1 Introduction

User authentication schemes are widely used to verify the legitimacy of users. Many password-based user authentication schemes have been proposed to verify the identity of remote users [1–16]. However, a password is easily exposed by a guessing attack. To enhance security, smart cards have been widely used in authentication schemes [18–30].

Recently, Chen et al. proposed a robust smart-card-based remote user password authentication scheme [5]. However, Li et al. pointed out some weaknesses in Chen et al.’s scheme (namely the lack of forward secrecy and the wrong-password login problem) and proposed an enhanced smart-card-based user authentication scheme [14]. Liu et al. then showed that Li et al.’s scheme cannot withstand man-in-the-middle and insider attacks [17], and proposed an efficient and secure user authentication scheme with a smart card that is more efficient and secure than other schemes. However, their scheme also has security issues: we will show that it is vulnerable to the replay attack.

The rest of this paper is organized as follows. In Sect. 2, we briefly review Liu et al.’s user authentication scheme. In Sect. 3, we analyze Liu et al.’s scheme and show some of its security weaknesses. Finally, we present our conclusions in Sect. 4.

2 Review of Liu-Chang-Chang Scheme

In this section, we briefly review Liu et al.’s smart-card-based user authentication scheme (the Liu-Chang-Chang scheme) [17]. The scheme has three participants: a user (U for short), a smart card (C for short), and a server (S for short). It is composed of four phases: registration, login, authentication, and password change. The notations used in this paper are listed in Table 1.

Table 1. The notations used in this paper

The Registration Phase: In this phase, the server S issues a smart card to a new user Ui. The smart card contains four parameters, {Bi, Ci, h(.), r}, where Bi = Ai ⊕ h(r || PWi), Ai = h(IDi ⊕ x) || h(x), and Ci = h(Ai || IDi || h(r || PWi)); h(.) denotes a collision-free one-way hash function, r denotes a random number, and IDi and PWi are the user’s identity and password, respectively. The registration phase is executed as follows.

The Login Phase: In this phase, a user Ui wants to log in to the server via the public Internet. The login phase is executed as follows.

(1) The user Ui sends the login request parameters IDi and PWi to the smart card.

(2) The smart card computes A’i and C’i as follows: A’i = Bi ⊕ h(r || PWi); C’i = h(A’i || IDi || h(r || PWi)). Next, the smart card checks whether C’i equals Ci. If so, the smart card continues with Step (3); otherwise, it terminates the login request.

(3) The smart card computes Di and Ei as follows: Di = h(IDi ⊕ α); Ei = A’i ⊕ α ⊕ Tc, where Tc denotes the current timestamp of the smart card and α denotes a random number.

(4) The smart card sends IDi, Di, Ei and Tc to the server S.

The Authentication Phase: Upon receiving the message {IDi, Di, Ei, Tc} from user Ui, the server S executes the authentication phase as follows.

(1) The server checks the format of IDi and whether the timestamp Tc is within the valid time window. If either condition does not hold, the server S rejects the login request.

(2) The server computes Ai, α’, and D’i as in Fig. 1. Next, the server checks whether D’i equals Di. If not, the server S rejects the login request.

(3) The server randomly selects β and computes Fi and Gi as in Fig. 1. Next, the server S sends {Fi, Gi, Ts} to user Ui via the public channel.

(4) The user Ui checks whether the timestamp Ts is within the valid time window. If not, the user terminates the session.

(5) The user computes β’ and F’i. Next, the user checks whether F’i equals Fi. If so, the user Ui confirms that the server S is legitimate.

(6) The server S and the user Ui compute the session key sk = h(α || β || h(Ai ⊕ IDi)).

Fig. 1. The authentication phase of Liu-Chang-Chang’s scheme

3 Cryptanalysis of Liu-Chang-Chang Scheme

In this section, we demonstrate that the user authentication scheme proposed by Liu-Chang-Chang [17] cannot resist the replay attack when the hacker intercepts {IDi, Di, Ei, Ti} between the smart card and the server S, or {Fi, Gi, Ts} between the user Ui and the server S. The first replay attack proceeds as follows.

Step 1. When the smart card sends the message {IDi, Di, Ei, Ti} to the server S in the login phase, the hacker intercepts it on the public channel between the smart card and the server S.

Step 2. The hacker computes a new E’i as follows:

$$ \begin{aligned} E'_i &= E_i \oplus T_i \oplus T_h \\ &= (A'_i \oplus \alpha \oplus T_i) \oplus T_i \oplus T_h \\ &= A'_i \oplus \alpha \oplus T_h \end{aligned} $$

Here, Th denotes the timestamp of the hacker’s device. Next, the hacker sends the forged message {IDi, Di, E’i, Th} to the server S in place of the intercepted {IDi, Di, Ei, Ti}.

Step 3. The server S will successfully verify the conditions in Steps (1) and (2) of the authentication phase: Th is fresh, and the server recovers the same α from E’i and Th as it would have from Ei and Ti, so D’i still equals Di. Thus, the server is deceived by the hacker (Fig. 2).

Fig. 2. The replay attack when the hacker intercepts {IDi, Di, Ei, Ti}

The second replay attack is similar to the first and proceeds as follows.

Step 1. When the server S sends the message {Fi, Gi, Ts} to the user Ui in the authentication phase, the hacker intercepts it on the public channel between the server S and the user Ui.

Step 2. The hacker computes a new G’i as follows:

$$ \begin{aligned} G'_i &= G_i \oplus T_s \oplus T_h \\ &= (A_i \oplus \beta \oplus T_s) \oplus T_s \oplus T_h \\ &= A_i \oplus \beta \oplus T_h \end{aligned} $$

The hacker then sends the forged message {Fi, G’i, Th} to the user Ui in place of the intercepted {Fi, Gi, Ts}.

Step 3. The user Ui will successfully verify the conditions in Steps (4) and (5) of the authentication phase. Thus, the user Ui is deceived by the hacker.
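To make the weakness behind both attacks concrete, the following Python model of the login message and the server’s checks is added here; it is our own illustration, not code from the paper or from Liu et al. It assumes h(.) is SHA-256, a 32-byte α, 8-byte big-endian timestamps, zero-padded XOR of unequal-length operands, and that the server recovers α’ as Ei ⊕ Ai ⊕ Tc (the natural reading of Fig. 1); the `bind_ts` variant is our own hardening, binding the timestamp inside Di instead of XOR-masking it into Ei, and it rejects the re-stamped message, whereas the paper’s construction accepts it. The same structural point applies to Gi in the second attack.

```python
import functools
import hashlib
import secrets
ALPHA_LEN = 32  # byte length of the nonce α (assumption; the paper fixes no sizes)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # the scheme's one-way hash h(.), as SHA-256

def xor(*parts: bytes) -> bytes:
    """Bytewise XOR; shorter operands are zero-padded on the right (assumption)."""
    padded = [p.ljust(max(map(len, parts)), b"\0") for p in parts]
    return bytes(functools.reduce(lambda a, b: a ^ b, col) for col in zip(*padded))

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")  # timestamp as 8 big-endian bytes (assumption)

def compute_ai(idi: bytes, x: bytes) -> bytes:
    return h(xor(idi, x)) + h(x)  # Ai = h(IDi ⊕ x) || h(x), registration phase

def login(idi: bytes, ai: bytes, alpha: bytes, tc: int, bind_ts: bool = False) -> tuple:
    """Login step (3): Di = h(IDi ⊕ α), Ei = Ai ⊕ α ⊕ Tc. With bind_ts (our hardening, not
    the paper's) Tc is bound inside Di = h(IDi || α || Tc) and Ei = Ai ⊕ α."""
    if bind_ts:
        return idi, h(idi + alpha + ts(tc)), xor(ai, alpha), tc
    return idi, h(xor(idi, alpha)), xor(ai, alpha, ts(tc)), tc

def server_accepts(msg: tuple, x: bytes, now: int, bind_ts: bool = False, window: int = 60) -> bool:
    """Authentication steps (1)-(2): freshness window, then recover α' and compare D'i with Di."""
    idi, di, ei, tc = msg
    if abs(now - tc) > window:
        return False
    ai = compute_ai(idi, x)
    if bind_ts:
        return h(idi + xor(ei, ai)[:ALPHA_LEN] + ts(tc)) == di
    return h(xor(idi, xor(ei, ai, ts(tc))[:ALPHA_LEN])) == di  # α' = Ei ⊕ Ai ⊕ Tc

def restamp(msg: tuple, th: int) -> tuple:
    """Section 3, step 2: E'i = Ei ⊕ Ti ⊕ Th; the stamp is swapped without any secret."""
    idi, di, ei, tc = msg
    return idi, di, xor(ei, ts(tc), ts(th)), th

def demo() -> tuple:
    # constructed sample: a random server secret x, user "alice", a fresh nonce α
    x, idi, alpha = secrets.token_bytes(32), b"alice", secrets.token_bytes(ALPHA_LEN)
    ai, t0 = compute_ai(idi, x), 1_700_000_000
    late = t0 + 3600  # an hour later: original Tc is stale, the re-stamped copy looks fresh
    plain, bound = login(idi, ai, alpha, t0), login(idi, ai, alpha, t0, bind_ts=True)
    return (server_accepts(plain, x, now=t0),                              # genuine login
            server_accepts(restamp(plain, late), x, now=late),             # paper's attack
            server_accepts(restamp(bound, late), x, now=late, bind_ts=True))  # hardened
```

`demo()` returns `(True, True, False)`: the genuine message passes, the re-stamped replay also passes against the original checks, and only the variant that binds Tc under the hash rejects it.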

4 Conclusion

We have demonstrated that the user authentication scheme proposed by Liu-Chang-Chang [17] has a weakness: it cannot resist the replay attack when the hacker intercepts {IDi, Di, Ei, Ti} between the smart card and the server S or {Fi, Gi, Ts} between the user Ui and the server S.