(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
Cryptanalysis on Two Multi-Server Password BasedAuthentication Protocols
Jue-Sam Chou
*
Dept. of Information ManagementNanhua University, Taiwan jschou@mail.nhu.edu.tw
Chun-Hui Huang
Dept. of Information ManagementNanhua University, Taiwang6451519@mail.nhu.edu.tw
Yalin Chen
Institute of Information Systems andApplications, NTHU, Tawaind949702@oz.nthu.edu.tw
*
: corresponding author
Abstract
¡In 2004 and 2005, Tsaur et al. proposed two smartcard based password authentication protocols for multi-serverenvironments. They claimed that their protocols are safe and canwithstand various kinds of attacks. However, after analyses, wefound both of them have some security loopholes. In this article,we will demonstrate the security loopholes of the two protocols.
Keywords- multi-server; remote password authenticationl; smart card; key agreement; Lagrange interpolating polynomial
I.
I
NTRODUCTION
In a traditional identity authentication mechanism, a usermust use his identity ID and password PW to register at theremote server and the server needs to employ a verificationtable to record the ID and PW. However, this approach mightmake the system suffer from the stolen verifier attack. Toaddress this problem, some researchers suggested theauthentication system adopt a non-verification-table approach.In 1990, Hwang et al. [4] first proposed a smart card basedauthentication protocol by using such a non-verification-tableway. Thereafter, many smart-card non-verification-table basedauthentication schemes [1, 2, 3, 5, 6, 7, 10-20] were proposed.In 2004 and 2005, Tsaur et al. proposed two suchauthentication schemes [8, 9] for multi-server environments.They claimed that their schemes are secure and can withstandvarious attacks. However, after analyses, we found that both of them have some security loopholes. In this article, we willdemonstrate the security flaws found in their protocols.II.
R
EVIEW AND ATTACK ON
T
SAUR ET AL
.¡
S FIRSTPROTOCOL
A.
Review
Tsaur et al.¡s first protocol [8] consists of next four stages.
a) The System Setup Stage:
CA defines an one-way hashfunction
h
(
X, Y
); he selects two large prime numbers
p
1
,
p
2
, andcomputes
N
=
p
1
¡
p
2
; he randomly chooses the encryption key
e
satisfying gcd(
e
,
φ
(
N
)) = 1, where
φ
(
N
) = (
p
1
¡ 1) ¡ (
p
2
¡ 1),and computes his corresponding private key as
d
=
e
-1
mod
φ
(
N
). For each server
S
j
, CA selects a random
S_SK
j
as theserver¡s private key and computes
S_ID
j
=
j
SK S
g
_
(mod
N
) ashis oublic identity, where
j
= 1,2, ...,
m
.
b) The User Registration Stage:
When a new user
U
i
wantsto register at
m
servers,
S
1
,
S
2
, ¡, and
S
m
(in a multi-serversystem), he and CA together perform the registration processthrough a secure channel described as follows:
U
i
chooses his identity
U_ID
i
and password
U_PW
i
,
and transmits them to CA.
CA randomly chooses a number
r
ui
, and computes twosecret keys as
)(mod_
_
N g RU
uii
r PW U i
and
)(mod_S
N gU
d r i
ui
.
CA assumes that
U
i
wants to obtain the services of
r
servers,
S
1
,
S
2
, ¡,
S
r
, for 1
≤
r
<
m
. The service periodsprovided by these servers are
E_T
i
1
,
E_T
i
2
, ¡, and
E_T
ir
respectively. The periods of the other
m
¡
r
serversare all set to zeros. CA then constructs a Lagrangeinterpolating polynomial function
f
i
(
X
)
for
U
i
as
)__(
)_()__()(
1
i jiijm jii
IDU SK S
IDU X T E IDU X f
m jk k k jk
SK SSK S
SK S X
,1
)__(
)_(
m y yi yi
SK S IDU
SK S X RU
1
)__(
)_(_
)(mod
0111
N a X a X a X a
mmmm
CA stores
f
i
(
X
),
U
i
¡s identity
U_ID
i
, his two secret keys
U_S
i
,
U_R
i
, and one-way function
h
(
X
,
Y
) in smart card
U_SC
i
. Then, CA sends the card to
U
i
via a securechannel.
c) The Login Stage:
In this phase, when a registered user
U
i
wants to login server
S
j
(1
≤
j
≤
m
), he inserts his smart card
U_SC
i
to the reader and keys in his
U_PW
i
. Then,
U_SC
i
performs the following steps on behalf of
U
i
:
U_SC
i
gets timestamp
t
. Then, it generates a secretrandom number
r
1
and computes
16http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
)(mod
1
1
N gC
r e
,
),(_
12
11
)_(
t C hr PW U
gSU C
i
),(_
11
t C hr d r PW U
gg
uii
(mod
N
), and
111
__
)()_(
r eSK S
r eSK Sr e j
j j
gg IDSP
(mod
N
)
Given 1, 2, ¡,
m
, and
P
,
U_SC
i
computes
f
i
(1),
f
i
(2), ¡,
f
i
(
m
), and
f
i
(
P
). Then, it constructs anauthentication message
M
= {
U_ID
i
,
t
,
C
1
,
C
2
,
f
i
(1),
f
i
(2), ¡,
f
i
(
m
),
f
i
(
P
)} and sends it to
S
j
, one of the
m
servers for, 1
≤
j
≤
m
.
d) The Server Authentication Stage:
In this phase, afterreceiving the authentication message from
U
i
,
S
j
gets currenttimestamp
t
now
and performs the following steps to verify thelogin message from
U
i
:
S
j
checks
U
i
's identity
U_ID
i
and determines if
t
now
¡
t
>Δ
T
. If either of the two checks does nothold,
S
j
rejects
U
i
's login message. Otherwise, it continues.
S
j
uses value
C
1
and its secret key
S_SK
j
to derive thevalue
P
shown as below.
)(mod)(
_1
N C P
j
SK S
)(mod)(
_
1
N g
j
SK Sr e
)(mod
_
1
N g
j
SK Sr e
.Then, it uses these
m
+ 1 points {(1,
f
i
(
1
)
), (2,
f
i
(
2
)
), ¡,(
m
,
f
i
(
m
)
), (
P
,
f
i
(
P
))
} to reconstruct the interpolatingpolynomial
)(mod)(
0111
N a X a X a X a X f
mmmmi
He checks to see whether
1_)()(
),(12
1
it C he
RU C C
. If itholds, user
U
i
is authentic. Otherwise,
S
j
rejects
U
i
'slogin message.
B.
Attack
We show an impersonation attack on Tsaur et al.¡s firstprotocol. First, an attacker
E
forges a smart card as follows.
E
enters
U_ID
i
, randomly chooses a password
)(
_
E i
PW U
and a random number
)(
E ui
r
, and calculatestwo secrets:)(mod_
**_)(
)()(
N g RU
er PW U
E i
E ui E i
and)(mod_
)(
)(
N gSU
E ui
r E i
.
Though,
E
does not know each server¡s private key, heknows these servers¡ identities. Therefore, he uses eachserver¡s identity to replace the original correspondingprivate key in polynomial
f
i
(
X
) and form anotherpolynomial
f
E
(
X
) as shown in following Equation (1).
)__(
)_()__()(
1
i jiijm ji E
IDU IDS
IDU X T E IDU X f
m jk k k jk
IDS IDS
IDS X
,1
)__(
)_(
)(mod)__(
)_(_
1)(
N IDS IDU
IDS X RU
m y yi y E i
)(mod
0111
N b X b X b X b
mmmm
.
In login stage,
E
performs the follows steps:
E
gets timestamp
t
. Then, he generates a secret randomnumber
r
1(
E
)
and computes
C
1
(
E
)
,
C
2(
E
)
, and
P
(
E
)
as
)(mod
)(1
)(1
N gC
E
r e E
,
)(mod)_(
),(*
_1)(2
)(1)(1)(
N gSU C
t C hr
PW U E
E E E i
,
)(1)(1
)()_(
_)(
E j E
r eSK Sr e j E
g IDSP
)(1
_
E j
r eSK S
g
(mod
N
).
Then,
E
computes
f
E
(1),
f
E
(2), ¡,
f
E
(
m
), and
f
E
(
P
(
E
)
)and sends message
M
(
E
)
= {
U_ID
i
,
t
,
C
1(
E
)
,
C
2(
E
)
,
f
E
(1),
f
E
(2), ¡,
f
E
(
m
),
f
E
(
P
(
E
)
)} to server
S
j
, one of the
m
servers for 1
≤
j
≤
m
.When receiving message
M
(
E
)
,
S
j
gets current timestamp
t
now
.It then performs the following verification steps to authenticate
E
.
S
j
checks
E
's identity
U_ID
i
and determines whether
t
now
¡
t
<
Δ
T
. If either of the two checks dose not hold,
S
j
rejects. Otherwise, he continues.
S
j
uses the transmitted value
C
1(
E
)
and his secret key
S_SK
j
to derive the value
P
(
E
)
,
as shown in thefollowing equation, Equation (2).
)(mod)()(
__)(1)(
)(1
N gC P
j E j
SK Sr eSK S E E
)(mod
_
)(1
N g
j E
SK Sr e
¡ ¡ ¡
Equation (2)Then, it uses these
m
+ 1 points {(1,
f
E
(1)), (2,
f
E
(2)), ¡, (
m
,
f
E
(
m
)), (
P
(
E
)
,
f
E
(
P
(
E
)
)} to reconstruct theinterpolating polynomial
)(mod)(
0111
N b X b X b X b X f
mmmm E
S
j
verifies whether
1_)()(
)(),()(1)(2
)(1
E it C h E e E
RU C C
E
. If itholds,
E
is authentic.Obviously,
E
can pretend as
U
i
successfully since thecomputation result is equal to 1, as shown in Equation (3).
17http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
)(),()(1)(2
_)()(
)(1
E it C h E e E
RU C C
E
er PW U
t C hr e
et C hr r PW U
E ui E i E E E E ui E i
gggg
**_),(**
),('**_
)()(
)(1)(1)(11)()(
)(
er PW U
t C hr e
et C hr er PW U
E ui E i E E E E E ui E i
gggg
**_),(**
*),(***_
)()(
)(1)(1)(1)(1)()(
= 1 (mod
N
)
¡¡¡¡¡¡¡¡¡
Equation (3)III.
R
EVIEW AND ATTACK ON
T
SAUR ET AL
.¡
S SECONDPROTOCOL
A.
Review
Tsaur et al.¡s second protocol [9] consists of four stages.They are (1) The system setup stage, (2) The user registrationstage, (3) The login stage, and (4) The server authenticationstage. We show them as follows.
1)
The System Setup Stage:
CA selects a large number
p
,and publishes a generator
g
of
*
P
Z
and an one-way hashfunction
h
(
X
,
Y
). CA also selects a secret key
S_SK
j
for server
S
j
and computes
S
j
¡s public identity as
S_ID
j
=
j
SK S
g
_
(mod
p
),1
≤
j
≤
m
.
2)
The User Registration Stage:
When a new user
U
i
wants to register at m servers,
S
1
,
S
2
, ¡, and
S
m
(in a multi-server system), he and CA together perform the registrationprocess through a secure channel described as follows:
U
i
chooses his identity
U_ID
i
and password
U_PW
i
,and transmits them to CA.
CA randomly chooses a number
r
and computes twosecret keys:
)(mod_
pg RU
r i
and
)(mod_
_
pr SU
i
PW U i
.
CA supposes that
U
i
wants to obtain the services of
r
servers,
S
1
,
S
2
, ¡
, and
S
r
. Assume that the serviceperiods of
r
servers are
E_T
i
1
,
E_T
i
2
, ¡, and
E_T
ir
respectively. The periods of the other servers
S
r
+1
,
S
r
+2
, ¡, and
S
m
are all set to zeros. CA then uses
S
j
¡ssecret key
S_SK
j
to construct a Lagrange interpolatingpolynomial function
f
i
(
X
) for
U
i
as follows:
)__(
)_()__()(
1
i jiijm jii
IDU SK S
IDU X T E IDU X f
m jk k k jk
SK SSK S
SK S X
,1
)__(
)_(
m y yi yi
SK S IDU
SK S X RU
1
)__(
)_(_
)(mod
0111
pa X a X a X a
mmmm
.
CA then stores
U_S
i
and
f
i
(
X
) into the storage of smartcard
U_SC
i
, and sends the card to
U
i
via a securechannel.
3)
The Login Stage:
When a registered user
U
i
wants tologin to server
S
j
, he inserts his smart card
U_SC
i
to the readerand keys in his password
U_PW
i
. Then,
U_SC
i
performs thefollowing steps on behalf of
U
i
:
U_SC
i
gets timestamp
t
and computes
i
PW U i
SU r
_
)_(
.Then, it generates a secret random number
r
1
andcomputes
C
1
,
C
2
and
P
as
)(mod
1
1
pgC
r
,
))(mod,(
112
pt C hr r C
, and
)(mod)_(
1
p IDSP
r j
.
Given 1, 2,¡,
m
, and
P
,
U_SC
i
computes
f
i
(1),
f
i
(2), ¡,
f
i
(
m
), and
f
i
(
P
). Then, it constructs message
M
={
U_ID
i
,
t
,
C
1
,
C
2
,
f
i
(1),
f
i
(2), ¡,
f
i
(
m
),
f
i
(
P
)} and sendsit to
S
j
.
4)
The Server Authentication Stage:
When receiving theauthentication message from
U
i
,
S
j
obtains current timestamp
t
now
and performs the following steps to verify
U
i
¡s loginmessage:
S
j
checks
U
i
's identity
U_ID
i
and determines whether
t
now
¡
t
<
Δ
T.
If both hold,
S
j
computes
)(mod)(
_1
pC P
j
SK S
.
S
j
uses the
m
+ 1 points {(1,
f
i
(1)), (2,
f
i
(2)), ¡, (
m
,
f
i
(
m
)), (
P
,
f
i
(
P
))} from
U_ID
i
to reconstruct theinterpolating polynomial
11
)(
mmmmi
X a X a X f
a
1
X
+
a
0
(mod
N
)
S
j
checks to see whether
1)_()(
),(1
12
t C hiC
RU C g
. If itholds, user
U
i
is authentic. Otherwise,
U
i
is rejected.
B.
Attack
We show an impersonation attack on Tsaur et al.¡s secondprotocol. First, an attacker
E
forges a smart card as follows.
E
enters
U_ID
i
, randomly chooses a password
U_PW
i
(
E
)
and a number
r
(
E
)
, and computes two secrets as)(mod_
)(
)(
pg RU
E
r E i
and
)(mod_S
)(
_)(
pr U
E i
PW U E i
.
Though,
E
does not know each server¡s private key, heknows these servers¡ identities. Therefore, he uses eachserver¡s identity to replace the original correspondingprivate key in polynomial
f
i
(
X
) and form anotherpolynomial
f
E
(
X
) as shown in following Equation (4).
18http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Cryptanalysis on two multi-server password based authentication protocols
In 2004 and 2005, Tsaur et al. proposed two smart card based password authentication protocols for multi-server environments. They claimed that their protocols are safe and can withstand various kinds of attacks. However, after analyses, we…
(More)
362
Reads
1
Readcasts
0
Embed Views
Recommended
More From This User
Notes
Load more
