Information & Security: An International Journal Manoj Kumar, Mridul Kumar Gupta & Saru Kumari, vol.26:2, 2013, 79-97 http://dx.doi.org/10.11610/isij.2607 A ROBUST REMOTE USER AUTHENTICATION SCHEME USING SMART CARD Manoj KUMAR, Mridul Kumar GUPTA and Saru KUMARI Abstract: With the fast growth of e-commerce and enormous demand from numerous internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme or for a universal access control mechanism. The vision to ease functionality and achieve computation efficiency, design issues for efficient and secure remote user authentication scheme have been a preferred field of investigation by the research community in these two decades. In 2005, Liao et al. improved the dynamic IDbased scheme of Das et al. to achieve mutual authentication and also withstand various attacks. More recently, in 2009, Wang et al. crypt analysed Das et al.’s scheme and also proposed another remote user authentication scheme to eradicate pitfalls. Unfortunately both improvements have been found to be vulnerable and inefficient for real life implementation. The main goal of this paper is to propose a robust remote user authentication scheme using smart card that could not only withstand the traditional attacks, such as the man-in-the-middle attack, the replay attack, the forgery attack, the stolen smart card attack, and the denial of service attack, but also overcomes YLY attacks: perfect forward secrecy, the guessing attack, and the Denning- Sacco attack. Our scheme also establishes session key for secure communication between user and server and rules out possibility of reflection attack and replay attack through its design. Keywords: Forward secrecy, Guessing attack, Remote authentication, Smart card, Timestamp. Introduction With rapid development of computer and communication technologies, people depend more and more on networks to communicate with others and have their jobs run on remote hosts. On one hand, networks provide convenient procedures for users to corporate with others at remote places, but on the other hand, with the distributed nature of computer network systems, an eavesdropper can easily access and intercept the information transmitted. So the achievement of privacy and security has become increasingly important. Since 1981, when Lamport 1 proposed the first password based remote authentication scheme to identify the legal user within an insecure © ProCon Ltd., www.procon.bg. This article cannot be reprinted, published on-line or sold without written permission by ProCon. 80 A Robust Remote User Authentication Scheme Using Smart Card communication environment, a series of relevant studies and authentication mechanisms 2 have been conducted in these two decades. However, most of the previously published schemes cannot achieve computational efficiency and system security at the same time. In 2004, Das, Saxena and Gulati 3 proposed a dynamic ID-based remote user authentication scheme to authenticate users that preserves the user’s anonymity. They claimed that their scheme is secure against stolen verifier attack, replay attack, forgery attack, guessing attack, insider attack, and identity theft. However, many researchers 4 exposed vulnerabilities of Das, Saxena and Gulati’s scheme to different attacks. In 2005, Chien and Chen 5 pointed out that Das et al.’s scheme fails to preserve the user’s anonymity because the authentication messages belonging to the same user can be identified. They proposed an authentication scheme and claimed that their scheme preserves the user’s anonymity more efficiently. Though their scheme indeed preserves the user’s anonymity and is secure against various attacks, it is also highly computation intensive. In 2005, Liao, Lee, and Hwang 6 proposed an improved scheme that enhances the security of Das et al.’s scheme and achieves mutual authentication. In 2006, Yoon and Yoo 7 demonstrated a reflection attack on Liao et al.’s scheme that breaks the mutual authentication. They also proposed an improved dynamic identity-based mutual authentication scheme that eliminates the security flaws of Liao et al.’s scheme. Later, in 2008, Xie, Wang, Chen and Yu 8 pointed out that Liao et al.’s protocol is insecure against user impersonation attack and thereby developed a countermeasure. Nevertheless, in their scheme the remote user requires maintaining an extra high-entropy secret number issued by the server. This design reduces the protocol’s practicality. More recently, Wang, Liu, Xiao and Dan 9 showed that Das et al.’s scheme is completely insecure for its independence of using passwords, does not provide mutual authentication, and cannot resist fake server attack. Wang et al. proved that Das et al.’s scheme performs only unilateral authentication (only client authentication) and remote user has no information about the authenticity of the remote authentication system, thus Das et al.’s scheme is susceptible to the server spoofing attack. Wang et al. then proposed a dynamic IDbased remote user authentication scheme and claimed that their scheme is more efficient and secure than Das et al.’s scheme. Afterwards, in 2010 Khan, Kim and Alghathbar 10 pointed out that Wang et al.’s scheme lacks user anonymity, session key establishment, revocation of lost smart card, and also deprives the user of choosing his own password. In the same year, Yeh, Su, Lo, Li, and Hung 11 also showed that Wang et al.’s scheme is vulnerable to ID-theft attack, user impersonation attack, server counterfeit attack, man-in the middle attack, undetectable on line password guessing attacks and off line password guessing attack. 80 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 81 As regards improved system efficiency, studies 12 demonstrated that one-way hash functions are more suitable in a password based authentication scheme owing to its operation efficiency. So using one-way hash functions in this paper we propose a robust remote user authentication scheme using smart card which not only enables users to update their password freely and withstand the traditional attacks mentioned in the former discussion but also overcomes YLY attacks:13 perfect forward secrecy, the guessing attack, and the Denning-Sacco attack.14 Our scheme also establishes session key for secure communication between user and server and rules out possibility of reflection attack and replay attack through its design. The rest of the paper is organised as follows: The article first proposes a robust scheme. Then the proposed scheme is analysed and the achievements of the proposed protocol are discussed. Then our proposed scheme is compared to other similar schemes. Finally, we conclude the article. The Proposed Protocol First of all we display the notations and their description used throughout the paper. U: the user. ID: the identity of U. PW: the password of U. b: fingerprint of U. BPW: = h(b || PW) biometric password of U. SC: the smart card of U. TR: the registration timestamp of U. TL: login timestamp of U. S: the remote server. ADB: the account-database maintained by S. LF: login field for U’s log-on-entry in ADB. x: permanent secret key of S. h(.): a cryptographic hash function. KSESS: the session key. UK: the malicious user UA: the attacker. : the bitwise Xor operation. : the bitwise Nor operation. Δt: the maximum time interval for communication delay. 81 82 A Robust Remote User Authentication Scheme Using Smart Card : a secure channel. : a common channel. ||: the string concatenation. In this section, we propose a remote user authentication and key agreement scheme using smart card with secure one-way hash function. Assumptions: The following are the assumptions of our proposed scheme. Assumption 1): Only the legal users could access the secure channel to communicate with the server and to receive the smart card issued from the server in the registration phase. Assumption 2): There is an ADB on the server and the server could protect and maintain the ADB correctly and efficiently. The ADB is signed by the private key of S. In addition, S will routinely and frequently make offsite back up of the ADB. System implementers use high security measures, e.g. strong administration policies and procedures, firewalls, intrusion detection software to protect the sensitive data on server. Our proposed protocol consists of five phases: the registration phase, the login phase, the authentication phase, the password change phase and the revocation phase. We illustrate the detailed processes in sequence along with the figure depicting the entire protocol structure of the proposed scheme. In the ADB, server creates three fields for each user, first field stores hash of user’s identity, h(ID), second field stores the registration timestamp TR encrypted with private key of S, and third field LF is to store user’s log-on-entry. The entry in LF is filled up by the current timestamp as soon as the login request of the user is received, and the entry from LF is discarded as soon as U is provided services after its successful authentication. Thus LF remains empty if U is not undergoing login authentication phase. Registration phase R1) U freely chooses ID & PW and generates his fingerprint b. R2) Computes h(ID) and BPW = h(b || PW). R3) U S: {h(ID), BPW}. R4) On receiving U’s registration request, S acquires TR, searches the ADB to check if h(ID) is unique. If not, S drops the message and asks U re-do from R1. R5) S stores h(ID) and encrypted TR in first and second field of ADB respectively. R6) S computes P = h((x || h(ID)) TR), M = P BPW, N = h (h(ID) || BPW) h(P). R7) S U: smart card = {M, N, h(.)}. 82 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 83 User / Server Registration Phase: Selects ID & PW Generates b {h(ID), BPW} Computes h(ID),BPW=h(b||PW) {SC} Login Phase: U: Generates b; inputs ID, PW & b SC: h(h(ID) || BPW) = K Verification Phase: Acquires TS Aborts if h(ID) is not in ADB or/and LF is not empty Enters TS in LF P = h((x || h(ID)) TR) TU HT P, Aborts if (TS -TU) Δt h(h(ID) || BPW) CID h(P || TU) P M BPW, L N h(P) Aborts if K ≠ L HT = P TU, CID = h(h(ID) || BPW) h(P || TU) NU = h(h(ID) || BPW) TU {h(ID),HT,CID,NU} NU* = h(h(ID)|| BPW) TU Aborts if NU* ≠ NU KSESS = h(P || TU || h(h(ID) || BPW)) Discards TS from LF {PWNEW and/or bNEW} h(h(ID) || BPW) = K P M BPW, L N h(P), KSESS = h(P || TU || h(h(ID) || BPW)) Password change Phase: Generates b Inputs ID, PW & b Stores h(ID), x + TR, in ADB P = h((x || h(ID)) TR), M= P BPW and N = h(h(ID) || BPW) h(P) Stores M, N & h(.) in SC Aborts if K ≠ L Asks U for PWNEW and/or bNEW BPWNEW = h(bNEW || PWNEW) MNEW = M BPW BPWNEW NNEW = N h(h(ID) || BPW) h(h(ID) || BPWNEW) MNEW M, NNEW N Revocation Phase: Lost smart card {SC is lost} TC TR in ADB, Revocation accomplished Sends re-registration request Figure 1: Proposed scheme. Login phase To login S, U inserts the SC into a card reader, generates his fingerprint b and inputs ID, PW and b. Then SC performs the following steps: L1) Computes h(ID), BPW= h(b || PW) and h(h(ID)|| BPW) = K. L2) Extracts P = M BPW and L = h(h(ID)|| BPW) = N h(P). If K = L then U is authenticated successfully by the SC. 83 84 A Robust Remote User Authentication Scheme Using Smart Card L3) Acquires the current time stamp T U, computes hidden time stamp HT = P TU and CID = h(h(ID)|| BPW) h(P || TU), NU = h(h(ID) || BPW) TU. L4) U S: {h(ID), HT, CID, NU} Note: SC halts and displays a need for re-registration if U fails to enter ID, PW and b correctly over certain number of times. Verification phase After the login request is received by S, following steps are performed by S and U: V1) S acquires the current time-stamp TS. V2) Checks whether h(ID) is on ADB and T L field is empty. If one of them is negative S drops the login request; otherwise enters TS in LF of ADB. V3) Extracts TR and computes P = h((x || h(ID)) TR). V4) Extracts TU = HT P and checks if (TS -TU) Δt. If true, S drops the login request. V5) Extracts h(h(ID) || BPW) = CID h(P || TU), computes NU* = h(h(ID) || BPW) TU and checks if NU*? = NU. This equivalence authenticates the legality of U and the login request is accepted else the connection is interrupted. V6) U and S agree on common KSESS = h(P || TU || h(h(ID) || BPW)). Afterwards all the subsequent messages between U and S are XoR-ed with session key KSESS. V7) S discards entry TS from LF. Password change phase This procedure is invoked if U wants to change his password. Suppose U want to select a new password PWNEW and/or a new fingerprint bNEW to replace original password and/or original fingerprint b. Then U and SC perform the following steps. P1) First SC authenticates U in similar way as in login phase up to step L2. If U is authenticated successfully then SC asks U to enter PWNEW and/or bNEW. P2) SC computes BPWNEW = h(bNEW || PWNEW), MNEW = M BPW BPWNEW, NNEW = N h(h(ID)|| BPW) h(h(ID)|| BPWNEW). P3) Replace M and N by MNEW and NNEW, respectively. Revocation phase In case of lost/stolen SC, U, requests S for its revocation for which S replaces T R in the ADB with the current timestamp T C. Later on U can register to S without changing his ID and with a new password and new fingerprint. Here U is strongly 84 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 85 recommended not to use any previous values new registration to avoid the impersonation by UA. Security Analysis Malicious user attack A malicious privileged user UK having his own SC can extract the value P. But this value P varies from one user to another as it contains identity and registration timestamp corresponding to the concerned user. So it can’t be used to create a valid login request to impersonate another valid user. Using his own identity, U K cannot guess the secret key x of S included in P because it is not possible to guess two parameters x and TR correctly at the same time in real polynomial time as T R corresponding to himself is not known to UK. Therefore the proposed protocol is secure against malicious user attack. Impersonation attack UA may attempt to impersonate U from some previously intercepted login request {h(ID), HT, CID, NU}, so as to succeed in the verification phase. For this he may acquire the current time stamp T A and computes HT* = HT TA = P TU TA, CID* = CID TA = h(h(ID) || BPW) h(P || TU) TA, NU* = NU TA. On receiving {h(ID), HT*, CID*, NU*} and after completing steps V1 and V2, S extracts T U TA = HT* P. Then in step V4, (T U TA) will fail in freshness test. Since UA does not know TU so he don’t have the option to choose T A in such a way so that TU TA pass the timestamp freshness test, nor he can extract T U from HT and CID to append some new time stamp unless he knows the correct P. Even then we suppose that somehow UA passes the timestamp freshness test, then in step V5, S computes CID * h (P || TU TA) and extracts h(h(ID) || BPW) h(P || TU) TA h (P || TU TA), in no way UA can pass step V5. This is because whatever efforts UA applies to construct CID* and NU*, all his efforts are futile without knowing P and due to the presence of bitwise NoR operator rather than bitwise XoR operator in NU. Thus, the proposed protocol is secure against impersonation attack. Stolen smart card attack Without the correct password and provided a correct fingerprint, no one could access SC in our proposed protocol. Even if UA could obtain the secret information stored in stolen SC by monitoring the power consumption 15 or by analysing the leaked information,16 without the link between the SC and the credentials {h(ID), b, PW} of the corresponding user, UA cannot forge a valid login request correctly. Furthermore, it is not possible to guess out two parameters correctly at the same time and b the fingerprint of U is an additional problem for U A. Besides SC contains only M & N 85 86 A Robust Remote User Authentication Scheme Using Smart Card but the combination M N yields nothing fruitful for UA. Therefore the proposed protocol is secure against stolen SC attack. Offline dictionary attack/guessing attack UA first tries to obtain U’s verification information {h(ID), HT, CID, N U} and then tries to guess ID, BPW, P by offline guessing. For this UA has to guess at least two parameters correctly at the same time out of T U, P, and BPW and it is not possible to guess two parameters correctly at the same time in real polynomial time. Also no combination of the values included in U’s login request proves to be helpful for U A in this guessing. Therefore, the proposed protocol is secure against offline dictionary attack/guessing attack. Denial of service (DoS) attack In this type of attack, an attacker updates password verification information on SC to some arbitrary value and hence legal user cannot login successfully in subsequent login request to the server. In the proposed protocol, SC checks the validity of ID, PW and b before password update procedure. It is not possible to guess out ID and PW correctly at the same time and the fingerprint b of U can be generated by no one other than U. On the server side there is an ADB in our proposed protocol. The server could check the legality of users by checking the field of the hash value of U’s identity in ADB. Moreover S will drop the replay message if the legal user is logged on by checking LF for user’s log-on-entry. Therefore the proposed protocol is secure against denial of service attack. DoS attack can also be mounted by UA by simply tampering and then destroying any packets of sent messages at its will. For example after sending a valid login request U may not receive an expected response from S within the expected time interval. Consequently U would believe that his login request is lost and therefore he would launch a retransmission. In our proposed protocol this retransmission will be treated as a replayed login request by UA and will be rejected by S because LF corresponding to U in ADB of S will not be empty in this case. Thus U will have to face DoS attack. Therefore we make the following assumption: Assumption 3): An attacker has only limited capability to interfere with the communication between U and S. If an attacker can tamper any packets at will, then he/she can mount a DoS attack simply by destroying these packets. This assumption and similar discussion also exists in Wang and Reiter.17 Replay Attack 86 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 87 Replaying a login request {h(ID), HT, CID, NU} of one session into another session is useless because the client’s SC uses current timestamp TU in a hidden manner as hidden timestamp HT = P TU in each new session, which makes the messages CID and NU to be dynamic and valid for small interval of time. Old messages cannot be replayed successfully in other sessions and messages replayed within short span of its generation are dropped by S on checking LF for user’s log-on-entry. Hence the proposed protocol is secure against replay attack. Leak of verifier attack/Modification of ADB attack In this type of attack, the attacker may be able to steal verification table from the server. If the attacker steals the verification table from S, he can use stolen verifiers to impersonate a participant of the authentication protocol. In the proposed protocol, S knows the secret key x and stores x TR corresponding to h(ID) of U in its ADB. U A has no technique to find out the value P because P includes x and T R separately rather than the combined form x TR. If UA performs any tampering with the ADB of S, it is detectable because the ADB is signed by the private key of S and is regularly verified by S. In addition, S routinely and frequently makes offsite backup of the ADB. If S detects any unauthorised modification within ADB, then S can restore ADB using the offsite backup, which is assumed to be well protected. Thus the proposed protocol is secure against leak of verifier attack/modification of ADB attack. Server spoofing attack In the proposed protocol, malicious server cannot compute the session key K SESS = h(P|| TU || h(h(ID) || BPW)) because the malicious server does not know the value P, TU, and h(h(ID) || BPW). In addition KSESS is different for same user in different login sessions. Hence the proposed protocol is secure against server spoofing attack. Online dictionary attack/Online guessing attack In this type of attack, the attacker pretends to be the legitimate user and attempts to login on to the server by guessing different words as password from a dictionary. In the proposed protocol, the attacker has to get the valid smart card and then has to guess U’s ID and PW correctly at the same time which is not possible in real time polynomial. Besides no one but U can generate the valid fingerprint b. Moreover, U A cannot try endlessly as SC halts, denies working further and displays a need for reregistration even if the valid user fails to insert the required information correctly a certain number of times. Therefore the proposed protocol is secure against online dictionary attack. Man in the middle attack/Parallel session attack 87 88 A Robust Remote User Authentication Scheme Using Smart Card We have seen earlier that UA cannot masquerade as U neither by replaying a valid intercepted login request {h(ID), HT, CID, N U} nor by forging a valid login request because of the following reasons. Timestamp TU is hidden inside HT. CID consists of TU. UA has no way to correctly know P and PW of U. No one other than U can generate fingerprint b of U. If LF field in ADB of S is not empty then S rejects the login request. Additionally, UA cannot compute the agreed KSESS = h(P || TU || h(h(ID) || BPW)) between U and S because UA does not know any of the values included in KSESS. Therefore the proposed protocol is secure against man in the middle attack/parallel session attack. Reflection attack Yoon and Yoo 18 demonstrated reflection attack on Liao, Lee, and Hwang’s 19 scheme by reusing U’s login messages as the response message of a fake server. In the proposed protocol only U authenticates itself to S. After successful authentication U and S agree on the common session key KSESS = h(P || TU || h(h(ID) || BPW))and afterwards S authenticates itself to U using KSESS. Therefore, there is no possibility of reflection attack in the proposed protocol. Forgery attack For the reasons given in support of the resistance to reflection attack, server cannot be impersonated by UA in our proposed protocol. And due to the points given in man-inthe-middle attack/parallel session attack, UA cannot be successful in impersonating U. Thus the proposed model resists the forgery attack. Denning-Sacco attack This attack is that an attacker tries to discover a long term private key (e.g uses password or server secret key) or other session keys by using an old session key information 20 As we have analysed our proposed protocol through various attacks (e.g. guessing attack, stolen smart card attack, etc.) mentioned above, it is apparent that Denning-Sacco attack is not applicable to it. Insider attack During the registration phase if U’s password is revealed to S, the insider of S may impersonate U to access other servers if same password is used for them. Our proposed protocol sends biometric password BPW = h(b || PW) making use of the 88 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 89 fingerprint b of U. In addition instead of sending ID of U, h(ID) is sent to S. Therefore neither password nor identity of U is revealed to S. Thus the proposed protocol is secure against insider attack. Server’s secret key(x) guessing attack To guess the secret key x of S firstly UA must know the correct value of P. But there is no way with which UA can obtain P. Only a malicious privileged user UK can extract P from his own SC. But even after knowing P it is not possible to guess the secret key x of S. Even UK who knows his identity ID, cannot guess x from P because it is not possible to guess the two values x and T R correctly at the same time in real time polynomial. Achievements Mutual authentication and session key establishment S checks the validity of U by verifying the equality of NU (sent by U to S) = h(h(ID)|| BPW) TU and NU* calculated by S). After this both U and S establish and agree upon a session key KSESS = h(P || TU || h(h(ID) || BPW)). This session key establishment is very efficient as it does not require any extra calculations or transmissions. Authentication of S to U is not a problem after the successful establishment of secret KSESS because then U and S can secretly communicate with each other at their own will, for instance S may authenticate itself to U by sending h(KSESS TU). Thus our proposed protocol provides session key establishment in a very simple way and which is also useful in accomplishing the mutual authentication. Perfect forward secrecy Suppose the long term secret key x of S is compromised by some means, UA cannot compute P = h((x || h(ID) TR) without knowing the correct ID and T R corresponding to U. Moreover UA still cannot recover the old session key KSESS = h(P || TU || h(h(ID) || BPW)) unless he knows correct values of P, T U, ID, b and PW. Efficient password authentication In the proposed protocol, the ownership check procedure runs every time when SC is inserted in to the card reader. SC drops or rejects the request if the user fails to insert the three correct values ID, b, & PW, simultaneously. Secure password change phase 89 90 A Robust Remote User Authentication Scheme Using Smart Card U can freely choose and change password at his will without the help of S. The phase could also avoid easy modification of the password of U by any unauthorised user if he obtains the SC of U by some means. No one having SC can update the password without the ID, PW, and fingerprint b corresponding to the SC. Identity protection/User anonymity Instead of using ID our proposed protocol uses the hash value of user’s identity h(ID) in transaction. Also there is no identity information about U corresponding to SC during authentication. Efficiency and practicability The SC needs only six hash operations during the login phase, verification phase and session key generation. Due to low computation cost in SC, our scheme guarantees user efficiency. Also, S uses only three hash operations, thus server efficiency is also guaranteed. These low computation costs in both, SC and S, make the scheme more efficient and practical. Besides our proposed scheme is user friendly because user can choose and change password at its will. Revocation facility The value TR is used in constructing P = h((x || h(ID)) TR), which is stored inside SC embedded within M = P BPW and N = h(h(ID) || BPW) h(P) and has key role throughout the scheme. At the SC loss/theft/when essential, S revokes the SC of U by replacing the stored TR with the current time stamp TC. Since the revoked SC contains TR, therefore SC will not pass the verification phase performed by S. However U’s account is still kept in the database, U can re-register to S to obtain a new SC involving a new registration timestamp. Easily reparable If U finds or suspects that M or N has been compromised, he can change his password or re-registers to S by submitting his identity. Upon receiving U’s registration request at TC, S updates the value of TR with the current time stamp TC in the existing entry for U and then computes MNEW = PNEW BPWNEW, NNEW = h(h(ID) || BPWNEW) h(PNEW), where PNEW = h((x || h(ID) TR = TC) and BPWNEW = h(b || PWNEW). Next S stores MNEW and NNEW in U’s new SC. From now, U can securely login S by using his new SC and PWNEW, the compromised M and N have been revoked automatically, that is UA’s login request which is derived from M and N will be rejected. Thus the proposed protocol is easily reparable. 90 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 91 Comparison In this section we compare Das, Saxena and Gulati’s scheme,21 Liao, Lee and Hwang scheme,22 Wang, Kiu, Xiao and Dan scheme 23 and our proposed scheme in terms of attacks, goals achieved and computational complexity and cost through table 1, table 2 and table 3, respectively. Assume that the identity ID, password PW, server’s secret key x values and output of secure one-way hash function are all 128-bit long. In our proposed protocol the parameters stored in SC are M and N, and the memory needed (C1) in SC is 256 bits. The communication cost of authentication (C2 = 4128) includes the capacity of transmitting message involved in the authentication scheme. The computation cost of registration (C3 = 5h(.) + 2) is the total time of all operations executed in the registration phase. The computation cost of SC in login phase and session key establishment (C4 = 6h(.) + 4 + 1 ) and S during authentication phase and session key establishment (C5 = 3h(.) + 2 + 1 ) is the time spent by U and S during the process of authentication. Table 1 and table 2 show the robustness and extra achievements of our scheme. Our scheme achieves more features which were not considered in the related schemes and are essentially required in implementing a practical and universal remote user authentication scheme using smart cards. Besides, it can be seen from table 3 that our scheme neither overheads SC nor S with high hash, yet provides secure user authentication by SC and session key establishment which are indispensable for implementing a reliable and trustworthy remote user authentication system. Table 1. Comparison of security features. Attacks & Schemes Das et al. [24] Liao et al.[14] Wang et al.[40] Our Protocol Malicious user Yes Yes Yes No Impersonation No Yes Yes No Stolen SC Yes Yes No No Offline guessing Yes Yes Yes No Denial of service No No Yes No Replay No No No No Leak of verifier No No No No Online guessing Yes Yes Yes No 91 92 A Robust Remote User Authentication Scheme Using Smart Card Man-in the middle No Yes Yes No Parallel session No Yes Yes No Reflection No Yes No No Forgery Yes Yes Yes No Insider Yes No Yes No Guessing secret key x Yes Yes Yes No Table.2. Comparison of achievements. Attacks & Schemes Das et al. [24] Liao et al.[14] Wang et al.[40] Our Protocol Mutual authentication No Yes Yes Yes KSESS establishment No No No Yes Perfect forward secrecy Yes Yes Yes Yes Efficient PW authentic. No No No Yes Secure PW changing No No No Yes Identity protection Yes Yes No Yes Revocation facility No No No Yes Easy reparability No No No Yes User chosen PW Yes Yes No Yes 92 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 93 Table.3. Comparison of communication/computational cost and complexity. Attacks & Schemes Das et al. [24] Liao et al.[14] Wang et al.[40] Our Protocol C1 256 bits 256 bits 256 bits 256 bits C2 4128 6128 6128 4128 C3 2h(.) + 1 2h(.) + 1 2h(.) + 2 5h(.) + 2 C4 4h(.) + 7 5h(.) + 10 3h(.) + 6 6h(.) + 4 + 1 C5 3h(.) + 7 4h(.) + 10 3h(.) + 8 3h(.) + 2 + 1 Sum 9h(.) + 15 11h(.)+21 8h(.) + 16 14h(.) + 8 + 2 Conclusions We propose a robust remote user authentication protocol using smart cards to resolve the problems like offline password guessing attack, denial of service attack, malicious user attack, impersonation attacks, stolen smart card attack, online guessing attacks, and forgery attacks. Our scheme also achieves features like freely choosing and securely changing passwords, mutual authentication, session key generation, identity protection/user anonymity, revocation facility, easy reparability, perfect forward secrecy. We also evaluate our scheme by comparing it with some related schemes in terms of security features, achievements and communication/computational cost and complexity. Security analysis, achievements analysis and comparison analysis proved that without adding much of communication/computational cost and complexity our proposed protocol is quite robust and practical. Notes: 1 2 Leslie Lamport, “Password Authentication with Insecure Communication,” Communication of the ACM 24(11), 1981, available at: http://tnlandforms.us/cns06/lamport.pdf. Patroklos Argyroudis, Raja Verma, Hitesh Tewari and Donal O’Mahoni, “Performance Analysis of Cryptographic Protocols on Handhled Devices,” Proceedings of the 3rd 93 94 A Robust Remote User Authentication Scheme Using Smart Card International Symposium on Network Computing and Applications, 2004, doi: 10.1109/NCA.2004.1347774; Amit Kumar Awasthi and Sunder Lal, “A Remote User Authentication Scheme Using Smart Cards with Forward Secrecy,” IEEE Transactions on Consumer Electronics 49(4), 2003, doi: 10.1109/TCE.2003.1261225. Amit Kumar Awasthi and Sunder Lal, “Security Analysis of a Dynamic I-Based Remote User Authentication Scheme,” available at http://eprint.iacr.org/ 2004/238.pdf. Mihir Bellare and Phillip Rogaway, “Entity Authentication and Key Distribution,” Advances in cryptology CRYPTO’93, 1993, available at: https://cseweb.ucsd.edu/~mihir/papers/eakd.pdf. Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User Anonymity,” Proceedings of 19th International Conference on Advanced Information Networking and Applications, 2005, doi: 10.1109/AINA.2005.54. Manik Lal Das, Ashutosh Saxena, and V.P. Gulati, “A Dynamic ID-based Remote User Authentication Scheme,” IEEE Transactions on Consumer Electronics 50(2), 2004, available at: http://arxiv.org/ftp/arxiv/papers/0712/0712.2235.pdf. Yun Ding and Patrick Horster, “Undetectable On-Line Password Guessing Attacks,” ACM SIGOPS Operating System Review 29(4), 1995, doi: 10.1145/219282.219298. Xiaoyi Duan, JianWei Liu and Qishan Zhang, “Security Improvement on Chien Et al.’s Remote User Authentication Scheme Using Smart Cards,” The 2006 IEEE International Conference on Computational Intelligence and Security (CIS 2006) 2, 2006, doi: 10.1109/ICCIAS.2006.295440. Zhengxian Gao and Yaqing Tu, “An Improvement of Dynamic ID-Based Remote User Authentication Scheme with Smart Card,” Proceedings of the 7 th World Congress on Intelligent Control and Automation, 2008, doi: 10.1109/WCICA.2008.4593658. Li Gong, “A Security Risk of Depending on Synchronized Clocks,” ACM SIGOPS Operating Systems Review 26(1), 1992, available at: http://citeseer.ist.psu.edu/viewdoc/download;jsessionid=0BFA313DF3219A69454B0A8E8 26BDA75?doi=10.1.1.54.7643&rep=rep1&type=pdf. Han-Cheng Hsiang and Wei-Kuan Shih, “Weaknesses and Improvements of the Yoon-RyuYoo Remote User Authentication Scheme Using Smart Cards,” Computer Communications 32(4), doi:10.1016/j.comcom.2008.11.019. Tzonelih Hwang, Yihwa Chen and Chi Sung Laih, “Non-Interactive Password Authentication without Password Tables,” IEEE 10th Regional Conference on Computer and Communication Systems, 1990, doi: 10.1109/TENCON.1990.152647. Min-Shiang Hwang and Li-Hua Li, “A New Remote User Authentication Scheme Using Smart Cards,” IEEE Transactions on Consumer Electronics 46(1), 2000, doi: 10.1109/30.826377. Paul Kocher, Joshua Jaffe and Bejamin Jun, “Differential Power Analysis,” Proceedings of Advances in Cryptology: CRYPTO’99, 1999, available at: http://www.cryptography.com/public/pdf/DPA.pdf. Wei-Chi Ku and Shen-Tien Chang, “Impersonation Attack on a Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards,” IEICE Transactions on communications E88-B(5), 2005, available at: http://ci.nii.ac.jp/ naid/110003222893/en. Cheng-Chi Lee, Min-Shiang Hwang and Wei-Peng Yang, “A Flexible Remote User Authentication Scheme with Smart Cards,” ACM Operating System Review 36(3), 2002: 4652. 94 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 95 I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic IDBased Remote User Authentication Scheme,” Proceedings of International Conference on Next Generation Web Services Practices, 2005, doi: 10.1109/NWESP.2005.67. Nai Wei Lo and Kuo-Hui Yeh, “Cryptanalysis of Two Three-Party Encrypted Key Exchange Protocols,” Computer Standards & Interfaces 31(6), 2009, doi: doi:10.1016/j.csi.2009.03.002. Thomas Messerges, Ezzat Dabbish and Robert Sloan, “Examining Smart-Card Security Under the Threat of Power Analysis Attacks,” IEEE Transactions on Computers 51(5), 2002, doi: 10.1109/TC.2002.1004593. Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme,” Computer Communication 32(4), 2009, doi:10.1016/j.comcom.2008.11.008. Kuo-Hui Yeh, Nai Wei Lo and Enrico Winata, “Cryptanalysis of an Efficient Remote User Authentication Scheme with Smart Cards,” International Journal of Innovative Computing, Information and Control 6(6), 2010, available at: http://www.ijicic.org/08-1246-1.pdf. Eun-Jun Yoon, Eun-Kung Ryu and Kee-Young Yoo, “Further Improvement of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards,” IEEE Transactions on Consumer Electronics 50(2), 2004, doi: 10.1109/TCE.2004.1309437. Xin Zhang, Quan Yuan Feng and Miao Li, “A Modified Dynamic ID-Based Remote User Authentication Scheme,” Proceedings of International Conference on Communications, Circuits and Systems, 2006, doi: 10.1109/ICCCAS.2006.284979. 3 Manik Lal Das, Ashutosh Saxena, and Ved Gulati, “A Dynamic ID-Based Remote User Authentication Scheme,” IEEE Transactions on Consumer Electronics 50(2), 2004, available at: http://arxiv.org/ftp/arxiv/papers/0712/0712.2235.pdf. 4 Amit Kumar Awasthi, “Comment on a dynamic ID-based remote user authentication scheme,” Transaction on Cryptology 1(2), 2004, available at: http://www.researchgate.net/publication/1957471_Comment_on_A_dynamic_IDbased_Remote_User_Authentication_Scheme. Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual Authentication Scheme,” Proccedings of “On the Move to Meaningful Internet Systems 2006,” OTM 2006 Workshops, 2006, doi: 10.1007/11915034_73. Hsi-Chang Shih, “Cryptanalysis on Two Password Authentication Schemes,” Master's Thesis, Laboratory of Cryptography and Information Security, National Central University, Taiwan, 2008. Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User Anonymity.” I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic IDBased Remote User Authentication Scheme.” Wei-Chi Ku and Shen-Tien Chang, “Impersonation Attack on a Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards.” Y. P. Liou, Jay Lin and Shuenn-Shyang Wang, “A New Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards,” Proceedings of the 16th Information Security Conference, 2006: 198-205. 5 Hung-Yu Chien and Che-Hao Chen, “A Remote Authentication Scheme Preserving User Anonymity.” 95 96 A Robust Remote User Authentication Scheme Using Smart Card I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic ID-Based Remote User Authentication Scheme.” 7 Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual Authentication Scheme.” 8 Qi Xie, Ji-Lin Wang, De-Ren Chen and Xiu-Yuan Yu, “A novel user authentication scheme using smart cards,” Proceedings of the 2008 International Conference on Computer Science and Software Engineering 3, 2008, doi: 10.1109/CSSE.2008.1043. 9 Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme.” 10 Muhammad Khurram Khan, Soo-Kyun Kim, and Khaled Alghathbar, “Cryptanalysis and Security Enhancement of a “More Efficient & Secure Dynamic ID-Based Remote User Authentication Scheme,” Computer Communications 34(3), 2011, doi: 10.1016/j.comcom.2010.02.011. 11 Kuo-Hui Yeh, Chunhua Su, Nai Wei Lo, Yingjiu Li, and Yi-Xiang Hung, “Two Robust Remote User Authentication Protocols Using Smart Cards,” The Journal of Systems and Software 83(12), 2010, doi:10.1016/j.jss.2010.07.062. 12 Patroklos Argyroudis, Raja Verma, Hitesh Tewari and Donal O’Mahoni, “Performance Analysis of Cryptographic Protocols on Handhled Devices.” Ralph C. Merkle, “One Way Hash Function and DES,” Advances in Cryptology: Proceedings of CRYPTO 89, 435, 1989, 428-446. Martin Passing and Falko Dressler, “Experimental Performance Evaluation of Cryptographic Algorithms on Sensor Nodes,” Proceedings of the 3rd International Conference on Mobile Adhoc and Sensor Systems, 2006, doi: 10.1109/MOBHOC.2006.278669. 13 Eun-Jun Yoon, Ein-Jung Lee, and Kee-Young Yoo, “Cryptanalysis of Wang et al.’s Remote User Authentication Scheme Using Smart Cards,” Proceedings of 5th International Conference on Information Technology: New Generations, 2008, doi: 10.1109/ITNG.2008.100. 14 Dorothy E. Denning and Giovanni Maria Sacco, “Timestamps in Key Distribution System,” Communications of the ACM 24(8), 1981, doi: 10.1145/358722.358740. 15 Paul Kocher, Joshua Jaffe and Bejamin Jun, “Differential Power Analysis.” 16 Thomas Messerges, Ezzat Dabbish and Robert Sloan, “Examining Smart-Card Security Under the Threat of Power Analysis Attacks.” 17 Xiaofeng Wang and Michael K. Reiter, “Defending Against Denial-of-Service Attacks with Puzzle Auctions,” Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003, doi: 10.1109/SECPRI.2003.1199329. 18 Eun-Jun Yoon and Kee Young Yoo, “Improving the Dynamic ID-Based Remote Mutual Authentication Scheme.” 19 I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic ID-Based Remote User Authentication Scheme.” 20 Dorothy E. Denning and Giovanni Maria Sacco, “Timestamps in Key Distribution System.” 21 Manik Lal Das, Ashutosh Saxena, and V.P. Gulati, “A Dynamic ID-based Remote User Authentication Scheme.” 22 I-En Liao, Cheng-Chi Lee and Min-Shiang Hwang, “Security Enhancement for a Dynamic ID-Based Remote User Authentication Scheme.” 6 96 Manoj Kumar, Mridul Kumar Gupta and Saru Kumari 23 97 Yan-Yan Wang, Jia-Yong Liu, Feng-Xia Xiao and Jing Dan, “A More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme.” MANOJ KUMAR is an Assistant Professor at the Department of Mathematics, Rashtriya Kishan Post Graduate College Shamli, Muzaffarnagar, Chaudhary Charan Singh University in Meerut, India. He is a member of the Indian Mathematical Society, the Indian Society of Mathematics and Mathematical Science, the Ramanujan Mathematical Society, and the Cryptography Research Society of India. He is working as a reviewer for various international peer review journals: Journal of System and Software, Journal of Computer Security, International Journal of Network Security, The Computer Networks, Computer and Security, The Computer Journal and Applied Mathematics Journal of Chinese University etc. Manoj Kuma is also working as a Technical Editor for some international peer review journals – Asian Journal of Mathematics & Statistics, Asian Journal of Algebra, Trends in Applied Sciences Research, Journal of Applied Sciences. He is member of the technical programme committee of various national and international conferences. He has published his research works at national and international level. His current research interests include Cryptography and Applied Mathematics. MRIDUL KUMAR GUPTA received his Ph.D in Mathematics in 1998 from Agra University, India. Currently he is a professor & Head of the Mathematics Department at the Institute of Advanced Studies, Chaudhary Charan Singh University in Meerut, India. He is also Dean of the Faculty of Engineering & Technology of the same university. He worked as recorder of the Section of Information and Communication Science & Technology for the years 2004-2005 and 2005-2006 of the Indian Science Congress Association. He has 25 years of teaching experience. He is life member of the Indian Mathematical Society, the Indian Science Congress Association, the Ramanujan Mathematical Society and the Bharata Ganita Parisad, India. His more than 35 research papers are published in international journals. His research interests include general topology, approximation theory and cryptography. SARU KUMARI received her M.Sc, M.Phil degrees in mathematics from the Institute of Advanced Studies, Chaudhary Charan Singh University in Meerut, India in 2000, and 2005 respectively. Currently she is an Assistant Professor at the Department of Mathematics, Agra College Agra, India. She is also pursuing her Ph.D Degree in mathematics from the Institute of Advanced Studies, Chaudhary Charan Singh University. Saru Kumari served as an Assistant Professor at the Department of Mathematics, Vijay Singh Pathik Government P.G. College and the Government Polytechnic in India. She is life member of the Indian Mathematical Society and the Indian Science Congress Association. Her research interests include cryptography, information security, and applied mathematics. 97