Two-Factor User Authentication in Multi-Server Networks

Transcription

1 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 Two-Factor ser Authentcaton n Mult-erver Networks Chun-Ta L, Ch-Yao Weng,* and Chun-I Fan Department of Informaton Management, Tanan nversty of Technology 59 Zhongzheng Road, Tanan Cty 700, TAIWAN (R.O.C.) th0040@mal.tut.edu.tw Department of Computer cence and Engneerng, Natonal un Yat-sen nversty 70 Lenha Road, Kaohsung Cty 8044, TAIWAN (R.O.C.) * Correspondng author: cyweng@mal.cse.nsysu.edu.tw Abstract Recently, Chang and Cheng proposed a robust mechansm for smart card based remote logns n a mult-server archtecture. However, based on the securty analyzes conducted by us, we fnd ther mechansm s vulnerable aganst smart card lost problems, leak-of-verfer attack and sesson key dsclosure attack. To elmnate all dentfed securty threats n ther mechansm, we further proposed an mproved verson of two-factor based user authentcaton protocol n mult-server networks. Keywords: Informaton securty; Key agreement; Mult-server archtecture; Password; mart card. Introducton In order to frustrate llegal users attempts of gettng the servceable resources mantaned n remote servers, two-factor (password and smart card) user authentcaton s the wdely accepted and most adopted method n clent-server archtecture [5, 6, 7, 8]. However, n tradtonal remote logn mechansms for a mult-server archtecture [], [9], a user needs to regster wth dfferent servce provders and remember the varous denttes and passwords for ensurng hgher securty. Therefore, sngle regstraton s the most mportant feature n a mult-server archtecture and any user can take desred servces from varous network servers wthout repeatng regstraton to each servce provder. Password authentcaton wth smart card s one of the mechansms that were wdely used to authentcate the valdty of partcpants between a logn user, the servce provders and a trusted regstraton center. In 00, L, Ln and Hwang proposed an authentcaton scheme [4] usng neural networks and asymmetrc key cryptosystems. In 004, Juang proposed an effcent and smart card based mult-server authentcaton scheme [3] for enhancng the system performance. In 008, Tsa proposed a mult-server authentcaton scheme [] based on one-way hash functon wthout verfcaton table. In 0, Chang and Cheng developed a more robust and effcent smart card based remote logn mechansm [] n whch only lghtweght one-way hash functon and exclusve OR operaton are requred durng mult-server authentcaton processes. nfortunately, based on the securty analyses conducted by us, Chang-Chengs logn mechansm s stll vulnerable aganst the smart card lost problems, leak-of-verfer attack and sesson key dsclosure attack. In ths paper, we wll demonstrate a seres of steps to show how the above-mentoned attacks can be nvoked on ther mechansm n the presence of a malcous adversary. 6

2 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0. Revew of Chang-Cheng s Mechansm Chang-Chengs mechansm conssts of one trusted regstraton center (RC), servce provders (P j ) and logn users ( ). RC s responsble for regstraton of P j and. When P j regster wth RC use dentfer ID j, RC computes a secret key KR j = H(ID j k) and shares t wth P j, where s the strng concatenaton symbol, k s the prvate key of RC and H(.) s a prvate one-way hash functon only known by RC... Regstraton Phase When a user wants to get the servce granted n ths system, must perform regstraton wth RC. Frst, chooses hs/her dentfer d and password pw and sends the regstraton message {d, pw, Personal Informaton} to RC through a secure channel. Then, RC checks s personal nformaton and credt. If above does not hold, RC rejects s regstraton; otherwse, RC computes a transformed dentfer TID = T d as s account number and saves t n the database, where T s the regstraton tme. The mechansm concatenates T wth d can prevent the duplcaton of account numbers and can freely select hs/her own d and pw. In addton, RC computes TPW = h(pw ) and = H(TID k) pw, stores (TID, h(.), TPW ) nto s smart card and ssues ths smart card to, where s the exclusve-or symbol and h(.) s a publc one-way hash functon... Logn Phase In ths phase, we assume that wants to log n the server P j and asks a servce from P j. * nserts hs/her smart card to a nput devce and enters password pw. Then the smart card performs the flowng steps: * * tep : The smart card computes h( pw ) and checks whether h( pw ) = TPW. If t does not hold, the smart card stops the logn procedure; otherwse, t goes to tep. tep : The smart card computes = h( pw * N ID j ) and sends the logn message {TID, N } to P j, where N s a nonce chosen by s smart card. tep 3: pon recevng the logn message from, P j computes = h(kr j N ) and sends {TID, N, ID j, N } to RC, where N s a nonce chosen by P j..3. Authentcaton and Key Agreement Phase pon recevng the message from P j, RC, P j and perform the followng steps to acheve mutual authentcaton and construct a common sesson key shared between and P j. tep : RC checks the freshness of N and N and the valdty of s account number TID. If they does not hold, RC rejects ths logn; otherwse, t goes to tep. tep : RC checks whether h(h(tid k) N ID j ) = and h(h(id j k) N ) =. If ether one does not hold, RC rejects ths connecton; otherwse, RC convnces that and P j are legal partcpants and goes to tep 3. tep 3: RC chooses a random number ran and computes =h(h(id j k) N R ), h(h(tid k) N R ) =h(h(id j k)) (ran h(h(tid k))) and (h(h(id j k)) ran), where N R s a nonce chosen by RC. Fnally RC sends { } to P j. = =h(h(tid k)), N R,, 6

3 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 tep 4: pon recevng the message from RC, P j checks the freshness of N R. If t s nvald, P j termnates the connecton; otherwse, t goes to tep 5. tep 5: P j checks whether h(kb j N R ) =. If t holds, t goes to tep 6; otherwse, P j stops the procedure. tep 6: P j computes s = h(kr j ) and K = h((h(kr j ) s) N N N R ) and sends {, N R } to, where K s the common sesson key shared between P j and. tep 7: pon recevng the response message from P j, the smart card checks the freshness of N R and verfes whether h( pw N R ) =. If they are nvald, then authentcaton fals; * otherwse, convnces that P j s a legal partcpant and computes u = h( pw * ) and the common sesson key K = h((u h( pw * )) N N N R ). 3. Attacks on Chang-Cheng s Mechansm Although Chang and Cheng clamed that ther mechansm can resst many types of attacks and satsfy all the essental requrements for mult-server archtecture authentcaton. However, the actual stuaton s not the case and the cryptanalyss of Chang-Chengs mechansm has been made n ths secton. The detaled cryptanalyss s presented as follows. 3.. mart Card Lost Problems In ths attack, we assume that s smart card s stolen by an adversary a and the secret nformaton (TID, h(.), TPW ) whch s stored n the smart card can be extracted by montorng ts power consumpton [0]. Off-lne password guessng attack: As we know, the content of the smart card s (TID = T d ; h(.); TPW =h(pw ); = H(TID k) pw ). Wth ths nformaton, a can select a guessable password pw and compute h( pw ). If h( pw ) s equal to TPW, t ndcates the correct guess of s low-entropy password and Chang-Chengs mechansm cannot wthstand off-lne password guessng attack. Impersonaton attack: Once the adversary a got the secret nformaton (TID, h(.), TPW, ) and correctly derved s password pw, he/se can make a vald logn request wth ease. For example, a computes = h( pw N A ID j ) and makes a vald logn message to mpersonate by sendng {TID, N A } to the servce provder P j, where N A s a nonce chosen by a. 3.. Leak-of-Verfer Attack In Chang-Chengs mechansm, we found that ther mechansm may suffer from leak-ofverfer attack and any legtmate user who possesses the smart card can easly derve servce provder P j s secret h(h(id j k)) by performng the followng steps: tep : In tep 7 of authentcaton and key agreement phase, receves the response message {, N R } from P j. tep : Then, computes u = h( pw * )= h(h(id j k)) ran and removes ran from h(h(id j k)) ran. Fnally, derves P j s secret h(h(id j k)). 63

4 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, esson Key Dsclosure Attack In case of P j s secret h(h(id j k)) s successfully derved by a, a can use t to derve the prevous and subsequent sesson keys whch are constructed by other users and P j. We assume that some vctm user s logn message {TID, N A }, P j s authentcaton message {TID, N, ID j, N } and RCs response message {, N R } are collected by a. Then, the sesson key dsclosure attack can be launched by performng the followng steps: tep : a eavesdrops above-mentoned messages and obtans three nonces N, N, and N R from, P j, and RC, respectvely. tep : a uses P j s secret h(h(id j k)) to derve s by computng s = h(h(id j k)) = ran h(h(tid k)). tep 3: a derves the sesson keys of past and future sessons by computng K = h((h(h(id j k)) s) N N N R ). 4. The Proposed Protocol Accordng to our cryptanalyss, we proposed a more secure remote logn protocol to remove the securty weaknesses exstng n Chang-Chengs mechansm. 4.. Regstraton Phase When a user wants to get the servce granted n ths system, must perform regstraton wth RC as follows. tep : chooses hs/her dentfer d and password pw and generates a random number b. Then, computes h((d pw ) b) and sends the regstraton message {d, h((d pw ) b), Personal Informaton} to RC through a secure channel. tep : pon recevng the regstraton message from, RC checks s personal nformaton and credt. If above does not hold, RC rejects s regstraton; otherwse, t goes to tep 3. tep 3: RC computes a transformed dentfer TID = T d as s account number and saves t n the database, where T s the regstraton tme of. tep 4: RC computes = H(TID k) h((d pw ) b) and stores (, h(tid ), h(.), T ) nto s smart card and ssues ths smart card to. tep 5: pon recevng the smart card, stores the random number b nto the smart card and does not need to remember b after fnshng the phase. 4.. Logn Phase In case of wants to log n the server P j and asks a servce from P j, nserts hs/her smart card to a nput devce and enters dentfer d, password pw, and ID j. Then the smart card performs the flowng steps: tep : The smart card retreves T and b to compute TID = T d and h((d pw ) b), respectvely. Then, the smart card checks whether h( TID ) =h(tid ). If t does not hold, the smart card termnates ths logn; otherwse, the smart card generates a nonce N and sends the logn message {TID } to P j, where = h((d pw ) b) N and = h((tid ID j ) N ). 64

5 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 tep : pon recevng the logn message from, P j computes = KR j N and sends {TID, ID j } to RC, where N s a nonce chosen by P j and = h((id j TID ) N ) Authentcaton and Key Agreement Phase pon recevng the message from P j, RC, P j and perform the followng steps to acheve mutual authentcaton and construct a common sesson key shared between and P j. tep : RC checks the valdty of s account number TID and P j s dentfer ID j. If they does not hold, RC rejects ths logn; otherwse, t goes to tep. tep : RC computes N = H(TID k) and checks the freshness of N and the valdty of h((tid ID j ) N )=. If ether one does not hold, RC rejects ths connecton; otherwse, RC convnces that s a legal user and goes to tep 3. tep 3: RC computes N = H(ID j k) and checks the freshness of N and the valdty of h((id j TID ) N ) =. If ether one does not hold, RC rejects ths connecton; otherwse, RC convnces that P j s a legal servce provder and goes to tep 4. tep 4: RC computes = h( N ) N N R = h(h(tid k) K) = h( N ) N N R and = h(h(id j k) K), where N R s a nonce chosen by RC and K s a common sesson key whch s constructed by computng K = h( N N N R ). Fnally RC sends {, } to P j. tep 5: pon recevng the message from RC, P j computes " = h(n )and K = h( " N ) and checks whether h(h(id j k) K ) =. If t s nvald, P j termnates the connecton; otherwse, P j convnces that RC and are legal partcpants and sends { } to. Note that K = K s the common sesson key shared between P j, and RC. tep 6: pon recevng the response message from P j, the smart card computes " = h(n ) and K = h( " N ) and checks whether h(h(tid k) K )=. If t s nvald, termnates the connecton; otherwse, convnces that RC and P j are legal partcpants and K = K = K s the common sesson key shared between, P j and RC. 5. ecurty Analyss Here we manly dscussed and analyzed the securty of the proposed protocol on varous known cryptographc attacks and demonstrated ts strength n terms of securty. Off-lne password guessng attack: In case of s smart card s stolen by an adversary a and he/she has the ablty to obtan the contents of the smart card (, h(tid ), h(.), T, b). It does not help a to derve or modfy s password wthout knowng s dentty d and password pw. In addton, from the proposed protocol, we can see that the logn messages {TID } and {TID, ID j } only contan nformaton about H(TID k), H(ID j k), N and N. They do not nclude any nformaton about the password. Therefore, ths desgn of the proposed protocol can protect the system aganst off-lne password guessng attack. 65

6 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 Impersonaton attack: The proposed protocol must protect the system aganst mpersonaton attacks on both the user, servce provder and the regstraton center sde. Frst, on the user and servce provder sde, t s dffcult for a to create correct and wthout the users secret token H(TID k) and the servce provders secret token H(ID j k). Moreover, t s dffcult for a to get the regstraton centers secret key k. On the regstraton center sde, a cannot derve the random nonces N and N wthout H(TID k) and H(ID j k), whch means a cannot compute the correct hash values h(n ) and h(n ) n order to mpersonate the regstraton center. Leak-of-verfer attack: In our proposed protocol, a regstered user may try to obtan the secret token H(TID k) from hs/her smart card by extractng and b and computng H(TID k) = h((d pw ) b). However, t does not help to obtan P j s secret token H(ID j k) and nonce N from the logn parameters and due to the protecton of oneway hash functon and the securty of large nonce (e.g., bgger than 56 bts). On the other hand, the random nonce N R s known to only regstraton center RC and t s masked by =h(n ) N N R and = h(n ) N N R. Therefore, and P j cannot derve N R from and wthout knowng P j s N and s N, respectvely. esson key dsclosure attack: After the successful user authentcaton, the user, the servce provder and the regstraton center computes the common sesson key K= h(n N N R ) and an adversary a may try to derve K to damage the later communcatons between them. However, n tep 4 of authentcaton and key agreement phase, a cannot obtans N N R and N N R wthout knowng h(n ) and h(n ), respectvely. As a result, a cannot get success n the proposed protocol by sesson key dsclosure attack. 6. Conclusons In ths paper, we showed that Chang and Chengs two-factor based mult-server authentcaton protocol s nsecure. To offset these securty weaknesses found n Chang- Chengs protocol, we have proposed an mproved verson of two-factor based mult-server authentcaton protocol. ecurty analyss shows that our proposed protocol s reslent to varous attacks and acheves mutual authentcaton and sesson key agreement. References [] C. C. Chang and T. F. Cheng, A robust and effcent smart card based remote logn mechansm for multserver archtecture, Internatonal Journal of Innovatve Computng, Informaton and Control, 7(8), (0), pp [] H. C. Hsang and W. K. hh, Improvement of the secure dynamc ID based remote user authentcaton scheme for mult-server envronment, Computer tandards & Interfaces, 3(6), (009), pp [3] W. Juang, Effcent mult-server password authentcated key agreement usng smart cards, IEEE Transactons on Consumer Electroncs, 50(), (004), pp [4] L. H. L, I. C. Ln and M.. Hwang, A remote password authentcaton scheme for mult-server archtecture usng neural networks, IEEE Transactons on Neural Network, (6), (00), pp [5] C. T. L and C. C. Lee, A robust remote user authentcaton scheme usng smart card, Informaton Technology and Control, 40(3), (0), pp [6] C. T. L and C. C. Lee, A novel user authentcaton and prvacy preservng scheme wth smart cards for wreless communcatons, Mathematcal and Computer Modellng, 55(-), (0), pp [7] C. T. L and M.. Hwang, A lghtweght anonymous routng protocol wthout publc key en/decryptons for wreless ad hoc networks, Informaton cences, 8(3), (0), pp

7 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 [8] C. T. L, C. C. Yang and M.. Hwang, A secure routng protocol wth node selfshness resstance n MANETs, Internatonal Journal of Moble Communcatons, 0(), (0), pp [9] X. L, Y. Xong, J. Ma and W. Wang, An effcent and securty dynamc dentty based authentcaton protocol for mult-server archtecture usng smart cards, Journal of Network and Computer Applcatons, 35(), (0), pp [0] T.. Messerges, E. A. Dabbsh and R.H. loan, Examnng smart-card securty under the threat of power analyss attacks, IEEE Transactons on Computers, 5(5), (00), pp [] J. L. Tsa, Effcent mult-server authentcaton scheme based on one-way hash functon wthout verfcaton table, Computers & ecurty, 7(3-4), (008), pp

8 Internatonal Journal of ecurty and Its Applcatons Vol. 6, No., Aprl, 0 68