2607_kumar_gupta_kumari_v.final_
advertisement
Information & Security: An International Journal
Manoj Kumar, Mridul Kumar Gupta & Saru
Kumari, vol.26:2, 2013, 79-97
http://dx.doi.org/10.11610/isij.2607
A ROBUST REMOTE USER AUTHENTICATION
SCHEME USING SMART CARD
Manoj KUMAR, Mridul Kumar GUPTA and Saru KUMARI
Abstract: With the fast growth of e-commerce and enormous demand from
numerous internet based applications, strong privacy protection and robust system
security have become essential requirements for an authentication scheme or for a
universal access control mechanism. The vision to ease functionality and achieve
computation efficiency, design issues for efficient and secure remote user
authentication scheme have been a preferred field of investigation by the research
community in these two decades. In 2005, Liao et al. improved the dynamic IDbased scheme of Das et al. to achieve mutual authentication and also withstand
various attacks. More recently, in 2009, Wang et al. crypt analysed Das et al.’s
scheme and also proposed another remote user authentication scheme to eradicate
pitfalls. Unfortunately both improvements have been found to be vulnerable and
inefficient for real life implementation. The main goal of this paper is to propose a
robust remote user authentication scheme using smart card that could not only
withstand the traditional attacks, such as the man-in-the-middle attack, the replay
attack, the forgery attack, the stolen smart card attack, and the denial of service
attack, but also overcomes YLY attacks: perfect forward secrecy, the guessing
attack, and the Denning- Sacco attack. Our scheme also establishes session key for
secure communication between user and server and rules out possibility of
reflection attack and replay attack through its design.
Keywords: Forward secrecy, Guessing attack, Remote authentication, Smart card,
Timestamp.
Introduction
With rapid development of computer and communication technologies, people
depend more and more on networks to communicate with others and have their jobs
run on remote hosts. On one hand, networks provide convenient procedures for users
to corporate with others at remote places, but on the other hand, with the distributed
nature of computer network systems, an eavesdropper can easily access and intercept
the information transmitted. So the achievement of privacy and security has become
increasingly important. Since 1981, when Lamport 1 proposed the first password
based remote authentication scheme to identify the legal user within an insecure
© ProCon Ltd., www.procon.bg. This article cannot be reprinted, published on-line or sold without written permission by ProCon.
80
A Robust Remote User Authentication Scheme Using Smart Card
communication environment, a series of relevant studies and authentication
mechanisms 2 have been conducted in these two decades. However, most of the
previously published schemes cannot achieve computational efficiency and system
security at the same time.
In 2004, Das, Saxena and Gulati 3 proposed a dynamic ID-based remote user
authentication scheme to authenticate users that preserves the user’s anonymity. They
claimed that their scheme is secure against stolen verifier attack, replay attack,
forgery attack, guessing attack, insider attack, and identity theft. However, many
researchers 4 exposed vulnerabilities of Das, Saxena and Gulati’s scheme to different
attacks. In 2005, Chien and Chen 5 pointed out that Das et al.’s scheme fails to
preserve the user’s anonymity because the authentication messages belonging to the
same user can be identified. They proposed an authentication scheme and claimed
that their scheme preserves the user’s anonymity more efficiently. Though their
scheme indeed preserves the user’s anonymity and is secure against various attacks, it
is also highly computation intensive. In 2005, Liao, Lee, and Hwang 6 proposed an
improved scheme that enhances the security of Das et al.’s scheme and achieves
mutual authentication. In 2006, Yoon and Yoo 7 demonstrated a reflection attack on
Liao et al.’s scheme that breaks the mutual authentication. They also proposed an
improved dynamic identity-based mutual authentication scheme that eliminates the
security flaws of Liao et al.’s scheme. Later, in 2008, Xie, Wang, Chen and Yu 8
pointed out that Liao et al.’s protocol is insecure against user impersonation attack
and thereby developed a countermeasure. Nevertheless, in their scheme the remote
user requires maintaining an extra high-entropy secret number issued by the server.
This design reduces the protocol’s practicality. More recently, Wang, Liu, Xiao and
Dan 9 showed that Das et al.’s scheme is completely insecure for its independence of
using passwords, does not provide mutual authentication, and cannot resist fake
server attack. Wang et al. proved that Das et al.’s scheme performs only unilateral
authentication (only client authentication) and remote user has no information about
the authenticity of the remote authentication system, thus Das et al.’s scheme is
susceptible to the server spoofing attack. Wang et al. then proposed a dynamic IDbased remote user authentication scheme and claimed that their scheme is more
efficient and secure than Das et al.’s scheme. Afterwards, in 2010 Khan, Kim and
Alghathbar 10 pointed out that Wang et al.’s scheme lacks user anonymity, session key
establishment, revocation of lost smart card, and also deprives the user of choosing
his own password. In the same year, Yeh, Su, Lo, Li, and Hung 11 also showed that
Wang et al.’s scheme is vulnerable to ID-theft attack, user impersonation attack,
server counterfeit attack, man-in the middle attack, undetectable on line password
guessing attacks and off line password guessing attack.
80
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
81
As regards improved system efficiency, studies 12 demonstrated that one-way hash
functions are more suitable in a password based authentication scheme owing to its
operation efficiency. So using one-way hash functions in this paper we propose a
robust remote user authentication scheme using smart card which not only enables
users to update their password freely and withstand the traditional attacks mentioned
in the former discussion but also overcomes YLY attacks:13 perfect forward secrecy,
the guessing attack, and the Denning-Sacco attack.14 Our scheme also establishes
session key for secure communication between user and server and rules out
possibility of reflection attack and replay attack through its design.
The rest of the paper is organised as follows: The article first proposes a robust
scheme. Then the proposed scheme is analysed and the achievements of the proposed
protocol are discussed. Then our proposed scheme is compared to other similar
schemes. Finally, we conclude the article.
The Proposed Protocol
First of all we display the notations and their description used throughout the paper.
U: the user.
ID: the identity of U.
PW: the password of U.
b: fingerprint of U.
BPW: = h(b || PW) biometric password of U.
SC: the smart card of U.
TR: the registration timestamp of U.
TL: login timestamp of U.
S: the remote server.
ADB: the account-database maintained by S.
LF: login field for U’s log-on-entry in ADB.
x: permanent secret key of S.
h(.): a cryptographic hash function.
KSESS: the session key.
UK: the malicious user
UA: the attacker.
: the bitwise Xor operation.
: the bitwise Nor operation.
Δt: the maximum time interval for communication delay.
81
82
A Robust Remote User Authentication Scheme Using Smart Card
: a secure channel.
: a common channel.
||: the string concatenation.
In this section, we propose a remote user authentication and key agreement scheme
using smart card with secure one-way hash function.
Assumptions: The following are the assumptions of our proposed scheme.
Assumption 1): Only the legal users could access the secure channel to communicate
with the server and to receive the smart card issued from the server in the registration
phase.
Assumption 2): There is an ADB on the server and the server could protect and
maintain the ADB correctly and efficiently. The ADB is signed by the private key of
S. In addition, S will routinely and frequently make offsite back up of the ADB.
System implementers use high security measures, e.g. strong administration policies
and procedures, firewalls, intrusion detection software to protect the sensitive data on
server.
Our proposed protocol consists of five phases: the registration phase, the login phase,
the authentication phase, the password change phase and the revocation phase. We
illustrate the detailed processes in sequence along with the figure depicting the entire
protocol structure of the proposed scheme. In the ADB, server creates three fields for
each user, first field stores hash of user’s identity, h(ID), second field stores the
registration timestamp TR encrypted with private key of S, and third field LF is to
store user’s log-on-entry. The entry in LF is filled up by the current timestamp as
soon as the login request of the user is received, and the entry from LF is discarded as
soon as U is provided services after its successful authentication. Thus LF remains
empty if U is not undergoing login authentication phase.
Registration phase
R1) U freely chooses ID & PW and generates his fingerprint b.
R2) Computes h(ID) and BPW = h(b || PW).
R3) U S: {h(ID), BPW}.
R4) On receiving U’s registration request, S acquires TR, searches the ADB to check
if h(ID) is unique. If not, S drops the message and asks U re-do from R1.
R5) S stores h(ID) and encrypted TR in first and second field of ADB respectively.
R6) S computes P = h((x || h(ID)) TR), M = P BPW, N = h (h(ID) || BPW) h(P).
R7) S U: smart card = {M, N, h(.)}.
82
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
83
User / Server
Registration Phase:
Selects ID & PW
Generates b
{h(ID), BPW}
Computes h(ID),BPW=h(b||PW)
{SC}
Login Phase:
U: Generates b; inputs ID, PW & b
SC: h(h(ID) || BPW) = K
Verification Phase:
Acquires TS
Aborts if h(ID) is not in ADB or/and
LF is not empty
Enters TS in LF
P = h((x || h(ID)) TR)
TU HT P, Aborts if (TS -TU)
Δt
h(h(ID) || BPW) CID h(P || TU)
P M BPW, L N h(P)
Aborts if K ≠ L
HT = P TU,
CID = h(h(ID) || BPW) h(P || TU)
NU = h(h(ID) || BPW)
TU
{h(ID),HT,CID,NU}
NU* = h(h(ID)|| BPW)
TU
Aborts if NU* ≠ NU
KSESS = h(P || TU || h(h(ID) || BPW))
Discards TS from LF
{PWNEW and/or bNEW}
h(h(ID) || BPW) = K
P M BPW, L N h(P),
KSESS = h(P || TU || h(h(ID) || BPW))
Password change Phase:
Generates b
Inputs ID, PW & b
Stores h(ID), x + TR, in ADB
P = h((x || h(ID)) TR), M= P
BPW and
N = h(h(ID) || BPW) h(P)
Stores M, N & h(.) in SC
Aborts if K ≠ L
Asks U for PWNEW and/or bNEW
BPWNEW = h(bNEW || PWNEW)
MNEW = M BPW BPWNEW
NNEW = N h(h(ID) || BPW)
h(h(ID) || BPWNEW)
MNEW M, NNEW N
Revocation Phase:
Lost smart card
{SC is lost}
TC TR in ADB,
Revocation accomplished
Sends re-registration request
Figure 1: Proposed scheme.
Login phase
To login S, U inserts the SC into a card reader, generates his fingerprint b and inputs
ID, PW and b. Then SC performs the following steps:
L1) Computes h(ID), BPW= h(b || PW) and h(h(ID)|| BPW) = K.
L2) Extracts P = M BPW and L = h(h(ID)|| BPW) = N h(P). If K = L then U is
authenticated successfully by the SC.
83
84
A Robust Remote User Authentication Scheme Using Smart Card
L3) Acquires the current time stamp T U, computes hidden time stamp HT = P TU
and CID = h(h(ID)|| BPW) h(P || TU), NU = h(h(ID) || BPW) TU.
L4) U S: {h(ID), HT, CID, NU}
Note: SC halts and displays a need for re-registration if U fails to enter ID, PW and b
correctly over certain number of times.
Verification phase
After the login request is received by S, following steps are performed by S and U:
V1) S acquires the current time-stamp TS.
V2) Checks whether h(ID) is on ADB and T L field is empty. If one of them is
negative S drops the login request; otherwise enters TS in LF of ADB.
V3) Extracts TR and computes P = h((x || h(ID)) TR).
V4) Extracts TU = HT P and checks if (TS -TU) Δt. If true, S drops the login
request.
V5) Extracts h(h(ID) || BPW) = CID h(P || TU), computes NU* = h(h(ID) || BPW)
TU and checks if NU*? = NU. This equivalence authenticates the legality of U and
the login request is accepted else the connection is interrupted.
V6) U and S agree on common KSESS = h(P || TU || h(h(ID) || BPW)). Afterwards all
the subsequent messages between U and S are XoR-ed with session key KSESS.
V7) S discards entry TS from LF.
Password change phase
This procedure is invoked if U wants to change his password. Suppose U want to
select a new password PWNEW and/or a new fingerprint bNEW to replace original
password and/or original fingerprint b. Then U and SC perform the following steps.
P1) First SC authenticates U in similar way as in login phase up to step L2. If U is
authenticated successfully then SC asks U to enter PWNEW and/or bNEW.
P2) SC computes BPWNEW = h(bNEW || PWNEW), MNEW = M BPW BPWNEW,
NNEW = N h(h(ID)|| BPW) h(h(ID)|| BPWNEW).
P3) Replace M and N by MNEW and NNEW, respectively.
Revocation phase
In case of lost/stolen SC, U, requests S for its revocation for which S replaces T R in
the ADB with the current timestamp T C. Later on U can register to S without
changing his ID and with a new password and new fingerprint. Here U is strongly
84
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
85
recommended not to use any previous values new registration to avoid the
impersonation by UA.
Security Analysis
Malicious user attack
A malicious privileged user UK having his own SC can extract the value P. But this
value P varies from one user to another as it contains identity and registration
timestamp corresponding to the concerned user. So it can’t be used to create a valid
login request to impersonate another valid user. Using his own identity, U K cannot
guess the secret key x of S included in P because it is not possible to guess two
parameters x and TR correctly at the same time in real polynomial time as T R
corresponding to himself is not known to UK. Therefore the proposed protocol is
secure against malicious user attack.
Impersonation attack
UA may attempt to impersonate U from some previously intercepted login request
{h(ID), HT, CID, NU}, so as to succeed in the verification phase. For this he may
acquire the current time stamp T A and computes HT* = HT TA = P TU TA,
CID* = CID TA = h(h(ID) || BPW) h(P || TU) TA, NU* = NU TA. On receiving
{h(ID), HT*, CID*, NU*} and after completing steps V1 and V2, S extracts T U TA =
HT* P. Then in step V4, (T U TA) will fail in freshness test. Since UA does not
know TU so he don’t have the option to choose T A in such a way so that TU TA pass
the timestamp freshness test, nor he can extract T U from HT and CID to append some
new time stamp unless he knows the correct P. Even then we suppose that somehow
UA passes the timestamp freshness test, then in step V5, S computes CID * h (P || TU
TA) and extracts h(h(ID) || BPW) h(P || TU) TA h (P || TU TA), in no way
UA can pass step V5. This is because whatever efforts UA applies to construct CID*
and NU*, all his efforts are futile without knowing P and due to the presence of
bitwise NoR operator rather than bitwise XoR operator in NU. Thus, the
proposed protocol is secure against impersonation attack.
Stolen smart card attack
Without the correct password and provided a correct fingerprint, no one could access
SC in our proposed protocol. Even if UA could obtain the secret information stored in
stolen SC by monitoring the power consumption 15 or by analysing the leaked
information,16 without the link between the SC and the credentials {h(ID), b, PW} of
the corresponding user, UA cannot forge a valid login request correctly. Furthermore,
it is not possible to guess out two parameters correctly at the same time and b the
fingerprint of U is an additional problem for U A. Besides SC contains only M & N
85
86
A Robust Remote User Authentication Scheme Using Smart Card
but the combination M N yields nothing fruitful for UA. Therefore the proposed
protocol is secure against stolen SC attack.
Offline dictionary attack/guessing attack
UA first tries to obtain U’s verification information {h(ID), HT, CID, N U} and then
tries to guess ID, BPW, P by offline guessing. For this UA has to guess at least two
parameters correctly at the same time out of T U, P, and BPW and it is not possible to
guess two parameters correctly at the same time in real polynomial time. Also no
combination of the values included in U’s login request proves to be helpful for U A in
this guessing. Therefore, the proposed protocol is secure against offline dictionary
attack/guessing attack.
Denial of service (DoS) attack
In this type of attack, an attacker updates password verification information on SC to
some arbitrary value and hence legal user cannot login successfully in subsequent
login request to the server. In the proposed protocol, SC checks the validity of ID,
PW and b before password update procedure. It is not possible to guess out ID and
PW correctly at the same time and the fingerprint b of U can be generated by no one
other than U.
On the server side there is an ADB in our proposed protocol. The server could check
the legality of users by checking the field of the hash value of U’s identity in ADB.
Moreover S will drop the replay message if the legal user is logged on by checking LF
for user’s log-on-entry. Therefore the proposed protocol is secure against denial of
service attack.
DoS attack can also be mounted by UA by simply tampering and then destroying any
packets of sent messages at its will. For example after sending a valid login request U
may not receive an expected response from S within the expected time interval.
Consequently U would believe that his login request is lost and therefore he would
launch a retransmission. In our proposed protocol this retransmission will be treated
as a replayed login request by UA and will be rejected by S because LF corresponding
to U in ADB of S will not be empty in this case. Thus U will have to face DoS attack.
Therefore we make the following assumption:
Assumption 3): An attacker has only limited capability to interfere with the
communication between U and S. If an attacker can tamper any packets at will, then
he/she can mount a DoS attack simply by destroying these packets. This assumption
and similar discussion also exists in Wang and Reiter.17
Replay Attack
86
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
87
Replaying a login request {h(ID), HT, CID, NU} of one session into another session
is useless because the client’s SC uses current timestamp TU in a hidden manner as
hidden timestamp HT = P TU in each new session, which makes the messages CID
and NU to be dynamic and valid for small interval of time. Old messages cannot be
replayed successfully in other sessions and messages replayed within short span of its
generation are dropped by S on checking LF for user’s log-on-entry. Hence the
proposed protocol is secure against replay attack.
Leak of verifier attack/Modification of ADB attack
In this type of attack, the attacker may be able to steal verification table from the
server. If the attacker steals the verification table from S, he can use stolen verifiers to
impersonate a participant of the authentication protocol. In the proposed protocol, S
knows the secret key x and stores x TR corresponding to h(ID) of U in its ADB. U A
has no technique to find out the value P because P includes x and T R separately rather
than the combined form x TR. If UA performs any tampering with the ADB of S, it
is detectable because the ADB is signed by the private key of S and is regularly
verified by S. In addition, S routinely and frequently makes offsite backup of the
ADB. If S detects any unauthorised modification within ADB, then S can restore
ADB using the offsite backup, which is assumed to be well protected. Thus the
proposed protocol is secure against leak of verifier attack/modification of ADB
attack.
Server spoofing attack
In the proposed protocol, malicious server cannot compute the session key K SESS =
h(P|| TU || h(h(ID) || BPW)) because the malicious server does not know the value P,
TU, and h(h(ID) || BPW). In addition KSESS is different for same user in different login
sessions. Hence the proposed protocol is secure against server spoofing attack.
Online dictionary attack/Online guessing attack
In this type of attack, the attacker pretends to be the legitimate user and attempts to
login on to the server by guessing different words as password from a dictionary. In
the proposed protocol, the attacker has to get the valid smart card and then has to
guess U’s ID and PW correctly at the same time which is not possible in real time
polynomial. Besides no one but U can generate the valid fingerprint b. Moreover, U A
cannot try endlessly as SC halts, denies working further and displays a need for reregistration even if the valid user fails to insert the required information correctly a
certain number of times. Therefore the proposed protocol is secure against online
dictionary attack.
Man in the middle attack/Parallel session attack
87
88
A Robust Remote User Authentication Scheme Using Smart Card
We have seen earlier that UA cannot masquerade as U neither by replaying a valid
intercepted login request {h(ID), HT, CID, N U} nor by forging a valid login request
because of the following reasons.
Timestamp TU is hidden inside HT.
CID consists of TU.
UA has no way to correctly know P and PW of U.
No one other than U can generate fingerprint b of U.
If LF field in ADB of S is not empty then S rejects the login request.
Additionally, UA cannot compute the agreed KSESS = h(P || TU || h(h(ID) || BPW))
between U and S because UA does not know any of the values included in KSESS.
Therefore the proposed protocol is secure against man in the middle attack/parallel
session attack.
Reflection attack
Yoon and Yoo 18 demonstrated reflection attack on Liao, Lee, and Hwang’s 19 scheme
by reusing U’s login messages as the response message of a fake server. In the
proposed protocol only U authenticates itself to S. After successful authentication U
and S agree on the common session key KSESS = h(P || TU || h(h(ID) || BPW))and
afterwards S authenticates itself to U using KSESS. Therefore, there is no possibility of
reflection attack in the proposed protocol.
Forgery attack
For the reasons given in support of the resistance to reflection attack, server cannot be
impersonated by UA in our proposed protocol. And due to the points given in man-inthe-middle attack/parallel session attack, UA cannot be successful in impersonating U.
Thus the proposed model resists the forgery attack.
Denning-Sacco attack
This attack is that an attacker tries to discover a long term private key (e.g uses
password or server secret key) or other session keys by using an old session key
information 20 As we have analysed our proposed protocol through various attacks
(e.g. guessing attack, stolen smart card attack, etc.) mentioned above, it is apparent
that Denning-Sacco attack is not applicable to it.
Insider attack
During the registration phase if U’s password is revealed to S, the insider of S may
impersonate U to access other servers if same password is used for them. Our
proposed protocol sends biometric password BPW = h(b || PW) making use of the
88
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
89
fingerprint b of U. In addition instead of sending ID of U, h(ID) is sent to S.
Therefore neither password nor identity of U is revealed to S. Thus the proposed
protocol is secure against insider attack.
Server’s secret key(x) guessing attack
To guess the secret key x of S firstly UA must know the correct value of P. But there
is no way with which UA can obtain P. Only a malicious privileged user UK can
extract P from his own SC. But even after knowing P it is not possible to guess the
secret key x of S. Even UK who knows his identity ID, cannot guess x from P because
it is not possible to guess the two values x and T R correctly at the same time in real
time polynomial.
Achievements
Mutual authentication and session key establishment
S checks the validity of U by verifying the equality of NU (sent by U to S) = h(h(ID)||
BPW)
TU and NU* calculated by S). After this both U and S establish and agree
upon a session key KSESS = h(P || TU || h(h(ID) || BPW)). This session key
establishment is very efficient as it does not require any extra calculations or
transmissions. Authentication of S to U is not a problem after the successful
establishment of secret KSESS because then U and S can secretly communicate with
each other at their own will, for instance S may authenticate itself to U by sending
h(KSESS TU). Thus our proposed protocol provides session key establishment in a
very simple way and which is also useful in accomplishing the mutual authentication.
Perfect forward secrecy
Suppose the long term secret key x of S is compromised by some means, UA cannot
compute P = h((x || h(ID) TR) without knowing the correct ID and T R corresponding
to U. Moreover UA still cannot recover the old session key KSESS = h(P || TU || h(h(ID)
|| BPW)) unless he knows correct values of P, T U, ID, b and PW.
Efficient password authentication
In the proposed protocol, the ownership check procedure runs every time when SC is
inserted in to the card reader. SC drops or rejects the request if the user fails to insert
the three correct values ID, b, & PW, simultaneously.
Secure password change phase
89
90
A Robust Remote User Authentication Scheme Using Smart Card
U can freely choose and change password at his will without the help of S. The phase
could also avoid easy modification of the password of U by any unauthorised user if
he obtains the SC of U by some means. No one having SC can update the password
without the ID, PW, and fingerprint b corresponding to the SC.
Identity protection/User anonymity
Instead of using ID our proposed protocol uses the hash value of user’s identity h(ID)
in transaction. Also there is no identity information about U corresponding to SC
during authentication.
Efficiency and practicability
The SC needs only six hash operations during the login phase, verification phase and
session key generation. Due to low computation cost in SC, our scheme guarantees
user efficiency. Also, S uses only three hash operations, thus server efficiency is also
guaranteed. These low computation costs in both, SC and S, make the scheme more
efficient and practical. Besides our proposed scheme is user friendly because user can
choose and change password at its will.
Revocation facility
The value TR is used in constructing P = h((x || h(ID)) TR), which is stored inside SC
embedded within M = P BPW and N = h(h(ID) || BPW) h(P) and has key role
throughout the scheme. At the SC loss/theft/when essential, S revokes the SC of U by
replacing the stored TR with the current time stamp TC. Since the revoked SC contains
TR, therefore SC will not pass the verification phase performed by S. However U’s
account is still kept in the database, U can re-register to S to obtain a new SC
involving a new registration timestamp.
Easily reparable
If U finds or suspects that M or N has been compromised, he can change his
password or re-registers to S by submitting his identity. Upon receiving U’s
registration request at TC, S updates the value of TR with the current time stamp TC in
the existing entry for U and then computes MNEW = PNEW BPWNEW, NNEW =
h(h(ID) || BPWNEW) h(PNEW), where PNEW = h((x || h(ID) TR = TC) and BPWNEW =
h(b || PWNEW). Next S stores MNEW and NNEW in U’s new SC. From now, U can
securely login S by using his new SC and PWNEW, the compromised M and N have
been revoked automatically, that is UA’s login request which is derived from M and N
will be rejected. Thus the proposed protocol is easily reparable.
90
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
91
Comparison
In this section we compare Das, Saxena and Gulati’s scheme,21 Liao, Lee and Hwang
scheme,22 Wang, Kiu, Xiao and Dan scheme 23 and our proposed scheme in terms of
attacks, goals achieved and computational complexity and cost through table 1, table
2 and table 3, respectively. Assume that the identity ID, password PW, server’s secret
key x values and output of secure one-way hash function are all 128-bit long. In our
proposed protocol the parameters stored in SC are M and N, and the memory needed
(C1) in SC is 256 bits. The communication cost of authentication (C2 = 4128)
includes the capacity of transmitting message involved in the authentication scheme.
The computation cost of registration (C3 = 5h(.) + 2) is the total time of all
operations executed in the registration phase. The computation cost of SC in login
phase and session key establishment (C4 = 6h(.) + 4 + 1 ) and S during
authentication phase and session key establishment (C5 = 3h(.) + 2 + 1 ) is the
time spent by U and S during the process of authentication. Table 1 and table 2 show
the robustness and extra achievements of our scheme. Our scheme achieves more
features which were not considered in the related schemes and are essentially
required in implementing a practical and universal remote user authentication scheme
using smart cards. Besides, it can be seen from table 3 that our scheme neither
overheads SC nor S with high hash, yet provides secure user authentication by SC
and session key establishment which are indispensable for implementing a reliable
and trustworthy remote user authentication system.
Table 1. Comparison of security features.
Attacks &
Schemes
Das et al. [24]
Liao et al.[14]
Wang et al.[40]
Our Protocol
Malicious user
Yes
Yes
Yes
No
Impersonation
No
Yes
Yes
No
Stolen SC
Yes
Yes
No
No
Offline guessing
Yes
Yes
Yes
No
Denial of
service
No
No
Yes
No
Replay
No
No
No
No
Leak of verifier
No
No
No
No
Online guessing
Yes
Yes
Yes
No
91
92
A Robust Remote User Authentication Scheme Using Smart Card
Man-in the
middle
No
Yes
Yes
No
Parallel session
No
Yes
Yes
No
Reflection
No
Yes
No
No
Forgery
Yes
Yes
Yes
No
Insider
Yes
No
Yes
No
Guessing secret
key x
Yes
Yes
Yes
No
Table.2. Comparison of achievements.
Attacks &
Schemes
Das et al. [24]
Liao et al.[14]
Wang et al.[40]
Our Protocol
Mutual
authentication
No
Yes
Yes
Yes
KSESS
establishment
No
No
No
Yes
Perfect forward
secrecy
Yes
Yes
Yes
Yes
Efficient PW
authentic.
No
No
No
Yes
Secure PW
changing
No
No
No
Yes
Identity
protection
Yes
Yes
No
Yes
Revocation
facility
No
No
No
Yes
Easy
reparability
No
No
No
Yes
User chosen
PW
Yes
Yes
No
Yes
92
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
93
Table.3. Comparison of communication/computational cost and complexity.
Attacks &
Schemes
Das et al. [24]
Liao et al.[14]
Wang et al.[40]
Our Protocol
C1
256 bits
256 bits
256 bits
256 bits
C2
4128
6128
6128
4128
C3
2h(.) + 1
2h(.) + 1
2h(.) + 2
5h(.) + 2
C4
4h(.) + 7
5h(.) + 10
3h(.) + 6
6h(.) + 4 +
1
C5
3h(.) + 7
4h(.) + 10
3h(.) + 8
3h(.) + 2 +
1
Sum
9h(.) + 15
11h(.)+21
8h(.) + 16
14h(.) + 8 +
2
Conclusions
We propose a robust remote user authentication protocol using smart cards to resolve
the problems like offline password guessing attack, denial of service attack, malicious
user attack, impersonation attacks, stolen smart card attack, online guessing attacks,
and forgery attacks. Our scheme also achieves features like freely choosing and
securely changing passwords, mutual authentication, session key generation, identity
protection/user anonymity, revocation facility, easy reparability, perfect forward
secrecy. We also evaluate our scheme by comparing it with some related schemes in
terms of security features, achievements and communication/computational cost and
complexity. Security analysis, achievements analysis and comparison analysis proved
that without adding much of communication/computational cost and complexity our
proposed protocol is quite robust and practical.
Notes:
1
2
Leslie Lamport, “Password Authentication with Insecure Communication,” Communication
of the ACM 24(11), 1981, available at: http://tnlandforms.us/cns06/lamport.pdf.
Patroklos Argyroudis, Raja Verma, Hitesh Tewari and Donal O’Mahoni, “Performance
Analysis of Cryptographic Protocols on Handhled Devices,” Proceedings of the 3rd
93
94
A Robust Remote User Authentication Scheme Using Smart Card
International Symposium on Network Computing and Applications, 2004, doi:
10.1109/NCA.2004.1347774;
Amit Kumar Awasthi and Sunder Lal, “A Remote User Authentication Scheme Using Smart
Cards with Forward Secrecy,” IEEE Transactions on Consumer Electronics 49(4), 2003,
doi: 10.1109/TCE.2003.1261225.
Amit Kumar Awasthi and Sunder Lal, “Security Analysis of a Dynamic I-Based Remote User
Authentication Scheme,” available at http://eprint.iacr.org/ 2004/238.pdf.
Mihir Bellare and Phillip Rogaway, “Entity Authentication and Key Distribution,” Advances
in
cryptology
CRYPTO’93,
1993,
available
at:
https://cseweb.ucsd.edu/~mihir/papers/eakd.pdf.
Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User
Anonymity,” Proceedings of 19th International Conference on Advanced Information
Networking and Applications, 2005, doi: 10.1109/AINA.2005.54.
Manik Lal Das, Ashutosh Saxena, and V.P. Gulati, “A Dynamic ID-based Remote User
Authentication Scheme,” IEEE Transactions on Consumer Electronics 50(2), 2004,
available at: http://arxiv.org/ftp/arxiv/papers/0712/0712.2235.pdf.
Yun Ding and Patrick Horster, “Undetectable On-Line Password Guessing Attacks,” ACM
SIGOPS Operating System Review 29(4), 1995, doi: 10.1145/219282.219298.
Xiaoyi Duan, JianWei Liu and Qishan Zhang, “Security Improvement on Chien Et al.’s
Remote User Authentication Scheme Using Smart Cards,” The 2006 IEEE International
Conference on Computational Intelligence and Security (CIS 2006) 2, 2006, doi:
10.1109/ICCIAS.2006.295440.
Zhengxian Gao and Yaqing Tu, “An Improvement of Dynamic ID-Based Remote User
Authentication Scheme with Smart Card,” Proceedings of the 7 th World Congress on
Intelligent Control and Automation, 2008, doi: 10.1109/WCICA.2008.4593658.
Li Gong, “A Security Risk of Depending on Synchronized Clocks,” ACM SIGOPS Operating
Systems
Review
26(1),
1992,
available
at:
http://citeseer.ist.psu.edu/viewdoc/download;jsessionid=0BFA313DF3219A69454B0A8E8
26BDA75?doi=10.1.1.54.7643&rep=rep1&type=pdf.
Han-Cheng Hsiang and Wei-Kuan Shih, “Weaknesses and Improvements of the Yoon-RyuYoo Remote User Authentication Scheme Using Smart Cards,” Computer Communications
32(4), doi:10.1016/j.comcom.2008.11.019.
Tzonelih Hwang, Yihwa Chen and Chi Sung Laih, “Non-Interactive Password Authentication
without Password Tables,” IEEE 10th Regional Conference on Computer and
Communication Systems, 1990, doi: 10.1109/TENCON.1990.152647.
Min-Shiang Hwang and Li-Hua Li, “A New Remote User Authentication Scheme Using Smart
Cards,” IEEE Transactions on Consumer Electronics 46(1), 2000, doi: 10.1109/30.826377.
Paul Kocher, Joshua Jaffe and Bejamin Jun, “Differential Power Analysis,” Proceedings of
Advances
in
Cryptology:
CRYPTO’99,
1999,
available
at:
http://www.cryptography.com/public/pdf/DPA.pdf.
Wei-Chi Ku and Shen-Tien Chang, “Impersonation Attack on a Dynamic ID-Based Remote
User Authentication Scheme Using Smart Cards,” IEICE Transactions on communications
E88-B(5), 2005, available at: http://ci.nii.ac.jp/ naid/110003222893/en.
Cheng-Chi Lee, Min-Shiang Hwang and Wei-Peng Yang, “A Flexible Remote User
Authentication Scheme with Smart Cards,” ACM Operating System Review 36(3), 2002: 4652.
94
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
95
I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic IDBased Remote User Authentication Scheme,” Proceedings of International Conference on
Next Generation Web Services Practices, 2005, doi: 10.1109/NWESP.2005.67.
Nai Wei Lo and Kuo-Hui Yeh, “Cryptanalysis of Two Three-Party Encrypted Key Exchange
Protocols,”
Computer
Standards
&
Interfaces
31(6),
2009,
doi:
doi:10.1016/j.csi.2009.03.002.
Thomas Messerges, Ezzat Dabbish and Robert Sloan, “Examining Smart-Card Security Under
the Threat of Power Analysis Attacks,” IEEE Transactions on Computers 51(5), 2002, doi:
10.1109/TC.2002.1004593.
Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure
Dynamic ID-Based Remote User Authentication Scheme,” Computer Communication 32(4),
2009, doi:10.1016/j.comcom.2008.11.008.
Kuo-Hui Yeh, Nai Wei Lo and Enrico Winata, “Cryptanalysis of an Efficient Remote User
Authentication Scheme with Smart Cards,” International Journal of Innovative Computing,
Information and Control 6(6), 2010, available at: http://www.ijicic.org/08-1246-1.pdf.
Eun-Jun Yoon, Eun-Kung Ryu and Kee-Young Yoo, “Further Improvement of an Efficient
Password Based Remote User Authentication Scheme Using Smart Cards,” IEEE
Transactions on Consumer Electronics 50(2), 2004, doi: 10.1109/TCE.2004.1309437.
Xin Zhang, Quan Yuan Feng and Miao Li, “A Modified Dynamic ID-Based Remote User
Authentication Scheme,” Proceedings of International Conference on Communications,
Circuits and Systems, 2006, doi: 10.1109/ICCCAS.2006.284979.
3 Manik Lal Das, Ashutosh Saxena, and Ved Gulati, “A Dynamic ID-Based Remote User
Authentication Scheme,” IEEE Transactions on Consumer Electronics 50(2), 2004,
available at: http://arxiv.org/ftp/arxiv/papers/0712/0712.2235.pdf.
4 Amit Kumar Awasthi, “Comment on a dynamic ID-based remote user authentication
scheme,”
Transaction
on
Cryptology
1(2),
2004,
available
at:
http://www.researchgate.net/publication/1957471_Comment_on_A_dynamic_IDbased_Remote_User_Authentication_Scheme.
Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual
Authentication Scheme,” Proccedings of “On the Move to Meaningful Internet Systems
2006,” OTM 2006 Workshops, 2006, doi: 10.1007/11915034_73.
Hsi-Chang Shih, “Cryptanalysis on Two Password Authentication Schemes,” Master's Thesis,
Laboratory of Cryptography and Information Security, National Central University, Taiwan,
2008.
Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User
Anonymity.”
I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic IDBased Remote User Authentication Scheme.”
Wei-Chi Ku and Shen-Tien Chang, “Impersonation Attack on a Dynamic ID-Based Remote
User Authentication Scheme Using Smart Cards.”
Y. P. Liou, Jay Lin and Shuenn-Shyang Wang, “A New Dynamic ID-Based Remote User
Authentication Scheme Using Smart Cards,” Proceedings of the 16th Information Security
Conference, 2006: 198-205.
5 Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User
Anonymity.”
95
96
A Robust Remote User Authentication Scheme Using Smart Card
I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic
ID-Based Remote User Authentication Scheme.”
7 Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual
Authentication Scheme.”
8 Qi Xie, Ji-Lin Wang, De-Ren Chen and Xiu-Yuan Yu, “A novel user authentication scheme
using smart cards,” Proceedings of the 2008 International Conference on Computer Science
and Software Engineering 3, 2008, doi: 10.1109/CSSE.2008.1043.
9 Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure
Dynamic ID-Based Remote User Authentication Scheme.”
10 Muhammad Khurram Khan, Soo-Kyun Kim, and Khaled Alghathbar, “Cryptanalysis and
Security Enhancement of a “More Efficient & Secure Dynamic ID-Based Remote User
Authentication
Scheme,”
Computer
Communications
34(3),
2011,
doi:
10.1016/j.comcom.2010.02.011.
11 Kuo-Hui Yeh, Chunhua Su, Nai Wei Lo, Yingjiu Li, and Yi-Xiang Hung, “Two Robust
Remote User Authentication Protocols Using Smart Cards,” The Journal of Systems and
Software 83(12), 2010, doi:10.1016/j.jss.2010.07.062.
12 Patroklos Argyroudis, Raja Verma, Hitesh Tewari and Donal O’Mahoni, “Performance
Analysis of Cryptographic Protocols on Handhled Devices.”
Ralph C. Merkle, “One Way Hash Function and DES,” Advances in Cryptology: Proceedings
of CRYPTO 89, 435, 1989, 428-446.
Martin Passing and Falko Dressler, “Experimental Performance Evaluation of Cryptographic
Algorithms on Sensor Nodes,” Proceedings of the 3rd International Conference on Mobile
Adhoc and Sensor Systems, 2006, doi: 10.1109/MOBHOC.2006.278669.
13 Eun-Jun Yoon, Ein-Jung Lee, and Kee-Young Yoo, “Cryptanalysis of Wang et al.’s Remote
User Authentication Scheme Using Smart Cards,” Proceedings of 5th International
Conference
on
Information
Technology:
New
Generations,
2008,
doi:
10.1109/ITNG.2008.100.
14 Dorothy E. Denning and Giovanni Maria Sacco, “Timestamps in Key Distribution System,”
Communications of the ACM 24(8), 1981, doi: 10.1145/358722.358740.
15 Paul Kocher, Joshua Jaffe and Bejamin Jun, “Differential Power Analysis.”
16 Thomas Messerges, Ezzat Dabbish and Robert Sloan, “Examining Smart-Card Security
Under the Threat of Power Analysis Attacks.”
17 Xiaofeng Wang and Michael K. Reiter, “Defending Against Denial-of-Service Attacks with
Puzzle Auctions,” Proceedings of the 2003 IEEE Symposium on Security and Privacy,
2003, doi: 10.1109/SECPRI.2003.1199329.
18 Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual
Authentication Scheme.”
19 I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic
ID-Based Remote User Authentication Scheme.”
20 Dorothy E. Denning and Giovanni Maria Sacco, “Timestamps in Key Distribution System.”
21 Manik Lal Das, Ashutosh Saxena, and V.P. Gulati, “A Dynamic ID-based Remote User
Authentication Scheme.”
22
I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic
ID-Based Remote User Authentication Scheme.”
6
96
Manoj Kumar, Mridul Kumar Gupta and Saru Kumari
23
97
Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure
Dynamic ID-Based Remote User Authentication Scheme.”
MANOJ KUMAR is an Assistant Professor at the Department of Mathematics,
Rashtriya Kishan Post Graduate College Shamli, Muzaffarnagar, Chaudhary Charan
Singh University in Meerut, India. He is a member of the Indian Mathematical
Society, the Indian Society of Mathematics and Mathematical Science, the
Ramanujan Mathematical Society, and the Cryptography Research Society of India.
He is working as a reviewer for various international peer review journals: Journal of
System and Software, Journal of Computer Security, International Journal of Network
Security, The Computer Networks, Computer and Security, The Computer Journal
and Applied Mathematics Journal of Chinese University etc. Manoj Kuma is also
working as a Technical Editor for some international peer review journals – Asian
Journal of Mathematics & Statistics, Asian Journal of Algebra, Trends in Applied
Sciences Research, Journal of Applied Sciences. He is member of the technical
programme committee of various national and international conferences. He has
published his research works at national and international level. His current research
interests include Cryptography and Applied Mathematics.
MRIDUL KUMAR GUPTA received his Ph.D in Mathematics in 1998 from Agra
University, India. Currently he is a professor & Head of the Mathematics Department
at the Institute of Advanced Studies, Chaudhary Charan Singh University in Meerut,
India. He is also Dean of the Faculty of Engineering & Technology of the same
university. He worked as recorder of the Section of Information and Communication
Science & Technology for the years 2004-2005 and 2005-2006 of the Indian Science
Congress Association. He has 25 years of teaching experience. He is life member of
the Indian Mathematical Society, the Indian Science Congress Association, the
Ramanujan Mathematical Society and the Bharata Ganita Parisad, India. His more
than 35 research papers are published in international journals. His research interests
include general topology, approximation theory and cryptography.
SARU KUMARI received her M.Sc, M.Phil degrees in mathematics from the
Institute of Advanced Studies, Chaudhary Charan Singh University in Meerut, India
in 2000, and 2005 respectively. Currently she is an Assistant Professor at the
Department of Mathematics, Agra College Agra, India. She is also pursuing her Ph.D
Degree in mathematics from the Institute of Advanced Studies, Chaudhary Charan
Singh University. Saru Kumari served as an Assistant Professor at the Department of
Mathematics, Vijay Singh Pathik Government P.G. College and the Government
Polytechnic in India. She is life member of the Indian Mathematical Society and the
Indian Science Congress Association. Her research interests include cryptography,
information security, and applied mathematics.
97
