Cryptanalysis of Anonymous Authenticated and Key Agreement
advertisement
2014 National Computer Symposium
Template
Cryptanalysis of Anonymous Authenticated and Key Agreement
Scheme Based on Biometric for Multi-Server Environment
Yu-Hui Chen1,* Hong-Ji Wei2 Jiin-Chiou Cheng3 Wen-Chung Kuo4
1,3
Southern Taiwan University of Science and Technology
Computer Science and Information Engineering
2
University of Kang Ning
Library and Information Center
4
National Yunlin University of Science and Technology
Computer Science and Information Engineering
*E-mail: mit029@hotmial.com
Abstract
In 2014, Choi proposed a security enhanced anonymous multi-server
authenticated key agreement scheme using smart card and biometrics and claimed that
their scheme could overcome all of security issues in Chuang-Chen’s scheme, such as
impersonation attack, smart card loss attack, denial of service attack and perfect
forward secrecy. Although Choi’s scheme solves the impersonation and denial of
service attack, we discover that their scheme is not only still vulnerable to smart card
loss attack and lack of perfect forward secrecy, but also contains a flaw in design for
authentication phase after our analysis in detail.
Keywords: multi-server architecture, authentication protocol, smart card, biometrics, anonymous
1. Introduction
With the rapid development of the Internet, more and more services such as
online shopping, online transactions, online stock, etc. are provided through the
Internet. In order to prevent unauthorized users to access resources, many service
1
providers utilize the password-base authentication scheme to verify the legality of
user. For security considerations, many authors proposed the password authentication
scheme which is combined with biometric to enhance overall security [1-14].
Biometric has the following four characteristics: (a) Universality: Universality
means that every person should possess the trait. (b) DistinctivenessοΌBiometric
features of any two people are different. (c) Permanence: Biometric features do not
change over time. (d) Collectability: Measurable with simple technical instruments. (e)
Uniqueness: Biometrics is unique. Biometric including face, fingerprint, iris, hand
geometry, palm print, voice pattern…etc.
Recent years, some anonymous authentication scheme using the smart card and
biometric for multi-server environment have been proposed [4, 8, 10, 13, 14] because
user requirements for diversification of services. In 2014, Chuang and Chen [10]
proposed the anonymous multi-server authenticated key agreement scheme based on
trust computing using smart cards and biometrics. At the same year, Choi [13]
analyzes and discovers that Chuang-Chen’s scheme includes several types of
weaknesses. Simultaneously, Choi also proposed an enhanced anonymous
authentication scheme for overcoming all of weaknesses in Chuang-Chen’s scheme.
In this paper, we investigate the Choi’s scheme and discover that their proposed
scheme is still failed to withstand smart card loss attack and provide perfect forward
secrecy. Moreover, Choi’s scheme also contains a flaw in design for authentication
phase.
The rest of this paper is organized as follows: Section 2 reviews Choi’s proposed
scheme. Section 3 demonstrates all of weaknesses in Choi’s scheme. Finally,
conclusions are given in Section 4.
2. Review of Choi’s scheme
In this section, we review the Choi’s proposed scheme. Their proposed scheme
consists of three phases: the registration phase, the login phase and the authentication
phase. The notations used in Choi’ scheme are shown in Table 1.
Table 1 Notations of Choi’s scheme
π₯
π
πΆ
ππΌπ·π
A secret value of the registration center
The registration center
The identification of user i
2
ππΌπ·π
π΄ππΌπ·π
π΄ππΌπ·π
The identification of server j
The anonymous identification of user i
The anonymous identification of server j
πππ
π΅πΌππ
β(. )
The password of user i
ππ
πππΎ
||
A random number
⊕
The biometrics information of user i
A secure one-way hash function
A secure pre-shared key among RC and authenticated servers
A string concatenation operation
A string XOR operation
2.1. Registration phase
step 1.
ππ → ππ : {ππΌπ·π , β(πππ β¨π΅πΌππ )}
The user ππ selects ππΌπ·π , πππ and π΅πΌππ . Then, ππ computes
β(πππ β¨π΅πΌππ ) and transmits ππΌπ·π and β(πππ β¨π΅πΌππ ) to ππ through a secure
channel.
step 2. ππ → ππ : {ππΌπ·π , β(. ), π΅π , πΆπ , π·π , πΈπ , πΉπ }
After receiving the message from ππ , ππ starts to compute following
operations.
1.
π΄π = β(ππΌπ·π ||π₯)
2.
3.
4.
5.
6.
π΅π = β2 (ππΌπ·π ||π₯) = β(π΄π )
πΆπ = β(πππ β¨π΅πΌππ )β¨π΅π
π·π = πππΎβ¨π΄π
πΈπ = β(πππΎ)β¨β(πππ β¨π΅πΌππ )
πΉπ = [ππΌπ·1 , ππΌπ·2 , ππΌπ·3 , … ππΌπ·π ]
After computing all of parameters, the server ππ transmits the smart card
with ππΌπ·π , β(. ), π΅π , πΆπ , π·π , πΈπ and πΉπ to ππ via a secure channel.
2.2. Login phase
ππ → πππππ‘ πΆπππ: {ππΌπ·π , πππ , π΅πΌππ }
The user ππ inserts the smart card and inputs ππΌπ·π , πππ and π΅πΌππ .
step 2. Upon receiving the message from ππ , the smart card first checks ππΌπ·π and
π΅π = β(πππ β¨π΅πΌππ )β¨πΆπ . If they are equal, the smart card generates a new
random number π1 and computes π΄ππΌπ·π , π1 and π2 as follows.
step 1.
1.
π1 = β(π΅π )β¨π1 β¨β(πππΎ)
3
π2
2.
π΄ππΌπ·π = β(π1 ||ππΌπ·π ||ππΌπ·π )
3.
π2 = β(π΄ππΌπ·π ||ππΌπ·π ||π·π ||π1 ||ππ )
After computing operations above, the smart card of ππ sends π΄ππΌπ·π , π1 ,
and π·π to ππ through a public channel.
2.3. Authentication phase
ππ → πππππ‘ πΆπππ: {π΄ππΌπ·π , π3 , π4 , π2 }
After receiving the π΄ππΌπ·π , π1 , π2 and π·π from the smart card of ππ , ππ
first checks timestamp π2 − π1 β¦β³ π . If timestamp is valid, ππ computes
step 1.
following operations.
1.
2.
3.
π΄π = π·π β¨πππΎ
π1 = π1 β¨β2 (π΄π )β¨β(πππΎ)
π2 ′ = β(π΄ππΌπ·π ||ππΌπ·π ||π·π ||π1 ||π1 )
If π2 ′ is equal to received π2 , ππ recognizes that ππ is a legal user.
Then, ππ generates a new random number π2 and continues to calculate
π3 , π4 , π΄ππΌπ·π and ππΎππ as follows.
1.
2.
π3 = π2 β¨β2 (π1 )
π4 = β(π΄ππΌπ·π ||π΄ππΌπ·π ||π·π ||π1 ||π1 )
3.
4.
π΄ππΌπ·π = β(π2 ||ππΌπ·π ||ππΌπ·π )
ππΎππ = β(π1 ||π2 ||π΄ππΌπ·π ||π΄ππΌπ·π )
Then, ππ returns π΄ππΌπ·π , π3 , π4 and π2 to the smart card of ππ .
step 2.
πππππ‘ πΆπππ → ππ : {π5 , π3 }
After receiving the π΄ππΌπ·π , π3 , π4 and π2 from ππ , the smart card of ππ
checks timestamp π3 − π2 β¦β³ π. If timestamp is valid, the smart card of ππ
calculates π4 ′ = β(π΄ππΌπ·π ||ππΌπ·π ||π·π ||π2 ||π2 ) and checks whether it is equal to
received π4 . If they are equal, the smart card of ππ continues to calculate
following operations.
1.
2.
ππΎππ = β(π1 ||π2 ||π΄ππΌπ·π ||π΄ππΌπ·π )
π5 = β(ππΎππ ||β(π2 )||π3 )
After calculating above operations, the smart card of ππ transmits π5 and
π3 to ππ via a public channel.
step 3. When receiving the π5 and π3 from the smart card of ππ , ππ first checks
π4 − π3 β¦β³ π. Then, ππ computes π5 ′ = β(ππΎππ ||β(π2 )||π3 ) and compares it
4
with received π5 . If they are equal, ππ verifies ππ and the session key between
ππ and ππ is ππΎππ .
3.
Weaknesses of Choi’s scheme
Choi’s [5] proposed scheme still contains two security issues, which is failed to
prevent the smart card loss attacks and provide perfect forward secrecy. Therefore,
their scheme also contains a flaw in design for authentication phase. In this section,
we make overall analysis and describe as follows.
3.1 Smart card loss attack
In the Choi’s scheme, ππ stores ππΌπ·π , β(. ), π΅π , πΆπ , π·π , πΈπ and πΉπ into the smart
card of ππ while finishing the procedure of registration.
We assume that the attacker picks up ππ′ π smart card and gets ππΌπ·π , β(. ), π΅π ,
πΆπ , π·π , πΈπ and πΉπ from it. Then, the attacker intercept the π΄ππΌπ·π , π΄ππΌπ·π , π1 and
π3 from the ππ ′π smart card to ππ , he/she can compute following operations to
obtain the session key ππΎππ .
1.
2.
3.
4.
5.
β(πππ β¨π΅πΌππ ) = πΆπ β¨π΅π
β(πππΎ) = πΈπ β¨β(πππ β¨π΅πΌππ )
π1 = π1 β¨β(π΅π )β¨β(πππΎ)
π2 = π3 β¨β2 (π1 )
ππΎππ = β(π1 ||π2 ||π΄ππΌπ·π ||π΄ππΌπ·π )
From the result above, it proves that Choi’s proposed scheme is vulnerable to
smart card loss attack.
3.2 Lack of perfect forward secrecy
In the Choi’s scheme, all of users share the same β(πππΎ). We suppose that the
attacker obtains the π΅π which is stored in the smart card of ππ and intercepts the
π΄ππΌπ·π , π΄ππΌπ·π , ππ1 and ππ3 in the previous public channel. Then, the attacker can
calculate the ππΎπ−ππ by following steps.
1.
2.
3.
ππ1 = ππ1 β¨β(π΅π )β¨β(πππΎ)
ππ2 = ππ3 β¨β2 (ππ1 )
ππΎπ−ππ = β(ππ1 ||ππ2 ||π΄ππΌπ·π ||π΄ππΌπ·π )
As described above, it proves that Choi’s scheme is still lack of perfect forward
secrecy.
5
3.3 Flaw in design for authentication phase
In the authentication phase, the smart card of ππ sends π΄ππΌπ·π , π1 , π2 and π·π
to server ππ . While receiving the message, ππ first checks the legality of ππ and then
calculates π΄ππΌπ·π = β(π2 ||ππΌπ·π ||ππΌπ·π ), π3 and π4 . Because Choi claimed that ππ
does not maintain the verification table, ππ is failed to calculate π΄ππΌπ·π with ππΌπ·π .
As mentioned above, it demonstrates that Choi’s scheme includes a flaw in design for
authentication phase.
4. Conclusions
In this paper, we analyze Choi’s proposed scheme in detail and point out that
their scheme is still vulnerable to smart card loss attack and lack of perfect forward
secrecy. Furthermore, we also discover that Choi’s scheme contains a flaw in design
for authentication phase.
References
[1] B.T. Hsieh, H.T. Yeh, H.M. Sun and C.T. Lin, “Cryptanalysis of a
fingerprint-based remote user authentication scheme using smart cards,” In
Proceedings of 37th IEEE conference on security technology, pp. 349-350,
[2]
[3]
[4]
[5]
2003.
C.C. Chang and I.C. Lin, “Remarks on fingerprint-based remote user
authentication scheme using smart cards,” ACM SIGOPS Operating Systems
Review, Vol. 38, No. 4, pp. 91-96, 2004.
C.H. Lin and Y.Y. Lai, “A flexible biometrics remote user authentication
scheme,” Computer Standards & Interfaces, Vol. 27, No. 1, pp. 19-23, 2004.
D. Yang and B. Yang, “A biometric password-based multi-server authentication
scheme with smart card,” IEEE International Conference on Computer Design
and Applications, Vol. 5, pp. 554-559, 2010.
E.J. Yoon and C.J. Yoo, “A robust and flexible biometrics remote user
authentication scheme,” International Journal of Innovative Computing, Vol. 8,
No. 5(A), pp. 3173-3188, 2012.
[6] H.K. Yang and Y.H. An, “Security Weaknesses and Improvements of a
Fingerprint-based Remote User Authentication Scheme Using Smart Cards,”
International Journal of Advancements in Computing Technology(IJACT), Vol. 4,
No. 1, pp. 15-23, 2012.
[7] J.K. Lee, S.R. Ryu and K.Y. Yoo, “Fingerprint-based remote user authentication
scheme using smart cards,” Electronics Letters, Vol. 38, No. 12, pp. 554-555,
6
2002.
[8] J.L. Tsai, “Efficient multi-server authentication scheme based on one-way hash
function without verification table,” computers & security, Vol. 21, pp. 115-121,
2008.
[9] J. Xu, W.T. Zhu and D.G. Feng, “Improvement of a fingerprint-based remote
user authentication scheme,” International Journal of Security and its
Aplications(IJNSA), Vol. 2, No. 3, pp. 208, 2008.
[10] M.C. Chuang and M.C. Chen, “An anonymous multi-server authenticated key
agreement scheme based on trust computing using smart cards and biometrics,”
Expert Systems with Applications, Vol. 41, No. 4, pp. 1411-1418, 2014.
[11] M.K. Khan and J. Zhang, “An efficient and practical fingerprint-based remote
user authentication scheme with smart cards,” Springer Lecture Notes in
Computer Science, Vol. 3903, pp. 260-268, 2006.
[12] M. Liu and W.G. Shieh, “On the Security of Yoon and Yoo’s Biometrics Remote
User Authentication Scheme,” WSEAS Transactions on Information Science and
Applications, Vol. 11, pp. 94-103, 2014
[13] Y. Choi, “Security enhanced anonymous multi-server authenticated key
agreement scheme using smart card and biometrics,” Cryptology ePrint Archive,
2014.
[14] Y.P. Liao and S.S Wang, “A secure dynamic ID based remote user authentication
scheme for multi-server environment,” Computer Standards & Interfaces, Vol. 31,
pp. 24-29, 2009.
7
