A Flexible and Secure Remote Systems Authentication Scheme Using Smart Cards

The paper presents an authentication scheme for remote systems using smart card. The scheme prevents the scenario of many logged in users with the same login identity, and does not require password/verifier table to validate the users' login request.…

Authors: Manik Lal Das

A Flexible and Secure Remote Systems Authentication Scheme Using Smart Cards

Manik Lal Das
Dhirubhai Ambani Institute of Information and Communication Technology
Gandhinagar – 382007, India. Email: maniklal_das@daiict.ac.in

Abstract — The paper presents an authentication scheme for remote systems using smart card. The scheme prevents the scenario of many logged in users with the same login identity, and does not require password/verifier table to validate the users’ login request. The scheme provides a user-friendly password change option, and withstands the replay, impersonation, stolen-verifier, guessing, and denial-of-service attacks¹.

Index Terms — Authentication, Password, Remote Systems, Smart card, Timestamp.

I. INTRODUCTION

Remote system authentication is a process by which a remote system gains confidence about the identity of the communicating partner. In 1981, Lamport [1] first introduced the concept of password-based authentication scheme. Afterwards, numerous studies of remote systems authentication with emphases on various types of mathematical problems (e.g. one-way hash function, public-key setting) have been investigated to improve the security and efficiency of the scheme.

Taking computational cost into consideration, remote systems authentication can be classified into two broad categories: password-based using one-way hash function and public key [2] based techniques. One-way hash function based authentication technique is simple and viable for implementation in a small handheld device like smart card. In contrast, the public-key based technique provides higher security with added computational cost. It is observed that Lamport’s scheme suffers high hash overhead and the necessity for password resetting problems decreases its suitability for practical use. Haller [3] proposed a modified version of Lamport’s scheme, but the modified version is vulnerable to the replay attack.
Shimizu [4] proposed a one-time password authentication scheme on eliminating the weaknesses of [1] and [3]. The one-time characteristic is gained by using two variable random numbers that are changed in every authentication. The user has to memorize two variable random numbers or carry them with some sort of portable storage token, e.g. smart card. In 2000, Sandirigama et al. [5] proposed another hash-based strong-password authentication scheme, but the scheme is vulnerable [6] to some security threats. Later Peyravian and Zunic [7] proposed a hash-based password authentication scheme that requires low computational efforts. However, Hwang and Yeh [8] showed that Peyravian-Zunic’s scheme is vulnerable to password guessing, server spoofing, and stolen-verifier attacks. In 2004, Das et al. proposed a scheme [9] that provides computational efficiency and a user-friendly password change option. Subsequently, a few public-key based remote systems authentication schemes and improvements [10], [11], [12], [13] have also been proposed.

¹ The preliminary version of this work appeared in the Proc. of the Workshop on Information Security, HIT, Haldia, 2006.

We observe that all these schemes provide only one-way authentication, that is, only remote server can check the authenticity of a user. The user cannot check whether he is communicating with the correct server or not. It is a vital gap where a potential adversary can spoof the server and get valuable user information. This motivates us to construct an authentication scheme for remote systems that provides user and server authentication, and the user gets access to the remote system’s resource only if ’s authenticity passed correctly.

To construct the scheme, we use a smart card as the user registration token and the merits of “password” and “smart card” factors for the remote systems authentication.
The use of smart card not only makes the scheme secure but also prevents users from distribution of their login identities, which effectively prohibits the scenario of many logged in users with the same login-identity (login-ID). This generally happens in digital libraries and similar systems, where a subscriber can share his login-ID and password with others. The scheme is computationally efficient and the remote system does not need to maintain any password/verifier table for users’ login request validation. Furthermore, the users are allowed to choose and change their preferred passwords without the remote system’s assistance.

The rest of the paper is organized as follows: In Section 2, we discuss a widely accepted list of security properties for remote systems authentication. We present the scheme in Section 3. The security and efficiency of the scheme are analyzed in Section 4. Finally, we conclude the paper in Section 5.

II. SECURITY PROPERTIES

Desirable security properties of various remote systems authentication have evolved over this period. A widely accepted list of required properties is given below:

- Replay Attack: Replay attack is an offensive action whereby an adversary can intercept a valid login message and then gains access to the remote system by replaying the intercepted information.
- Impersonation Attack: An adversary may impersonate user login by forging a login request and acts as a legitimate user by logging in to the server.
- Stolen-verifier Attack: In practice, it is likely that a user uses the same password to access several servers for his convenience. If an insider of a remote server obtains user password, he could impersonate user's login to access other servers. Generally, the system, which maintains verifier/password table for user's login request verification, may suffer from this attack.
- Guessing Attack: Memorized passwords are subject to guessing attacks.
  The guessing attacks can be classified into two types: on-line password guessing attack and off-line password guessing attack.
  a. On-line password guessing attack: The adversary can try to use a guessed password to pass the verification of remote server in on-line manner. The server could detect the attacks by noticing continuous authentication failures.
  b. Off-line password guessing attack: The adversary can intercept a valid login request and store them locally. Then he would try to find out the password in trial and error method, and verify the login request in off-line manners. Therefore, the remote server could not detect the attacks.
- Denial-of-Service Attack: A denial-of-service attack is an offensive action whereby the adversary could use some method to work upon the remote server so that the server will deny the access requests issued by the legitimate user.

III. PROPOSED SCHEME

The scheme consists of three phases: registration phase, authentication phase and password change phase. The registration phase is performed only once, and the authentication phase is executed every time when a user wants to login to the system.

A. Registration Phase

This phase is invoked whenever a user U_i wants to register to the remote system (RS). The user chooses a password PW_i and submits it to the RS. Upon receiving the registration request, the RS performs the following steps:

R1. Compute a nonce N_i = h(PW_i, ID_i)  h(x), where x is a primary secret key of RS, h(.) is a one-way hash function and  is a bitwise concatenation operator.
R2. Personalize a smart card with the parameters h(.), ID_i, N_i, h(PW_i) and y. The parameter y is RS’s secondary secret number stored in each registered user’s smart card. Then, the RS sends the personalized smart card to U_i in a secure manner.

B. Authentication Phase

This phase is invoked whenever U_i wants to login to the RS.
The phase is further divided into two parts, namely the User authentication and RS authentication. The phases work as follows:

User Authentication

U_i inserts his smart card to a terminal, and keys his identity ID_i and password PW_i. The smart card validates the entered ID_i and PW_i with the stored ones in smart card. If the entered ID_i and PW_i are correct, the smart card performs the following operations:

U1. Compute DID_i = h(PW_i, ID_i)  h(y  T_u), where T_u is timestamp of U_i’s system.
U2. Compute C_i = h(N_i  T_u  y).
U3. Send (DID_i, C_i, T_u) as a login request to the RS over a public channel.

Upon receiving the login request (DID_i, C_i, T_u) at time T_s, the RS authenticates the U_i by the following steps:

V1. Verify the validity of the time interval between T_u and T_s. If (T_s - T_u)   T then the remote system proceeds to the next step, otherwise terminates the request. The  T denotes the expected valid time interval for the transmission delay.
V2. Compute h(PW_i, ID_i) = DID_i  h(y  T).
V3. Compute C_i* = h(h(PW_i, ID_i)  h(x)  T_u  y).
V4. If C_i* = C_i, the RS accepts the login request, rejects otherwise.

RS Authentication

If the user authenticity is passed correctly, the RS’s genuineness is ascertained by the following steps:

S1. Compute X_i = h(h(PW_i, ID_i)  h(x)  T_u  T_s*); T_s* is timestamp of RS’s system.
S2. Send (X_i, T_s*) to the user over a public channel.

Let the user receive the response at time T_u*. Then the smart card validates the time interval between T_u* and T_s*. If (T_u* - T_s*)   T, it computes X_i* = h(N_i  T_u  T_s*). If X_i* = X_i, then the RS is authentic and U_i starts accessing the RS’s resource.

C. Password Change Phase

This phase is invoked whenever U_i wants to change his password. He can easily change his password without taking any assistance from the RS. The phase works as follows:

P1. U_i inserts the smart card into a terminal and submits ID_i and PW_i and requests to change the password. The smart card validates the entered ID_i and PW_i with the one that is stored in the smart card. If entered parameters are correct, the smart card proceeds to the next step, otherwise terminates the operation.
P2. U_i is prompted to submit a new password, and he submits PW_i*.
P3. The smart card computes N_i* = N_i  h(PW_i, ID_i)  h(PW_i*, ID_i).
P4. The nonce N_i and PW_i will be replaced by N_i* and PW_i* respectively, and it completes the password change phase.

IV. ANALYSIS OF THE SCHEME

A. Security Analysis

The replication or extraction of parameter from the private space of smart card is quite difficult as per the present literature. Though it happens by the side channel attacks [14], the experiment cost is much higher than the cost of the intended parameter. Further, some of the smart card manufacturers consider the risk of the side channel attack, and provide countermeasures to deter the reverse engineering attempt. We consider a smart card as a secure device. With this fact, the proposed scheme withstands the following possible threats:

Replay Attack: A replay attack (replaying an intercepted login message) cannot work in the scheme. Suppose an attacker intercepts a valid login request (DID, C, T_u) and tries to login to the RS by replaying the same. The verification of this login request will fail because the interval (T_s - T_u)  T, a mutually agreed transmission delay. Of course, the clock synchronization at client and server needs an attention of this scheme. We believe that this is an efficient way to resist the replay attack, and assume that clock synchronization is being taken into account for the proposed scheme.

Impersonation Attack: An attacker cannot impersonate a legal login by intercepting (DID, C, T_u).
The attacker will have DID, but this DID needs to be recomputed with a new timestamp T_new, which is not possible, as it requires PW and y. To get PW and/or y from DID one has to break the one-wayness property of h(.), which is a hard problem. Now let us see the capability of a valid user to forge a login request. In this case, the user knows PW, but obtaining y is again a hard problem. Thus, no one (including valid users) can forge a login request.

Stolen-verifier Attack: In practice, it is likely that U uses the same password PW to access several servers for his convenience. If an insider of the RS obtains PW, he could frame U’s login to access other servers. Our scheme resists this attack because the insider should need U’s smart card to frame U. In our scheme, U initially submits PW to the RS during the registration process; however, after registration U is free to change his password any time. Further, the RS does not maintain any verifier/password table to validate U’s login request. Thus, there is no question to steal password and thereby execution of the stolen-verifier attack is not possible.

Guessing Attack: The guessing attack is a crucial concern in any authentication scheme. We note that our scheme is free from password/verifier table, and user password is not traveled as a hash of password. Instead, we let password travel as a digest of some other secret components. Therefore, our scheme does not suffer from the guessing attacks.

Denial-of-Service Attack: In the password change phase, the denial-of-service attack may occur when the RS updates the new verifier or password for the next login without checking the validation of the entered input. This allows the RS to reject all subsequent login requests of a legal user. Therefore, it is intuitive to check any request/input before updating the verifier or password.
In our scheme, when a user logs into RS or wants to change his password, the smart card checks the validity of the card owner password before processing any instruction. Even if a smart card is stolen or lost, the party who has the smart card cannot login to RS or change the password without knowing the card owner’s password. Therefore, denial-of-service attack is not possible in our scheme.

B. Efficiency

The smart card personalization cost for the registration process of our scheme is at par with the schemes in [10], [11], [12], [13]. The login and verification phases of these schemes require multiple modular arithmetic and hash computation, whereas the login and verification phases of our scheme require only hash computation. Therefore, our scheme is computationally efficient in comparison to the schemes [10], [11], [12], [13]. As most of the hash-based schemes [1]-[5], [7], [9] suffer from the security weakness and our scheme attains its security strength against the possible threats, the proposed scheme is practical and viable in smart card based authentication schemes.

V. CONCLUSION

We have proposed an efficient remote systems authentication scheme that provides the following characteristics:

- the scheme provides mutual authentication between user and remote server.
- the scheme prevents the scenario of many logged in users with the same login identity.
- the scheme provides a flexible password change option, where users can change their passwords any time without any assistance of remote server.
- the remote server does not require to maintain any verifier/password table to validate the login request.
- the scheme withstands the replay, impersonation, stolen-verifier, guessing, and denial-of-service attacks.
In future, the authors will try to avoid the secure channel in the registration phase so that the proposed construction would be purely public channel based remote systems authentication, and this is an interesting and challenging extension of the proposed work.

REFERENCES

[1] L. Lamport. Password authentication with insecure communication. Commun. ACM, vol. 24, no. 11, pp. 770-772, 1981.
[2] IEEE P1363.2 Draft D12. Standard specifications for password-based public key cryptographic techniques. IEEE P1363 working group, 2003.
[3] N. M. Haller. A one-time password system. RFC 1704, 1994.
[4] A. Shimizu. A dynamic password authentication method by one-way function. IEICE Transactions on Information and Systems, vol. J73-D-I, no. 7, pp. 630-636, 1990.
[5] M. Sandirigama, A. Shimizu and M. T. Noda. Simple and secure password authentication protocol. IEICE Transactions on Communications, vol. E83-B, no. 6, pp. 1363-1365, 2000.
[6] W. C. Ku and C. M. Chen. Cryptanalysis of a one-time password authentication protocols. In: Proceedings of National Computer Symposium, 2001.
[7] M. Peyravian and N. Zunic. Methods for protecting password transmission. Computers & Security, vol. 19, no. 5, pp. 466-469, 2000.
[8] J. J. Hwang and T. C. Yeh. Improvement on Peyravian-Zunic’s password authentication schemes. IEICE Transactions on Communications, vol. E85-B, no. 4, pp. 823-825, 2002.
[9] M. L. Das, A. Saxena and V. P. Gulati. A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004.
[10] A. K. Awasthi and S. Lal. A remote user authentication scheme using smart cards with Forward Secrecy. IEEE Transactions on Consumer Electronics, vol. 49, no. 4, pp. 1246-1248, 2003.
[11] M. S. Hwang, C. C. Chang, and K. F. Hwang. An ElGamal-like cryptosystem for enciphering large messages. IEEE Trans. on Knowledge and Data Engineering, vol. 14, no. 2, pp. 445-446, 2002.
[12] A. Saxena, M. L. Das, V. P. Gulati, and D. B. Phatak. Dynamic remote user authentication. In: International Conference on Advanced Computing and Communications (ADCOM’04), pp. 313-315, 2004.
[13] M. L. Das, A. Saxena, V. P. Gulati, and D. B. Phatak. A novel remote user authentication using bilinear pairings. To appear in Computers & Security, Elsevier, 2006.
[14] P. C. Kocher, J. Jaffe and B. Jun. Differential power analysis: Leaking secrets. In: Proceedings of Crypto’99, LNCS 1666, Springer-Verlag, pp. 388-397, 1999.
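
An added example, not code from the paper: one reading of the registration, authentication and password change phases of Section III in Python, with the step labels (R1-R2, U1-U3, V1-V4, S1, P1-P4) marked in comments. The operator glyphs are missing on this page, so the code assumes XOR between hash outputs (the reading under which V2 recovers h(PW_i, ID_i) and P3 cancels the old password) and concatenation inside h(.); SHA-256, the length-prefixed encoding, integer timestamps, the `DELTA_T` value, the two-sided interval check and all class and function names are assumptions as well.

```python
import hashlib, hmac, os
DELTA_T = 5  # assumed value (seconds) for the valid time interval in V1

def h(*parts: bytes) -> bytes:
    """h(.) as SHA-256 over length-prefixed, concatenated arguments (assumption)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:  # assumed operator between hash outputs
    return bytes(i ^ j for i, j in zip(a, b))
def ts(t: int) -> bytes:  # timestamps modelled as integer seconds (assumption)
    return t.to_bytes(8, "big")
def fresh(sent: int, received: int) -> bool:  # assumed form of the interval check
    return 0 <= received - sent <= DELTA_T

class SmartCard:
    def __init__(self, ident, n, hpw, y):
        self.ident, self.n, self.hpw, self.y = ident, n, hpw, y

    def _owner(self, ident, pw):  # card-side check of ID_i and PW_i
        return ident == self.ident and hmac.compare_digest(h(pw), self.hpw)

    def login_request(self, ident, pw, t_u):  # U1-U3
        if not self._owner(ident, pw):
            return None
        did = xor(h(pw, ident), h(self.y, ts(t_u)))
        return did, h(self.n, ts(t_u), self.y), t_u

    def rs_is_authentic(self, x_i, t_u, t_s, now):  # check of (X_i, T_s*)
        return fresh(t_s, now) and hmac.compare_digest(h(self.n, ts(t_u), ts(t_s)), x_i)

    def change_password(self, ident, pw, new_pw):  # P1-P4, RS not involved
        if not self._owner(ident, pw):
            return False
        self.n = xor(xor(self.n, h(pw, ident)), h(new_pw, ident))
        self.hpw = h(new_pw)
        return True

class RemoteSystem:
    def __init__(self):
        self.x, self.y = os.urandom(32), os.urandom(32)  # secrets x and y

    def register(self, ident, pw):  # R1-R2; nothing is stored per user
        return SmartCard(ident, xor(h(pw, ident), h(self.x)), h(pw), self.y)

    def login(self, did, c, t_u, t_s):  # V1-V4, then S1
        if not fresh(t_u, t_s):
            return None
        n = xor(xor(did, h(self.y, ts(t_u))), h(self.x))  # V2, then N_i
        if not hmac.compare_digest(h(n, ts(t_u), self.y), c):
            return None
        return h(n, ts(t_u), ts(t_s)), t_s  # S1: (X_i, T_s*)
```

Passing the tuple from `login_request` to `RemoteSystem.login` and the reply to `rs_is_authentic` runs the full mutual exchange; the same request presented more than `DELTA_T` after T_u returns `None`, and a login after `change_password` succeeds although the RS was never told the new password.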
