A New Scheme for Remote User Authentication with Smart Cards

Jue-Sam Chou*, Chu-Hsing Lin** and Jia-Ie Shiue**
*Department of Computer Science and Information Engineering, Hung Kuang University, Taichung, 433 Taiwan, R.O.C.
**Department of Computer Science and Information Engineering, Tunghai University, Taichung, 407 Taiwan, R.O.C.

Abstract

In 2003, Wu and Chieu [1] proposed a user friendly remote authentication scheme with smart cards to improve the method in Sun’s [2]. Although the scheme does allow users to choose and change their passwords freely, there are still some weaknesses when we analyze it further. We find that an intruder can easily construct a valid login by using previously intercepted information to pass the server’s authentication. In this article, we propose a new scheme to solve the problem in their method.

Keywords: Smart card, Password, Friendly remote authentication.

1. Introduction

Password authentication is a scheme to verify the legality of a user to prevent any kind of possible malicious depredations. It provides basic security protection and has become popular because of its simplicity and convenience. Because of the smart card’s safety, convenience and portability, the password authentication scheme is usually combined with it. We list the merits of the password authentication scheme based on smart card as follows.

(1). Users can freely choose their preferred password.
(2). The remote server does not need tables for the verification of identities and passwords.
(3). It can withstand the guess attack, replay attack and forgery attack.

In 2000, Sun [2] proposed a password-based authentication scheme using smart cards. In that scheme, the users are not allowed to choose and change passwords freely. In 2003, Wu and Chieu [1] proposed a scheme which, as claimed, has the following two advantages over Sun’s [2]. Firstly, a variable-length password can be chosen and changed freely by the user. Secondly, it is secure. However, we find that there are still some weaknesses in their scheme. In this paper, we focus on the Wu-Chieu’s method and propose a new scheme to solve the problem.

We organize our article as below. Section 2 is the review of the Wu-Chieu’s scheme. In Section 3, we show the weakness of the Wu-Chieu’s scheme. In Section 4, we propose our scheme. After that, we analyze the security of our method in Section 5. Finally, a brief conclusion is given in Section 6.


2. Overview of the Wu-Chieu’s method

In this section, we review the user friendly remote authentication scheme proposed in [1]. We depict the scheme in Figure 1. There are three phases to perform the secure network access: the registration phase, the login phase and the authentication phase. The three phases are listed as follows.

A. Registration phase: In the registration phase, the user Ui and the remote server (RS) perform the following steps:

Step1. The user Ui submits his identifier IDi and chooses his password PWi for authentication in the RS through a secure channel.

Step2. The RS calculates $A_i = h(ID_i \oplus x)$, where x is a secret key maintained by the server and h is a collision resistant one-way hash function.

Step3. The RS calculates $B_i = g^{A_i \cdot h(PW_i)}$, where g is a public, primitive element in GF(n).

Step4. The RS personalizes the smart card with the secure information m1 = {IDi, Ai, Bi, h, n, g}.

B. Login phase: In the login phase, the user Ui inserts his smart card into a card reader, then inputs his PIN-Code, which lets the smart card authenticate the legal user and look up the user’s IDi with the corresponding PWi. The smart card will perform the following operations:

Step1. It calculates the following two integers, $B_i = g^{A_i \cdot h(PW_i)}$ and $C_1 = h(T \oplus B_i)$, where T is the current time of the input device.

Step2. It sends the message m2 = {IDi, Bi, C1, T} to the RS.

C. Authentication phase: In the third phase, assuming that the time the server receives the login request message from RS is T ′, the RS will perform the following steps.

Step1. It verifies the format of IDi. If the format is not correct, the RS rejects the login.

Step2. It verifies the validity of the time interval between T and T ′. If (T ′-T) > ∆T, then the RS rejects the login, where ∆T denotes the expected time interval for transmission delay.

Step3. It calculates $C_1^* = h(T \oplus B_i)$ and then compares C1 with C1*. If they are equal, it indicates that the password PWi* used for the login is equal to PWi. The RS will accept the login, otherwise it rejects.

Figure 1. Wu-Chieu's method [1]. (Diagram of the message flow between Ui and the RS. Registration Phase: Ui sends IDi, PWi; the RS computes $A_i = h(ID_i \oplus x)$, $B_i = g^{A_i \cdot h(PW_i)}$ and m1 = (IDi, Ai, Bi, h, n, g). Login Phase: the card computes $C_1 = h(T \oplus B_i)$ and m2 = (IDi, Bi, C1, T). Authentication Phase: the RS computes $C_1^* = h(T \oplus B_i)$ and verifies $C_1 = C_1^*$.)

3. Our attack


In the Wu-Chieu’s method, if an invader Eve wants to impersonate Ui to communicate with the RS, he will intercept the message m2 transmitted between Ui and the RS and replace it with his own forged message m′ as shown in Figure 2, where message m2 = {IDi, Bi, C1, T} and the forged message m′ = {IDi, Bi, Ce, Te}. Eve works as follows to obtain the message m′.

In forging a valid verification message m′, there are two situations: either (1) the user does not change his password or (2) the user changes his password. We state them both as follows:

(1). The user does not change his password.

In this situation, in order to forge a message m′ to login to the RS successfully, Eve calculates $C_e = h(T_e \oplus B_i)$, where Te is the current time of Eve’s input device. Then Eve can produce m′ = {IDi, Bi, Ce, Te} and replace m2 with m′. In this way, the message m′ is also a valid login message for the RS, where

$$C_e = h(T_e \oplus B_i) = h(T_e \oplus g^{h(ID_i, x) \cdot h(PW_i)}).$$

(2). The user changes his password.

In this situation, the invader Eve can forge a message m′ to login to the RS successfully as follows: Eve can intercept two messages m1 = {IDi, B1, C1, T1} and m2 = {IDi, B2, C2, T2} from different login phases, under the assumption that m1 is obtained before the user changes his password and m2 is obtained after the user’s password has changed.

Then Eve can forge m′, which is equal to {IDi, Be, Ce, Te}. The Be and Ce in m′ are calculated as below:

$$\begin{aligned}
B_e &= (B_1 \cdot B_2) \\
    &= (g^{h(ID_i, x) \cdot h(PW_1)} \cdot g^{h(ID_i, x) \cdot h(PW_2)}) \\
    &= (g^{h(ID_i, x)(h(PW_1) + h(PW_2))}) \\
    &= (g^{(h(PW_1) + h(PW_2))})^{h(ID_i, x)}
\end{aligned}$$

and $C_e = h(T_e \oplus B_e)$.

Eve will then send the message m′ = {IDi, Be, Ce, Te} to the RS. By logging in with the message m′, Eve can easily impersonate any user successfully.

Figure 2. Weaknesses in Wu-Chieu's method [1]. (Diagram of the message flow between Ui, Eve and the RS. The registration and login phases are as in Figure 1. In the authentication phase Eve intercepts m2, computes $C_e = h(T_e \oplus B_i)$ and replaces m2 with m′ = (IDi, Bi, Ce, Te); the RS computes $C_e^* = h(T_e \oplus B_i)$ and verifies $C_e = C_e^*$.)

4. Our scheme

In this section, we propose a scheme which not only solves the problems of the Wu-Chieu’s method but also improves Sun’s. Our scheme contains four phases. We describe it as follows. Note that all of the exponential operations are done with modulus n.

A. Set up phase:

In this phase, the RS performs the following steps.

Step1. Generate two large prime numbers p and q and calculate $n = p \cdot q$. p and q must both be large enough to resist known RSA attacks and be kept secret.

Step2. Choose a prime number e as his public key and calculate the corresponding d as his private key such that $e \cdot d \bmod \varphi(n) = 1$.

B. Registration Phase:

When a user Ui wants to register to the RS, the user Ui and the RS perform the following steps. (The procedure of the registration phase is shown in Figure 3.)

1. Ui → RS: {IDi, PWi}
2. RS → Ui: a smart card containing {n, e, Si, h}

Figure 3. Registration Phase in a secure channel.

Step1. Ui must first submit his/her identity IDi and PWi to the RS through a secure channel.

Step2. The RS signs the user’s secret information and obtains Si, where $S_i = (h(ID_i \oplus PW_i) \oplus h(d))^d$. The RS then issues a smart card containing message {n, e, Si, h} to the user.

C. Login Phase:

Figure 4 shows the login phase of our password authentication protocol. In this phase, the user and the RS have to exchange three messages in total. They perform the following steps:

1. Ui → RS: m1 (= {IDi})
2. RS → Ui: m2 (= {R, r})
3. Ui → RS: m3 (= {Xi, Si})

Figure 4. Login Phase.

Step1. The user inputs his identity information IDi to login to the RS.

Step2. After receiving the identity information from the user, the RS will generate a new random number r and sign it to get a value $R = r^d$, and then send message m2 = {R, r} back to the user.

Step3. After receiving the message m2 from the RS, the user checks the validity of the RS’s signature. If it is valid, he calculates the message m3 and sends it to the RS.

In order to obtain m3, the user first calculates Xi, $X_i = (h(ID_i \oplus PW_i))^R$, and then collects Xi and Si to form the message m3 = {Xi, Si}.

D. Authentication Phase:

In the authentication phase, after the RS receives the message m3 (= {Xi, Si}) from Ui, the RS will verify whether or not the message m3 is from a legal user. The verification protocol is as follows:

Step1. The RS checks the validity of the user identity information IDi. If it is incorrect, then the RS rejects the login.

Step2. After the user receives the message m2 from the RS, he checks the validity of the RS’s signature R. He calculates $(R)^e$ to see whether $(R)^e$ equals r. If so, the user accepts the message m2, else he rejects.

Step3. The RS calculates $S_i^* = ((S_i)^e \oplus h(d))^r$. If $S_i^*$ is equal to $(X_i)^e$, the RS accepts the login, else he rejects. The processes of computing $S_i^*$ and $(X_i)^e$ are as follows:

$$\begin{aligned}
S_i^* &= ((S_i)^e \oplus h(d))^r \\
      &= (((h(ID_i \oplus PW_i) \oplus h(d))^d)^e \oplus h(d))^r \\
      &= (h(ID_i \oplus PW_i))^r
\end{aligned}$$

and

$$\begin{aligned}
(X_i)^e &= ((h(ID_i \oplus PW_i))^R)^e \\
        &= ((h(ID_i \oplus PW_i))^{r^d})^e \\
        &= (h(ID_i \oplus PW_i))^r
\end{aligned}$$

If the user Ui wants to change his password, he can submit his new password PWi′ to the RS through a secure channel as in the Wu-Chieu’s method. The RS will compute the new $S_i' = (h(ID_i \oplus PW_i') \oplus h(d))^d$. Then the RS replaces Si with Si′ in the smart card memory for the user Ui.

5. Security analysis

In this section, we examine the security of our scheme as follows.

1. It is impossible for anyone to forge m2 (= {R, r}), because if Eve forges R, he will be detected in step 2 of the authentication phase.

2. When an invader Eve uses a replay attack on the message m3 in step 3 of the login phase, he will fail, since its component $X_i = (h(ID_i \oplus PW_i))^R$ is protected by the random number r (for $R = r^d$), which is different each time the protocol is executed. Furthermore, the value Xi is examined in the authentication phase.

3. No one can forge $X_i$ ($= (h(ID_i \oplus PW_i))^R$) and $S_i$ ($= (h(ID_i \oplus PW_i) \oplus h(d))^d$), due to the fact that the one-way hash function is computationally infeasible to invert and the factorization problem cannot be solved in polynomial time. That is, even if the smart card of Ui is obtained by an intruder, it is difficult for the intruder to derive $h(ID_i \oplus PW_i)$, for only the RS knows the factors of n (even the RS can hardly obtain the value $h(ID_i \oplus PW_i)$). And even if the attacker can obtain $h(ID_i \oplus PW_i)$, he cannot obtain the user’s password because of the one-way property of the hash function.

To sum up, we illustrate our scheme in Figure 5.

Figure 5. Our scheme. (Diagram of the message flow between Ui and the RS. Registration Phase: 1. Ui sends IDi, PWi; 2. the RS computes $S_i = (h(ID_i \oplus PW_i) \oplus h(d))^d$; 3. m1 = (IDi, Si, e, h, n). Login Phase: 1. Ui sends IDi; 2. the RS computes $R = r^d$; 3. the RS transmits m2 = (R, r); 4. Ui verifies $(R)^e = r$ and, if yes, 5. computes $X_i = h(ID_i \oplus PW_i)^R$; 6. transmits m3 = (Xi, Si). Authentication Phase: the RS verifies $(X_i)^e = ((S_i)^e \oplus h(d))^r = S_i^*$. Legend: $e \cdot d \bmod \varphi(n) = 1$, h is a one-way hash function, IDi is the user's identity, PWi is the user's password, r is a random number chosen by the RS, $R = r^d$.)
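The Section 3 weakness, as an added example that is not code from the paper or from [1]: the RS check reviewed in Section 2 is implemented literally and run against the two cases of Section 3. SHA-256 as h, the toy modulus, g = 3, the secret x, the ID format rule and all sample IDs, passwords and timestamps are assumptions constructed for illustration.

```python
import hashlib

# Constructed toy parameters (assumptions; the page fixes neither h, n nor g).
N = 2**127 - 1        # prime modulus standing in for the field GF(n)
G = 3                 # stands in for the public element g
X = 0x5EC2E7          # server secret x
DELTA_T = 5           # accepted transmission delay (Delta T), in seconds

def h(value: int) -> int:
    """One-way hash h, modelled here with SHA-256 over the integer's bytes."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def register(id_i: int, pw: int) -> int:
    """Registration steps 2-3: Ai = h(IDi xor x), Bi = g^(Ai * h(PWi))."""
    return pow(G, h(id_i ^ X) * h(pw), N)

def card_login(id_i: int, b_i: int, t: int) -> tuple:
    """Login steps 1-2 on the card: m2 = (IDi, Bi, C1, T)."""
    return (id_i, b_i, h(t ^ b_i), t)

def rs_authenticate(msg: tuple, t_recv: int) -> bool:
    """Authentication steps 1-3 as reviewed in Section 2."""
    id_i, b_i, c1, t = msg
    if id_i <= 0:                      # step 1: ID format (placeholder rule)
        return False
    if t_recv - t > DELTA_T:           # step 2: freshness window
        return False
    return c1 == h(t ^ b_i)            # step 3: x, Ai and PWi never enter

def audit() -> dict:
    """Run the Section 3 cases against rs_authenticate (sample values)."""
    uid, pw1, pw2 = 1001, 111111, 222222
    b1, b2 = register(uid, pw1), register(uid, pw2)
    m2 = card_login(uid, b1, t=1000)
    # Messages rebuilt from wire-visible values only, at a later time 5000.
    same_pw = (uid, b1, h(5000 ^ b1), 5000)
    b_e = (b1 * b2) % N
    changed_pw = (uid, b_e, h(5000 ^ b_e), 5000)
    return {
        "genuine": rs_authenticate(m2, 1002),
        "stale_replay": rs_authenticate(m2, 5001),
        "case1_rebuilt": rs_authenticate(same_pw, 5001),
        "case2_product": rs_authenticate(changed_pw, 5001),
    }
```

The timestamp window stops a verbatim replay, but the last two entries are accepted although neither x nor a password is used after registration, which is the weakness Section 3 describes.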

6. Conclusion

We have proposed a new method by using a smart card as before for a remote password authentication protocol. The security of our scheme is based on the factoring problem and the computationally infeasible property of one-way hash function. Besides, the nonce-based scheme is immune from the replay attack, guess attack and forgery attack. Moreover, it allows a user to freely change and choose his/her own password. Thus, our proposed remote password authentication protocol not only solves the problems in the Wu-Chieu’s but is also easy to implement for practical use in electronic commerce.

Acknowledgement: This research is partially supported by the National Science Council, TAIWAN, under grant NSC:-92-2622-E-029-006-CC3.

References

[1] Shyi-Tsong Wu and Bin-Chang Chieu, “A user friendly remote authentication scheme with smart cards,” Computers & Security 22 (6) 2003, pp. 547-550.

[2] Hung-Min Sun, “An efficient remote use authentication scheme using smart card,” IEEE Transactions on Consumer Electronics, Vol. 46, November, 2000, pp. 958-961.

[3] M. S. Hwang and L. H. Li, “A new remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, February, 2000, pp. 28-30.

[4] M. S. Hwang, “A remote password authentication scheme based on the digital signature method,” International Journal of Calculater Mathematics, Vol. 70, 1999, pp. 657-666.

[5] C. C. Chang and S. J. Hwang, “Using smart cards to authenticate remote passwords,” Computers and Mathematical Applications, Vol. 26, No. 7, 1993, pp. 19-27.

[6] Cheng-Chi Lee, Min-Shiang Hwang and Wei-Peng Yang, “A Flexible Remote User Authentication Scheme Using Smart Card,” ACM Operating Systems Review, Vol. 36, No. 3, 2002, pp. 46-52.
