{ID_u}$, $E_{V_{ID_u}}(N_1 \| e)$ to the server, where $N_1$ is a nonce. After decrypting $b^{N_0}_{ID_u}$, the server gets $t = (ID_u \| CI \| N_0) \| ((ID_u \| CI \| N_0) \oplus h(PW \| b))$ and $h(t)$, computes $V_{ID_u} = h(ID_u \| s \| CI)$ and derives $N_1$, $e$ by decrypting $E_{V_{ID_u}}(N_1 \| e)$ with $V_{ID_u} = h(ID_u \| s \| CI)$. Finally, the server updates in the registration table the 3-tuple $(ID_u \| CI \| N_0)$ by $(ID_u \| CI \| N_1)$, picks $u \in_R \{0,1\}^{64}$, computes $c = xe$, $M_s = h(c \| u \| V_{ID_u})$ and sends to the card $\hat{N}_1$, $u \oplus h_{64}(b^{N_1}_{ID_u})$, $M_s$. Herein, $b^{N_1}_{ID_u} = E_s(t' \| h(t'))$ where $t' = (ID_u \| CI \| N_1) \| ((ID_u \| CI \| N_1) \oplus h(PW \| b))$, and $\hat{N}_1 = b^{N_1}_{ID_u} \oplus (h(N_1 \| e \| 1) \| h(N_1 \| e \| 2) \| h(N_1 \| e \| 3))$.
The user recovers $b^{N_1}_{ID_u}$ from $\hat{N}_1$, and further gets $u$ from $u \oplus h_{64}(b^{N_1}_{ID_u})$. Thus, the card can verify whether $M_s = h(c \| u \| V_{ID_u})$ holds. If yes, it replaces $b^{N_0}_{ID_u}$ by $b^{N_1}_{ID_u}$, and responds with the message $M_u = h(h(PW \| b) \| V_{ID_u} \| c \| u)$. After verifying $M_u$, the server sets $k = h(V_{ID_u} \| c \| u)$ as the session key.

If a user wants to change his password from $PW$ to $PW^*$, he first executes the login protocol for a session key $k$, then sends $E_k((ID_u \| CI \| N^*) \| h(PW^* \| b^*))$ to the server, which updates $(ID_u, CI, N)$ with $(ID_u, CI, N^*)$ and delivers $E_k(b^{N^*}_{ID_u} \| ID_u \| CI \| N^*)$ as a response, where $b^{N^*}_{ID_u} = E_s((ID_u \| CI \| N^*) \| ((ID_u \| CI \| N^*) \oplus h(PW^* \| b^*)) \| h(ID_u \| CI \| N^* \| ((ID_u \| CI \| N^*) \oplus h(PW^* \| b^*))))$. The card can then replace $(b^{N}_{ID_u}, V_{ID_u}, ID_u, CI, b)$ by $(b^{N^*}_{ID_u}, V_{ID_u}, ID_u, CI, b^*)$ after decrypting the received message.
2.4 Cryptanalysis of LI

We find in LI the following defects: vulnerability to DoS attack, server-compromise forward insecurity, and complex key setup and session key problems.

2.4.1 Vulnerability to DoS attack

In the password-changing phase of JCL, a DoS attack was discovered by Sun et al, and it can be generalized to the scheme LI without any modification. Besides, LI is vulnerable to another DoS attack.

Theorem 2.2 In LI, there exists a DoS attack in the login phase.

Proof According to the following steps, the adversary can prevent the user from logging in via the card later.
1) Get $b^{N_0}_{ID_u}$ and $E_{V_{ID_u}}(N_1 \| e)$ sent by the user in the login phase.
2) Replace $E_{V_{ID_u}}(N_1 \| e)$ with a random string $R$ of the same length and send $b^{N_0}_{ID_u}$, $R$ to the server.
3) Block the communication (or send each party invalid random strings) and quit the session.
Since the adversary uses the correct $b^{N_0}_{ID_u}$, which contains $(ID_u \| CI \| N_0)$ in the registration table $T$, the tuple $(b^{N_0}_{ID_u}, R)$ will pass the verification. After obtaining $N' \| e'$ by decrypting $R$ under the key $V_{ID_u}$, the server updates in $T$ the 3-tuple $(ID_u \| CI \| N_0)$ by $(ID_u \| CI \| N')$. Eventually, the legal user won't be able to login again with the registered card and corresponding password, as $(ID_u \| CI \| N_0) \neq (ID_u \| CI \| N')$. Note that $N' = N_0$ happens with negligible probability since $R$ is randomly chosen.

2.4.2 Server-compromise forward insecurity

Forward secrecy requires that, if the long-term private keys of one or more entities are compromised, the secrecy of previous session keys should be preserved [14]. However, we find that LI and JCL are forward insecure if the master key of the server is compromised. This weakness is much more dangerous than user-compromise forward insecurity, as the adversary can now infer the session keys of all legal users who previously logged in to the server.

Theorem 2.3 Given a transcript of a session talk $S$ of LI (or JCL) and the master key of the server, anyone can obtain the corresponding session key.

Proof Given a session talk $S = \{(b^{N_0}_{ID_u}, E_{V_{ID_u}}(N_1 \| e)), (\hat{N}_1, u \oplus h_{64}(b^{N_1}_{ID_u}), M_s), M_u\}$ and the master key $(x, s)$ of the server in LI, the adversary can get the session key via the following:
1) Use $s$ to decrypt $b^{N_0}_{ID_u}$ for $ID_u$, $CI$, $N_0$ and compute $V_{ID_u}$ using $s$, $ID_u$ and $CI$.
2) Use $V_{ID_u}$ to decrypt $E_{V_{ID_u}}(N_1 \| e)$ for $(N_1, e)$ and compute $b^{N_1}_{ID_u} = \hat{N}_1 \oplus (h(N_1 \| e \| 1) \| h(N_1 \| e \| 2) \| h(N_1 \| e \| 3))$, and $u$ from $u \oplus h_{64}(b^{N_1}_{ID_u})$ and $b^{N_1}_{ID_u}$.
3) Compute $c = xe$, then output $k = h(V_{ID_u} \| c \| u)$.
This attack can be generalized to JCL easily.

2.4.3 Complex key setup and session key problems
A two-party key agreement scheme provides 1) explicit key confirmation if one entity is assured that another entity has actually computed the session key; or 2) implicit key confirmation if one entity is assured that another entity can compute the session key. It is believed in Ref. [14] that a three-move key agreement scheme can provide explicit key confirmation. However, LI merely provides implicit key confirmation. On the other hand, using double keys in LI (exploiting the public key infrastructure) doesn't enhance the security,
while it increases the complexity of system implementation. Furthermore, strong anonymity (or untraceability) for users comes at the cost of communication efficiency.
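A toy reconstruction of one LI login run and of the three proof steps of Theorem 2.3 (Sect. 2.4.2), added here as an illustration; it is neither the paper's nor LI's code. The elliptic-curve group is replaced by a multiplicative group modulo a constructed prime, $h$ by SHA-256, $E_s$ and $E_{V_{ID_u}}$ by a SHA-256 keystream, and $ID_u$, $CI$, the nonces and $u$ by 8-byte strings; these are assumptions of the example.

```python
import hashlib
import secrets

# Added example (not from the paper): toy model of one LI login run and the
# session-key recovery of Theorem 2.3 from the master key (x, s) plus the transcript.
# Stand-ins: multiplicative group mod P for the curve, SHA-256 for h, a SHA-256
# keystream for Es() and E_VID(), 8-byte ID_u, CI, nonces and u, h64 = first 8 bytes of h.
P, G = 2**127 - 1, 3                    # constructed toy group parameters

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:   # truncates to the shorter operand
    return bytes(p ^ q for p, q in zip(a, b))

def enc(key: bytes, msg: bytes) -> bytes:   # stream-cipher stand-in, enc == dec
    ks = b"".join(h(key, bytes([i])) for i in range(len(msg) // 32 + 1))
    return xor(msg, ks)

def mask(n1: bytes, e: bytes) -> bytes:     # h(N1||e||1) || h(N1||e||2) || h(N1||e||3)
    return b"".join(h(n1, e, bytes([i])) for i in (1, 2, 3))

def card_token(s: bytes, id_u: bytes, ci: bytes, n: bytes, pw_b: bytes) -> bytes:
    t = id_u + ci + n + xor(id_u + ci + n, pw_b)   # t = (ID||CI||N) || ((ID||CI||N) XOR h(PW||b))
    return enc(s, t + h(t))                        # b^N_IDu = Es(t || h(t)); XOR keeps 24 bytes of h(PW||b)

def login(x: int, s: bytes, id_u: bytes, ci: bytes, n0: bytes, pw_b: bytes):
    """Honest card/server run of the LI login; returns ((msg4, msg5), k)."""
    vid, b_n0 = h(id_u, s, ci), card_token(s, id_u, ci, n0, pw_b)
    r = secrets.randbelow(P - 2) + 1                 # card pre-computation: e = rG
    e = pow(G, r, P).to_bytes(16, "big")             # (the card's c = rxG equals the server's xe)
    msg4 = (b_n0, enc(vid, secrets.token_bytes(8) + e))   # b^N0_IDu, E_VID(N1 || e)
    t = enc(s, b_n0)[:48]                            # server decrypts b^N0_IDu ...
    sid, sci, svid = t[:8], t[8:16], h(t[:8], s, t[8:16])  # ... and recomputes VID
    n1_e = enc(svid, msg4[1])                        # N1 || e
    sn1, se = n1_e[:8], n1_e[8:]
    b_n1 = card_token(s, sid, sci, sn1, xor(t[:24], t[24:]))  # h(PW||b) is inside t
    u = secrets.token_bytes(8)
    c = pow(int.from_bytes(se, "big"), x, P).to_bytes(16, "big")   # c = x e
    msg5 = (xor(b_n1, mask(sn1, se)), xor(u, h(b_n1)[:8]), h(c, u, svid))
    return (msg4, msg5), h(svid, c, u)              # k = h(VID || c || u)

def recover_session_key(x: int, s: bytes, transcript) -> bytes:
    """Theorem 2.3: the master key (x, s) and the transcript alone yield k."""
    (b_n0, enc_n1e), (n1_hat, u_masked, _m_s) = transcript
    t = enc(s, b_n0)[:48]                            # step 1: ID_u, CI -> VID
    vid = h(t[:8], s, t[8:16])
    n1_e = enc(vid, enc_n1e)                         # step 2: N1, e -> b^N1_IDu -> u
    n1, e = n1_e[:8], n1_e[8:]
    b_n1 = xor(n1_hat, mask(n1, e))
    u = xor(u_masked, h(b_n1)[:8])
    c = pow(int.from_bytes(e, "big"), x, P).to_bytes(16, "big")    # step 3: c = x e
    return h(vid, c, u)
```

The recovery routine never touches the password or $b$: once $(x, s)$ is known, everything it needs is in the transcript, which is the server-compromise forward insecurity the theorem states.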
3 Conclusions
This paper pointed out the weaknesses found in the schemes SUN and LI. In the scheme SUN, there are two defects, namely insecurity under card-compromise attack and weaknesses of the password-changing operation. Moreover, the scheme LI also suffers from the following defects: vulnerability to DoS attack, server-compromise forward insecurity, complex key setup and session key problems. We hope that our analysis will help avoid similar mistakes in future works and motivate the design of more secure enhanced schemes.
References
1. Khan M, Kim S, Alghathbar K. Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme'. Computer Communications, 2011, 34(3): 305–309
2. Wang R, Juang W, Lei C. Robust authentication and key agreement scheme preserving the privacy of secret key. Computer Communications, 2011, 34(3): 274–280
3. He D, Ma M, Zhang Y, et al. A strong user authentication scheme with smart cards for wireless communications. Computer Communications, 2011, 34(3): 367–374
4. Vaidya B, Park J, Yeo S, et al. Robust one-time password authentication scheme using smart card for home network environment. Computer Communications, 2011, 34(3): 326–336
5. Bellovin S, Merritt M. Encrypted key exchange: password-based protocols secure against dictionary attacks. Proceedings of IEEE Symposium on Security and Privacy, 2002: 72–84
6. IEEE P1363.2, http://grouper.ieee.org/groups/1363/passwdPK/submissions.html
7. Lamport L. Password authentication with insecure communication. ACM Communications, 1981, 24(11): 770–772
8. Fan C, Chan Y, Zhang Z. Robust remote authentication scheme with smart cards. Computers and Security, 2005, 24(8): 619–628
9. Juang W, Chen S, Liaw H. Robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics, 2008, 15(6): 2551–2556
10. Sun D, Huai J, Sun J, et al. Improvements of Juang et al's password authenticated key agreement scheme with smart cards. IEEE Transactions on Industrial Electronics, 2009, 56(6): 2284–2291
11. Li X, Qiu W, Zheng D, et al. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics, 2010, 57(2): 793–800
12. Hughes D, Shmatikov V. Information hiding, anonymity and privacy: a modular approach. Journal of Computer Security, 2004, 12(1): 3–36
13. Kolesnikov V, Rackoff C. Password mistyping in two-factor-authenticated key exchange. Proceedings of ICALP'08, 2008: 702–714
14. Boyd C, Mathuria A. Protocols for authentication and key establishment. Springer, 2003