Computer Standards & Interfaces 26 (2004) 167 – 169 www.elsevier.com/locate/csi
Security of Chien et al.’s remote user authentication scheme using smart cards

Chien-Lung Hsu *
Department of Information Management, National Taiwan University of Science and Technology, Taipei, 106 Taiwan, ROC

Received 8 May 2003; received in revised form 21 July 2003; accepted 28 July 2003

Abstract

In 2000, Sun proposed an efficient remote user authentication scheme using smart cards. Recently, Chien et al. pointed out that Sun’s scheme achieves only unilateral authentication and proposed a new efficient and practical solution that achieves mutual user authentication. This paper, however, demonstrates that Chien et al.’s scheme is vulnerable to the parallel session attack.
© 2003 Elsevier B.V. All rights reserved.

Keywords: Authentication; Smart card; Parallel session attack; Cryptanalysis
1. Introduction

A remote password authentication scheme authenticates the legitimacy of remote users over an insecure channel. In such a system, the password is often regarded as a secret shared between the authentication server (AS) and the remote user. With knowledge of the password, the remote user can create and send a valid login message to AS to gain the access right. AS, in turn, uses the shared password to check the validity of the login message and so authenticate the remote user. In 1981, Lamport [5] proposed a remote password authentication scheme using a password table to achieve user authentication. In 2000, Hwang and Li [4] pointed out that Lamport’s scheme [5] suffers from the risk of a modified password table and the cost of protecting and maintaining the password table. They further proposed a new remote user authentication scheme using smart cards to get rid of the risk and the cost. Hwang and Li’s scheme [4] can not only withstand replay attacks but also authenticate remote users without maintaining a password table. Later, Sun [8] proposed an efficient smart card-based remote user authentication scheme to improve the efficiency of Hwang and Li’s scheme [4]. Recently, Chien et al. [1] pointed out that Sun’s scheme achieves only unilateral user authentication: AS can authenticate the legitimacy of the remote user, while the user cannot authenticate that of AS. Chien et al. [1] further proposed a remote user authentication scheme using smart cards to achieve mutual user authentication, in which both AS and the remote user can verify the legitimacy of the other.

This paper aims to demonstrate that Chien et al.’s scheme [1] is vulnerable to the parallel session attack, in which an intruder who does not know the user’s password can masquerade as the legal user by creating a valid login message from the eavesdropped communication between AS and the user. In Section 2, we briefly review Chien et al.’s [1] remote user authentication scheme using smart cards. In Section 3, we demonstrate the parallel session attack on Chien et al.’s scheme. Finally, we give conclusions in Section 4.

* P.O. Box 7-27 Hsi-Chih, Hsi-Chih City, Taipei Hsien, 112 Taiwan, ROC. Tel./fax: +886-2-869-19619.
doi:10.1016/S0920-5489(03)00094-1
2. Review of Chien et al.’s remote user authentication scheme

Chien et al.’s scheme [1] consists of three phases: the registration, the login, and the verification phases. The registration phase deals with the remote user’s registration, determines a password shared between AS and the user, and issues a smart card to the user. In the login phase, a remote user can use his password to create a login message to AS for gaining the access right. In the authentication phase, AS can check the validity of the login message with the user’s password and determine whether the user can gain the access right. These phases are described in detail as follows.

2.1. Registration phase

Let $h$ be a secure one-way hash function [6,7] and $x$ be the secret key owned by the authentication server (AS). The new user $U_i$ associated with the identity $ID_i$ randomly chooses his password $PW_i$ and then submits $(ID_i, PW_i)$ to AS for registration. AS computes $R_i = h(ID_i \oplus x) \oplus PW_i$ and issues a smart card containing $(R_i, h)$ to $U_i$, where the symbol "$\oplus$" denotes the bitwise exclusive-or operation for two bit-strings.

2.2. Login phase

When $U_i$ wants to log in to the authentication server AS to gain the access right, $U_i$ inserts his smart card into the terminal device and keys in his identity $ID_i$ and password $PW_i$. The smart card computes $C_1 = R_i \oplus PW_i$ and $C_2 = h(C_1 \oplus T)$, and then sends the login message $(ID_i, T, C_2)$ to AS, where $T$ is the current time stamp.

2.3. Authentication phase

Upon receiving $(ID_i, T, C_2)$ from $U_i$, the server AS performs the following tasks:

1. Check the validity of $ID_i$. If $ID_i$ is invalid, then AS rejects $U_i$’s login request.
2. Check if $(T' - T) \le \Delta T$, where $T'$ is the timestamp when AS received the login message and $\Delta T$ is the expected valid time interval for transmission delay. If it does not hold, AS rejects $U_i$’s login request.
3. Compute $h(h(ID_i \oplus x) \oplus T)$ and check if it is equal to the received $C_2$. If it holds, the identification of the user $U_i$ is authenticated. Otherwise, AS rejects $U_i$’s login request.
4. Compute the response message $C_3 = h(h(ID_i \oplus x) \oplus T'')$ and reply $(T'', C_3)$ to $U_i$, where $T''$ is the current time stamp.

On receiving the message $(T'', C_3)$ from AS, the user $U_i$ computes $h(C_1 \oplus T'')$ and checks if it is equal to the received $C_3$. If it holds, the legitimacy of AS is verified. The message transmission of Chien et al.’s scheme [1] is depicted in Fig. 1.

Fig. 1. The message transmission of Chien et al.’s scheme [1].
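Added example, not code from the paper: a Python simulation of the three phases reviewed above, used to check the property that Section 3 relies on, namely that the reply value C3 for T'' has exactly the form of a login value C2 for T''. SHA-256 as h, the 32-byte encodings, reusing the receive time as T'', the identity "alice", and the role-tagged form h(role || k || T) are all assumptions of this example; the tagged form is shown only for comparison and is not taken from the paper.

```python
import hashlib
import secrets

N = 32  # every value is a 32-byte string so XOR is well defined

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc(v) -> bytes:
    # Fixed-width encoding of an identity (str) or timestamp (int).
    return v.encode().ljust(N, b"\0") if isinstance(v, str) else v.to_bytes(N, "big")

def proof(k: bytes, t: int, role: bytes, tagged: bool) -> bytes:
    # Paper: h(k xor T) in both directions. Tagged h(role || k || T) is this example's assumption.
    return h(role + k + enc(t)) if tagged else h(xor(k, enc(t)))

class Server:
    def __init__(self, tagged: bool = False, delta_t: int = 5):
        self.x, self.tagged, self.delta_t = secrets.token_bytes(N), tagged, delta_t
        self.ids = set()

    def register(self, ident: str, pw: bytes) -> bytes:
        self.ids.add(ident)
        return xor(h(xor(enc(ident), self.x)), pw)    # R_i = h(ID_i xor x) xor PW_i

    def authenticate(self, ident: str, t: int, c2: bytes, now: int):
        if ident not in self.ids or not 0 <= now - t <= self.delta_t:
            return None                               # steps 1 and 2
        k = h(xor(enc(ident), self.x))
        if c2 != proof(k, t, b"U", self.tagged):      # step 3
            return None
        return now, proof(k, now, b"S", self.tagged)  # step 4: (T'', C3)

def card_login(r: bytes, pw: bytes, t: int, tagged: bool = False):
    c1 = xor(r, pw)                                   # C1 = h(ID_i xor x)
    return c1, proof(c1, t, b"U", tagged)             # C2

def replay_accepted(tagged: bool) -> bool:
    # Constructed run: U_i logs in at T=1000; the observed reply (T'', C3)
    # is resubmitted unchanged as (ID_i, T'', C2* = C3) one tick later.
    srv, pw = Server(tagged), secrets.token_bytes(N)
    r = srv.register("alice", pw)
    c1, c2 = card_login(r, pw, 1000, tagged)
    t2, c3 = srv.authenticate("alice", 1000, c2, now=1001)
    assert c3 == proof(c1, t2, b"S", tagged)          # U_i's check of AS passes
    return srv.authenticate("alice", t2, c3, now=1002) is not None
```

With the paper's symmetric form the resubmitted reply is accepted as a fresh login; once the two directions are hashed differently, the same message fails step 3.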
3. The proposed parallel session attack

Consider the scenario of the parallel session attack [3], in which an intruder $U_a$ who does not know users’ passwords wants to masquerade as a legal user $U_i$ by creating a valid login message from the eavesdropped communication between AS and $U_i$. When $U_i$ wants to log in to the authentication server AS, $U_i$ sends the login message $(ID_i, T, C_2)$ to AS, where $T$ is the current time stamp. If $(ID_i, T, C_2)$ is valid, the identification of $U_i$ is authenticated and AS responds with $(T'', C_3)$ to $U_i$, where $T''$ is the current time stamp. Once $U_a$ intercepts this message, he masquerades as the legal user $U_i$ to start a new session with AS by sending $(ID_i, T'', C_2^*)$ back to AS, where $C_2^* = C_3$. The login message $(ID_i, T'', C_2^*)$ will pass the user authentication of Chien et al.’s scheme [1] due to the fact that $C_2^* = C_3 = h(h(ID_i \oplus x) \oplus T'')$. Finally, AS responds with the message $(T''', C_3^*)$ to $U_i$, where $C_3^* = h(C_1' \oplus T''')$ and $T'''$ is the current timestamp. The intruder $U_a$ intercepts and drops this message. Fig. 2 depicts the message transmission of the parallel session attack.

Fig. 2. Parallel session attack.

4. Conclusions

We have shown that Chien et al.’s scheme [1] cannot withstand the parallel session attack. The parallel session attack can be carried out effectively because of the symmetric structure of the messages exchanged between the user and AS [2]. Hence, Chien et al.’s scheme cannot achieve the security requirements it claims.

Acknowledgements

The author would like to thank the referees for their valuable comments.

References

[1] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Computers & Security 21 (4) (2002) 372–375.
[2] W. Diffie, P.C. van Oorschot, M.J. Wiener, Authentication and authenticated key exchange, Designs, Codes and Cryptography 2 (2) (1992) 107–125.
[3] L. Gong, A security risk of depending on synchronized clocks, Operating Systems Review 26 (1) (1992) 49–53.
[4] M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000) 28–30.
[5] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (11) (1981) 770–772.
[6] National Institute of Standards and Technology, NIST FIPS PUB 180, Secure hash standard, U.S. Department of Commerce (1993).
[7] R.L. Rivest, The MD5 Message-Digest algorithm, RFC 1231, Internet Activities Board, Internet Privacy Task Force (1992).
[8] H.M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (4) (2000) 958–961.