JOURNAL OF SOFTWARE, VOL. 8, NO. 4, APRIL 2013


Improving the Password-Based Authentication against Smart Card Security Breach

Jing Shen
South China Institute of Software Engineering, Guangzhou 510990, P.R.China
Email: [email protected]

Yusong Du
School of Information Management, Sun Yat-sen University, Guangzhou 510006, P.R.China
Key Lab of Network Security and Cryptology, Fujian Normal University, Fuzhou 350007, P.R.China
Email: [email protected]

Abstract—Password-based authentication with smart cards is widely needed between login users and a remote server. Smart card security breach threatens the security of password-based authentication schemes with smart cards. A password-based authentication scheme with smart cards against smart card security breach was proposed by C.T. Li et al. recently. However, we note that Li et al.'s scheme needs a verification table in the remote server, and a verification table should not be part of a good password-based authentication scheme. In this paper, based on hash functions, we propose a secure password-based authentication scheme that resists smart card security breach and does not maintain a verification table, which improves the security of Li et al.'s scheme.

Index Terms—cryptology, password-based authentication, smart card, hash function

I. INTRODUCTION

With the development of computer network technologies, more and more users need to access remote resources. Various resources are shared across the network in the form of network services provided by remote servers. Registered users (clients) request services through the network system. However, an eavesdropper may impersonate a legal user to log in to the server and access the service over the public network. Therefore remote user authentication plays an important role in protecting resources against unauthorized usage. It is a procedure that allows a server to authenticate a remote user through an insecure channel [1]. The password-based authentication scheme is the most commonly used technique to provide authentication between legal users and the remote server [2-11]. A password-based authentication scheme with smart cards can provide more secure authentication [12-15]: a legal user can log in to the remote server only if he/she knows the password and holds the smart card used for authentication. It is therefore interesting to design a password-based authentication scheme with smart cards for remote user authentication.

Corresponding author: Jing Shen.

© 2013 ACADEMY PUBLISHER doi:10.4304/jsw.8.4.979-986

An important security problem with smart cards is that a smart card security breach threatens the security of password-based authentication schemes using them. The secret information stored in a smart card may be extracted by physical methods such as timing analysis [16], power analysis [17], electronic magnetic analysis [18], and fault induction analysis [19]. If a legal user's smart card is lost and picked up by a malicious attacker, or an attacker steals the user's smart card, the user's sensitive data may be extracted by the attacker. Smart card security breach has sometimes been neglected when designing a password authentication scheme. K. Shim showed in [20] that three password authentication schemes with smart cards, proposed by S.K. Kim et al. [12], H.C. Hsiang et al. [13] and Y.Y. Wang et al. [14] in 2009 respectively, cannot resist smart card security breach attacks. In 2011 C.T. Li et al. also noted that smart card security breach was not considered in S.K. Kim et al.'s scheme, and they proposed an authentication scheme against smart card security breach to replace it [15]. However, we note that C.T. Li et al.'s scheme needs a verification table in the remote server. A verification table should not be involved in a good password authentication scheme with smart cards, since verification tables cause potential security threats such as stolen-verifier attacks and insider attacks. C.T. Li et al.'s scheme solves the problem of smart card security breach attacks only by maintaining a verification table in the remote server, so it cannot be considered a good password authentication scheme using smart cards.

In this paper, based on secure hash functions, we propose a new password-based authentication scheme using smart cards. The proposed scheme improves the security of C.T. Li et al.'s scheme, i.e., it resists smart card security breach attacks and does not need a verification table. We also show that the proposed scheme satisfies all the main security requirements for remote user authentication.

The rest of the paper is organized as follows. Section 2 gives some notations used in this paper. Section 3 recalls S.K. Kim et al.'s scheme and C.T. Li et al.'s scheme.


Section 4 describes our scheme. The security analysis of our scheme is presented in Section 5, and Section 6 concludes the paper.

II. PRELIMINARIES

User authentication schemes can be classified into two categories: hash-function-based and encryption-based. Hash-function-based schemes have low computational cost and are easier to implement, while encryption-based schemes using symmetric or public-key encryption algorithms have high computational cost, though they can provide more security features including remote user authentication.

For the sake of self-containedness we briefly recall secure hash functions. In cryptography a hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, called the hash value, such that an (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded is often called the "message," and the hash value is sometimes called the (message) digest [21]. Let H(·) be a hash function. For a message m its hash value is denoted by y = H(m). A secure cryptographic hash function has four main properties.

(1) It is easy to compute the hash value for any given message, i.e., given m it is easy to compute y = H(m).
(2) It is infeasible to generate a message that has a given hash value (preimage resistance), i.e., given y it is infeasible to find m such that y = H(m).
(3) It is infeasible to modify a message without changing the hash value (second-preimage resistance), i.e., given m it is infeasible to find m′ such that m ≠ m′ and H(m) = H(m′).
(4) It is infeasible to find two different messages with the same hash value (collision resistance), i.e., it is infeasible to find a pair of messages (m, m′) such that m ≠ m′ and H(m) = H(m′).

For the convenience of description, the notations used in the paper are summarized as follows:
• Ui: the login user.
• IDi: the identity of Ui.
• PWi: the password of Ui.
• SCi: the smart card of Ui.
• x: the master secret key, kept secret and known only to the remote server.
• A secure channel.
• A public (insecure) channel.
• ⊕: the bitwise XOR operation.

We deal with hash-function-based authentication schemes with smart cards. All the authentication schemes mentioned in this paper are hash-function-based, and their security rests on that of secure hash functions.

III. PREVIOUS WORK


In this section, we recall S.K. Kim et al.'s and C.T. Li et al.'s schemes. We point out that C.T. Li et al.'s scheme needs to maintain a verification table in the remote server.

A. Kim et al.'s Scheme and Its Security Flaws

The following five steps are the registration phase and the login phase of Kim et al.'s scheme. For the full description of the scheme the reader is referred to [12].
1. Ui chooses his/her identity IDi and password PWi, submits {IDi, PWi} to the remote server over a secure channel, and remembers PWi.
2. Upon receiving Ui's registration request, the server finishes the following steps.
   a. Generate a unique b as the private key of Ui.
   b. Compute K1 = H(IDi ⊕ x) ⊕ b, K2 = H(IDi ⊕ x ⊕ b) ⊕ H(PWi ⊕ H(PWi)) and R = K1 ⊕ H(PWi).
   c. Store {K1, K2, R} into SCi and release SCi to Ui over a secure channel.
3. Ui enters IDi and PWi, and smart card SCi computes C1 = R ⊕ H(PWi) and checks whether C1 is equal to K1.
4. If it does not hold, SCi terminates Ui's login request; otherwise SCi computes C1′ = K2 ⊕ H(PWi ⊕ H(PWi)) and C2 = H(C1′ ⊕ TUi), where TUi is the current timestamp.
5. SCi submits {IDi, TUi, C1, C2} to the server for the login.

Kim et al.'s scheme cannot resist smart card security breach attacks. If a user's smart card is lost and picked up by an attacker, or an attacker steals the user's smart card, the secrets stored in the smart card may be extracted by physical methods; the attacker can then guess the user's password off-line and impersonate a legitimate user. The security flaw appears in the registration phase of Kim et al.'s scheme. The attacker can extract the secrets K1 = H(IDi ⊕ x) ⊕ b and R = K1 ⊕ H(PWi), together with the secure hash function H(·) used in the scheme, all of which are stored in the smart card. Then, with K1 and R, the attacker guesses the user's password off-line by performing the following three steps.
1. Select a guessed password PWi*.
2. Compute K1′ = R ⊕ H(PWi*).
3. Compare K1 and K1′.

A match in Step 3 indicates a correct guess of the user's password PWi. Since the password PWi is usually kept in the user's mind, it is possible in the off-line case for the attacker to guess the password correctly because of its low entropy. Thus Kim et al.'s scheme is vulnerable to off-line password guessing attacks. It is clear that once the attacker has correctly derived the user's password PWi, he/she can use the information stored on the stolen or lost smart card to forge a valid login request and impersonate a legal user.

B. Li et al.'s Scheme

After noting the security flaw of smart card security breach in Kim et al.'s scheme, C.T. Li et al. described an authentication scheme which removes this flaw. We will not give a full description of Li et al.'s scheme; the reader is referred to [15]. Here we only point out that Li et al.'s scheme needs a verification table in the remote server.

In the registration phase of Li et al.'s scheme, Ui chooses his/her identity IDi and password PWi, and generates a random number RN1. Then Ui computes H(H(PWi ⊕ RN1)), submits IDi and H(H(PWi ⊕ RN1)) to the server over a secure channel, and remembers PWi. Upon receiving Ui's registration request, the server maintains an account table (AT) for the registration service, whose format is shown as follows.

IDi | N = 0 | H(H(PWi ⊕ RN1))

The 2nd field of AT records N = 0 if it is Ui's initial registration; otherwise the server sets N = N + 1 in the existing field for Ui. Finally the server computes C1 = H(IDi x N) ⊕ H(H(PWi ⊕ RN1)) and stores {IDi, C1, H(·)} into smart card SCi. The parameters in the verification table will be used in the verification phase, and H(H(PWi ⊕ RN1)) will be changed into H(H(PWi ⊕ RN2)) after a legal login of Ui, where RN2 is a new random number generated by Ui for the login request. In the password update phase the verification table is also involved.

Suppose that Ui's smart card is lost and picked up by an attacker, or an attacker steals Ui's smart card. The secrets stored in the smart card may be extracted, i.e., {IDi, C1, H(·)} are obtained by the attacker. However, the attacker is still unable to derive Ui's password PWi from {IDi, C1, H(·)}. The attacker has to guess x, RN1 and PWi at the same time, and faces the problem of finding a preimage of a secure hash function, which is intractable. Li et al.'s scheme can therefore resist smart card security breach attacks. It solves the problem of smart card security breach attacks by maintaining a verification table in the remote server. However, it is well known that a verification table should not be involved in a good password authentication scheme with smart cards. Li et al.'s scheme cannot work without the verification table. Their scheme cannot be considered a good password-based authentication scheme using smart cards.

IV. THE PROPOSED SCHEME

In this section, we describe a password-based authentication scheme which solves the security flaws related to smart card security breach and verification tables mentioned above. There are four phases in our scheme: registration, login-verification, session key agreement and password update.

A. Registration Phase

Figure 1. Registration Phase (messages exchanged: IDi; IDi, r, E, D; PWi; the card finally keeps IDi, r, E, D̄, s).

1. Ui chooses his/her identity IDi and submits the registration request to the server over a secure channel.
2. Upon receiving Ui's registration request, the server finishes the following steps.
   a. Generate a random number r and a random number b.
   b. Compute E = H(IDi ⊕ x ⊕ r) ⊕ b and D = H(IDi ⊕ x ⊕ b).
   c. Store IDi, r, E, D into smart card SCi.
   d. Release SCi to Ui over a secure channel.
3. After receiving the smart card, Ui chooses and remembers his/her password PWi, then enters the password into the smart card.
4. The smart card chooses a random number s, then computes D̄ = D ⊕ H(H(PWi) ⊕ s) and keeps D̄ instead of D.
5. The smart card keeps {IDi, r, E, D̄, s}, and disposes of D and PWi securely.

After the registration phase Ui needs to keep smart card SCi and password PWi safely. The remote server only keeps its master key x and does not need to know any information about Ui. All the login information of Ui is stored in SCi. Unlike Kim et al.'s scheme and Li et al.'s scheme, in the proposed scheme the user does not submit the password PWi directly to the server. Instead the user enters PWi after receiving the smart card. This is a necessary feature in order to guarantee the privacy of passwords.

B. Login and Verification Phase

1. User Ui enters PWi into smart card SCi.
2. With PWi smart card SCi takes the current timestamp TUi and computes M1 = H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ E) ⊕ TUi).
3. Then SCi submits {IDi, r, E, M1, TUi} to the server.
4. Upon receiving the login request, the server finishes the following steps.
   a. Verify the validity of TUi. If it is invalid, reject Ui's login request.
   b. Derive b from b = E ⊕ H(IDi ⊕ x ⊕ r).
   c. Check if H(H(H(IDi ⊕ x ⊕ b) ⊕ E) ⊕ TUi) is equal to the received M1.
   d. If it does not hold, terminate the communication. If it holds, authenticate Ui.
   e. Choose a new random number r_new and a new random number b_new.
   f. Take the current timestamp TS and compute E_new = H(IDi ⊕ x ⊕ r_new) ⊕ b_new, D_new = H(H(IDi ⊕ x ⊕ b) ⊕ r_new) ⊕ H(IDi ⊕ x ⊕ b_new), M2 = H(H(H(IDi ⊕ x ⊕ b) ⊕ E_new) ⊕ TS), and M3 = H(H(H(IDi ⊕ x ⊕ b) ⊕ D_new) ⊕ TS).
   g. Send {r_new, E_new, D_new, M2, M3, TS} to SCi.
5. Upon receiving the message from the server, SCi finishes the following steps.
   a. Verify the validity of TS. If it is invalid, terminate the communication.
   b. Check if H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ E_new) ⊕ TS) is equal to the received M2. If it does not hold, terminate the communication.
   c. Check if H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ D_new) ⊕ TS) is equal to the received M3. If it does not hold, terminate the communication.
   d. If both of them hold, authenticate the server.
   e. Choose a new random number s_new instead of s and compute D̄_new = H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ r_new) ⊕ D_new ⊕ H(H(PWi) ⊕ s_new).
   f. Change E, D̄, r and s into E_new, D̄_new, r_new and s_new respectively.

Figure 2. Login and Verification Phase (messages exchanged: PWi; IDi, r, E, M1, TUi; r_new, E_new, D_new, M2, M3, TS).

Note that smart card SCi is not able to verify the validity of password PWi directly. The validity of password PWi is verified by the remote server. It is easy to see that D̄ ⊕ H(H(PWi) ⊕ s) = H(IDi ⊕ x ⊕ b). SCi computes D̄ ⊕ H(H(PWi) ⊕ s) with the PWi entered by Ui, while the server computes H(IDi ⊕ x ⊕ b) with b derived from b = E ⊕ H(IDi ⊕ x ⊕ r). The server authenticates Ui essentially on the basis of the information stored in smart card SCi and the password PWi. Smart card SCi authenticates the server essentially on the basis of the master key x. The verification information stored in smart card SCi, IDi, r, E, M1, TUi, used in the current run of the protocol will be changed for the next run of the protocol.

C. Session Key Agreement Phase

The session key agreement phase is based on a legal login and the Diffie-Hellman key exchange mechanism. Suppose that the server and the smart cards share a cyclic group G of large enough order l with generator g ∈ G.
1. After authenticating Ui the server chooses a random number α with 1 ≤ α ≤ l − 1 and sends K = H(H(IDi ⊕ x ⊕ b_new) ⊕ r_new) ⊕ g^α to the smart card.
2. Upon receiving the message from the server, the smart card derives g^α from g^α = H(D̄_new ⊕ H(H(PWi) ⊕ s_new) ⊕ r_new) ⊕ K.
3. Then the smart card chooses a random number β with 1 ≤ β ≤ l − 1 and sends K′ = H(D̄_new ⊕ H(H(PWi) ⊕ s_new) ⊕ r_new) ⊕ g^β to the server. The smart card uses g^αβ as the session key.
4. Upon receiving the message from the smart card, the server derives g^β similarly and uses g^αβ as the session key.
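To make the registration and login/verification phases above concrete, here is an added worked example (not the authors' code) that runs both sides of the protocol in Python. It assumes H is SHA-256, every XOR operand is a 32-byte string (identities are zero-padded), timestamps are integers checked against a fixed freshness window, and D̄ stands for the masked value the card keeps instead of D.

```python
import hashlib
import secrets

L = 32       # byte length of every XOR operand (assumption; the paper fixes no size)
WINDOW = 60  # accepted timestamp skew in seconds (assumption)


def H(m: bytes) -> bytes:
    """The scheme's hash function H(.), instantiated here with SHA-256."""
    return hashlib.sha256(m).digest()


def xor(*parts: bytes) -> bytes:
    """Bitwise XOR of equally long byte strings (the paper's ⊕)."""
    out = bytes(L)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def ts(t: int) -> bytes:
    return t.to_bytes(L, "big")  # integer timestamp as an L-byte XOR operand


class Server:
    """Keeps only the master key x; there is no per-user verification table."""

    def __init__(self) -> None:
        self.x = secrets.token_bytes(L)

    def register(self, ID: bytes):
        # Registration step 2: E = H(ID ⊕ x ⊕ r) ⊕ b and D = H(ID ⊕ x ⊕ b).
        r, b = secrets.token_bytes(L), secrets.token_bytes(L)
        E = xor(H(xor(ID, self.x, r)), b)
        D = H(xor(ID, self.x, b))
        return ID, r, E, D  # written to the card; the server stores nothing

    def verify_login(self, ID, r, E, M1, TU: int, now: int):
        if abs(now - TU) > WINDOW:                  # step 4a: timestamp validity
            return None
        b = xor(E, H(xor(ID, self.x, r)))           # step 4b: recover b from E
        V = H(xor(ID, self.x, b))                   # equals the card's D̄ ⊕ H(H(PW) ⊕ s)
        if H(xor(H(xor(V, E)), ts(TU))) != M1:      # steps 4c-4d: check M1
            return None
        # Steps 4e-4g: fresh r_new, b_new and the values that re-key the card.
        r_new, b_new = secrets.token_bytes(L), secrets.token_bytes(L)
        E_new = xor(H(xor(ID, self.x, r_new)), b_new)
        D_new = xor(H(xor(V, r_new)), H(xor(ID, self.x, b_new)))
        M2 = H(xor(H(xor(V, E_new)), ts(now)))
        M3 = H(xor(H(xor(V, D_new)), ts(now)))
        return r_new, E_new, D_new, M2, M3, now


class SmartCard:
    def __init__(self, ID, r, E, D, PW: bytes) -> None:
        # Registration steps 3-5: pick s, keep D̄ = D ⊕ H(H(PW) ⊕ s), drop D and PW.
        self.ID, self.r, self.E = ID, r, E
        self.s = secrets.token_bytes(L)
        self.D_bar = xor(D, H(xor(H(PW), self.s)))

    def unmask(self, PW: bytes) -> bytes:
        """D̄ ⊕ H(H(PW) ⊕ s): equals H(ID ⊕ x ⊕ b) exactly when PW is right."""
        return xor(self.D_bar, H(xor(H(PW), self.s)))

    def login_request(self, PW: bytes, TU: int):
        # Step 2: M1 = H(H(D̄ ⊕ H(H(PW) ⊕ s) ⊕ E) ⊕ TU); the card cannot test PW itself.
        M1 = H(xor(H(xor(self.unmask(PW), self.E)), ts(TU)))
        return self.ID, self.r, self.E, M1, TU

    def finish_login(self, PW: bytes, reply, now: int) -> bool:
        r_new, E_new, D_new, M2, M3, TS = reply
        if abs(now - TS) > WINDOW:                           # step 5a
            return False
        V = self.unmask(PW)
        if H(xor(H(xor(V, E_new)), ts(TS))) != M2:           # step 5b
            return False
        if H(xor(H(xor(V, D_new)), ts(TS))) != M3:           # step 5c
            return False
        # Steps 5e-5f: D̄_new = H(D̄ ⊕ H(H(PW) ⊕ s) ⊕ r_new) ⊕ D_new ⊕ H(H(PW) ⊕ s_new).
        s_new = secrets.token_bytes(L)
        self.D_bar = xor(H(xor(V, r_new)), D_new, H(xor(H(PW), s_new)))
        self.r, self.E, self.s = r_new, E_new, s_new
        return True


def run_login(server: Server, card: SmartCard, PW: bytes, now: int):
    """One login/verification run; returns (server accepted, card accepted)."""
    reply = server.verify_login(*card.login_request(PW, now), now)
    if reply is None:
        return False, False
    return True, card.finish_login(PW, reply, now)


def card_server_consistent(server: Server, card: SmartCard, PW: bytes) -> bool:
    """The identity the scheme rests on: D̄ ⊕ H(H(PW) ⊕ s) == H(ID ⊕ x ⊕ b)."""
    b = xor(card.E, H(xor(card.ID, server.x, card.r)))
    return card.unmask(PW) == H(xor(card.ID, server.x, b))
```

A run looks like `srv = Server(); sc = SmartCard(*srv.register(b"alice".ljust(L, b"\0")), PW=b"correct horse"); run_login(srv, sc, b"correct horse", now)`, which returns (True, True) and leaves the card with fresh r, E, D̄ and s, so a captured {IDi, r, E, M1, TUi} is useless for the next run. A wrong password is detected only by the server (it returns None), which is the property that blocks off-line guessing against a stolen card.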


Figure 3. Session Key Agreement (messages exchanged: H(H(IDi ⊕ x ⊕ b_new) ⊕ r_new) ⊕ g^α; H(D̄_new ⊕ H(H(PWi) ⊕ s_new) ⊕ r_new) ⊕ g^β; encrypted communication using session key g^αβ).

In the session key agreement phase, the smart card can derive g^α from K and the server can derive g^β from K′, since D̄_new ⊕ H(H(PWi) ⊕ s_new) = H(IDi ⊕ x ⊕ b_new).

D. Password Update Phase

The password update phase includes a legal login and verification phase.
1. Ui enters the old password PWi and the new password PWi_new into SCi.
2. According to password PWi, smart card SCi chooses s_new and computes C = H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ r) ⊕ H(H(PWi_new) ⊕ s_new), M0 = H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ C) ⊕ TUi), and M1 = H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ E) ⊕ TUi), where TUi is the current timestamp.
3. Then SCi sends {IDi, r, E, C, M0, M1, TUi} to the server.
4. Upon receiving the update request, the server finishes the following steps.
   a. Derive b from b = E ⊕ H(IDi ⊕ x ⊕ r).
   b. Check if H(H(H(IDi ⊕ x ⊕ b) ⊕ C) ⊕ TUi) is equal to the received M0. If it does not hold, terminate the communication.
   c. Check if H(H(H(IDi ⊕ x ⊕ b) ⊕ E) ⊕ TUi) is equal to the received M1. If it does not hold, terminate the communication.
   d. Derive H(H(PWi_new) ⊕ s_new) from C ⊕ H(H(IDi ⊕ x ⊕ b) ⊕ r).
   e. Choose r_new and b_new, and compute D_new = H(H(IDi ⊕ x ⊕ b) ⊕ r_new) ⊕ H(H(PWi_new) ⊕ s_new) ⊕ H(IDi ⊕ x ⊕ b_new).
   f. Compute E_new, M2 and M3 as in the verification phase, i.e., E_new = H(IDi ⊕ x ⊕ r_new) ⊕ b_new, M2 = H(H(H(IDi ⊕ x ⊕ b) ⊕ E_new) ⊕ TS), and M3 = H(H(H(IDi ⊕ x ⊕ b) ⊕ D_new) ⊕ TS).
   g. Send {r_new, D_new, E_new, M2, M3, TS} to SCi.
5. Upon receiving the message from the server, SCi finishes the following steps.
   a. Authenticate the server via M2 and M3, i.e., check if H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ E_new) ⊕ TS) is equal to the received M2 and check if H(H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ D_new) ⊕ TS) is equal to the received M3. If one of them does not hold, terminate the communication.
   b. Compute D̄_new = H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ r_new) ⊕ D_new.
   c. Change E, D̄, r and s into E_new, D̄_new, r_new and s_new respectively.

Figure 4. Password Update Phase (messages exchanged: PWi, PWi_new; IDi, r, E, C, M0, M1, TUi; r_new, E_new, D_new, M2, M3, TS).

Unlike the login and verification phase, Ui needs to choose a new password PWi_new and enter it into the smart card. Smart card SCi chooses s_new before authenticating the server and generates the verification information C for the new password PWi_new and the verification information M0 for C. Upon receiving the update request, the server generates D_new, which carries the information of the new password, after it succeeds in authenticating Ui by checking M1.

V. SECURITY ANALYSIS OF THE PROPOSED SCHEME

In this section, we analyze the security of the proposed scheme. We show that the proposed scheme satisfies all the main security requirements for remote user authentication. It has been concluded that a good password authentication scheme with smart cards should satisfy the following requirements [2, 21].
1. users can freely choose and update passwords;
2. low computational cost;
3. session key agreement;
4. mutual authentication between login users and remote servers;
5. prevention of all the possible attacks such as impersonation attacks, off-line password guessing attacks, replay attacks and parallel-session attacks;
6. resistance to password disclosure to the server, i.e., privacy of passwords;
7. forward security of session keys;
8. no verification table to maintain;
9. prevention of smart card security breach attacks.
We point out that the proposed scheme satisfies all 9 requirements above.

The password PWi is freely chosen by Ui in the registration phase, and Ui can update it in the password update phase. The proposed scheme includes a session key agreement phase that generates a secure session key. The proposed scheme has low computational cost since, apart from the session key agreement phase, it is based only on hash function operations.

Impersonation attacks cannot work in the proposed scheme without Ui's smart card SCi. Even if the attacker steals Ui's smart card, he/she cannot impersonate Ui to log in to the server since he/she does not know Ui's password PWi. Off-line password guessing is also impossible. The login and verification phase is completed by the server after the smart card submits the login request and the verification information. The smart card is not able to verify the validity of the password directly; the validity of the password can be verified only by the remote server. Without the remote server, smart cards are not able to determine whether a guessed password is valid.

The attacker cannot deceive the server by replay attacks. The verification information {IDi, r, E, M1, TUi} or the password update information {IDi, r, E, C, M0, M1, TUi} used in a previous run of the protocol is useless in a coming run of the protocol. Without smart card SCi and password PWi the attacker cannot derive the new information for a coming run of the protocol from the old information used in a previous run.

The proposed scheme achieves mutual authentication between login users and remote servers. The server authenticates the user by checking M1 while the user authenticates the server by checking M2. Mutual authentication between login users and remote servers is the countermeasure against man-in-the-middle attacks.


Parallel-session attacks cannot work in the scheme. A set of verification information {IDi, E, M1, r, TUi} in the current run of the protocol uniquely corresponds to the user IDi and is useless for other users. The attacker cannot derive any useful information that can be used in another run of the protocol. Suppose that the attacker has IDi′ with IDi′ ≠ IDi and wants to derive the verification information of IDi′ from that of IDi, i.e., {IDi, E, M1, r, TUi}. The attacker faces the problem of finding an integer r′ with r′ ≠ r such that H(IDi′ ⊕ x ⊕ r′) = H(IDi ⊕ x ⊕ r), which is infeasible because of the collision resistance of the hash function H(·).

The user does not submit the password PWi directly to the server. The server cannot derive Ui's password PWi from the information sent by Ui's smart card. The verification information {IDi, E, M1, r, TUi} from the smart card does not include any password information. In the password update phase the server can derive H(H(PWi_new) ⊕ s_new) from C, but it is still very hard for the server to guess PWi_new since the server does not know s_new.

We say that session keys satisfy forward security in the scheme if the attacker cannot get any session key established earlier than the time point at which the master key x of the server was lost. The Diffie-Hellman key exchange mechanism guarantees the forward security of session keys. The attacker cannot compute g^αβ because of the intractability of the Diffie-Hellman problem, even if the master key x of the server is lost and g^α and g^β are derived. Moreover, the Diffie-Hellman key exchange mechanism is optional in the proposed scheme. If the system does not need the forward security of session keys, the server and the user use H(H(IDi ⊕ x ⊕ b_new) ⊕ r_new) = H(D̄_new ⊕ H(H(PWi) ⊕ s_new) ⊕ r_new) directly as the session key, but such a method no longer guarantees forward security.

It is clear that there is no verification table in the scheme. The server only needs to keep the master key x. Except for the password PWi, all the verification information of Ui is kept by the smart card.

The scheme is able to prevent smart card security breach attacks. Suppose that Ui's smart card is lost and picked up by an attacker, or an attacker steals Ui's smart card. The secrets stored in the smart card may be extracted, i.e., {E, D̄, r, s} are obtained by the attacker. However, the attacker is still unable to derive Ui's password PWi from {E, D̄, r, s}. The attacker has to guess x, b and PWi at the same time, and faces the problem of finding a preimage of a secure hash function, which is intractable.

Finally, we mention a more powerful smart card security breach attack. Suppose the attacker steals a smart card whose owner is Ui; the attacker may obtain the information stored in the smart card, i.e., {IDi, E, D̄, r, s}. After that, the attacker returns the smart card to Ui without Ui's awareness and manages to obtain the information that the server sends to the smart card, i.e., {r_new, E_new, D_new, M2, M3, TS}, by eavesdropping on exactly the next login phase. Then the attacker tries to steal the smart card again and obtains the new information stored in the smart card, i.e., {IDi, E_new, D̄_new, r_new, s_new}. In this case, the attacker knows D̄, D_new, D̄_new, s, r_new and s_new, and can then guess the user's password off-line, i.e., select a guessed password PW* such that D̄_new = H(D̄ ⊕ H(H(PW*) ⊕ s) ⊕ r_new) ⊕ D_new ⊕ H(H(PW*) ⊕ s_new). Such an attack rests on several very strong assumptions. It is not hard to see that we can resist the attack by encrypting D_new with an additional session key, which can be generated as follows. The server chooses a random number α′ and sends K = H(H(IDi ⊕ x ⊕ b) ⊕ r) ⊕ g^α′ to the smart card. Upon receiving K from the server, the smart card derives g^α′, chooses a random number β′, and sends K′ = H(D̄ ⊕ H(H(PWi) ⊕ s) ⊕ r) ⊕ g^β′ to the server. The server and the smart card use g^α′β′ as the session key. The procedure above is similar to the session key agreement phase, and it should be carried out before the session key agreement phase.

VI. CONCLUSION

In this paper, we note that C.T. Li et al.'s scheme, which can prevent smart card security breach attacks, needs a verification table in the remote server. The existence of verification tables is not good for a secure password-based authentication scheme. Based on secure hash functions, we proposed a password-based authentication scheme against smart card security breach and without maintaining verification tables. The proposed scheme satisfies all the main security requirements for remote user authentication.

ACKNOWLEDGMENT

This work was supported by the Research Fund of South China Institute of Software Engineering from 2011 to 2012 and in part by the Open Funds of Key Lab of Fujian Province University Network Security and Cryptology (2011008).


REFERENCES

[1] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, 24(11), pp. 770-772, 1981.
[2] I. E. Liao, C. C. Lee, and M. S. Hwang, "A password authentication scheme over insecure networks," Journal of Computer and System Sciences, 72(4), pp. 727-740, 2006.
[3] K. Helkala, "Password Education Based on Guidelines Tailored to Different Password Categories," Journal of Computers, 6(5), pp. 969-975, 2011.
[4] R. Padmavathy and C. Bhagvati, "A Small Subgroup Attack for Recovering Ephemeral Keys in Chang and Chang Password Key Exchange Protocol," Journal of Computers, 6(4), pp. 805-811, 2011.
[5] H. B. Chen, S. S. Chang, and C. C. Yang, "An Antiphishing User Authentication Scheme without Using a Sensitive Key Table," in 7th International Conference on Intelligent Information Hiding and Multimedia Signal Processing, X. Niu, M. Li, Y. Suzuki, J. S. Pan, and L. C. Jain, Eds. Los Alamitos: IEEE Computer Society's Conference Publishing Services, pp. 141-144, 2011.
[6] W. Wang, L. Hu, and Y. Li, "How to Construct Secure and Efficient Three-Party Password-Based Authenticated Key Exchange Protocols," in 6th International Conference on Information Security and Cryptology, Inscrypt 2010, LNCS, vol. 6584, X. Lai, M. Yung, and D. Lin, Eds. Berlin-Heidelberg: Springer-Verlag, pp. 218-235, 2011.
[7] C. G. Ma, D. Wang, P. Zhao, and Y. H. Wang, "A New Dynamic ID-Based Remote User Authentication Scheme with Forward Secrecy," in APWeb 2012 International Workshops: SenDe, IDP, IEKB, MB - Web Technologies and Applications, LNCS, vol. 7234, H. Wang, L. Zou, G. Huang, J. He, C. Pang, H. Zhang, D. Zhao, and Z. Yi, Eds. Berlin-Heidelberg: Springer-Verlag, pp. 199-211, 2012.
[8] Y. F. Chang, Y. F. Li, and S. M. Pan, "A Security Enhancement on a Remote User Authentication Scheme Based on the Rabin Cryptosystem with Secure Password Updating," in 2012 26th International Conference on Advanced Information Networking and Applications Workshops, L. Barolli, T. Enokido, F. Xhafa, and M. Takizawa, Eds. Los Alamitos: IEEE Computer Society's Conference Publishing Services, pp. 160-164, 2012.
[9] Y. C. Lee, "A Secure Password-Based Authentication Scheme Against Guessing Attack," in 2011 International Conference in Electrics, Communication and Automatic Control, R. Chen, Ed. Berlin-Heidelberg: Springer-Verlag, pp. 1255-1260, 2012.
[10] J. Zhao, D. Gu, and L. Zhang, "Security analysis and enhancement for three-party password-based authenticated key exchange protocol," Security and Communication Networks, 5(3), pp. 273-278, 2012.
[11] W. Yuan, L. Hu, H. Li, J. Chu, and Y. Sun, "An Improved Dynamic Password based Group Key Agreement against Dictionary Attack," Journal of Software, 7(7), pp. 1524-1530, 2012.
[12] S. K. Kim and M. G. Chung, "More secure remote user authentication scheme," Computer Communications, 32(6), pp. 1018-1021, 2009.
[13] H. C. Hsiang and W. K. Shih, "Weaknesses and Improvements of the Yoon-Ryu-Yoo Remote User Authentication Scheme using Smart Cards," Computer Communications, 32(6), pp. 649-652, 2009.
[14] Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, "More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme," Computer Communications, 32(6), pp. 583-585, 2009.
[15] C. T. Li and C. C. Lee, "A Robust Remote User Authentication Scheme against Smart Card Security Breach," in 25th Annual IFIP WG 11.3 Conference, DBSec 2011, Data and Applications Security and Privacy XXV, LNCS, vol. 6818, Y. Li, Ed. Berlin-Heidelberg: Springer-Verlag, pp. 231-238, 2011.
[16] J. F. Dhem, F. Koeune, P. A. Leroux, P. Mestré, J. J. Quisquater, and J. L. Willems, "A Practical Implementation of the Timing Attack," in Third International Conference on Smart Card Research and Applications - CARDIS 1998, LNCS, vol. 1820, J. J. Quisquater and B. Schneier, Eds. Berlin-Heidelberg: Springer-Verlag, pp. 167-182, 2000.
[17] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Transactions on Computers, 51(5), pp. 541-552, 2002.
[18] J. J. Quisquater and D. Samyde, "Electronic Magnetic Analysis (EMA): Measures and Counter-measures for Smart Cards," in International Conference on Research in Smart Cards, E-smart - Smart Card Programming and Security 2001, LNCS, vol. 2140, I. Attali and T. Jensen, Eds. Berlin-Heidelberg: Springer-Verlag, pp. 200-210, 2001.
[19] S. P. Skorobogatov and R. J. Anderson, "Optical Fault Induction Attacks," in 4th International Workshop on Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS, vol. 2523, B. S. Kaliski, C. K. Koc, and C. Paar, Eds. Berlin-Heidelberg: Springer-Verlag, pp. 31-48, 2003.
[20] K. A. Shim, "Security Flaws in Three Password-Based Remote User Authentication Schemes with Smart Cards," Cryptologia, 36(1), pp. 62-69, 2012.
[21] W. Mao, Modern Cryptography: Theory and Practice. New Jersey, USA: Prentice Hall, 2003.

Jing Shen was born in Junyun, Zhejiang province, China in 1980. She received her bachelor degree at Wenzhou Normal College, China in 2004 and her master degree at Guangzhou University, China in 2007. Her research interests include computer network security and cryptology. Ms. Shen is now a lecturer at South China Institute of Software Engineering in Guangzhou, China.

Yusong Du was born in Xi'an, Shaanxi province, China in 1982. He received his bachelor, master and doctoral degrees at Guangzhou University, China in 2004, 2007 and 2010 respectively. His research interests include cryptology and related mathematical problems. Dr. Du was a postdoctoral researcher at Sun Yat-sen University in Guangzhou, China from June 2010 to May 2012. Dr. Du is now a lecturer at the School of Information Management, Sun Yat-sen University in Guangzhou, China.
