Security Vulnerabilities of an Enhanced Remote User Authentication Scheme

Transcription

1 Contemporary Engneerng Scences, Vol. 7, 2014, no. 26, HIKARI Ltd, Securty Vulnerabltes of an Enhanced Remote User Authentcaton Scheme Hae-Soon Ahn Faculty of Lberal Educaton, Daegu Unversty Kyungsangpuk-Do , Republc of Korea Eun-Jun Yoon 1 Department of Cyber Securty, Kyungl Unversty Kyungsangpuk-Do , Republc of Korea Copyrght c 2014 Hae-Soon Ahn and Eun-Jun Yoon. Ths s an open access artcle dstrbuted under the Creatve Commons Attrbuton Lcense, whch permts unrestrcted use, dstrbuton, and reproducton n any medum, provded the orgnal work s properly cted. Abstract In 2014, Yang et al. proposed a new dynamc ID-based user authentcaton scheme based on smart card whch s beleved to have many abltes to resst a range of network attacks. However, ths paper analyzes the securty of Yang et al. s scheme and then shows that the scheme not only s stll vulnerable to off-lne password guessng attack, but also does not provde the unlnkablty property and user anonymty because of the dentty guessng attack unlke ther clams. Keywords: User authentcaton; Dynamc dentty; Cryptanalyss; Password; Unlnkablty 1 Introducton Remote user authentcaton schemes are used to verfy the legtmacy of remote users logn request. In verfer-free authentcaton scheme, the user s logn dentty ID s always statc [1]. It means that t can be leak partal nformaton 1 Correspondng author: Eun-Jun Yoon, Fax:

2 1476 Hae-Soon Ahn and Eun-Jun Yoon related wth the user s logn messages. Furthermore, an adversary can use the nformaton to forge the user s logn messages by some subtle means. One of the solutons to elmnate ths securty problem s to employ dynamc dentty ID n dfferent logn sesson [1, 2, 3, 4]. In 2004, Das et al. [1] frst proposed a dynamc ID-based remote user authentcaton scheme whch can resst replay, masquerade, and nsder attacks. In 2007, Wang et al. [2], however, ponted out that Das et al. s scheme s susceptble to smart card attack and does not provde mutual authentcaton. Then they proposed a more effcent and secure dynamc ID-based remote user authentcaton scheme. In 2011, Khan et al. [3], however, ponted out that Wang et al. s scheme stll s susceptble to nsder attack and does not provde user s anonymty and sesson key agreement. They also proposed a new dynamc ID-based remote user authentcaton scheme. In 2014, Yang et al. [4] ponted out that prevously proposed schemes have weaknesses because of usng tmestamps and lead to serous clock synchronzaton problems and then proposed an enhanced dynamc ID-based remote user authentcaton (n short, ERUA) scheme. Yang et al. clamed that the proposed ERUA scheme provdes mutual authentcaton usng a challenge-response handshake and user s anonymty. Ths paper researches Yang et al. s ERUA scheme and then shows that the ERUA scheme not only s stll vulnerable to off-lne password guessng attack, but also does not provde the unlnkablty property [5] and user anonymty because of the dentty guessng attack [6, 7] unlke ther clams. For ths reason, Yang et al. s ERUA scheme s nsecure for practcal applcaton. The remander of ths paper s organzed as follows. We revew Yang et al. s ERUA scheme n Secton 2. The securty flaws of Yang et al. s ERUA scheme are presented n Secton 3. Fnally, we draw some conclusons n Secton 4. 2 Revew of Yang et al. s ERUA Scheme Ths secton revews the Yang et al. s ERUA scheme [4]. Throughout the paper, notatons are employed n Table 1. The ERUA scheme s dvded nto four phase: regstraton phase, logn phase, authentcaton phase, and password change phase. 2.1 Regstraton phase A user U wth dentfer ID should frst carry out ths phase once before he/she can use any of the servces provded by the server S. In ths phase, U and S need to perform the followng steps: R1. U S: {ID, h(id P W )}

3 Securty vulnerabltes of an enhanced remote user authentcaton scheme 1477 Table 1: Notatons used n ERUA scheme U A remote user. S A trusted server. ID An dentty of the user U. P W A password of the user U. h( ) A secure one-way hash functon. x A secret key of server S. A btwse excluse-or (XOR) operaton. A concatenaton operaton. User U keys hs/her dentty ID and password P W, and hs/her smart card computes and submts {ID, h(id P W )} to S through a secure channel. R2. S U : {h( ), B, C } After recevng the request, S computes A = h(h(id ) x), B = h(id P W ) A and C = h(a ), where x s the permanent secret key of S. Then, S sends {h( ), B, C } to U through a secure channel. 2.2 Logn phase Whenever U wants to logn a server S, he/she must perform the followng steps: L1. After nsertng hs/her smart card nto the card reader, U nputs the dentty ID and password P W. Then, the smart card computes D = B h(id P W ) and E = h(d ). L2. The smart card checks whether or not E and C are equal. If yes, U passes the legtmate verfcaton and performs the followng steps; otherwse, U s rejected. L3. The smart card randomly chooses a nonce R 1 and computes F = D R 1. L4. U S: {h(id ), F } U sends the logn request message {h(id ), F } to the remote server S.

4 1478 Hae-Soon Ahn and Eun-Jun Yoon 2.3 Authentcaton phase A user performs the remote authentcaton phase based on the logn message for authentcaton as long as t vsts the server. U and S perform the followng steps to acheve mutual authentcaton and to establsh a sesson key: A1. After recevng the logn message {h(id ), F }, S computes G = h(h(id ) x) and R 1 = F G. Then, S chooses a nonce R 2 and computes H = G R 2. A2. S U : {H, h(r 1)} The server S sends the mutual authentcaton message {H, h(r 1)} to the user U. A3. U S: {h(r 2)} After recevng the mutual authentcaton message {H, h(r 1)} from the server S, the user U checks whether or not h(r 1) and h(r 1 ) are equal. If no, U rejects ths message and termnates the operaton; otherwse, U authentcates S successfully and computes R 2 = H D. Then, U sends {h(r 2)} to S. A4. When the server S receves {h(r 2)}, S checks whether or not h(r 2) and h(r 2 ) are equal. If no, S sends reject message to the U ; otherwse, S authentcates U. After fnshng mutual authentcaton phase, the user U and the server S each can compute a common sesson key SK = h(r 1 R 2 ) for the next data transmsson. 2.4 Password change phase The user U can change hs/her password wthout the help of the server S, and the detals of the password change procedures are as follows: C1. U nserts the smart card, and nput hs/her old password P W and the dentty ID. C2. The smart card computes A = B h(id P W ), C = h(a ), and checks whether or not C and C are equal. If the verfcaton process s correct, the smart card asks the cardholder to resubmt a new password P W new. C3. The smart card computes B new = h(id P W new ) A. C4. The smart card replaces the values of B stored n ts memory wth B new to fnsh the password change phase.

5 Securty vulnerabltes of an enhanced remote user authentcaton scheme Securty Vulnerabltes of ERUA Scheme Ths secton demonstrates that Yang et al. s ERUA scheme [4] s stll vulnerable to off-lne password guessng attack and does not provde the unlnkablty property and user anonymty because of the dentty guessng attack unlke ther clams. The detals of these flaws are descrbed as follows: 3.1 User anonymty problem Users anonymty s an mportant securty requrement that a practcal dynamc dentty-based remote authentcaton scheme should acheve [7]. In the Yang et al.s ERUA scheme, they clamed that ther proposed scheme preserves user anonymty because a user s real dentty ID s concealed n the h(id ). However, we show that Yang et al.s ERUA scheme [4] stll fals to acheve the anonymty as follows: 1. Eve ntercepts a logn message {h(id ), F } of U of a prevous sesson. 2. Eve guesses an dentty ID and then computes h(id ). 3. Eve verfes the correctness of ID by checkng whether the h(id ) and the ntercepted h(id ) are equal. If the check passes, then Eve confrms that the guessed password ID s the correct one. 4. If t s not correct, Eve chooses another dentty ID and repeatedly performs above steps (2) and (3) untl t fnds the exact dentty ID of U. The adversary Eve can easly guess the dentty ID of U by checkng all possble denttes from the search space D ID, where ndcates the cardnalty of D ID. The runnng tme of the aforementoned procedure s O( D ID ) T h, where T h represents the executon tme of hash operaton. It can be noted that for easy memorzaton, user generally chooses hs/her dentty wth low ntensty value from the set D ID havng small number of elements. Snce D ID s not large enough n practce, for example, D ID 10 6 and the tme complextes T h are also neglgble, thus Eve can complete the above procedure n polynomal tme [6, 7]. 3.2 Lnkablty attack Unlnkablty s a property whch means an adversary cannot recognze whether outputs are from the same user, and ths property s mportant wth respect to the prvacy problem n the anonymous user dentfcaton [5]. However, Yang et al. s ERUA scheme cannot provde unlnkablty property. That s, an

6 1480 Hae-Soon Ahn and Eun-Jun Yoon adversary Eve can eavesdrop the user U s logn request message {h(id ), F } between the user U and the server S from the publc channel; h(id ) n the logn request message {h(id ), F } s kept the same n every logn sesson. In other words, a malcous adversary Eve s capable of tracng out the user U accordng to h(id ) whch s n the U s logn request message. For example, Eve can perform the followng attack to break user prvacy and anonymty. 1. In any sesson, Eve ntercepts user s logn request message {h(id ), F }. 2. Eve checks whether both h(id ) s equal to h(id ). If ths condton s true, t means that ID ID. So, the attacker can know ths logn request message {h(id ), F } s sent from the same user U. As a result, anyone can decde whether two transactons {h(id ), F } and {h(id ), F } are of the same user U or not by checkng f the followng equaton holds: h(id )? = h(id ). The above lnkablty securty problem n the ERUA scheme happens because anyone can easly check whether the ntercepted two transactons are from the same user or not. Therefore, Yang et al. s ERUA scheme fals n unlnkablty property of U durng the logn phase. 3.3 Off-lne password guessng attack Moreover, Eve can obtan the password P W of U by usng the ID. Suppose that the user U s smart card s lost or stolen, then the attacker Eve can extract the stored secret nformaton {h( ), B, C } stored n the smart card. Eve cam extract the stored secret nformaton by montorng ther tmng nformaton, power consumpton and reverse engneerng technques. Then, Eve can perform the off-lne password guessng attack as follows: 1. Eve selects a canddate password P W 2. Eve checks f the followng equaton holds or not C? = h(b h(id P W )) (1) If the check passes, then Eve confrms that the guessed password P W s the correct one. 3. If t s not correct, Eve chooses another password P W performs above step (2) untl and repeatedly C? = h(b h(id P W )) (2)

7 Securty vulnerabltes of an enhanced remote user authentcaton scheme 1481 It s clear that f P W P W, then h(b h(id P W )) = h(h(id P W ) A h(id P W )) = h(a ) (3) = C Therefore, Yang et al.s ERUA scheme s vulnerable to off-lne password guessng attack. The algorthm of the off-lne password guessng attack for gettng the password P W s as follows: Off-lne Password Guessng Attack(B, C, ID, h( ), D P W ) { for := 0 to D P W { P W D P W ; A = B h(id P W ); f C? = h(a ) then return P W } } The runnng tme of the above password guessng attack s (O( D ID ) T h ) + (O( D P W ) T c T x T h ), where T c and T x represent the executon tme of concatenaton and bt-wse XOR operatons, respectvely. The search spaces D ID and D P W are unlkely to be large enough (for example, D ID 10 6 and D P W 10 6 ), and the tme complextes T c, T h and T x all can be executed wth neglgble amount of tme, thus the polynomal tme-bounded adversary Eve can fnd the exact password P W of U easly [6, 7]. 4 Conclusons Ths paper revewed Yang et al. s ERUA scheme and then ponted out that the ERUA scheme scheme s stll vulnerable to off-lne password guessng attack and does not provde the unlnkablty property and user anonymty because of the dentty guessng attack unlke ther clams. Consequently Yang et al. s ERUA scheme s nsecure for practcal applcaton. Further works wll be focused on mprovng the ERUA s scheme whch can be able to provde greater securty and to be more effcent than the exstng dynamc ID-based remote user authentcaton schemes by an accurate performance analyss.

8 1482 Hae-Soon Ahn and Eun-Jun Yoon Acknowledgements Ths work was supported by Basc Scence Research Program through the Natonal Research Foundaton of Korea(NRF) funded by the Mnstry of Educaton, Scence and Technology(No ). References [1] M. Das, A. Saxena, P. Gulat, A dynamc ID-based remote user authentcaton scheme, IEEE Trans actons on Consumer Electroncs, 50 (2004), [2] Y. Wang, J. Lu, F. Xao, J. Dan, A more effcent and secure dynamc ID-based remote user authentcaton scheme, Computer Communcatons, 32 (2009), [3] M. Khan, K. Km, K. Alghathbar, Cryptanalyss and securty enhancement of a more effcent & secure dynamc ID-based remote user authentcaton scheme, Computer Communcatons, 34 (2011), [4] X. Yang, X. Cu, Z. Cao, Z. Hu, An enhanced remote user authentcaton scheme, Engneerng, 6(1) (2014), [5] E.Y. Yoon, K.Y. Yoo, An mprovement of the user dentfcaton and key agreement protocol wth user anonymty, Informatca, 23(1) (2012), [6] D. Florenco, C. Herley, A large-scale study of web password habts, In Proceedngs of the 16th Internatonal Conference on World Wde Web, (2007), [7] S. Islam, G. Bswas, K. Choo, Cryptanalyss of an mproved smartcardbased remote password authentcaton scheme, Informaton Scences Letters, 3(1) (2014), Receved: October 4, 2014; Publshed: October 28, 2014