On the Security of Liaw et al.s Scheme


Authors: Amit K Awasthi

On the Security of Liaw et al.'s Scheme

Amit K Awasthi
Department of Mathematics, Pranveer Singh Institute of Technology, Kanpur-208020, UP, India.
Email: awasthi@psit.in

Abstract

Recently, Liaw et al. proposed a remote user authentication scheme using smartcards. They claimed a number of features of their scheme, e.g. a dictionary of verification tables is not required to authenticate users; users can choose their password freely; mutual authentication is provided between the user and the remote system; the communication cost and the computational cost are very low; users can update their password after the registration phase; a session key agreed by the user and the remote system is generated in every session; and the nonce-based scheme does not require a timestamp (to solve the serious time synchronization problem), etc. In this paper we show that Liaw et al.'s scheme does not stand up to various security requirements and is completely insecure.

Keywords: Authentication, Smartcards, Remote system, Attack.

1 Introduction

In an insecure communication network, remote user authentication is a tool to authenticate remote users. Remote user authentication is a process by which a remote user gains access to remote resources. In 1981, Lamport [5] proposed a password-based remote user authentication scheme using password tables to verify the remote user over an insecure communication channel. That scheme does not fulfil the security requirements of the current scenario. Since Lamport's scheme, several remote user authentication schemes and improvements [1], [3], [4], [6], [8] have been proposed, with and without smart cards. Some of these schemes are also discussed in a survey [7].

Recently, Liaw et al. [6] proposed a remote user authentication scheme using smart cards. Their scheme claims a number of features, e.g. a dictionary of verification tables is not required to authenticate users; users can choose their password freely; mutual authentication is provided between the user and the remote system; the communication cost and the computational cost are very low; users can update their password after the registration phase; a session key agreed by the user and the remote system is generated in every session; and the nonce-based scheme does not require a timestamp (to solve the serious time synchronization problem), etc. In this paper we show that Liaw et al.'s scheme has many security holes and is completely insecure.

2 The Liaw et al.'s scheme

The scheme consists of five phases: registration, login, verification, session and password change.

2.1 Registration phase

A new user $U_i$ submits identity $ID_i$ and password $PW_i$ to the remote system for registration. The remote system computes $U_i$'s secret information $v_i = h(ID_i, x)$ and $e_i = v_i \oplus PW_i$, where $x$ is a secret key maintained by the remote system and $h(\cdot)$ is a secure one-way hash function. Then the remote system writes $h(\cdot)$ and $e_i$ into the memory of a smart card and issues the card to $U_i$.

2.2 Login phase

When $U_i$ wants to log into the remote system, he/she inserts the smart card into the terminal and enters $ID_i$ and $PW_i$. The smart card then performs the following operations:

L1. Generate a random nonce $N_i$ and compute $C_i = h(e_i \oplus PW_i, N_i)$.
L2. Send the login message $\langle ID_i, C_i, N_i \rangle$ to the remote system.

2.3 Verification phase

To check the authenticity of $\langle ID_i, C_i, N_i \rangle$, the remote system checks the validity of $ID_i$. If $ID_i$ is valid, it computes $v'_i = h(ID_i, x)$ and checks whether $C_i = h(v'_i, N_i)$. Then it generates a random nonce $N_s$, encrypts the message $M = E_{v'_i}(N_i, N_s)$ and sends it back to the card. The smart card decrypts the message $D_{e_i \oplus PW_i}(M)$ and gets $(N'_i, N'_s)$. Then it verifies whether $N'_i = N_i$ and $N'_s = N_s$. If these checks hold, the mutual authentication is done.

2.4 Session phase

This phase involves two public parameters $q$ and $\alpha$, where $q$ is a large prime number and $\alpha$ is a primitive element mod $q$. The phase works as follows:

S1. The remote system computes $S_i = \alpha^{N_s} \bmod q$ and sends $S_i$ to the smart card. The smart card computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.
S2. The remote system computes $K_s = (W_i)^{N_s} \bmod q$ and the smart card computes $K_u = (S_i)^{N_i} \bmod q$. It is easy to see that $K_s = K_u$. Then the card and the remote system exchange data using the session key and $e_i$.

2.5 Password change phase

With this phase $U_i$ can change his/her $PW_i$ by the following steps:

S1. Calculate $e'_i = e_i \oplus PW_i \oplus PW'_i$.
S2. Update $e_i$ in the memory of the smart card to $e'_i$.

3 Security Weaknesses

1. In the registration phase, user $U_i$ submits its identity $ID_i$ and password $PW_i$ to the remote system. The medium of communication is not described: is it secure or insecure? In real deployments, the user normally uses an insecure channel. In such a case the password $PW_i$ is revealed to an adversary $A$ in between.

2. In the login phase, when user $U_i$ keys in his identity $ID_i$ and password $PW_i$, the smartcard computes a login message $\langle ID_i, C_i, N_i \rangle$, where $N_i$ is a random nonce and $C_i = h(e_i \oplus PW_i, N_i)$. This login message travels through insecure public channels. The adversary $A$ can intercept the valid login request $\langle ID_i, C_i, N_i \rangle$. Now, with this information, adversary $A$ can mount a replay attack. He sends $\langle ID_i, C_i, N_i \rangle$ to the remote system at any time as a login request. To validate $\langle ID_i, C_i, N_i \rangle$, the remote system does the following:

- Checks the validity of $ID_i$.
- Computes $v'_i = h(ID_i, x)$ and checks whether $C_i = h(v'_i, N_i)$. Note at this point that there is no check at the server side which prevents the reuse of the nonce $N_i$, which was already used in some previous login. Thus the server is unable to decide whether $C_i$ is coming from a legitimate user or from an adversary. It is obvious that the system authenticates the login request.
- The remote system generates a nonce $N^*_s$ and encrypts the message $M = E_{v'_i}(N_i, N^*_s)$, then sends $\langle M \rangle$ back to the communicating party (that is, adversary $A$ here, impersonating the legitimate user).
- Now, $A$ will just reply 'OK' and will enjoy access to the remote system.

Therefore, ultimately the concept of mutual authentication fails on both sides.

3. In the above paragraph, adversary $A$ has knowledge of the login request $\langle ID_i, C_i, N_i \rangle$. If he is somehow able to access the user's smartcard, he can recover the information $e_i$, which is stored on the smartcard. Now, having knowledge of $C_i$ and $e_i$, the adversary can perform an offline attack, as he knows three variables of the equation $C_i = h(e_i \oplus PW_i, N_i)$. He can try various combinations of passwords by hit and trial.

4. The session phase of Liaw et al.'s scheme suffers from a man-in-the-middle attack while the user and server are establishing the common session key. It works as follows:

1. The remote system computes $x_S = \alpha^{N^*_s} \bmod q$ and communicates $x_S$. The adversary $A$ computes $x_A = \alpha^{N_i} \bmod q$ and sends $x_A$ to the remote system.
2. The remote system computes $K_s = (x_A)^{N^*_s} \bmod q$ and $A$ computes $K_a = (x_S)^{N_i} \bmod q$. It is easy to see that $K_s = K_a$.

Now, with the help of the other public parameters, the adversary can communicate with the server in an encrypted way.

4 Conclusion

In this paper, we have shown various security holes of Liaw et al.'s scheme.

References

[1] A. K. Awasthi and S. Lal, A remote user authentication scheme using smart cards with forward secrecy, IEEE Transactions on Consumer Electronics, 49(4), 1246–1248 (2003).
[2] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22, 644–654 (1976).
[3] M. S. Hwang, C. C. Lee and Y. L. Tang, A simple remote user authentication scheme, Mathematical and Computer Modelling, 36(1-2), 103–107 (2002).
[4] M. S. Hwang and L. H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, 24(1), 28–30 (2000).
[5] L. Lamport, Password authentication with insecure communication, Communications of the ACM, 24, 770–772 (1981).
[6] H. T. Liaw, J. F. Lin and W. C. Wu, An efficient and complete remote user authentication scheme using smart cards, Mathematical and Computer Modelling, Elsevier, 44, 223–228 (2006).
[7] C. S. Tsai, C. C. Lee and M. S. Hwang, Password authentication schemes: Current status and key issues, International Journal of Network Security, 3(2), 101–115 (2006).
[8] E. J. Yoon, E. K. Ryu and K. Y. Yoo, An improvement of Hwang-Lee-Tang's simple remote user authentication scheme, Computers and Security, 24(1), 50–56 (2005).
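The following is an added example, not code from the paper or from Liaw et al.: it models the registration, login and verification steps of Section 2 in Python and exposes the point made in weakness 2 of Section 3, namely that the server's check $C_i = h(v'_i, N_i)$ accepts an intercepted login message a second time unless it also remembers the nonces it has already accepted. The hash instantiation (SHA-256), the hashing of $PW_i$ to a 32-byte value for the XOR with $v_i$, and the identity and password values are assumptions of this example.

```python
import hashlib, hmac, os

def h(*parts: bytes) -> bytes:
    # The scheme's one-way hash h(.); SHA-256 over the joined parts is an assumption here.
    return hashlib.sha256(b"|".join(parts)).digest()

def pw_key(pw: bytes) -> bytes:
    # The paper does not say how PW_i is sized for the XOR with v_i; a 32-byte hash is assumed.
    return hashlib.sha256(pw).digest()

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

class RemoteSystem:
    def __init__(self, x: bytes, track_nonces: bool):
        self.x = x                    # server secret key x
        self.registered = set()       # valid identities only; no table of passwords is kept
        self.track_nonces = track_nonces
        self.seen = {}                # ID -> nonces already accepted (the check the paper finds missing)
    def register(self, ID: bytes, PW: bytes) -> bytes:
        self.registered.add(ID)
        v = h(ID, self.x)             # v_i = h(ID_i, x)
        return xor(v, pw_key(PW))     # e_i = v_i XOR PW_i, written to the smart card
    def verify(self, ID: bytes, C: bytes, N: bytes) -> bool:
        if ID not in self.registered:
            return False
        v = h(ID, self.x)             # v'_i = h(ID_i, x)
        if not hmac.compare_digest(C, h(v, N)):   # is C_i == h(v'_i, N_i)?
            return False
        if self.track_nonces:         # hardened variant: refuse a nonce this ID has used before
            if N in self.seen.setdefault(ID, set()):
                return False
            self.seen[ID].add(N)
        return True

class SmartCard:
    def __init__(self, e: bytes):
        self.e = e                    # e_i as issued at registration
    def login(self, ID: bytes, PW: bytes):
        N = os.urandom(16)            # L1: fresh nonce N_i
        C = h(xor(self.e, pw_key(PW)), N)   # C_i = h(e_i XOR PW_i, N_i)
        return ID, C, N               # L2: login message <ID_i, C_i, N_i>

def replay_outcome(track_nonces: bool):
    # Returns (genuine login accepted?, the identical message accepted a second time?).
    server = RemoteSystem(os.urandom(32), track_nonces)
    ID, PW = b"alice", b"constructed-password"   # constructed sample values
    card = SmartCard(server.register(ID, PW))
    msg = card.login(ID, PW)          # one genuine login as it appears on the public channel
    return server.verify(*msg), server.verify(*msg)
```

With `track_nonces=False` (the scheme as described) both calls return True; with the per-identity nonce record the second presentation is rejected, while a wrong password is rejected in either configuration.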
