Cryptanalysis on two multi-server password based authentication protocols

Published by ijcsis
In 2004 and 2005, Tsaur et al. proposed two smart card based password authentication protocols for multi-server environments. They claimed that their protocols are safe and can withstand various kinds of attacks. However, after analyses, we found both of them have some security loopholes. In this article, we will demonstrate the security loopholes of the two protocols
Published by: ijcsis on Jun 12, 2010
Copyright:Attribution Non-commercial


 
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010

Cryptanalysis on Two Multi-Server Password Based Authentication Protocols

Jue-Sam Chou*
Dept. of Information Management, Nanhua University, Taiwan
jschou@mail.nhu.edu.tw

Chun-Hui Huang
Dept. of Information Management, Nanhua University, Taiwan
g6451519@mail.nhu.edu.tw

Yalin Chen
Institute of Information Systems and Applications, NTHU, Taiwan
d949702@oz.nthu.edu.tw

*: corresponding author

Abstract: In 2004 and 2005, Tsaur et al. proposed two smart card based password authentication protocols for multi-server environments. They claimed that their protocols are safe and can withstand various kinds of attacks. However, after analyses, we found both of them have some security loopholes. In this article, we will demonstrate the security loopholes of the two protocols.

Keywords: multi-server; remote password authentication; smart card; key agreement; Lagrange interpolating polynomial
I. INTRODUCTION

In a traditional identity authentication mechanism, a user must use his identity ID and password PW to register at the remote server and the server needs to employ a verification table to record the ID and PW. However, this approach might make the system suffer from the stolen verifier attack. To address this problem, some researchers suggested the authentication system adopt a non-verification-table approach. In 1990, Hwang et al. [4] first proposed a smart card based authentication protocol by using such a non-verification-table way. Thereafter, many smart-card non-verification-table based authentication schemes [1, 2, 3, 5, 6, 7, 10-20] were proposed. In 2004 and 2005, Tsaur et al. proposed two such authentication schemes [8, 9] for multi-server environments. They claimed that their schemes are secure and can withstand various attacks. However, after analyses, we found that both of them have some security loopholes. In this article, we will demonstrate the security flaws found in their protocols.

II. REVIEW AND ATTACK ON TSAUR ET AL.'S FIRST PROTOCOL

A. Review

Tsaur et al.'s first protocol [8] consists of the following four stages.
a) The System Setup Stage: CA defines a one-way hash function $h(X, Y)$; he selects two large prime numbers $p_1$, $p_2$, and computes $N = p_1 \times p_2$; he randomly chooses the encryption key $e$ satisfying $\gcd(e, \phi(N)) = 1$, where $\phi(N) = (p_1 - 1) \times (p_2 - 1)$, and computes his corresponding private key as $e^{-1} \bmod \phi(N)$. For each server $S_j$, CA selects a random $S\_SK_j$ as the server's private key and computes $S\_ID_j = g^{S\_SK_j} \pmod{N}$ as his public identity, where $j = 1, 2, \ldots, m$.
b) The User Registration Stage: When a new user $i$ wants to register at $m$ servers, $S_1, S_2, \ldots,$ and $S_m$ (in a multi-server system), he and CA together perform the registration process through a secure channel, described as follows:

$i$ chooses his identity $U\_ID_i$ and password $U\_PW_i$, and transmits them to CA.

CA randomly chooses a number ui, and computes two secret keys as
)(mod_
 _
 N g R
uii
PW i
and
)(mod_S
 N g
i
ui
.
 
CA assumes that $i$ wants to obtain the services of $r$ servers, $S_1, S_2, \ldots, S_r$, for $1 \le r < m$. The service periods provided by these servers are $E\_T_{i1}, E\_T_{i2}, \ldots,$ and $E\_T_{ir}$ respectively. The periods of the other $m - r$ servers are all set to zeros. CA then constructs a Lagrange interpolating polynomial function $f_i(X)$ for $i$ as
)__( )_()__()(
1
i jiijm jii
 IDSK S  ID X  E  ID X  f 
 
m j j
SK SSK S SK S X 
,1
)__( )_(
m y yi yi
SK S ID SK S X  R
1
)__( )_(_ 
)(mod
0111
 N a X a X a X a
mmmm
 
 
CA stores $f_i(X)$, $i$'s identity $U\_ID_i$, his two secret keys $U\_S_i$, $U\_R_i$, and one-way function $h(X, Y)$ in smart card $U\_SC_i$. Then, CA sends the card to $i$ via a secure channel.

c) The Login Stage: In this phase, when a registered user $i$ wants to login server $S_j$ ($1 \le j \le m$), he inserts his smart card $U\_SC_i$ to the reader and keys in his $U\_PW_i$. Then, $U\_SC_i$ performs the following steps on behalf of $i$:

$U\_SC_i$ gets timestamp. Then, it generates a secret random number 1 and computes
)(mod
1
1
 N g
e
,
),(_ 12
11
)_(
hPW 
gS
i
 
),(_
11
hPW 
gg
uii
(mod
 N 
), and
111
__
)()_(
eSK S eSK Se j
 j j
gg IDSP
(mod
 N 
)
 
Given $1, 2, \ldots, m$, and $P$, $U\_SC_i$ computes $f_i(1), f_i(2), \ldots, f_i(m)$, and $f_i(P)$. Then, it constructs an authentication message $M$ = {$U\_ID_i$, , 1, 2, $f_i(1)$, $f_i(2)$, $\ldots$, $f_i(m)$, $f_i(P)$} and sends it to $S_j$, one of the $m$ servers, for $1 \le j \le m$.
d) The Server Authentication Stage: In this phase, after receiving the authentication message from $i$, $S_j$ gets current timestamp now and performs the following steps to verify the login message from $i$:

$S_j$ checks $i$'s identity $U\_ID_i$ and determines if now − . If either of the two checks does not hold, $S_j$ rejects $i$'s login message. Otherwise, it continues.

$S_j$ uses value 1 and its secret key $S\_SK_j$ to derive the value $P$ shown as below.
)(mod)(
_1
 N P
 j
SK S
 
)(mod)(
_
1
 N g
 j
SK Se
 
)(mod
_
1
 N g
 j
SK Se
Then, it uses these $m + 1$ points $\{(1, f_i(1)), (2, f_i(2)), \ldots, (m, f_i(m)), (P, f_i(P))\}$ to reconstruct the interpolating polynomial

$f_i(X) = a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{N}$
 
 
He checks to see whether
1_)()(
),(12
1
ihe
 R
. If it holds, user $i$ is authentic. Otherwise, $S_j$ rejects $i$'s login message.

B. Attack

We show an impersonation attack on Tsaur et al.'s first protocol. First, an attacker $E$ forges a smart card as follows.
 
$E$ enters $U\_ID_i$, randomly chooses a password $U\_PW_i^{(E)}$ and a random number ui(E), and calculates two secrets:
)(mod_
**_)(
)()(
 N g R
ePW   E i
 E ui E i
and)(mod_
)(
)(
 N gS
 E ui
 E i
.
 
Though $E$ does not know each server's private key, he knows these servers' identities. Therefore, he uses each server's identity to replace the original corresponding private key in polynomial $f_i(X)$ and form another polynomial $f_E(X)$, as shown in the following Equation (1).
)__( )_()__()(
1
i jiijm ji E 
 ID IDS  ID X  E  ID X  f 
 
m j j
 IDS IDS  IDS X 
,1
)__( )_(
 
)(mod)__( )_(_
1)(
 N  IDS ID  IDS X  R
m y yi y E i
 
)(mod
0111
 N b X b X b X b
mmmm
.
In the login stage, $E$ performs the following steps:

$E$ gets timestamp. Then, he generates a secret random number 1(E) and computes 1(E), 2(E), and $P^{(E)}$ as
)(mod
)(1
)(1
 N g
 E 
e E 
,
)(mod)_(
),(* _1)(2
)(1)(1)(
 N gS
h PW  E 
 E  E  E i
,
)(1)(1
)()_(
_)(
 E  j E 
eSK Se j E 
g IDSP
 
)(1
_
 E  j
eSK S
g
(mod
 N 
).
 
Then, $E$ computes $f_E(1), f_E(2), \ldots, f_E(m)$, and $f_E(P^{(E)})$ and sends message $M^{(E)}$ = {$U\_ID_i$, , 1(E), 2(E), $f_E(1)$, $f_E(2)$, $\ldots$, $f_E(m)$, $f_E(P^{(E)})$} to server $S_j$, one of the $m$ servers, for $1 \le j \le m$.

When receiving message $M^{(E)}$, $S_j$ gets current timestamp now. It then performs the following verification steps to authenticate $E$.
 
$S_j$ checks $E$'s identity $U\_ID_i$ and determines whether now − < $\Delta$. If either of the two checks does not hold, $S_j$ rejects. Otherwise, he continues.

$S_j$ uses the transmitted value 1(E) and his secret key $S\_SK_j$ to derive the value $P^{(E)}$, as shown in the following equation, Equation (2).
)(mod)()(
__)(1)(
)(1
 N gP
 j E  j
SK SeSK S E  E 
 
)(mod
_
)(1
 N g
 j E 
SK Se
Equation (2)

Then, it uses these $m + 1$ points $\{(1, f_E(1)), (2, f_E(2)), \ldots, (m, f_E(m)), (P^{(E)}, f_E(P^{(E)}))\}$ to reconstruct the interpolating polynomial

$f_E(X) = b_m X^m + b_{m-1} X^{m-1} + \cdots + b_1 X + b_0 \pmod{N}$
 
 
S
 j
verifies whether
1_)()(
)(),()(1)(2
)(1
 E ih E e E 
 R
 E 
. If it holds, $E$ is authentic.

Obviously, $E$ can pretend as $i$ successfully since the computation result is equal to 1, as shown in Equation (3).
)(),()(1)(2
_)()(
)(1
 E ih E e E 
 R
 E 
 
ePW  he ehPW 
 E ui E i E  E  E  E ui E i
gggg
**_),(** ),('**_
)()( )(1)(1)(11)()(
)(
 
ePW  he ehePW 
 E ui E i E  E  E  E  E ui E i
gggg
**_),(** *),(***_
)()( )(1)(1)(1)(1)()(
 = 1 (mod
 N 
)
 
Equation (3)

III. REVIEW AND ATTACK ON TSAUR ET AL.'S SECOND PROTOCOL

A. Review

Tsaur et al.'s second protocol [9] consists of four stages. They are (1) the system setup stage, (2) the user registration stage, (3) the login stage, and (4) the server authentication stage. We show them as follows.
1) The System Setup Stage: CA selects a large number $p$, and publishes a generator $g$ of $Z_p^*$ and a one-way hash function $h(X, Y)$. CA also selects a secret key $S\_SK_j$ for server $S_j$ and computes $S_j$'s public identity as $S\_ID_j = g^{S\_SK_j} \pmod{p}$, $1 \le j \le m$.
2) The User Registration Stage: When a new user $i$ wants to register at $m$ servers, $S_1, S_2, \ldots,$ and $S_m$ (in a multi-server system), he and CA together perform the registration process through a secure channel, described as follows:

$i$ chooses his identity $U\_ID_i$ and password $U\_PW_i$, and transmits them to CA.

CA randomly chooses a number and computes two secret keys:
)(mod_
 pg R
i
and
)(mod_
_
 pS
i
PW i
.
 
CA supposes that $i$ wants to obtain the services of $r$ servers, $S_1, S_2, \ldots,$ and $S_r$. Assume that the service periods of $r$ servers are $E\_T_{i1}, E\_T_{i2}, \ldots,$ and $E\_T_{ir}$ respectively. The periods of the other servers $S_{r+1}, S_{r+2}, \ldots,$ and $S_m$ are all set to zeros. CA then uses $S_j$'s secret key $S\_SK_j$ to construct a Lagrange interpolating polynomial function $f_i(X)$ for $i$ as follows:
)__( )_()__()(
1
i jiijm jii
 IDSK S  ID X  E  ID X  f 
 
m j j
SK SSK S SK S X 
,1
)__( )_(
 
m y yi yi
SK S ID SK S X  R
1
)__( )_(_
 
)(mod
0111
 pa X a X a X a
mmmm
.
 
CA then stores $U\_S_i$ and $f_i(X)$ into the storage of smart card $U\_SC_i$, and sends the card to $i$ via a secure channel.

3) The Login Stage: When a registered user $i$ wants to login to server $S_j$, he inserts his smart card $U\_SC_i$ to the reader and keys in his password $U\_PW_i$. Then, $U\_SC_i$ performs the following steps on behalf of $i$:

$U\_SC_i$ gets timestamp and computes
i
PW i
S
_
)_(
. Then, it generates a secret random number 1 and computes 1, 2 and $P$ as
)(mod
1
1
 pg
,
))(mod,(
112
 ph
, and
)(mod)_(
1
 p IDSP
 j
.
 
Given $1, 2, \ldots, m$, and $P$, $U\_SC_i$ computes $f_i(1), f_i(2), \ldots, f_i(m)$, and $f_i(P)$. Then, it constructs message $M$ = {$U\_ID_i$, , 1, 2, $f_i(1)$, $f_i(2)$, $\ldots$, $f_i(m)$, $f_i(P)$} and sends it to $S_j$.

4) The Server Authentication Stage: When receiving the authentication message from $i$, $S_j$ obtains current timestamp now and performs the following steps to verify $i$'s login message:

$S_j$ checks $i$'s identity $U\_ID_i$ and determines whether now − < $\Delta T$. If both hold, $S_j$ computes
)(mod)(
_1
 pP
 j
SK S
.
 
 
$S_j$ uses the $m + 1$ points $\{(1, f_i(1)), (2, f_i(2)), \ldots, (m, f_i(m)), (P, f_i(P))\}$ from $U\_ID_i$ to reconstruct the interpolating polynomial

$f_i(X) = a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{N}$
 
S
 j
checks to see whether
1)_()(
),(1
12
hi
 Rg
. If it holds, user $i$ is authentic. Otherwise, $i$ is rejected.
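The reconstruction step above, as an added Python illustration (not code from the paper or from Tsaur et al.): the server derives the extra x-coordinate P from the received value and its secret key, then interpolates the m + 1 received points. The prime 23, the base 5, all keys and coefficients are constructed toy values, and the names C1 and r1 for the transmitted value and the card's random number are assumptions, since the extracted text lost those symbols.

```python
# Added illustration with constructed toy values (not from the paper).
P_MOD = 23   # tiny prime standing in for the paper's large p
G = 5        # a generator of Z_23^*

def poly_eval(coeffs, x, p=P_MOD):
    """Evaluate a_0 + a_1*x + ... + a_m*x^m (mod p); coeffs are lowest first."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def mul_linear(poly, root, p=P_MOD):
    """Multiply poly by (X - root) mod p."""
    out = [0] * (len(poly) + 1)
    for k, a in enumerate(poly):
        out[k] = (out[k] - root * a) % p
        out[k + 1] = (out[k + 1] + a) % p
    return out

def lagrange_coeffs(points, p=P_MOD):
    """Coefficients of the unique degree <= m polynomial through m+1 points."""
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = mul_linear(basis, xj, p)
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p   # needs distinct x values mod p
        for k, a in enumerate(basis):
            result[k] = (result[k] + scale * a) % p
    return result

def login_points(coeffs, m, s_id_j, r1, p=P_MOD):
    """Sender: C1 = g^r1, P = S_ID_j^r1, then points at X = 1..m and X = P."""
    c1 = pow(G, r1, p)                 # C1 and r1 are assumed names
    big_p = pow(s_id_j, r1, p)         # uses only the server's public identity
    xs = list(range(1, m + 1)) + [big_p]
    return c1, [(x, poly_eval(coeffs, x, p)) for x in xs]

def server_reconstruct(c1, points, s_sk_j, p=P_MOD):
    """Server: derive P = C1^S_SK_j, compare with the last x, interpolate."""
    derived_p = pow(c1, s_sk_j, p)
    return derived_p == points[-1][0], lagrange_coeffs(points, p)

def demo():
    s_sk_j = 6
    s_id_j = pow(G, s_sk_j, P_MOD)     # public identity g^S_SK_j
    c1, pts = login_points([4, 9, 2, 17], 3, s_id_j, r1=3)
    return server_reconstruct(c1, pts, s_sk_j)
```

The sender side needs only the public identity S_ID_j, and the server recovers whatever coefficients the sender evaluated, so a successful reconstruction by itself does not show who built the polynomial.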
B. Attack

We show an impersonation attack on Tsaur et al.'s second protocol. First, an attacker $E$ forges a smart card as follows.
 
$E$ enters $U\_ID_i$, randomly chooses a password $U\_PW_i^{(E)}$ and a number (E), and computes two secrets as
)(mod_
)(
)(
 pg R
 E 
 E i
and
)(mod_S
)(
_)(
 p
 E i
PW  E i
.
 
Though $E$ does not know each server's private key, he knows these servers' identities. Therefore, he uses each server's identity to replace the original corresponding private key in polynomial $f_i(X)$ and form another polynomial $f_E(X)$, as shown in the following Equation (4).