2014 National Computer Symposium

Cryptanalysis of Anonymous Authenticated and Key Agreement Scheme Based on Biometric for Multi-Server Environment

Yu-Hui Chen1,*, Hong-Ji Wei2, Jiin-Chiou Cheng3, Wen-Chung Kuo4
1,3 Southern Taiwan University of Science and Technology, Computer Science and Information Engineering
2 University of Kang Ning, Library and Information Center
4 National Yunlin University of Science and Technology, Computer Science and Information Engineering
*E-mail: mit029@hotmial.com

Abstract
In 2014, Choi proposed a security-enhanced anonymous multi-server authenticated key agreement scheme using smart cards and biometrics, and claimed that it overcomes all of the security issues of Chuang-Chen's scheme: the impersonation attack, the smart card loss attack, the denial of service attack and the lack of perfect forward secrecy. Although Choi's scheme does resist the impersonation and denial of service attacks, our detailed analysis shows that it is still vulnerable to the smart card loss attack, still lacks perfect forward secrecy, and contains a design flaw in its authentication phase.

Keywords: multi-server architecture, authentication protocol, smart card, biometrics, anonymity

1. Introduction
With the rapid development of the Internet, more and more services, such as online shopping, online transactions and online stock trading, are provided through the Internet. To prevent unauthorized users from accessing resources, many service providers use password-based authentication to verify the legitimacy of a user. For stronger security, many authors have proposed password authentication schemes combined with biometrics [1-14]. Biometrics have the following characteristics:
(a) Universality: every person should possess the trait.
(b) Distinctiveness: the biometric features of any two people are different.
(c) Permanence: biometric features do not change over time.
(d) Collectability: the trait is measurable with simple technical instruments.
(e) Uniqueness: a biometric is unique to its owner.
Biometrics include the face, fingerprint, iris, hand geometry, palm print, voice pattern, etc. In recent years, several anonymous authentication schemes using smart cards and biometrics for the multi-server environment have been proposed [4, 8, 10, 13, 14], driven by users' demand for diversified services. In 2014, Chuang and Chen [10] proposed an anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. In the same year, Choi [13] analyzed Chuang-Chen's scheme, showed that it has several weaknesses, and proposed an enhanced anonymous authentication scheme intended to overcome all of them. In this paper, we investigate Choi's scheme and show that it still fails to withstand the smart card loss attack and still does not provide perfect forward secrecy. Moreover, Choi's scheme contains a design flaw in its authentication phase.
The rest of this paper is organized as follows: Section 2 reviews Choi's scheme. Section 3 demonstrates the weaknesses of Choi's scheme. Finally, conclusions are given in Section 4.

2. Review of Choi's scheme
In this section, we review Choi's scheme. It consists of three phases: the registration phase, the login phase and the authentication phase. The notations used in Choi's scheme are shown in Table 1.

Table 1 Notations of Choi's scheme
$x$: a secret value of the registration center
$RC$: the registration center
$UID_i$: the identification of user $i$
$SID_j$: the identification of server $j$
$AUID_i$: the anonymous identification of user $i$
$ASID_j$: the anonymous identification of server $j$
$PW_i$: the password of user $i$
$BIO_i$: the biometric information of user $i$
$h(\cdot)$: a secure one-way hash function
$N$: a random number
$PSK$: a secure pre-shared key among $RC$ and the authenticated servers
$T_k$, $\Delta T$: the timestamp of the $k$-th message and the maximum allowed transmission delay
$||$: the string concatenation operation
$\oplus$: the string XOR operation

2.1. Registration phase
step 1. $U_i \rightarrow RC$: $\{UID_i, h(PW_i \oplus BIO_i)\}$
The user $U_i$ selects $UID_i$, $PW_i$ and $BIO_i$, computes $h(PW_i \oplus BIO_i)$ and transmits $UID_i$ and $h(PW_i \oplus BIO_i)$ to $RC$ through a secure channel.
step 2. $RC \rightarrow U_i$: $\{UID_i, h(\cdot), B_i, C_i, D_i, E_i, F_i\}$
After receiving the message from $U_i$, $RC$ computes the following (only $RC$ knows $x$):
1. $A_i = h(UID_i \,||\, x)$
2. $B_i = h^2(UID_i \,||\, x) = h(A_i)$
3. $C_i = h(PW_i \oplus BIO_i) \oplus B_i$
4. $D_i = PSK \oplus A_i$
5. $E_i = h(PSK) \oplus h(PW_i \oplus BIO_i)$
6. $F_i = [SID_1, SID_2, SID_3, \ldots, SID_n]$
After computing these parameters, $RC$ writes $UID_i$, $h(\cdot)$, $B_i$, $C_i$, $D_i$, $E_i$ and $F_i$ into a smart card and delivers it to $U_i$ via a secure channel.

2.2. Login phase
step 1. $U_i \rightarrow$ Smart Card: $\{UID_i, PW_i, BIO_i\}$
The user $U_i$ inserts the smart card and inputs $UID_i$, $PW_i$ and $BIO_i$.
step 2. Smart Card $\rightarrow S_j$: $\{AUID_i, M_1, M_2, D_i, T_1\}$
Upon receiving the input from $U_i$, the smart card first checks $UID_i$ and verifies that $B_i = h(PW_i \oplus BIO_i) \oplus C_i$. If they are equal, the smart card generates a new random number $N_1$, takes the current timestamp $T_1$, obtains $h(PSK)$ as $E_i \oplus h(PW_i \oplus BIO_i)$, and computes $M_1$, $AUID_i$ and $M_2$ as follows:
1. $M_1 = h(B_i) \oplus N_1 \oplus h(PSK)$
2. $AUID_i = h(N_1 \,||\, UID_i \,||\, SID_j)$
3. $M_2 = h(AUID_i \,||\, SID_j \,||\, D_i \,||\, N_1 \,||\, T_1)$
After these computations, the smart card of $U_i$ sends $AUID_i$, $M_1$, $M_2$ and $D_i$ (together with $T_1$, which $S_j$ needs for the checks below) to $S_j$ through a public channel.

2.3. Authentication phase
step 1. $S_j \rightarrow$ Smart Card: $\{ASID_j, M_3, M_4, T_2\}$
After receiving $AUID_i$, $M_1$, $M_2$ and $D_i$ from the smart card of $U_i$, $S_j$ first checks the timestamp, $T_2 - T_1 \le \Delta T$, where $T_2$ is the current time. If the timestamp is valid, $S_j$ computes the following:
1. $A_i = D_i \oplus PSK$
2. $N_1 = M_1 \oplus h^2(A_i) \oplus h(PSK)$
3. $M_2' = h(AUID_i \,||\, SID_j \,||\, D_i \,||\, N_1 \,||\, T_1)$
If $M_2'$ is equal to the received $M_2$, $S_j$ recognizes $U_i$ as a legal user.
Then, $S_j$ generates a new random number $N_2$ and continues to calculate $M_3$, $ASID_j$, $M_4$ and $SK_{ij}$ as follows:
1. $M_3 = N_2 \oplus h^2(N_1)$
2. $ASID_j = h(N_2 \,||\, UID_i \,||\, SID_j)$
3. $M_4 = h(ASID_j \,||\, SID_j \,||\, D_i \,||\, N_2 \,||\, T_2)$
4. $SK_{ij} = h(N_1 \,||\, N_2 \,||\, AUID_i \,||\, ASID_j)$
Then, $S_j$ returns $ASID_j$, $M_3$, $M_4$ and $T_2$ to the smart card of $U_i$.

step 2. Smart Card $\rightarrow S_j$: $\{M_5, T_3\}$
After receiving $ASID_j$, $M_3$, $M_4$ and $T_2$ from $S_j$, the smart card of $U_i$ checks the timestamp, $T_3 - T_2 \le \Delta T$. If the timestamp is valid, the smart card recovers $N_2 = M_3 \oplus h^2(N_1)$, calculates $M_4' = h(ASID_j \,||\, SID_j \,||\, D_i \,||\, N_2 \,||\, T_2)$ and checks whether it is equal to the received $M_4$. If they are equal, the smart card of $U_i$ continues with the following operations:
1. $SK_{ij} = h(N_1 \,||\, N_2 \,||\, AUID_i \,||\, ASID_j)$
2. $M_5 = h(SK_{ij} \,||\, h(N_2) \,||\, T_3)$
After calculating these, the smart card of $U_i$ transmits $M_5$ and $T_3$ to $S_j$ via a public channel.

step 3. When receiving $M_5$ and $T_3$ from the smart card of $U_i$, $S_j$ first checks $T_4 - T_3 \le \Delta T$. Then, $S_j$ computes $M_5' = h(SK_{ij} \,||\, h(N_2) \,||\, T_3)$ and compares it with the received $M_5$. If they are equal, $S_j$ has verified $U_i$, and the session key between $U_i$ and $S_j$ is $SK_{ij}$.

3. Weaknesses of Choi's scheme
Choi's scheme [13] still contains two security issues: it fails to prevent the smart card loss attack and it fails to provide perfect forward secrecy. Moreover, its authentication phase contains a design flaw. In this section, we analyze these problems in detail.

3.1 Smart card loss attack
In Choi's scheme, $RC$ stores $UID_i$, $h(\cdot)$, $B_i$, $C_i$, $D_i$, $E_i$ and $F_i$ in the smart card of $U_i$ at the end of the registration phase. We assume that an attacker picks up $U_i$'s smart card and extracts $UID_i$, $h(\cdot)$, $B_i$, $C_i$, $D_i$, $E_i$ and $F_i$ from it. If the attacker also intercepts $AUID_i$, $ASID_j$, $M_1$ and $M_3$ exchanged between $U_i$'s smart card and $S_j$ on the public channel, he/she can compute the session key $SK_{ij}$ as follows:
1. $h(PW_i \oplus BIO_i) = C_i \oplus B_i$
2. $h(PSK) = E_i \oplus h(PW_i \oplus BIO_i)$
3. $N_1 = M_1 \oplus h(B_i) \oplus h(PSK)$
4. $N_2 = M_3 \oplus h^2(N_1)$
5. $SK_{ij} = h(N_1 \,||\, N_2 \,||\, AUID_i \,||\, ASID_j)$
Note that no password or biometric guessing is needed: $B_i$ and $C_i$ together reveal $h(PW_i \oplus BIO_i)$ directly, and every other input is either stored on the card or sent in the clear. This shows that Choi's scheme is vulnerable to the smart card loss attack.

3.2 Lack of perfect forward secrecy
In Choi's scheme, all users share the same $h(PSK)$, and $B_i$ is a fixed value stored in the smart card. Suppose that the attacker obtains $B_i$ from the smart card of $U_i$ (and hence $h(PSK)$, as in Section 3.1) and has recorded $AUID_i$, $ASID_j$, $OM_1$ and $OM_3$ of an earlier session from the public channel. Then the attacker can calculate that earlier session key $SK_{o\text{-}ij}$ by the following steps:
1. $ON_1 = OM_1 \oplus h(B_i) \oplus h(PSK)$
2. $ON_2 = OM_3 \oplus h^2(ON_1)$
3. $SK_{o\text{-}ij} = h(ON_1 \,||\, ON_2 \,||\, AUID_i \,||\, ASID_j)$
Since $N_1$ is masked only by the static values $h(B_i)$ and $h(PSK)$, every past session of $U_i$ can be recovered once these are known. This shows that Choi's scheme still lacks perfect forward secrecy.

3.3 Flaw in design for authentication phase
In the authentication phase, the smart card of $U_i$ sends $AUID_i$, $M_1$, $M_2$ and $D_i$ to the server $S_j$. On receiving the message, $S_j$ first checks the legitimacy of $U_i$ and then has to calculate $ASID_j = h(N_2 \,||\, UID_i \,||\, SID_j)$, $M_3$ and $M_4$. However, $S_j$ only ever receives the anonymous identity $AUID_i$; since Choi claims that $S_j$ maintains no verification table, $S_j$ has no way to obtain $UID_i$ and therefore cannot compute $ASID_j$. This shows that Choi's scheme contains a design flaw in its authentication phase.

4. Conclusions
In this paper, we have analyzed Choi's scheme in detail and pointed out that it is still vulnerable to the smart card loss attack and still lacks perfect forward secrecy. Furthermore, we have shown that Choi's scheme contains a design flaw in its authentication phase.

References
[1] B.T. Hsieh, H.T. Yeh, H.M. Sun and C.T. Lin, "Cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards," In Proceedings of the 37th IEEE Conference on Security Technology, pp. 349-350, 2003.
[2] C.C. Chang and I.C. Lin, "Remarks on fingerprint-based remote user authentication scheme using smart cards," ACM SIGOPS Operating Systems Review, Vol. 38, No. 4, pp. 91-96, 2004.
[3] C.H. Lin and Y.Y. Lai, "A flexible biometrics remote user authentication scheme," Computer Standards & Interfaces, Vol. 27, No. 1, pp. 19-23, 2004.
[4] D. Yang and B. Yang, "A biometric password-based multi-server authentication scheme with smart card," IEEE International Conference on Computer Design and Applications, Vol. 5, pp. 554-559, 2010.
[5] E.J. Yoon and C.J. Yoo, "A robust and flexible biometrics remote user authentication scheme," International Journal of Innovative Computing, Vol. 8, No. 5(A), pp. 3173-3188, 2012.
[6] H.K. Yang and Y.H. An, "Security weaknesses and improvements of a fingerprint-based remote user authentication scheme using smart cards," International Journal of Advancements in Computing Technology (IJACT), Vol. 4, No. 1, pp. 15-23, 2012.
[7] J.K. Lee, S.R. Ryu and K.Y. Yoo, "Fingerprint-based remote user authentication scheme using smart cards," Electronics Letters, Vol. 38, No. 12, pp. 554-555, 2002.
[8] J.L. Tsai, "Efficient multi-server authentication scheme based on one-way hash function without verification table," Computers & Security, Vol. 27, pp. 115-121, 2008.
[9] J. Xu, W.T. Zhu and D.G. Feng, "Improvement of a fingerprint-based remote user authentication scheme," International Journal of Security and its Applications (IJNSA), Vol. 2, No. 3, pp. 208, 2008.
[10] M.C. Chuang and M.C. Chen, "An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics," Expert Systems with Applications, Vol. 41, No. 4, pp. 1411-1418, 2014.
[11] M.K. Khan and J. Zhang, "An efficient and practical fingerprint-based remote user authentication scheme with smart cards," Springer Lecture Notes in Computer Science, Vol. 3903, pp. 260-268, 2006.
[12] M. Liu and W.G. Shieh, "On the security of Yoon and Yoo's biometrics remote user authentication scheme," WSEAS Transactions on Information Science and Applications, Vol. 11, pp. 94-103, 2014.
[13] Y. Choi, "Security enhanced anonymous multi-server authenticated key agreement scheme using smart card and biometrics," Cryptology ePrint Archive, 2014.
[14] Y.P. Liao and S.S. Wang, "A secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, Vol. 31, pp. 24-29, 2009.
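Worked example for Sections 2, 3.1 and 3.2. The following Python model is added here as an illustration; it is not code from Choi's paper or from this paper. It implements the three phases as reviewed in Section 2 with both the smart-card side and the server side, runs two complete sessions, and then applies the attacker's steps of Sections 3.1 and 3.2 to the card contents and the recorded transcripts. Assumptions, all ours: $h(\cdot)$ is SHA-256; every value is a 32-byte string, so $PW_i$ and $BIO_i$ are taken as hashes of the raw password and biometric template (this makes $PW_i \oplus BIO_i$ well defined); timestamps are integers with an assumed $\Delta T$ of 5; the user, server and sessions are constructed; all function names are ours. The server function is handed $UID_i$ explicitly only because, as Section 3.3 observes, it has no other way to form $ASID_j$.

```python
"""Model of Choi's scheme as reviewed in Section 2, plus the attacks of
Sections 3.1 and 3.2.  Added example, not code from Choi or from this paper.
Assumed: h = SHA-256, 32-byte values, integer timestamps, DELTA_T = 5."""
import hashlib
import os

DELTA_T = 5  # assumed maximum transmission delay


def h(*parts) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation; integer timestamps
    are encoded as 8-byte big-endian before hashing (assumption)."""
    enc = [p.to_bytes(8, "big") if isinstance(p, int) else p for p in parts]
    return hashlib.sha256(b"".join(enc)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def fresh(t_now: int, t_msg: int) -> bool:
    """Timestamp check T_now - T_msg <= DELTA_T from the authentication phase."""
    return 0 <= t_now - t_msg <= DELTA_T


def register(uid, pw, bio, x, psk, server_ids):
    """Registration phase: RC derives the values written to U_i's smart card."""
    hpb = h(xor(pw, bio))                      # h(PW_i xor BIO_i), sent by the user
    a_i = h(uid, x)                            # A_i = h(UID_i || x)
    b_i = h(a_i)                               # B_i = h^2(UID_i || x)
    return {"UID": uid, "B": b_i,
            "C": xor(hpb, b_i),                # C_i = h(PW_i xor BIO_i) xor B_i
            "D": xor(psk, a_i),                # D_i = PSK xor A_i
            "E": xor(h(psk), hpb),             # E_i = h(PSK) xor h(PW_i xor BIO_i)
            "F": list(server_ids)}             # F_i = [SID_1, ..., SID_n]


def card_login(card, pw, bio, sid, t1):
    """Login phase, smart-card side: public message plus the card's state."""
    hpb = h(xor(pw, bio))
    if xor(hpb, card["C"]) != card["B"]:       # B_i == h(PW_i xor BIO_i) xor C_i ?
        raise ValueError("password/biometric check failed")
    hpsk = xor(card["E"], hpb)                 # card recovers h(PSK) from E_i
    n1 = os.urandom(32)
    m1 = xor(xor(h(card["B"]), n1), hpsk)      # M_1 = h(B_i) xor N_1 xor h(PSK)
    auid = h(n1, card["UID"], sid)             # AUID_i = h(N_1 || UID_i || SID_j)
    m2 = h(auid, sid, card["D"], n1, t1)       # M_2 = h(AUID_i||SID_j||D_i||N_1||T_1)
    msg = {"AUID": auid, "M1": m1, "M2": m2, "D": card["D"], "T1": t1}
    return msg, {"N1": n1, "AUID": auid}


def server_respond(msg, sid, psk, uid, t2):
    """Authentication step 1, server side.  UID_i is passed in only because
    ASID_j = h(N_2 || UID_i || SID_j) cannot be formed without it (Section 3.3)."""
    if not fresh(t2, msg["T1"]):
        raise ValueError("stale T1")
    a_i = xor(msg["D"], psk)                           # A_i = D_i xor PSK
    n1 = xor(xor(msg["M1"], h(h(a_i))), h(psk))        # N_1 = M_1 xor h^2(A_i) xor h(PSK)
    if h(msg["AUID"], sid, msg["D"], n1, msg["T1"]) != msg["M2"]:
        raise ValueError("M2 mismatch: user rejected")
    n2 = os.urandom(32)
    m3 = xor(n2, h(h(n1)))                             # M_3 = N_2 xor h^2(N_1)
    asid = h(n2, uid, sid)                             # ASID_j = h(N_2 || UID_i || SID_j)
    m4 = h(asid, sid, msg["D"], n2, t2)                # M_4 = h(ASID_j||SID_j||D_i||N_2||T_2)
    sk = h(n1, n2, msg["AUID"], asid)                  # SK_ij
    return {"ASID": asid, "M3": m3, "M4": m4, "T2": t2}, {"N2": n2, "SK": sk}


def card_finish(card, state, reply, sid, t3):
    """Authentication step 2, smart-card side: verify M_4, derive SK_ij, send M_5."""
    if not fresh(t3, reply["T2"]):
        raise ValueError("stale T2")
    n2 = xor(reply["M3"], h(h(state["N1"])))           # N_2 = M_3 xor h^2(N_1)
    if h(reply["ASID"], sid, card["D"], n2, reply["T2"]) != reply["M4"]:
        raise ValueError("M4 mismatch: server rejected")
    sk = h(state["N1"], n2, state["AUID"], reply["ASID"])
    return {"M5": h(sk, h(n2), t3), "T3": t3}, sk       # M_5 = h(SK_ij || h(N_2) || T_3)


def server_finish(srv, final, t4):
    """Authentication step 3: server confirms M_5 and accepts SK_ij."""
    return fresh(t4, final["T3"]) and h(srv["SK"], h(srv["N2"]), final["T3"]) == final["M5"]


def run_session(card, pw, bio, sid, psk, uid, t):
    """One full run; returns what an eavesdropper sees and the agreed key."""
    msg, st = card_login(card, pw, bio, sid, t)
    reply, srv = server_respond(msg, sid, psk, uid, t + 1)
    final, sk = card_finish(card, st, reply, sid, t + 2)
    assert server_finish(srv, final, t + 3) and sk == srv["SK"]
    return {**msg, **reply, **final}, sk


def recover_session_key(card, transcript):
    """Sections 3.1 / 3.2: from the card contents and a recorded transcript
    (AUID_i, ASID_j, M_1, M_3) the attacker gets SK_ij without PW_i, BIO_i,
    PSK or x.  B_i and h(PSK) never change, so old transcripts fall the same way."""
    hpb = xor(card["C"], card["B"])                     # h(PW_i xor BIO_i) = C_i xor B_i
    hpsk = xor(card["E"], hpb)                          # h(PSK) = E_i xor h(PW_i xor BIO_i)
    n1 = xor(xor(transcript["M1"], h(card["B"])), hpsk) # N_1 = M_1 xor h(B_i) xor h(PSK)
    n2 = xor(transcript["M3"], h(h(n1)))                # N_2 = M_3 xor h^2(N_1)
    return h(n1, n2, transcript["AUID"], transcript["ASID"])


def demo():
    """Constructed setup: one user, one server, two sessions.  Returns True when
    the attacker recovers both keys (the first session is the 'old' one of 3.2)."""
    x, psk = os.urandom(32), os.urandom(32)
    uid, sid = b"alice", b"server-1"
    pw, bio = h(b"alice-password"), h(b"alice-fingerprint-template")
    card = register(uid, pw, bio, x, psk, [sid])
    runs = [run_session(card, pw, bio, sid, psk, uid, t) for t in (1000, 2000)]
    return all(recover_session_key(card, tr) == sk for tr, sk in runs)


if __name__ == "__main__":
    print("attacker recovered both session keys:", demo())
```

The point to check is the signature of recover_session_key: it takes only the card contents and the public transcript, never $PW_i$, $BIO_i$, $PSK$ or $x$, and it returns the same $SK_{ij}$ that the honest parties agreed on, for the earlier session as well as the current one. Nothing in the model guesses a password; the leak comes entirely from $C_i \oplus B_i$ and $E_i$ being stored together on the card and from $N_1$ being masked only by values that never change.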