Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards

Transcription

1 Journal of Computational Information Systems 9: 14 (2013) Available at Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards Chengbo XU 1,2,, Zhongtian JIA 3, Fengtong WEN 1, Yan MA 2 1 School of Mathematical Sciences, University of Jinan, Jinan , China 2 Institute of Network Technology Research, Beijing University of Posts and Telecommunications, Beijing , China 3 Shandong Provincial Key Laboratory of Network Based Intelligent Computing, Jinan , China Abstract Recently, Lee, Lai and Li proposed a dynamic identity based remote user authentication scheme using smart card to remedy the weaknesses of Lee-Lin-Chang s scheme. However, we find that Lee-Lai-Li s scheme is still insecure and vulnerable to offline dictionary attack. Besides, the scheme suffers from low efficiency in wrong password detection process and password change phase. To eliminate these weaknesses, we propose an improved scheme. Through comparative analysis, we illustrate that our proposed scheme is more secure and simultaneously keeps low cost. Keywords: Authentication; Dynamic Identity; Multi-server; Smart Card; Key Agreement 1 Introduction With the rapid growth of Internet, it becomes a very serious issue to authenticate the identity of a remote user in public environment before he/she can access a service [2]. To solve this problem, many authentication schemes have been proposed in literature. In 2009, Liao and Wang proposed a dynamic ID-based authentication scheme for multi-server environments [3]. They claimed that their scheme can resist various attacks and achieve mutual authentication. But Hsiang and Shih found that Liao-Wang s scheme is vulnerable to insider s attack, masquerade attack, server spoofing attack, registration center spoofing attack and is not reparable. Furthermore, Liao-Wang s scheme fails to provide mutual authentication [4]. To eliminate these weaknesses, Hsiang and Shih proposed an improved scheme [4]. Unfortunately, Hsiang-Shish s scheme was pointed out still not secure and susceptible to masquerade attack, server spoofing attack and is not easily reparable [1]. To remove these flaws, Lee, Lin and Chang proposed their improved schemes [1]. Recently, Lee, Lai and Li identified that Lee-Lin-Chang s Project partially supported by the Doctoral Fund of University of Jinan (Granted No.XBS0835), and the project of Jinan City Science and Technology Program (Granted No ). Corresponding author. address: cbqysy@gmail.com (Chengbo XU) / Copyright 2013 Binary Information Press DOI: /jcis6300 July 15, 2013

2 5514 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) scheme still fails to achieve the anonymity and has the security weakness of a smart clone [5]. In addition, they proposed an improved scheme to remedy the weaknesses of Lee-Lin-Chang s scheme [5]. In this paper, we will show that Lee-Lai-Li s scheme suffers from offline dictionary attack, low efficiency in wrong password detection, low efficiency and inconveniency in password change phase. To remove these weaknesses, we propose an improved scheme. Through comparative analysis, we illustrate that the improved scheme is more secure and keeps low cost. The rest of this paper is organized as follows: in Section 2, we provide a brief review of Lee-Lai- Li s scheme. Section 3 points out the security weaknesses of Lee-Lai-Li s scheme. The proposed scheme and corresponding scheme analysis are presented in Sections 4 and 5 respectively. Finally, we conclude the paper in Section 6. The notations are summarized in Table 1. Table 1: Notations used in this paper U i The ith user x The master secret key maintained by RC S j The jth server b, b new Random numbers generated by user U i RC The registration center CID, CID new The dynamic identities generated by U i ID i The identity of the user U i SK A session key shared between the user and server P W i The password of the user U i h( ) A secure one-way hash function Exclusive-OR operation Message concatenation operation 2 Review of Lee-Lai-Li s Scheme In this section, we will review the Lee-Lai-Li s scheme briefly [5]. There are three entities involved in this scheme. i.e. the user (U i ), the remote server (S j ) and the registration center (RC). RC chooses the master key x which it itself knows only. And then RC computes and shares h(x) with each legal servers over a secure channel. 2.1 Registration phase Step 1 U i generates a random number b, and then chooses his/her identity ID i and password P W i. Next, U i computes CID = h(id i P W i ) b and sends it to RC. Step 2 Upon receiving CID, RC computes B i = h(cid h(x)) and sends {B i, h( )} back to U i. Step 3 When receiving {B i, h( )}, U i computes BP W = B i h(p W i ). Finally, U i stores {BP W, b, h( )} in the corresponding smart card. 2.2 Login and verification phase Step 1 U i inserts his/her smart card into a card reader and inputs the identity ID i and password P W i. Then the card computes CID = h(id i P W i ) b, B i = BP W h(p W i ) and gener-

3 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) ates two random numbers, b new and N i. Next, U i computes CID new = h(id i P W i ) b new, V i = CID new h(b i N i ) and Q i = h(cid new B i N i ). Finally, U i submits the login request message {CID, V i, Q i, N i } to S j. Step 2 Upon receiving {CID, V i, Q i, N i }, S j computes B i = h(cid h(x)), CID new = V i h(b i N i ), and then checks Q i =?h(cid new B i N i ). If they are equal, S j generates a random number N j, computes B new = h(cid new h(x)), V j = B new h(b i N j ), Q j = h(cid B new N j ), and then sends {V j, Q j, N j } back to U i ; Otherwise, S j rejects this login request. Step 3 When receiving {V j, Q j, N j }, U i computes B new = V j h(b i N j ) and checks Q j =?h(cid B new N j ). If they are not equal, U i terminates the session; Otherwise, it means that U i authenticate S j. Then, U i computes BP W new = B new h(p W i ) and stores {BP W new, b new } for the next login. Next, U i computes the session key SK = h(n i N j B i ) and Q ij = h(n i B i N j B new ) which is sent to S j for double check. Step 4 Upon receiving Q ij, S j verifies Q ij =?h(n i B i N j B new ). If they are not equal, S j terminates the session; Otherwise, S j computes the session key SK = h(n i N j B i ). 2.3 Update session key phase Step 1 U i generates a random number Ni and computes Vi = Ni h(b i h(n i N j )), Q i = h(ni B i ). Then U i submits {Vi, Q i } to S j. Step 2 When receiving {Vi, Q i }, S j computes Ni = Vi h(b i h(n i N j )) and checks Q i =?h(ni B i ). If they are equal, S j generates a random number Nj, computes Vj = Nj h(b i h(n j N i )), Q j =?h(nj B i ), and then sends {Vj, Q j} to U i. Step 3 Upon receiving {V j, Q j}, U i computes N j = V j h(b i h(n j N i )) and checks whether Q j = h(n j B i ) or not. If they are equal, U i compute the new session key SK = h(n i N j B i ). And then U i computes Q ij = h(n i N j B i ) and sends it to S j. Step 4 When receiving Q ij, S j checks Q ij =?h(n i N j B i ). If they are equal, S j also updates the session key SK to SK = h(n i N j B i ); Otherwise, S j rejects the request. 2.4 Password change phase Step 1 U i inputs his/her identity ID i, password P W i, and chooses a new password P W new. Next, U i s smart card generates two random numbers b new and N i, and then computes CID = h(id i P W i ) b, B i = BP W h(p W i ), CID new = h(id i P W new ) b new, V i = CID new h(b i N i ), Q i = h(cid new B i N i ). Finally, U i submits message {CID, V i, Q i, N i } to S j.

4 5516 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) Step 2 Upon receiving {CID, V i, Q i, N i }, S j computes B i = h(cid h(x)), CID new = V i h(b i N i ), and checks Q i =?h(cid new B i N i ). If they are equal, S j generates a nonce N j, computes B new = h(cid new h(x)), V j = B new h(b i N j ), Q j = h(cid B new N j ), and then sends {V j, Q j, N j } back to U i ; Otherwise, S j rejects this login request. Step 3 When receiving {V j, Q j, N j }, U i computes B new = V j h(b i N j ) and checks whether Q j = h(cid B new N j ) or not. If they are equal, it means that U i verifies the validity of S j. Then, U i computes BP W new = B new h(p W new ) and stores {BP W new, b new } for the next login. 3 Cryptanalysis of Lee-Lai-Li s Scheme In this section, we will analysis Lee-Lai-Li s scheme and point out this scheme suffers from offline dictionary attack, low efficiency in wrong password detection and password change phase. To illustrate logically, we firstly list the following three assumptions. Assumption 1. Since Internet is a public and open environment, we assume the channels between users and servers are insecure. The adversary can control the channels entirely. Assumption 2. Now, there are several methods by which an adversary can extract the information stored in smart cards, such as Kocher et al. [7]. Therefore, we assume the adversary has capability to extract the information stored in smart cards. Assumption 3. Due to the low entropy of ID i and P W i selected by U i, we assume an adversary is able to offline guess U i s identity ID i and password P W i individually. However, he/she cannot offline guess ID i and P W i simultaneously in polynomial time as pointed out by Sood et al. [6]. 3.1 Offline dictionary attack If the user U i s smart card is lost or stolen, the adversary obtains it. According to assumption 2, he/she has the capability to extract the information {BP W, b, h( )} stored in smart card. Once knowing these values, the adversary can launch an offline dictionary attack as follows: 1) Guesses a password P W i. 2) Computes B i = BP W h(p W i ) with the knowledge BP W. 3) Eavesdrops or intercepts a valid login message {CID, U i, Q i, N i } from the open channels. 4) Computes CID new = V i h(b i N i ), Q i = h(cid new B i N i ) and checks Q i =?Q i. If they are equal, it means that the guessed P W i is the real password P W i ; Otherwise, the adversary will repeat steps 1)-4) until the real password P W i is found. 5) After successfully guessing the real password P W i, the adversary computes h(id i P W i ) = CID b using the values CID and b. 6) Guesses an identity ID i. 7) Computes h(id i P W i ) and checks whether h(id i P W i ) = h(id i P W i ) or not. If they are equal, it means that the guessed identity ID i is the real identity ID i ; Otherwise, the adversary will repeat steps 6)-7) until the real identity ID i is guessed correctly. Possessing the real identity ID i and password P W i, this adversary has as same privilege as the user U i. He/She can do whatever the real user U i can do. Furthermore, the adversary can compute the real secret key B i. With the value B i, he/she can masquerade as S j to fool U i.

5 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) Low efficiency in wrong password detection and password change phase In Lee-Lai-Li s scheme, there is no wrong password detection mechanism in smart cards. When the user U i inputs a wrong password by mistake in the login phase, the error will not be detected until the server S j checks whether Q i = Q i in the verification phase. As this, many computational and communicational resources are wasted. On the one hand, the password change phase of Lee-Lai-Li s scheme involves U i and S j two entities, instead of U i itself. So the user U i cannot finish updating his/her password offline. This is to some extent not convenient for the user U i. On the other hand, the user U i and server S j have to exchange and compute some messages when U i wants to update his/her password. This inevitably causes some additional delay and consequently decreases the scheme s efficiency. 4 Our Improved Scheme In this section, we will improve Lee-Lai-Li s scheme to eliminate all the weaknesses mentioned above. The improved scheme also involves three entities: the user (U i ), the server (S j ) and the registration center (RC), and includes five phases: the registration phase, the login phase, the verification phase, update session phase and password change phase. RC selects the master key x which is known only to RC. Next, RC computes h(x) and shares the knowledge with each legal server via a secure channel. 4.1 Registration phase Step 1 U i generates a random number b, and then chooses his/her identity ID i and password P W i. Next, U i computes CID = h(id i b) and sends it to RC. Step 2 Upon receiving CID from U i, RC computes B i = h(cid h(x)) and stores {CID, B i, h( )} in a smart card. Then RC issues the card to U i via a secure channel. Step 3 When receiving his/her smart card, U i inputs the identity ID i and password P W i. The smart card computes R i = h(p W i ID i ) and BP W = B i h(p W i ID i ). And then it stores R i and substitutes B i with BP W. Eventually, the smart card contains {CID, R i, BP W, h( )}. 4.2 Login and verification phase Step 1 U i inserts his/her smart card into a card reader and inputs the identity ID i and password P W i. Then the card computes R i = h(p W i ID i) and checks whether R i = R i or not. If they are not equal, the smart card rejects this login request; Otherwise, the card generates two random numbers b new and N i, and then computes B i = BP W h(p W i ID i ), CID new = h(cid b new ), V i = CID new h(b i N i ) and Q i = h(cid new B i N i ). Finally, U i sends {CID, V i, Q i, N i } to S j.

6 5518 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) Step 2 Upon receiving {CID, V i, Q i, N i } from U i, S j computes B i = h(cid h(x)), CID new = V i h(b i N i ), and then checks Q i =?h(cid new B i N i ). If they are equal, S j generates a random number N j, computes B new = h(cid new h(x)), V j = B new h(b i N j ), Q j = h(cid B new N j ), and then sends {V j, Q j, N j } back to U i. Otherwise, S j rejects this login request. Step 3 When receiving {V j, Q j, N j }, U i computes B new = V j h(b i N j ) and checks whether Q j =?h(cid B new N j ) or not. If they are not equal, U i terminates the session. Otherwise, it means that U i authenticates the validity of S j. Then, U i computes BP W new = B new h(p W i ID i ) and stores {CID new, BP W new } for the next login. Next, U i computes the session key SK = h(n i N j B i ) and Q ij = h(n i B i N j B new ) which is sent to S j for double check. Step 4 Upon receiving Q ij, S j verifies Q ij =?h(n i B i N j B new ). If they are not equal, S j terminates the session; Otherwise, S j computes the session key SK = h(n i N j B i ). 4.3 Update session key phase In our scheme, this phase is same to the corresponding phase in Lee-Lai-Li s scheme, so we omit it here. 4.4 Password change phase Step 1 U i inserts his smart card and then inputs ID i, P W i and asks for changing password. Step 2 U i s smart card computes Ri = h(p Wi IDi ) and checks whether Ri = R i or not. If they are equal, U i chooses a new password P W new. Step 3 The smart card computes R new = h(p W new ID i ), BP W new = BP W h(p W i ID i ) h(p W new ID i ). And then it replaces R i and BP W with R new and BP W new respectively. 5 Security Analysis In this section, we will mainly consider the improved aspects in security of our proposed scheme. The other s security features are same to those of Lee-Lai-Li s scheme. 5.1 Resist offline dictionary attack The offline dictionary attack means that an attacker collects related information by various methods and then attempts to guess user U i s identity ID i or password P W i using these information. In our improved scheme, the values an adversary might collect are CID, CID new, R i, BP W, V i, Q i, N i,

7 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) V j, Q j, N j and Q ij. Among them, the two values of R i and BP W might be obtained by extracting the information stored in U i s smart card which might be lost or stolen. Other seven values of V i, Q i, N i, V j, Q j, N j and Q ij can be collected by intercepting or eavesdropping the messages transmitted between U i and S j in insecure channels. Besides, the values CID and CID new can be obtained by both means above. According to assumption 3, the adversary can not successfully offline guess the identity ID i or password P W i from R i = h(p W i ID i ) and BP W = B i h(p W i ID i ) where the ID i and P W i come in pairs. The adversary also cannot get ID i from CID = h(id i b) since the random value is not stored and used only once. Besides, the dynamic identity CID is updated by the recursion CID new = h(cid b new ) in each login and verification phases. Therefore, it is hardly possible to guess ID i from CID or CID new. Finally, the adversary also can not guess ID i or P W i from other values of V i, Q i, N i, V j, Q j, N j and Q ij without the secret knowledge B i and B new. Based on analysis above, we can see the proposed scheme resist the offline dictionary attack. 5.2 Improvement of efficiency in wrong password detection and password change phase In our improved scheme, we design a mechanism in step 1 of the login phase that can be used to check validity of the inputted ID i and P W i in smart cards. Therefore, the wrong password will be quickly detected by the user U i s smart card when U i inputs a wrong password P W i by mistake. Consequently, the scheme s efficiency is improved. Compared with Lee-Lin-Chang s scheme, the Lee-Lai-Li s scheme improves the user-friendliness property of password change phase by avoiding to transmit many high secret values between U i and S j over a secure channel. However, the efficiency and conveniency are still not improved as described in subsection 3.3. In our proposed scheme, the password change phase only involves the corresponding user himself/herself without the help of S j or RC. No any message needs to be transmitted between U i and S j. As a result, the efficiency and conveniency of the proposed scheme are improved substantially. 5.3 Comparative analysis of computation overhead In Table 2, we conduct comparative analysis of computation overhead among four recently proposed scheme including our proposed scheme. Since the computation cost of exclusion-or and concatenation operations require very few computation resources, we neglect these types of computation overheads here. Besides, we denote T h as the time complexity for hash function. From Table 2, we can easily see our scheme and Lee-Lai-Li s scheme are both more efficient than other two related schemes. Even if compared with Lee-Lai-Li s scheme, the improved scheme requires only two more hash computations. One is processed in registration phase, the other is conducted in login phase. Of course, it is worth these two more hash operations to remedy those weaknesses of Lee-Lai-Li s scheme. 6 Conclusions In this paper, we show that Lee-Lai-Li s scheme suffers from offline dictionary attack, low efficiency in wrong password detection, low efficiency and inconveniency in password change phase. To

8 5520 C. Xu et al. /Journal of Computational Information Systems 9: 14 (2013) Table 2: Cost comparisons of our scheme and previously proposed schemes ours Lee-Lai-Li s scheme(2012) Lee-Lin-Chang s scheme(2011) Cost of user registration 4T h 3T h 6T h 6T h Cost of server registration 1T h 1T h 2T h 2T h Cost of login and authentication User 9T h 8T h 10T h 11T h Server 9T h 9T h 11T h 5T h RC 0T h 0T h 0T h 13T h Li et al. s scheme(2011) remedy these weaknesses, we proposed an improved scheme. Through comparative analysis, we prove that our proposed scheme is more secure and keeps low cost simultaneously. References [1] C. C. Lee, T. H. Lin, R. X. Chang. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards[j]. Expert Systems with Applications, 2011, 38(11): [2] X. Li, Y. P. Xiong, J. Ma, W. D. Wang. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards[j]. Journal of Network and Computer Applications, 2012, 35(2): [3] Y. P. Liao, S. S. Wang. A secure dynamic ID based remote user authentication scheme for multiserver environment[j]. Computer Standards & Interfaces, 2009, 31(1): [4] H. C. Hsiang, W. K. Shih. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment[j]. Computer Standards & Interfaces, 2009, 31(6): [5] C. C. Lee, Y. M. Lai, and C. T. Li. An Improved Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment[J]. International Journal of Security and Its Application, 2012, 6(2): pp [6] S. K. Sood, A. K. Sarje, K. Singh. A secure dynamic identity based authentication protocol for multi-server architecture[j]. Journal of Network and Computer Applications, 2011, 34(2): [7] P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis[C]. Proceeding of Advanced in Cryptology (CRYPTO 99) 2009, August 15-19, Santa Barbara, USA. [8] D. L. Guo, F. T. Wen. A More Secure Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment[J], Journal of Computational Information Systems, 2013, 9(2):