Comments on five smart card based password authentication protocols

In this paper, we use the ten security requirements proposed by Liao et al. for a smart card based authentication protocol to examine five recent works in this area. After analyses, we found that the protocols of Juang et al., Hsiang et al., Kim et al., and Li et al. all suffer from an offline password guessing attack if the smart card is lost, and the protocol of Xu et al. is subject to an insider impersonation attack.

Published by: ijcsis on Jun 12, 2010
Copyright:Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010

Comments on Five Smart Card Based Password Authentication Protocols

Yalin Chen
Institute of Information Systems and Applications, NTHU, Taiwan
d949702@oz.nthu.edu.tw

Jue-Sam Chou*
Dept. of Information Management, Nanhua University, Taiwan
jschou@mail.nhu.edu.tw
*: corresponding author

Chun-Hui Huang
Dept. of Information Management, Nanhua University, Taiwan
g6451519@mail.nhu.edu.tw

Abstract: In this paper, we use the ten security requirements proposed by Liao et al. for a smart card based authentication protocol to examine five recent works in this area. After analyses, we found that the protocols of Juang et al., Hsiang et al., Kim et al., and Li et al. all suffer from an offline password guessing attack if the smart card is lost, and the protocol of Xu et al. is subject to an insider impersonation attack.

Keywords- password authentication protocol; insider attack; smart card loss problem; password guessing attack

I. INTRODUCTION

Password authentication protocols have been widely adopted for a user to access a remote server over an insecure network. Recently, many smart card password authentication protocols [1-20] have been proposed, which emphasize a two-factor authentication mechanism to enhance the user end's security. One factor is the user-rememberable password while the other factor is the user-possessing smart card, which is a tamper-resistant device with storage and computational power. Moreover, recent studies investigated a weakness of a traditional password authentication protocol. That is, in the traditional one the server usually maintains a password or verification table to store user authentication data. However, this approach makes the system easily subject to an impersonation or stolen-verifier attack if the table is compromised.

In 2006, Liao et al. [2] identified ten security requirements to evaluate a smart card based password authentication protocol. We show them as follows.

R1. It needs no password or verification table in the server.
R2. The client can choose and change his password freely.
R3. The client needs not to reveal their password to the server even in the registration phase.
R4. The password should not be transmitted in plaintext over the network.
R5. It can resist insider (a legal user) attack.
R6. It can resist replay attack, password guessing attack, modification-verification-table attack, and stolen-verifier attack.
R7. The length of a password should be appropriate for memorization.
R8. It should be efficient and practical.
R9. It should achieve mutual authentication.
R10. It should resist offline password guessing attack even if the smart card is lost.

In their article, they also proposed a protocol to satisfy these ten security requirements. But Xiang et al. [9] demonstrated that their protocol suffers from both the replay attack and the password guessing attack. Other than theirs, many efforts to propose a secure protocol were made recently. For example, in 2008, Juang et al. [7] proposed an efficient password authenticated key agreement using bilinear pairings. In 2009, Hsiang et al. [14], Kim et al. [16], and Xu et al. [18] each also proposed a protocol of this kind. In 2010, Li et al. [20] also proposed a protocol in this area. Although they claimed their protocols are secure, in this paper we will show some weaknesses in [18], [7], [14], [16], [20], correspondingly.

The remainder of this paper is organized as follows: In Section II, we review and attack the scheme of Juang et al. [7]. Then we review and attack the protocols of Hsiang et al. [14], Kim et al. [16], Xu et al. [18], and Li et al. [20] in Sections III through VI, respectively. Finally, a conclusion is given in Section VIII.

II. REVIEW AND ATTACK ON JUANG ET AL.'S SCHEME

In their scheme [7], if an attacker gets C's smart card, he can successfully launch an offline password guessing attack. Hence, the scheme cannot satisfy requirement R10. In the following, we first review Juang et al.'s protocol and then show the attack on the protocol.

A. Review

Their protocol consists of four phases: the setup phase, the registration phase, the login and authentication phase, and the password changing phase.

In the setup phase, server S chooses two secrets $s$, $x$ and publishes $P_s = sP$, where $P$ is a generator of an additive cyclic group $G_1$ with a prime order $q$. S also publishes a secure hash function $H(\cdot)$.

In the registration phase, user i registers his $ID_i$ and $H(PW_i, b)$ to server S. S issues a smart card which contains $b_i$ ($b_i = E_x[H(PW_i, b), ID_i, H(H(PW_i, b), ID_i)]$, where $E_x[M]$ is a ciphertext of M encrypted by S's secret key $x$), and $b$ (a random number chosen by i).

When i wants to log into S, i starts the login and authentication phase, and sends $\{aP, \alpha\}$ to S, where $a$ is a random number chosen by i, $\alpha = E_{Ka}[b_i]$, $Ka = H(aP, P_s, Q, e(P_s, aQ))$, $e: G_1 \times G_1 \to G_2$ is a bilinear mapping, $Q = h(ID_s)$, $h(\cdot)$ is a map-to-point hash function, $h: \{0,1\}^* \to G_1$, and $ID_s$ is S's identification. Subsequently, S chooses a random number , computes the session key $sk = H(H(aP, P_s, Q, e(aP, sQ)), , ID_i, ID_s) = H(Ka, , ID_i, ID_s)$ since $e(P_s, aQ) = e(aP, sQ)$, and sends $\{Auth_s, \}$ to user i, where $Auth_s = H(Ka, H(PW_i, b), , sk)$, and $H(PW_i, b)$ is obtained from decrypting $\alpha$ and $b_i$. Then, i computes the session key $sk$. To authenticate S, user i verifies $Auth_s$ to see if it is equal to $H(Ka, H(PW_i, b), , sk)$. If it is, i computes and sends $\{Auth_i\}$ to S, where $Auth_i = H(Ka, H(PW_i, b), +1, sk)$ and $H(PW_i, b)$ is the hash result of $b$ stored in the smart card with $PW_i$ inputted by i. Finally, to authenticate i, S checks to see if $Auth_i$ is equal to $H(Ka, H(PW_i, b), +1, sk)$.

B. Attack

In the protocol, suppose that user C lost his smart card and the card is obtained by an insider E; E can then impersonate C to log into S without any detection. We show the attack in the following.

E first reads out $b$ and $b_c$ (which equals $E_x[H(PW_c, b), ID_c, H(H(PW_c, b), ID_c)]$) stored in C's smart card, but he doesn't have the knowledge of $PW_c$.

In the login and authentication phase, E chooses a random number $c$, computes $cP$, $Kc = H(cP, P_s, Q, e(P_s, cQ))$, $\alpha = E_{Kc}[b_c]$, and sends $\{cP, \alpha\}$ to S. After receiving the message, S chooses a random number , computes session key $sk = H(Kc, , ID_c, ID_s)$, $Auth_s = H(Kc, H(PW_c, b), , sk)$, and sends $\{Auth_s, \}$ to C. E intercepts the message and launches an off-line password guessing attack as follows.

E chooses a candidate password $PW'$ from a dictionary, computes $Kc = H(cP, P_s, Q, e(P_s, cQ))$, $sk = H(Kc, , ID_c, ID_s)$, $H(Kc, H(PW', b), , sk)$ and checks to see if it is equal to the received $Auth_s$. If it is, the attacker successfully gets C's password $PW_c$, which is equal to $PW'$. Subsequently, E can masquerade as C by using $PW'$ and C's smart card to log into S. That is, Juang et al.'s scheme cannot satisfy the security requirement R10: It should resist password guessing attack even if the smart card is lost.

III. REVIEW AND ATTACK ON THE PROTOCOL OF HSIANG ET AL.'S SCHEME

In this section, we first review Hsiang et al.'s protocol [14] and then demonstrate a smart card lost and offline password guessing attack on the protocol.

A. Review

In the protocol, when user C wants to change his password, he inserts his card and types his $ID$ and $PW$. The smart card computes $P^{*} = R\ H(b\ PW)$, and ${}^{*} = H(P^{*}\ H(PW))$, and compares ${}^{*}$ with , where $PW$ is C's old password, and $R$, $b$, and are stored in C's smart card. If they are equal, the card verifies user C and accepts his password change request. The card subsequently asks C for a new password $PW^{*}$ and then computes $R_{new} = P^{*}\ H(b\ PW^{*})$ and ${}_{new} = H(P^{*}\ H(PW^{*}))$. Finally, the card replaces with ${}_{new}$.

B. Attack

Assume that an attacker E gets C's smart card, reads the values of $R$, $b$, and , and then launches an offline password guessing attack as follows. E chooses a candidate password $PW'$ from a dictionary, computes $P' = R\ H(b\ PW')$ and $V' = H(P'\ H(PW'))$, and checks to see if $V'$ and are equal. If they are, $PW'$ is the correct password.

IV. REVIEW AND ATTACK ON THE PROTOCOL OF KIM ET AL.'S SCHEME

In this section, we first review Kim et al.'s protocol [16] and then demonstrate a smart card lost and offline password guessing attack on the protocol.

A. Review

In their protocol, when user C wants to change his password, he inserts his card and types his $ID$ and $PW$. The smart card computes ${}^{*}_{1} = R\ H(PW)$ and compares ${}^{*}_{1}$ with ${}_{1}$ to see if they are equal, where $R$ ($= {}_{1}\ H(PW_c)$) and ${}_{1}$ ($= H(ID\ x)\ N$) are stored in C's smart card, $PW_c$ is chosen by the user when he registers himself to the remote server S, and $N$ is a random number. If they are equal, the card verifies user C and accepts his password change request. C subsequently asks C a new password $PW^{*}$, and then computes $R^{*} = {}^{*}_{1}\ H(PW^{*})$ and ${}^{*}_{2} = {}_{2}\ H(PW\ H(PW))\ H(PW^{*}\ H(PW^{*}))$, where ${}_{2} = H(ID\ x\ N)\ H(PW_c\ H(PW_c))$ is also stored in C's smart card. Finally, the smart card will replace $R$ and ${}_{2}$ with $R^{*}$ and ${}^{*}_{2}$, respectively.

B. Attack

An attacker E who gets C's smart card reads the values of $R$, ${}_{1}$, and ${}_{2}$, and then launches an offline password guessing attack as follows. E chooses a candidate password $PW'$ from a dictionary, computes $K'_1 = R\ H(PW')$, and checks to see if $K'_1$ and ${}_{1}$ are equal. If they are, $PW'$ is the correct password.

V. REVIEW AND ATTACK ON THE PROTOCOL OF XU ET AL.'S SCHEME

Xu et al.'s protocol [18] cannot satisfy security requirements R3 (The client needs not to reveal their password to the server) and R5 (It can resist insider attack). We show the scheme and its violations as follows.

A. Review

Xu et al.'s protocol [18] consists of three phases: the registration phase, the login phase, and the authentication phase.

In the registration phase, user C submits his $ID_c$ and $PW_c$ to the server S. S issues C a smart card which stores C's identity $ID_c$, and $B = H(ID_c)^{x} + H(PW_c)$, where $x$ is S's secret key and $PW_c$ is C's password.

In the login phase, user C inputs $ID_c$ and $PW_c$ to his smart card. The card obtains timestamp , chooses a random number $v$, computes $B_c = (B - H(PW_c))^{v} = H(ID_c)^{xv}$, $= H(ID_c)^{v}$, and ${}_{1} = H(, B_c, , ID_c)$, and sends $\{ID_c, {}_{1}, , \}$ to S.

In the authentication phase, after receiving $\{ID_c, {}_{1}, , \}$ at time ${}^{*}$, S computes $B_s = {}^{x}$, and checks to see if $ID_c$ is valid, ${}^{*} < T$, and ${}_{1}$ is equal to $H(, B_s, , ID_c)$. If they are, S selects a random number $m$, gets timestamp ${}_{s}$, computes $M = H(ID_c)^{m}$, ${}_{s} = H(M, B_s, {}_{s}, ID_c)$, and sends $\{ID_c, {}_{s}, , {}_{s}\}$ to C. After receiving the message, C verifies $ID_c$ and ${}_{s}$, computes $H(M, B_c, {}_{s}, ID_c)$, and compares it with the received ${}_{s}$. If they are equal, S is authentic. Then, C and S can compute the common session key as $sk = H(ID_c, , , v)$ and $sk = H(ID_c, , , m)$, respectively.

B. Weaknesses

First, the scheme obviously violates security requirement R3 since the client transmits the clear password in the registration phase.

Second, we show an impersonation attack on the scheme below. Assume that a malicious insider U wants to masquerade as C to access S's resources. He reads $B$ from his smart card, obtains the system's timestamp ${}_{u}$, chooses a random number , computes $B_u = (B - H(PW_u)) = H(ID_u)^{xr}$, $= H(ID_c)$, ${}_{1} = H({}_{u}, B_u, , ID_c)$, and sends $\{ID_c, {}_{1}, , {}_{u}\}$ to S. After receiving the message, S validates $ID_c$ and ${}_{u}$, computes $B_s = {}^{x} = H(ID_c)^{rx}$, and checks to see if the received ${}_{1}$ is equal to the computed $H({}_{u}, B_s, , ID_c)$. In this case, we can see that ${}_{1}$ is obviously equal to $H({}_{u}, B_s, , ID_c)$. Hence, U (who masquerades as C) is authentic. Finally, S obtains timestamp ${}_{s}$ and sends $\{ID_c, {}_{s}, , {}_{s}\}$ to U, where $M = H(ID_c)^{m}$ and $m$ is a random number chosen by S. U also can compute the session key as $sk = H(ID_c, , , )$ shared with S. Therefore, user U's insider impersonation attack succeeds.

VI. REVIEW AND ATTACK ON THE PROTOCOL OF LI ET AL.'S SCHEME

In this section, we first review the registration phase, login phase and authentication phase of the protocol in Li et al.'s [20], and then present our attack on the protocol.

A. Review

In the registration phase, user C submits his $ID_c$, $PW_c$, and his personal biometric $B_c$ to the server S. S issues a smart card for C, which stores the values of $ID_c$, $f_c = H(B_c)$, and $e_c = H(ID_c, x)\ H(PW_c, f_c)$, where $x$ is S's secret key.

In the login phase, user C keys $ID_c$ and $PW_c$ to his smart card and inputs his personal biometric $B_c$ on the specific device to check if $H(B_c)$ is equal to $f_c$ stored in the smart card. If it is, the card selects a random number $R_c$, computes $M_1 = e_c\ H(PW_c, f_c) = H(ID_c, x)$, ${}_{2} = {}_{1}\ R_c$, and sends $\{ID_c, {}_{2}\}$ to S.

In the authentication phase, after receiving $\{ID_c, {}_{2}\}$, S checks to see if $ID_c$ is valid. If it is, S chooses a random number $R_S$, computes $M_3 = H(ID_c, x)$, ${}_{4} = {}_{2}\ M_3 = R_c$, ${}_{5} = M_3\ R_S$, $= H(M_2, {}_{4})$, and sends $\{M_5, \}$ to C. After receiving S's message, C verifies whether is equal to $H(M_2, R_c)$. If it is, S is authentic. C then computes $M = M_5\ M_1 = M_3\ R_S\ M_1 = H(ID_c, x)\ R_S\ H(ID_c, x) = R_S$, ${}_{8} = H(M_5, )$, and sends $\{M_8\}$ to S. After receiving C's message, S verifies whether ${}_{8}$ is equal to $H(M_5, R_s)$. If it is, C is authentic. S then accepts C's login request.

B. Attack

Assume that an attacker E gets C's smart card and reads the values of $ID_c$, $f_c$ and $e_c$. He can launch an offline password guessing attack by sending only one login request to the server. We show the attack as follows.

E chooses a random number ${}_{e}$ and sends $\{ID_c, M_e\}$ to S. After receiving the message, S checks to see if $ID_c$ is valid. If it is, S chooses a random number $R_S$, computes $M_3 = H(ID_c, x)$, $M_4 = {}_{e}\ M_3$, ${}_{5} = {}_{3}\ R_S$, $= H(M_e, {}_{4})$, and sends $\{M_5, M\}$ to E. After receiving S's message, E terminates the communication, chooses a candidate password $PW'$ from a dictionary, computes $M' = H(M_e, M_e\ e_c\ H(PW', f_c))$, and compares to see if $M'$ is equal to $M$. If they are, $PW'$ is the correct password, since ${}_{e}\ e_c\ H(PW', f_c) = M_e\ H(ID_c, x)\ H(PW_c, f_c)\ H(PW', f_c)$. If $PW' = PW_c$, then the equation equals $M_e\ H(ID_c, x)$, which equals $M_e\ M_3 = {}_{4}$. That is, $M' = H(M_e, {}_{4}) = M$.

VII. CONCLUSION

Smart-card based password authentication protocols provide a two-factor authentication mechanism to improve the user end's security over the traditional ones. Liao et al. proposed ten security requirements to evaluate this kind of protocol. According to these ten requirements, we investigate five recent schemes. Juang et al.'s scheme suffers from the smart card lost and impersonation attack. Kim et al.'s, Hsiang et al.'s, and Li et al.'s schemes are subject to the smart card lost and offline password guessing attack. Finally, Xu et al.'s scheme has the weakness of an insider impersonation attack.

REFERENCES

 
[1] H. Y. Chien, C. H. Chen, "A Remote Authentication Preserving User Anonymity," Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA '05), Vol. 2, pp. 245-248, March 2005.
[2] I. E. Liao, C. C. Lee, M. S. Hwang, "A password authentication scheme over insecure networks", Journal of Computer and System Sciences, Vol. 72, No. 4, pp. 727-740, June 2006.
http://sites.google.com/site/ijcsis/ ISSN 1947-5500
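
Added example for the check described in Section II.B (not part of the original paper): a Python model showing why one captured server reply plus the card value b works as an offline password verifier, which is what requirement R10 rules out. Assumptions: SHA-256 stands in for H, the pairing-derived key Kc is modelled as an opaque byte string known to whoever chose c, the server's random number is called `nonce` here, and all identifiers and sample values are constructed.

```python
import hashlib
import hmac
import os


def H(*fields: bytes) -> bytes:
    """Stand-in for the scheme's H(): SHA-256 over length-prefixed fields."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def server_reply(kc: bytes, hpw: bytes, id_c: bytes, id_s: bytes):
    """Server side of the login phase: returns the message {Auth_s, nonce}.

    hpw is H(PW_c, b), which the server recovers by decrypting alpha and b_c.
    """
    nonce = os.urandom(16)                 # server's random number (name assumed)
    sk = H(kc, nonce, id_c, id_s)          # session key
    return H(kc, hpw, nonce, sk), nonce    # Auth_s = H(Kc, H(PW_c, b), nonce, sk)


def reproduces_auth_s(guess, card_b, kc, id_c, id_s, auth_s, nonce) -> bool:
    """Recompute Auth_s from a candidate password with no server contact."""
    sk = H(kc, nonce, id_c, id_s)
    return hmac.compare_digest(H(kc, H(guess, card_b), nonce, sk), auth_s)


def r10_findings(candidates, card_b, kc, id_c, id_s, auth_s, nonce):
    """Candidates that one transcript confirms offline; non-empty means R10 fails."""
    return [pw for pw in candidates
            if reproduces_auth_s(pw, card_b, kc, id_c, id_s, auth_s, nonce)]


# Constructed sample values, not taken from the paper.
ID_C, ID_S = b"user-C", b"server-S"
CARD_B = bytes.fromhex("00112233445566778899aabbccddeeff")  # b, stored on the card
REGISTERED_PW = b"tulip2010"
KC = H(b"placeholder for H(cP, Ps, Q, e(Ps, cQ))")          # known to whoever chose c
AUTH_S, NONCE = server_reply(KC, H(REGISTERED_PW, CARD_B), ID_C, ID_S)
CANDIDATES = [b"123456", b"tulip2010", b"letmein"]

if __name__ == "__main__":
    print(r10_findings(CANDIDATES, CARD_B, KC, ID_C, ID_S, AUTH_S, NONCE))
```

A non-empty result means the reply can be tested against password candidates without the server seeing a single failed login, so server-side attempt limits never come into play.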
