Published in IET Information Security
Received on 25th June 2012
Revised on 1st March 2013
Accepted on 30th June 2013
doi: 10.1049/iet-ifs.2012.0206
ISSN 1751-8709
Abstract: In a distributed environment, a fundamental concern is authentication of local and remote users in insecure communication networks. Absolutely, legitimate users are more powerful attackers, since they possess internal system information not available to an intruder. Therefore many remote user authentication schemes for distributed systems have been proposed. These schemes claimed that they could resist various attacks. However, they were found to have some weaknesses later. Lee et al. proposed a secure dynamic ID-based remote user authentication scheme for the multi-server environment using smart cards and claimed that their scheme could protect against masquerade attacks, server spoofing attack, registration server spoofing attack and insider attack. In this study, the authors show that Lee et al.'s scheme is still vulnerable to password guessing attack, server spoofing attack and masquerade attack. To propose a viable authentication scheme for distributed systems, we remedy the flaws of Lee et al.'s scheme and propose an efficient improvement over Lee et al.'s scheme. Furthermore, we compare the proposed scheme with related ones to prove that the computation cost, security and efficiency of the proposed scheme are well suitable for practical applications in a distributed system.
Introduction
© The Institution of Engineering and Technology 2014
www.ietdl.org
new remote user authentication scheme utilising the simple geometric properties of the Euclidean [20]. Later, Juang [24] showed that Lin et al.'s scheme is inefficient and proposed a new efficient multi-server user authentication and key agreement based on hashing function and symmetric key cryptosystem. However, Juang's scheme was pointed out to suffer from online guessing attack, offline password guessing attack and is not repairable. Chang et al. [25] proposed a novel remote user authentication scheme to remedy these weaknesses. In Chang et al.'s scheme, the registration server distributed the secret key x to each register server via a secure channel. Nevertheless, their scheme is still vulnerable to insider attack, spoofing attack and registration server spoofing attack. In 2008, Tsai [26] used the nonce and one-way hashing function to propose an efficient multi-server authentication scheme without a verification table. Owing to low computation costs, Tsai's scheme is very suitable for distributed networks.
The foregoing schemes are based on static ID which might be intercepted by an adversary from the public network and be used to trace the legal user. In 2009, Liao and Wang [27] first proposed a dynamic ID-based remote user authentication scheme for multi-server environment. However, Hsiang and Shih [28] found that Liao et al.'s scheme is vulnerable to insider attack, masquerade attack, server spoofing attack, registration server spoofing attack and is not repairable. Moreover, Liao et al.'s scheme cannot provide mutual authentication. Therefore Hsiang et al. proposed an improved scheme to solve these problems. In 2011, Lee et al. [29] pointed out that Hsiang et al.'s scheme is still vulnerable to a masquerade attack, server spoofing attack and is not easily repairable. Furthermore, Hsiang et al.'s scheme cannot provide mutual authentication. Thus, Lee et al. proposed a secure dynamic ID-based remote user authentication scheme for
Ui: ith user
Sj: jth service providing server
RC: the server which is responsible for processing users' registrations
IDi: user Ui's identity
PWi: user Ui's password
y: a secret number
x: the master secret key
a random number chosen by the user Ui for authentication
CIDi: the dynamic identity of the user Ui
SK: a session key shared among the user, the service providing server and the control server
a secure channel
a common channel
⊕: exclusive-OR operation
||: message concatenation operation
Registration phase
Fig. 3 Password change phase and verification phase of Lee et al.'s scheme
Bi = h(h(b ⊕ PWi)||h(x||y))
Hi = h(Ti)
Step R3: RC to Ui: The register server RC stores (Vi, Bi, Hi, h(·), h(y)) into Ui's smart card and submits the smart card to Ui via a secure channel.
Step R4: On receiving the smart card, the user Ui enters b into the smart card. At last, the smart card contains (Vi, Bi, Hi, h(·), h(y), b).
2.2 Login phase
When the user Ui wants to log into the server Sj, the user Ui inserts his smart card into a card reader and enters his identity IDi and password PWi.
Step L1: The smart card computes
Ti = Vi ⊕ h(IDi||h(b ⊕ PWi))
Hi = h(Ti)
and checks whether this computed Hi equals the Hi stored in the smart card; if they are equal, Ui is the legal user.
Step L2:
Ai = h(Ti||h(y)||Ni)
Pij = Ti ⊕ h(h(y)||Ni||SIDj)
CIDi = h(b ⊕ PWi) ⊕ h(Ti||Ai||Ni)
Qi = h(Bi||Ai||Ni)
Step L3: Ui to Sj: (Qi, Ni, Pij, CIDi)
2.3 Verification phase
Step V1: Upon receiving the login request (Qi, Ni, Pij and CIDi), Sj computes Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtains Ai by computing h(Ti||h(y)||Ni). Next, Sj computes h(b ⊕ PWi) = CIDi ⊕ h(Ti||Ai||Ni) and Bi = h(h(b ⊕ PWi)||h(x||y)).
Step V2: Sj computes h(Bi||Ai||Ni) and compares it with Qi. If they are not equal, Sj rejects the login request and terminates this session. Otherwise, Sj accepts the login request and generates a nonce Nj to compute Mij = h(Bi||Ni||Ai||SIDj). Finally, Sj to Ui: Mij, Nj.
Step V3: After receiving the message (Mij, Nj), the smart card computes Mij = h(Bi||Ni||Ai||SIDj) and compares it with the received message Mij. If they are not equal, Ui rejects these messages and finishes this session. Otherwise, Sj is authenticated successfully and Ui computes Mij = h(Oi||Nj||Ai||SIDj). Next, Ui sends the message Mij back to Sj.
IET Inf. Secur., 2014, Vol. 8, Iss. 2, pp. 104–113
Step V4: Upon receiving this message Mij, Sj computes Mij = h(Bi||Nj||Ai||SIDj) and checks it with the received message Mij. If they are equivalent, Sj authenticates Ui successfully. After finishing the verification phase, Ui and Sj can compute a session key SK = h(Bi||Ni||Nj||Ai||SIDj) for securing communications.
2.4 Password change phase
Step P1: Ui inserts his/her smart card into a card reader and enters his/her identity IDi and password PWi. The smart card computes
Ti = Vi ⊕ h(IDi||h(b ⊕ PWi))
Hi = h(Ti)
and checks whether this computed Hi equals the Hi stored in the smart card; if they are equal, Ui is asked to input a new password PWnew and a new random number bnew. Then, the smart card computes h(bnew ⊕ PWnew) and Vnew = Ti ⊕ h(IDi||h(bnew ⊕ PWnew)). Finally, Ui sends IDi and h(bnew ⊕ PWnew) to RC in the secure channel.
Step P2: After receiving IDi and h(bnew ⊕ PWnew), the RC computes
Bnew = h(h(bnew ⊕ PWnew)||h(x||y))
RC sends Bnew back to Ui.
Step P3: Finally, the smart card replaces Vi and Bi with Vnew and Bnew.
3.1 Masquerade attack
Proposed scheme
shares them with Sj through a secure channel. The master
secret key x and secret number y are known to RC only.
The proposed scheme has four phases: the registration phase, the login phase, the verification phase and the password change phase. The registration phase of our protocol is presented in Figs. 4 and 5 which illustrate the detailed steps of the login phase and the verification phase. Finally, the password change phase is shown in Fig. 6.
4.1 Registration phase
Vi = Ti ⊕ h(IDi||h(b ⊕ PWi))
Bi = h(b ⊕ PWi) ⊕ IDi ⊕ h(h(b ⊕ PWi ⊕ Ri)||h(x||y))
Hi = h(Ti)
We use Ri to represent the user instead of using IDi directly, thus an adversary cannot identify what Ri is. Moreover, since Ri is a random number, it is more difficult to guess Ri than a logic identity IDi.
Step R3: RC to Ui: RC issues a smart card to Ui, and the card contains (Zi, Vi, Bi, Hi, h(·) and h(y)).
Step R4: Then, Ui enters b into his/her smart card, the smart card contains (Zi, Vi, Bi, Hi, b, h(·) and h(y)).
4.2 Login phase
When the user Ui wants to log into the server Sj, the user inserts his/her smart card into the card reader and then inputs his/her identity IDi, password PWi and the server's identity SIDj.
Step L1: Then, the smart card computes
Ri = Zi ⊕ IDi ⊕ h(b ⊕ PWi)
Ti = Vi ⊕ h(IDi||h(b ⊕ PWi))
Hi = h(Ti)
and checks whether this computed Hi equals the Hi stored in the smart card; if they are equal, the smart card proceeds to the next step. Otherwise, the smart card terminates this session.
Step L2: The smart card generates a random number Ni and computes
Oi = h(b ⊕ PWi) ⊕ IDi ⊕ Bi = h(h(b ⊕ PWi ⊕ Ri)||h(x||y))
Ai = h(Ti||h(y)||Ni)
CIDi = h(b ⊕ PWi ⊕ Ri) ⊕ h(Ti||Ai||Ni)
Pij = Ti ⊕ h(h(y)||Ni||SIDj)
Qi = h(Oi||Ai||Ni)
Step L3: Ui to Sj: CIDi, Pij, Qi and Ni
4.3 Verification phase
After receiving the login request sent from Ui, Sj performs the following tasks to authenticate the user's login request. The steps of the verification phase are as follows:
Step V1: Upon receiving the login request (CIDi, Pij, Qi and Ni), Sj computes Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtains Ai by computing h(Ti||h(y)||Ni). Next, Sj computes h(b ⊕ PWi ⊕ Ri) = CIDi ⊕ h(Ti||Ai||Ni) and Oi = h(h(b ⊕ PWi ⊕ Ri)||h(x||y)).
Step V2: Sj computes h(Oi||Ai||Ni) and compares it with Qi. If they are not equal, Sj rejects the login request and terminates this session. Otherwise, Sj accepts the login request and generates a nonce Nj to compute Mij = h(Oi||Ni||Ai||SIDj). Finally, Sj to Ui: Mij, Nj.
Step V3: After receiving the message (Mij, Nj), Ui computes Mij = h(Oi||Ni||Ai||SIDj) and compares it with the received message Mij. If they are not equal, Ui rejects these messages and terminates this session. Otherwise, Ui authenticates Sj successfully and computes Mij = h(Oi||Nj||Ai||SIDj). Next, Ui sends the message Mij back to Sj.
Step V4: Upon receiving this message Mij, Sj computes Mij = h(Oi||Nj||Ai||SIDj) and checks it with the received message Mij. If they are equal, Sj authenticates Ui successfully. After finishing the verification phase, Ui and Sj can compute a session key SK = h(Oi||Ni||Nj||Ai||SIDj) for securing communications.
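The login and verification exchange of the proposed scheme (Steps L1-L2 and V1-V4 above), written out as an added example; it is not the authors' code. SHA-256 for h(·), zero-padding of IDi and PWi before XOR, Ti = h(IDi||x) and the function names are assumptions, since the page does not show them.

```python
import hashlib, hmac, secrets

def h(*parts: bytes) -> bytes:
    """h(a||b||...); SHA-256 is an assumed stand-in for the paper's h(.)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    """XOR of 32-byte values; shorter inputs (IDi, PWi) are zero-padded (assumed)."""
    out = bytes(32)
    for v in vals:
        out = bytes(p ^ q for p, q in zip(out, v.ljust(32, b"\0")))
    return out

def register(x, y, ID, PW, b):
    """RC issues the card. Assumed, not shown on the page: Ti = h(IDi||x)."""
    Ti, Ri, w = h(ID, x), secrets.token_bytes(32), h(xor(b, PW))
    return {"Z": xor(Ri, ID, w), "V": xor(Ti, h(ID, w)), "H": h(Ti),
            "B": xor(w, ID, h(h(xor(b, PW, Ri)), h(x, y))), "b": b, "hy": h(y)}

def login(card, ID, PW, SID):
    """Steps L1-L2 on the card: returns (request, user state), or None."""
    w = h(xor(card["b"], PW))
    Ri, Ti = xor(card["Z"], ID, w), xor(card["V"], h(ID, w))
    if not hmac.compare_digest(h(Ti), card["H"]):
        return None                       # wrong IDi or PWi: stop at Step L1
    Ni = secrets.token_bytes(32)
    Oi, Ai = xor(w, ID, card["B"]), h(Ti, card["hy"], Ni)
    req = {"CID": xor(h(xor(card["b"], PW, Ri)), h(Ti, Ai, Ni)),
           "P": xor(Ti, h(card["hy"], Ni, SID)), "Q": h(Oi, Ai, Ni), "N": Ni}
    return req, (Oi, Ai, Ni)

def server_verify(hy, hxy, SID, req):
    """Steps V1-V2 on Sj: returns (Mij, Nj, server state), or None."""
    Ti = xor(req["P"], h(hy, req["N"], SID))
    Ai = h(Ti, hy, req["N"])
    Oi = h(xor(req["CID"], h(Ti, Ai, req["N"])), hxy)
    if not hmac.compare_digest(h(Oi, Ai, req["N"]), req["Q"]):
        return None                       # Qi mismatch: reject the request
    Nj = secrets.token_bytes(32)
    return h(Oi, req["N"], Ai, SID), Nj, (Oi, Ai, req["N"], Nj)

def user_confirm(state, SID, Mij, Nj):
    """Step V3 on Ui: returns (reply to Sj, SK), or None if Sj is not authentic."""
    Oi, Ai, Ni = state
    if not hmac.compare_digest(h(Oi, Ni, Ai, SID), Mij):
        return None
    return h(Oi, Nj, Ai, SID), h(Oi, Ni, Nj, Ai, SID)

def server_finish(state, SID, reply):
    """Step V4 on Sj: returns SK, or None if Ui's reply does not verify."""
    Oi, Ai, Ni, Nj = state
    ok = hmac.compare_digest(h(Oi, Nj, Ai, SID), reply)
    return h(Oi, Ni, Nj, Ai, SID) if ok else None
```

The equality checks use hmac.compare_digest so that comparison time does not depend on how many bytes match; the page itself only says the values are compared.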
4.4
Table 2 Cryptanalysis of our proposed scheme
Functionalities | | | Sood et al. | Lee et al. | Proposed scheme
user's anonymity | yes | yes | yes | yes | yes
computation cost | high | medium | low | low | low
single registration | yes | yes | yes | yes | yes
no time synchronisation | yes | yes | yes | yes | yes
resist replay attack | yes | no | no | yes | yes
resist impersonation attack | no | no | no | no | yes
resist leak-of-verifier attack | no | yes | yes | yes | yes
resist server spoofing attack | yes | no | no | no | yes
resist password guessing attack | yes | yes | no | no | yes
correct password update | yes | no | yes | yes | yes
correct mutual authentication | no | yes | yes | yes | yes
correct session key agreement | no | yes | yes | yes | yes
P |≡ P ←K→ Q, P ◁ {X}K
----------------------
P |≡ Q |∼ X
If the principal P believes that the secret key K is shared
with the principal Q and P receives the message X
encrypted with K then, P believes that the principal Q once
sent the message X.
P |≡ P ←K→ Q
If the principal P believes that the session key K is fresh
and the principal Q believes X, which are the necessary
elements for a key, then P believes that he/she shares the
session key K with Q.
To implement BAN logic to prove an authentication
scheme, the following processes should be performed:
1. Idealise the proposed scheme in the language of formal logic.
2. Identify the assumptions about the initial state of the
proposed scheme.
3. Use the productions and rules of the logic to deduce new
predicates.
4. Use logic to discover the beliefs held by the parties in the
proposed scheme.
In the BAN logic, the goals of our scheme can be presented as follows:
Goal 1: Ui |≡ Ui ←SK→ Sj
Goal 2: Ui |≡ Sj |≡ Ui ←SK→ Sj
Goal 3: Sj |≡ Ui ←SK→ Sj
Goal 4: Sj |≡ Ui |≡ Ui ←SK→ Sj
A1: Sj |≡ #(Ni)
A2: Sj |≡ #(Nj)
A3: Ui |≡ #(Ni)
A4: Ui |≡ #(Nj)
A5: Sj |≡ Sj ←h(y)→ RC
A6: Ui |≡ Ui ←h(y)→ RC
A7: Sj |≡ Sj ←h(x||y)→ RC
A8: Ui |≡ Ui ←h(x||y)→ RC
A9: Sj |≡ Ui ⇒ Ti, which means that Sj believes that the user Ui has complete control over Ti
A10: Ui |≡ (b, PWi and Ri)
A11: Sj |≡ Ui ⇒ (b, PWi and Ri)
A12: Ui |≡ SIDj
A13: Sj |≡ SIDj
Based on the aforementioned assumptions, the preliminary
procedures of BAN logic have been well prepared. The
following presents the main steps of the proof.
The smart card first generates a random number Ni. According to the assumptions A1–A4, Sj and Ui believe Ni definitely. Then, the user Ui sends the message M1 to server Sj.
M1: Ui → Sj: Pij: ⟨Ti⟩_(h(y)||Ni||SIDj), CIDi: ⟨b, PWi, Ri⟩_(Ti), Qi: ⟨Oi||Ni⟩_(Oi)
S1. Sj ◁ Pij: ⟨Ti⟩_(h(y)||Ni||SIDj), CIDi: ⟨b, PWi, Ri⟩_(Ti), Qi: ⟨Oi||Ni⟩_(Oi) //By seeing rule
S2. Sj |≡ Ui |∼ Ti //By A5, S1 and the message meaning rule
S3. Sj |≡ Ui |≡ Ti //By A1, S2, the freshness-conjuncatenation rule and the nonce-verification rule
5.2 Security analysis
without the knowledge of the user's identity IDi, the user's password PWi and the secrets x, y, where they are all well protected by a one-way hashing function. Thus, the attacker cannot forge a valid login request (CIDi, Pij, Qi and Ni).
Context: A(SC, (Zi, Vi, Bi, Hi, b, h(·) and h(y))), which means that the adversary A has the smart card (SC) and knows the parameters (Zi, Vi, Bi, Hi, b, h(·) and h(y)).
Intention: REVEALA(Ti, Ri and h(h(b ⊕ PWi ⊕ Ri)||h(x||y))), which means that the adversary A wants to reveal the values of Ti, Ri and h(h(b ⊕ PWi ⊕ Ri)||h(x||y)).
Result: SuccA[Pr(PW) Pr(x) Pr(y)], which means that the adversary A's success probability of obtaining the values is equal to finding out the password PW, the master secret key x and a random number y at the same time. It is extremely infeasible.
It is obvious that the proposed scheme can resist an impersonation attack. Besides, the attacker cannot obtain any information about IDi in the transmitted information, since Ri is to substitute the real identity. Therefore the proposed scheme can protect against the denial of service attack.
5.2.3 Offline password guessing attack: If an attacker has intercepted the information CIDi, Pij, Qi and Ni and stolen the user Ui's smart card to obtain Zi, Vi, Bi and Hi, he/she may compute Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtain Ai by computing h(Ti||h(y)||Ni). Next, the attacker computes h(b ⊕ PWi ⊕ Ri) = CIDi ⊕ h(Ti||Ai||Ni). However, the attacker cannot guess PWi without knowing Ri. Even if the attacker wants to utilise Zi to find Ri, he/she cannot guess PWi and IDi at the same time.
Context: A(CIDi, Pij, Qi, Ni)
Intention: REVEALA(Ri)
Result: SuccA[Pr(ID) Pr(PW)], which means that the adversary A's success probability to find the value Ri is equal to guessing the identity ID and password PW at one time. Also, it is very difficult to conduct the attack.
5.2.4 Server spoofing attack: If an attacker wants to launch a server spoofing attack, he/she has to compute Mij = h(Oi||Ni||Ai||SIDj) first. However, there is no way to find Oi since the attacker cannot compute h(b ⊕ PWi) ⊕ IDi ⊕ Bi without the knowledge of IDi and PWi, even if the attacker has extracted Bi from the user's smart card.
Context: A(SC, Bi)
Intention: REVEAL(Oi)
Result: SuccA[Pr(ID) Pr(PW)], the adversary A's success probability of obtaining the value Oi equals to finding the identity ID and password PW simultaneously. Also, it is impossible to implement the attack.
smart card and can extract the information (Zi, Vi, Bi, Hi, b, h(·) and h(y)) from the smart card. Since x, y and Ri are unknown to the attacker, he/she cannot guess IDi and PWi from the breached information. Therefore the attacker cannot acquire or change the user's password. In addition, since he/she cannot compute Ai, Bi and Ti, he/she cannot launch an impersonation attack using the lost or stolen smart card. Therefore the stolen smart card attack cannot work on the proposed scheme.
5.2.7 User anonymity: In the registration phase, the user's identity is well protected by a secure communication channel among the user and the registration server. In the login phase of the proposed scheme, the user Ui transmits the dynamic identity CIDi = h(b ⊕ PWi ⊕ Ri) ⊕ h(Ti||Ai||Ni) as a substitute for the real identity IDi for its authentication to the service providing server Sj. When the user wants to login to the server, the dynamic CIDi is different for each session. Besides, instead of the real identity IDi, the substitute information Ri is used. Thus, the attacker cannot distinguish between different sessions corresponding to a certain user and cannot obtain any clue to the real identity. According to the above analysis, the proposed scheme can provide the user's anonymity.
5.2.8 Mutual authentication: In our scheme, when the user Ui wants to access the services, he/she transmits the login request to the service providing server Sj. Sj will accept the login request in Step V2, and then respond with the message Mij and Nj to Ui. On receiving Mij and Nj from Sj, Ui computes Mij = h(Bi||Ni||Ai||SIDj) and compares Mij with Mij to authenticate Sj. Then, the user responds with Mij to Sj in Step 3. Upon receiving the message Mij, Sj computes h(Bi||Nj||Ai||SIDj) to authenticate Ui in Step V4. When Ui and Sj successfully authenticate each other, the session key SK = h(Bi||Ni||Nj||Ai||SIDj) will be computed to secure the subsequent communications. Therefore mutual authentication is achieved in the proposed scheme.
Table 3 Performance analysis of our proposed scheme
Scheme | Login phase | Verification phase | Total
Lee et al. | 7Thash | 8Thash | 15Thash
Sood et al. | 7Thash | 18Thash | 25Thash
Hsiang and Shih | 7Thash | 17Thash | 20Thash
Liao and Wang | 6Thash | 9Thash | 15Thash
proposed scheme | 8Thash | 9Thash | 17Thash
Conclusion
References