Cryptanalysis on four two-party authentication protocols

Published by: ijcsis on Jun 12, 2010
Copyright: Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 2, 2010
Cryptanalysis on Four Two-Party Authentication Protocols

Yalin Chen
Institute of Information Systems and Applications, NTHU, Taiwan
d949702@oz.nthu.edu.tw

Jue-Sam Chou*
Dept. of Information Management, Nanhua University, Taiwan
jschou@mail.nhu.edu.tw
*: corresponding author

Chun-Hui Huang
Dept. of Information Management, Nanhua University, Taiwan
g6451519@mail.nhu.edu.tw

Abstract: In this paper, we analyze four authentication protocols: those of Bindu et al., Goriparthi et al., Wang et al. and Holbl et al. Our investigation reveals several weaknesses in these schemes. First, Bindu et al.'s protocol suffers from an insider impersonation attack if a malicious user obtains a lost smart card. Second, neither Goriparthi et al.'s nor Wang et al.'s protocol can withstand a DoS attack in the password change phase, i.e. an attacker can invoke the phase so that the user's password can never be used in subsequent authentications. Third, Holbl et al.'s protocol is vulnerable to an insider attack, since a legal but malevolent user can deduce the KGC's secret key.

Keywords- password authentication protocol; insider attack; denial-of-service attack; smart card lost problem; mutual authentication; man-in-the-middle attack
I. INTRODUCTION

Authentication protocols allow two entities to ensure that the counterparty is the intended one with whom each attempts to communicate over an insecure network. These protocols can be considered from three dimensions: type, efficiency and security.

In general, there are two types of authentication protocols, the password-based and the public-key based. In a password-based protocol, a user registers his account and password with a remote server. Later, he can access the remote server if he can prove his knowledge of the password. The server usually maintains a password or verification table, but this makes the system easily subject to a stolen-verifier attack. To address this problem, recent studies suggest an approach without any password or verification table in the server. Moreover, to enhance password protection, recent studies also introduce a tamper-resistant smart card at the user end. In a public key-based system, a user registers himself with a trusted party, named the KGC (Key Generation Center), to obtain his public key and the corresponding private key. He can then be recognized by a network entity through his public key. To simplify key management, an identity-based public-key cryptosystem is usually adopted, in which the KGC issues the user's ID as his public key and computes the corresponding private key for the user.

Considering computational efficiency in an authentication protocol, researchers employ low-cost techniques such as secure one-way hash functions or symmetric key encryption rather than much more expensive computations like asymmetric key encryption (i.e., RSA, ECC, ElGamal, and bilinear pairings). Considering communication efficiency, it is usual to reduce the number of passes (rounds) of a protocol, since round efficiency is more significant than computation efficiency.

The most important dimension of an authentication protocol is its security: it should ensure secure communications between any two legal entities over an insecure network. Attackers can easily eavesdrop on, modify or intercept the communication messages on the open network. Hence, an authentication protocol should withstand various attacks, such as the password guessing attack, replay attack, impersonation attack, insider attack, and man-in-the-middle attack.

In the recent decade, many secure authentication protocols [1-41] have been proposed. In 2008, Bindu et al. [14] proposed an improvement on Chien and Chen's work [3]. Their protocol is a smart-card based password authentication protocol and employs a symmetric key cryptosystem. They claimed that their protocol is secure, provides user anonymity, and prevents various attacks: the replay attack, stolen-verifier attack, password guessing attack, insider attack, and man-in-the-middle attack. In 2009, Goriparthi et al. proposed a scheme [27] based on Das et al.'s protocol [2] that avoids the weakness existing in Chou et al.'s [5]. Goriparthi et al.'s protocol is also a smart card based password authentication protocol and is based on bilinear pairings. They claimed that their protocol is secure and can withstand the replay attack and insider attack. In the same year, Wang et al. [31] also proposed an improvement based on Das et al.'s protocol [2]. Their scheme is a smart card based password authentication protocol as well and uses a secure one-way hash function. Also in 2009, Holbl et al. [40] improved on two identity-based authentication protocols, Hsieh et al. [1] and Tseng et al. [8]. Their protocols are neither password-based nor smart card based. They employ an identity-based ElGamal cryptosystem. Although all of the above schemes are claimed to be secure, in this paper we demonstrate security vulnerabilities in the protocols of Bindu et al. [14], Goriparthi et al. [27], Wang et al. [31], and Holbl et al. [40], respectively.
133    http://sites.google.com/site/ijcsis/    ISSN 1947-5500
 
II. REVIEW AND ATTACK ON BINDU ET AL.'S PROTOCOL

In this section, we first review Bindu et al.'s protocol [14] and then show an insider attack launched by an insider who is supposed to have obtained another legal user's smart card.

A. Review

There are three phases in Bindu et al.'s protocol: the registration phase, the login phase, and the authentication phase.

In the registration phase, server S issues to user i a smart card which contains $m_i$ and $I_i$, where $m_i = H(ID_i) \oplus H(k) \oplus H(PW_i)$, $I_i = H(ID_i)$, $\oplus$ denotes bitwise XOR, and $k$ is S's secret key.

When i wants to log in to S, he starts the login phase and computes
$N_i = g^x$ ($x$ is a random number chosen by i),
$M = m_i \oplus H(PW_i)$,
$Z = M \oplus N_i$,
$R = I_i \oplus N_i = H(ID_i) \oplus N_i$, and
$E_R[N_i, ID_i, T]$ ($T$ is a timestamp, and $E_R[N_i, ID_i, T]$ is a ciphertext encrypted under the secret key $R$).
He then sends $\{T, Z, E_R[N_i, ID_i, T]\}$ to S.

In the authentication phase, after receiving $\{T, Z, E_R[N_i, ID_i, T]\}$ at time $T_s$, S computes
$R = Z \oplus H(k) = M \oplus N_i \oplus H(k) = m_i \oplus H(PW_i) \oplus N_i \oplus H(k) = H(ID_i) \oplus H(k) \oplus H(PW_i) \oplus H(PW_i) \oplus N_i \oplus H(k) = H(ID_i) \oplus N_i$,
decrypts $E_R[N_i, ID_i, T]$, checks that $T_s - T$ is less than the allowed interval, and compares $R$ with $H(ID_i) \oplus N_i$ to see if they are equal. If they are, S sends $\{T_s, E_R[T_s, N_i + 1, N_s]\}$ to i, where $N_s = g^y$ and $y$ is a random number chosen by S. After that, i verifies the validity of the timestamp $T_s$, decrypts $E_R[T_s, N_i + 1, N_s]$, and checks whether $N_i + 1$ is correct. If it is, S is authentic. Then, i sends $\{E_{K_{us}}[N_s + 1]\}$ to S, where $K_{us} = N_s^x = g^{xy}$. Finally, S decrypts the received message $\{E_{K_{us}}[N_s + 1]\}$ and checks whether the value of $N_s + 1$ is correct. If it is, i is authentic.
B. Attack

If C loses his smart card and the card is obtained by an insider E, E can impersonate C to log in to S. We show the attack in the following. C's smart card stores $m_c = H(ID_c) \oplus H(k) \oplus H(PW_c)$ and $I_c = H(ID_c)$, and E's smart card stores $m_e = H(ID_e) \oplus H(k) \oplus H(PW_e)$ and $I_e = H(ID_e)$. Suppose E gets C's smart card but does not know $PW_c$. E can choose a random number $x$ and compute
$N_c = g^x$,
$\delta = m_e \oplus I_e \oplus H(PW_e) = H(k)$,
$M = I_c \oplus \delta = H(ID_c) \oplus H(k)$, which equals $m_c \oplus H(PW_c)$,
$Z = M \oplus N_c$, and
$R = I_c \oplus N_c$.
Then, E masquerades as C by sending $\{T, Z, E_R[N_c, ID_c, T]\}$ to S. After receiving the message, S computes $R = Z \oplus H(k)$ and compares $R$ with $H(ID_c) \oplus N_c$. If they are equal, S sends C the message $\{T_s, E_R[T_s, N_c + 1, N_s]\}$. E intercepts the message, decrypts $E_R[T_s, N_c + 1, N_s]$, and uses $N_s$ to compute $K_{us} = N_s^x = g^{xy}$. E can then send a correct message $\{E_{K_{us}}[N_s + 1]\}$ to S, so that S authenticates him as C. In other words, insider E can successfully launch an insider attack if the user's smart card is lost.

For more clarity, we demonstrate why $R = Z \oplus H(k)$ is equal to $H(ID_c) \oplus N_c$ by the following equations:
$R = Z \oplus H(k)$
$= M \oplus N_c \oplus H(k)$ (since $Z = M \oplus N_c$)
$= I_c \oplus \delta \oplus N_c \oplus H(k)$ (since $M = I_c \oplus \delta$)
$= H(ID_c) \oplus \delta \oplus N_c \oplus H(k)$ (since $I_c = H(ID_c)$)
$= H(ID_c) \oplus H(k) \oplus N_c \oplus H(k)$ (since $\delta = H(k)$)
$= H(ID_c) \oplus N_c$.
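To make the cancellation concrete, here is a toy simulation of the login check above (an added example, not code from Bindu et al. or this paper): S's test reduces to $Z \oplus H(k) = H(ID_c) \oplus N_c$, a relation any registered user can satisfy on C's behalf once he has recovered $H(k)$ from his own card. The hash truncation, the toy Diffie-Hellman parameters and the omission of the $E_R$ decryption step are assumptions of the example.

```python
import hashlib
import secrets

# Toy model of the Bindu et al. login check. H is SHA-256 truncated to 16 bytes and
# the Diffie-Hellman value N = g^x is hashed to the same width before XOR (constructed).
P = 2**127 - 1   # constructed prime modulus for the toy Diffie-Hellman group
G = 3            # constructed generator

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dh_value() -> bytes:
    x = secrets.randbelow(P - 2) + 1
    return H(str(pow(G, x, P)).encode())     # N = g^x, reduced to XOR width

class Server:
    def __init__(self):
        self.k = secrets.token_bytes(16)      # S's long-term secret key k

    def register(self, id_: bytes, pw: bytes) -> dict:
        # Card contents: m_i = H(ID_i) xor H(k) xor H(PW_i), I_i = H(ID_i)
        return {"m": xor(xor(H(id_), H(self.k)), H(pw)), "I": H(id_)}

    def verify(self, Z: bytes, id_: bytes, N: bytes) -> bool:
        # S computes R = Z xor H(k) and compares it with H(ID_i) xor N_i. ID_i and
        # N_i are taken from the decrypted E_R[N_i, ID_i, T]; that step is elided.
        return xor(Z, H(self.k)) == xor(H(id_), N)

def honest_login(card: dict, pw: bytes) -> tuple:
    N = dh_value()
    M = xor(card["m"], H(pw))       # M = m_i xor H(PW_i) = H(ID_i) xor H(k)
    return xor(M, N), N             # Z = M xor N_i

def insider_login(own_card: dict, own_pw: bytes, lost_card: dict) -> tuple:
    # Any legal user recovers H(k) from his own card: m_e xor I_e xor H(PW_e) = H(k)
    Hk = xor(xor(own_card["m"], own_card["I"]), H(own_pw))
    N = dh_value()
    M = xor(lost_card["I"], Hk)     # I_c xor H(k) equals m_c xor H(PW_c), without PW_c
    return xor(M, N), N

def demo() -> dict:
    S = Server()
    card_c = S.register(b"C", b"pw-of-C")
    card_e = S.register(b"E", b"pw-of-E")
    z1, n1 = honest_login(card_c, b"pw-of-C")
    z2, n2 = honest_login(card_c, b"wrong-pw")
    z3, n3 = insider_login(card_e, b"pw-of-E", card_c)
    return {"honest": S.verify(z1, b"C", n1),
            "wrong_pw": S.verify(z2, b"C", n2),
            "insider_as_C": S.verify(z3, b"C", n3)}
```

The decisive line is the recovery of $H(k)$: the card issued to E and E's own password are enough, so the server's check depends only on values every registered user holds.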
III. REVIEW AND ATTACK ON GORIPARTHI ET AL.'S PROTOCOL

In this section, we first review Goriparthi et al.'s scheme [27] and then demonstrate a DoS attack on the password change phase of the protocol, which makes the user's password unusable in subsequent authentications.

A. Review

In the password change phase of Goriparthi et al.'s protocol, when client C wants to change his password $PW$, he keys his $ID$ and $PW$ into his smart card. According to their protocol, the smart card only checks $ID$; there is no mechanism to verify the validity of $PW$. If the $ID$ matches the one stored in the smart card, the smart card asks C for a new password $PW^*$ and then computes $Reg^*_{ID} = Reg_{ID} - h(PW) + h(PW^*) = s \cdot h(ID) + h(PW^*)$, where $Reg_{ID} = s \cdot h(ID) + h(PW)$ is issued by the server and stored in C's smart card in the registration phase, $h(\cdot)$ is a map-to-point hash function, $h: \{0,1\}^* \to G_1$, and $G_1$ is a group on an elliptic curve. Finally, the smart card replaces $Reg_{ID}$ with $Reg^*_{ID}$.
B. Attack

In the protocol, assume that an attacker temporarily gets C's smart card. He arbitrarily selects two passwords $PW'$ and $PW''$ as the old and the new ones, respectively. The smart card will then compute $Reg'_{ID} = Reg_{ID} - h(PW') + h(PW'') = s \cdot h(ID) + h(PW) - h(PW') + h(PW'')$ and replace $Reg_{ID}$ with $Reg'_{ID}$. This means C's original password $PW$ can never be used in subsequent authentications, and thus causes denial of service.
 
IV. REVIEW AND ATTACK ON WANG ET AL.'S PROTOCOL
In this section, we first review Wang et al.'s protocol [31] and then show that the protocol has the same weakness as Goriparthi et al.'s work [27]: it suffers a DoS attack in the password change phase.

A. Review

In Wang et al.'s protocol, C inserts his smart card, keys in $PW$, and requests to change the password $PW$ to a new one $PW^*$. On receiving the request, the smart card computes $N_i^* = N_i \oplus H(PW) \oplus H(PW^*)$ and replaces $N_i$ with $N_i^*$, where $N_i = H(PW_i) \oplus H(x)$ is stored in C's smart card, $PW_i$ is chosen by the user when he registers himself with the remote server S, and $x$ is S's secret key.
B. Attack

Obviously, this protocol exhibits the same weakness as Goriparthi et al.'s work [27]. If an attacker temporarily gets C's smart card, he can use two arbitrary values $PW'$ and $PW''$ to ask the smart card to update its storage through the password change protocol. The smart card will compute $N_i' = N_i \oplus H(PW') \oplus H(PW'')$ and replace $N_i$ with $N_i'$. From then on, client C can never pass the subsequent authentications.
 
V. REVIEW AND ATTACK ON HOLBL ET AL.'S PROTOCOL
Holbl et al. [40] proposed two improvements of two-party key agreement and authentication protocols. In the following, we first briefly review their schemes and then present their weaknesses.

A. Review of Holbl et al.'s First Protocol

Holbl et al.'s first protocol consists of three phases: the system setup phase, the private key extraction phase, and the key agreement phase.

In the system setup phase, the KGC chooses a random number $x_s$ and keeps it secret. He computes $y_s = g^{x_s}$ as the public key.

In the private key extraction phase, for each user who has identity $ID_i$, the KGC selects a random number $k_i$ and calculates his private key $v_i = I_i k_i + x_s u_i \pmod{p-1}$ and corresponding public key $u_i = g^{k_i} \pmod p$, where $I_i = H(ID_i)$.

In the key agreement phase, user A chooses a random number $a$, computes $t_a = g^a$, and then sends $\{u_a, t_a, ID_a\}$ to user B. After receiving $\{u_a, t_a, ID_a\}$, B chooses a random number $b$, calculates $t_b = g^b$, and then sends $\{u_b, t_b, ID_b\}$ back to A. Finally, A and B can respectively compute their common session key,
$K_{AB} = (u_b^{I_b} \cdot y_s^{u_b} \cdot t_b)^{(v_a + a)} = g^{(v_b + b) \cdot (v_a + a)}$ and
$K_{BA} = (u_a^{I_a} \cdot y_s^{u_a} \cdot t_a)^{(v_b + b)} = g^{(v_a + a) \cdot (v_b + b)}$,
where $I_a = H(ID_a)$ and $I_b = H(ID_b)$.
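As an added example (not code from Holbl et al. or this paper), the following toy run of the first protocol in a small multiplicative group checks the identity $u_b^{I_b} \cdot y_s^{u_b} \cdot t_b = g^{v_b + b}$ on which both parties' session keys rest; the modulus, generator and hash are constructed for the example, and exponents are reduced mod $p-1$ as in the private key extraction phase.

```python
import hashlib
import secrets

# Toy run of Holbl et al.'s first protocol in the multiplicative group mod a small prime.
# p, g and H are constructed for this example.
P = 2**61 - 1        # constructed prime modulus
G = 3                # constructed generator
Q = P - 1            # exponents live in Z_{p-1}

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1

class KGC:
    def __init__(self):
        self.x_s = rand_exp()                          # KGC's secret x_s
        self.y_s = pow(G, self.x_s, P)                 # public key y_s = g^x_s

    def extract(self, id_: bytes) -> tuple:
        k = rand_exp()                                 # random k_i chosen by the KGC
        u = pow(G, k, P)                               # public key u_i = g^k_i mod p
        v = (H(id_) * k + self.x_s * u) % Q            # v_i = I_i k_i + x_s u_i mod (p-1)
        return u, v

def session_key(y_s: int, peer_u: int, peer_id: bytes, peer_t: int,
                my_v: int, my_r: int) -> int:
    # K_AB = (u_b^{I_b} . y_s^{u_b} . t_b)^{(v_a + a)} mod p, with I_b = H(ID_b)
    base = (pow(peer_u, H(peer_id), P) * pow(y_s, peer_u, P) * peer_t) % P
    return pow(base, (my_v + my_r) % Q, P)

def run() -> dict:
    kgc = KGC()
    u_a, v_a = kgc.extract(b"A")
    u_b, v_b = kgc.extract(b"B")
    a, b = rand_exp(), rand_exp()
    t_a, t_b = pow(G, a, P), pow(G, b, P)              # A sends {u_a, t_a, ID_a}; B sends {u_b, t_b, ID_b}
    k_ab = session_key(kgc.y_s, u_b, b"B", t_b, v_a, a)
    k_ba = session_key(kgc.y_s, u_a, b"A", t_a, v_b, b)
    expected = pow(G, ((v_a + a) * (v_b + b)) % Q, P)  # g^{(v_a + a)(v_b + b)}
    return {"k_ab": k_ab, "k_ba": k_ba, "expected": expected}
```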
B. Attack on Holbl et al.'s First Protocol

Assume that an insider C calculates $I_c = H(ID_c)$ and $q = \gcd(I_c, u_c)$, and computes $w = I_c / q$, $z = u_c / q$, and $j = v_c / q$, where $v_c$ is C's private key. Hence, $\gcd(w, z) = 1$. Then, he can use the extended Euclidean algorithm to find $\alpha$ and $\beta$ satisfying $\alpha \cdot w + \beta \cdot z = 1$. As a result, he can obtain both $x_s$ and $k_c$, since
$v_c = 1 \cdot j \cdot q = (\alpha \cdot w + \beta \cdot z) \cdot j \cdot q = (\alpha \cdot I_c / q + \beta \cdot u_c / q) \cdot j \cdot q = (\alpha \cdot I_c + \beta \cdot u_c) \cdot j = I_c \cdot (\alpha \cdot j) + (\beta \cdot j) \cdot u_c$
and $v_c = I_c \cdot k_c + x_s \cdot u_c$, where $x_s$ is the KGC's secret key and $k_c$ is the random number selected by the KGC satisfying $u_c = g^{k_c}$. More clearly, the value $x_s$ he obtains is equal to $\beta \cdot j$.

After obtaining $x_s$, C can deduce any user's private key in the same manner. As an example, in the following we demonstrate how C can deduce user i's private key $v_i$. C calculates $I_i = H(ID_i)$ and $q_i = \gcd(I_i, u_i)$, computes $w_i = I_i / q_i$ and $z_i = u_i / q_i$, and then uses the extended Euclidean algorithm to compute $\gamma$ and $\varepsilon$ satisfying $\gamma \cdot w_i + \varepsilon \cdot z_i = 1$. Finally, since
$v_i = 1 \cdot j_i \cdot q_i = (\gamma \cdot w_i + \varepsilon \cdot z_i) \cdot j_i \cdot q_i = (\gamma \cdot I_i / q_i + \varepsilon \cdot u_i / q_i) \cdot j_i \cdot q_i = (\gamma \cdot I_i + \varepsilon \cdot u_i) \cdot j_i = I_i \cdot (\gamma \cdot j_i) + (\varepsilon \cdot j_i) \cdot u_i$
and $v_i = I_i \cdot k_i + x_s \cdot u_i$, he can calculate $j_i = x_s / \varepsilon$ and thus obtains i's private key by computing $v_i = j_i \cdot q_i$. With the knowledge of i's private key, insider C can impersonate user i to communicate with any other legal user.
C. Review of Holbl et al.'s Second Protocol

Holbl et al.'s second protocol consists of three phases: the system setup phase, the private key extraction phase, and the key agreement phase. The system setup phase of this protocol is the same as the one in the first protocol.

In the private key extraction phase, for each user having identity $ID_i$, the KGC selects a random number $k_i$ and calculates i's private key $v_i = k_i + x_s \cdot H(ID_i, u_i)$ and public key $u_i = g^{k_i}$.

In the key agreement phase, user A chooses a random number $a$, computes $t_a = g^a$, and then sends $\{u_a, t_a, ID_a\}$ to user B. After receiving $\{u_a, t_a, ID_a\}$, B chooses a random number $b$, calculates $t_b = g^b$, and then sends $\{u_b, t_b, ID_b\}$ to A. Finally, A and B can compute their common session key,
$K_{AB} = (u_b \cdot y_s^{H(ID_b, u_b)} \cdot t_b)^{(v_a + a)} = g^{(v_b + b)(v_a + a)}$ and
$K_{BA} = (u_a \cdot y_s^{H(ID_a, u_a)} \cdot t_a)^{(v_b + b)} = g^{(v_a + a)(v_b + b)}$,
respectively.
D. Attack on Holbl et al.'s Second Protocol

Likewise, we can launch the same attack as on the first protocol on this scheme. Since $\gcd(1, H(ID_c, u_c)) = 1$, an insider C can use the extended Euclidean algorithm to find $\alpha$ and $\beta$ satisfying $\alpha \cdot 1 + \beta \cdot H(ID_c, u_c) = 1$. And since $v_c = k_c + x_s \cdot H(ID_c, u_c)$ and $1 = (k_c / v_c) \cdot 1 + (x_s / v_c) \cdot H(ID_c, u_c)$, he can obtain both $x_s$ and $k_c$ by letting $x_s = \beta \cdot v_c$ and $k_c = \alpha \cdot v_c$, where $v_c$ is C's private key, $x_s$ is the KGC's secret key and $k_c$ is a random number selected by the KGC satisfying $u_c = g^{k_c}$. Consequently, similar to the result shown in the attack on the first protocol, insider C can impersonate user i to communicate with any other legal user.
 
VI. CONCLUSION
In this paper we have investigated four authentication protocols. In Bindu et al.'s scheme [14], an insider can employ his own secret in the smart card issued by the server to successfully impersonate another user after obtaining the victim's smart card. In both Goriparthi et al.'s and Wang et al.'s schemes, the password change phases are easily subjected to a DoS attack, because there is no proper mechanism to verify the user's input password. Finally, in Holbl et al.'s scheme, any legal user can extract the KGC's private key.

REFERENCES
[1] B. T. Hsieh, H. M. Sun, T. Hwang, C. T. Lin, "An Improvement of Saeednia's Identity-based Key Exchange Protocol", Information Security Conference 2002, pp. 41-43, 2002.