Cryptanalysis of a Remote User Authentication Protocol Using Smart Cards

R. Madhusudhan Department of Mathematical and Computational Sciences

National Institute of Technology Karnataka Surathkal, India

[email protected]

Rohith Kumar S Department of Mathematical and Computational Sciences

National Institute of Technology Karnataka Surathkal, India

[email protected]

Abstract— Remote user authentication using smart cards is a method of verifying the legitimacy of remote users accessing the server through an insecure channel, using smart cards to increase the efficiency of the system. During the last couple of years many protocols to authenticate remote users using smart cards have been proposed. Unfortunately, most of them have been proved insecure against various attacks. Recently this year, Yung-Cheng Lee improved Shin et al.’s protocol and claimed that the improved protocol is more secure. In this article, we show that Yung-Cheng-Lee’s protocol too has defects. It does not provide user anonymity; it is vulnerable to Denial-of-Service attack, session key reveal, user impersonation attack, server impersonation attack and insider attacks. Further, it is not efficient in the password change phase since it requires communication with the server and uses a verification table.

Keywords—authentication; smart card; cryptanalysis; dynamic id

1 INTRODUCTION

Nowadays, accessing remote resources through networks has become a common technology used to perform many tasks. Here security is a main issue to be considered, since all users share the same public network to obtain services from the remote server. One of the main tasks is to authenticate the user accessing the server, i.e. to verify that the user is a legal user entitled to request the service.

Smart card based remote user authentication is one of the most widely used methods of authentication. These methods are used because of their low computational cost. A smart card is an integrated circuit card with memory to store personal data and a processor capable of performing computations. Authentication based on smart cards usually consists of 4 main operations: registration, login, verification and password change. In most of the protocols password verification takes place in the login phase. In the verification phase mutual authentication between user and server takes place, and in most of the secure protocols a session key agreement takes place in the same phase.

2 LITERATURE REVIEW

Creative computing, which is any computing that is new, surprising and useful [10,11], in the area of remote user authentication has resulted in the proposal of many remote user authentication protocols since Lamport proposed a remote user authentication protocol using password tables [12]. Creative computing resulted in the use of smart cards in remote user authentication protocols, to avoid keeping password verification tables in the server, and in the use of dynamic identities for users on the public network, to prevent tracking of users’ activities from the public network. In 2004 Das et al. proposed a dynamic ID based remote user authentication protocol [1]. But it had many flaws, proved later by others. First, Awasthi (2004) identified that Das et al.’s protocol is completely insecure and that using this protocol is like open server access without a password [9]. Liao et al. also analyzed Das et al.’s protocol and identified that it is vulnerable to guessing attack and does not provide mutual authentication [12]. To overcome these, Liao et al. proposed an improved protocol. Later, Misbahuddin and Bindu showed that even Liao et al.’s protocol is not secure [13]. In 2005, Yoon and Yoo proposed a protocol [14]. However, it too had vulnerabilities, and an improved protocol was proposed by Kim-Chung [15]. Kim-Chung claimed that their protocol can prevent masquerading attack and resist other malicious attacks. But it was identified by C.T. Li, Horng and Qiuyan et al. that the Kim-Chung protocol is not secure enough, especially in preventing password guessing attack [16, 17, 18]. In 2009 Wang et al. showed that Das et al.’s protocol is completely insecure and proposed a dynamic ID based protocol [2]. But M.K. Khan et al. showed that even Wang et al.’s protocol suffers from attacks and proposed an improved protocol [3]. However, Sun and Cao demonstrated that even Khan et al.’s protocol has weaknesses and proposed their own protocol [4].
Dheerendra Mishra identified that Sun and Cao’s protocol does not resist password guessing attack, does not provide forward secrecy and fails to propose an efficient login phase [5]. In 2012, Shin et al. proposed a remote user authentication protocol with the merits of mutual authentication and user anonymity [6]. This protocol overcame the weaknesses of Das et al.’s and Liao et al.’s protocols [7]. But this protocol too has weaknesses, as proved by Yung-Cheng-Lee in 2013 [8]. Yung-Cheng-Lee proposed an improved protocol to overcome the weaknesses. Here we show that even Yung-Cheng-Lee’s protocol is not secure. It does not provide user anonymity.

2014 IEEE 8th International Symposium on Service Oriented System Engineering
978-1-4799-3616-8/14 $31.00 © 2014 IEEE
DOI 10.1109/SOSE.2014.84
474

The remainder of the article is organized as follows: Yung-Cheng-Lee’s remote user authentication protocol is described in section 3. The security analysis of Yung-Cheng-Lee’s protocol is given in section 4, and section 5 gives the conclusion.

3 YUNG-CHENG-LEE’S REMOTE USER AUTHENTICATION PROTOCOL

Recently, Yung-Cheng-Lee proposed a remote user authentication protocol [8]. His protocol consists of 5 phases. A detailed description of these phases is given in this section. The notations used throughout this paper are given in Table 1.

3.1 Registration Phase

If a user wants to join the system, he/she should register with the server. The server sends a smart card to the user after the registration steps are completed.

Step R1: Ui => S: {IDi, h(PWi), r}.

Firstly, the user Ui chooses identity IDi and password PWi. Then he/she sends {IDi, h(PWi), r} along with the registration request to the server S via a secure channel, where r is a random number.

Step R2: The server computes the user’s TIDi and Ai.

After receiving {IDi, h(PWi), r}, the server checks the uniqueness of IDi. The server asks the user to select a new identity if IDi already exists in the database. Then S computes Ui’s transform identity TIDi and Ai by: TIDi = h(IDi||r||h(PWi)), Ai = h(KS) ⊕ h(PWi), where KS is the server’s secret. The server stores TIDi in the database.

Step R3: S => Ui: Smart card.

The server installs {TIDi, h(.), Ai, r} into a smart card and sends it to the user.

TABLE I. NOTATIONS USED IN THIS PAPER

Notation     Description
Ui           A legitimate user
IDi          Identity of user Ui
S            The server
TIDi         The transform identity of user Ui
PWi          The password of user Ui
KS           The server’s secret key
h(.)         A one-way hash function
ESK(M)       Encryption of message M with secret key SK using a symmetric cryptosystem
T            A timestamp
⊕            An exclusive-OR operation
||           The concatenation operation
A=>B: {M}    A sends message M to B via a secure channel
A->B: {M}    A sends message M to B via a public channel

3.2 Login Phase

If the user wants to acquire services from the server, he/she should log into the system. The login steps are as follows.

Step L1: Ui -> S: {CTIDi, Bi, Ci, Ti, Ri}.

The user attaches his/her smart card to a card reader and keys in IDi and PWi. The smart card computes TIDi' = h(IDi||r||h(PWi)) and checks whether TIDi' = TIDi holds. If TIDi' = TIDi, the smart card obtains h(KS) = Ai ⊕ h(PWi) and, after generating two nonces ni and Ri, computes {CTIDi, Bi, Ci} as follows: CTIDi = TIDi ⊕ h(ni), Bi = h(Ri ⊕ h(KS)) ⊕ ni, Ci = h(TIDi ⊕ h(KS) ⊕ Ti), where Ti is the current timestamp. Then the user sends {CTIDi, Bi, Ci, Ti, Ri} along with the login request to the server.

3.3 Authentication Phase

Step A1: The server authenticates the user.

Upon receiving {CTIDi, Bi, Ci, Ti, Ri}, the server checks whether Ti is in a valid time interval to ensure freshness. If Ti is not fresh, the server rejects the login request; otherwise, the server obtains ni by: ni = Bi ⊕ h(Ri ⊕ h(KS)). Thereby the transform identity TIDi can be recovered by: TIDi = CTIDi ⊕ h(ni). The server checks whether the transform identity TIDi is in the database. If it isn’t, the server terminates the login steps; otherwise, the server computes Ci' by: Ci' = h(TIDi ⊕ h(KS) ⊕ Ti). The server checks whether Ci' is equal to Ci. If Ci' = Ci, the server authenticates the user. Otherwise, the server rejects the user’s login request.

Step A2: S -> Ui: {Di, TS}.

After the user Ui is authenticated, the server computes Di by: Di = h(TIDi ⊕ ni ⊕ TS), where TS is the current timestamp. Next, the server sends {Di, TS} to the user.

Step A3: The user authenticates the server.

After receiving {Di, TS}, the user computes Di' = h(TIDi ⊕ ni ⊕ TS). The server is authenticated if Di' = Di. Thereby, mutual authentication between the server and the user is obtained.

3.4 Key Agreement Phase

After mutual authentication is obtained, the user’s smart card and the server compute the common session key SKi and SKS, respectively, by: SKi = h(h(KS) ⊕ TIDi ⊕ ni) and SKS = h(h(KS) ⊕ TIDi ⊕ ni). Hereafter, the user can use the common session key to communicate with the server securely.

3.5 Password Change Phase

When the user wants to change his/her password, the steps are as follows.

Step P1: The smart card checks IDi and PWi.


The user keys in IDi and PWi to the smart card. The smart card computes TIDi' = h(IDi||r||h(PWi)) and compares it with the stored transform identity TIDi. The password updating steps continue if TIDi' = TIDi; otherwise, the server denies the password updating request.

Step P2: Ui -> S: {F, G, Ti'}.

The user selects a new password PWi_new. Then, the smart card obtains h(KS) as in Step L1 and computes TIDi_new and Ai_new by: TIDi_new = h(IDi||r||h(PWi_new)), Ai_new = Ai ⊕ h(PWi) ⊕ h(PWi_new). Next, Ui sends {F, G, Ti'} to the server after computing F and G as follows, where Ti' is the current timestamp: F = ESKi(TIDi_new||h(KS)), G = h(TIDi_new ⊕ h(h(KS) ⊕ Ti')).

Step P3: S -> Ui: {H, TS'}.

Upon receiving {F, G, Ti'}, the server checks the freshness of the timestamp Ti'. If Ti' is in a valid time interval, the server obtains TIDi_new and h(KS) by decrypting F with the session key SKS. Then the server computes G' = h(TIDi_new ⊕ h(h(KS) ⊕ Ti')). The server checks whether G = G' holds. If G = G', the server replaces TIDi with TIDi_new. Next, the server computes H by: H = h(h(TIDi_new) ⊕ h(KS) ⊕ TS'), where TS' is the current timestamp. The server sends {H, TS'} to the user.

Step P4: The user updates TIDi_new and Ai_new.

Upon receiving {H, TS'}, the user checks the freshness of the timestamp TS'. If TS' is in a valid time interval, the user computes H' = h(h(TIDi_new) ⊕ h(KS) ⊕ TS'). If H' = H, the user replaces TIDi and Ai with TIDi_new and Ai_new, respectively.

4 SECURITY ANALYSIS OF YUNG-CHENG-LEE’S PROTOCOL

In this section, we discuss the security flaws of Yung-Cheng-Lee’s smart card based remote user authentication protocol. We show that Yung-Cheng-Lee’s protocol is vulnerable to different attacks and that it is possible to obtain the static id associated with a user in each session. Further, we show that an insider can even obtain the ID associated with each session, i.e. this protocol does not provide perfect anonymity, and that it is not efficient in the password change phase.

4.1 Static id associated with each user can be derived

Yung-Cheng-Lee’s protocol is a dynamic id based authentication protocol, but it is possible to obtain the static information associated with each user, i.e. TIDi, from the messages transmitted over the public channel.

In Yung-Cheng-Lee’s protocol CTIDi is computed as CTIDi = TIDi ⊕ h(ni). So we can rewrite it as TIDi = CTIDi ⊕ h(ni). This equation can be used to obtain useful information from the eavesdropped messages. Suppose the adversary manages to get Ri, CTIDi, Bi from the login message and the corresponding server’s reply {Di, TS}. Then Di = h(TIDi ⊕ ni ⊕ TS); replacing TIDi by CTIDi ⊕ h(ni) gives Di = h(CTIDi ⊕ h(ni) ⊕ ni ⊕ TS). Here CTIDi, Di and TS are known, so the adversary can guess a value for ni and verify whether the guess is right by checking the equation Di = h(CTIDi ⊕ h(ni) ⊕ ni ⊕ TS). If this equation holds then the right ni is guessed and the adversary can proceed to get TIDi as described next. If the equation doesn’t hold, the adversary repeats the guess-then-verify process until the correct value of ni is found. Knowing CTIDi and ni, the adversary can get TIDi, which is constant for each user, since TIDi = CTIDi ⊕ h(ni); thus the adversary will be able to track the transactions belonging to a particular user.

4.2 Session key can be computed by the adversary and no forward secrecy

Suppose the adversary gets ni by the method followed in 4.1. Then he can use the equation Bi = h(Ri ⊕ h(KS)) ⊕ ni to guess h(KS), since Bi and Ri can be obtained from the messages transmitted over the public channel for that session. The adversary can guess a value for h(KS) and verify whether the guess is right by using the equation Bi = h(Ri ⊕ h(KS)) ⊕ ni. If this equation holds then h(KS) is guessed right and the adversary can proceed. If the equation doesn’t hold, the adversary repeats the guess-then-verify process until the correct value of h(KS) is found. Once the adversary gets h(KS), he can get the session key as SK = h(h(KS) ⊕ TIDi ⊕ ni). A similar approach can be used for any old messages obtained by the adversary through eavesdropping. Then he can get the old session keys and decrypt the old messages too. Therefore this protocol does not provide forward secrecy.
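To make the protocol of section 3 and the observations of sections 4.1 and 4.2 concrete, the following Python model is added here; it is not code from this paper or from Lee’s scheme. It assumes SHA-256 as h(.), all values encoded as 32 bytes so that ⊕ is a plain byte-wise XOR, and it leaves out the timestamp freshness window and the password change phase; rather than guessing ni and h(KS), it takes them as given and shows that the static TIDi and the session key then follow from the public transcript alone.

```python
import hashlib, os

def h(*parts):
    """One-way hash h(.); concatenation (||) is modelled by joining the parts."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):  # exclusive-OR of two 32-byte values
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):  # integer timestamp as 32 bytes so it can be XORed with hashes
    return t.to_bytes(32, "big")

class Server:
    def __init__(self):
        self.KS = os.urandom(32)   # server secret KS
        self.table = set()         # verification table holding each user's TIDi

    def register(self, IDi, hPW, r):
        # Steps R2/R3: TIDi = h(IDi||r||h(PWi)), Ai = h(KS) xor h(PWi), card = {TIDi, Ai, r}
        TIDi = h(IDi, r, hPW)
        self.table.add(TIDi)
        return {"TIDi": TIDi, "Ai": xor(h(self.KS), hPW), "r": r}

    def authenticate(self, msg, TS):
        # Step A1 (freshness window not modelled), then the A2 reply and the key SKS
        hKS = h(self.KS)
        ni = xor(msg["Bi"], h(xor(msg["Ri"], hKS)))
        TIDi = xor(msg["CTIDi"], h(ni))
        if TIDi not in self.table or h(xor(xor(TIDi, hKS), ts(msg["Ti"]))) != msg["Ci"]:
            return None
        return {"Di": h(xor(xor(TIDi, ni), ts(TS))), "TS": TS}, h(xor(xor(hKS, TIDi), ni))

def login(card, IDi, PWi, Ti, ni, Ri):
    # Step L1: the card checks TIDi, recovers h(KS) from Ai and builds the login message
    hPW = h(PWi)
    if h(IDi, card["r"], hPW) != card["TIDi"]:
        raise ValueError("wrong identity or password")
    TIDi, hKS = card["TIDi"], xor(card["Ai"], hPW)
    msg = {"CTIDi": xor(TIDi, h(ni)), "Bi": xor(h(xor(Ri, hKS)), ni),
           "Ci": h(xor(xor(TIDi, hKS), ts(Ti))), "Ti": Ti, "Ri": Ri}
    return msg, (TIDi, ni, hKS)

def verify_server(state, reply):
    # Step A3 and key agreement: returns SKi, or None if Di does not verify
    TIDi, ni, hKS = state
    if h(xor(xor(TIDi, ni), ts(reply["TS"]))) != reply["Di"]:
        return None
    return h(xor(xor(hKS, TIDi), ni))

def transcript_matches_nonce(msg, reply, ni_guess):
    """Section 4.1 check: Di = h(CTIDi xor h(ni) xor ni xor TS) holds only for the right ni."""
    return h(xor(xor(xor(msg["CTIDi"], h(ni_guess)), ni_guess), ts(reply["TS"]))) == reply["Di"]

def secrets_from_transcript(msg, reply, ni, hKS):
    """Sections 4.1/4.2: given ni and h(KS), the static TIDi and the session key
    follow from public values alone, which is why old sessions are not protected."""
    TIDi = xor(msg["CTIDi"], h(ni))
    return TIDi, h(xor(xor(hKS, TIDi), ni))

def run_sessions():
    """Constructed run: one user logs in twice. Per session, returns whether the 4.1 equation
    holds for the true ni, whether the recovered TIDi is the card's static TIDi, and whether
    the key recomputed from the transcript equals the key the server derived."""
    server = Server()
    IDi, PWi, r = b"alice", b"constructed password", os.urandom(32)
    card = server.register(IDi, h(PWi), r)
    results = []
    for Ti in (1000, 2000):
        ni, Ri = os.urandom(32), os.urandom(32)
        msg, state = login(card, IDi, PWi, Ti, ni, Ri)
        reply, SKS = server.authenticate(msg, Ti + 1)
        assert verify_server(state, reply) == SKS   # mutual authentication succeeded
        TIDi, SK = secrets_from_transcript(msg, reply, ni, state[2])
        results.append((transcript_matches_nonce(msg, reply, ni), TIDi == card["TIDi"], SK == SKS))
    return results
```

Both sessions yield the same TIDi, which is the linkability the paper describes; with full-length random nonces the guessing step of 4.1 is not cheap, so the model takes ni as known and shows only what follows once it is.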

4.3 Login message can be forged / vulnerable to user impersonation attack

Suppose the adversary manages to get TIDi and h(KS) as mentioned in 4.1 and 4.2. TIDi and h(KS) are constants for a particular user, so once the adversary obtains this information from any eavesdropped messages he can forge the login message using any random numbers Ri' and ni' at any time Ti' as: CTIDi' = TIDi ⊕ h(ni'), Bi' = h(Ri' ⊕ h(KS)) ⊕ ni', Ci' = h(TIDi ⊕ h(KS) ⊕ Ti'). Then the login message {CTIDi', Bi', Ci', Ri', Ti'} is sent to the server.

Upon receiving {CTIDi', Bi', Ci', Ri', Ti'}, the server checks whether Ti' is in a valid time interval to ensure freshness. Then the server obtains ni' by: ni' = Bi' ⊕ h(Ri' ⊕ h(KS)) and computes the transform identity TIDi as TIDi = CTIDi' ⊕ h(ni').


The server will find TIDi in the database since it is the valid TIDi of the user derived from a previous session. Then the server computes Ci'' by: Ci'' = h(TIDi ⊕ h(KS) ⊕ Ti'). Since Ci'' = Ci', the server will authenticate the adversary as a legal user with transform identity TIDi.

4.4 Vulnerable to Denial-of-Service attack

The adversary can impersonate a legal user without knowing his ID and PW as mentioned in 4.3, and can then send the password change message to the server, since the message {F, G, Ti'} (as specified in section 3.5, step P2) can be constructed with any random TIDi_new at time Ti' as: F = ESKi(TIDi_new||h(KS)), G = h(TIDi_new ⊕ h(h(KS) ⊕ Ti')). The server will accept this request and change the verification table. This results in denial of service for the legal user, since the TID in the user’s smart card and the entry in the server’s verification table are now different.

4.5 Vulnerable to insider attack and uses a verification table

Since Yung-Cheng-Lee’s scheme uses a verification table, a malicious insider can change the verification table content, resulting in denial of service for legal users. Further, if the insider manages to get the IDs corresponding to the TIDs from the registration phase, then this information along with attack 4.1 will enable the adversary to track the transactions of a particular user with a given ID. This implies that Yung-Cheng-Lee’s protocol does not provide perfect anonymity.

4.6 Low efficiency in password change phase

The password change phase requires communication with the server and establishment of a session key to encrypt F = ESKi(TIDi_new||h(KS)), as described in section 3.5. Therefore this phase is not efficient.

4.7 Vulnerable to server impersonation attack

Suppose the adversary manages to get h(KS) as mentioned in 4.2 from old session messages. Since h(KS) is constant, he can impersonate the server as follows.

Upon receiving the login message {CTIDi, Bi, Ci, Ti, Ri}, the adversary can get ni as ni = Bi ⊕ h(Ri ⊕ h(KS)) and get TIDi as TIDi = CTIDi ⊕ h(ni). Then he can construct a valid reply to the user, {Di', TS'}, by computing Di' = h(TIDi ⊕ ni ⊕ TS'), where TS' is the current timestamp. Thus the server is impersonated. The user and the impersonated server will share the session key SK = h(h(KS) ⊕ TIDi ⊕ ni).

5 CONCLUSION

Cryptanalysis of Yung-Cheng-Lee’s dynamic id based remote user authentication protocol has been done. Since this protocol is based on hash functions and exclusive-OR operations, it is computationally inexpensive. Therefore these attacks can be referenced while designing such low computational cost remote user authentication protocols, so that the new protocols will not be vulnerable to such attacks and thus will be more secure.

REFERENCES

[1] Das ML, Saxena A, Gulati VP, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, 2004, 50(2):629–631.

[2] Y.Y. Wang, J.Y. Kiu, F.X. Xiao, J. Dan, “A more efficient and secure dynamic ID-based remote user authentication scheme,” Computer Communications, 2009, 32, 583–585.

[3] Khan, M.K., Kim, S.K., Alghathbar, K., “Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme,” Computer Communications, 2011, 34(3), 305–309.

[4] Sun, D.Z., Cao, Z.F., “On the privacy of Khan et al.’s dynamic ID-based remote authentication scheme with user anonymity,” Cryptologia, 2013, 37(4), 345–355.

[5] Dheerendra Mishra, “Cryptanalysis of Sun and Cao's Remote Authentication Scheme with User Anonymity,” CoRR, 2013, abs/1310.6422.

[6] S. Shin, K. Kim, K. H. Kim, and H. Yeh, “A remote user authentication scheme with anonymity for mobile devices,” International Journal of Advanced Robotic Systems, 2012, Vol. 9, pp. 1-7.

[7] C. H. Liao, H. C. Chen, and C. T. Wang, “An exquisite mutual authentication scheme with key agreement using smart card,” Informatica, Vol. 33, 2009, pp. 125-132.

[8] Yung-Cheng-Lee, “Weakness and Improvement of the Smart Card Based Remote User Authentication Scheme with Anonymity,” Journal of Information Science & Engineering, Nov. 2013, Vol. 29, Issue 6, pp. 1121-1134.

[9] Amit K. Awasthi, “Comment on A dynamic ID-based Remote User Authentication Scheme,” CoRR, 2004, cs.CR/0410011.

[10] M. A. Boden, “The Creative Mind: Myths and Mechanisms,” London: Routledge, 2003.

[11] J. Sternberg, “Handbook of Creativity,” Cambridge University Press, 1999.

[12] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, 24 (11) (1981), pp. 770–772.

[13] Misbahuddin M, Bindu CS, “Cryptanalysis of Liao–Lee–Hwang’s dynamic ID scheme,” International Journal of Network Security, 2008, 6(2):211–213.

[14] E. Yoon and K. Yoo, “More efficient and secure remote user authentication scheme using smart cards,” Proceedings of the 11th International Conference on Parallel and Distributed Systems, vol. 2, 2005, pp. 73-77.

[15] S. K. Kim and M. G. Chung, “More secure remote user authentication scheme,” Computer Communications, vol. 32, no. 6, 2009, pp. 1018-1021.

[16] C. T. Li, C. C. Lee, C. J. Liu and C. W. Lee, “A Robust Remote User Authentication Scheme against Smart Card Security Breach,” Data and Applications Security and Privacy XXV, LNCS 6818, IFIP International Federation for Information Processing, 2011, pp. 231-238.

[17] W. B. Horng, C. P. Lee and J. W. Peng, “Cryptanalysis of a More Secure Remote User Authentication Scheme,” 2010 International Computer Symposium (ICS), December 2010, pp. 284-287.

[18] Jin Qiuyan, Kwangwoo Lee and Dongho Won, “Study on a Secure Remote User Authentication Scheme Using Smart Cards,” International Journal of Security and Its Applications, 2013, Vol. 7, No. 2.
