Weaknesses of a dynamic ID-based remote user authentication. He Debiao*, Chen Jianhua, Hu Jin

Transcription

1 Weaknesses of a dynamc -based remote user authentcaton scheme He Debao, Chen anhua, Hu n School of Mathematcs Statstcs, Wuhan nversty, Wuhan, Hube , Chna Abstract: he securty of a password authentcaton scheme usng smart cards proposed by Khan et al s analyzed Four knds of attacks are presented n dfferent scenaros he analyses show that the scheme s nsecure for practcal applcaton Key words: Authentcaton; Securty; Cryptanalyss; Smart card; Attacks Introducton ser authentcaton s the essental securty mechansm for remote logn systems n whch a password-based authentcaton scheme s the most commonly used technque to provde authentcaton between the legal users the remote server In 98, Lamport [] proposed a password-based authentcaton scheme usng password tables to authentcate remote users over nsecure network In Lamport's scheme, password table s used to verfy the legtmacy of users In 2000, Hwang et al ponted out that once the password table was stolen or modfed n ths scheme, the whole authentcaton system wll be affected [2] herefore, they proposed a remote user authentcaton scheme usng smartcard wthout mantanng a password table Afterwards, many schemes have been proposed to enhance the securty practcablty [3-] A common feature among most of the publshed schemes s that the user s dentty s statc n Correspondng author E-mal: hedebao@63com, el: , Fax:

2 all the transacton sessons, whch may leak some nformaton about that user can create rsk of -theft durng the message transmsson over an nsecure channel o overcome ths rsk, Das et al proposed a dynamc -based remote user authentcaton scheme [2] Compared wth other authentcaton schemes, ths scheme has many advantages In the scheme, the server does not mantan any verfer table, moreover, the scheme s based on the one-way secure hash functon, so ts realzaton s smple relable However, Das et al s scheme s completely nsecure [3] It faled to protect the anonymty of a user [4] s susceptble to the mpersonaton attack [5], the guessng attack [6] o overcome the securty ptfalls of Das et al s scheme, Lao et al proposed an mproved scheme Msbahuddn et al [7] demonstrated that Lao et al s scheme cannot wthst mpersonaton attack, reflecton attack s completely nsecure as a user can successfully log on to a remote system wth a rom password In 2009, Wang et al [8] proposed a dynamc -based remote user authentcaton scheme clamed that ther scheme s more effcent secure than Das et al s scheme However, Khan et al [9] dentfy that Wang et al s scheme has the followng flaws: no provson of user s anonymty durng authentcaton, nablty to offer user free choce n choosng hs password, vulnerablty to nsder attack, no provson for revocaton of lost or stolen smart card, does provde sesson key agreement o remedy these securty flaws, they proposed an enhanced authentcaton scheme hey clamed ther scheme covers all the dentfed weaknesses of Wang et al s scheme s more secure effcent for practcal applcaton envronment However, n ths paper, we show Khan et al s scheme suffers from three weaknesses: ) nablty to protect the user s anonymty; 2) the sesson-key problem; 3) neffcency of the double 2

3 secret keys; 4) other drawbacks hat s, t fals to fully meet the securty requrements that ths type of scheme should acheve he rest of the paper s organzed as follows: Secton 2 brefly revews Khan et al's scheme, Secton 3 elaborates on the weakness of ther scheme, Secton 4 concludes ths paper 2 Revew of Khan et al s scheme he notatons used throughout ths paper are descrbed as n the followng : a user, PW : s dentfer, password respectvely S : a remote server x, y : S s secret keys, : s current tmestamp, S s current tmestamp, respectvely S h() : a hash functon : btwse XOR operaton : concatenaton operaton Khan et al's scheme nvolves fve phases, the regstraton phase, the logn phase, the authentcaton phase, the password change phase, the lost smart card revocaton phase We ust gve the frst four phases here, snce the last phase has nothng about our analyss Regstraton phase In ths phase, the user ) chooses hs ntally regsters wth the server S PW, generates a rom number r, computes RPW h( r PW ) At last, sends {, RPW } to the server S 2) pon recevng{, RPW }, S checks the valdty of If s not vald, S 3

4 reects the regstraton Otherwse, S computes N, h( x ) L RPW, where N equals 0 f s a new user, otherwse N equals At last, S delvers the smart card contanng L y to 3) pon recevng the smart card, stores r n the smart card completes the regstraton whenever Logn phase In ths phase, the user wants to access some resources upon S sends a logn request message to the server S ) nserts hs smart card nto a smart card reader then nputs hs PW 2) s smart card generates a rom number d computes RPW h( r PW ), L RPW, c h( ), A h( y d) where s the current tme stamp 3) s smart card sends the message M { A,, d, c} to the server S Verfcaton phase In ths phase, the server S verfes the authentcty of the logn message requested by the user ) pon recevng the message M, S checks the freshness of he freshness of s checked by performng, where s the tme when S receves the above message s a vald tme nterval If s not fresh, S aborts the current sesson 2) S computes A h( y d) checks the valdty of If s not vald, S stops the sesson 3) S computes N, h( x ) c h( ) S checks f c equals c If c does not equal c, S stops the sesson Otherwse s authentcated S computes c 2 h( c S) the sesson key SK h( c2 ) At last, S sends 4

5 the message M 2 { c2, S } to s smart card 4) pon recevng the message, s smart card checks the freshness of S he freshness of S s checked by performng S, where s the tme when s smart card receves the above message s a vald tme nterval 5) s smart card computes c 2 h( c S ) checks f c equals c If c does not equal c, s smart card stops the sesson Otherwse, S s authentcated smart card computes the sesson key SK h( c2 ) Password change phase In ths phase, the user he/she wants s changes hs/her password any tme ) nserts hs/her smart card nto a smart card reader then nputs hs/her, PW the new password PW 2) s smart card computes RPW h( r PW ), L RPW checks f equals If does not equal, s smart card reect the phase 3) s smart card computes L RPW h( r PW ) replaces the value L 3 Weaknesses of Khan et al s scheme 3 Inablty to anonymty Khan et al clamed that ther scheme can protect the anonymty of the user However, we show that the dentty of the target user may be guessed by another user who s an nsder wth hs or her own password smart card Our attack s based on the observaton that A s the XOR-ed value of a dgest of other secret components he problem s that the secret components are commonly shared among all the users o be more precse, the attack can 5

6 be mplemented as follows: ) he attacker (say, user ) eavesdrops the vctm s (say, user s) authentcaton sesson from whch A, d can be extracted 2) he attacker computes hs own A wth are the captured sesson, PW, d, where d 3) A h( y d) can be prepared because PW are the attacker s password, respectvely 4) Now the attacker can get by computng A A In the followng, why ths attack works s demonstrated can control hs smart card completely, certanly he can also control the value of the rom number d, then he lets ther value be d separately, computes A h( y d ) A A ( h( y d )) ( h( y d )) In fact, f the adversary can get any legal user s smart card, then he can carry out the attack he adversary can obtan the secret nformaton y stored n the stolen smart card by montorng the power consumpton [20] or by analyzng the leaked nformaton [2], then he can compute A h( y d ) h( y d ) h( y d ) 6

7 32 he sesson-key problem As noted by Blake-Wlson et al [22], a number of securty propertes of key agreement have been proposed the propertes have been used to analyze the securty of key agreement he propertes nclude known-key secrecy, unknown key-share reslence, no key control, key-compromse mpersonaton reslence perfect forward secrecy Forward secrecy requres that, f long-term prvate keys of one or more enttes are compromsed, the secrecy of prevous sesson keys establshed by honest enttes can be unaffected When analyzng the forward secrecy, Khan et al clamed even f the server s secret keys x y happens to be compromsed, an adversary cannot mpersonate legtmate users by usng the revealed keys, concluded ther scheme can preserve the forward secrecy of secret keys x y hey made a mstake n understng the mean of forward secrecy In fact, ther scheme can t provde the forward secrecy Once the adversary get the value x, y some cphertext translated c between the user the server, he can compute the sesson key through the followng method ) he attacker gets the value usng the method descrbed above let 2) he attacker computes h( x ), where equals N 3) he attacker computes the sesson key SK h( c2 ) N be zero 4) he attacker gets the plantext m by decryptng c usng the sesson key S K If m s meanngful, the attacker get the correct sesson key Otherwse, he lets N ncrement by one repeats steps 2), 3) 4) untl get the correct sesson key From the above descrpton, we can conclude the attacker can get the correct sesson by testng the possble value N hen the search space s N, where N s the set of possble N 7

8 represents the cardnalty of a set In fact, even though the attacker can t get the value, he can guess the value to carry out the attack, the search space s N, where s the set of possble s, Note that generally N are not very bg, unlke a space for cryptographc key 33 Ineffcency of the double secret keys We can see that the scheme of Khan et al requres S to keep two keys secret, e, the secret key x y In common sense, t s possble to acheve the user authentcaton key agreement servce by usng only one secret key herefore, two secret keys mean more overheads wthout the securty enhancement for the whole authentcaton system 34 Other drawbacks In the step 2) of password change phase n Khan et al s scheme, the smart card checks f equals But, n the regstraton phase, s not stored n the smart card We thnk Khan et al s may make a mstake when desgn the regstraton phase the password change phase We demonstrate the drawbacks as follows s not stored n the smart card If s not stored n the smart card, then the step 2) of password change phase n Khan et al s scheme must be canceled, then Khan et al s scheme s vulnerable to the Denal-of-servce (DoS) attack In password authentcaton, DoS attack can cause permanent error on authentcaton by ntroducng unexpected data durng the procedures of authentcaton he most vulnerable procedure s the password changng phase snce t usually refreshes the data n storage If an 8

9 attacker can modfy the password, or tamper the message contanng password wth vald data format, the updated password or ts related verfcaton data wll then be dfferent from what the user expects he user can never pass the subsequent authentcaton thereby In Khan et al s scheme, the password changng phase s performed on the user termnal wth smart cards, e, the user can change hs password wthout communcatng wth the server [9] hs enhances the securty of password changng as no senstve message needs to be transmtted over the nsecure network Meanwhle, t releves the overhead of the/a server However, due to the drawbacks of desgn, t s stll possble to load a DoS attack on password changng n ther scheme Suppose an attacker temporarly gets access to the user s smart card, he then nserts the card n a termnal devce performs the followng operatons He romly selects two dfferent passwords PW PW as the old the new password, respectvely hen he sends a changng password request to the smart card Snce s not stored n the smart card, then the smart card wll not check f equals, t ust computes RPW h( r PW ), L RPW h( r PW ) replaces the value L From then on, the logn phase, can never pass the server s password authentcaton hs s because n cannot verfy the legal server n the second step Moreover, he cannot be verfed by the server n the last step of authentcaton phase s stored n the smart card If s not stored n the smart card, then the step 2) of password change phase n Khan et al s scheme must be canceled, then Khan et al s scheme s vulnerable to the password guessng attack In Khan et al s scheme r,, L are stored n the smart card after regstraton It s easy 9

10 to say that there s the followng relaton between r,, L about PW L h( r PW)) hen the adversary can carry out the off-lne password guessng attack usng the relaton he detaled descrpton of the attack s as follows he adversary can obtan the secret nformaton r,, L stored n the stolen smart card by montorng the power consumpton [20] or by analyzng the leaked nformaton [2] hen he can carry out the password guess attack usng r,, L ) he adversary selects a password PW s from a unformly dstrbuted dctonary 2) he adversary computes L h( r PW )) 3) A then verfes the correctness of PW s by checkng f s equal to 4) A repeats steps, 2, 3 of ths phase untl the correct password s found 4 Concluson Smart card-based user authentcaton technology has been wdely deployed n varous knds of applcatons, such as remote host logn, wthdrawals from automated cash dspensers, physcal entry to restrcted areas In [9], Khan et al proposed a password authentcaton scheme usng smart cards demonstrated ts mmunty aganst varous attacks However, by revewng of ther scheme analyzng ts securty, four knds of weakness, e, ) nablty to protect the user s anonymty; 2) the sesson-key problem; 3) neffcency of the double secret keys; 4) other drawbacks are presented n dfferent scenaros he analyses show that the scheme s nsecure for practcal applcaton 0

11 Reference [] L Lamport, Password authentcaton wth nsecure communcaton, Communcatons of the ACM 24 () (98) [2] MS Hwang, LH L, A new remote user authentcaton scheme usng smart cards, IEEE ransactons on Consumer Electroncs 46 () (2000) [3] WH Yang, SP Sheh, password authentcaton schemes wth smart cards, Computers & Securty 8 (8) (999) [4] HM Sun, An effcent remote user authentcaton scheme usng smart cards, IEEE ransactons on Consumer Electroncs 46 (4) (2000) [5] CC Lee, MS Hwang, WP Yang, A flexble remote user authentcaton scheme usng smart cards, ACM Operatng Systems Revew 36 (3) (2002) [6] Shen, CW Ln, MS Hwang, A modfed remote user authentcaton scheme usng smart cards, IEEE ransactons on Consumer Electroncs 49 (2) (2003) [7] M Kumar, New remote user authentcaton scheme usng smart cards, IEEE ransactons on Consumer Electroncs 50 (2) (2004) [8] WC Ku, S Chang, MH Chang, Further cryptanalyss of fngerprnt-based remote user authentcaton scheme usng smartcards, IEE Electroncs Letters 4 (5) (2005) [9] MK Khan, Zhang, Improvng the securty of a flexble bometrcs remote user authentcaton scheme, Computer Stards & Interfaces 29 (2007) [0] SK Km, MG Chung, More secure remote user authentcaton scheme, Computer Communcatons 32 (2009) [] H Yang, CC Chang, An -based remote mutual authentcaton wth key agreement

12 scheme for moble devces on ellptc curve cryptosystem, Computers & Securty 28 (2009) [2] ML Das, A Saxena, VP Gulat, A dynamc -based remote user authentcaton scheme, IEEE ransactons on Consumer Electroncs 50 (2) (2004) [3] AK Awasht, Comment on a dynamc -based remote user authentcaton scheme, ransactons on Cryptology l (2) (2004) 5 6 [4] HY Chen, CH Chen, A remote authentcaton scheme preservng user anonymty, n: Internatonal Conference on AINA 05, vol 2, 2005, p 2005 [5] WC Ku, S Chang, Impersonaton attack on a dynamc -based remote user uthentcaton scheme usng smart cards, IEICE ransactons on Communcaton E88-B (5) (2005) [6] I Lao, CC Lee, MS Hwang, Securty enhancement for a dynamc -based remote user authentcaton scheme, n: Proceedngs of the Natonal Conference on Next Generaton Web Servces Practces, 2005, p 4 [7] M Msbahuddn, CS Bndu, Cryptanalyss of Lao Lee Hwang s dynamc scheme, Internatonal ournal of Network Securty 6 (2008) 2 23 [8] YY Wang, Y Ku, FX Xao, Dan, A more effcent secure dynamc -based remote user authentcaton scheme, Computer Communcatons 32 (2009) [9] MK Khan et al, Cryptanalyss securty enhancement of a more effcent & secure dynamc -based remote user authentcaton scheme, Computer Communcatons (200), do:006/comcom [20] P Kocher, affe, B un, Dfferental power analyss, Proc Advances n Cryptology 2

13 (CRYPO'99), 999, pp [2] S Messerges, EA Dabbsh, RH Sloan, Examnng smart-card securty under the threat of power analyss attacks, IEEE ransactons on Computers 5 (5) (2002) [22] Blake-Wlson S, ohnson D, Menezes A Key agreement protocols ther securty analyss In Proc the Sxth IMA Internatonal Conference on Cryptography Codng, Crencester, K, LNCS 355, Sprnger-Verlag, 997, pp