Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

Similar documents
Robust EC-PAKA Protocol for Wireless Mobile Networks

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings

Security Weaknesses of a Biometric-Based Remote User Authentication Scheme Using Smart Cards

Cryptanalysis and Improvement of a New. Ultra-lightweight RFID Authentication. Protocol with Permutation

A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER AUTHENTICATION SCHEME. Received September 2010; revised January 2011

Remote User Authentication Scheme in Multi-server Environment using Smart Card

Security Improvements of Dynamic ID-based Remote User Authentication Scheme with Session Key Agreement

Smart-card-loss-attack and Improvement of Hsiang et al. s Authentication Scheme

A Smart Card Based Authentication Protocol for Strong Passwords

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme

Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011

Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement

Secure Smart Card Based Remote User Authentication Scheme for Multi-server Environment

Efficient password authenticated key agreement using bilinear pairings

ISSN X INFORMATION TECHNOLOGY AND CONTROL, 2011, Vol.40, No.3. ISSN X INFORMATION TECHNOLOGY AND CONTROL, 2011 Vol.?, No.?, 1?

Cryptanalysis of a Markov Chain Based User Authentication Scheme

A flexible biometrics remote user authentication scheme

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function

A robust smart card-based anonymous user authentication protocol for wireless communications

Comments on four multi-server authentication protocols using smart card

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

arxiv: v1 [cs.cr] 9 Jan 2018

The Modified Scheme is still vulnerable to. the parallel Session Attack

An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol

Secure and Efficient Smart Card Based Remote User Password Authentication Scheme

Cryptanalysis of a timestamp-based password authentication scheme 1

Efficient remote mutual authentication and key agreement

An Efficient Biometrics-based Remote User Authentication Scheme Using Smart Cards

The Password Change Phase is Still Insecure

An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table

An Efficient and Secure Multi-server Smart Card based Authentication Scheme

A Hash-based Strong Password Authentication Protocol with User Anonymity

Cryptanalysis on Efficient Two-factor User Authentication Scheme with Unlinkability for Wireless Sensor Networks

A Simple User Authentication Scheme for Grid Computing

An efficient and practical solution to secure password-authenticated scheme using smart card

Expert Systems with Applications

Security Analysis and Improvements of Two-Factor Mutual Authentication with Key Agreement in Wireless Sensor Networks

Improved Remote User Authentication Scheme Preserving User Anonymity

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014

Security Vulnerabilities of User Authentication Scheme Using Smart Card

Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh

Cryptanalysis of An Advanced Temporal Credential- Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks

A New Energy-Aware Routing Protocol for. Improving Path Stability in Ad-hoc Networks

A LITERATURE SURVEY ON NOVEL REMOTE AUTHENTICATION VIA VIDEO OBJECT AND BIOMETRICS

An Enhanced Remote User Authentication Scheme with Smart Card

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

A Simple User Authentication Scheme for Grid Computing

A secure and effective anonymous user authentication scheme for roaming service in global mobility networks

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

A Novel Smart Card Authentication Scheme using Image Watermarking

Weaknesses of Temporal Credential-Based Mutual Authentication with a Multiple-Password Scheme for Wireless Sensor Networks

Available online at ScienceDirect. Procedia Computer Science 78 (2016 ) 95 99

Comparative Analysis of Smart Card Authentication Schemes

An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks

An Enhanced Remote User Authentication Scheme with Smart Card

CS530 Authentication

Blind Signature Scheme Based on Elliptic Curve Cryptography

A Multi-function Password Mutual Authentication Key Agreement Scheme with Privacy Preservingg

A Secure and Efficient One-time Password Authentication Scheme for WSN

Cryptanalysis and improvement of passwordauthenticated key agreement for session initiation protocol using smart cards

Cryptanalysis of Two Password-Authenticated Key Exchange. Protocols between Clients with Different Passwords

Improvement of recently proposed Remote User Authentication Schemes

Cryptanalysis on Four Two-Party Authentication Protocols

Secure Password-Based Remote User Authentication Scheme with Non-tamper Resistant Smart Cards

CSE 565 Computer Security Fall 2018

Analysis and enhancements of an efficient biometricbased remote user authentication scheme using smart cards

Three Party Authentication Scheme with Privacy in Telecare Medicine Information Systems

CSC 474 Network Security. Authentication. Identification

CNT4406/5412 Network Security

IFET College of Engineering, Villupuram, India

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Secure Communication in Digital TV Broadcasting

A Simple Password Authentication Scheme Based on Geometric Hashing Function

Thumb based Biometric Authentication Scheme in WLAN using Gauss Iterated Map and One Time Password

Research Article Improvements in Geometry-Based Secret Image Sharing Approach with Steganography

On the Security of a Certificateless Public-Key Encryption

Security of the Lin-Lai smart card based user authentication scheme

The Research on PGP Private Key Ring Cracking and Its Application

Authenticated Key Agreement Without Using One-way Hash Functions Based on The Elliptic Curve Discrete Logarithm Problem

DEFENSE AGAINST PASSWORD GUESSING ATTACK IN SMART CARD

Robust Two-factor Smart Card Authentication

Cryptanalysis on Two Certificateless Signature Schemes

IJREAT International Journal of Research in Engineering & Advanced Technology, Volume 1, Issue 5, Oct-Nov, 2013 ISSN:

Journal of Computer and System Sciences. Two-factor mutual authentication based on smart cards and passwords

Code Verification Work of Sybil Attack in Wireless Sensor Network

Research Issues and Challenges for Multiple Digital Signatures

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

(In)security of ecient tree-based group key agreement using bilinear map

Some Algebraic (n, n)-secret Image Sharing Schemes

PAPER Further Improved Remote User Authentication Scheme

Java Vulnerability Analysis with JAPCT: Java. Access Permission Checking Tree

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Cryptanalysis of Some RFID Authentication Protocols

A New Group-based Secret Function Sharing with Variate Threshold

Transcription:

Contemporary Engineering Sciences, Vol. 7, 2014, no. 26, 1467-1473 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.49118 Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues Eun-Jun Yoon 1 Department of Cyber Security, Kyungil University 33 Buho-Ri, Hayang-Ub, Kyungsan-Si Kyungsangpuk-Do 712-701, Republic of Korea Copyright c 2014 Eun-Jun Yoon. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Abstract Recently, Cheng et al. proposed a novel biometric-based remote user authentication scheme using quadratic residues. Cheng et al. claimed that their proposed scheme is secure, practical, and trustworthy remote authentication, which can be implemented on different real network environments. However, this paper points out that Cheng et al. s scheme not only suffers from stolen smart card attack and server spoofing attack, but also does not provide forward secrecy. Keywords: Cryptography; Biometrics authentication; Quadratic residue; Stolen smart card attack; Server spoofing attack; Forward secrecy 1 Introduction Remote user authentication scheme using smart cards allow remote users to communicate securely over public networks simply by using easy-to-remember passwords and smart cards for the client-server architecture[1, 2, 3, 4, 5, 6, 7]. To provide strong security, the remote user authentication scheme adopts people s biometrics information (e.g. fingerprints, faces, iris scan, voice print, hand geometry, and palm-prints) for convincing users identities[4, 5, 6, 7]. Generally, the biometric technology has three main advantages as follows[7]: 1 Corresponding author: Eun-Jun Yoon Tel.: +82-53-600-5623; Fax: +82-53-600-5579

1468 Eun-Jun Yoon 1. The personal biometric information is extremely hard to make duplicate or share biometrics. 2. The personal biometric information is extremely hard to forge or distribute. 3. The personal biometric information cannot lost or forgotten and cannot be guessed easily. In 2013, Cheng et al.[7] proposed a novel biometric based remote user authentication scheme which is based on the quadratic residues and biometric verification to achieve efficient and security requirements. Through the security analysis, Cheng et al. claimed that their proposed scheme is secure, practical, and trustworthy remote authentication, which can be implemented on different real network environments. However, this paper points out that Cheng et al. s scheme not only suffers from stolen smart card attack and server spoofing attack, but also does not provide forward secrecy. This paper is organized as follows: Section 2 briefly reviews the Cheng et al. s scheme. The security flaws of Cheng et al. s scheme are shown in Section 3. Finally, conclusions are given in Section 4. 2 Review of Cheng et al. s Scheme This section briefly reviews Cheng et al. s scheme[7]. The Cheng et al. s scheme consists of three phases: registration phase, login phase, authentication phase. 2.1 Notations We outlined some notations used in this research paper. U : the remote user R : the trusted registration center S : the server ID : the identity of remote user x : the secret information of the server S B : the biometric information of remote user n : the product of two large prime, p and q r : the random number selected by the registration center R t : the random number selected by the user U s : the random number selected by the server S

Security flaws of biometric-based remote user authentication scheme 1469 h( ) : the secure one-way hash function : the bitwise exclusive-or operation : the concatenation operation 2.2 Registration phase Figure 1 depicts the registration phase of Cheng et al. s scheme. In this phase, the user U initially registers with the trusted registration center. The following steps are executed: R1. In the beginning, the user U sends his/her identity ID and the related biometrics B to the registration center R over a secure channel. R2. After receiving the message {ID, B}, the registration center R computes f = B r, and A = x f ID, where r is a random number unique to R. And then, R stores the data {f, A, ID, r, h( )} into a smart card and issues it to U. U (ID, B) R (x) (ID, B) Select random number r Compute f = B r Compute A = x f ID SmartCard(f, A, ID, r, h( )) Figure 1: Registration phase of Cheng et al. s scheme 2.3 Login phase Figure 2 depicts the login and authentication phases of Cheng et al. s scheme. The login phase is invoked whenever the user U asks the services from the server S. L1. The user U inserts his/her smart card into the card reader, and inputs his/her identity ID and the personal biometrics B.

1470 Eun-Jun Yoon L2. The smart card checks f r? = B to verify the user U s biometrics on the specific device. If it holds, U passes the biometrics verification; otherwise, the scheme is aborted. L3. The user U randomly selects a number t to compute D = h(a f ID t), T = t 2 mod n, and M = h(t). L4. The user U forwards the message {D, T, M} to the server S. 2.4 Authentication phase After receiving the login message from the user U, both the server S and the user U perform the following steps to achieve mutual authentication. A1. The server S utilizes the Chinese Remainder Theorem[7] to solve T = t 2 mod n, since S can derive four roots (t 1, t 2, t 3, t 4 ) with two large primes p and q. A2. The server S compares h(t i ) with the received M, for i = 1 to 4, so that it can obtain the correct value of t. A3. The server S checks h(x t)? = D. If it holds, S believes the validity of U; otherwise, S rejects the user s login request. A4. The server S computes E = h(x t) s and N = h(h(x t) s), where s is a random number selected by the server S, and S forwards the message {E, N} to U. A5. After receiving the message, the user U computes s = D E. A6. The user U checks N? = h(d s ) = h(h(x t) s ) by using the derived s. If it holds, the user believes the trustworthy of S. After finishing the mutual authentication, both the user and the server compute the common session key sk = h(d s r) = h(h(x t) s r) for their subsequent communication. 3 Cryptanalysis of Cheng et al. s Scheme This section demonstrates that Cheng et al. s scheme not only suffers from stolen smart card attack and server spoofing attack, but also does not provide forward secrecy.

Security flaws of biometric-based remote user authentication scheme 1471 U S (SmartCard(f, A, ID, r, h( ))) (n) (x, p, q) Insert the smart card and B Check f r? = B Select random number t Compute D = h(a f ID t) Compute T = t 2 mod n Compute M = h(t) {D, T, M} Solve T = t 2 mod n getting (t 1, t 2, t 3, t 4 ) Compare h(t i )? = M to determine t Check h(x t)? = D, if it is, U is valid Select random number s Compute E = h(x t) s Compute N = h(h(x t) s) {E, N} Compute s = D E Check N? = h(d s ) = h(h(x t) s ), if it is, S is trustworthy Common session key sk = h(d s r) = h(h(x t) s r) Figure 2: Login and authentication phases of Cheng et al. s scheme 3.1 Stolen smart card attack Suppose that an attacker Eve obtained a legal user s smart card. We know that the smart card has the data {f, A, ID, r, h( )} for the user U. Then, the attacker Eve can perform the following stolen smart card attack. 1. Extract the biometrics B by computing f r. Because f r = B r r = B, Eve can easily obtain B. 2. Extract the secret key x of the server S by computing f A ID. Because f A ID = f x f ID ID = x, Eve can easily obtain the secret key x. By using B and x, the attacker Eve can freely perform the user impersonation attack or the server impersonation attack. Therefore, Cheng et al. s scheme is vulnerable to the above stolen smart card attack.

1472 Eun-Jun Yoon 3.2 Server spoofing attack An attacker Eve can perform the following server spoofing attack. 1. Eve intercepts {D, T, M}. 2. Eve selects a random number s. 3. Eve computes E = D s. 4. Eve computes N = h(d s). 5. Eve finally sends {E, N } to the user U. After receiving {E, N }, the user U will perform the following steps. 1. Compute s = D E. Here, we can see that D E = D D s = s. 2. Check N? = h(d s ) by using the derived s. Because N always equals h(d s ), the user U will believe the trustworthy of the attacker Eve. Therefore, Cheng et al. s scheme is vulnerable to the above server spoofing attack. 3.3 Forward secrecy problem Forward secrecy is one of the security notions addressing the session key exposure issues[7]. Without knowing the master key x, an attacker Eve can easily compute the previous session keys sk = h(d s r) = h(h(x t) s r) by using the compromised long-term random number r which generated by the registration center R. We assume that Eve gets the long-term random number r in Cheng et al. s scheme, and he/she wants to compromise the previously generated session keys sk. Eve can simply compute any past versions of session keys by computing sk = h(d s r) because D is public value and s can be obtained by computing D E. Therefore, Cheng et al. s scheme cannot provide the forward secrecy. 4 Conclusions This paper pointed out that recently proposed Cheng et al. s biometric-based remote user authentication scheme using quadratic residues not only suffers from stolen smart card attack and impersonation attacks, but also does not provide forward secrecy. Further works will be focused on improving the Cheng et al. s scheme which can be able to provide strong security.

Security flaws of biometric-based remote user authentication scheme 1473 Acknowledgements This work was supported by Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Education, Science and Technology(No. 2010-0010106). References [1] L. Lamport, Password authentication with insecure communication, Communications of the ACM, 24(11) (1993), 770-772. [2] J. Jan and Y. Chen, Paramita wisdom password authentication scheme without verification tables, The Journal of Systems and Software, 42(1) (1998), 45-57. [3] M. Hwang and L. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, 46(1) ( 2000), 28-30. [4] M. Khan, J. Zhang, and X. Wang, Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices, Chaos, Solitons and Fractals, 35(3) (2008), 519-524. [5] C. Li and M. Hwang, An efficient biometric-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications, 33(1) (2010), 1-5. [6] X. Li, J. Niu, J. Ma, W. Wang, and C. Liu, Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications, 34(1) (2011), 73-79. [7] Z. Cheng, Y. Liu, C. Chang, and C. Liu, A novel biometric-based remote user authentication scheme using quadratic residues, International Journal of Information and Electronics Engineering, 3(4) (2013), 419-422. Received: September 4, 2014; Published: October 28, 2014

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback