(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
Comments on Five Smart Card Based PasswordAuthentication Protocols
Yalin Chen
Institute of Information Systems andApplications, NTHU, Tawaind949702@oz.nthu.edu.tw
Jue-Sam Chou
*
Dept. of Information ManagementNanhua University, Taiwan jschou@mail.nhu.edu.tw
*
:
corresponding author
Chun-Hui Huang
Dept. of Information ManagementNanhua University, Taiwang6451519@mail.nhu.edu.tw
Abstract
¡In this paper, we use the ten security requirementsproposed by Liao et al. for a smart card based authenticationprotocol to examine five recent work in this area. After analyses,we found that the protocols of Juang et al.¡s , Hsiang et al.¡s,Kim et al.¡s, and Li et al.¡s all suffer from offline passwordguessing attack if the smart card is lost, and the protocol of Xu etal.¡s is subjected to an insider impersonation attack.
Keywords- password authentication protocol; insider attack; smart card loss problem; password guessing attack
I.
I
NTRODUCTION
Password authentication protocols have been widelyadopted for a user to access a remote server over an insecurenetwork. In recent, many smart card password authenticationprotocols [1-20] are proposed, which emphasizes two-factorauthentication mechanism to enhance the user end¡s security.One factor is the user-rememberable password while the otherfactor is the user-possessing smart card which is a tamper-resistant device with storage and computational power.Moreover, recent studies investigated a weakness of atraditional password authentication protocol. That is, in thetraditional one the server usually maintains a password orverification table to store user authentication data. However,this approach will make the system easily subjected toimpersonation or stolen-verifier attack if the table iscompromised.In 2006, Liao et al. [2] identified ten security requirementsto evaluate a smart card based password authentication protocol.We show them as follows.R1. It needs no password or verification table in the server.R2. The client can choose and change his password freely.R3. The client needs not to reveal their password to the servereven in the registration phase.R4. The password should not be transmitted in plaintext overthe network.R5. It can resist insider (a legal user) attack.R6. It can resist replay attack, password guessing attack,modification-verification-table attack, and stolen-verifierattack.R7. The length of a password should be appropriate formemorization.R8. It should be efficient and practical.R9. It should achieve mutual authentication.R10. It should resist offline password guessing attack even if the smart card is lost.In their article, they also proposed a protocol to satisfythese ten security requirements. But Xiang et al. [9]demonstrated that their protocol suffers from both the replayattack and the password guessing attack. Other than theirs,many efforts trying to propose a secure protocol were maderecently. For example in 2008, Juang et al. [7] proposed anefficient password authenticated key agreement using bilinearpairings. In 2009, Hsiang et al. [14], Kim et al. [16], and Xu etal. [18] each also proposed a protocol of this kind, respectively.In this year 2010, Li et al.[20] also proposed a protocol in thisarea. Although they claimed their protocols are secure.However, in this paper, we will show some weaknesses in [18],[7], [14], [16], [20], correspondingly.The remainder of this paper is organized as follows: InSection II, we review and attack on the scheme of Juang etal
.
¡s [7]. Then we review and attack on the protocols of Hsiang
et al. ¡s [14], Kim et al. [16], Xu
et al. ¡s [18], and Li etal. ¡s [20] in Section III through VI, respectively. Finally, aconclusion is given in Section VIII.II.
R
EVIEW AND ATTACK ON
J
UANG ET AL
.'
S SCHEME
In their scheme [7], if an attacker gets C¡s smart card, hecan successfully launch an offline password guessing attack.Hence, the scheme cannot satisfy requirement R10. In thefollowing, we first review Juang
et al.
¡s protocol and thenshow the attack on the protocol.
A.
Review
Their protocol consists of four phases: the setup phase, theregistration phase, the login and authentication phase, and thepassword changing phase.In the setup phase, server S chooses two secrets
s
,
x
andpublishes
P
s
=
sP
, where
P
is a generator of an additive cyclic
129http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
group
G
1
with a prime order
q
. S also publish a secure hashfunction H(¡).In the registration phase, user i register his
ID
i
and H(
PW
i
,
b
)to server S. S issues a smart card which contains
b
i
(
b
i
=E
x
[H(
PW
i
,
b
),
ID
i
, H(H(
PW
i
,
b
),
ID
i
)], E
x
[M] which is aciphertext of M encrypted by S¡s secret key
x
), and
b
(a randomnumber chosen by i).When i wants to login into S, i starts the login andauthentication phase, and sends {
aP
,
α
} to S, where
a
is arandom number chosen by i,
α
= E
Ka
[
b
i
],
Ka
= H(
aP
,
P
s
,
Q
,e(
P
s
,
aQ
)),
e:
G
1
¡
G
1
→
G
2
is a bilinear mapping,
Q
= h(
ID
s
), h(¡)is a map-to-point hash function,
h:{0,1}*→
G
1
, and
ID
s
is S¡sidentification. Subsequently, S chooses a random number
r
,computes the session key
sk
= H(H(
aP
,
P
s
,
Q
, e(
aP
,
sQ
)),
r
,
ID
i
,
ID
s
) = H(
Ka
,
r
,
ID
i
,
ID
s
) since e(
P
s
,
aQ
) = e(
aP
,
sQ
) , and sends{
Auth
s
,
r
} to user i, where
Auth
s
= H(
Ka
, H(
PW
i
,
b
),
r
,
sk
), andH(
PW
i
,
b
) is obtained from decrypting
α
and
b
i
. Then, icomputes the session key
sk
. To authenticate S, user i verifies
Auth
s
to see if it is equal to H(
Ka
, H(
PW
i
,
b
),
r
,
sk
). If it is, icomputes and sends {
Auth
i
} to S, where
Auth
i
= H(
Ka
, H(
PW
i
,
b
),
r
+1,
sk
) and H(
PW
i
,
b
) is the hash result of
b
stored in thesmart card with
PW
i
inputted by i. Finally, to authenticating i, Schecks to see if
Auth
i
is equal to H(
Ka
, H(
PW
i
,
b
),
r
+1,
sk
).
B.
Attack
In the protocol, supposed that user C lost his smart card andthe card is got by an insider E, E can impersonate C to logininto S without any detection. We show the attack in thefollowing.E first reads out
b
and
b
c
(which equals E
x
[H(
PW
c
,
b
),
ID
c
,H(H(
PW
c
,
b
),
ID
c
)]) stored in C¡s
smart card but he doesn¡thave the knowledge of
PW
c
.In the login and authentication phase, E chooses a randomnumber
c
, computes
cP
,
Kc
= H(
cP
,
P
s
,
Q
, e(
P
s
,
cQ
)),
α
=E
Kc
[
b
c
], and sends {
cP
,
α
} to S. After receiving the message, Schooses a random number
r
, computes session key
sk
= H(
Kc
,
r
,
ID
c
,
ID
s
),
Auth
s
= H(
Kc
, H(
PW
c
,
b
),
r
,
sk
), and sends {
Auth
s
,
r
}to C. E intercepts the message and launches an off-linepassword guessing attack as follows.E chooses a candidate password
PW'
from a dictionary,computes
Kc
= H(
cP
,
P
s
,
Q
, e(
P
s
,
cQ
)),
sk
= H(
Kc
,
r
,
ID
c
,
ID
s
),H(
Kc
, H(
PW'
,
b
),
r
,
sk
) and checks to see if it is equal to thereceived
Auth
s
. If it is, the attacker successfully gets C¡spassword
PW
c
which is equal to
PW'
. Subsequently, E canmasquerade as C by using
PW'
and C¡s smart card to log into S.That is, Juang et al.¡s cannot satisfy the security requirementR10: It should resist password guessing attack even if the smartcard is lost.III.
R
EVIEW AND ATTACK ON THE PROTOCOL OF
H
SIANG ETAL
.'
S SCHEME
In this section, we first review Hsiang
et al
.¡s protocol [14]and then demonstrate a smart card lost and offline passwordguessing attack on the protocol.
A.
Review
In the protocol, when user C wants to change his password,he inserts his card and types his
ID
and
PW
. The smart cardcomputes
P
* =
R
⊕
H(
b
⊕
PW
), and
V
* = H(
P
*
⊕
H(
PW
)), andcompares
V
* with
V
, where
PW
is C¡s old password, and
R
,
b
,and
V
are stored in C¡s smart card. If they are equal, the cardverifies user C and accepts his password change request. Thecard subsequently ask C a new password
PW*
and thencomputes
R
new
=
P
*
⊕
H(
b
⊕
PW
*) and
V
new
= H(
P
*
⊕
H(
PW*
)). Finally, the card replaces
V
with
V
new
.
B.
Attack
Assume that an attacker E who gets C¡s smart card, readsthe values of
R
,
b
,
and
V
,
and then launches an offlinepassword guessing attack as follows. E chooses a candidatepassword
PW'
from a dictionary, computes
P'
=
R
⊕
H(
b
⊕
PW'
) and
V'
= H(
P'
⊕
H(
PW'
)), and checks to see if
V'
and
V
are equal. If they are,
PW'
is the correct password.IV.
R
EVIEW AND ATTACK ON THE PROTOCOL OF
K
IM ETAL
.'
S SCHEME
In this section, we first review Kim
et al
.¡s protocol [16]and then demonstrate a smart card lost and offline passwordguessing attack on the protocol.
A.
Review
In their protocol, when user C wants to change hispassword, he inserts his card and types his
ID
and
PW
. Thesmart card computes
K
*
1
=
R
⊕
H(
PW
) and compares
K
*
1
with
K
1
to see if they are equal, where
R
(=
K
1
⊕
H(
PW
c
)) and
K
1
(=H(
ID
⊕
x
)
⊕
N
) are stored in C¡s smart card,
PW
c
is chosenby the user when he registers himself to the remote server S,and
N
is a random number. If they are equal, the card verifiesuser C and accepts his password change request. Csubsequently asks C a new password
PW
*, and then computes
R
* =
K
*
1
⊕
H(
PW
*) and
K
*
2
=
K
2
⊕
H(
PW
⊕
H(
PW
))
⊕
H(
PW
*
⊕
H(
PW
*)), where
K
2
=
H(
ID
⊕
x
⊕
N
)
⊕
H(
PW
c
⊕
H(
PW
c
)) isalso stored in C¡s smart card. Finally, the smart card willreplace
R
and
K
2
with
R
* and
K
*
2
, respectively.
B.
Attack
An attacker E who gets C¡s smart card, reads the values of
R
,
K
1
, and
K
2
, and then launches an offline password guessingattack as follows. E chooses a candidate password
PW'
from adictionary, computes
K'
1
=
R
⊕
H(
PW'
), and checks to see if
K'
1
and
K
1
are equal. If they are,
PW'
is the correct password.V.
R
EVIEW AND ATTACK ON THE PROTOCOL OF
X
U ET AL
.'
SSCHEME
Xu
et al
.¡s protocol [18] can not satisfy securityrequirements R3 (The client needs not to reveal their passwordto the server) and R5 (It can resist insider attack). We showthe scheme and its violations as follows.
130http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
A.
Review
Xu
et al.
¡s protocol [18] consists of three phases: theregistration phase, the login phase, and the authenticationphase.In the registration phase, user C submits his
ID
c
and
PW
c
to the server S. S issues C a smart card which stores C¡sidentity
ID
c
, and
B
= H(
ID
c
)
x
+ H(
PW
c
), where
x
is S¡s secretkey and
PW
c
is C¡s password.In the login phase, user C inputs
ID
c
and
PW
c
to his smartcard. The card obtains timestamp
T
, chooses a random number
v
, computes
B
c
= (
B
¡H(
PW
c
))
v
= H(
ID
c
)
x v
,
W
= H(
ID
c
)
v
, and
C
1
= H(
T
,
B
c
,
W
,
ID
c
), and sends {
ID
c
,
C
1
,
W
,
T
} to S.In the authentication phase, after receiving {
ID
c
,
C
1
,
W
,
T
}at time
T
*, S computes
B
s
=
W
x
, and checks to see if
ID
c
isvalid,
T
*
−
T
<
∆
T, and
C
1
is equal to H(
T
,
B
s
,
W
,
ID
c
). If theyare, S selects a random number
m
, gets timestamp
T
s
,computes
M
= H(
ID
c
)
m
,
C
s
= H(
M
,
B
s
,
T
s
,
ID
c
), and sends {
ID
c
,
C
s
,
M
,
T
s
} to C. After receiving the message, C verifies
ID
c
and
T
s
, computes H(
M
,
B
c
,
T
s
,
ID
c
), and compares it with thereceived
C
s
. If they are equal, S is authentic. Then, C and Scan compute the common session key as
sk
= H(
ID
c
,
M
,
W
,
M
v
)and
sk
= H(
ID
c
,
M
,
W
,
W
m
), respectively.
B.
Weaknesses
First, the scheme obviously violates security requirementR3 since the client transmits clear password in the registrationphase.Second, we show an impersonation attack on the schemebelow. Assume that a malicious insider U wants tomasquerade as C to access S¡s resources. He reads
B
from hissmart card, obtains system¡s timestamp
T
u
, chooses a randomnumber
r
, computes
B
u
= (
B
¡H(
PW
u
))
r
= H(
ID
u
)
xr
,
W
= H(
ID
c
)
r
,
C
1
= H(
T
u
,
B
u
,
W
,
ID
c
), and sends {
ID
c
,
C
1
,
W
,
T
u
} to S.After receiving the message, S validates
ID
c
and
T
u
,computes
B
s
=
W
x
= H(
ID
c
)
r x
, and checks to see if the received
C
1
is equal to the computed H(
T
u
,
B
s
,
W
,
ID
c
). In this case, wecan see that
C
1
is obviously equal to H(
T
u
,
B
s
,
W
,
ID
c
). Hence,U (who masquerades as C) is authentic. Finally, S obtainstimestamp
T
s
and sends {
ID
c
,
C
s
,
M
,
T
s
} to U, where
M
=H(
ID
c
)
m
and
m
is a random number chosen by S. U also cancompute the session key as
sk
= H(
ID
c
,
M
,
W
,
M
r
) shared withS. Therefore, user U¡s insider impersonation attack succeeds.VI.
R
EVIEW AND ATTACK ON THE PROTOCOL OF
L
I ET AL
.'
SSCHEME
In this section, we first review the registration phase, loginphase and authentication phase of the protocol in Li
et al
.¡s[20], and then present our attack on the protocol.
A.
Review
In the registration phase, user C submits his
ID
c
,
PW
c
, andhis personal biometric
B
c
to the server S. S issues a smart cardfor C, which stores the values of
ID
c
,
f
c
= H(
B
c
), and
e
c
=H(
ID
c
,
x
)
⊕
H(
PW
c
,
f
c
), where
x
is S¡s secret key.In the login phase, user C keys
ID
c
and
PW
c
to his smartcard and inputs his personal biometric
B
c
on the specificdevice to check if H(
B
c
) is equal to
f
c
stored in the smart card.If it is, the card selects a random number
R
c
, computes
M
1
=
e
c
⊕
H(
PW
c
,
f
c
) = H(
ID
c
,
x
),
M
2
=
M
1
⊕
R
c
, and sends {
ID
c
,
M
2
}to S.In the authentication phase, after receiving {
ID
c
,
M
2
}, Schecks to see if
ID
c
is valid. If it is, S chooses a randomnumber
R
S
, computes
M
3
= H(
ID
c
,
x
),
M
4
=
M
2
⊕
M
3
=
R
c
,
M
5
=
M
3
⊕
R
S
,
M
6
= H(
M
2
,
M
4
), and sends {
M
5
,
M
6
} to C. Afterreceiving S¡s message, C verifies whether
M
6
is equal to H(
M
2
,
R
c
). If it is, S is authentic. C then computes
M
7
=
M
5
⊕
M
1
=
M
3
⊕
R
S
⊕
M
1
= H(
ID
c
,
x
)
⊕
R
S
⊕
H(
ID
c
,
x
) =
R
S
,
M
8
= H(
M
5
,
M
7
),and sends {
M
8
} to S. After receiving C¡s message, S verifieswhether
M
8
is equal to H(
M
5
,
R
s
). If it is, C is authentic. S thenaccepts C¡s login request.
B.
Attack
Assume that an attacker E gets C¡s smart card and readsthe values of
ID
c
,
f
c
and
e
c
. He can launch an offline passwordguessing attack by sending only one login request to the server.We show the attack as follows.E chooses a random number
M
e
and sends {
ID
c
,
M
e
} to S.After receiving the message, S checks to see if
ID
c
is valid. If it is, S chooses a random number
R
S
, computes
M
3
= H(
ID
c
,
x
),
M
4
=
M
e
⊕
M
3
,
M
5
=
M
3
⊕
R
S
,
M
6
= H(
M
e
,
M
4
), and sends {
M
5
,
M
6
} to E. After receiving S¡s message, E terminates thecommunication, chooses a candidate password
PW'
from adictionary, computes
M'
= H(
M
e
,
M
e
⊕
e
c
⊕
H(
PW'
,
f
c
)), andcompares to see if
M'
is equal to
M
6
. If they are,
PW'
is thecorrect password, since
M
e
⊕
e
c
⊕
H(
PW'
,
f
c
) =
M
e
⊕
H(
ID
c
,
x
)
⊕
H(
PW
c
,
f
c
)
⊕
H(
PW'
,
f
c
). If
PW'
=
PW
c
, then the equationequals to
M
e
⊕
H(
ID
c
,
x
) which equals to
M
e
⊕
M
3
=
M
4
. That is,
M'
= H(
M
e
,
M
4
) =
M
6
.VII.
C
ONCLUSION
Smart-card based password authentication protocolsprovide two-factor authentication mechanism to improve theuser end¡s security than the traditional ones. Liao et al.proposed ten security requirements to evaluate this kind of protocols. According these ten requirements, we investigaterecent five schemes. Juang et al.¡s scheme suffers smart cardlost and impersonation attack. Kim et al.¡s, Hsiang et al.¡s,and Li et al.¡s schemes are subjected to smart card lost andoffline password guessing attack. Finally, Xu et al.¡s schemehas weakness of insider impersonation attack.R
EFERENCES
[1]
H. Y. Chien, C. H. Chen, ¡A Remote Authentication Preserving UserAnonymity,¡
Proceedings of the 19th International Conference on Advanced Information Networking and Applications
(AINA ¡05), Vol.2,pp. 245-248, March 2005.
[2]
I. E. Liao, C. C. Lee, M. S. Hwang, ¡A password authentication schemeover insecure networks¡,
Journal of Computer and System Sciences
, Vol.72, No. 4, pp. 727-740, June 2006.
131http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Comments on five smart card based password authentication protocols
In this paper, we use the ten security requirements proposed by Liao et al. for a smart card based authentication protocol to examine five recent work in this area. After analyses, we found that the protocols…
(More)
716
Reads
1
Readcasts
0
Embed Views
More From This User
Notes
Load more
