
Published by ijcsis


https://www.scribd.com/doc/32928464/Cryptanalysis-on-two-multi-server-password-based-authentication-protocols

06/11/2010


(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010

Cryptanalysis on Two Multi-Server Password Based Authentication Protocols

Jue-Sam Chou*
Dept. of Information Management, Nanhua University, Taiwan
jschou@mail.nhu.edu.tw

Chun-Hui Huang
Dept. of Information Management, Nanhua University, Taiwan
g6451519@mail.nhu.edu.tw

Yalin Chen
Institute of Information Systems and Applications, NTHU, Taiwan
d949702@oz.nthu.edu.tw

*: corresponding author

Abstract

In 2004 and 2005, Tsaur et al. proposed two smart card based password authentication protocols for multi-server environments. They claimed that their protocols are safe and can withstand various kinds of attacks. However, after analyses, we found both of them have some security loopholes. In this article, we will demonstrate the security loopholes of the two protocols.

Keywords- multi-server; remote password authentication; smart card; key agreement; Lagrange interpolating polynomial

I. INTRODUCTION

In a traditional identity authentication mechanism, a user must use his identity ID and password PW to register at the remote server and the server needs to employ a verification table to record the ID and PW. However, this approach might make the system suffer from the stolen verifier attack. To address this problem, some researchers suggested the authentication system adopt a non-verification-table approach. In 1990, Hwang et al. [4] first proposed a smart card based authentication protocol by using such a non-verification-table way. Thereafter, many smart-card non-verification-table based authentication schemes [1, 2, 3, 5, 6, 7, 10-20] were proposed. In 2004 and 2005, Tsaur et al. proposed two such authentication schemes [8, 9] for multi-server environments. They claimed that their schemes are secure and can withstand various attacks. However, after analyses, we found that both of them have some security loopholes. In this article, we will demonstrate the security flaws found in their protocols.

II. REVIEW AND ATTACK ON TSAUR ET AL.'S FIRST PROTOCOL

A. Review

Tsaur et al.'s first protocol [8] consists of the following four stages.

a) The System Setup Stage: CA defines a one-way hash function $h(X, Y)$; he selects two large prime numbers $p_1$, $p_2$, and computes $N = p_1 \times p_2$; he randomly chooses the encryption key $e$ satisfying $\gcd(e, \varphi(N)) = 1$, where $\varphi(N) = (p_1 - 1) \times (p_2 - 1)$, and computes his corresponding private key as $d = e^{-1} \bmod \varphi(N)$. For each server $S_j$, CA selects a random $S\_SK_j$ as the server's private key and computes $S\_ID_j = g^{S\_SK_j} \pmod{N}$ as his public identity, where $j = 1, 2, \ldots, m$.

b) The User Registration Stage: When a new user $U_i$ wants to register at $m$ servers, $S_1, S_2, \ldots$, and $S_m$ (in a multi-server system), he and CA together perform the registration process through a secure channel described as follows:

$U_i$ chooses his identity $U\_ID_i$ and password $U\_PW_i$, and transmits them to CA.

CA randomly chooses a number $r_{ui}$, and computes two secret keys as $U\_R_i = g^{U\_PW_i \cdot r_{ui}} \pmod{N}$ and $U\_S_i = g^{r_{ui} \cdot d} \pmod{N}$.

CA assumes that $U_i$ wants to obtain the services of $r$ servers, $S_1, S_2, \ldots, S_r$, for $1 \le r < m$. The service periods provided by these servers are $E\_T_{i1}, E\_T_{i2}, \ldots$, and $E\_T_{ir}$ respectively. The periods of the other $m - r$ servers are all set to zeros. CA then constructs a Lagrange interpolating polynomial function $f_i(X)$ for $U_i$ as

$$f_i(X) = \sum_{j=1}^{m} (U\_ID_i + E\_T_{ij}) \frac{(X - U\_ID_i)}{(S\_SK_j - U\_ID_i)} \prod_{k=1,\,k \ne j}^{m} \frac{(X - S\_SK_k)}{(S\_SK_j - S\_SK_k)} + U\_R_i \prod_{y=1}^{m} \frac{(X - S\_SK_y)}{(U\_ID_i - S\_SK_y)}$$

$$= a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{N}$$

CA stores $f_i(X)$, $U_i$'s identity $U\_ID_i$, his two secret keys $U\_S_i$, $U\_R_i$, and one-way function $h(X, Y)$ in smart card $U\_SC_i$. Then, CA sends the card to $U_i$ via a secure channel.

c) The Login Stage: In this phase, when a registered user $U_i$ wants to login server $S_j$ ($1 \le j \le m$), he inserts his smart card $U\_SC_i$ to the reader and keys in his $U\_PW_i$. Then, $U\_SC_i$ performs the following steps on behalf of $U_i$:

$U\_SC_i$ gets timestamp $t$. Then, it generates a secret random number $r_1$ and computes

$$C_1 = g^{e \cdot r_1} \pmod{N},$$

$$C_2 = (U\_S_i)^{U\_PW_i} \cdot g^{r_1 \cdot h(C_1,\,t)} = g^{U\_PW_i \cdot r_{ui} \cdot d} \cdot g^{r_1 \cdot h(C_1,\,t)} \pmod{N}, \text{ and}$$

$$P = (S\_ID_j)^{e \cdot r_1} = (g^{S\_SK_j})^{e \cdot r_1} = g^{S\_SK_j \cdot e \cdot r_1} \pmod{N}$$

Given $1, 2, \ldots, m$, and $P$, $U\_SC_i$ computes $f_i(1), f_i(2), \ldots, f_i(m)$, and $f_i(P)$. Then, it constructs an authentication message $M = \{U\_ID_i, t, C_1, C_2, f_i(1), f_i(2), \ldots, f_i(m), f_i(P)\}$ and sends it to $S_j$, one of the $m$ servers, for $1 \le j \le m$.

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

d) The Server Authentication Stage: In this phase, after receiving the authentication message from $U_i$, $S_j$ gets current timestamp $t_{now}$ and performs the following steps to verify the login message from $U_i$:

$S_j$ checks $U_i$'s identity $U\_ID_i$ and determines if $t_{now} - t > \Delta T$. If either of the two checks does not hold, $S_j$ rejects $U_i$'s login message. Otherwise, it continues.

$S_j$ uses value $C_1$ and its secret key $S\_SK_j$ to derive the value $P$ shown as below.

$$P = (C_1)^{S\_SK_j} \pmod{N} = (g^{e \cdot r_1})^{S\_SK_j} \pmod{N} = g^{e \cdot r_1 \cdot S\_SK_j} \pmod{N}.$$

Then, it uses these $m + 1$ points $\{(1, f_i(1)), (2, f_i(2)), \ldots, (m, f_i(m)), (P, f_i(P))\}$ to reconstruct the interpolating polynomial

$$f_i(X) = a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{N}$$

He checks to see whether $\dfrac{(C_2)^{e}}{(C_1)^{h(C_1,\,t)} \cdot U\_R_i} = 1$. If it holds, user $U_i$ is authentic. Otherwise, $S_j$ rejects $U_i$'s login message.

B. Attack

We show an impersonation attack on Tsaur et al.'s first protocol. First, an attacker $E$ forges a smart card as follows.

$E$ enters $U\_ID_i$, randomly chooses a password $U\_PW_{i(E)}$ and a random number $r_{ui(E)}$, and calculates two secrets: $U\_R_{i(E)} = g^{U\_PW_{i(E)} * r_{ui(E)} * e} \pmod{N}$ and $U\_S_{i(E)} = g^{r_{ui(E)}} \pmod{N}$.

Though $E$ does not know each server's private key, he knows these servers' identities. Therefore, he uses each server's identity to replace the original corresponding private key in polynomial $f_i(X)$ and forms another polynomial $f_E(X)$ as shown in the following Equation (1).

$$f_E(X) = \sum_{j=1}^{m} (U\_ID_i + E\_T_{ij}) \frac{(X - U\_ID_i)}{(S\_ID_j - U\_ID_i)} \prod_{k=1,\,k \ne j}^{m} \frac{(X - S\_ID_k)}{(S\_ID_j - S\_ID_k)} + U\_R_{i(E)} \prod_{y=1}^{m} \frac{(X - S\_ID_y)}{(U\_ID_i - S\_ID_y)} \pmod{N}$$

$$= b_m X^m + b_{m-1} X^{m-1} + \cdots + b_1 X + b_0 \pmod{N}. \qquad \text{Equation (1)}$$

In the login stage, $E$ performs the following steps:

$E$ gets timestamp $t$. Then, he generates a secret random number $r_{1(E)}$ and computes $C_{1(E)}$, $C_{2(E)}$, and $P_{(E)}$ as

$$C_{1(E)} = g^{e \cdot r_{1(E)}} \pmod{N},$$

$$C_{2(E)} = (U\_S_{i(E)})^{U\_PW_{i(E)}} \cdot g^{r_{1(E)} * h(C_{1(E)},\,t)} \pmod{N},$$

$$P_{(E)} = (S\_ID_j)^{e \cdot r_{1(E)}} = (g^{S\_SK_j})^{e \cdot r_{1(E)}} = g^{S\_SK_j \cdot e \cdot r_{1(E)}} \pmod{N}.$$

Then, $E$ computes $f_E(1), f_E(2), \ldots, f_E(m)$, and $f_E(P_{(E)})$ and sends message $M_{(E)} = \{U\_ID_i, t, C_{1(E)}, C_{2(E)}, f_E(1), f_E(2), \ldots, f_E(m), f_E(P_{(E)})\}$ to server $S_j$, one of the $m$ servers, for $1 \le j \le m$. When receiving message $M_{(E)}$, $S_j$ gets current timestamp $t_{now}$. It then performs the following verification steps to authenticate $E$.

$S_j$ checks $E$'s identity $U\_ID_i$ and determines whether $t_{now} - t < \Delta T$. If either of the two checks does not hold, $S_j$ rejects. Otherwise, he continues.

$S_j$ uses the transmitted value $C_{1(E)}$ and his secret key $S\_SK_j$ to derive the value $P_{(E)}$, as shown in the following equation, Equation (2).

$$P_{(E)} = (C_{1(E)})^{S\_SK_j} = (g^{e \cdot r_{1(E)}})^{S\_SK_j} \pmod{N} = g^{e \cdot r_{1(E)} \cdot S\_SK_j} \pmod{N} \qquad \text{Equation (2)}$$

Then, it uses these $m + 1$ points $\{(1, f_E(1)), (2, f_E(2)), \ldots, (m, f_E(m)), (P_{(E)}, f_E(P_{(E)}))\}$ to reconstruct the interpolating polynomial

$$f_E(X) = b_m X^m + b_{m-1} X^{m-1} + \cdots + b_1 X + b_0 \pmod{N}$$

$S_j$ verifies whether $\dfrac{(C_{2(E)})^{e}}{(C_{1(E)})^{h(C_{1(E)},\,t)} \cdot U\_R_{i(E)}} = 1$. If it holds, $E$ is authentic. Obviously, $E$ can pretend to be $U_i$ successfully since the computation result is equal to 1, as shown in Equation (3).

$$\frac{(C_{2(E)})^{e}}{(C_{1(E)})^{h(C_{1(E)},\,t)} \cdot U\_R_{i(E)}} = \frac{\left(g^{U\_PW_{i(E)} * r_{ui(E)}} \cdot g^{r_{1(E)} * h(C_{1(E)},\,t)}\right)^{e}}{g^{e * r_{1(E)} * h(C_{1(E)},\,t)} \cdot g^{U\_PW_{i(E)} * r_{ui(E)} * e}}$$

$$= \frac{g^{U\_PW_{i(E)} * r_{ui(E)} * e} \cdot g^{r_{1(E)} * h(C_{1(E)},\,t) * e}}{g^{e * r_{1(E)} * h(C_{1(E)},\,t)} \cdot g^{U\_PW_{i(E)} * r_{ui(E)} * e}} = 1 \pmod{N} \qquad \text{Equation (3)}$$
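The first protocol's login and server authentication stages, run on toy parameters as an added example (not code from the paper or from Tsaur et al.): it compares a CA-issued card with a card built as in the attack above from $e$ and the public $S\_ID_j$ only, and shows that the server's final check passes for both because nothing in it depends on $d$. Assumptions: the two primes, the base `G = 7`, SHA-256 as $h$, every numeric value, all function names, and that the server recovers $U\_R_i$ as $f(U\_ID_i)$.

```python
import hashlib

# Toy parameters constructed for this example; far too small for real use.
P1, P2 = 2**61 - 1, 2**31 - 1
N, E, G = P1 * P2, 65537, 7                 # G is an assumed public base g
D = pow(E, -1, (P1 - 1) * (P2 - 1))         # CA private key d
SK = [1234577, 7654321, 9999991]            # server private keys S_SK_j
SID = [pow(G, sk, N) for sk in SK]          # public identities S_ID_j
UID, PW, R_UI = 20100611, 918273, 424243    # constructed user values

def h(c1, t):  # SHA-256 stand-in for the one-way function h(X, Y)
    return int.from_bytes(hashlib.sha256(f"{c1},{t}".encode()).digest(), "big")

def interpolate(points, x):
    """Value at x of the Lagrange polynomial through points, modulo N."""
    total = 0
    for xa, ya in points:
        for xb, _ in points:
            if xb != xa:
                ya = ya * (x - xb) * pow((xa - xb) % N, -1, N) % N
        total = (total + ya) % N
    return total

def login(uid, pw, u_r, u_s, nodes, j, r1, t, periods=(30, 60, 0)):
    """Login stage; `nodes` are the X-values the card's polynomial was built on."""
    poly = [(x, uid + et) for x, et in zip(nodes, periods)] + [(uid, u_r)]
    c1 = pow(G, E * r1, N)
    c2 = pow(u_s, pw, N) * pow(G, r1 * h(c1, t), N) % N
    p = pow(SID[j], E * r1, N)
    xs = list(range(1, len(nodes) + 1)) + [p]
    return uid, t, c1, c2, [interpolate(poly, x) for x in xs]

def server_verify(msg, j):
    """Server authentication stage at S_j (timestamp check left out)."""
    uid, t, c1, c2, fvals = msg
    p = pow(c1, SK[j], N)                   # P derived from C_1 and S_SK_j
    xs = list(range(1, len(fvals))) + [p]
    u_r = interpolate(list(zip(xs, fvals)), uid)   # assumed: U_R_i = f(U_ID_i)
    return pow(c2, E, N) == pow(c1, h(c1, t), N) * u_r % N

def ca_card(pw=PW):  # CA-issued card (needs d and S_SK_j); pw is the typed password
    return UID, pw, pow(G, PW * R_UI, N), pow(G, R_UI * D, N), SK

def card_without_ca(pw=5551212, r=777):  # card from the attack: public e, S_ID_j only
    return UID, pw, pow(G, pw * r * E, N), pow(G, r, N), SID

if __name__ == "__main__":
    for card in (ca_card(), ca_card(PW + 1), card_without_ca()):
        print(server_verify(login(*card, j=1, r1=31337, t=1000), 1))
```

The three results are `True`, `False`, `True`: a wrong password on the genuine card is rejected, while the card assembled from public values is accepted, which is the flaw the paper identifies.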

III. REVIEW AND ATTACK ON TSAUR ET AL.'S SECOND PROTOCOL

A. Review

Tsaur et al.'s second protocol [9] consists of four stages. They are (1) The system setup stage, (2) The user registration stage, (3) The login stage, and (4) The server authentication stage. We show them as follows.

1) The System Setup Stage: CA selects a large number $p$, and publishes a generator $g$ of $Z_p^*$ and a one-way hash function $h(X, Y)$. CA also selects a secret key $S\_SK_j$ for server $S_j$ and computes $S_j$'s public identity as $S\_ID_j = g^{S\_SK_j} \pmod{p}$, $1 \le j \le m$.

2) The User Registration Stage: When a new user $U_i$ wants to register at $m$ servers, $S_1, S_2, \ldots$, and $S_m$ (in a multi-server system), he and CA together perform the registration process through a secure channel described as follows:

$U_i$ chooses his identity $U\_ID_i$ and password $U\_PW_i$, and transmits them to CA.

CA randomly chooses a number $r$ and computes two secret keys: $U\_R_i = g^{r} \pmod{p}$ and

)(mod_

_

pr SU

i

PW U i

.

CA supposes that $U_i$ wants to obtain the services of $r$ servers, $S_1, S_2, \ldots$, and $S_r$. Assume that the service periods of $r$ servers are $E\_T_{i1}, E\_T_{i2}, \ldots$, and $E\_T_{ir}$ respectively. The periods of the other servers $S_{r+1}, S_{r+2}, \ldots$, and $S_m$ are all set to zeros. CA then uses $S_j$'s secret key $S\_SK_j$ to construct a Lagrange interpolating polynomial function $f_i(X)$ for $U_i$ as follows:

$$f_i(X) = \sum_{j=1}^{m} (U\_ID_i + E\_T_{ij}) \frac{(X - U\_ID_i)}{(S\_SK_j - U\_ID_i)} \prod_{k=1,\,k \ne j}^{m} \frac{(X - S\_SK_k)}{(S\_SK_j - S\_SK_k)} + U\_R_i \prod_{y=1}^{m} \frac{(X - S\_SK_y)}{(U\_ID_i - S\_SK_y)}$$

$$= a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{p}.$$

CA then stores $U\_S_i$ and $f_i(X)$ into the storage of smart card $U\_SC_i$, and sends the card to $U_i$ via a secure channel.

3) The Login Stage: When a registered user $U_i$ wants to login to server $S_j$, he inserts his smart card $U\_SC_i$ to the reader and keys in his password $U\_PW_i$. Then, $U\_SC_i$ performs the following steps on behalf of $U_i$:

$U\_SC_i$ gets timestamp $t$ and computes

i

PW U i

SU r

_

)_(

Then, it generates a secret random number $r_1$ and computes $C_1$, $C_2$ and $P$ as $C_1 = g^{r_1} \pmod{p}$, $C_2 = r + r_1 \cdot h(C_1, t) \pmod{p}$, and $P = (S\_ID_j)^{r_1} \pmod{p}$.

Given $1, 2, \ldots, m$, and $P$, $U\_SC_i$ computes $f_i(1), f_i(2), \ldots, f_i(m)$, and $f_i(P)$. Then, it constructs message $M = \{U\_ID_i, t, C_1, C_2, f_i(1), f_i(2), \ldots, f_i(m), f_i(P)\}$ and sends it to $S_j$.

4) The Server Authentication Stage: When receiving the authentication message from $U_i$, $S_j$ obtains current timestamp $t_{now}$ and performs the following steps to verify $U_i$'s login message:

$S_j$ checks $U_i$'s identity $U\_ID_i$ and determines whether $t_{now} - t < \Delta T$. If both hold, $S_j$ computes $P = (C_1)^{S\_SK_j} \pmod{p}$.

$S_j$ uses the $m + 1$ points $\{(1, f_i(1)), (2, f_i(2)), \ldots, (m, f_i(m)), (P, f_i(P))\}$ from $U\_ID_i$ to reconstruct the interpolating polynomial

$$f_i(X) = a_m X^m + a_{m-1} X^{m-1} + \cdots + a_1 X + a_0 \pmod{N}$$

$S_j$ checks to see whether $\dfrac{g^{C_2}}{(C_1)^{h(C_1,\,t)} \cdot (U\_R_i)} = 1$. If it holds, user $U_i$ is authentic. Otherwise, $U_i$ is rejected.

B. Attack

We show an impersonation attack on Tsaur et al.'s second protocol. First, an attacker $E$ forges a smart card as follows.

$E$ enters $U\_ID_i$, randomly chooses a password $U\_PW_{i(E)}$ and a number $r_{(E)}$, and computes two secrets as $U\_R_{i(E)} = g^{r_{(E)}} \pmod{p}$ and

)(mod_S

)(

_)(

pr U

E i

PW U E i

.

Though $E$ does not know each server's private key, he knows these servers' identities. Therefore, he uses each server's identity to replace the original corresponding private key in polynomial $f_i(X)$ and forms another polynomial $f_E(X)$ as shown in the following Equation (4).
