Cryptanalysis of a more efficient and secure dynamic ID-based remote user authentication scheme
In 2004, Das, Saxena and Gulati proposed a dynamic ID-based remote user authentication scheme which has many advantages, such as no verifier table, user freedom to choose and change password, and so on. However the subsequent papers have shown that this…
Authors: Mohammed Aijaz Ahmed(1), D. Rajya Lakshmi(1), Sayed Abdul Sattar(2) ((1)GITAM University
International Journal of Network Security & Its Applications (IJNSA), Vol.1, No. 3, October 2009

CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME

Mohammed Aijaz Ahmed 1, D. Rajya Lakshmi 2 and Sayed Abdul Sattar 3

1 Department of Computer Science and Engineering, GITAM University, Vishakapatnam
mohd_aijaz@yahoo.com
2 Department of Information Technology, GITAM University, Vishakapatnam
rdavuluri@yahoo.com
3 Department of Computer Science and Engineering, J.N.T. University, Hyderabad
syed49in@yahoo.com

ABSTRACT

In 2004, Das, Saxena and Gulati proposed a dynamic ID-based remote user authentication scheme which has many advantages, such as no verifier table, user freedom to choose and change password, and so on. However, the subsequent papers have shown that this scheme is completely insecure and vulnerable to many attacks. Since then many schemes with improvements to Das et al.’s scheme have been proposed, but each has its pros and cons. Recently Yan-yan Wang et al. have proposed a scheme to overcome the security weaknesses of Das et al.’s scheme. However, this scheme too is vulnerable to various security attacks such as password guessing attack, masquerading attack and denial of service attack.

KEYWORDS

Password, Authentication, Smartcard, Remote User, Masquerade Attack

1. INTRODUCTION

In order to prevent the invasion of privacy and solve security problems, a remote user would need to provide proof to a system that he/she is a legitimate user before he/she logs onto the remote system. There are many methods proposed to verify the legitimacy of a remote user, such as password, fingerprint, typing sequence, and so forth. Among them, password based remote user authentication is extensively used and easily implemented to authenticate a legitimate user.

In 1981, Lamport [3] proposed a password based authentication scheme that could authenticate remote users over an insecure channel. Since then many schemes [6, 7, 8, 9] have been proposed to improve security, efficiency, and cost. In 2004, Das, Saxena and Gulati proposed a dynamic ID-based remote user authentication scheme [2] which has many advantages, such as no verifier table, user freedom to choose and change password, and so on. However, the subsequent papers [4, 5] have shown that this scheme is completely insecure and vulnerable to many attacks. Since then many schemes [1, 4] with improvements to Das et al.’s scheme have been proposed, but each has its pros and cons. Recently Yan-yan Wang et al. [1] have proposed a scheme to overcome the security weaknesses of Das et al.’s scheme. However, in this paper we state that this scheme too is vulnerable to a few security attacks such as password guessing attack, masquerading attack and denial of service attack.

The rest of the paper is organized as follows. In section 2 we present a review of Yan-yan Wang et al.’s scheme. Section 3 describes the cryptanalysis of Yan-yan Wang et al.’s scheme. Finally, some concluding comments are included in the last section.

2. REVIEW OF YAN-YAN WANG ET AL.’S SCHEME

The scheme consists of four phases: the registration phase, the login phase, the verification phase and the password change phase. The notations used in the scheme are as follows:

U             The user
PW            The password of U
ID            The identity of U
S             The remote server
h(.)          A one-way hash function
⊕             Bitwise XOR operation
→             A common channel
==>           A secure channel
A → B: M      A sends M to B through common channel
A ==> B: M    A sends M to B through secure channel

2.1. Registration Phase

The user Ui sends the registration request to the remote server S:

1) Ui submits IDi to S.
2) S computes:
       Ni = h(PWi) ⊕ h(x) ⊕ IDi
   where x is the secret of the remote server and PWi is the password of Ui chosen by S.
3) S personalizes the smartcard with the parameters [h(.), Ni, y], where y is the remote server’s secret number stored in each registered user’s smartcard.
4) S ==> Ui: PWi and smartcard.

2.2. Login Phase

When a user wants to log in to the remote server, he/she inserts the smartcard into the terminal and keys in the identity IDi and the password PWi. The smartcard then performs the following steps:

1) Computes the dynamic ID:
       CIDi = h(PWi) ⊕ h(Ni ⊕ y ⊕ T) ⊕ IDi
   where T is the current date and time.
2) Ui → S: IDi, CIDi, Ni, T

2.3. Verification Phase

When the remote server S receives the request (IDi, CIDi, Ni, T) at time T’, S verifies as follows:

1) Checks the validity of the time interval: if T’ – T ≤ ∆T holds, S accepts the login request of Ui, otherwise the login request will be rejected, where ∆T is the valid time interval.
2) S computes:
       h’(PWi) = CIDi ⊕ h(Ni ⊕ y ⊕ T) ⊕ IDi
3) and computes
       IDi’ = Ni ⊕ h’(PWi) ⊕ h(x)
   and verifies whether it is equal to IDi in the login request of Ui. If it does not hold, S rejects the login request of Ui, otherwise accepts it. Then S computes a’ using the result of step 2:
       a’ = h(h’(PWi) ⊕ y ⊕ T’)
4) S sends (a’,T) to Ui.

Upon receiving the reply message (a’,T) at time T*, Ui verifies as follows:

5) Ui checks whether T* – T’ ≤ ∆T. If it does, then Ui computes a = h(h(PWi) ⊕ y ⊕ T’) and compares it with the received a’. If it holds, Ui confirms that S is valid.

2.4. Password Change Phase

When the user wants to change the password, he/she inserts the smartcard into the terminal device, keys in the password PWi and requests to change the password to a new one, PWnew. The smartcard then computes:

       Ni* = Ni ⊕ h(PWi) ⊕ h(PWnew)

and replaces Ni with the new Ni*; the password gets changed.

3. CRYPTANALYSIS OF YAN-YAN WANG ET AL.’S SCHEME

In this section we will show that Yan-yan Wang et al.’s scheme is vulnerable to masquerade attack, password guessing attack and denial of service attack. Although a tamper-resistant smartcard is widely assumed in most authentication schemes, such an assumption is difficult in practice. Many researchers have shown that the secret stored in a smartcard can be breached by analyzing the leaked information or by monitoring the power consumption [10, 11]. An attacker can extract the secret y stored in Ui’s smartcard either by stealing the smartcard or by registering to the server (as each registered user has the same value of y stored in their smartcard).

3.1. Password guessing attack

Assume that the attacker has extracted the secret y from Ui’s smartcard and also has the intercepted parameters CIDi, Ni, T and IDi. The attacker can then proceed as follows:

       h(PWi) = CIDi ⊕ h(Ni ⊕ y ⊕ T) ⊕ IDi

Now the attacker can guess different passwords until the hash value of the guessed password matches the h(PWi) computed by the attacker.

3.2. User Masquerade Attack

In the second step of the registration phase S computes:

       Ni = h(PWi) ⊕ h(x) ⊕ IDi

The attacker can now extract h(x) from Ni by using h(PWi) computed in ‘A’:

       h(x) = h(PWi) ⊕ Ni ⊕ IDi

Now the attacker can calculate a new Ni* with his/her chosen password PWi* as follows:

       Ni* = h(PWi*) ⊕ h(x) ⊕ IDi

The attacker can now create and send a forged login request to the remote server S, without knowing the original password:

       CIDi* = h(PWi*) ⊕ h(Ni* ⊕ y ⊕ T*) ⊕ IDi

where T* is a fresh timestamp. The attacker sends {CIDi*, Ni*, T*, IDi} to the server S. Upon receiving the login request, server S successfully verifies the validity of timestamp T* and identity IDi, hence accepting the request.

3.3. Server Masquerade Attack

The attacker can masquerade as the server by using the h(PWi) computed in ‘A’ and:

       a* = h(h(PWi) ⊕ y ⊕ T”)

The attacker then sends (a*,T”) to Ui, which the user successfully verifies.

3.4. Denial of Service Attack

The password change phase of Yan-yan Wang et al.’s scheme is the same as that of Das et al.’s scheme and it has a serious weakness. The password change phase does not verify whether the input old password matches the original password. An attacker can use Ui’s smartcard in his absence and can invoke the password change phase by inputting an arbitrary password PW’ in place of the original password PWi along with a new password PWnew. Then the smartcard updates Ni without verifying the old password as follows:

       Ni* = Ni ⊕ h(PW’) ⊕ h(PWnew)

That will result in some arbitrary value Ni*. Now the original user Ui cannot log onto the remote server even by using his correct password, as Ni has been changed to some arbitrary value.

4. CONCLUSION

In this paper, we briefly reviewed Yan-yan Wang et al.’s scheme and have shown that this improved scheme too is vulnerable to various security attacks such as password guessing attack, user masquerade attack, server masquerade attack and denial of service attack. In addition to this, the password change phase updates the smartcard parameter even if a wrong password is given as input.

REFERENCES

[1] Yan-yan Wang, Jia-yong Liu, Feng-xia Xia, Jing Dan, (2009) “A more efficient and secure dynamic ID-based remote user authentication scheme”, Computer Communications, Vol. 32, pp. 583-585.
[2] M. L. Das, A. Saxena, V. P. Gulati, (2004) “A dynamic ID-based remote user authentication scheme”, IEEE Trans. Consumer Electron., Vol. 50, No. 2, pp. 629-63.
[3] L. Lamport, (1981) “Password authentication with insecure communication”, Communications of the ACM, Vol. 24, No. 11, pp. 770-772.
[4] I-En Liao, C. C. Lee and M. S. Hwang, (2005) “Security enhancement for a dynamic ID-based remote user authentication scheme”, in IEEE CS Press, NWeSP’05, pp. 437-440, Seoul, Korea.
[5] A. K. Awasthi, S. Lal, (2004) “Security analysis of a dynamic ID based remote user authentication scheme”, http://eprint.iacr.org/2004/238.pdf.
[6] H. M. Sun, (2000) “An efficient remote user authentication scheme using smart card”, IEEE Trans. Consumer Elec., Vol. 46, No. 1, pp. 28-30.
[7] W. C. Ku, S. M. Chen, (2004) “Weaknesses and improvements of an efficient password based remote user authentication scheme using smartcards”, IEEE Trans. on Consumer Electron., Vol. 50, No. 1, pp. 204-206.
[8] Y. L. Tang, M. S. Hwang, C. C. Lee, (2002) “A simple remote user authentication scheme”, Mathematical and Computer Modeling, Vol. 36, pp. 103-107.
[9] C. C. Lee, L. H. Lee, M. S. Hwang, (2002) “A remote user authentication scheme using hash functions”, ACM Operating System Review, Vol. 36, No. 4.
[10] P. Kocher, J. Jaffe, B. B. Jun, (1999) “Differential power analysis”, Proceedings of Advances in Cryptology (CRYPTO ’99), pp. 388-397.
[11] T. S. Messerges, E. A. Dabbish, R. H. Sloan, (2002) “Examining smartcard security under the threat of power analysis attacks”, IEEE Trans. on Computers, Vol. 51, No. 5, pp. 541-552.

Authors

1 Md. Aijaz Ahmed received his B.E. Degree in Computer Science & Engineering from M.B.E.S’ College of Engineering, Ambejogai, Maharashtra, India in 2003. He has obtained M.E. in Computer Science & Engineering from M.G.M’s College of Engineering, S.R.T.M. University, Nanded, Maharashtra, India. He is currently pursuing Ph.D. in Computer Science & Engineering from GITAM University, Vishakapatnam, Andhra Pradesh, India. His area of interest includes Network Security and Cryptography, Discrete Mathematics, Automata Theory.

2 Dr. D. Rajya Lakshmi is working presently as professor in the Department of Information Technology at GITAM University, Visakhapatnam, AP, INDIA. Professor Rajya Lakshmi was awarded Ph.D. in CSE from JNTU, Hyderabad. She has 16 years of teaching experience. Her research areas include Image processing, Data mining, Network security.

3 Dr. Syed Abdul Sattar received B.E. (Electronics) from Marathwada University, Aurangabad, Maharashtra, India, in 1990. He received M.Tech. in Digital System and Computer Science from J.N.T. University, Hyderabad, Andhra Pradesh, India, in 2002. He received Ph.D. in Electronics & Communication Engg. from J.N.T. University, Hyderabad, in 2007. His area of interest includes Computer Communications, Network Security, Image Processing.
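
The equations of Sections 2.1 to 2.4 and the analysis of Sections 3.1, 3.2 and 3.4, worked through as an added example that is not part of the original paper: it shows that the server's check is satisfied by anyone holding the shared card secret y and one observed login message, and that an unchecked password change invalidates Ni. SHA-256 as h(.), zero-padded 32-byte encodings, and all secrets, identities, passwords and timestamps are constructed assumptions.

```python
import hashlib

def h(data: bytes) -> bytes:                   # assumption: SHA-256 stands in for h(.)
    return hashlib.sha256(data).digest()

def xor(*parts: bytes) -> bytes:               # XOR as 32-byte blocks, short inputs zero-padded
    out = bytes(32)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p.ljust(32, b"\0")))
    return out

X = b"constructed-server-secret-x"             # known only to S
Y = b"constructed-card-secret-y"               # identical in every issued smartcard

def register(ident, pw):                       # 2.1: Ni = h(PWi) ^ h(x) ^ IDi
    return xor(h(pw), h(X), ident)
def login(ident, pw, n, t):                    # 2.2: CIDi
    return xor(h(pw), h(xor(n, Y, t)), ident)

def server_verify(ident, cid, n, t):           # 2.3 steps 2-3 (freshness check omitted)
    h_pw = xor(cid, h(xor(n, Y, t)), ident)
    return xor(n, h_pw, h(X)) == xor(ident)

def change_password(n, old_pw, new_pw):        # 2.4: the old password is never checked
    return xor(n, h(old_pw), h(new_pw))

def recover_hpw(ident, cid, n, t, y):          # 3.1: needs only y and one login message
    return xor(cid, h(xor(n, y, t)), ident)
def guess_password(h_pw, candidates):          # 3.1: offline dictionary comparison
    return next((c for c in candidates if h(c) == h_pw), None)

def forge_login(ident, h_pw, n, y, new_pw, t_new):   # 3.2
    hx = xor(h_pw, n, ident)                   # h(x) falls out of Ni
    n_star = xor(h(new_pw), hx, ident)
    return xor(h(new_pw), h(xor(n_star, y, t_new)), ident), n_star

def demo():
    ident, pw, t, t2 = b"alice", b"sunshine1", b"20091001-1000", b"20091001-1100"
    n = register(ident, pw)
    cid = login(ident, pw, n, t)               # sent in clear together with ident, n, t
    h_pw = recover_hpw(ident, cid, n, t, Y)
    cid_f, n_f = forge_login(ident, h_pw, n, Y, b"chosen-pw", t2)
    n_bad = change_password(n, b"wrong-old-pw", b"new-pw")       # 3.4
    locked_out = not server_verify(ident, login(ident, pw, n_bad, t), n_bad, t)
    return {"legit": server_verify(ident, cid, n, t), "locked_out": locked_out,
            "found": guess_password(h_pw, [b"123456", b"letmein", b"sunshine1"]),
            "forged": server_verify(ident, cid_f, n_f, t2)}

print(demo())
```

The forged request passes because IDi’ depends only on values the client supplies plus h(x), and h(x) is recoverable from Ni once h(PWi) is known.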