On the Security of "an efficient and complete remote user authentication scheme"

Recently, Liaw et al. proposed a remote user authentication scheme using smart cards. Their scheme has claimed a number of features e.g. mutual authentication, no clock synchronization, no verifier table, flexible user password change, etc. We show t…

Authors: Manik Lal Das

Manik Lal Das
Dhirubhai Ambani Institute of Information and Communication Technology
Gandhinagar - 382007, India.
Email: maniklal das@daiict.ac.in

Abstract

Recently, Liaw et al. proposed a remote user authentication scheme using smart cards. Their scheme has claimed a number of features, e.g. mutual authentication, no clock synchronization, no verifier table, flexible user password change, etc. We show that Liaw et al.'s scheme is completely insecure. By intercepting a valid login message in Liaw et al.'s scheme, any unregistered user or adversary can easily log in to the remote system and establish a session key.

Keywords: Password, Authentication, Smart cards, Remote system.

1 Introduction

Remote system authentication is a process by which a remote system gains confidence about the identity (or login request) of the communicating partner. Since Lamport's scheme [1], several remote user authentication schemes and improvements have been proposed with and without smart cards. Recently, Liaw et al. [2] proposed a remote user authentication scheme using smart cards. Their scheme has claimed a number of features, e.g. mutual authentication, no clock synchronization, no verifier table, flexible user password change, etc. We show that Liaw et al.'s scheme is completely insecure. Any unregistered user can easily log in to the remote system and establish a session key.

2 The Liaw et al.'s scheme

The scheme consists of five phases: registration, login, verification, session and password change.

Registration phase: A new user $U_i$ submits identity $ID_i$ and password $PW_i$ to the remote system for registration.
The remote system computes $U_i$'s secret information $v_i = h(ID_i, x)$ and $e_i = v_i \oplus PW_i$, where $x$ is a secret key maintained by the remote system and $h(\cdot)$ is a secure one-way hash function. Then the remote system writes $h(\cdot)$ and $e_i$ into the memory of a smart card and issues the card to $U_i$.

Login phase: When $U_i$ wants to log in to the remote system, he/she inserts the smart card into the terminal and enters $ID_i$ and $PW_i$. The smart card then performs the following operations:

L1. Generate a random nonce $N_i$ and compute $C_i = h(e_i \oplus PW_i, N_i)$.
L2. Send the login message $\langle ID_i, C_i, N_i \rangle$ to the remote system.

Verification phase: To check the authenticity of $\langle ID_i, C_i, N_i \rangle$, the remote system checks the validity of $ID_i$. If $ID_i$ is valid, it computes $v'_i = h(ID_i, x)$ and checks whether $C_i = h(v'_i, N_i)$. It then generates a random nonce $N_s$, encrypts the message $M = E_{v'_i}(N_i, N_s)$ and sends it back to the card. The smart card decrypts the message $D_{e_i \oplus PW_i}(M)$ and gets $(N'_i, N'_s)$. It then verifies whether $N'_i = N_i$ and $N'_s = N_s$ (see footnote 1). If these checks hold, the mutual authentication is done.

Footnote 1: It is noted that the verification of $N'_s = N_s$ cannot be examined because the smart card does not have information about $N_s$.

Session phase: This phase involves two public parameters $q$ and $\alpha$, where $q$ is a large prime number and $\alpha$ is a primitive element mod $q$. The phase works as follows:

S1. The remote system computes $S_i = \alpha^{N_s} \bmod q$ and sends $S_i$ to the smart card. The smart card computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.
S2. The remote system computes $K_s = (W_i)^{N_s} \bmod q$ and the smart card computes $K_u = (S_i)^{N_i} \bmod q$. It is easy to see that $K_s = K_u$.

Then, the card and the remote system exchange the data using the session key and $e_i$.

Password change phase: With this phase $U_i$ can change his/her $PW_i$ by the following steps:

S1. Calculate $e'_i = e_i \oplus PW_i \oplus PW'_i$.
S2. Update $e_i$ in the memory of the smart card to $e'_i$.

3 Security Weaknesses

Weakness of Authentication phase: The authentication phase suffers from replay attacks. The authenticity of the login request is not checked at all. The adversary $A$ (or any unregistered user) intercepts a valid login request, say $\langle ID_i, C_i, N_i \rangle$. Later $A$ sends $\langle ID_i, C_i, N_i \rangle$ to the remote system as a login request. To validate $\langle ID_i, C_i, N_i \rangle$, the remote system does the following:

1. Check the validity of $ID_i$. This holds true, because the adversary sends $ID_i$, intercepted from a valid login request.
2. Compute $v'_i = h(ID_i, x)$ and check whether $C_i = h(v'_i, N_i)$. This check also passes successfully, because there is no record at the server side of whether $N_i$ was used in some previous login message. Therefore the server is unable to detect whether $C_i$ is coming from a legitimate user or from an adversary. Now we see the security strength of the mutual authentication.
3. The remote system generates a nonce $N^*_s$ and encrypts the message $M = E_{v'_i}(N_i, N^*_s)$, then sends $\langle M \rangle$ back to the communicating party (it assumes the logged-in entity is a legitimate user).
4. $A$ does not do anything; it simply sends a valid signal saying that the server authenticity check is done, and then $A$ gains access to the remote system.

Therefore, ultimately there are no user or server authenticity checks at all.

Weakness of Session phase: Although Liaw et al.'s scheme used the Diffie-Hellman [3] key exchange protocol for session key establishment, they did not consider the risk of the Diffie-Hellman protocol (i.e., man-in-the-middle attack) while establishing the user and server common session key.
Let us examine the weakness of the session phase.

1. The remote system computes $S_i = \alpha^{N^*_s} \bmod q$ and sends $S_i$ to the communicating party. $A$ (who has already passed the authentication phase and gained access to the remote system) computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.
2. The remote system computes $K_s = (W_i)^{N^*_s} \bmod q$ and $A$ computes $K_a = (S_i)^{N_i} \bmod q$. It is easy to see that $K_s = K_a$.

In fact, all the parameters $N_i, S_i, W_i, \alpha, q$ are public, so anyone can compute the session key. Once the session key is established, the remote system and $A$ exchange data in an encrypted manner, where $e_i$ acts as the encryption key. Firstly, the remote system does not know $e_i$. Secondly, the session key never serves the purpose of transaction privacy; instead it is just xor-ed with the message and $e_i$ is used for transaction privacy, which is not the actual scenario in practical applications.

Weakness of Password change phase: There is no verification of the entered password. This effectively makes the smart card useless. Suppose $U_i$ enters a password which is actually misspelled or incorrect, that is, instead of $PW_i$ he/she enters $PW$. However, the smart card takes the wrong password $PW$ and asks for a new password. Now, $U_i$ enters the new password $PW'_i$. The smart card replaces the old $e_i$ with the new $e'_i$, where $e'_i = e_i \oplus PW \oplus PW'_i = h(ID_i, x) \oplus PW_i \oplus PW \oplus PW'_i$. At the next login, $U_i$ cannot log in to the remote system, because the verification of $C_i$ fails. In another scenario, if $U_i$'s smart card is lost or stolen, then the party who got the smart card would try to log in and enter some random password, which leads to blocking the card, as there is no provision for checking the entered password.

4 Conclusion

We have shown the security weaknesses of Liaw et al.'s scheme. The design of Liaw et al.'s scheme is so weak that anyone can log in to the remote system by just intercepting a valid login message.

References

[1] L. Lamport, Password authentication with insecure communication. Communications of the ACM 24 770–772 (1981).
[2] H.-T. Liaw, J.-F. Lin and W.-C. Wu, An efficient and complete remote user authentication scheme using smart cards. Mathematical and Computer Modelling, Elsevier 44 223-228 (2006).
[3] W. Diffie and M. E. Hellman, New directions in cryptography. IEEE Transactions on Information Theory 22 644–654 (1976).
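
The authentication-phase and session-phase weaknesses of Section 3, as an added example that is not code from the paper or from Liaw et al.: it models the registration, login and verification computations and shows that the server's check returns the same result for a resent login message, and that the session key follows from the public values. Assumptions: SHA-256 stands in for $h(\cdot)$, the password is encoded as 32 bytes, $q$ and $\alpha$ are toy values, and `verify_with_nonce_cache` is a hypothetical mitigation that the paper does not propose.

```python
import hashlib, hmac, secrets

X = secrets.token_bytes(32)        # server secret x (constructed for this demo)
Q, ALPHA = 2**127 - 1, 3           # toy public q, alpha (assumed; alpha not checked for primitivity)
REGISTERED = set()                 # valid IDs only; the scheme keeps no verifier table

def h(*parts):
    """h(.) modelled as SHA-256 over length-prefixed inputs (assumption)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))

def register(uid, pw):
    """Registration: the card stores e_i = h(ID_i, x) XOR PW_i."""
    REGISTERED.add(uid)
    return xor(h(uid, X), pw)

def card_login(uid, e, pw):
    """Login: fresh N_i, C_i = h(e_i XOR PW_i, N_i); returns <ID_i, C_i, N_i>."""
    n = secrets.token_bytes(16)
    return uid, h(xor(e, pw), n), n

def verify_original(msg):
    """Verification as described: ID_i is valid and C_i == h(v'_i, N_i)."""
    uid, c, n = msg
    return uid in REGISTERED and hmac.compare_digest(c, h(h(uid, X), n))

def verify_with_nonce_cache(msg, seen):
    """Hypothetical mitigation: also reject any (ID_i, N_i) already accepted."""
    uid, _, n = msg
    if (uid, n) in seen or not verify_original(msg):
        return False
    seen.add((uid, n))
    return True

def demo():
    pw = hashlib.sha256(b"constructed password").digest()        # PW_i as 32 bytes
    captured = card_login(b"alice", register(b"alice", pw), pw)  # message seen on the wire
    original = (verify_original(captured), verify_original(captured))  # 2nd call = resend
    seen = set()
    cached = (verify_with_nonce_cache(captured, seen), verify_with_nonce_cache(captured, seen))
    n_i, n_s = int.from_bytes(captured[2], "big"), secrets.randbelow(Q - 2) + 1
    k_server = pow(pow(ALPHA, n_i, Q), n_s, Q)    # K_s = (W_i)^{N_s} mod q
    k_observer = pow(pow(ALPHA, n_s, Q), n_i, Q)  # (S_i)^{N_i} mod q from public S_i, N_i
    return original, cached, k_server == k_observer

print(demo())  # ((True, True), (True, False), True)
```

The nonce cache only makes the server notice a repeated $N_i$; it does not address the session-phase or password-change weaknesses.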
