Journal of Global Research in Computer Sciences
MenuISSN: 2229-371X
ISSN: 2229-371X
Chandra Sekhar Vorugunti*1, Mrudula Sarvabhatla2
|
| Corresponding Author: Chandra Sekhar Vorugunti, E-mail: vorugunti_chandra_sekhar@daiict.ac.in |
| Related article at Pubmed, Scholar Google |
Visit for more related articles at Journal of Global Research in Computer Sciences
To ensure secure transmission of data and to authenticate remote user while accessing server resources, smart card based remote user authentication schemes have been widely adopted. In 2004, Das et al proposed first of its kind of protocol for remote user authentication with smart cards using Dynamic Id to protect user anonymity. In 2005, Chien et al pointed out that Das et al scheme failed to preserve user anonymity and the scheme is equivalent to open access without any password and proposed a new scheme to remedy of Das et al. In 2008 Bindu et al pointed out that Chien et al scheme is insecure against Insider attack and Man in the Middle attack and proposed a new scheme to remedy of Chien et al. In this paper we will show that Bindu et al scheme cannot preserve user anonymity under their assumption. In addition their scheme is vulnerable to user-impersonation attack, server-masquerading attack, Man in the Middle attack, stolen smart card attack, password guessing attack, replay attack, fails to achieve mutual authentication and perfect forward secrecy (PFS). We then present our improved scheme to overcome the vulnerabilities stated in Bindu et al?s scheme while preserving all the merits of their scheme.
Keywords |
| Smart card, Authentication , Authentication protocols, Remote Server Access |
INTRODUCTION |
| Remote user authentication is a mechanism in which a remote user is validated to access remote server resources or services over an insecure communication channel. Smart card based password authentication scheme is one of the most widely used technique for various kinds of authentication applications such as online banking, online shopping etc. password authentication with smart cards is an efficient two-factor authentication mechanism. Due to their various advantages like flexibility, low computational cost, smart cards are widely deployed in various E-Commerce applications to validate the legitimacy of a user. Due to their wide spread usage various researchers proposed user authentication schemes using smart cards. |
| Most of the proposed schemes many of them [1,6,9,16,20] assume that the smart card is tamper resistant i.e. (not possible to extract the protected software and data from smartcard processors). Some schemes [2,5,17,18] shown that the secret data stored in the smart card can be extracted by some means such as Micro probing, Software attacks, Eaves dropping, Fault generation and monitoring the power consumption etc. The above mentioned attacks clears that the adversary can tamper and extract the data from the tamper-resistant smart cards and can perform various vulnerability attacks such as user-impersonation attack, server masquerading attack Man in the Middle attack etc. In addition most of the schemes proposed [6, 7, 8, 12, 14, 20] do not preserve user anonymity i.e., preserving user identity, which is critical source of information. An adversary can perform various attacks like [3, 19] traffic analysis attack, java script attack, cookie stealing attack etc. to intercept user id. Along with other intermediate transmitted messages an adversary can create a legal forged login messages. Once an adversary intercepts user identity, he can track user login history and current location [15]. |
| In 2004, Das et al [9] proposed a Dynamic Id based remote user authentication scheme based on smart cards to protect user anonymity. The Dynamic Id scheme allows user to choose and change their passwords freely and do not maintain verifier table to validate the legitimacy of a user. However various researchers [4, 10, 11] have shown that Das et al scheme is insecure against various attacks like impersonation attack, insider attack etc. The researchers also showed that Das et al scheme fails to protect user anonymity and it is password independent. In 2005 Chien and Chen [7], pointed out that Das et alâÂÂs scheme fails to protect user anonymity and then proposed a new scheme to overcome the weakness in Das et al scheme. The Chien et al claim that their scheme preserves the merits of Das et al scheme and provides user anonymity. |
| In 2008 Bindu et al [13] showed that Chien et al scheme is vulnerable to Insider attack and Man in the Middle attack, if the smart card is no longer tamper resistant i.e. the secret information stored in the smart card can be extracted. Therefore Bindu et al proposed an improved scheme and claimed that improved scheme eliminates the security flaws in Chien et al. In this paper, we will show that the Bindu et al scheme is still vulnerable to the Impersonation attack, server masquerade attack, stolen smart card attack, password guessing attack. We then propose an improvement scheme over Bindu et al„s scheme to remedy their drawbacks, while preserving all the merits of their schemes. In summary, our scheme has the following advantages: 1) the server does not need password or verification tables for user validity checking. 2) users can freely choose and change their passwords 3) User anonymity is maintained.4) Mutual Authentication is achieved 5) Session key exchange with perfect forward secrecy is provided 6) The scheme can resist various kinds of attacks such as smart card stolen verifier attack, password guessing attack, replay attacks and server impersonation attacks, all these are achieved even if the smart card is non-tamper resistant. |
| The rest of the paper is organized as follows. In section II a brief review of Bindu et alâÂÂs scheme is given. Section III describes the security weakness of Bindu et al scheme. In section IV our improved scheme is proposed and its security analyses are discussed in section V. The comparison of the both the protocols are given in section VI and section VII provides the conclusion of the paper. |
REVIEW OF BINDU ET AL.’S SCHEME |
| In this section, we examine the improved remote user authentication scheme proposed by Bindu et al in 2008.The scheme is composed of three phases: the registration, login, and authentication phase .The notations used in Bindu et al.âÂÂs scheme are listed below: |
| U: the user |
| ID: the identity of U. |
| PW: the password of U. |
| S: the remote server. |
| x: the secret key of S |
| h(.) : a secure one-way and collision resistant hash function. ER[M] : a symmetric encryption of message M using secret key R. p, g : the parameters of Diffie–Hellman key exchange protocol ⊕: the exclusive – OR (XOR) operation. |
| Registration Phase: |
| This phase is invoked whenever a user U registers with the remote system for the first time. |
| (R1) U selects his user identity ID, password PW, and then computes h(PW). User submits the ID and h(PW) to the system for registration. (R2) U to S: {ID, h(PW)} (R3) S Computes m=h(ID ⊕ x) ⊕ h(x) ⊕ h(PW) and I = h(ID ⊕ x) ⊕ x. (R4) S issues a smart card containing m, I, h(.), g, p |
| Login Phase: |
| Whenever the user wants to login to remote server S, the following procedure is performed. |
| (L1) U inserts his smart card into the card reader of a terminal and inputs his ID and PW. |
| (L2) The smart card generate a random number ru = gu mod p |
| Compute M = m ⊕ h(PW) |
| Compute C = M ⊕ ru |
| Compute R = I⊕ ru = h(ID ⊕ x) ⊕ x ⊕ ru |
| (L3) Smart card sends {C, T, ER [ru, ID, T]} to the server where T is the timestamp and the ER [ru, ID, T] is the cipher text encrypted with „RâÂÂ. |
| Authentication Phase: |
| After receiving UâÂÂs login request message, the server S performs the following steps: |
| (A1) S computes R= C ⊕ h(x) ⊕ x then decrypts the message ER [ru, ID, T] using R to obtain the plain text [ru, ID, T]. |
| A2) Test the validity of time interval between T and Tâ where Tâ is a time stamp when server received the message. |
| (A3) The server S computes R = h(ID ⊕ x ) ⊕ x ⊕ ru. If they are equal, S accepts the login request else rejects request. |
| (A4) S to U: {T1, ER{rs,ru+1,T1}} ,where rs = gs mod p and T1 is the server current time stamp. (A5) On receiving the reply message {T1, ER{rs,ru+1,T1}} user tests the validity of the time intervals and checks whether the decrypted data contains the value ru+1. If so user can generate the session key Kus = (rs) u mod p = gus mod p and the server is authenticated to the user. (A6) Then the user delivers the message E: Kus [rs+1] to the server. (A7) Server decrypts the received message and checks whether it is equal to rs+1, if yes, the user is authenticated and the server can be assured of a session key established between server and the user. |
WEAKNESS OF BINDU ET AL. ‘S SCHEME |
| In Bindu et al scheme, they concluded that their scheme counters the weakness in chien et al scheme[7] i.e. insider attack and man in the middle attack and they claimed that their scheme could also prevent 1) replay attack, 2) guessing attack. In this section, we will show that Bindu et al.âÂÂs scheme is still vulnerable to revealing of secret key of server to legal user, user-impersonation attack, server-masquerading attack, Man in the Middle attack, stolen smart card attack, password guessing attack, replay attack, fails to achieve mutual authentication and perfect forward secrecy (PFS). |
| Revealing of Secret Key of Server to Legal User: |
| Assume that an adversary „Eâ is a legal user. He can extract the secret data stored in his smart card by some means [12,13] then he can derive the secret key „xâ of server as follows . |
| m = h(ID ⊕ x) ⊕ h(x) ⊕ h(PW). |
| I = h(ID ⊕ x) ⊕ x. (2) |
| A legal user already knows his ID and extracted „Iâ stored in his smart card can perform guessing attack for „xâÂÂ. Guess a secret value x* and check h(ID ⊕ x*) ⊕ x* = I. If they are equal then the secret value of server S is x*. Otherwise he can repeat the process to get correct value x*. Once he knows the „xâÂÂ, then can find out h(x) as h(.) is available on this smart card by substituting the values in (1) . |
| A legal user without performing the above attacks can simply find out x ⊕ h(x) value as follows. (x ⊕ h(x) value is used by Server in A1 to authenticate user). m ⊕ I = x ⊕ h(x) ⊕ h (PW) (3) m ⊕ I ⊕ h (PW) = x ⊕ h(x) (4) a legal user knows m, I, h(.) and PW, he will substitute in (4) and gets the value for x ⊕ h(x) . |
| User Impersonation Attack: |
| User/Server Impersonation means that if an adversary „Eâ who is a legal user of the system has obtained the secret information stored in a legal user smart card or some intermediate computational results which a smart card sends to server, then he can crash the mutual authentication scheme by masquerading as user/server. An adversary E who is a legal user can impersonate another legal user U of Server S as follows. |
| a. Intercept the UâÂÂs login request message {C, T, ER[ru,ID,T]}. |
| b. Compute R = C ⊕ x ⊕ h(x). x ⊕ h(x) can be calculated as specified in A of section III, Equation (4) without doing any complex calculations by an adversary. |
| c. Decrypt ER[ru,ID,T] using R, Then the adversary E comes to know the ID. (Hence in Bindu et al.âÂÂs scheme user anonymity is not preserved.), ru, T. |
| d. Whenever E wants to impersonate U he can send a fake login request message {C, T*, ER[ru, ID, T*]} to S with proper T*. It will pass the authentication process (A1) of S. C, R, ID, ru can be replayed and they are fixed values (doesnâÂÂt changes with time). only value adversary needs to take care is T*. E can find out the valid T* by eaves dropping the communication between U and S. |
| Server Masquerade Attack: |
| An adversary E can impersonate Server S as follows. |
| a. Intercept UâÂÂs login request message {C, T, ER[ru,ID,T]}. b. Compute R = C⊕ x⊕h(x) .x⊕h(x) can be calculated as specified in equation (4) of A of section III without doing any attacks by an adversary. Now E came to know the secret key R through which the User and Server encrypts and decrypts the message. Hence now any message to U from S can be easily intercepted and decrypted by E. c. Now, whenever U sends a new login request message {C*, T*, ER*[ru*, ID, T*]}. E intercepts the login request message from U. Computes C* ⊕ x ⊕ h(x) to obtain R*. Then decrypts the message to get ru*, ID, T*. d. E can impersonate S by sending {T1, ER*[rs, ru*+1, T1]} where rs = gs mod p. e. As mentioned In B of section III, E can get correct T1 by eaves dropping the messages from U to S. f. U will decrypt the message and checks whether the decrypted message contains ru*+1. If so U proceeds to create session key with the E assuming it S. |
| Stolen SmartCard Attack: |
| In case a legal user UâÂÂs smart card is stolen by an adversary E who is also a legal user of S, then as mentioned in A of section III, E can extract the secret data stored in the smart card by any means [12,13]. Once E gets m, I stored in UâÂÂs smart card then E can get ID and PW of U as follows |
| m = h(ID ⊕ x) ⊕ h(x) ⊕ h(PW). (1) |
| I = h(ID ⊕ x) ⊕ x. (2) |
| As E is legal user he knows „xâ the secret key of S as discussed in A of section III. He performs guessing attack using equation (2). He guess an ID of U as ID* and checks whether h(ID* ⊕ x) ⊕ x is equal to I . If they are equal then ID* is the ID of U else he select another ID* and repeats the above guessing attack until the match is found. Once he gets the correct ID of U, He performs similar attack on equation (1) to get PW of U. This is one of severe vulnerability in Bindu et al.âÂÂs scheme. Once a valid user smart card is lost then the legitimate adversary can use the card as his own. |
| Man in the Middle Attack: |
| A Man-in-the-Middle attack is an attack in which the adversary gets in the middle of a valid user U and S while running of the scheme. He imitates as user while talking to server and vice versa. |
 |
| Failure to Achieve Mutual Authentication: |
| As shown in B, C, and E of section III Bindu et alâÂÂs scheme suffer from user impersonation attack, server masquerade attack, man in the middle attack. Hence their scheme has failed to achieve mutual authentication among user U and remote server S [21]. |
| Failure to Achieve Secure Session Key Agreement with Perfect Forward Secrecy(PFS): |
| The purpose of PFS is that even if an adversary records all the cipher text messages sent by the user U to S, and later he come to know the secret session key used for encrypting the cipher text, It must not possible for him to decrypt the recorded cipher texts. In E of section III, we showed that Bindu et alâÂÂs scheme suffers from man in the middle attack. In this attack an adversary creates a session key with both user (Kau) and system (Kus). Hence the adversary can able to decrypt all the messages encrypted by user with secret session key (Kau) and the messages encrypted by server S with secret session key (Kus). Hence Bindu et alâÂÂs scheme has failed to achieve perfect forward secrecy [21]. |
| OUR IMPROVED SCHEME |
| In this section, we present an improved scheme over Bindu et al.âÂÂs scheme to remedy their security flaws (i.e vulnerabilities to Revealing of secret key of server to legal user, User impersonation attack, Server masquerading attack, Stolen smart card attack, Man in the middle attack, preserving user anonymity etc) while preserving their merits. The proposed scheme is divided in to four phases: the registration, login, authentication, and password change phases. |
| Registration Phase: |
| This phase is invoked whenever a user U wants to register first time with the remote server S. The following steps are performed. |
| (R1) The user U first chooses his Identity ID and password PW, and a random number b. |
| (R2) U to S: {ID, h(b || PW)} |
| (R3) S computes: |
| W = h(ID || x) ⊕ h(b||PW) |
| where „xâ is the secret of S. |
| (R4) S to U, a smart card containing W and the public parameters {h(.), p, g} |
| Login Phase: |
| Whenever user wants to login into the remote server S, he inserts his smart card into the terminal and inputs his ID, PW and b. Then the smart card performs the following tasks. |
| (L1) Compute I = W ⊕ h(b || PW) = h(ID || x ) |
| (L2) : Generate random numbers a , u ≠ 0. |
| (L3) : Compute : |
| ru = gu mod p |
 |
| Authentication Phase: |
| On receiving the login request message from U, S performs the following tasks (A1) Compute R from C, which is in login request message sent by U and server secret key x. R = C h(x) mod p. (A2) Test the validity of time interval between T and T* where T* is the Server time on which the login message is received. (A3) Verify whether the following equation holds |
 |
SECURITY ANALYSIS OF IMPROVED SCHEME |
| In this section we discuss and demonstrate how our proposed scheme fixes the vulnerabilities found in Bindu et al.âÂÂs scheme while preserving the merits of their scheme. |
| User Anonymity: |
| To preserve user anonymity in our scheme we are sending ID of a user in an encrypted form using the one-time secret key R. To know the user who sent the login request, the remote server S must decrypt the message ER[ru,ID,T] using R, To calculate R, S stores data in Smart card of the user such that it can calculate R on swipe of the smart card by the user. In Bindu et al.âÂÂs scheme once the legitimate adversary E gets the secret data stored in the smart card by some means [2,5,17,18], As discussed in A of section III, the adversary E can find out the secret key x of the server and once he obtain the intermediate computation result, he can derive secret key R, R = C ⊕ x⊕ h(x), E gets x, h(x) from data stored in smart card as discussed in A of section III and C from intermediate computational result. |
| To resolve this problem the secret key x, R must not be derived from either the secret data stored in the smart card or the intermediate computational result. In our scheme we stored only W= h(ID||x) ⊕ h( b || PW) on the smart card. It is computationally infeasible for an adversary E who is a legal user, even he knows ID, PW, b to calculate x, which is secret key of remote system S this is due to one-way and collision resistant properties of hash function. It is also computationally infeasible to calculate I = h(ID ||x) for a legal user even he knows ID, as itâÂÂs not possible for him to get x as discussed above. Similarly, if E obtains the intermediate computational result C, It is computationally in feasible to get h(x) from the formula C h(x) mod p, owing to discrete logarithm properties. |
| As discussed above in our scheme itâÂÂs not possible even for an adversary who is a legal user to know the secret key of server x from the data stored in the smart card (which is not the case with Bindu et al.âÂÂs scheme as discussed in A of section III) and itâÂÂs not possible to calculate the secret key R from the intermediate computational result. Same is the case when a legal user intercepts other user login messages. Hence in our system based on hash function and discrete logarithm property we protected the user anonymity. |
| Resistance to User Impersonation Attack: |
| To impersonate a user U, an adversary E who is also a legal user must fake a login message C,T,ER[ru,ID,T] and a reply message M = h( rs || Kus) (A6) to the remote server S. To impersonate U, E must know the ID of U to create a fake message, As shown in A of section V itâÂÂs not possible for E to get R, so he cannot decrypt the login message sent by U and get UâÂÂs Identity i.e ID. Another way, E can replay a valid login message from U but still he needs to forge a valid reply message to S i.e M = h( rs || Kus) (A6). To send a forged reply M = h( rs || Kus), E must know rs sent by S to U. S sent rs to U in A4. The adversary to get rs, must decrypt ER[rs,h(ID||ru||T||T1||Kus)] but as discussed in A of section V its not computationally feasible to derive R even for a legal adversary E. Hence in our scheme it is impossible for anyone to impersonate a legal user U in our scheme. |
| Resistance to Server Masquerade attack: |
| To masquerade as remote server S, An adversary E has to send U, a forged reply message {T1,ER[rs,h(ID||ru||T||T1||Kus)]} as in A4 once E received the login message from U. As shown in A of section V it is computationally infeasible for E to derive R to decrypt the login message {C,T,ER[ru,ID,T]} to obtain ru, ID.In A4 remote server S sends {T1,ER[rs,h(ID||ru||T||T1||Kus)]} to U. To get rs, Kus, E must derive R, which we shown in A of V as computationally infeasible. Hence E cannot obtain rs, Kus to forge the reply message from remote server S. Hence in our scheme it is impossible for anyone to masquerade as server. |
| Resistance to Offline Password Guessing Attack and Stolen smartCard Attack: |
| In our scheme we stored only W = h(ID || x) ⊕ h(b||PW) in the smart card. As demonstrated in A of section V an adversary E who is a legal user of the remote server S, doesnâÂÂt obtains ID and x. As b is a random number chosen by the user U, E doesnâÂÂt knows it. Without knowing ID,x,b it is computationally infeasible to calculate PW after obtaining W from the UâÂÂs smart card, owing to hash function properties. ItâÂÂs not the case with Bindu et al.âÂÂs scheme in which an adversary who is a legal user from the stolen smart card can able to obtain both the ID and PW as discussed in C of section III. Hence our scheme provides resistant to offline password guessing attacks and stolen smart card attack. |
| Mutual Authentication: |
| In our proposed scheme, To authenticate U, the server S will validate U by comparing R in A1 equals to A3 and the message sent by U in A6 i.e h(rs|| Kus) = M. In A of V we shown that in our scheme itâÂÂs not possible to obtain ID, R,x,h(x) by an adversary even he is a legal user. In B of section V we have shown that our scheme provides resistant to user impersonation attack. ItâÂÂs not possible for E to forge login messages sent by U. To send a fake login message to S by E, E needs to compute C, I. To calculate I, E needs UâÂÂs PW and ID. As shown in A of section V our scheme preserves user anonymity hence itâÂÂs not possible for E to get ID of U. In D of section V we shown that our scheme resists offline password attacks, hence E cannot obtain PW of U without ID and PW, E cannot create a forge login message. On the other hand, U authenticates S by checking the cipher text ER[rs,h(ID||ru||T||T1||Kus)]. In C of section V we shown that itâÂÂs not possible for E to forge ER[rs,h(ID||ru||T||T1|| Kus)] to masquerade as S. Only the legal server S who knows the x,h(x) can derive R from Ch(x) mod p to decrypt the login message sent by U. Then S can extract ru,ID and computer rs and Kus can able to frame a valid ER[rs,h(ID||ru||T||T1||Kus)] message . |
| Secure Session Key Agreement with Perfect Forward Secrecy: |
| In Bindu et al scheme as discussed in E of section III, MiM attack causes the revealing of secret shared session key between U and S to adversary. In our proposed scheme, User and Server send ru and rs in an encrypted format using „RâÂÂ. In A of section V we shown that itâÂÂs computationally infeasible to calculate R by an adversary, hence itâÂÂs not possible for an adversary, even he is legal user to perform man in the middle attack and decrypt the cipher text containing ru and rs. Hence our proposed scheme provides secure session key agreement with perfect forward secrecy (PFS). |
COMPARISON OF SECURITY FEATURES |
 |
CONCLUSION |
| In 2008 Bindu et al.âÂÂs proposed an improved remote user authentication scheme preserving user anonymity which is an improved version of the scheme proposed by chien et al in 2004. However in this paper we shown that Bindu et al.âÂÂs scheme doesnâÂÂt preserve user anonymity as they claim to be. In addition we have shown that Bindu et al.âÂÂs scheme is vulnerable to numerous attacks like user impersonation attack, server masquerade attack, man in the middle attack, stolen smart card attack and fails to provide with perfect forward secrecy. In addition we proposed our scheme which is an improved version over Bindu et al.âÂÂs scheme while preserving all their merits. Our proposed scheme doesnâÂÂt compromise on any attack even the secret information stored in the smart cards are revealed. We also provided the comparison of various authentication protocols with our proposed one. The comparison table suggests that our protocol is more secure compared to other similar protocols. |
References |
|