Security Analysis of a Remote User Authentication Scheme with Smart Cards

Yoon et al. proposed a new efficient remote user authentication scheme using smart cards to solve the security problems of W. C. Ku and S. M. Chen's scheme. This paper reviews Yoon et al.'s scheme and then proves that the password change phase of Yoon et…

Authors: *Original paper authors*: Yoon et al. (exact author names and affiliations are not stated in the paper)

Security Analysis of a Remote User Authentication Scheme with Smart Cards

Manoj Kumar
Department of Mathematics, R.K. (P.G.) College Shamli, Muzaffarnagar, Uttar Pradesh, India - 247776.
E-mail: yamu_balyan@yahoo.co.in

Abstract

Yoon et al. proposed a new efficient remote user authentication scheme using smart cards to solve the security problems of W. C. Ku and S. M. Chen's scheme. This paper reviews Yoon et al.'s scheme and then proves that the password change phase of Yoon et al.'s scheme is still insecure. This paper also proves that Yoon et al.'s scheme is still vulnerable to the parallel session attack.

Keywords — Cryptography, Cryptanalysis, Network security, Authentication, Smart cards, Password, Parallel session attack.

I. INTRODUCTION

To gain the access rights on an authentication server (AS), a password-based remote user authentication scheme is used. The remote user makes a login request with the help of some secret information which is provided by the AS. On the other side, the AS checks the validity of a login request made by a remote user U. In these schemes, the AS and the remote user U share a secret, which is often called a password. With the knowledge of this password, the remote user U creates a valid login request to the AS. The AS checks the validity of the login request to provide the access rights to the user U.

Password authentication schemes with smart cards have a long history in the remote user authentication environment. So far, different types of password authentication schemes with smart cards [3,4,5,6,12,13,14,18,20,21,22,23,26,31] have been proposed. In 1981, Lamport [17] proposed the first well-known remote password authentication scheme using smart cards. In Lamport's scheme, the AS stores a password table at the server to check the validity of the login request made by the user.
However, high hash overhead and the necessity for password resetting decrease the suitability and practical ability of Lamport's scheme. In addition, the Lamport scheme is vulnerable to a small n attack [7]. Since then, many similar schemes [25,28] have been proposed. They all have a common feature: a verification password table should be securely stored in the AS. Actually, this property is a disadvantage from the security point of view.

Keeping in mind all the security requirements for a secure remote user authentication scheme, in 2002 Chien, Jan and Tseng [13] introduced an efficient remote user authentication scheme using smart cards. In 2004, Ku and Chen [33] pointed out some attacks [7,30,32] on Chien–Jan–Tseng's scheme. According to Ku and Chen, Chien et al.'s scheme is vulnerable to a reflection attack [7] and an insider attack [32]. Ku and Chen claimed that Chien et al.'s scheme is also not reparable [32]. In addition, they also proposed an improved scheme to prevent these attacks: the reflection attack and the insider attack on Chien–Jan–Tseng's scheme. In the same year, Hsu [10] pointed out that Chien–Jan–Tseng's scheme is still vulnerable to a parallel session attack, and Yoon et al. [11] claimed that the password change phase of the improved scheme of Chien–Jan–Tseng's scheme is still insecure. This paper proves that security vulnerabilities still exist in Yoon et al.'s scheme, which is still vulnerable to the parallel session attack.

Organization

Section II reviews Yoon et al.'s scheme [11]. Section III is about our observations on the security vulnerabilities of Yoon et al.'s scheme. Finally, Section IV comes to a conclusion.

II. YOON ET AL.'S SCHEME

This section briefly describes Yoon et al.'s scheme [11]. This scheme has four phases: the registration phase, login phase, verification phase and the password change phase.
All these four phases are described below.

A. Registration Phase

This phase is invoked whenever U initially registers or re-registers to AS. Let n denote the number of times U re-registers to AS. The following steps are involved in this phase.
• User U selects a random number b, computes $PW_S = f(b \oplus PW)$ and submits her/his identity ID and $PW_S$ to the AS through a secure channel.
• AS computes two secret numbers $V = f(EID \oplus x)$ and $R = f(EID \oplus x) \oplus PW_S$, where $EID = (ID \,\|\, n)$, creates an entry for the user U in its account database and stores n = 0 for initial registration, otherwise sets n = n + 1, and n denotes the present registration.
• AS provides a smart card to the user U through a secure channel. The smart card contains two secret numbers V, R and a one-way function f.
• User U enters her/his random number b into her/his smart card.

B. Login Phase

For login, the user U inserts her/his smart card into the smart card reader and then keys the identity and the password to gain access services. The smart card will perform the following operations:
• Computes $C_1 = R \oplus f(b \oplus PW)$ and $C_2 = f(C_1 \oplus T_U)$. Here $T_U$ denotes the current date and time of the smart card reader.
• Sends a login request $C = (ID, C_2, T_U)$ to the AS.

C. Verification Phase

Assume AS receives the message C at time $T_S$, where $T_S$ is the current date and time at AS. Then the AS takes the following actions:
• If the identity ID and the time $T_U$ are invalid, i.e. $T_U = T_S$, then AS will reject this login request.
• Checks if $C_2 \stackrel{?}{=} f(f(EID \oplus x) \oplus T_U)$; if so, the AS accepts the login request and computes $C_3 = f(f(EID \oplus x) \oplus T_S)$. Otherwise, the login request C will be rejected.
• AS sends the pair $T_S$ and $C_3$ to the user U for mutual authentication.
• If the time $T_S$ is invalid, i.e. $T_U = T_S$, then U terminates the session.
Otherwise, U verifies the equation $C_3 \stackrel{?}{=} f(C_1 \oplus T_S)$ to authenticate AS.

D. Password Change Phase

This phase is invoked whenever U wants to change his password PW with a new one, say $PW_{new}$. This phase has the following steps.
• U inserts her/his smart card into the smart card reader, keys her/his identity and the old password PW, and then requests to change the password.
• U's smart card computes $V^* = R \oplus f(b \oplus PW)$.
• Compares this calculated value $V^*$ with the secret value V, which is stored in the smart card of the user U. If they are equal, then U can select a new password $PW_{new}$; otherwise the smart card rejects the password change request.
• U's smart card computes a new secret number $R_{new} = V^* \oplus f(b \oplus PW_{new})$ and then replaces R with $R_{new}$.

III. SECURITY ANALYSIS OF YOON ET AL.'S SCHEME

Although Ku and Chen's scheme was modified by Yoon et al. [11], our analysis shows that Yoon et al.'s scheme is still not secure. This section discusses the security weaknesses of Yoon et al.'s scheme.

A. Security Analysis of the Password Change Phase

This section discusses the security weaknesses of the password change phase of Yoon et al.'s scheme. The discussion is divided into two subsections, which are described below.

I. Security weaknesses in the Password Change Phase against the Outsiders

Observe the password change phase of Yoon et al.'s scheme: to replace/change the old password PW with a new password $PW_{new}$, the user/performer should be in possession of the old password PW. The following section describes how any outsider/malicious user can recover the password PW first and then apply this piece of information to make her/his attack succeed. It is clear that the smart card of a legal user U in Yoon et al.'s scheme contains the secret values V and R, a random number b and a public hash function f.
According to Kocher et al. [24] and Messerges et al. [31], from the security point of view, storing secret information in smart cards is not a good practice. On the basis of these assumptions [24,31], an antagonist is able to breach the secrets V, R and b, which are stored in the smart card of the user, and then he will be able to perform a password guessing attack to obtain the password. For the success of this attack, by using the breached secrets R and b the adversary will perform the following operations:
• The antagonist intercepts the login request $C = (ID, C_2, T_U)$ and guesses a password $PW^*$.
• Computes $C_1^* = R \oplus f(b \oplus PW^*) = f(ID \oplus x)^*$ and $C_2^* = f(C_1^* \oplus T_U)$.
• Checks if $C_2^* \stackrel{?}{=} C_2$; if so, the adversary has correctly guessed the password $PW^* = PW$ and $C_1^* = C_1$. Otherwise, the adversary goes to step 1.

Once the adversary has correctly obtained $C_1$, the password $PW^*$ corresponding to $C_1$ will instantly be the correct password, and he can then successfully change the password of the user U. Consequently, when the smart card was stolen, the antagonist is able to recover the password PW of the user, and once the adversary has correctly obtained the password PW, he will be able to destruct anything of his choice. Our focus and aim is to show that, in the password change phase of Yoon et al.'s scheme, an authorized user (antagonist) can easily replace the old password PW by a new password of her/his choice, as shown below. For the success, the antagonist applies the following actions.
• Inserts the smart card into the smart card reader, enters the identity ID and any password PW and then requests to change the password.
• The smart card of the user computes $V^* = R \oplus f(b \oplus PW)$ and then compares the computed value $V^*$ with the stored value V.
Obviously, both values will be the same, because the adversary has entered the correct password. In this way, the smart card accepts the password change request.
• Selects a new password $PW^*_{new}$ and supplies it to the smart card reader, and ultimately the smart card computes a new $R^*_{new} = R \oplus f(b \oplus PW) \oplus f(b \oplus PW^*_{new})$ and then replaces R with $R^*_{new}$.

Thus, if the malicious user stole the user U's smart card, she/he will be able to make a destructive action of her/his choice. Thus, the adversary is able to change the password with a new password of her/his choice. Now the registered/legal user U also will not be able to make a valid login request with her/his valid smart card, because now her/his old password PW will not work.

II. Security weaknesses in the Password Change Phase against the Insider

This subsection proves that the password change phase of Yoon et al.'s scheme is not secure against an antagonist insider at AS. In Yoon et al.'s scheme, observe the registration phase: the user U selects a random number b, computes $PW_S = f(b \oplus PW)$ and submits her/his identity ID and $PW_S$ to the AS through a secure channel. It means the insider of AS is in possession of the number $PW_S = f(b \oplus PW)$ for the legal user U. Again, the AS computes two secret numbers $V = f(EID \oplus x)$ and $R = f(EID \oplus x) \oplus PW_S$, where $EID = (ID \,\|\, n)$. Thus, the insider of AS is also in possession of the secret numbers V and R for the legal user U. Suppose the user U is using the same password PW continuously, which is supplied by the AS at the time of registration; then the insider at AS will be able to change the password PW with a new password of her/his choice. If the smart card is in possession of an antagonist insider at AS for a short time, then first, the insider inserts the smart card into the smart card reader and can directly supply the value V to the smart card reader.
Either he directly supplies V or, in place of $f(b \oplus PW)$, he supplies the value $PW_S$ without using the hash button. Next, the antagonist insider enters a new password $PW^*_{new}$ and then the smart card computes a new $R_{new} = R \oplus f(b \oplus PW) \oplus f(b \oplus PW^*_{new})$ and then replaces R with $R_{new}$. Thus, if the malicious insider stole the user U's smart card once, only for a small time, he can replace the user's password forever in such a way that the user U also will not be able to make a valid login request with her/his valid smart card, because now her/his old password PW will not work properly. As a result, Yoon et al.'s password change phase is still insecure and is under the threat of poor reparability.

B. Parallel Session Attack on Yoon et al.'s Scheme

Although Yoon et al. [11] modified Ku and Chen's scheme to remove its security weaknesses against the parallel session attack, our analysis shows that the modified scheme of Yoon et al. is still vulnerable to the parallel session attack. The following subsection proves our claim that the modified scheme is still vulnerable to a parallel session attack by an intruder. A remote user password authentication scheme is used to authenticate the legitimacy of the remote users over an insecure channel. Thus, an intruder Bob is able to intercept all the communication between the AS and user U and then, from this intercepted information, he makes a valid login request to masquerade as a legal user. The intruder Bob applies the following steps for a successful parallel session attack on Yoon et al.'s scheme.
• Intercepts the login request $C = (ID, C_2, T_U)$ which is sent by a valid user U to AS. In this login request C, the time $T_U$ is the current time of the smart card reader, whenever the user U makes the login request.
• Intercepts the response message $(C_3, T_S)$, which is sent by AS to the user U. In this response message, the time $T_S$ is the current time at the AS, when AS receives the login request C.
• Starts a new session with the AS by sending a fabricated login request $C_f = (ID, C_3, T_S)$.

Upon receiving the fabricated login request $C_f = (ID, C_3, T_S)$ at time $T_S^*$, where $T_S^*$ is the current date and time at AS, the AS performs the following steps to ensure the validity of the received login request.
• Checks the validity of the format of the identity ID and the time $T_U$, i.e. $T_S^* \neq T_S$. Both these conditions hold true, because the intruder has used a previously registered identity ID and obviously the time $T_S^*$ will be different from the time $T_S$.
• Checks the verification equation $C_3 \stackrel{?}{=} f(f(EID \oplus x) \oplus T_S)$, which also holds true. The logic behind the successful verification of this phase is very interesting. If we observe the login and verification phases of Yoon et al.'s scheme, then it makes sense that the second part $C_2$ of the login request $C = (ID, C_2, T_U)$ and the first part $C_3$ of the response message $(C_3, T_S)$ are computed by the same procedure and with similar information.
• AS sends the pair $T_S$ and $C_3$ to the user U for mutual authentication.
• If the time $T_S$ is invalid, i.e. $T_U = T_S$, then U terminates the session. Otherwise, U verifies the equation $C_3 \stackrel{?}{=} f(C_1 \oplus T_S)$ to authenticate AS.
• Finally, AS computes $C_4 = f(f(EID \oplus x) \oplus T_S^*)$ and responds with the message pair $(C_4, T_S^*)$ to the user U for mutual authentication, where $T_S^*$ is the current timestamp of the AS.
Thus, the intruder intercepts and drops this message. In this way, the fabricated login request $C_f = (ID, C_3, T_S)$, which is made by the intruder, satisfies all the requirements for a successful authentication of the intruder Bob by the AS.

IV. CONCLUSION

As we have observed, Yoon et al. just considered the security problems in the password change phase of Ku and Chen's scheme and repaired that phase only. They again presented a modified scheme with the same security parameters as the previous scheme. This paper analyzed that security weaknesses still exist in Yoon et al.'s scheme. The password change phase is still vulnerable to security attacks by an outsider as well as an antagonist insider at AS. On the other side, Yoon et al.'s scheme is still vulnerable to the parallel session attack. Thus, security pitfalls still exist in Yoon et al.'s scheme.

REFERENCES

[1] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, pp. 490-524, 1997.
[2] C. C. Chang and K. F. Hwang, "Some forgery attack on a remote user authentication scheme using smart cards," Informatics, vol. 14, no. 3, pp. 189-294, 2003.
[3] C. C. Chang and S. J. Hwang, "Using smart cards to authenticate remote passwords," Computers and Mathematics with Applications, vol. 26, no. 7, pp. 19-27, 1993.
[4] C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEE Proceedings-E, vol. 138, no. 3, pp. 165-168, 1993.
[5] C. C. Lee, L. H. Li and M. S. Hwang, "A remote user authentication scheme using hash functions," ACM Operating Systems Review, vol. 36, no. 4, pp. 23-29, 2002.
[6] C. C. Lee, M. S. Hwang and W. P. Yang, "A flexible remote user authentication scheme using smart cards," ACM Operating Systems Review, vol. 36, no. 3, pp. 46-52, 2002.
[7] C. J. Mitchell and L. Chen, "Comments on the S/KEY user authentication scheme," ACM Operating System Review, vol. 30, no. 4, pp. 12-16, Oct 1996.
[8] C. K. Chan and L. M. Cheng, "Cryptanalysis of a remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 46, no. 4, pp. 992-993, 2000.
[9] C. Mitchell, "Limitation of a challenge-response entity authentication," Electronic Letters, vol. 25, no. 17, pp. 1195-1196, Aug 1989.
[10] C. L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards," Computer Standards and Interfaces, vol. 26, no. 3, pp. 167-169, 2004.
[11] E. J. Yoon, E. K. Ryu and K. Y. Yoo, "Further improvement of an efficient password based remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 50, no. 2, pp. 612-614, May 2004.
[12] H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 46, no. 4, pp. 958-961, Nov 2000.
[13] H. Y. Chien, J. K. Jan and Y. M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computer & Security, vol. 21, no. 4, pp. 372-375, 2002.
[14] J. J. Shen, C. W. Lin and M. S. Hwang, "A modified remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 49, no. 2, pp. 414-416, May 2003.
[15] K. C. Leung, L. M. Cheng, A. S. Fong and C. K. Chen, "Cryptanalysis of a remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 49, no. 3, pp. 1243-1245, Nov 2003.
[16] L. H. Li, I. C. Lin and M. S. Hwang, "A remote password authentication scheme for multi-server architecture using neural networks," IEEE Trans. Neural Networks, vol. 12, no. 6, pp. 1498-1504, 2001.
[17] L. Lamport, "Password authentication with insecure communication," Communication of the ACM, vol. 24, no. 11, pp. 770-772, 1981.
[18] M. Kumar, "New remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 50, no. 2, pp. 597-600, May 2004.
[19] M. Kumar, "Some remarks on a remote user authentication scheme using smart cards with forward secrecy," IEEE Trans. Consumer Electronic, vol. 50, no. 2, pp. 615-618, May 2004.
[20] M. Kumar, "A new remote user authentication scheme using smart cards with forward secrecy," Report No. 2004/192. http://www.eprint.iacr.org
[21] M. Kumar, "A forward secure remote user authentication," Report No. 2007/303. http://www.eprint.iacr.org
[22] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 46, no. 1, pp. 28-30, Feb 2000.
[23] M. Udi, "A simple scheme to make passwords based on the one-way function much harder to crack," Computer and Security, vol. 15, no. 2, pp. 171-176, 1996.
[24] P. Kocher, J. Jaffe and B. Jun, "Differential power analysis," Proc. Advances in Cryptography (CRYPTO'99), pp. 388-397, 1999.
[25] R. E. Lennon, S. M. Matyas and C. H. Mayer, "Cryptographic authentication of time-variant quantities," IEEE Trans. on Commun., COM-29, no. 6, pp. 773-777, 1981.
[26] S. J. Wang, "Yet another login authentication using N-dimensional construction based on circle property," IEEE Trans. Consumer Electronic, vol. 49, no. 2, pp. 337-341, May 2003.
[27] S. M. Yen and K. H. Liao, "Shared authentication token secure against replay and weak key attack," Information Processing Letters, pp. 78-80, 1997.
[28] T. C. Wu, "Remote login authentication scheme based on a geometric approach," Computer Communication, vol. 18, no. 12, pp. 959-963, 1995.
[29] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. on Information Theory, vol. 31, no. 4, pp. 469-472, July 1985.
[30] T. Hwang and W. C. Ku, "Reparable key distribution protocols for internet environments," IEEE Trans. Commun., vol. 43, no. 5, pp. 1947-1950, May 1995.
[31] T. S. Messerges, E. A. Dabbish and R. H. Sloan, "Examining smart card security under the threat of power analysis attacks," IEEE Trans. on Computers, vol. 51, no. 5, pp. 541-552, May 2002.
[32] W. C. Ku, C. M. Chen and H. L. Lee, "Cryptanalysis of a variant of Peyravian-Zunic's password authentication scheme," IEICE Trans. Commun., vol. E86-B, no. 5, pp. 1682-1684, May 2002.
[33] W. C. Ku and S. M. Chen, "Weaknesses and improvements of an efficient password based user authentication scheme using smart cards," IEEE Trans. Consumer Electronic, vol. 50, no. 1, pp. 204-207, Feb 2004.
[34] Y. L. Tang, M. S. Hwang and C. C. Lee, "A simple remote user authentication scheme," Mathematical and Computer Modeling, vol. 36, pp. 103-107, 2002.

Manoj Kumar received the B.Sc. degree in mathematics from Meerut University Meerut, in 1993; the M.Sc. in Mathematics (Goldmedalist) from C.C.S. University Meerut, in 1995; the M.Phil. (Goldmedalist) in Cryptography, from Dr. B. R. A. University Agra, in 1996; the Ph.D. in Cryptography, in 2003. He also qualified the National Eligibility Test (NET), conducted by Council of Scientific and Industrial Research (CSIR), New Delhi, India, in 2000. He also taught applied Mathematics at D. A. V. College, Muzaffarnagar, India from Sep 1999 to March 2001; at S.D. College of Engineering & Technology, Muzaffarnagar, U.P., INDIA from March 2001 to Nov 2001; at Hindustan College of Science & Technology, Farah, Mathura, U.P., INDIA, from Nov 2001 to March 2005. In 2005, the Higher Education Commission of U.P. has selected him. Presently, he is working in Department of Mathematics, R. K. College Shamli, Muzaffarnagar, U.P., INDIA - 247776.
He is a member of Indian Mathematical Society, Indian Society of Mathematics and Mathematical Science, Ramanujan Mathematical Society, and Cryptography Research Society of India. He is working as a reviewer for some international peer review journals: Journal of System and Software, Journal of Computer Security, International Journal of Network Security, The Computer Journal. He is also working as a Technical Editor for some international peer review journals: Asian Journal of Mathematics & Statistics, Asian Journal of Algebra, Trends in Applied Sciences Research, Journal of Applied Sciences. His current research interests include Cryptography and Applied Mathematics.
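
The scheme reviewed in Section II, modelled in Python so that the observations of Sections III.A and III.B can be checked as properties of the protocol. This is an added example, not code from the paper or from Yoon et al.; SHA-256 as the function f, the 32-byte encoding, the integer timestamps, the sample identity and passwords, and all function and class names are assumptions of this example.

```python
import hashlib
import os

def f(data: bytes) -> bytes:
    # The scheme's one-way function f; SHA-256 is this example's assumption.
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc(value) -> bytes:
    # Constructed encoding: strings and integer timestamps become 32-byte blocks.
    if isinstance(value, int):
        return value.to_bytes(32, "big")
    return value.encode().ljust(32, b"\0")

class AuthServer:
    def __init__(self):
        self.x = os.urandom(32)        # server secret x
        self.n = {}                    # ID -> re-registration counter n

    def _v(self, uid: str) -> bytes:
        # V = f(EID xor x), with EID = ID || n
        return f(xor(enc(f"{uid}|{self.n[uid]}"), self.x))

    def register(self, uid: str, pw_s: bytes) -> dict:
        self.n[uid] = 0
        v = self._v(uid)
        return {"V": v, "R": xor(v, pw_s)}     # values written to the card

    def verify(self, uid: str, c2: bytes, t_u: int, t_s: int):
        # Verification phase as the paper states it; returns (C3, T_S) or None.
        if uid not in self.n or t_u == t_s:
            return None
        if c2 != f(xor(self._v(uid), enc(t_u))):
            return None
        return f(xor(self._v(uid), enc(t_s))), t_s

def new_card(server: AuthServer, uid: str, pw: str) -> dict:
    b = os.urandom(32)                                  # user's random number b
    card = server.register(uid, f(xor(b, enc(pw))))     # PW_S = f(b xor PW)
    card["b"] = b                                       # b is stored on the card
    return card

def login(card: dict, pw: str, t_u: int) -> bytes:
    c1 = xor(card["R"], f(xor(card["b"], enc(pw))))     # C1 = R xor f(b xor PW)
    return f(xor(c1, enc(t_u)))                         # C2 = f(C1 xor T_U)

def change_password(card: dict, old_pw: str, new_pw: str) -> bool:
    v_star = xor(card["R"], f(xor(card["b"], enc(old_pw))))
    if v_star != card["V"]:            # the only check, made on the card itself
        return False
    card["R"] = xor(v_star, f(xor(card["b"], enc(new_pw))))   # R_new
    return True

def reflected_response_accepted() -> bool:
    # Section III.B: (ID, C3, T_S) from the server's reply passes verify() later.
    server = AuthServer()
    card = new_card(server, "alice", "correct horse")
    c3, t_s = server.verify("alice", login(card, "correct horse", 1000), 1000, 1001)
    return server.verify("alice", c3, t_s, 1002) is not None

def guess_confirmed_offline(card: dict, c2: bytes, t_u: int, guess: str) -> bool:
    # Section III.A: R and b from the card plus one captured (C2, T_U) test a guess.
    return login(card, guess, t_u) == c2

def old_password_locked_out() -> bool:
    # The card alone approves the change; afterwards PW no longer yields a valid C2.
    server = AuthServer()
    card = new_card(server, "alice", "correct horse")
    changed = change_password(card, "correct horse", "replaced")
    old_ok = server.verify("alice", login(card, "correct horse", 2000), 2000, 2001)
    new_ok = server.verify("alice", login(card, "replaced", 2000), 2000, 2001)
    return changed and old_ok is None and new_ok is not None
```

All three property functions return True for this model: the server's check cannot tell a login value $C_2$ from its own response value $C_3$, and the password change is decided entirely by values held on the card.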
