Abstract
Password-based authentication schemes have been widely adopted to protect resources from unauthorized access. In 2008, Liu et al. proposed a new mutual authentication scheme using smart cards which can withstand the forgery attack. In this paper, we analyze the security of Liu et al.’s scheme and show that it is still vulnerable to various attacks. We also propose an enhanced scheme that overcomes these security weaknesses and provides mutual authentication between the user and the server, even if the secret information stored in the smart card is revealed by an attacker. As a result of the security analysis, the enhanced scheme is more secure than Liu et al.’s scheme.
1 Introduction
With the rapid development of network technology, user authentication using smart cards has become one of the important security issues. Because of careless password management and sophisticated attack techniques, remote user authentication schemes have been seriously exposed to attackers. Several enhanced authentication schemes using smart cards have been proposed [1–10].
Yang et al. [1], in 1999, proposed a timestamp-based password authentication scheme using smart card which does not need to store the passwords or verification tables for user’s authentication. In 2003, Shen et al. [2] pointed out that Yang et al.’s scheme does not resist the forgery attack, and proposed an improved scheme providing mutual authentication. But, in 2005, Yoon et al. [6] pointed out that the improved Shen et al.’s scheme was vulnerable to the forgery attack. In 2008, Liu et al. [10] also pointed out that Shen et al.’s scheme allowed an attacker to perform the forgery attack, and proposed a new nonce-based mutual authentication scheme which can withstand the forgery attack.
In this paper, we analyze the security of Liu et al.’s scheme and show that it is still vulnerable to the forgery attack, the password guessing attack and the insider attack. To analyze the security of Liu et al.’s scheme, we assume that an attacker can extract the values stored in the smart card by monitoring the power consumption or analyzing the leaked information [11–13], and can intercept messages exchanged between the user and the server. We also propose an enhanced scheme that overcomes these security weaknesses, even if the secret information stored in the smart card is revealed.
This paper is organized as follows. In Sect. 2, we briefly review Liu et al.’s scheme. In Sect. 3, we describe the attacks against Liu et al.’s scheme. The enhanced mutual authentication scheme is presented in Sect. 4, and its security analysis is given in Sect. 5. Finally, conclusions are made in Sect. 6.
2 Reviews of Liu et al.’s Scheme
Liu et al. proposed a nonce-based mutual authentication scheme using smart cards, in 2008. This scheme is composed of four phases: initialization, registration, login and authentication phase. The notations used in this paper are as shown in Table 1.
2.1 Initialization Phase
The KIC, which is responsible for generating parameters and providing a smart card to a new user, performs the following steps.
I1. The KIC generates two large primes p and q, and computes n = p · q.
I2. The KIC chooses a prime e and an integer d such that e · d = 1 mod (p − 1)(q − 1), where e is the system’s public key and d is the system’s private key. The cryptographic parameters should be provided to the server through a secure channel.
I3. The KIC finds an integer g which is a primitive element in both GF(p) and GF(q) and which is public information in the system.
2.2 Registration Phase
A new user Ui submits his identifier IDi and password PWi to the KIC through a secure channel. Then, the KIC performs the following steps.
R1. The KIC computes the user’s secret information $S_i = ID_i^{d} \bmod n$.
R2. The KIC computes $CID_i = h(ID_i \oplus d)$ and $h_i = g^{PW_i \cdot d} \bmod n$.
R3. The KIC issues the smart card to the user through a secure channel, where the smart card contains the secret values n, e, g, IDi, CIDi, Si and hi.
2.3 Login Phase
The user Ui inserts his smart card into a card reader and keys in his IDi and PWi when he wants to login to the remote server S. Then, the smart card performs the following steps.
L1. The smart card computes SIDi = h(CIDi), and sends a message M1 = {IDi, SIDi} to the remote server.
L2. Upon receiving the message M1, the remote server computes CIDi = h(IDi ⊕ d). If the computed value h(CIDi) equals SIDi, the login request is accepted.
L3. The remote server generates a random session nonce Ns as a challenge to the user and computes Sn = Ns ⊕ CIDi. Then the remote server sends it back to the smart card.
L4. Upon receiving Sn, the smart card gets the session nonce Ns by computing (Sn ⊕ CIDi) and generates a random number rc as a challenge to the server.
L5. The smart card computes the message M2 = {Xi, Yi}, where $X_i = g^{r_c \cdot PW_i} \bmod n$ and $Y_i = S_i \cdot h_i^{r_c \cdot N_s} \bmod n$, and then sends it to the remote server S.
2.4 Authentication Phase
After receiving the message M2, the remote server S performs the following steps.
A1. The remote server checks whether $Y_i^{e} = ID_i \cdot X_i^{N_s} \bmod n$ or not. If it holds, the smart card is authenticated to the remote server.
A2. To perform mutual authentication, the remote server computes $M_3 = (h(CID_i, X_i))^{d} \bmod n$ and sends M3 to the smart card.
A3. Upon receiving the message M3, the smart card checks whether $M_3^{e} = h(CID_i, X_i) \bmod n$ or not. If it holds, the remote server is authenticated to the smart card.
3 Attacks Against Liu et al.’s Scheme
To analyze the security of Liu et al.’s scheme, we assume that an attacker can extract the secret values (CIDi, Si, hi) stored in the legal smart card by monitoring the power consumption or analyzing the leaked information [11–13].
3.1 User Impersonation Attack
With the extracted secret values, an attacker can perform the user impersonation attack in the following steps. The procedure of the user impersonation attack is illustrated in Fig. 1.
UA1. An attacker computes SIDia = h(CIDi) and sends the forged message M1a = {IDi, SIDia} to the remote server S.
UA2. Upon receiving the message M1a, the remote server computes CIDi = h(IDi ⊕ d). If the computed value h(CIDi) equals SIDia, the remote server accepts the login request. Then, the remote server computes Sn = Ns ⊕ CIDi and sends it back to the attacker, where Ns is a random session nonce.
UA3. Upon receiving Sn, the attacker computes the following forged login request message M2a = {Xia, Yia} without the legal user’s password and sends it to the remote server, where ra is a random number generated by the attacker.
$$ \begin{array}{*{20}l} {{\text{N}}_{\text{s}} = {\text{S}}_{\text{n}} \oplus {\text{CID}}_{\text{i}} } \hfill \\ {{\text{g}}^{\text{PWi}} = ({\text{h}}_{\text{i}} )^{\text{e}} \,\bmod {\text{n}}} \hfill \\ {{\text{X}}_{\text{ia}} = \left( {{\text{h}}_{\text{i}}^{\text{e}} } \right)^{\text{ra}} \,\bmod {\text{n}}} \hfill \\ {{\text{Y}}_{\text{ia}} = {\text{S}}_{\text{i}} \cdot {\text{h}}_{\text{i}}^{{{\text{ra}} \cdot {\text{Ns}}}} \,\bmod {\text{n}}} \hfill \\ \end{array} $$
UA4. Upon receiving the message M2a, the attacker is authenticated as the legal user by the remote server if the equation $(Y_{ia})^{e} = ID_i \cdot (X_{ia})^{N_s} \bmod n$ holds.
3.2 Password Guessing Attack
Generally, most users tend to select a password that is easy to remember. Hence, these passwords are potentially vulnerable to a password guessing attack.
With the extracted secret values, an attacker can perform the password guessing attack in the following steps.
PA1. The attacker computes $g^{PW_i^*} \bmod n = (h_i)^{e}$ from the registration phase as the following equation, where $PW_i^*$ is a guessed password.
PA2. The attacker verifies the correctness of the guessed password $PW_i^*$.
PA3. The attacker repeats the above steps, replacing the guessed password $PW_i^*$, until the correct password PWi is found.
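The algebra of Sects. 3.1 and 3.2 can be checked on a toy instance of Liu et al.’s scheme. The Python below is an added example, not code from the paper; the small primes, the SHA-256 stand-in for h, the integer encoding of IDi and PWi, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P, Q = 1019, 1187                 # safe primes; 2 is a primitive root of both
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537                         # system public key e
D = pow(E, -1, PHI)               # system private key d (Python 3.8+)
G = 2

def h(x):
    """Assumed hash: SHA-256 of the decimal string, read as an integer."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")

def register(id_i, pw_i):
    """R1-R3: the values the KIC writes to the smart card."""
    return {"ID": id_i, "CID": h(id_i ^ D),
            "S": pow(id_i, D, N), "h": pow(G, pw_i * D, N)}

def honest_m2(card, pw_i, s_n, r_c):
    """L4-L5: the card's M2, built with the password the user typed."""
    n_s = s_n ^ card["CID"]
    x = pow(G, r_c * pw_i, N)
    y = card["S"] * pow(card["h"], r_c * n_s, N) % N
    return x, y

def passwordless_m2(card, s_n, r_a):
    """UA3: the same M2 from (CID, S, h) and the public e alone."""
    n_s = s_n ^ card["CID"]
    x = pow(pow(card["h"], E, N), r_a, N)      # (h^e)^ra = g^(PW*ra)
    y = card["S"] * pow(card["h"], r_a * n_s, N) % N
    return x, y

def server_accepts(id_i, n_s, m2):
    """A1: accept when Y^e == ID * X^Ns (mod n)."""
    x, y = m2
    return pow(y, E, N) == id_i * pow(x, n_s, N) % N

def guess_is_correct(card, guess):
    """PA1-PA2: offline test g^PW* == h^e (mod n), no server involved."""
    return pow(G, guess, N) == pow(card["h"], E, N)

if __name__ == "__main__":
    card = register(424242, 271828)            # constructed ID and password
    n_s = secrets.randbits(64)                 # server nonce
    s_n, r = n_s ^ card["CID"], secrets.randbelow(PHI - 2) + 2
    print(server_accepts(424242, n_s, honest_m2(card, 271828, s_n, r)))
    print(server_accepts(424242, n_s, passwordless_m2(card, s_n, r)))
    print(guess_is_correct(card, 271828), guess_is_correct(card, 123456))
```

Because hi raised to the public e equals g^PWi, the card contents already carry everything the server’s check A1 tests, which is why the password adds nothing once the card values are known.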
3.3 Insider Attack
The user who wants to be authenticated by the remote server has to submit his password to the KIC in the registration phase. If the user’s password PWi is revealed to the server, an insider of the server may directly obtain the user’s password PWi. With the obtained password, the attacker as an insider can impersonate the legal user to access the user’s other accounts on other servers if the user uses the same password for those accounts.
4 The Enhanced Mutual Authentication Scheme
In this section, we propose an enhanced authentication scheme which not only provides mutual authentication between the user and the server, but also withstands the various attacks. The enhanced scheme is divided into four phases: initialization phase, registration phase, login phase and authentication phase. The initialization phase is omitted here, as it is described in Sect. 2.1. The login and authentication phases are illustrated in Fig. 2.
4.1 Registration Phase
This phase works whenever the user Ui initially registers to the KIC. A user submits his identifier IDi and password information h(b ⊕ PWi) to the KIC through a secure channel, where a random number b is chosen by the user. The KIC performs the following steps.
R1. The KIC computes the smart card’s identifier CIDi and the secret values k, hi.
$$ \begin{array}{*{20}l} {{\text{CID}}_{\text{i}} = {\text{h}}({\text{ID}}_{\text{i}} \oplus {\text{d}})} \hfill \\ {{\text{k}} = {\text{ CID}}_{\text{i}} \oplus {\text{h}}({\text{b}} \oplus {\text{PW}}_{\text{i}} )} \hfill \\ {{\text{h}}_{\text{i}} = {\text{g}}^{{{\text{h}}({\text{b}} \oplus {\text{PWi}})\cdot{\text{CIDi}}\cdot{\text{e}}}} \,\bmod \,{\text{n}}} \hfill \\ \end{array} $$
R2. The KIC issues the smart card to the user through a secure channel, where the smart card contains the secret values n, e, g, k and hi.
R3. The user Ui stores b into his new smart card so that the user does not need to remember b.
4.2 Login Phase
This phase works whenever the user Ui wants to log in to the remote server S. The user Ui inserts his smart card into a card reader and inputs his identifier IDi and password PWi. The smart card performs the following steps.
L1. The smart card computes CIDi = k ⊕ h(b ⊕ PWi) and SIDi = h(CIDi). Then the smart card sends a message M1 = {IDi, SIDi} to the remote server.
L2. Upon receiving the message M1, the remote server computes $CID_i^* = h(ID_i \oplus d)$ and $SID_i^* = h(CID_i^*)$. If $SID_i^*$ equals SIDi, the login request is accepted.
L3. The remote server computes $S_i = (CID_i^* \oplus d)^{e} \bmod n$ as a challenge to the user and $S_n = S_i \oplus SID_i^*$. Then the remote server sends {Sn} back to the smart card.
L4. Upon receiving {Sn}, the smart card computes the message M2 = {Xi, Yi} and sends it to the remote server.
$$ \begin{array}{*{20}l} {{\text{S}}_{\text{i}}^{*} = {\text{S}}_{\text{n}} \oplus {\text{SID}}_{\text{i}} } \hfill \\ {{\text{X}}_{\text{i}} = {\text{g}}^{{{\text{h}}({\text{b}} \oplus {\text{PWi}})\cdot{\text{CIDi}}}} \,\bmod \,{\text{n}}} \hfill \\ {{\text{Y}}_{\text{i}} = {\text{S}}_{\text{i}}^{*} \cdot {\text{h}}_{\text{i}}^{{{\text{Si}}*}} \,\bmod \,{\text{n}}} \hfill \\ \end{array} $$
4.3 Authentication Phase
This phase works whenever the remote server S receives the user Ui’s login request. After receiving the message M2, the remote server performs the following steps.
A1. The remote server checks whether $(Y_i)^{d} = (CID_i^* \oplus d) \cdot X_i^{S_i} \bmod n$ or not. If it holds, the smart card is authenticated to the remote server.
A2. To perform mutual authentication, the remote server computes $M_3 = (CID_i^* \oplus X_i^{S_i})^{d} \bmod n$ and sends M3 to the smart card.
A3. Upon receiving the message M3, the smart card checks whether $(M_3)^{e} = (CID_i^* \oplus X_i^{S_i^*}) \bmod n$ or not. If it holds, the remote server is authenticated to the smart card.
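The message flow of Sects. 4.1 to 4.3 can be traced end to end on a toy instance. The Python below is an added example, not code from the paper; the small primes, the SHA-256 stand-in for h, the integer encoding of IDi, PWi and b, and all function names are assumptions.

```python
import hashlib

# Constructed toy parameters (an assumption; far too small for real use).
P, Q, E, G = 1019, 1187, 65537, 2       # g = 2 is primitive mod p and mod q
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # server private key d

def h(x):
    """Assumed hash: SHA-256 of the decimal string, read as an integer."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")

def kic_register(id_i, pw_info):
    """R1-R2: the KIC sees only h(b xor PW) and returns k and h_i."""
    cid = h(id_i ^ D)
    return {"k": cid ^ pw_info, "h": pow(G, pw_info * cid * E, N)}

def server_challenge(id_i, sid):
    """L2-L3: check SID, then return (CID*, S_i, S_n), or None on reject."""
    cid_star = h(id_i ^ D)
    if h(cid_star) != sid:
        return None
    s_i = pow(cid_star ^ D, E, N)
    return cid_star, s_i, s_i ^ sid

def server_verify(cid_star, s_i, x, y):
    """A1-A2: check Y^d == (CID* xor d) * X^Si, then return M3 or None."""
    if pow(y, D, N) != (cid_star ^ D) * pow(x, s_i, N) % N:
        return None
    return pow(cid_star ^ pow(x, s_i, N), D, N)

def login(card, b, id_i, pw_i):
    """Run L1-A3; return (server accepted card, card accepted server)."""
    pw_info = h(b ^ pw_i)
    cid = card["k"] ^ pw_info                        # L1
    sid = h(cid)
    reply = server_challenge(id_i, sid)
    if reply is None:
        return False, False
    cid_star, s_i, s_n = reply
    s_star = s_n ^ sid                               # L4
    x = pow(G, pw_info * cid, N)
    y = s_star * pow(card["h"], s_star, N) % N
    m3 = server_verify(cid_star, s_i, x, y)
    if m3 is None:
        return False, False
    card_ok = pow(m3, E, N) == (cid ^ pow(x, s_star, N)) % N   # A3
    return True, card_ok

if __name__ == "__main__":
    b, pw = 0x5EED1234, 271828           # constructed card nonce and password
    card = kic_register(424242, h(b ^ pw))
    print(login(card, b, 424242, pw))      # correct password
    print(login(card, b, 424242, 111111))  # wrong password
```

With a wrong password the card derives a different CIDi, so the server already rejects the login request at step L2.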
5 Security Analysis of the Enhanced Mutual Authentication Scheme
In this section, we present the security analysis of the enhanced mutual authentication scheme, based on the difficulty of factoring a large number and the discrete logarithm problem.
5.1 Security Analysis
To analyze the security of the enhanced scheme, we assume that an attacker can extract the values (k, hi) stored in the smart card by monitoring the power consumption or analyzing the leaked information [11–13], and can intercept the messages (M1, M2, Sn) exchanged between the user and the remote server.
User impersonation attack: To impersonate the legal user, an attacker attempts to make a forged login request message which can be authenticated by the server. However, the attacker cannot make the forged login request message even if the attacker can extract the secret values (k, hi) stored in the user’s smart card and intercept the messages (M1, M2, Sn) exchanged between the user and the server, because the attacker cannot compute the forged messages (M1a, M2a) to send to the server without knowing the secret key d kept by the server.
Password Guessing Attack: With the secret values (k, hi) illegally extracted from the user’s smart card, the attacker attempts to guess the user’s password PWi by repeatedly computing k = CIDi ⊕ h(b ⊕ PWi) from the registration phase. However, the attacker cannot guess the user’s password PWi, because the attacker does not know the secret key d kept by the server.
Insider Attack: If the user’s password PWi is revealed to the server in the registration phase, an insider of the server may directly obtain the user’s password and try to access the user’s accounts on other servers using the same password. In the enhanced scheme, the attacker as an insider cannot obtain the user’s password PWi directly, because the user submits the password information h(b ⊕ PWi) instead of the password PWi to the server.
Mutual Authentication: To provide mutual authentication, the user and the server have to authenticate each other. In the enhanced scheme, the user can make the login request message (M1, M2) sent to the server and the reply message (M3) sent to the user. But the attacker cannot make the forged login request message (M1a, M2a) and the forged reply message (M3a) without knowing the secret key d kept by the server, even if the attacker can extract the secret values (k, hi) stored in the user’s smart card.
5.2 Security Comparison of the Enhanced Scheme and Liu et al.’s Scheme
In this section, the security analyses of Liu et al.’s scheme and the enhanced scheme are summarized in Table 2. As a result of the comparison, the enhanced scheme is relatively more secure than Liu et al.’s scheme. In addition, the enhanced scheme provides secure mutual authentication between the user and the server.
6 Conclusions
In this paper, we discussed the security of Liu et al.’s scheme. Although Liu et al.’s scheme is more secure than Shen et al.’s scheme, we showed that it is still vulnerable to the user impersonation attack, the password guessing attack and the insider attack. We also proposed an enhanced scheme that overcomes these security weaknesses and provides mutual authentication between the user and the server while preserving all their merits, even if the secret information stored in the smart card is revealed. As a result of the security analysis, the enhanced scheme is relatively more secure than Liu et al.’s scheme.
References
1. Yang, W.H., Shieh, S.P.: Password authentication with smart cards. Comput. Secur. 18(8), 727–733 (1999)
2. Shen, J.J., Lin, C.W., Hwang, M.S.: Security enhancement for the timestamp-based password authentication scheme using smart cards. Comput. Secur. 22(7), 591–595 (2003)
3. Wu, S.T., Chieu, B.C.: A user friendly remote authentication scheme with smart cards. Comput. Secur. 22(6), 457–550 (2003)
4. Das, M.L., Sxena, A., Gulathi, V.P.: A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. 50(2), 629–631 (2004)
5. Chien, H.Y., Chen, C.H.: A remote password authentication preserving user anonymity. In: Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA ’05) (2005)
6. Yoon, E.J., Ryu, E.K., Yoo, K.Y.: Attack on the Shen et al.’s timestamp-based password authentication scheme using smart cards. IEICE Trans. Fundam. E88-A(1), 319–321 (2005)
7. Lin, C.W., Tsai, C.S., Hwang, M.S.: A new strong-password authentication scheme using one-way hash functions. J. Comput. Syst. Sci. Int. 45(4), 623–626 (2006)
8. Bindu, C.S., Reddy, P.C.S., Satyanarayana, B.: Improved remote user authentication scheme preserving user anonymity. Int. J. Comput. Sci. Netw. Secur. 8(3), 62–66 (2008)
9. Chang, C.C., Lee, C.Y.: A friendly password mutual authentication scheme for remote login network systems. Int. J. Multimedia Ubiquit. Eng. 3(1), 59–63 (2008)
10. Liu, J.Y., Zhou, A.M., Gao, M.X.: A new mutual authentication scheme based on nonce and smart cards. Comput. Commun. 31, 2205–2209 (2008)
11. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology, pp. 388–397 (1999)
12. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)
13. Brier, E., Clavier, C., Oliver, F.: Correlation power analysis with a leakage model. Lect. Notes Comput. Sci. 3156, 135–152 (2004)
© 2013 Springer Science+Business Media Dordrecht
An, Y., Joo, Y. (2013). Security Enhancements of a Mutual Authentication Scheme Using Smart Cards. In: Han, YH., Park, DS., Jia, W., Yeo, SS. (eds) Ubiquitous Information Technologies and Applications. Lecture Notes in Electrical Engineering, vol 214. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-5857-5_77
DOI: https://doi.org/10.1007/978-94-007-5857-5_77
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-5856-8
Online ISBN: 978-94-007-5857-5