Abstract

Remote user authentication is the first step in guaranteeing the security of online services. Online services are growing rapidly, and numerous remote user authentication schemes have been proposed with high capability and efficiency. Recently, three new improved remote user authentication schemes were published which claim to be resistant to various attacks. Unfortunately, according to our analysis, all of these schemes fail to achieve some critical security goals. This paper demonstrates that they all suffer from offline dictionary attacks or fail to achieve forward secrecy and user anonymity. It is worth mentioning that we divide offline dictionary attacks into two categories: (1) those using a verification value from the smart card and (2) those using a verification value from the open channel. The second type is more complicated and intractable than the first. Such a distinction benefits the exploration of better design principles. We also discuss practical solutions to each of the two kinds of attacks. Furthermore, we propose a reference model to deal with the first kind of attack and show its effectiveness by taking one of the cryptanalyzed schemes as an example.

1. Introduction

These days an increasing number of online services (E-Health, E-Banking, and E-Shopping) are provided for people’s daily life with the rapid development of the Internet. Moreover, modern terminal equipment, like smartphones, smartwatches, and Google’s Project Glass glasses, has become widespread. The growth of online services and terminal equipment makes the authentication process more important and more difficult. Remote authentication is essential to guarantee that both the claimed user and the server are legitimate. In other words, authentication ensures that only legitimate users can access the resources on the target server. Authentication protocols have been widely used in various fields, including cloud computing, E-Health, and wireless sensor networks [1–4].

In 1981, Lamport [5] designed the first password-based authentication scheme, while this scheme was soon pointed out to be insecure: (1) the server has to maintain a password table and (2) the hash overhead is high. Therefore, many advanced schemes [6–8] were proposed with a lower hash-function overhead to improve the computing performance of Lamport’s scheme, while most of them still require a verification table.

To tackle this problem, in 1990 Hwang et al. [9] developed a noninteractive password authentication scheme which discards the verification table and uses a smart card instead. Its main drawback lies in the difficulty of changing the password. Because the password is related to the ID, for the sake of security the ID has to be changed once the password is changed; however, it is not easy to change the ID. In 1991, Chang and Wu [10] also developed a scheme using a smart card to store sensitive information for the authentication. Since then, smart cards have been widely applied in user authentication schemes, and some notable ones include [11–14]. Furthermore, in recent years many schemes have used biometric characteristics as an additional factor for authentication [15–17].

From 1990 to 2004, numerous remote user authentication schemes with smart cards were designed, while almost all were proved to be flawed. However, after these years of research, remote user authentication has made great progress: on the one hand, the problem of maintaining the verification table was almost settled, and smart cards became widely used; on the other hand, authentication schemes became more sophisticated, to withstand new attacks or to meet more requirements (setting and changing the password freely, no verification table, etc.). Furthermore, around 2000 researchers began to regard ID protection as an important attribute. In fact, in this period most of the proposed schemes used a static user identity in the open communication channel, resulting in the ID theft problem. To deal with this problem, in 2004, Das et al. [18] designed a dynamic ID-based scheme, which became a landmark in the history of remote user authentication. The dynamic ID technique conceals the real ID by using random numbers to generate a pseudo identity. As a good and new method to deal with ID theft, Das’s scheme drew much attention. However, from then on, many authors raised concerns [19, 20] about Das’s scheme and devised a variety of improved schemes. In 2005, Chien and Chen [21] criticized Das’s scheme for its inability to preserve user anonymity and proposed an enhanced one. In 2009, Wang et al. [22] also revealed that Das’s scheme was completely insecure because it fails to achieve the password-dependent goal, mutual authentication, and resistance to impersonation attack. In this period, most of the schemes (before or around 2004) assumed the smart cards are tamper resistant; that is, the parameters in the smart cards are inaccessible to adversaries.

Later, however, researchers demonstrated that the data stored in a smart card can be easily extracted by reverse engineering techniques [23, 24] and power analysis [25, 26], which became another important landmark in the remote user authentication area. Since then, most schemes prefer to use non-tamper-resistant smart cards.

In 2010, Li et al. [27] proposed a password-authenticated key agreement scheme, while Tsai et al. [28] demonstrated that it cannot resist desynchronization attack and thus developed a new one. Unfortunately, in 2015 Wang et al. [29] showed that Tsai’s scheme suffers from smart card loss attack. Song [30] in 2010 revealed that the scheme [31] of Xu et al. is vulnerable to impersonation attack and thus designed a new one using a symmetric key cryptosystem. Sood et al. [32], in the same year, also proved that Xu et al.’s scheme is not resistant to impersonation attack and offline dictionary attack and then devised a new enhanced one. Shortly after, however, Chen et al. [33] found that both the scheme of Song and the scheme of Sood et al. are not secure: the scheme of Song cannot resist smart card loss attack and offline dictionary attack; the scheme of Sood et al. fails to achieve mutual authentication. So Chen et al. designed an enhanced remote user authentication scheme. However, Kumari and Khan [34] proved that this scheme suffers from insider attack and impersonation attack. Li et al. [35], in 2013, reanalyzed Chen et al.’s scheme and then indicated that it cannot provide forward secrecy.

In recent years, remote user authentication schemes have displayed several distinctive features:
(1) Some attacks, including parallel session attacks, stolen-verifier attacks, and replay attacks, are rarely mentioned, which means most schemes can resist these attacks.
(2) Smart card loss attack and offline dictionary attack draw more and more attention:
(i) Ma et al. [36] showed that a public key algorithm is required to resist offline dictionary attack (also called offline password guessing attack). It is worth mentioning, as we will show in a later section, that this result applies specifically to the offline dictionary attack using the verification from the open channel, not to the offline dictionary attack using the verification from the smart card;
(ii) Wang et al. [29] demonstrated that there is an unavoidable trade-off between changing the password locally and resisting smart card loss attack (including offline password attack). As shown in [37], the offline dictionary attack here should be understood specifically as the offline dictionary attack using the verification from the smart card, not the one using the verification from the open channel;
(iii) in [38], Wang analyzed offline dictionary attack and proposed several security models.
(3) User anonymity and forward secrecy attract much discussion: Ma et al. [36] proved that a public key algorithm is necessary to protect user anonymity; to achieve forward secrecy, the server side needs to conduct at least two exponentiation operations [36].

Although numerous remote user authentication schemes have been proposed, people are still confused about how to assess which scheme is better or whether a scheme is secure enough. Thus Madhusudhan and Mittal [39] tried to answer the question by giving nine security requirements and ten desirable attributes of a sound smart card-based authentication scheme, which we regard as another landmark in the history of remote user authentication. Those security requirements and desirable attributes are shown in Tables 1 and 2. They have become an important criterion for an ideal remote authentication scheme. Most remote user authentication schemes [4, 40–42] are designed and evaluated according to them, while none of the schemes actually satisfies all of them simultaneously. Therefore, many researchers began to pay more attention to exploring the design principles and assessment criteria of authentication schemes. The most recent work is from Wang et al. [29, 37]. These two papers explored the relationship between the security requirements and the desirable attributes and gave two significant tables to show the relationships. However, how to assess an authentication scheme is still an unsettled issue. Furthermore, in [11], D. Wang and P. Wang for the first time integrated “honeywords” and “fuzzy verifiers” to settle a long-standing security-usability conflict (i.e., the trade-off between changing the password locally and resisting smart card loss attack). It is a remarkable breakthrough in this area, and we will give more details in a later section.

Throughout the history of two-factor authentication, it is easy to see the following: although dozens of works have endeavored to construct practical remote user authentication schemes, none has succeeded in withstanding all the various attacks or satisfying all the various desirable attributes. The main reason is confusion about some essential issues, for example, a sound assessment criterion and a reasonable classification and definition of attacks on smart card-based schemes. Our work tries to give some inspiration for exploring better proposals.

1.1. Our Contributions

Most recently, Yeh [43] proved that Chang et al.’s scheme [20] is vulnerable to replay attack, user impersonation attack, and so on, and therefore proposed a new authentication scheme with user untraceability. In 2016, Kang et al. [44] showed that Djellali et al.’s scheme [45] suffers from offline dictionary attack, impersonation attack, and replay attack, and then developed an enhanced scheme that achieves user anonymity with a Markov chain; Kaul et al. [46] also designed an improved authentication scheme based on Kumari et al.’s scheme [34]. These schemes all claim to be resistant to various attacks, such as offline dictionary attack and impersonation attack. Unfortunately, according to our analysis, they fail to withstand those attacks as claimed. We summarize our contributions as follows:
(1) This paper demonstrates that the three schemes all suffer from offline dictionary attack, man-in-the-middle attack, and impersonation attack, as well as failing to preserve user anonymity or forward secrecy.
(2) Furthermore, we for the first time divide offline dictionary attacks into two categories: (1) the ones using the verification from the smart card and (2) the ones using the verification from the open channel. The second is more complicated and intractable than the first. We show that treating them as the same arouses confusion and misleads the related research. Such a distinction, which benefits the exploration of better design principles, is requisite and significant.
(3) Remarkably, we explore solutions to these two kinds of attacks, propose a reference model to settle the offline dictionary attack using the verification from the open channel, and then use Yeh’s scheme to check the effectiveness of our reference model; the result shows that our reference model actually works.

The remainder of this paper is organized as follows: in Section 2, the system architecture and the capacities of adversary are explained. In Section 3, we give a cryptanalysis of Yeh’s scheme. We review Kang et al.’s scheme in Section 4 and Kaul et al.’s scheme in Section 5. Section 6 analyzes the two kinds of offline-password guessing attacks. And Section 7 gives a conclusion.

2. System Architecture and the Capacities of Adversary

In this section, we first list the notations used in the three schemes and then briefly introduce the system architecture and the capacities of the adversary in the schemes.

2.1. Notations and Abbreviations

The notations in the three schemes are shown in Notations and Abbreviations at the end of the paper.

2.2. System Architecture

Like many other smart card-based authentication methods, the three schemes involve a set of users and a single server. Users access the resources by mutual authentication with the server. The authentication usually includes four basic phases: registration, login, authentication, and password change. Firstly, a user submits personal information to the server to register. Then the server issues the user a smart card with security parameters. The registration phase is performed only once unless the user reregisters for special reasons. After that, in the login phase, the user sends the access request. Then the server and the user authenticate each other in the verification phase to finish the authentication. The login and verification phases are usually carried out many times. A sound two-factor authentication scheme should ensure that only the user who owns the smart card and submits the corresponding password can access the server successfully. As a realistic problem, the password change phase, in which the user can change his/her password locally or remotely, has attracted more and more attention in recent years.

2.3. The Capacities of Adversary

In the cryptanalysis of two-factor authentication schemes, the adversary is also supposed to have the following capacities [29, 47–49]:
(1) The adversary can fully control the open communication channel; that is, the adversary can modify, intercept, delete, and resend the eavesdropped messages over an open channel.
(2) The adversary can enumerate all the items of the password space and the identity space in polynomial time.
(3) The adversary can acquire the password of a legitimate user by a malicious card reader or get the parameters in the smart card, but cannot achieve both.
(4) When evaluating forward secrecy, the adversary can get the server’s secret key.

3. Cryptanalysis of Yeh’s Scheme

3.1. Review of Yeh’s Scheme

This section gives a brief review of Yeh’s [43] scheme with user untraceability (shown in Figure 1).

3.1.1. Registration Phase

Step 1 (). chooses , , and two random numbers , and then sends to via a secure channel.

Step 2 (). computes and and then sends a smart card with security parameters via a secure channel and stores in a table.

3.1.2. Login Phase and Authentication Phase

Step 1 (). inputs , . The smart card generates a random number , computes = = , , = = , = , = , and = , and then sends to .

Step 2 (). traverses the in table , computes = , = , , , and , and then checks . If none of the values satisfies the equation, end the session. Otherwise, examines the freshness of and whether has been received before. If one of the conditions is invalid, terminate the session. Otherwise, generates a random number , computes , and sends to .

Step 3. The smart card firstly checks , then computes , and checks whether equals . If true, authenticates .

3.1.3. Password Change Phase

If wants to change the password, he/she inserts the smart card to the card reader and inputs , , and a new password . Then the smart card computes and and then replaces and with and .

3.2. Cryptanalysis of Yeh’s Scheme

In this section we show that Yeh’s scheme cannot resist various attacks, such as password guessing attack, impersonation attack, and desynchronization attack.

3.2.1. Offline Dictionary Attack via Verification Value in Channel

Supposing the adversary stole ’s smart card and then got security parameters , , and from the smart card, and also has through eavesdropping the open channel between and , then can perform the attack by the following steps:
(1) Guess the value of to be from the password dictionary space .
(2) Compute = ; and are extracted from the smart card.
(3) Compute ; is eavesdropped from the open channel.
(4) Compute ; and are extracted from the smart card.
(5) Compute ; is extracted from the smart card.
(6) Verify the correctness of by checking if ; is from the open channel.
(7) Repeat Steps (1) to (6) until the correct value of is found.

The time complexity of the above attack is . is the running time for hash computation. is the running time for exclusive-or operation. denotes the number of passwords in , and is very limited in practice [49, 50]; usually ; so the above attack is quite efficient.

Remark 1. The offline dictionary attack here uses the verification from the open channel. The inherent reasons for this attack are that (1) the adversary can find a verification value to check whether the guessed value is correct and (2) the password is the only value unknown to the adversary; that is, the adversary can get all the other parameters that make up the verification value, except the password or the identity. To resist such an attack, a (lightweight) public key algorithm is a necessary condition, as explained in [36].

3.2.2. User Anonymity

Once the adversary gets the password through the “offline dictionary attack,” he can get the user’s ID by the following steps:
(1) Compute ; and are from the smart card.
(2) Compute ; is from the open channel.
(3) Compute ; is from the smart card; is from the open channel.

In computing , what the server knows more than the adversary is , while, after getting the , the adversary can get by , so in fact the adversary has the same capacity as the server; thus can get according to the way the server does.

3.2.3. User Impersonation Attack

With the and the , the adversary can impersonate as follows:
(1) Compute ; and are from the smart card.
(2) Generate a random number .
(3) Compute .
(4) Compute = .
(5) Compute ; is extracted from the smart card.
(6) Compute .
(7) Compute .
(8) Intercept ; send , to to impersonate .

As for the server , it computes , , , , and and then checks (1) ; (2) the freshness of ; and (3) whether has ever been received before. All of them are satisfied, so is authenticated by successfully.

With , , and the smart card, the adversary has the same capacity as the legitimate user; that is, can impersonate the user to the server successfully. The root cause of this attack is the offline dictionary attack.

3.2.4. Server Impersonation Attack

With the , can impersonate as follows:
(1) Compute ; and are extracted from the smart card.
(2) Compute ; is extracted from the smart card.
(3) Generate a random number ; compute .
(4) Intercept , and send to the user to impersonate the server .

On the user side, computes = , as = ; is authenticated by the user successfully.

In most cases, the capacity of the legitimate user and that of the remote server are the same; to be more precise, what the legitimate user knows can be transformed into what the remote server knows. So if the user impersonation attack can be performed, the server impersonation attack can be performed too.

3.2.5. Man-in-the-Middle Attack

With and , obtained in the “password guessing attack” and “user anonymity” sections, respectively, can execute a man-in-the-middle attack as follows:
(1) Intercept that sends to .
(2) Compute as in the “user impersonation attack,” and send them to .
(3) Intercept from via the open channel.
(4) Compute as in the “server impersonation attack,” and send them to .

Through the above attack procedure, the adversary can execute a man-in-the-middle attack without being noticed by or .

In fact, a man-in-the-middle attack is usually the result of a “server impersonation attack” combined with a “user impersonation attack,” while the offline dictionary attack is the root cause of all three attacks.

3.2.6. Desynchronization Attack

As there is no verification in the password change phase, an adversary can easily execute a desynchronization attack: stealing ’s smart card and inputting a random , , and a new password . According to the scheme, and will be replaced by and , respectively, where and . As a result, even the legitimate user cannot log in successfully.

A desynchronization attack often happens in the password change phase when the user can change the password successfully without inputting the correct and . This results in the legitimate user with the correct old password being unable to log in successfully. So if a user wants to change the password, he should be authenticated first, and there are usually two ways: interacting with the remote server as in the authentication phase, or interacting with the smart card. The second way requires a verification value in the smart card; thus such a scheme is vulnerable to offline dictionary attack, but it helps detect wrong password input, which saves the user’s time. The first way costs more time for the user to change the password and to detect wrong password input.

3.2.7. Insider Attack

In this scheme, the user submits the pair and to the server without any transformation or protection; thus the server can obtain the and and carry out an insider attack to impersonate the user .

Insider attack is quite easy to deal with: do some transformation to the and , such as and ( is a random number).

4. Cryptanalysis of Kang et al.’s Scheme

4.1. Review of Kang et al.’s Scheme

This section gives a brief review of Kang et al.’s scheme [44] (Figure 2). As the password change phase is of little relevance here, we omit it.

4.1.1. Registration Phase

Step 1 (). chooses , , and a random number and computes and then sends to the server via a secure channel.

Step 2 (). generates and , where , , and is a small number, computes from and , computes , = , = , , and , and then issues the user a smart card containing via a secure channel.

Step 3. inputs into the smart card.

4.1.2. Login Phase and Authentication Phase

Step 1 (). inserts his smart card and inputs , . The smart card computes and and then checks . If not satisfied, reject the request. Otherwise, the smart card computes , , and , generates a random number and time stamp , computes , , and , and finally sends to .

Step 2 (). firstly checks the freshness of , then calculates , , and = , and compares with . If their values are not the same, reject the request; else generate a random number and then compute , and the session key , where is the time stamp, , and . After that sends to .

Step 3. firstly checks the freshness of and then computes , , and and verifies through comparing with . If the values of them are the same, authenticates , and accepts as the session key. Otherwise, end the session.

4.3. Cryptanalysis of Kang et al.’s Scheme

4.3.1. Offline Dictionary Attack via Verification Value in Channel

Supposing the adversary got ’s smart card and then acquired security parameters , , , and from the smart card, and also has through eavesdropping the open channel between and , then can perform the attack by the following steps:
(1) Guess to be and to be .
(2) Compute = , = , = , = , and = ; , , , are extracted from the smart card.
(3) Compute = and = , and is from the channel.
(4) Verify the correctness of and by checking ; is from the channel.
(5) Repeat Steps (1) to (4) until the correct values of and are found.

The time complexity is , so the above attack is quite efficient. Once has the , he/she can also carry out user impersonation attack, server impersonation attack, and man-in-the-middle attack. As the methods for those attacks are similar to those used against Yeh’s scheme, it is unnecessary to go into details here.

4.3.2. Offline Dictionary Attack via Verification Value in Smart Card

Supposing an adversary got ’s smart card and then acquired security parameters , , , and from the smart card, then can perform the attack as follows:
(1) Guess the value of to be from the password dictionary space and to be from the identity dictionary space .
(2) Compute = and = ; is from the smart card.
(3) Verify the correctness of and by checking whether ; is extracted from the smart card.
(4) Repeat Steps (1) to (3) until and are found.

Remark 2. The time complexity is , so the above attack is quite efficient. This kind of offline dictionary attack uses the verification from the smart card, while with that verification the user can change the password locally. This is exactly the trade-off that Wang et al. [29] demonstrated between changing the password locally and resisting offline password attack. Luckily, in [11], D. Wang and P. Wang for the first time integrated “honeywords” and “fuzzy verifiers” to settle this long-standing security-usability conflict. So, according to [11], we simply give an improved way to avoid such a conflict. Let the verification = mod , where and determines the capacity of the pool of . So now there are candidate pairs for the adversary to guess when and . Among these candidates, the adversary can only find the right one by online guessing, and “honeywords” are a way to counter such online dictionary guessing: “honeywords” are in fact a word list used to detect in a timely manner whether the smart card’s parameters have been extracted.

4.3.3. Forward Secrecy

Supposing knew ’s secret key , then he can calculate the session key as follows:
(1) Intercept that sends to .
(2) Compute ; is from the smart card.
(3) Compute .
(4) Intercept that sends to .
(5) Compute .
(6) Compute ; at this point the adversary gets successfully.

In this scheme, the session key consists of a random number from , a random number from , and two open time stamps and . The key parameters are the two random numbers. Compared to the adversary, the only thing the server knows more is the secret key , so once the adversary knows the secret key , he can compute the random number chosen by in the way the server does. On the other hand, in computing , the only thing the user knows more than the adversary is the random number . Since the adversary now knows , the adversary can also compute the random number chosen by the server, as the user does. With and , the adversary gets . Furthermore, this confirms that “more than two exponentiation operations conducted on the server side are necessary to achieve forward secrecy” [36].

5. Cryptanalysis of Kaul et al.’s Scheme

5.1. Review of Kaul et al.’s Scheme

This section gives a brief review of Kaul et al.’s scheme [46] (Figure 3), and password change phase is also omitted.

5.1.1. Registration Phase

Step 1 (). chooses , , and a random number , then computes = , and submits via a secure channel.

Step 2 (). chooses a unique random number for and computes , , , and . Then issues a smart card with via a secure channel.

Step 3. enters to the smart card.

5.1.2. Login Phase and Authentication Phase

Step 1 (). User inserts the smart card and inputs and . Smart card computes = , = , , = , and = . If , the smart card declines the request, otherwise it computes = and = and sends to .

Step 2 (). Server first checks whether , then computes = , = , and = , and further checks computed . If the verification passed, it computes = , where is ’s current time, and sends to .

Step 3. Smart card first checks the freshness of , then computes = , and then verifies to authenticate server.

Step 4. Both and accept the common session key = .

5.2. Cryptanalysis of Kaul et al.’s Scheme

5.2.1. User Anonymity

User anonymity prevents an adversary from acquiring a user’s private information, including lifestyle, habits, and hobbies, by analyzing the login history, communications, and service requests. In the era of big data, user anonymity has profound significance. A well-designed protocol needs to keep the identity not only unexposed but also untraceable. The former requires that even if an adversary eavesdrops on the messages via the open channel, he still cannot tell whose communication it is; the latter requires that the adversary cannot tell whether two eavesdropped messages come from the same user. In fact, the latter is more restrictive than the former. However, in this scheme the user identity is exposed in the open channel; the adversary just needs to eavesdrop on the open channel to get the user’s . With the , the adversary knows every time the user logs in. So the privacy of the user is revealed.

5.2.2. Offline Dictionary Attack via Verification Value in Channel

The adversary who extracts , from the smart card, and can perform an offline dictionary attack as follows:
(1) Guess the value of to be from the password dictionary space .
(2) Compute = , = , = , = , and = ; , are from the smart card and is from the open channel.
(3) Verify the correctness of by checking whether ; is from the smart card.
(4) Repeat Steps (1) to (3) until the correct is found.

The time complexity is , so the above attack is quite efficient. With and , can conduct further attacks such as impersonation attack, man-in-the-middle attack, and obtaining the session key, by the methods described in Sections 3.2.3, 3.2.4, 3.2.5, and 4.3.3. Thus, the whole security of the system is compromised.

5.2.3. Offline Dictionary Attack via Verification Value in Smart Card

An adversary who gets the smart card from extracts the security parameters , , , . Furthermore, as shown in the previous section, can also easily get . So now the adversary can perform an offline dictionary attack by the following steps:
(1) Guess the value of to be from the password dictionary space .
(2) Compute = , = , = , = , and = ; , , , and are extracted from ’s smart card.
(3) Verify the correctness of by checking whether ; is extracted from the smart card.
(4) Repeat Steps (1) to (3) until is found.

The time complexity is , so the above attack is quite efficient.

6. A Deep Exploration to Offline Dictionary Attack

The schemes of Yeh, Kang et al., and Kaul et al. cannot resist offline password guessing attacks, and this is exactly what most two-factor remote authentication schemes actually suffer from. As we mentioned before, such an attack is also one of the root causes of other attacks. In this section, we try to explain why it is so hard to avoid offline dictionary attack. Furthermore, we for the first time recommend distinguishing the offline dictionary attack via a verification value in the smart card (hereafter called Attack I) from the offline dictionary attack via a verification value in the channel (hereafter called Attack II). When talking about offline dictionary attack, most papers [36, 51, 52] ignore the difference between them and call them collectively “offline dictionary attack” (offline password guessing attack). The basic principle of the two attacks is the same: the key parameters transmitted in the insecure channel or stored in the smart card are not “camouflaged” by random numbers or other special parameters owned only by the user or the server, so the adversary can obtain a verification value (usually the key parameter with which the server or the user verifies the validity of the other party) with which to perform a dictionary attack. What differs is where the verification value comes from: Attack I uses the verification from the smart card and Attack II the verification from the channel. Do not overlook this small difference; it leads to a subtle but real difference in the corresponding solutions. Distinguishing them contributes to an in-depth analysis of design principles. In this section, we analyze these two attacks thoroughly.

6.1. Solutions to Offline Dictionary Attack via Verification Value in Smart Card

In the schemes of Kang et al. and Kaul et al., to achieve better user-friendliness, that is, changing the password locally and detecting wrong password input in a timely manner, a verification value with which the smart card authenticates the user is stored in the smart card. This allows the key parameters and to be obtained from the smart card, which leads to Attack I. What if there were no such verification parameters? Then the password change phase may be affected, as in Yeh’s scheme, which changes the password remotely and fails to detect wrong password input in a timely manner. In fact, [29] points out that “there is an unavoidable trade-off when achieving the password change locally and resisting offline dictionary attack.” More specifically and accurately, the offline dictionary attack here should be understood as Attack I; it can usually be avoided in two ways:
(i) A new approach called “a fuzzy verifier” and “honeywords” [11], which is a new solution to this problem. This approach can greatly increase the cost of guessing the password with respect to . We have given a simple application case in Section 4.3.2.
(ii) Sacrificing certain performance (e.g., not providing the attribute of changing the password locally). In other words, it is a problem of the trade-off between security and effectiveness. According to this principle, some schemes [43, 53, 54] simply remove the authentication between the user and the smart card. Therefore, such a scheme is secure against Attack II, while the cost is failing to detect wrong password input in a timely manner (costing more time).

Obviously, Attack II is not covered by the above situation. So simply calling the two attacks collectively “offline dictionary attack” causes confusion and makes the problem more complicated.

6.2. Solutions to Offline Dictionary Attack via Verification Value in Channel

In Yeh’s scheme, if we regard the parameters in the smart card as exposed, then the key parameters (i.e., the verification refers to the parameters used to verify the validity of the participants, and we use to represent it) , where refers to a series of cryptographic operations in the protocol, and means that those cryptographic operations are actually only related to . On the face of it, the is protected by the random number . On closer examination, however, it is clear that can be computed from . So in fact, the . Then if an adversary guesses the and to be and , he/she can use to check the guessed value and thus carry out an offline dictionary attack, that is, Attack II.

Typically, only when the is “camouflaged” by random numbers or other special parameters that only the user and the server can obtain can the scheme resist Attack II, as in [11, 14, 55]. So how can we conceal the and those sensitive parameters?

Naturally, someone may think of symmetric cryptography: if the message transmitted in the open channel is encrypted, then only the one owning the key can read the message. It seems a good solution. However, it is far from practical: how can the key be distributed and stored? Especially for the users, where can they store that private key securely? Furthermore, as the number of servers accessed increases, the number of keys the user needs to store increases too; for the servers, the storage of those keys is also a big problem: it consumes a lot of storage space, and once the stored keys are leaked, the security of the whole system is compromised. Therefore, symmetric cryptography is beyond our consideration. In this work, we focus on what Ma et al. [36] advised, that is, a public key algorithm to deal with Attack II. Here is our brief explanation of why a public key algorithm is necessary (for more detail please refer to [36]).

The adversary obtaining a verification value () in the open channel is the main reason for Attack II. So a well-designed scheme has to protect the in the open channel. Then how can we protect them? On the one hand, the parameters in the smart card can be captured by the adversary, so if we do not consider symmetric cryptography, the only way is to use random numbers as camouflage to protect the . What is more, the random number cannot be exposed to the open channel and cannot be computed only with and . On the other hand, the server needs to know the random number to compute the . Based on these two points, a public key algorithm is a necessary approach. Moreover, smart cards always have limited memory and computing power; thus lightweight public key operations are good choices.

However, many schemes, though equipped with a public key algorithm, still fail to resist Attack II, such as [52, 56, 57]. The inherent reason is the incorrect deployment of the public key algorithm. So how can we correctly apply a public key algorithm to an authentication protocol? We will give one solution; it is not the only one, but it is one of many effective solutions. Furthermore, we will give a reference model for this solution (see Figure 4) and use Yeh’s scheme as an example to verify its feasibility.

As we all know, the essence of an authentication protocol is to provide secure mutual authentication. The basis for authentication in a password-based scheme with a smart card is “what you know” and “what you have.” To a user, the and are what they know; the smart card is what they have. However, since the parameters in the card can be extracted by the adversary and the card itself can easily be stolen, the smart card effectively acts as an assistant. To a server, the long-term key is what it knows, and the verifier table is what it has. Similarly, the verifier table actually also acts as an assistant.

So when the server authenticates the user, the user has to prove that he really knows and and has the corresponding smart card; meanwhile, in order to prevent inside attack and eavesdropping attack, the user cannot tell the server the value of directly. A good way to resolve this conflict is to negotiate an intermediate parameter as key evidence of authentication, where . This step is completed in the registration phase, and the related auxiliary parameters are stored in the smart card. So if a user has the corresponding smart card, he/she can compute the as . Therefore, with the , we can verify not only whether the user knows the and , but also whether the user has the corresponding smart card. However, since the smart card assists in this computation, if , then once the adversary gets the smart card, he/she can guess the and to be and , respectively, then intercept the to check the correctness of the guessed value, and thus carry out Attack II. Take Yeh’s scheme as an example: in this scheme, the . To , , where and are from the smart card, , and thus an adversary with the card conducts Attack II successfully.

Therefore, besides the , there should be other key parameters which only and can compute. As , , and the smart card have already been used for , it makes no sense to use them again. Thus, a user has nothing more that can be used as evidence. One good choice seems to be to issue a challenge for the server to respond to. In fact, the challenge is a random number, and transmitting and responding to the challenge requires the help of a public key algorithm. All in all, the other key parameters which make up should be equipped with a public key algorithm; then the should be , where refers to the parameters deploying a public key algorithm. To , with the knowledge of the random number , , where is the public key and refers to a series of public key operations; to , with the knowledge of the private key , , where . All in all, to resist Attack II, the should satisfy ; the , , , , and cannot be exposed to the open channel; furthermore, should be transmitted to the server. When authenticates , if only resisting Attack II is considered, only needs to prove that it knows the and . Furthermore, the parameters transmitted in the open channel follow the same principles as above.

Now, we take Yeh’s scheme as an example to check the effectiveness of our reference model. And we select the Computational Diffie-Hellman problem to construct the public key algorithm. In Yeh et al.’s scheme, the has been designed well, so we only need to apply the Computational Diffie-Hellman problem to this scheme. The definition of the Computational Diffie-Hellman problem is as follows.

is the generator of a cyclic group ; then, given and where , it is hard to compute in polynomial time.

According to this, we can design a lightweight public key algorithm for the user and the server: selects a large prime , a generator of the cyclic group , and a secret key , and computes the public key mod . Then if selects a random number , it computes mod and mod and sends to . can compute as mod . Here, and ; even if the adversary intercepts the , he/she still cannot compute the . So then only needs to prove that it knows the . Furthermore, to , and ; to , ; this also follows the principles mentioned above. In short, we improve Yeh’s scheme as shown in Figure 5.

In the improved scheme, , ; even if the adversary guesses the and to be and , without he/she cannot find a verification value to check the correctness of the guessed value and thus fails to perform Attack II. It should be noted that we only improve Yeh’s scheme to be secure against Attack II, and the reference model applies only to resisting Attack II.
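The following Python sketch is an added illustration of the reference model above, not the authors’ Figure 5 and not Yeh’s scheme: it assumes a hypothetical card layout (the card stores an authenticator masked with a hash of the identity and password), a toy Diffie-Hellman group constructed for the example, and function names chosen here. The server’s Diffie-Hellman share is what keeps the verification value on the channel from being checkable by anyone who holds only the card and a candidate password.

```python
import hashlib
import secrets

# Toy group: the Mersenne prime 2^127 - 1 and generator 3 are constructed for
# illustration; a deployment would use a standardized group of >= 2048 bits.
P = (1 << 127) - 1
G = 3
NB = 16  # every group element fits in 16 bytes since P < 2^128

def h(*parts: bytes) -> bytes:
    """Collision-free one-way hash h(.) applied to the '||' concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def server_setup():
    """S chooses its long-term secret key x and publishes Y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def register(id_: bytes, pw: bytes, x: int) -> dict:
    """Registration over the secure channel (hypothetical card layout):
    S derives A = h(ID || x) and the card stores N = A XOR h(ID || PW),
    so A is recoverable only with the card and the password together."""
    a = h(id_, x.to_bytes(NB, "big"))
    return {"N": xor(a, h(id_, pw))}

def user_login(card: dict, id_: bytes, pw: bytes, y: int):
    """U picks a fresh r, sends C1 = g^r mod p and V = h(A || K) with
    K = Y^r mod p.  K is the 'camouflage': it never appears on the channel
    and needs r (never sent) or x (server only) to compute."""
    a = xor(card["N"], h(id_, pw))
    r = secrets.randbelow(P - 2) + 1
    k = pow(y, r, P)
    return pow(G, r, P), h(a, k.to_bytes(NB, "big"))

def server_verify(id_: bytes, c1: int, v: bytes, x: int) -> bool:
    """S recomputes A from x and K = C1^x mod p and accepts iff V matches."""
    a = h(id_, x.to_bytes(NB, "big"))
    return h(a, pow(c1, x, P).to_bytes(NB, "big")) == v

def verifier_is_camouflaged(card: dict, id_: bytes, pw: bytes, c1: int, v: bytes) -> bool:
    """Design check: from the card contents, the (even correct) password and
    the transcript alone, V cannot be reproduced, because K is missing."""
    a = xor(card["N"], h(id_, pw))
    return v not in (h(a), h(a, c1.to_bytes(NB, "big")))
```

Removing the K term from V would reduce the design to the pattern described for Yeh’s scheme, where the card contents alone let the transcript be checked against a guess.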

It is generally accepted that a public key algorithm is necessary for resisting offline dictionary attack, while, according to our analysis, the offline dictionary attack here should be specific to Attack II, and Attack I is not included: a public key algorithm consists of a private key and a public key. In Attack II, the vulnerability lies in the authentication between the server and the smart card, so the public key algorithm acts on the server and the smart card, and usually the server takes the responsibility of keeping the private key . In Attack I, by contrast, the vulnerability lies in the authentication between the user and the smart card, and it makes no sense for either of them to own such a private key, for at least two reasons:
(i) To the user: he always uses the password as the unique parameter to get authenticated, and the private key would play the same role as the password. Moreover, the private key is too long for the user to remember or preserve.
(ii) To the smart card: as we have stated before, the parameters in the smart card can be easily obtained by an adversary.

7. Conclusion

In this paper, we demonstrated that the schemes of Yeh, Kang et al., and Kaul et al. all suffer from various attacks, such as offline dictionary attack and impersonation attack. Furthermore, we showed that offline dictionary attack is the root cause of many other attacks. Remarkably, we divide offline dictionary attacks into two categories: (1) the ones using the verification value from the smart card and (2) the ones using the verification value from the open channel. The solution to the first type involves the trade-off between security and effectiveness, or “a fuzzy verifier” + “honeywords” as suggested in [11]. The solution to the second is to use a public key algorithm as advised by Ma et al. [36]; this solution is not applicable to the first type. Furthermore, many schemes that use a public key algorithm still suffer from Attack II. The root cause is incorrect deployment of the public key algorithm. Thus, we proposed a reference model to guide protocol designers in deploying public key algorithms correctly. Our reference model is not the only way to deal with this problem, but it really is one of them. We hope that this work provides new insights for future research.

Notations and Abbreviations

:th user
:Remote server
:Malicious adversary
:Identity of
:Password of
:The secret key of
:The secret number of
:Collision-free one-way hash function
:The bitwise XOR operation
:The string concatenation operation
:An insecure channel
:A secure channel.

Conflicts of Interest

There are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors thank Dr. Wang Ding at Peking University for invaluable help. This research is supported by the National Natural Science Foundation of China (NSFC) under Grant no. 61401038 and 2016 Guangdong Provincial Science and Technology Department Frontier and Key Technology Innovation Project under Grant no. 2016B010110002.