Efficient password authenticated key agreement using bilinear pairings


Wen-Shenq Juang, Wei-Ken Nien

Department of Information Management, Shih Hsin University, No. 1, Lane 17, Section 1, Mu-Cha Road, Taipei 11604, Taiwan

Mathematical and Computer Modelling ( )

Received 19 June 2006; received in revised form 10 August 2007; accepted 21 August 2007

Corresponding author. E-mail address: wsjuang@cc.shu.edu.tw (W.-S. Juang)

Abstract

For providing a secure distributed computer environment, efficient and flexible user authentication and key agreement is very important. In addition to user authentication and key agreement, identity privacy is very useful for users. In this paper, we propose an efficient and flexible password authenticated key agreement scheme using bilinear pairings. The main merits include: (1) there is no need for any password or verification table in the server; (2) users can choose or change their own passwords freely; (3) both the server and a user can authenticate each other; (4) it can protect the user's privacy; (5) the user and the server can generate a session key; (6) it does not have a serious synchronization-clock problem; (7) even if the secret information stored in a smart card is compromised, it can prevent the offline dictionary attack.

© 2007 Elsevier Ltd. All rights reserved.

Keywords: User authentication; Session key agreement; Identity protection; Bilinear pairings; Smart cards

1. Introduction

In order to authenticate users, password-based security techniques have been widely used in many remote login systems because they are easily implemented. In 1981, Lamport [1] proposed a password authentication scheme to realize user authentication. Later, Shimizu [2] pointed out the weakness of Lamport's scheme [1] and proposed a modified scheme. Then, many improved remote user authentication schemes [3-10] have been proposed.

In 2006, Das et al. [11] proposed a remote user authentication scheme using bilinear pairings. They claimed that their proposed scheme using smart cards can prevent many logged-in users with the same login-id, and lets users change their passwords without the support of the server. In addition, they claimed that their proposed scheme is secure against the replay attack, the forgery attack and the insider attack. In [12], Chou et al. pointed out a replay attack for Das et al.'s scheme and gave a simple improvement to fix this weakness. Also, in [13], Goriparthi et al. pointed out that Das et al.'s scheme will suffer the replay attack and the forgery attack. We find that Das et al.'s scheme is easily vulnerable to another replay attack. This replay attack can also be applied to the improvement scheme mentioned in [12]. We also find that Das et al.'s scheme is vulnerable to the offline dictionary attack with or without a smart card. Also, their proposed scheme lacks many nice properties, such as identity protection, mutual authentication, and session key agreement.

In this paper, we use bilinear pairings to propose an efficient and flexible password authenticated key agreement scheme. Our proposed scheme can provide many nice properties, such as identity protection, session key agreement, no synchronization-clock problem, mutual authentication, and revoking a smart card without changing the user's identity.

This paper is organized as follows. In Section 2, we review Das et al.'s scheme. In Section 3, we point out the security weaknesses of Das et al.'s scheme. In Section 4, we describe our proposed scheme. In Section 5, we analyze the security of our scheme. In Section 6, we compare our proposed scheme with the related schemes. Finally, we make a conclusion in Section 7.

2. Review of Das et al.'s scheme

A remote authentication scheme using bilinear pairings was proposed by Das et al. [11]. Their method consists of four phases: (1) the setup phase, (2) the registration phase, (3) the authentication phase, and (4) the password changing phase. In the setup phase, the server first sets up the system parameters and publishes the public information. In the registration phase, a user gives his identity information to the server for registration. In the authentication phase, a user uses his smart card to send a login request message to the server and, if the submitted request message is valid, the server will accept it. In the password changing phase, the user can change his password.

2.1. The setup phase

Let $G_1$ be an additive cyclic group of a prime order $q$, and $G_2$ be a multiplicative cyclic group of the same order. Let $P$ be a generator of $G_1$, $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear mapping and $H: \{0,1\}^* \to G_1$ be a cryptographic one-way hash function which maps a string to a point of the additive cyclic group $G_1$ [11,12]. The server chooses a secret key $s$ and computes the corresponding public key $Pub_{RS} = s \cdot P$. The server publishes the system parameters $G_1, G_2, \hat{e}, q, P, Pub_{RS}, H$ and keeps $s$ secret.

2.2. The registration phase

Assume that user $i$ submits his identity $ID_i$ and his password $PW_i$ to the server for registration. If the server accepts this request, he will perform the following steps:

Step R1: Compute $Reg_{ID_i} = s \cdot H(ID_i) + H(PW_i)$.
Step R2: Store $(ID_i, Reg_{ID_i}, H)$ to the memory of a smart card and issue this smart card to user $i$.

2.3. The authentication phase

If user $i$ wants to log into the server, he must insert his smart card into a card reader. Then, he inputs his identity $ID_i$ and the password $PW_i$ to this device. The smart card then performs the following steps:

Step L1: Compute $DID_i = T \cdot Reg_{ID_i}$, where $T$ is the user system's timestamp.
Step L2: Compute $V_i = T \cdot H(PW_i)$.
Step L3: Send the message $(ID_i, DID_i, V_i, T)$ to the server.

Assume that the server receives the login message $(ID_i, DID_i, V_i, T)$ at time $T^*$ ($\geq T$). The server authenticates the user with the following steps:

Step V1: The server verifies if the time difference between $T^*$ and $T$ is less than the maximum transmission latency $\Delta T$. If no, he rejects the request.
Step V2: The server verifies if $\hat{e}(DID_i - V_i, P) = \hat{e}(H(ID_i), Pub_{RS})^{T}$. If no, the server rejects the request. Otherwise, the server accepts the user's request.

2.4. The password changing phase

When the user needs to change his password, he can perform the following steps:

Step P1: The user inserts the smart card into a card reader and inputs his $ID_i$ and $PW_i$.
Step P2: The user inputs a new password $PW_i'$.
Step P3: The smart card computes $Reg_{ID_i}' = Reg_{ID_i} - H(PW_i) + H(PW_i') = s \cdot H(ID_i) + H(PW_i')$.

3. Weaknesses of Das et al.'s scheme

3.1. Suffering the replay attack

In the replay attack [12-15], an adversary can deceive or impersonate another eligible user through the reuse of information obtained in a previous session. In Das et al.'s authentication scheme, if an adversary can tap the used message $(ID_i, DID_i, V_i, T)$ sent by an eligible user to the server in Step L3 of the authentication phase, he can use this information to generate a valid request message for impersonating eligible user $i$ with the identification $ID_i$. We now show how to use this information in the replay attack.

If an adversary can get the message $(ID_i, DID_i, V_i, T)$ sent to the server in the previous login request, he can forge another valid message $(ID_i, DID_i', V_i', T')$ to impersonate user $i$ via the following steps:

The login phase:

Step 1: Get the current timestamp $T'$, and compute $c = T'/T = T' \cdot T^{-1} \pmod{q}$, $DID_i' = c \cdot DID_i$, and $V_i' = c \cdot V_i$.
Step 2: Send the message $(ID_i, DID_i', V_i', T')$ to the server.

The authentication phase: Upon receiving the message $(ID_i, DID_i', V_i', T')$ at the time $T^*$, the server authenticates the user with the following steps:

Step 1: The server checks if the time difference between $T^*$ and $T'$ is less than the maximum transmission latency. Since $T'$ is the current timestamp of the user system, the server will not reject this request.
Step 2: The server verifies if $\hat{e}(DID_i' - V_i', P) = \hat{e}(H(ID_i), Pub_{RS})^{T'}$. Since

$$\hat{e}(DID_i' - V_i', P) = \hat{e}(c \cdot DID_i - c \cdot V_i, P) = \hat{e}(c \cdot T \cdot Reg_{ID_i} - c \cdot V_i, P)$$
$$= \hat{e}(c \cdot T \cdot (s \cdot H(ID_i) + H(PW_i)) - c \cdot (T \cdot H(PW_i)), P) = \hat{e}(s \cdot H(ID_i), P)^{cT}$$
$$= \hat{e}(H(ID_i), Pub_{RS})^{cT} = \hat{e}(H(ID_i), Pub_{RS})^{T'},$$

the server will accept the adversary's request.

In [12], Chou et al. pointed out a replay attack for Das et al.'s scheme and gave a simple improvement to fix this weakness. Their improvement just modifies the verification equation $\hat{e}(DID_i - V_i, P) = \hat{e}(H(ID_i), Pub_{RS})^{T}$ to $\hat{e}(DID_i, P) = \hat{e}(T \cdot s \cdot H(ID_i) + V_i, P)$. This improvement cannot prevent the replay attack mentioned in this paper. The reason is as follows. After receiving the message $(ID_i, DID_i', V_i', T')$ at the time $T^*$, the server first checks whether the time difference $(T^* - T')$ is less than the maximum transmission latency and then verifies if $\hat{e}(DID_i', P) = \hat{e}(T' \cdot s \cdot H(ID_i) + V_i', P)$. Since

$$\hat{e}(DID_i', P) = \hat{e}(c \cdot DID_i, P) = \hat{e}(c \cdot T \cdot Reg_{ID_i}, P) = \hat{e}(c \cdot T \cdot (s \cdot H(ID_i) + H(PW_i)), P)$$
$$= \hat{e}(c \cdot T \cdot s \cdot H(ID_i) + (c \cdot T \cdot H(PW_i)), P) = \hat{e}(T' \cdot s \cdot H(ID_i) + c \cdot V_i, P) = \hat{e}(T' \cdot s \cdot H(ID_i) + V_i', P),$$

the server will accept the adversary's request. So the improvement scheme in [12] cannot prevent the replay attack proposed in this paper.

3.2. Suffering the offline dictionary attack with or without the smart card

In Das et al.'s authentication scheme [11], if a malicious person taps the message $(ID_i, DID_i, V_i = T \cdot H(PW_i), T)$ transmitted in Step L3 of the authentication phase, he can use $(V_i = T \cdot H(PW_i), T)$ to do the offline dictionary attack for the weak password $PW_i$ since the entropy of $PW_i$ is small. Their scheme also suffers the offline dictionary attack with the smart card [3].

3.3. Suffering the insider attack

If the password of a user can be derived by the server in the registration protocol, it is called the insider attack [4]. In Das et al.'s scheme [11], the server can get all the users' passwords in the registration phase. The insider of the server can use these passwords to access other servers with the same passwords [5].

3.4. Poor repairability

In Das et al.'s authentication scheme [11], since the shared key $Reg_{ID_i} = s \cdot H(ID_i) + H(PW_i)$ depends on the user's identification, the repairability property is not enough [5,16].

4. Our proposed scheme

There are two entities in our scheme: a user's smart card and the server. The scheme consists of four phases: the setup phase, the registration phase, the login phase, and the password changing phase.
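
Returning to Section 3.1: the rescaled message passes because both verification equations are linear in $T$. The Python model below is an added example, not code from the paper or from Das et al.; it stores each point $xP$ of $G_1$ as the scalar $x$ and uses the toy map $\hat{e}(xP, yP) = g^{xy} \bmod p$, which keeps bilinearity but offers no security, and all parameters, the secret and the sample user are constructed.

```python
import hashlib

# Constructed toy parameters (NOT secure): q prime, p = 2q + 1 prime, g of order q.
Q, P_MOD, G = 1019, 2039, 4
S = 777                      # server secret s (constructed)
PUB_RS = S % Q               # Pub_RS = s*P, stored as the scalar s
GEN_P = 1                    # the generator P itself


def H(data: str) -> int:
    """Stand-in for the hash-to-G1 function H: the point x*P is stored as x."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q


def pairing(x: int, y: int) -> int:
    """Toy bilinear map e(xP, yP) = g^(xy) mod p."""
    return pow(G, (x * y) % Q, P_MOD)


def register(identity: str, password: str) -> int:
    """Step R1: Reg_ID = s*H(ID) + H(PW)."""
    return (S * H(identity) + H(password)) % Q


def login_message(identity, reg_id, password, t):
    """Steps L1-L3: (ID, DID = T*Reg_ID, V = T*H(PW), T)."""
    return identity, (t * reg_id) % Q, (t * H(password)) % Q, t


def fresh(t, now, max_delay):
    """Step V1: the timestamp must lie inside the transmission-latency window."""
    return 0 <= now - t < max_delay


def verify_das(msg, now, max_delay=30):
    """Step V2: e(DID - V, P) == e(H(ID), Pub_RS)^T."""
    identity, did, v, t = msg
    lhs = pairing((did - v) % Q, GEN_P)
    rhs = pow(pairing(H(identity), PUB_RS), t, P_MOD)
    return fresh(t, now, max_delay) and lhs == rhs


def verify_chou(msg, now, max_delay=30):
    """Modified check of [12]: e(DID, P) == e(T*s*H(ID) + V, P)."""
    identity, did, v, t = msg
    lhs = pairing(did, GEN_P)
    rhs = pairing((t * S * H(identity) + v) % Q, GEN_P)
    return fresh(t, now, max_delay) and lhs == rhs


def rescale(msg, new_t):
    """Section 3.1: multiply DID and V by c = T'/T mod q; no secret is used."""
    identity, did, v, t = msg
    c = (new_t * pow(t, -1, Q)) % Q
    return identity, (c * did) % Q, (c * v) % Q, new_t


def audit():
    """Run both verifiers against a fresh, a stale and a rescaled message."""
    reg = register("alice", "correct horse")          # constructed sample user
    captured = login_message("alice", reg, "correct horse", t=1000)
    later = 5000                                      # constructed later time
    rescaled = rescale(captured, later)
    return {
        "fresh_accepted": verify_das(captured, now=1001),
        "stale_replay_rejected": not verify_das(captured, now=later),
        "rescaled_accepted_das": verify_das(rescaled, now=later + 1),
        "rescaled_accepted_chou": verify_chou(rescaled, now=later + 1),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

The timestamp window stops a verbatim replay, but nothing in either equation binds $T$ to a value only the card could have produced, which is why the scheme in Section 4 replaces timestamps with nonces inside hashed authenticators.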

Table 1
Notations used in our proposed scheme

Symbol         Meaning
$G_1$          An additive cyclic group of a prime order $q$
$G_2$          A multiplicative cyclic group of the same prime order $q$
$P$            A generator of the group $G_1$
$\hat{e}$      A bilinear mapping, which maps two points in $G_1$ to a point in $G_2$
$H$            A cryptographic one-way hash function which maps a string to a point of the additive cyclic group $G_1$
$h$            A secure one-way hash function which maps a string to a 160-bit string
$E_x$          A secure symmetric encryption algorithm with the secret key $x$
$D_x$          A secure symmetric decryption algorithm with the secret key $x$
$\|$           The ordinary string concatenation operation
$ID_s$         The identification of the server
$ID_i$         The identification of user $i$
$b$            A 64-bit random number
$s$            A secret key chosen by the server
$PW_i$         A password chosen by the user

Let $G_1$ be an additive cyclic group of a prime order $q$, and $G_2$ be a multiplicative cyclic group of the same order. Let $P$ be a generator of $G_1$ and $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear mapping [11,12]. Let $H: \{0,1\}^* \to G_1$ be a cryptographic one-way hash function which maps a string to a point of the additive cyclic group $G_1$ [12,13]. Let $h(\cdot)$ be a secure one-way hash function [17]. Let $E_x(\cdot)/D_x(\cdot)$ be a secure symmetric encryption/decryption algorithm with the secret key $x$ [18], and $\|$ be the ordinary string concatenation operation. Let $ID_s$ be the identification of the server and $ID_i$ be the identification of user $i$. We summarize the notations in Table 1.

4.1. The setup phase

The server selects a secret key $s$ and computes the public key as $s \cdot P$. He also randomly chooses a master symmetric secret key $x$ and keeps it secret. Then the server publishes the public information $P_s = s \cdot P$, $P$ and keeps $s$, $x$ secret.

4.2. The registration phase

If user $i$ with the identity $ID_i$ would like to register with the server, she/he performs the following protocol with the server.

R1. The server verifies user $i$ through a secure identification scheme. If user $i$ is eligible, then user $i$ selects her/his password $PW_i$ and a random number $b$, computes $h(PW_i \| b)$, and sends $\{ID_i, h(PW_i \| b)\}$ to the server in a secure channel.
R2. The server encrypts the hashed password by computing $b_i = E_x(h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$.
R3. The server stores $b_i$ in a smart card and delivers it to user $i$ in a secure channel. The user keeps $PW_i$ and the smart card secret for future login processes.
R4. After user $i$ receives the smart card, he inputs $b$ into the smart card. The memory of the smart card contains $b_i$, $b$.

For each user, the registration phase is performed once. If the user loses his/her smart card, he/she can perform the registration protocol with the server again.

4.3. The login phase

Once user $i$ wants to log in to the server, she/he first inserts her/his smart card into a card reader and inputs his identity $ID_i$ and the password $PW_i$. The login protocol is shown in Fig. 1. The smart card and the server cooperate to perform the following operations.

L1. Choose a random number $a$ and compute $aP$.
L2. Compute $k_a = h(aP \| P_s \| Q \| \hat{e}(P_s, aQ))$, where $Q = H(ID_s)$.
L3. Use the secret key $k_a$ to encrypt $b_i$ as $\alpha = E_{k_a}(b_i)$.
L4. Send $\{aP, \alpha\}$ to the server over a public channel. Let the server receive the message $\{aP, \alpha\}$.

Fig. 1. The login phase of our proposed scheme.

L5. The server computes $k_a = h(aP \| P_s \| Q \| \hat{e}(aP, sQ))$, uses the private key $k_a$ to decrypt $\alpha$ via $b_i = D_{k_a}(\alpha)$ and decrypts $b_i$ via $D_x(b_i) = (h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$.
L6. The server chooses a random number $r$, computes $sk = h(k_a \| r \| ID_i \| ID_s)$, and $Auth_s = h(k_a \| h(PW_i \| b) \| r \| sk)$.
L7. The server sends $\{Auth_s, r\}$ to user $i$ over a public channel. Let user $i$ receive the message $\{Auth_s, r\}$ from the server.
L8. User $i$ computes $sk = h(k_a \| r \| ID_i \| ID_s)$ and $h(PW_i \| b)$. He then verifies if $Auth_s = h(k_a \| h(PW_i \| b) \| r \| sk)$. If no, the protocol stops. If yes, user $i$ computes $Auth_i = h(k_a \| h(PW_i \| b) \| r + 1 \| sk)$.
L9. User $i$ sends $Auth_i$ to the server over a public channel. Let the server receive the message $Auth_i$ from user $i$.
L10. The server then verifies if $Auth_i = h(k_a \| h(PW_i \| b) \| r + 1 \| sk)$. If no, the protocol stops. If yes, user $i$ is authenticated. Then the server and user $i$ can use the session key $sk$ in the subsequent secure communications.

4.4. The password changing phase

If user $i$ wants to change his password, he needs to agree on a session key with the server via the login phase in advance. Then he uses the session key $sk$ to encrypt the changing password message $\{ID_i, h(PW_i' \| b')\}$ and sends $E_{sk}(ID_i \| N \| h(PW_i' \| b') \| h(ID_i \| N \| h(PW_i' \| b')))$ to the server, where $N$ is a nonce for freshness checking. After receiving the message, the server decrypts the message and checks if the authentication tag $h(ID_i \| N \| h(PW_i' \| b'))$ is valid. If yes, he computes the new secret information $b_i' = E_x(h(PW_i' \| b') \| ID_i \| h(h(PW_i' \| b') \| ID_i))$ and sends $E_{sk}(b_i' \| h(ID_s \| N + 1 \| b_i'))$ to user $i$. User $i$ then decrypts the message and checks if the authentication tag $h(ID_s \| N + 1 \| b_i')$ is valid. If yes, user $i$ stores $b_i'$ and $b'$ in his smart card.

5. Security analysis

In this section, we examine the security of our proposed scheme.

(1) Preventing the insider attack

The insider of the server can use this password to impersonate the user to log in to another server. In our scheme, the user will choose a random number $b$ and generate $h(PW_i \| b)$. Then he sends $h(PW_i \| b)$ to the server for registration. The server cannot know the password $PW_i$ since the entropy of $b$ is very large.

(2) Preventing the replay attack

In order to prevent the replay attack [4,14,15], the nonces $a$ and $r$ are used in our scheme. User $i$ first chooses a nonce $a$, computes $aP$, and sends it to the server. The second nonce $r$ is chosen by the server and embedded in the session key $sk$ and the authenticator $Auth_s = h(k_a \| h(PW_i \| b) \| r \| sk)$.
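
The registration and login steps R1-R4 and L1-L10, with both sides' messages, can be traced in the following Python model; it is an added example, not the authors' code. It assumes the same toy pairing $\hat{e}(xP, yP) = g^{xy} \bmod p$ over constructed parameters, SHA-256 in place of $h$, an XOR keystream in place of $E_x/D_x$, and hypothetical identities; none of these stand-ins is secure.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (NOT secure): q prime, p = 2q + 1, g of order q.
Q, P_MOD, G = 1019, 2039, 4
S = 777                               # server secret s; P_s = s*P is public
X_KEY = b"constructed-master-key-x"   # server master symmetric key x
ID_S = "server.example"               # hypothetical server identity ID_s

def h(*parts) -> bytes:
    """h(p1 || p2 || ...), with SHA-256 standing in for the 160-bit hash."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).digest()

def H(text: str) -> int:
    """Hash-to-G1 stand-in; the point x*P is stored as the scalar x."""
    return int.from_bytes(h(text), "big") % Q

def pairing(x: int, y: int) -> int:
    """Toy bilinear map e(xP, yP) = g^(xy) mod p."""
    return pow(G, (x * y) % Q, P_MOD)

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_x / D_x: XOR with a SHA-256 keystream (self-inverse)."""
    stream = b"".join(h(key, i) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

P_S, Q_PT = S % Q, H(ID_S)            # P_s = s*P and Q = H(ID_s)

def register(identity: str, password: str, b: str) -> bytes:
    """R1-R2: b_i = E_x(h(PW||b) || ID || h(h(PW||b) || ID))."""
    hpw = h(password, b)
    return E(X_KEY, hpw + identity.encode() + h(hpw, identity))

def card_start(b_i: bytes):
    """L1-L4: returns the card's k_a and the public message (aP, alpha)."""
    a = 1 + secrets.randbelow(Q - 1)
    k_a = h(a, P_S, Q_PT, pairing(P_S, (a * Q_PT) % Q))
    return k_a, (a, E(k_a, b_i))

def server_challenge(message, r=None):
    """L5-L7: recover h(PW||b) and ID from alpha, pick nonce r, build Auth_s."""
    a_p, alpha = message
    k_a = h(a_p, P_S, Q_PT, pairing(a_p, (S * Q_PT) % Q))
    plain = E(X_KEY, E(k_a, alpha))
    hpw, tag = plain[:32], plain[-32:]
    identity = plain[32:-32].decode(errors="replace")
    # Assumption: the server checks the tag inside b_i; the paper leaves it implicit.
    if not hmac.compare_digest(tag, h(hpw, identity)):
        raise ValueError("alpha does not decrypt to a well-formed b_i")
    r = secrets.randbits(64) if r is None else r
    sk = h(k_a, r, identity, ID_S)
    return (k_a, hpw, r, sk), (h(k_a, hpw, r, sk), r)

def card_finish(k_a, identity, password, b, reply):
    """L8-L9: check Auth_s, then return (Auth_i, sk); None if the check fails."""
    auth_s, r = reply
    sk, hpw = h(k_a, r, identity, ID_S), h(password, b)
    if not hmac.compare_digest(auth_s, h(k_a, hpw, r, sk)):
        return None
    return h(k_a, hpw, r + 1, sk), sk

def server_finish(state, auth_i) -> bool:
    """L10: accept only Auth_i = h(k_a || h(PW||b) || r+1 || sk) for this run's r."""
    k_a, hpw, r, sk = state
    return hmac.compare_digest(auth_i, h(k_a, hpw, r + 1, sk))

def demo():
    b = secrets.token_hex(8)                      # 64-bit random b kept on the card
    b_i = register("alice", "correct horse", b)   # constructed sample user
    k_a, msg1 = card_start(b_i)
    state, reply = server_challenge(msg1)
    auth_i, sk_card = card_finish(k_a, "alice", "correct horse", b, reply)
    # Second run: the recorded first message and Auth_i are resent unchanged,
    # but the server draws a new r, so the recorded Auth_i no longer matches.
    state2, _ = server_challenge(msg1)
    return {
        "mutual_auth": server_finish(state, auth_i),
        "same_session_key": sk_card == state[3],
        "recorded_auth_i_accepted_again": server_finish(state2, auth_i),
        "wrong_password_stops": card_finish(k_a, "alice", "guess", b, reply) is None,
    }
```

Both sides reach the same $k_a$ because $\hat{e}(P_s, aQ) = \hat{e}(aP, sQ)$, and the server never looks anything up: the hashed password and $ID_i$ arrive inside $\alpha$.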

(3) Preventing the forgery attack

A valid user's login message comprises $b_i$ and $b$, where $b_i = E_x(h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$ and $b$ are stored in the smart card by user $i$ at the registration phase. An attacker cannot make a valid $b_i$ without the information of the server's secret key $x$ and the user's password $PW_i$.

(4) Preventing the offline dictionary attack without the smart card

In order to prevent this attack [3], the transmitted messages of our scheme do not have enough information to check the validity of the password. The first message between a user and the server of our scheme is $\{aP, \alpha\}$. If the attacker intercepts this message, the attacker also cannot derive $PW_i$ because the attacker does not know the secret key $x$. The attacker cannot decrypt $b_i$ to get $h(PW_i \| b)$. So it is impossible for the attacker to do the offline dictionary attack by this message. If the attacker intercepts the message $Auth_i$, the attacker also does not have enough information to derive the password since the entropy of $k_a$, $b$, $r$, and $sk$ are all very large.

(5) Preventing the offline dictionary attack with the smart card

This attack is similar to the offline dictionary attack without the smart card, but the attacker can get the smart card and acquire the secret information stored in a smart card [3]. In our scheme, the password stored in a smart card is embedded in $b_i$. Only the valid server can use the master secret key $x$ to decrypt $b_i$ to acquire the hashed password $h(PW_i \| b)$. If the attacker gets the smart card and acquires the secret information stored in the smart card, before the attacker can forge the valid user, he must generate $Auth_i = h(k_a \| h(PW_i \| b) \| r + 1 \| sk)$. In this situation, the attacker can obtain the correct $k_a$, $r$ and $sk$, but the attacker cannot generate the correct $h(PW_i \| b)$ since $h(PW_i \| b)$ can only be generated by the eligible user online or be derived by the server by decrypting $b_i = E_x(h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$. So the attacker cannot get the correct password and create the authenticator $Auth_i$.

6. Performance considerations

The performance consideration of our scheme and related schemes is shown in Table 2.

Table 2
Efficiency comparison between our scheme and related schemes in the login protocol

Item                                                              Ours    Das et al.'s [11]
Communication cost (bits)                                         1062    716
No. of scalar multiplication operations of elliptic curve point   3       3
No. of hash operations                                            10      2
No. of bilinear pairing operations                                2       2
No. of point addition operations of elliptic curve point          0       1
No. of symmetric encryption or decryption operations              2       0

There are many articles addressing the implementation of elliptic curve cryptosystems and bilinear pairing on elliptic curve [19]. At the 163 bit elliptic curve cryptosystems and 1024 bit RSA security level, one scalar multiplication of elliptic curve point is roughly 5 to 15 times as fast as the RSA signing operation depending on the optimization and platform. Also, as mentioned in [20], one MD5/SHA operation is roughly 10 times as fast as one DES encryption/decryption operation and one DES encryption/decryption operation is roughly 1000 times as fast as the 1024 bit RSA signing operation.

We assume that the identifications can be represented with 32 bits, a point in an elliptic curve can be represented with 326 bits, the output size of secure one-way hash functions is 160 bits, the size of a timestamp is 32 bits, and the size of a random number is 64 bits. In the login phase of our proposed scheme, user $i$ needs to send the message $\{aP, \alpha\}$ to the server. It contains 678 bits. The server then sends $\{Auth_s, r\}$ back to user $i$. It contains 224 bits. Finally, user $i$ sends $Auth_i$ to the server. It is of 160 bits. The communication cost of the login phase in our proposed scheme is 1062 bits. In the login phase of Das et al.'s scheme, user $i$ needs to send the message $(ID_i, DID_i, V_i, T)$ to the server. The communication cost of the login phase in Das et al.'s scheme is 716 bits.

The login phase in Das et al.'s scheme [11] needs three scalar multiplications in elliptic curve, two hashing-to-point operations, two bilinear pairing operations, and one point addition. Our scheme requires three scalar multiplications in elliptic curve, ten hashing operations, two bilinear pairing operations, and two symmetric encryption or decryption operations in the login phase.

We summarize the functionality of our scheme and related schemes in Table 3.

Table 3
The functionality comparison between our scheme and related schemes

Functionality                                                         Ours    Das et al.'s [11]
No password table                                                     Yes     Yes
Choosing passwords by themselves                                      Yes     Yes
Changing passwords                                                    Yes     Yes
No synchronization-clock problem                                      Yes     No
Identity protection                                                   Yes     No
Revoking smartcard without changing user's identity                   Yes     No
Session key agreement                                                 Yes     No
Preventing the offline dictionary attack with/without the smart card  Yes     No
Preventing the replay attack                                          Yes     No

If the authentication scheme is password-table-based, the server needs to store a password table including the passwords or the hashed passwords of all registered users for verification and the server needs to keep the table secret. In our scheme, the hashed password is embedded in $b_i = E_x(h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$. After receiving $b_i$ in the login protocol, the server can decrypt it to get the hashed password of the user without keeping the password table. In our scheme, the server needs to keep a registration table. It does not need to be kept secret, it is smaller than the password table, and it is easily maintained.

In our scheme, each user can choose her/his favorite password in the registration phase. This makes it easy for users to remember their own passwords.

We provide the mechanism of changing password. It seems impossible to change passwords without the help of the server when the function of preventing the offline dictionary attack with the smart card is provided. The reason is that the hashed password stored in the smart card must be encrypted by the server's secret key. Only the server can decrypt it and then change it.

In the login phase, our scheme is based on nonces, instead of timestamps. Das et al.'s scheme [11] is based on timestamps and has a serious time-synchronization problem.

In our scheme, the identity $ID_i$ of user $i$ is embedded in $b_i$ and is encrypted by the one-time secret key $k_a$. Only the server can decrypt the message to get $ID_i$. Thus, our scheme provides identity protection. In Das et al.'s scheme [11], the user's identity $ID_i$ is sent to the server in plaintext. Anyone can know $ID_i$ easily.

In our scheme, if a user loses his smart card, he can revoke his smart card. The server can issue a new smart card to the user and cancel the lost card. For easily identifying the new card, $b_i = E_x(h(PW_i \| b) \| ID_i \| h(h(PW_i \| b) \| ID_i))$ can be replaced by $b_i = E_x(h(PW_i \| b) \| ID_i \| j \| h(h(PW_i \| b) \| ID_i))$, where $j$ is the number of cards revoked for user $i$. The server needs to record $j$ for each user $i$ in a registration table. In Das et al.'s scheme [11], a lost card cannot be revoked without changing the user's identity.

In our scheme, both user $i$ and the server can agree on a session key $sk = h(k_a \| r \| ID_i \| ID_s)$ in the login phase. But Das et al.'s scheme [11] does not provide the key agreement mechanism.

7. Conclusion

In this paper, we use bilinear pairings to propose an efficient and flexible password authenticated key agreement scheme. Our scheme can provide many nice properties, such as identity protection, mutual authentication, revoking a smart card without changing the user's identity, session key agreement, and no synchronization-clock problem. Also, if the secret information stored in a smart card is compromised, our scheme can prevent the offline dictionary attack.

Acknowledgments

This work was supported in part by the National Science Council of the Republic of China under the Grant NSC E MY2, and by the Taiwan Information Security Center (TWISC), National Science Council under the Grants NSC P Y02, NSC P Y, NSC E , and NSC E

References

[1] L. Lamport, Password authentication with insecure communication, Communications of ACM 24 (1981).
[2] A. Shimizu, T. Horioka, H. Inagaki, A password authentication method for contents communication on the Internet, IEICE Transactions on Communications E81-B (8) (1998).
[3] C. Fan, Y. Chan, Z. Zhang, Robust remote authentication scheme with smart cards, Computers & Security 24 (2005).
[4] W. Juang, Efficient password authenticated key agreement using smart card, Computers & Security 23 (2004).
[5] W. Ku, S. Chen, Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004).
[6] C. Lee, L. Li, M. Hwang, A remote user authentication scheme using hash functions, ACM Operating Systems Review 36 (4) (2002).
[7] M. Peyravian, N. Zunic, Methods for protecting password transmission, Computers & Security 19 (5) (2000).
[8] W. Ku, A hash-based strong-password authentication scheme without using smart cards, ACM Operating Systems Review 38 (1) (2004).
[9] W. Ku, C. Chen, H. Lee, Weaknesses of Lee-Li-Hwang's hash-based password authentication scheme, ACM Operating Systems Review 37 (4) (2003).
[10] H. Wen, T. Lee, T. Hwang, Provably secure three-party password-based authenticated key exchange protocol using Weil pairing, IEE Proceedings of Communications 152 (2) (2005).
[11] M. Das, A. Saxena, V. Gulati, D. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers & Security 25 (3) (2006).
[12] J. Chou, Y. Chen, J. Lin, Improvement of Manik et al.'s remote user authentication scheme.
[13] T. Goriparthi, Manik L. Das, A. Negi, A. Saxena, Cryptanalysis of recently proposed remote user authentication schemes.
[14] T. Kwon, M. Kang, S. Juang, J. Song, An improvement of the password-based authentication protocol on security against replay attacks, IEICE Transactions on Communications E82-B (7) (1999).
[15] W. Ku, C. Chen, H. Lee, Cryptanalysis of a variant of Peyravian-Zunic's password authentication scheme, IEICE Transactions on Communications E86-B (5) (2003).
[16] T. Hwang, W. Ku, Repairable key distribution protocols for internet environments, IEEE Transactions on Communications 43 (5) (1995).
[17] NIST FIPS PUB 180-2, Secure Hash Standard, National Institute of Standards and Technology, U.S. Department of Commerce, DRAFT.
[18] NIST FIPS PUB 197, Announcing the Advanced Encryption Standard (AES), National Institute of Standards and Technology, U.S. Department of Commerce, Nov.
[19] K. Lauter, The advantages of elliptic curve cryptography for wireless security, IEEE Wireless Communications 11 (2004).
[20] M. Hwang, I. Lin, L. Li, A Simple micro-payment scheme, Journal of Systems and Software 55 (3) (2001).

Wen-Shenq Juang received his master's degree in Computer Science from the National Chiao Tung University in 1993, and his Ph.D. degree in electrical engineering from National Taiwan University. He joined the Department of Information Management, Shih Hsin University, Taipei, Taiwan, in 2000 as an assistant professor. Now, he is an associate professor at the same department. He is also the deputy Secretary-General of the Chinese Cryptology and Information Security Association and a core member of the Taiwan Information Security Center (TWISC). Dr. Juang's current research interests include ubiquitous applications, cryptography, information security, and electronic commerce.

Wei-Ken Nien received his M.S. degree in Information Management from the Shih Hsin University. His current interests include network security, ubiquitous applications, and electronic commerce.

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings Debasis Giri and P. D. Srivastava Department of Mathematics Indian Institute of Technology, Kharagpur 721 302, India

More information

Remote User Authentication Scheme in Multi-server Environment using Smart Card

Remote User Authentication Scheme in Multi-server Environment using Smart Card Remote User Authentication Scheme in Multi-server Environment using Smart Card Jitendra Kumar Tyagi A.K. Srivastava Pratap Singh Patwal ABSTRACT In a single server environment, one server is responsible

More information

On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme

On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme MING LIU * Department of Tourism Management WEN-GONG SHIEH Department of Information Management Chinese Culture University

More information

Improvement of recently proposed Remote User Authentication Schemes

Improvement of recently proposed Remote User Authentication Schemes Improvement of recently proposed Remote User Authentication Schemes Guanfei Fang and Genxun Huang Science Institute of Information Engineering University, Zhengzhou, 450002, P.R.China feifgf@163.com Abstract

More information

Efficient remote mutual authentication and key agreement

Efficient remote mutual authentication and key agreement computers & security 25 (2006) 72 77 available at www.sciencedirect.com journal homepage: www.elsevier.com/locate/cose Efficient remote mutual authentication and key agreement Wen-Gong Shieh*, Jian-Min

More information

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS ISSN 1392 124X INFORMATION TECHNOLOGY AND CONTROL, 2012, Vol.41, No.1 A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS Bae-Ling Chen 1, Wen-Chung Kuo 2*, Lih-Chyau Wuu 3 1

More information

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings International Journal of Mathematical Analysis Vol. 8, 2014, no. 43, 2101-2107 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.48269 A New Secure Mutual Authentication Scheme with Smart

More information

A Smart Card Based Authentication Protocol for Strong Passwords

A Smart Card Based Authentication Protocol for Strong Passwords A Smart Card Based Authentication Protocol for Strong Passwords Chin-Chen Chang 1,2 and Hao-Chuan Tsai 2 1 Department of Computer Science and Information Engineering, Feng Chia University, Taichung, Taiwan,

More information

Cryptanalysis on Four Two-Party Authentication Protocols

Cryptanalysis on Four Two-Party Authentication Protocols Cryptanalysis on Four Two-Party Authentication Protocols Yalin Chen Institute of Information Systems and Applications, NTHU, Tawain d949702@oz.nthu.edu.tw Jue-Sam Chou * Dept. of Information Management

More information

Security Weaknesses of a Biometric-Based Remote User Authentication Scheme Using Smart Cards

Security Weaknesses of a Biometric-Based Remote User Authentication Scheme Using Smart Cards Security Weaknesses of a Biometric-Based Remote User Authentication Scheme Using Smart Cards Younghwa An Computer Media Information Engineering, Kangnam University, 111, Gugal-dong, Giheung-gu, Yongin-si,

A flexible biometrics remote user authentication scheme

A flexible biometrics remote user authentication scheme Computer Standards & Interfaces 27 (2004) 19 23 www.elsevier.com/locate/csi A flexible biometrics remote user authentication scheme Chu-Hsing Lin*, Yi-Yi Lai Department of Computer Science and Information

The Modified Scheme is still vulnerable to the parallel Session Attack

The Modified Scheme is still vulnerable to the parallel Session Attack Manoj Kumar Department of Mathematics, Rashtriya Kishan (P.G.) College Shamli- Muzaffarnagar-247776 yamu_balyan@yahoo.co.in Abstract

Secure Smart Card Based Remote User Authentication Scheme for Multi-server Environment

Secure Smart Card Based Remote User Authentication Scheme for Multi-server Environment Secure Smart Card Based Remote User Authentication Scheme for Multi-server Environment Archana P.S, Athira Mohanan M-Tech Student [Cyber Security], Sree Narayana Gurukulam College of Engineering Ernakulam,

Cryptanalysis of a Markov Chain Based User Authentication Scheme

Cryptanalysis of a Markov Chain Based User Authentication Scheme Cryptanalysis of a Markov Chain Based User Authentication Scheme Ruhul Amin, G.P. Biswas Indian School of Mines, Dhanbad Department of Computer Science & Engineering Email: amin ruhul@live.com, gpbiswas@gmail.com

An efficient and practical solution to secure password-authenticated scheme using smart card

An efficient and practical solution to secure password-authenticated scheme using smart card An efficient and practical solution to secure password-authenticated scheme using smart card R. Deepa 1, R. Prabhu M.Tech 2, PG Research scholar 1, Head of the Department 2 Dept.of Information Technology,

Robust EC-PAKA Protocol for Wireless Mobile Networks

Robust EC-PAKA Protocol for Wireless Mobile Networks International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks

An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table

An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table B. Sumitra, Research Scholar, Christ University, Bangalore, India (*Corresponding Author)

A robust smart card-based anonymous user authentication protocol for wireless communications

A robust smart card-based anonymous user authentication protocol for wireless communications University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 A robust smart card-based anonymous user authentication

A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER AUTHENTICATION SCHEME. Received September 2010; revised January 2011

A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER AUTHENTICATION SCHEME. Received September 2010; revised January 2011 International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1349-4198 Volume 8, Number 5(A), May 2012 pp. 3173 3188 A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER

Smart-card-loss-attack and Improvement of Hsiang et al. s Authentication Scheme

Smart-card-loss-attack and Improvement of Hsiang et al. s Authentication Scheme Smart-card-loss-attack and Improvement of Hsiang et al. s Authentication Scheme Y.C. Lee Department of Security Technology and Management WuFeng University, Chiayi, 653, Taiwan yclee@wfu.edu.tw ABSTRACT Due

Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards

Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards Journal of Computational Information Systems 9: 14 (2013) 5513 5520 Available at http://www.jofcis.com Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011 International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1349-4198 Volume 8, Number 8, August 2012 pp. 5499 5511 A SMART CARD BASED AUTHENTICATION SCHEME FOR

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues Contemporary Engineering Sciences, Vol. 7, 2014, no. 26, 1467-1473 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.49118 Security Flaws of Cheng et al. s Biometric-based Remote User Authentication

Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement

Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement Young-Hwa An* * Division of Computer and Media Information Engineering, Kangnam University 111, Gugal-dong,

The Password Change Phase is Still Insecure

The Password Change Phase is Still Insecure Manoj Kumar: The password change phase change is still insecure 1 The Password Change Phase is Still Insecure Manoj Kumar E. Mail: yamu_balyan@yahoo.co.in Abstract In 2004, W. C. Ku and S. M.

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards Al-Sakib Khan Pathan and Choong Seon Hong Department of Computer Engineering, Kyung Hee University, Korea spathan@networking.khu.ac.kr

Secure and Efficient Smart Card Based Remote User Password Authentication Scheme

Secure and Efficient Smart Card Based Remote User Password Authentication Scheme International Journal of Network Security, Vol.18, No.4, PP.782-792, July 2016 782 Secure and Efficient Smart Card Based Remote User Password Authentication Scheme Jianghong Wei, Wenfen Liu and Xuexian

Cryptanalysis of a timestamp-based password authentication scheme 1

Cryptanalysis of a timestamp-based password authentication scheme 1 Cryptanalysis of a timestamp-based password authentication scheme 1 Lizhen Yang a Kefei Chen a a Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai 200030, P.R.China

Blind Signature Scheme Based on Elliptic Curve Cryptography

Blind Signature Scheme Based on Elliptic Curve Cryptography Blind Signature Scheme Based on Elliptic Curve Cryptography Chwei-Shyong Tsai Min-Shiang Hwang Pei-Chen Sung Department of Management Information System, National Chung Hsing University 250 Kuo Kuang Road.,

Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement

Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement 1 Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement Sonam Devgan Kaul, Amit K. Awasthi School of Applied Sciences, Gautam Buddha University, Greater Noida, India sonamdevgan11@gmail.com,

A Multi-function Password Mutual Authentication Key Agreement Scheme with Privacy Preserving

A Multi-function Password Mutual Authentication Key Agreement Scheme with Privacy Preserving Journal of Information Hiding and Multimedia Signal Processing 2014 ISSN 2073-4212 Ubiquitous International Volume 5, Number 2, April 2014 A Multi-function Password Mutual Authentication Key Agreement

An Efficient and Secure Multi-server Smart Card based Authentication Scheme

An Efficient and Secure Multi-server Smart Card based Authentication Scheme An Efficient Secure Multi-server Smart Card based Authentication Scheme Toshi Jain Department of r Science Engineering Oriental Institute of Science & Technology Bhopal, India Seep Pratap Singh Department

An Effective Authentication Scheme for Distributed Mobile Cloud Computing Services using a Single Private Key

An Effective Authentication Scheme for Distributed Mobile Cloud Computing Services using a Single Private Key Global Journal of Computer Science and Technology: B Cloud and Distributed Volume 16 Issue 2 Version 1.0 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc.

ISSN 1392-124X INFORMATION TECHNOLOGY AND CONTROL, 2011, Vol.40, No.3

ISSN 1392-124X INFORMATION TECHNOLOGY AND CONTROL, 2011, Vol.40, No.3 A Robust Remote User Authentication

Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem

Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem Li-Chin Huang and Min-Shiang Hwang 1 Department of Computer Science and Engineering,

Improved Remote User Authentication Scheme Preserving User Anonymity

Improved Remote User Authentication Scheme Preserving User Anonymity 62 IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.3, March 28 Improved Remote User Authentication Scheme Preserving User Anonymity Mrs. C. Shoba Bindu, Dr P. Chandra Sekhar

Expert Systems with Applications

Expert Systems with Applications Expert Systems with Applications 38 (2011) 13863 13870 Contents lists available at ScienceDirect Expert Systems with Applications journal homepage: www.elsevier.com/locate/eswa A secure dynamic ID based

Comments on four multi-server authentication protocols using smart card

Comments on four multi-server authentication protocols using smart card Comments on four multi-server authentication protocols using smart card * Jue-Sam Chou 1, Yalin Chen 2, Chun-Hui Huang 3, Yu-Siang Huang 4 1 Department of Information Management, Nanhua University Chiayi

An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks

An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks Ad Hoc & Sensor Wireless Networks, Vol. 10, pp. 361 371 Reprints available directly from the publisher Photocopying permitted by license only 2010 Old City Publishing, Inc. Published by license under the

An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol

An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol International Journal of Network Security, Vol.14, No.1, PP.39 46, Jan. 2012 39 An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol Sandeep Kumar Sood Department of Computer

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014 Two Way User Authentication Using Biometric Based Scheme for Wireless Sensor Networks Srikanth S P (Assistant professor, CSE Department, MVJCE, Bangalore) Deepika S Haliyal (PG Student, CSE Department,

Cryptanalysis and improvement of password-authenticated key agreement for session initiation protocol using smart cards

Cryptanalysis and improvement of password-authenticated key agreement for session initiation protocol using smart cards SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2014; 7:2405 2411 Published online 17 January 2014 in Wiley Online Library (wileyonlinelibrary.com)..951 RESEARCH ARTICLE Cryptanalysis and improvement

Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks *

Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31, 727-742 (2015) Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks * KUO-YANG WU 1, KUO-YU TSAI 2, TZONG-CHEN

arxiv: v1 [cs.cr] 9 Jan 2018

arxiv: v1 [cs.cr] 9 Jan 2018 An efficient and secure two-party key agreement protocol based on chaotic maps Nahid Yahyapoor a, Hamed Yaghoobian b, Manijeh Keshtgari b a Electrical Engineering, Khavaran Institute of Higher Education,

A Novel Smart Card Authentication Scheme using Image Watermarking

A Novel Smart Card Authentication Scheme using Image Watermarking A Novel Smart Card Authentication Scheme using Image Watermarking Mr. Saurabh Garg ME CSE MPCT GWALIOR Prof. Pradeep Gupta HEAD CSE & IT GIIT GWALIOR Abstract One of the primary issues of information technology

A Simple User Authentication Scheme for Grid Computing

A Simple User Authentication Scheme for Grid Computing A Simple User Authentication Scheme for Grid Computing Rongxing Lu, Zhenfu Cao, Zhenchuai Chai, Xiaohui Liang Department of Computer Science and Engineering, Shanghai Jiao Tong University 800 Dongchuan

A strong password-based remote mutual authentication with key agreement scheme on elliptic curve cryptosystem for portable devices

A strong password-based remote mutual authentication with key agreement scheme on elliptic curve cryptosystem for portable devices Appl. Math. Inf. Sci. 6, No. 2, 217-222 (2012) 217 Applied Mathematics & Information Sciences An International Journal A strong password-based remote mutual authentication with key agreement scheme on

An Enhanced Remote User Authentication Scheme with Smart Card

An Enhanced Remote User Authentication Scheme with Smart Card International Journal of Network Security, Vol.10, No.3, PP.175 184, May 2010 175 An Enhanced Remote User Authentication Scheme with Smart Card Manoj Kumar Department of Mathematics, Rashtriya Kishan College

Cryptanalysis of An Advanced Temporal Credential-Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks

Cryptanalysis of An Advanced Temporal Credential-Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks Cryptanalysis of An Advanced Temporal Credential-Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks Chandra Sekhar Vorugunti 1, Mrudula Sarvabhatla 2 1 Dhirubhai

A Hash-based Strong Password Authentication Protocol with User Anonymity

A Hash-based Strong Password Authentication Protocol with User Anonymity International Journal of Network Security, Vol.2, No.3, PP.205 209, May 2006 (http://isrc.nchu.edu.tw/ijns/) 205 A Hash-based Strong Password Authentication Protocol with User Anonymity Kumar Mangipudi

Enhancing Data Security with Certificateless Signature Scheme in Cloud Computing

Enhancing Data Security with Certificateless Signature Scheme in Cloud Computing International Journal of Computer Engineering and Applications, Special Edition www.ijcea.com ISSN 2321-3469 Enhancing Data Security with Certificateless Signature Scheme in Cloud Computing Sonu Kumar

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings International Journal of Network Security, Vol.5, No.3, PP.283 287, Nov. 2007 283 Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings Rongxing Lu and Zhenfu Cao (Corresponding

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols Cryptography and Network Security Chapter 13 Digital Signatures & Authentication Protocols Digital Signatures have looked at message authentication but does not address issues of lack of trust digital

A Simple User Authentication Scheme for Grid Computing

A Simple User Authentication Scheme for Grid Computing International Journal of Network Security, Vol.7, No.2, PP.202 206, Sept. 2008 202 A Simple User Authentication Scheme for Grid Computing Rongxing Lu, Zhenfu Cao, Zhenchuan Chai, and Xiaohui Liang (Corresponding

Research Issues and Challenges for Multiple Digital Signatures

Research Issues and Challenges for Multiple Digital Signatures INTERNATION JOURNAL OF NETWORK SECURITY, VOL.1, NO.1,PP. 1-6, 2005 1 Research Issues and Challenges for Multiple Digital Signatures Min-Shiang Hwang, and Cheng-Chi Lee, Abstract In this paper, we survey

An Enhanced Remote User Authentication Scheme with Smart Card

An Enhanced Remote User Authentication Scheme with Smart Card An Enhanced Remote User Authentication Scheme with Smart Card Manoj Kumar Department of Mathematics R. K. College Shamli-Muzaffarnagar U.P.-India- 247776 E-mail: yamu balyan@yahoo.co.in Abstract In 2000,

Cryptanalysis on Efficient Two-factor User Authentication Scheme with Unlinkability for Wireless Sensor Networks

Cryptanalysis on Efficient Two-factor User Authentication Scheme with Unlinkability for Wireless Sensor Networks Cryptanalysis on Efficient Two-factor User Authentication Scheme with Unlinkability for Wireless Sensor Networks Hae-Won Choi 1, Hyunsung Kim 2,3, 1 Department of Computer Engineering, Kyungwoon University,

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection Author: Jing-Lin Wu, Wen-Shenq Juang and Sian-Teng Chen Department of Information Management, Shih Hsin University,

HOST Authentication Overview ECE 525

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time

A Secure and Efficient One-time Password Authentication Scheme for WSN

A Secure and Efficient One-time Password Authentication Scheme for WSN International Journal of Network Security, Vol.19, No.2, PP.177-181, Mar. 2017 (DOI: 10.6633/IJNS.201703.19(2).02) 177 A Secure and Efficient One-time Password Authentication Scheme for WSN Chung-Huei

Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh

Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh R. Martínez-Peláez *1, F. Rico-Novella 2, J. Forné 2, P. Velarde-Alvarado 3 1 Institute of Informatics University

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

Robust Two-factor Smart Card Authentication

Robust Two-factor Smart Card Authentication Robust Two-factor Smart Card Authentication Omer Mert Candan Sabanci University Istanbul, Turkey mcandan@sabanciuniv.edu Abstract Being very resilient devices, smart cards have been commonly used for two-factor

Article An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks

Article An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks Article An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks Youngseok Chung 1,2, Seokjin Choi 1, Youngsook Lee 3, Namje Park

An IBE Scheme to Exchange Authenticated Secret Keys

An IBE Scheme to Exchange Authenticated Secret Keys An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária

A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function

A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function Deepchand Ahirwal 1, Prof. Sandeep Raghuwanshi 2 1 Scholar M.Tech, Information Technology, Samrat Ashok Technological

A Two-Fold Authentication Mechanism for Network Security

A Two-Fold Authentication Mechanism for Network Security Asian Journal of Engineering and Applied Technology ISSN 2249-068X Vol. 7 No. 2, 2018, pp. 86-90 The Research Publication, www.trp.org.in A Two-Fold for Network Security D. Selvamani 1 and V Selvi 2 1

Cryptanalysis on Two Certificateless Signature Schemes

Cryptanalysis on Two Certificateless Signature Schemes Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844 Vol. V (2010), No. 4, pp. 586-591 Cryptanalysis on Two Certificateless Signature Schemes F. Zhang, S. Li, S. Miao, Y. Mu,

A Simple Password Authentication Scheme Based on Geometric Hashing Function

A Simple Password Authentication Scheme Based on Geometric Hashing Function International Journal of Network Security, Vol.16, No.3, PP.237-243, May 2014 237 A Simple Password Authentication Scheme Based on Geometric Hashing Function Xu Zhuang 1, Chin-Chen Chang 2,3, Zhi-Hui Wang

Security Vulnerabilities of User Authentication Scheme Using Smart Card

Security Vulnerabilities of User Authentication Scheme Using Smart Card Security Vulnerabilities of User Authentication Scheme Using Smart Card Ravi Pippal, Jaidhar C.D., Shashikala Tapaswi To cite this version: Ravi Pippal, Jaidhar C.D., Shashikala Tapaswi. Security Vulnerabilities

An Improvement on the Self-Verification Authentication Mechanism for A Mobile Satellite Communication System

An Improvement on the Self-Verification Authentication Mechanism for A Mobile Satellite Communication System Appl. Math. Inf. Sci. 8, No. 1L, 97-106 (2014) 97 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/081l13 An Improvement on the Self-Verification Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

Cryptanalysis of Blind Signature Schemes

Cryptanalysis of Blind Signature Schemes IJCSNS International Journal of Computer Science and Network Security, VOL.14 No.5, May 2014 73 Cryptanalysis of Blind Signature Schemes Nitu Singh M.Tech Scholar Dept. of Computer Science & Engineering

Security Handshake Pitfalls

Security Handshake Pitfalls Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response

EFFICIENT MUTUAL AUTHENTICATION AND KEY AGREEMENT WITH USER ANONYMITY FOR ROAMING SERVICES IN GLOBAL MOBILITY NETWORKS

EFFICIENT MUTUAL AUTHENTICATION AND KEY AGREEMENT WITH USER ANONYMITY FOR ROAMING SERVICES IN GLOBAL MOBILITY NETWORKS International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1349-4198 Volume 8, Number 9, September 2012 pp. 6415 6427 EFFICIENT MUTUAL AUTHENTICATION AND KEY

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp. Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)

Secure Communication in Digital TV Broadcasting

Secure Communication in Digital TV Broadcasting IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.9, September 2008 Secure Communication in Digital TV Broadcasting Hyo Kim Division of Digital Media, Ajou University, Korea Summary

A weakness in Sun-Chen-Hwang s three-party key agreement protocols using passwords

A weakness in Sun-Chen-Hwang s three-party key agreement protocols using passwords A weakness in Sun-Chen-Hwang s three-party key agreement protocols using passwords Junghyun Nam Seungjoo Kim Dongho Won School of Information and Communication Engineering Sungkyunkwan University 300 Cheoncheon-dong

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 13 Digital Signatures & Authentication Protocols To guard against the baneful influence

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Hung-Min Sun and Bin-Tsan Hsieh Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan, R.O.C. hmsun@cs.nthu.edu.tw

An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System

An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System sensors Article An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System Chun-Ta Li 1, Tsu-Yang Wu 2,3,, Chin-Ling Chen 4,5,, Cheng-Chi Lee 6,7

SM9 identity-based cryptographic algorithms Part 3: Key exchange protocol

SM9 identity-based cryptographic algorithms Part 3: Key exchange protocol SM9 identity-based cryptographic algorithms Part 3: Key exchange protocol Contents 1 Scope... 1 2 Normative references... 1 3 Terms and definitions... 1 3.1 key exchange... 1 3.2 key agreement... 1 3.3

Enhanced Two-Factor Authentication and Key Agreement Using Dynamic Identities in Wireless Sensor Networks

Enhanced Two-Factor Authentication and Key Agreement Using Dynamic Identities in Wireless Sensor Networks Article Enhanced Two-Factor Authentication and Key Agreement Using Dynamic Identities in Wireless Sensor Networks I-Pin Chang 1, Tian-Fu Lee 2, *, Tsung-Hung Lin 3 and Chuan-Ming Liu 4 Received: 2 September

Security Handshake Pitfalls

Security Handshake Pitfalls Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response

A Secure Simple Authenticated Key Exchange Algorithm based Authentication for Social Network

A Secure Simple Authenticated Key Exchange Algorithm based Authentication for Social Network Journal of Computer Science 7 (8): 1152-1156, 2011 ISSN 1549-3636 2011 Science Publications A Secure Simple Authenticated Key Exchange Algorithm based Authentication for Social Network 1 P. Venkateswari

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network 1 Ms.Anisha Viswan, 2 Ms.T.Poongodi, 3 Ms.Ranjima P, 4 Ms.Minimol Mathew 1,3,4 PG Scholar, 2 Assistant Professor,

A New Efficient Authenticated and Key Agreement Scheme for SIP Using Digital Signature Algorithm on Elliptic Curves

A New Efficient Authenticated and Key Agreement Scheme for SIP Using Digital Signature Algorithm on Elliptic Curves Paper A New Efficient Authenticated and Key Agreement Scheme for SIP Using Digital Signature Algorithm on Elliptic Curves, Agadir, Morocco Abstract Voice over Internet Protocol (VoIP) has been recently

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from

DEFENSE AGAINST PASSWORD GUESSING ATTACK IN SMART CARD

DEFENSE AGAINST PASSWORD GUESSING ATTACK IN SMART CARD DEFENSE AGAINST PASSWORD GUESSING ATTACK IN SMART CARD A. Shakeela Joy., Assistant Professor in Computer Science Department Loyola Institute of Technology of Science Dr. R. Ravi., Professor & Research

More information

On the security of a certificateless signature scheme in the standard model

On the security of a certificateless signature scheme in the standard model On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University

More information

APNIC elearning: Cryptography Basics

APNIC elearning: Cryptography Basics APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security

More information

Available online at ScienceDirect. Procedia Computer Science 78 (2016 ) 95 99

Available online at  ScienceDirect. Procedia Computer Science 78 (2016 ) 95 99 Available online at www.sciencedirect.com ScienceDirect Procedia Computer Science 78 (2016 ) 95 99 International Conference on Information Security & Privacy (ICISP2015), 11-12 December 2015, Nagpur, INDIA

More information

PAPER Further Improved Remote User Authentication Scheme

PAPER Further Improved Remote User Authentication Scheme 1426 IEICE TRANS. FUNDAMENTALS, VOL.E94 A, NO.6 JUNE 2011 PAPER Further Improved Remote User Authentication Scheme Jung-Yoon KIM a), Student Member, Hyoung-Kee CHOI, Member, and John A. COPELAND, Nonmember

More information

An improved authenticated key agreement protocol for telecare medicine information system

An improved authenticated key agreement protocol for telecare medicine information system DOI 10.1186/s40064-016-2018-7 RESEARCH Open Access An improved authenticated key agreement protocol for telecare medicine information system Wenhao Liu, Qi Xie *, Shengbao Wang and Bin Hu *Correspondence:

More information

Efficient RFID authentication scheme for supply chain applications

Efficient RFID authentication scheme for supply chain applications University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 Efficient RFID authentication scheme for supply chain applications

More information

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Password. authentication through passwords

Password. authentication through passwords Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information