Applying LU Decomposition of Matrices to Design Anonymity Bilateral Remote User Authentication Scheme
We apply LU decomposition of matrices to present an anonymous bilateral authentication scheme. This paper aims at improving security and providing more excellent performances for remote user authentication scheme. The proposed scheme can provide bilateral authentication and session key agreement, can quickly check the validity of the input password, and can really protect the user anonymity. The security of the proposed scheme is based on the discrete logarithm problem (DLP), Diffie-Hellman problem (DHP), and the one-way hash function. It can resist various attacks such as insider attack, impersonation attack, server spoofing attack, and stolen smart card attack. Moreover, the presented scheme is computationally efficient for real-life implementation.
The remote user authentication scheme allows the user and the remote server to mutually authenticate each other over public network environments, and then the authorized user can access the services and resources which are provided by the remote server. Generally, the password-based authentication scheme provides an efficient and secure way for mutual authentication and allows the user and the server to establish a shared session key for future secret communication after the mutual authentication process. In 1981, Lamport  first proposed a password-based remote user authentication scheme for the insecure communication. Since then, the researchers have proposed many password-based remote user authentication schemes [2–7] to ensure the secure communication through the public network, and also many studies [8–18] have been presented to enhance the security or improve the computation and communication costs of the remote user authentication scheme.
In the public network environments, it is important to ensure user anonymity such that the user’s real identity can only be revealed by authorized entities. In 2000, Lee and Chang  proposed a user identification scheme with key distribution preserving user anonymity for the distributed computer network. However, Wu and Hsu  pointed out that Lee and Chang’s scheme cannot protect user anonymity as they claimed, and they proposed an enhanced scheme. Later, Yang et al.  showed that Wu and Hsu’s scheme cannot resist impersonation attack and proposed an improved scheme which is more secure and efficient. Unfortunately, Mangipudi and Katti  presented that Yang et al.’s protocol is vulnerable to a Denial-of-Service (DoS) attack and proposed a secure identification and key agreement protocol with user anonymity. Recently, Wang et al.  presented a secure and efficient identification and key agreement protocol with user anonymity based on the difficulty of computing the elliptic curve Diffie-Hellman. Their scheme’s computation cost is lower and is suitable for applications in low power computing environments.
In 2004, Choi and Youn  proposed a novel data encryption and distribution approach using LU decomposition of matrices. Then, Pathan et al. [25, 26] proposed two efficient bilateral remote user authentication schemes based on LU decomposition of matrices. Nevertheless, these schemes have several weaknesses, such as they cannot resist replay attacks, they cannot preserve the user anonymity, the server and users cannot agree on a session key, and so forth. To address these issues, Tseng et al.  proposed a user authentication scheme based on LU decomposition of matrices. They claimed that their scheme can resist replay attack, forgery attack, and insider attack and provide user anonymity. Whereas, after careful analysis, we find that Tseng et al.’s scheme is still vulnerable to insider attack, stolen smart card attack and inefficient for wrong password login and does not provide user anonymity. To overcome these existed weaknesses of Tseng et al.’s scheme, we propose a novel bilateral authentication scheme with user anonymity using LU decomposition of matrices. Analysis shows that our scheme not only can provide better security properties but also is more efficient than the other authentication schemes.
The rest of this paper is organized as follows: Section 2 introduces the necessary preliminaries of this paper. The brief review of Tseng et al.’s scheme is provided in Section 3. Section 4 describes a cryptanalysis of Tseng et al.’s scheme. The proposed scheme and the corresponding analysis are presented in Sections 5 and 6, respectively. Finally, we conclude this paper in Section 7.
In this section, we introduce some basic information about the LU decomposition of matrices and Discrete logarithm problem, and they are the mathematical basis of our proposed bilateral remote user authentication protocol with user anonymity.
2.1. LU Decomposition of Matrices
From the matrix theory, LU decomposition factorizes a matrix as the product of a lower triangular matrix and an upper triangular matrix. Let be a square matrix; an LU decomposition of matrix is the form , where is a lower triangular matrix and is an upper triangular matrix. This means that has only zeros above the diagonal and has only zeros below the diagonal. For example, for a matrix , its LU decomposition looks like
If is a singular matrix of rank , it admits an LU decomposition if all the -leading principal minors are nonzero.
In the identity authentication system, we assume that is the number of users the system can support. We can introduce the LU decomposition into the user authentication system to ensure the security of the system. In the system initialization phase, the remote server generates a symmetric matrix as his/her master secret key. With the LU decomposition, the server can separate the symmetric key matrix to the product of a lower triangular matrix and an upper triangular matrix , that is, , and stores these matrices in other servers.
Since is a symmetric matrix, we have that , for and , and the product of the th row of matrix and the th column of matrix is equal to the product of the th row of matrix and the th column of matrix . For example, suppose is a symmetric matrix with LU decomposition as follows: We can perform elementary row operations to get the lower matrix and upper matrix as follows: Given and , we can compute and as follows: where denotes the 3rd row of the matrix and denotes the column of the matrix , and we have that .
2.2. Discrete Logarithm Problem
The detailed information about discrete logarithm problem can be found in the literature , and we briefly introduce the discrete logarithm problem as follow. In a multiplicative group of order , where is the modulus for the group, both and are public large prime numbers. This implies(1), for is a finite set of size , where and .(2)Given and , computing the modular exponentiation is relatively easy. However, given and , it is computationally infeasible to find such that ; namely, in , the discrete logarithm problem is intractable .(3)Moreover, given , , ??and , computing ?mod?, which is known as the Diffie-Hellman problem, is also intractable .
3. Review of Tseng et al.’s Scheme
In this section, we briefly review Tseng et al.’s scheme, and more details can be found in . Tseng et al.’s scheme contains four phases, that is, the registration phase, the login phase, the authentication phase, and the password change phase. The notations used throughout this paper are listed in Table 1.
3.1. Registration Phase
Suppose a new user with the identity wants to register himself/herself with the server for access the remote services. randomly chooses his/her password and sends to the server through a secure channel. Upon receiving the registration request message, the server takes the following steps:(1) generates two random numbers between and . Then selects the th row from the matrix (denoted as ), the th column from matrix (denoted as ), and the th column from the matrix (denoted as ;(2) computes as follows:??,??,??and ;(3) stores into a smart card and submits the smart card to via a secure channel.
3.2. Login Phase
When wants to login into the system, first inserts the smart card to the card reader and inputs his/her password . The smart card performs the following steps to generate the login request message:(1)Generates a random number ;(2)computes and , where is the current timestamp;(3)generates a random number and then computes and ;(4)encrypts with and computes ;(5)sends the login request message to the server.
3.3. Authentication Phase
Upon receiving the login request message , the server and the user perform the following operations for mutual authentication.(1)The server computes and decrypts with .(2)The server checks the validity of . If is invalid, the server rejects the login request.(3)The server verifies whether the time interval , where is the current timestamp when the server received the message. If , the login request is considered out of date and is rejected.(4)The server computes .(5)The server computes , , and???.(6)The server verifies whether equals . If not, the server rejects the login request. Otherwise, it proceeds to the next steps.(7)The server generates a random number and computes .(8)The server computes the authenticated session key .(9)At last, the server sends to , where is the current timestamp.(10)When receiving the message , decrypts the message, gets , and verifies whether , where is the current timestamp. If so, proceeds to the next steps.(11) checks whether decrypted data contain the value . If so, uses to compute .(12) generates the authenticated session key as . Then can communicate with the server secretly by using .
3.4. Password Change Phase
When wants to change his password to , he sends to the server. Upon receiving the password-changing message, the server takes the following steps:(1)computes ;(2)replaces with in the smart card.
4. Cryptanalysis of Tseng et al.’s Scheme
Tseng et al. claimed that their scheme can protect user anonymity and can resist various known attacks. However, after careful analysis, we find that their scheme cannot really protect the user anonymity and is vulnerable to insider attack, server spoofing attack. Besides, their scheme is inefficient for wrong password login. We analyze the security weaknesses of Tseng et al.’s scheme as below.
4.1. Attacks against the User Anonymity
In order to prevent the attacker from tracking the user’s movements, it is important to ensure user anonymity such that the user’s real identity can only be recognized by the server.
Kocher et al.  and Messerges et al.  have pointed out that the confidential information stored on the smart card can be extracted by physically monitoring its power consumption. So, in Tseng et al.’s scheme, a legal but malicious user can extract information from his/her own smart card, and with his/her own identity and password , he/she can compute the value of . When the valid login request message of a legal user was to be intercepted by this malicious user from the public communication channel, the malicious user can compute , and then he/she can decrypts using to obtain of the user . Obviously, the malicious user can obtain the real identity of the user . From the above discussion, we can see that Tseng et al.’s scheme cannot really protect user anonymity.
4.2. Insider Attack
In the registration phase of Tseng et al.’s scheme, the user sends to the server for registration, and these information can be acquired by the privileged insider. However, in password change phase, the server simply not checks the validity of user ’s and . So, this privileged insider of the remote system can masquerade as the user to send the triple to the server to perform the password-changing phase. Upon receiving the password-changing message, the server takes the following steps:(1)computes ;(2)replaces with in the smart card.
Therefore, since the server does not check the validity of the user’s identity and password when the user wants to change his/her password, Tseng et al.’s scheme is vulnerable to insider attack, and the privileged insider can easily change the legal user’s password.
4.3. Stolen Smart Card Attack
Stolen smart card attack is that if the user’s smart card is lost or stolen, the attacker can extract the information stored in the smart card and can easily change the password of the smart card, can guess the password of the user by using password guessing attacks, or can impersonate the user to login to the system.
In Tseng et al.’s scheme, a legal but malicious user having his own smart card can gather information from his own smart card, and he/she can get the value of as shown in Section 4.1. Now the malicious user can intercept a valid login request message of the legal user from the public communication channel. Then the malicious user can compute and can get the identity of user by decrypt using . In case the user ’s smart card is stolen by this malicious user , he/she can extract the information from the memory of the smart card. With the information , , , and , the malicious user can guess ’s password by the following processes.(1)The attacker computes .(2)The attacker chooses a password from a uniformly scattered dictionary.(3)The attacker computes and verifies the correctness of password by checking whether equals or not.(4)The attacker repeats steps (2) and (3) until equals to guess a correct password.
After getting the correct , and , the malicious user can easily change the password of user and can impersonate to login to the system.
4.4. Inefficient for Wrong Password Login
Generally speaking, in practical applications, the user may keep different passwords for different applications to ensure security. Users are easy to confuse the password such that the user cannot match the application with the correct password; in other words, it is possible that the user enters a wrong password in the login phase.
In the login phase, the smart card does not verify the correctness of the entered password by the user. If the user inputs a wrong password by mistake, the smart card and the server will perform the following steps:(1)generates a random number , gets the current timestamp , and computes and ;(2)generates a random number and computes and ;(3)encrypts with and computes ;(4)sends the login request message to the server;(5)when the server receives the login request message , the server computes . It is obvious that , since ;(6)when the server decrypts using , the server will find that the user ’s identity is invalid. Thus, the server rejects the user ’s login request.
In this case, the user is unaware of the fact that he/she has entered his/her password incorrectly in the login phase, which results in unnecessary extra communication and computation costs.
5. The Proposed Scheme
In this section, we apply the LU decomposition of matrices to design a novel bilateral remote user authentication scheme with user anonymity, where LU decomposition of matrices ensures secretly information exchange between the user and the server, and enhances the security of the authentication scheme. To initiate the scheme, the server chooses a symmetric matrix with LU decomposition as and secretly stores these matrices as his/her secret key in other servers, where is the number of users the system can support. The server chooses a secret key with 256 bits, which makes the have a high entropy and can resist brutal force attack. The proposed scheme also contains four phases, that is, the registration phase, the login phase, the authentication and key agreement phase, and the password change phase. The proposed scheme contains the timestamps, so the authentication system needs to deploy a mechanism such as NTP (Network Time Protocol) to ensure clock synchronization between the user and the remote server. The detailed information about these phases are described as follows and also shown in Figure 1.
5.1. Registration Phase
When a user wants to become a legal user of the system, generates his own identity and easy-to-remember password and selects and remembers a random number (the bit length of is assumed to be 128). Then, computes and submits and to the server over a secure communication channel for registration. used throughout the proposed scheme is a collision-free one-way hash function such as SHA-1 , which maps any message with the length less than 264 bit to a 160-bit message digest. Upon receiving the registration request message, the server and the user take the following steps.(1)The server computes , , and .(2)The server chooses two random numbers and computes , , , where the meaning of symbols and are the same as in Section 3.1.(3)The server stores into a smart card and issues the smart card to via a secure channel, where is a big prime and , is also a big prime, and is a primitive element with .(4)At last, in order to facilitate the subsequent verification, the user enters the remembered random number into the smart card, and the smart card contains .
5.2. Login Phase
When the user wants to login to the system, inserts his/her smart card into the card reader and inputs his/her identity , password . Then the smart card performs the following operations:(1)computes , , and and compares . If they are equal, it means the user inputs the right identity and password. Otherwise, the input identity or password is not valid, and the smart card terminates the session;(2)generates a random number , gets current timestamp , and computes , , , and ;(3)generates a random number and computes , , and , where is used to resist the forgery attack such that any change of the login request message is invalid login message;(4)submits the login request message to the server.
5.3. Verification and Key Agreement Phase
Upon receiving the login request message , the server performs the following steps for mutual authentication and key agreement.(1)The server verifies the validity of the time interval between and . If , rejects the login request. Here is the timestamp, when the login request message was received, and is the expected valid time interval for transmission delay.(2)The server computes , .(3)The server computes , , and and checks whether is the registered identity of a valid user. If so, the server performs the following steps. Otherwise, the session is terminated.(4)The server computes and checks . If they are equal, the validity of the user is authenticated by the server . Otherwise, the session is terminated by the server .(5)For achieving mutual authentication, the server chooses a random number , gets the current timestamp , and computes , , and .(6)The server submits the reply message to the user for mutual authentication.(7)After receiving the mutual authentication message , the smart card verifies the validity of the time interval between and . If , the user terminates the session. Here is the timestamp, when the mutual authentication message was received.(8)The smart card computes , and checks . If they are equal, the server is authenticated by the user , and the server and user achieve mutual authentication. Otherwise, the smart card terminates this session.(9)At last, the user and the server can compute and =, respectively, as their shared session key for future secret communication.
5.4. Password Change Phase
When the user wants to renew his/her password to , the user can update his/her password by performing the following steps without communicating with the server .(1)The user inserts his smart card into a card reader and inputs his identity and old password and requests to change his/her password.(2)The smart card computes , , and compares . If they are not equal, the password change request is rejected. Otherwise the user inputs a new password .(3)The smart card computes , , and .(4)Finally, the smart card replaces and with and , respectively, to update his/her password.
6. Analysis of the Proposed Scheme
In this section, we first discuss the security features of the proposed anonymity bilateral authentication scheme. Then we evaluate the performance and functionality of our proposed scheme and make comparisons with Tseng et al.’ scheme.
6.1. Security of Session Key
6.1.1. Known-Key Secrecy
Known-key secrecy means that compromise of one session key should not compromise other session keys. In our scheme, the session key is associated with , and . According to discrete logarithm problem (DLP) and Diffie-Hellman problem (DHP), knowing a session key and the random number , is useless for computing the other session keys without knowing and . It is impossible for an attacker to compute the other session key , and the proposed scheme provides known-key security.
6.1.2. Forward Secrecy
Forward secrecy means that if the long-term secret keys (e.g., the server’s secret key and user’s password ) are compromised, the secrecy of previously established session keys should not be affected. In our scheme, we assume that the master secret key and the password of user are compromised for some reasons, and the attacker gets the previous communication message and from the public channel; then the attacker can get . However, since the secret matrix has been maintained only by the server , the attacker cannot compute , and has no way to know , , , and . Therefore, the attacker has no way to get the previous session key ?mod?, and our scheme can ensure perfect forward secrecy.
6.2. Protect User Anonymity
In the login phase and authentication phase of the proposed scheme, the real identity of user is not transmit via plain text form. If the login request message and the mutual authentication message are eavesdropped by an attacker from the public channel, the attacker has to get the random number to compute the real identity . However, the attacker has no way to know and , so he/she has no valid method to get the random number and cannot reveal the real identity of the user . Therefore, our scheme can really protect user anonymity.
6.3. Resist Impersonation Attack
In this type of attack, in order to impersonate as a legitimate user, the attacker or a malicious user has to forge a valid login request message using the previously eavesdropped messages or the information obtained from the lost smart card. However, in the proposed scheme, the attacker and any malicious user cannot forge a valid login request message, since he/she has no knowledge of , , , and , so he/she cannot impersonate as the legitimate user .
In addition, even if the adversary or a malicious user has obtained the smart card of user and extracts the parameters which are stored in the smart card by some way, he/she still cannot forge a valid login request message, since he/she have no way to get the valid , , where they are all protected by the one-way hash function.
Therefore, the proposed protocol is secure against impersonation attack. At the same time, the attacker cannot get the valid , , so the proposed protocol can resist the denial of service attack.
6.4. Resist Insider Attack
In the registration phase of the proposed scheme, the user freely selects his/her password and submits the masked password instead of to the server for registration. In the proposed scheme, the password must first be verified by the smart card in login and password change phase, only the adversary gets the valid password of the user , and he/she can impersonate the user to access service. However, if the insider of the remote system gets the information and , he/she cannot obtain the password since it is protected by the one-way hash function and cannot impersonate the user to login to the system or change the user’s password. Therefore, the proposed scheme can resist insider attack properly.
6.5. Resist Stolen Smart Card Attack
Assume that the user ’s smart card has been lost or stolen, the attacker can extract the stored information from the smart card using differential power analysis  and simple power analysis . Even after gathering these information, in order to change the user’s password or login into the system by using the lost smart card, the attacker has to get real identity and the password correctly at the same time. However, because the attacker has not the knowledge of the master secret key and meanwhile the and the are protected by one-way hash function, it is not possible for an attacker to guess the and the correctly at the same time in real polynomial time. Therefore, the proposed scheme is secure against stolen smart card attack.
6.6. Resist Server Spoofing Attack
In the proposed scheme, in order to masquerade as the remote server to cheat the user , the attacker has to get the secret information and to compute the valid reply mutual authentication message. However, the secret matrix is only maintained by the server such that the attacker has no way to recover the information . On the other hand, even if the malicious user has got his own smart card information and other users’ communication messages and , he/she still has no way to get since it is protected by the one-way hash function. So the attacker cannot get the required information and , and the proposed scheme can resist the server spoofing attack.
6.7. Efficient for Wrong Password Verification
In the login and password change phase of the proposed scheme, the validity of the password can quickly be verified by the smart card, when the user inputs his/her password. If the user inputs a wrong password , the smart card computes , and gets . So, the wrong password can quickly be checked by the smart card, and the server does not need to waste unnecessary communication and computation cost to verify the validity of the password. Thus, the proposed scheme is efficient for wrong password verification.
6.8. Performance and Functionality Analysis
In this section, we evaluate the performance and functionality of our proposed scheme and make comparisons with Tseng et al.’s scheme. In order to facilitate the computational complexity analysis of the scheme, we define the following notations.: the time for executing a one-way hash function ,: the time for performing a vector multiplication operation,: the time for performing an exponentiation operation,: the time for performing a symmetric encryption operation, and: the time for performing a symmetric decryption operation.
Because exclusion-OR operation requires very few computations, we neglect considering its computational cost in this paper. We list the result of performance comparison in Table 2, and we can see that the total computational cost of our scheme and Tesng et al.’s scheme are and , respectively. Since the symmetric cryptosystem needs more computational costs than the one-way hash functions, our scheme is more efficient than Tseng et al.’s scheme.
Table 3 shows the functional comparison of our proposed scheme and Tseng et al.’s scheme. Compared with Tseng et al.’s scheme, our scheme can resist various attacks and can really protect user anonymity. Besides, our scheme can quickly check the validity of the password in the very beginning of login phase. Therefore, our scheme is more secure and efficient than Tseng et al.’s scheme.
In this paper, we have applied the LU decomposition of matrices to present a novel anonymity bilateral authentication scheme. First, we pointed out the security weaknesses of Tseng et al.’s scheme, that is, their scheme is vulnerable to insider attack and stolen smart card attack, is inefficient for wrong password login, and does not really provide user anonymity. To surmount these identified weaknesses, we have proposed a novel scheme using the LU decomposition of matrices to reduce computational complexity and improve security, where LU decomposition of matrices ensures secretly information exchange between the user and the server, and enhances the security of the authentication scheme. Hence, our proposed protocol is more efficient and practical.
The authors are grateful to the editor and anonymous reviewers for their valuable suggestions which improved the paper. This work was supported by the Research Fund of the State Key Laboratory of Software Development Environment under Grant no. BUAA SKLSDE-2012ZX-17, the National Natural Science Foundation of China under Grant no. 61271041, 61170296, and 61190120, and the Program for New Century Excellent Talents in University under Grant no. NECT-09-0028.
H. J. Jeong, D. G. Won, and S. J. Kim, “Weaknesses and improvement of secure hash-based strong-password authentication protocol,” Journal of Information Science and Engineering, vol. 26, no. 5, pp. 1845–1858, 2010.View at: Google Scholar
A. S. K. Pathan, “A review and cryptanalysis of similar timestamp-based passwordauthentication schemes using smart cards,” International Journal of Communication Networks and Information Security, vol. 2, no. 1, pp. 15–20, 2010.View at: Google Scholar
H. Jung and H. S. Kim, “Secure hash-based password authentication protocol using smartcards,” in Proceedings of the International Conference on Computational Science and Its Applications (ICCSA '11), vol. 6786 of Lecture Notes in Computer Science, pp. 593–606, Springer, 2011.View at: Google Scholar
X. Li, Y. P. Xiong, J. Ma, and W. D. Wang, “An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards,” Journal of Network and Computer Applications, vol. 35, no. 2, pp. 763–769, 2012.View at: Google Scholar
W. B. Lee and C. C. Chang, “User identification and key distribution maintaining anonymity for distributed computer networks,” Computer Systems Science and Engineering, vol. 15, no. 4, pp. 211–214, 2000.View at: Google Scholar
S. J. Choi and H. Y. Youn, “A novel data encryption and distribution approach for high security and availability using LU decomposition,” in Proceedings of the International Conference on Computation Science and Its Application (ICCSA '04), vol. 3046 of Lecture Notes in Computer Science, pp. 637–646, May 2004.View at: Google Scholar
A. S. K. Pathan and C. S. Hong, “An efficient bilateral remote user authenticationscheme with smart cards,” in Proceedings of the 33rd Korea Information Science Society Fall Conference, vol. 33, no. 2(D), pp. 132–134, October 2006.View at: Google Scholar
H. R. Tseng, R. H. Jan, and W. Yang, “A bilateral remote user authentication scheme that preserves user anonymity,” Security and Communication Networks, vol. 1, no. 4, pp. 301–308, 2008.View at: Google Scholar
B. Schneier, Applied Cryptography, John Wiley & Sons, New York, NY, USA, 2nd edition, 1996.
P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '99), vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, 1999.View at: Google Scholar
National Institute of Standards and Technology, US Department of Commerce, Secure Hash Standard, US Federal Information Processing Standard Publication 180-2, 2002.