Weaknesses and improvements of the Yoon–Ryu–Yoo remote user authentication scheme using smart cards


Computer Communications 32 (2009) 649–652


Han-Cheng Hsiang a,b,*, Wei-Kuan Shih a

a Department of Computer Science, National Tsing Hua University, No. 101, Kuang Fu Rd, Sec. 2, 300 HsingChu, Taiwan
b Department of Information Management, Vanung University of Science and Technology, Chungli 320, Taiwan, ROC

Article info

Article history: Received 31 August 2007; Accepted 20 November 2008; Available online 27 November 2008

Keywords: Authentication; Cryptography; Password guessing attack; Parallel session attack

Abstract

A remote user authentication scheme is a procedure that allows a server to authenticate a remote user through an insecure channel. Recently, Yoon, Ryu and Yoo made an enhancement based on Ku–Chen's remote user authentication scheme by using smart cards. The scheme has the merits of providing mutual authentication, no verification table, freely chosen passwords, only a few hashing operations and parallel session attack resistance. In this paper, we point out security flaws of Yoon–Ryu–Yoo's protocol against the masquerading attack, off-line password guessing attacks and the parallel session attack. An improvement to enhance the security of Yoon–Ryu–Yoo's scheme is proposed.

Crown Copyright © 2008 Published by Elsevier B.V. All rights reserved.

1. Introduction

A remote user authentication scheme is a procedure that allows a server to authenticate a remote user through an insecure channel. Password-based authentication is the most common method to check the validity of the login message and authenticate the user. In 1981, Lamport [1] proposed a remote password authentication scheme that could authenticate remote users over an insecure channel. Since then, many similar schemes [2,3] have been proposed to improve security, efficiency or cost. In 2000, Hwang and Li [4] developed a password-based remote user authentication scheme using smart cards. However, Hwang and Li's scheme only needed to maintain a secret key, without storing a password table in the system, and it could not withstand a masquerade attack. In 2002, Chien et al. [5] proposed an efficient password-based remote user authentication scheme, and claimed that their scheme has the merits of providing mutual authentication, no verification table, freely chosen passwords, and only a few hashing operations. In 2004, Ku–Chen [6] showed that Chien et al.'s scheme is vulnerable to a reflection attack [7] and an insider attack [8], and is not reparable. An improved scheme was developed to preclude the weaknesses of Chien et al.'s scheme. Later, Yoon et al. [9] presented an enhancement because they found that the improved scheme was still susceptible to the parallel session attack [10] and was insecure when changing the user's password in the password change phase.

* Corresponding author. Current address: No. 103, Rong-an 5th St., Zhongli City, Taoyuan County 32073, Taiwan, ROC. Tel.: +886 3 4515811. E-mail address: [email protected] (W.-K. Shih).

In this paper, we state that Yoon–Ryu–Yoo's scheme is vulnerable to the parallel session attack described by Duan et al. [11]. In addition, we found that a masquerading attack and a password guessing attack exist. To remedy these pitfalls, this paper presents an efficient scheme. The proposed scheme not only inherits the merits of their scheme but also enhances its security. The rest of this paper is organized as follows. In Section 2, a brief review of Yoon–Ryu–Yoo's scheme is given. Section 3 describes a cryptanalysis of Yoon–Ryu–Yoo's scheme. In Section 4, our improved scheme is proposed. The security analysis of the improved scheme is presented in Section 5. Finally, several concluding comments are included in the last section.

2. Review of Yoon–Ryu–Yoo's scheme

The notations used throughout this paper can be summarized as follows:

- U: the user.
- ID: the identity of U.
- PW: the password of U.
- S: the remote server.
- x: the permanent secret key of S.
- h(): a cryptographic hash function.
- ⇒: a secure channel.
- →: a common channel.

There are four phases in Yoon et al.’s scheme [9] – registration, login, verification and password change. Different phases work as follows.

0140-3664/$ - see front matter Crown Copyright © 2008 Published by Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.11.019


H.-C. Hsiang, W.-K. Shih / Computer Communications 32 (2009) 649–652

2.1. Registration phase

This phase is invoked whenever U initially registers or re-registers to S. Let n denote the number of times U re-registers to S. The following steps are involved in this phase:

1. U selects a random number b and computes h(b ⊕ PW).
2. U ⇒ S: ID, h(b ⊕ PW).
3. If it is U's initial registration, S creates an entry for U in the account database and stores n = 0 in this entry. Otherwise, S sets n = n + 1 in the existing entry for U. Next, S performs the following computations:
   V = h(EID ⊕ x)
   R = h(EID ⊕ x) ⊕ h(b ⊕ PW), where EID = (ID‖n).
4. S ⇒ U: a smart card containing V, R and h().
5. U enters b into his smart card. Note that U's smart card contains V, R, b and h(), and U does not need to remember b after finishing the phase.

2.2. Login phase

When U wants to log in to S, the following operations are performed:

1. U inserts his smart card into the smart card reader, and then enters ID and PW.
2. U's smart card performs the following computations:
   C1 = R ⊕ h(b ⊕ PW)
   C2 = h(C1 ⊕ TU), where TU denotes U's current timestamp.
3. U → S: C = {ID, TU, C2}.

2.3. Verification phase

After the message C is received, S and the smart card execute the following operations:

1. If either ID or TU is invalid or TS = TU, S rejects U's login request. Otherwise, S computes h(h(EID ⊕ x) ⊕ TU). If the computed result equals the received C2, S accepts U's login request and computes C3 = h(h(EID ⊕ x) ⊕ TS), where TS denotes S's current timestamp. Otherwise, S rejects U's login request.
2. S → U: TS, C3.
3. If either TS is invalid or TS = TU, U terminates this session. Otherwise, U computes h(C1 ⊕ TS) and then compares the result to the received C3. If equal, U successfully authenticates S.

2.4. Password change phase

This phase is invoked whenever U wants to change his password PW to a new one, say PWnew.

1. U inserts his smart card into the smart card reader, enters ID and PW, and requests to change the password.
2. U's smart card computes V* = R ⊕ h(b ⊕ PW).
3. U's smart card compares V* with the V stored in the smart card.
4. If they are equal, then U selects a new password PWnew; otherwise the smart card rejects the password change request.
5. U's smart card computes Rnew = V* ⊕ h(b ⊕ PWnew), which yields h(EID ⊕ x) ⊕ h(b ⊕ PWnew), and then replaces R with Rnew.

3. Cryptanalysis of Yoon–Ryu–Yoo's scheme

In this section, we show some issues in Yoon–Ryu–Yoo's scheme. If a user loses his/her smart card and it is found by an attacker, or an attacker steals the user's smart card and extracts the stored values through some means [12,13], then the attacker can easily impersonate the legitimate user Ui without knowing any password.

3.1. Masquerading attack

We observe that, in step 2 of the login phase of Yoon et al.'s scheme, C1 should be equal to the V in the smart card. This means that an attacker Bob does not need to know PW to calculate C1 if Bob has learned V from the smart card. The attacker can then easily go through the steps of the login phase to forge a valid login request, because a valid login message is {IDi, TU, C2}, where TU is a current timestamp and C2 = h(C1 ⊕ TU) = h(V ⊕ TU). Hence, the attacker can successfully make a valid login request to masquerade as a legal user.

3.2. Password guess attack

When the user U's smart card is stolen, Bob can breach the secrets V, R, h() and b stored in the smart card. The attacker uses the breached secrets V, R, h() and b, and performs the following operations:

- Computes Y = R ⊕ V = h(b ⊕ PW).
- Guesses all possible values of the password, PWi, and then verifies whether h(b ⊕ PWi) equals Y.
- If equal, PWi = PW.

Once the attacker has correctly obtained the password PW, he can change the password of the user U by applying the following steps:

- Inserts the smart card into the smart card reader and keys in ID and PW.
- The smart card computes V* = R ⊕ h(b ⊕ PW) and then compares the computed value V* with the stored value V. Obviously, both values will be the same, so the smart card accepts the password change request.
- Selects a new password PWnew; the smart card computes a new Rnew = R ⊕ h(b ⊕ PW) ⊕ h(b ⊕ PWnew) and then replaces R with Rnew.

Now the registered legal user U also cannot make a valid login request, since her/his old password PW no longer works.

3.3. Parallel session attack

According to [11], an intruder Bob who does not know the user's password wants to masquerade as a legal user U by creating a valid login message from the eavesdropped communication between S and U. By performing the following steps, Bob can successfully make a valid login request:

- Intercepts the login request C = {ID, Tu, C2}, which is sent by a valid user U to S.
- Intercepts the response message {C3, Ts}, which is sent by S to the user U.
- Starts a new session with S by sending a fabricated login request Cf = {ID, C2*, Tu*}, where C2* = C3 and Tu* = Ts.

After receiving Bob's login request, S performs the following steps:

1. S checks the validity of ID and Tu*, and whether Ts = Tu*, where Tu* denotes U's timestamp and Ts denotes S's current timestamp. Because of the transmission delay, or a delay introduced on purpose by the intruder, Tu* is not equal to Ts, so S continues with the following steps.
2. S computes h(h(EID ⊕ x) ⊕ Tu*) and compares it with the received C2*. Because C2* = h(h(EID ⊕ x) ⊕ Tu*), the verification succeeds and S accepts Bob's login request. Then S computes C3 = h(h(EID ⊕ x) ⊕ Ts), and sends {Ts, C3} to U.

As a result, Yoon et al.'s scheme cannot resist the parallel session attack.

4. Our improved scheme

In this section, we improve Yoon–Ryu–Yoo's scheme to remedy its weaknesses. Our improved scheme enhances the security of their scheme and works as follows. There are four phases in our scheme: registration, login, verification and password change.

4.1. Registration phase

This phase is invoked whenever U initially registers or re-registers to S. Let n denote the number of times U re-registers to S.

1. U selects a random number b and computes h(b ⊕ PW).
2. U ⇒ S: ID, h(PW), h(b ⊕ PW).
3. If it is U's initial registration, S creates an entry for U in the account database and stores n = 0 in this entry. Otherwise, S sets n = n + 1 in the existing entry for U. Next, S performs the following computations:
   P = h(EID ⊕ x)
   R = P ⊕ h(b ⊕ PW), where EID = (ID‖n)
   V = h(P ⊕ h(PW))
4. S ⇒ U: a smart card containing V, R and h().
5. U enters b into his smart card. Note that U's smart card contains V, R, b and h(), and U does not need to remember b after the phase.

4.2. Login phase

When U wants to log in to S, the following operations are performed:

1. U inserts his smart card into the smart card reader, and then enters ID and PW.
2. U's smart card performs the following computations:
   C1 = R ⊕ h(b ⊕ PW)
   C2 = h(C1 ⊕ TU), where TU denotes U's current timestamp.
3. U → S: C = {ID, TU, C2}.

4.3. Verification phase

After the authentication request message {ID, TU, C2} is received, the remote system and the smart card execute the following operations:

1. If either ID or TU is invalid or TS − TU ≤ 0, S rejects U's login request. Otherwise, S computes h(h(EID ⊕ x) ⊕ TU). If the computed result equals the received C2, S accepts U's login request and computes C3 = h(h(EID ⊕ x) ⊕ h(TS)), where TS denotes S's current timestamp. Otherwise, S rejects U's login request.
2. S → U: TS, C3.
3. If either TS is invalid or TS = TU, U terminates this session. Otherwise, U computes h(C1 ⊕ h(TS)) and then compares the result to the received C3. If equal, U successfully authenticates S.

4.4. Password change phase

This phase is invoked whenever U wants to change his password PW to a new one, say PWnew.

1. U inserts his smart card into the smart card reader, enters ID and PW, and requests to change the password.
2. U's smart card computes P* = R ⊕ h(b ⊕ PW) and V* = h(P* ⊕ h(PW)).
3. U's smart card compares V* with the V stored in the smart card.
4. If they are equal, then U selects a new password PWnew; otherwise the smart card rejects the password change request.
5. U's smart card computes Rnew = P* ⊕ h(b ⊕ PWnew), which yields h(EID ⊕ x) ⊕ h(b ⊕ PWnew), and then replaces R with Rnew.
6. U's smart card computes Vnew = h(P* ⊕ h(PWnew)), which yields h(h(EID ⊕ x) ⊕ h(PWnew)), and then replaces V with Vnew.

5. Security analysis

In this section, we discuss only the enhanced security features. The others are the same as in the original Yoon–Ryu–Yoo scheme [9].

1. We note that an attacker must have the value V to masquerade as a legal user Ui and forge a valid login request to the server, since the computations of C2 and R both use the same factor h(EID ⊕ x), and V = h(EID ⊕ x). Hence, our scheme sets V = h(P ⊕ h(PW)), so that the attacker cannot get R and C2 from V, because R and C2 can only be deduced from the server's secret value x and EID = (ID‖n).
2. When the user U's smart card is stolen, the attacker Bob can breach the secrets V, R, h() and b stored in the smart card. But Bob cannot use the breached secrets V, R, h() and b to derive h(b ⊕ PW), hence he cannot execute the password guess attack.
3. An attacker Bob eavesdrops on the communication between S and Ui. Bob intercepts the response message {TS, C3}, which is sent by S to the user U.
   Case 1: Bob starts a new session with S by sending a fabricated login request {ID, C3, Ts}. After receiving Bob's login request, S checks the validity of ID and Ts. Then S computes C4 = h(h(EID ⊕ x) ⊕ Ts). Because C3 = h(h(EID ⊕ x) ⊕ h(Ts)), C3 ≠ C4 and S rejects the login request.
   Case 2: Bob starts a new session with S by sending a fabricated login request {ID, C3, Ts*}, where Ts* = h(Ts). After receiving Bob's login request, S checks the validity of ID and Ts*. Because Ts* is not valid, S rejects the login request.
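The relations that Sections 3 and 5 rely on can be checked by running the original and the improved scheme side by side. The following Python model is an added example, not code from the paper; it assumes SHA-256 for h(), a 32-byte encoding for every XOR operand, the hypothetical names enc, register, login, verify and check, and constructed ID, password and timestamp values.

```python
import hashlib, os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()          # assumption: h() is SHA-256

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc(value) -> bytes:
    # Assumption: every operand is encoded to 32 bytes so XOR is well defined.
    raw = value.to_bytes(8, "big") if isinstance(value, int) else value.encode()
    return raw.rjust(32, b"\0")

def register(x, eid, pw, b, improved):
    P = h(xor(enc(eid), x))                       # P = h(EID xor x)
    R = xor(P, h(xor(b, enc(pw))))                # R = P xor h(b xor PW)
    V = h(xor(P, h(enc(pw)))) if improved else P  # Section 4.1 vs. Section 2.1
    return {"V": V, "R": R, "b": b}

def login(card, pw, t_u):
    c1 = xor(card["R"], h(xor(card["b"], enc(pw))))  # C1 = R xor h(b xor PW)
    return c1, h(xor(c1, enc(t_u)))                  # C2 = h(C1 xor TU)

def verify(x, eid, t_u, c2, t_s, improved):
    """Server side of the verification phase; returns C3, or None on reject."""
    P = h(xor(enc(eid), x))
    fresh = (t_s - t_u > 0) if improved else (t_s != t_u)
    if not fresh or h(xor(P, enc(t_u))) != c2:
        return None
    return h(xor(P, h(enc(t_s)) if improved else enc(t_s)))

def check(improved):
    x, b = os.urandom(32), os.urandom(32)         # constructed secrets
    eid, pw = "alice|0", "correct horse"          # constructed ID||n and PW
    card = register(x, eid, pw, b, improved)
    c1, c2 = login(card, pw, 1000)
    c3 = verify(x, eid, 1000, c2, 1001, improved) # honest run
    pw_hash = h(xor(b, enc(pw)))
    return {
        "honest_login_ok": c3 is not None,
        "card_V_equals_C1": card["V"] == c1,                          # Section 3.1
        "R_xor_V_is_pw_hash": xor(card["R"], card["V"]) == pw_hash,   # Section 3.2
        "reflected_reply_accepted":                                   # Section 3.3
            verify(x, eid, 1001, c3, 1002, improved) is not None,
    }
```

check(False) models the scheme of Section 2 and check(True) the scheme of Section 4; the last three entries are the relations discussed in Sections 3.1, 3.2 and 3.3 respectively.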

6. Conclusion

In this paper, we presented a cryptanalysis of Yoon–Ryu–Yoo's scheme, showing that it is vulnerable to the parallel session attack, the masquerading attack and the password guess attack. An enhancement to Yoon–Ryu–Yoo's scheme was proposed. The proposed scheme inherits the merits of their scheme and enhances its security.

References

[1] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (11) (1981) 770–772.
[2] R.E. Lennon, S.M. Matyas, C.H. Mayer, Cryptographic authentication of time-invariant quantities, IEEE Transactions on Communications 29 (6) (1981) 773–777.
[3] S.M. Yen, K.H. Liao, Shared authentication token secure against replay and weak key attack, Information Processing Letters (1997) 78–80.
[4] M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000) 28–30.
[5] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication smart card, Computers & Security 21 (4) (2002) 372–375.
[6] W.C. Ku, S.M. Chen, Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 204–207.
[7] C. Mitchell, Limitations of challenge-response entity authentication, Electronic Letters 25 (17) (1989) 1195–1196.


[8] W.C. Ku, C.M. Chen, H.L. Lee, Cryptanalysis of a variant of Peyravian–Zunic's password authentication scheme, IEICE Transactions on Communication E86-B (5) (2003) 1682–1684.
[9] E.J. Yoon, E.K. Ryu, K.Y. Yoo, Further improvement of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (2) (2004) 612–614.
[10] C.L. Hsu, Security of Chien et al.'s remote user authentication scheme using smart cards, Computer Standards and Interfaces 26 (3) (2004) 167–169.
[11] X. Duan, J.W. Liu, Q. Zhang, Security improvement on Chien et al.'s remote user authentication scheme using smart cards, IEEE International Conference on Computational Intelligence and Security (CIS 2006) 2 (2006) 1133–1135.
[12] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Advances in Cryptology (CRYPTO'99), 1999, pp. 388–397.
[13] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552.