Secure Remote Login Scheme with Password and ... - Springer Link

Secure Remote Login Scheme with Password and Smart Card Update Facilities Rajeev Kumar, Ruhul Amin, Arijit Karati and G.P. Biswas

Abstract

Smart card and password-based user authentication is a popular way of accessing remote services from a remote server over insecure communication. In this regard, numerous user authentication protocols have been proposed in the literature. However, we have observed that none of these protocols yet provides complete facilities such as a password change process, a password recover process, and a smart card revocation process to the registered user. The main aim of this paper is to design a secure user authentication protocol which provides complete facilities to the registered user. The security analysis of the protocol is presented, which confirms that the protocol is secure against various common attacks. Our protocol not only provides complete facilities to the registered user, but also provides session key agreement as well as mutual authentication between the $U_i$ and RS. The performance of the proposed scheme is relatively better than existing related schemes.

Keywords: Authentication ⋅ Security attacks ⋅ Security attributes ⋅ Smart card

R. Kumar (✉) ⋅ R. Amin ⋅ A. Karati ⋅ G.P. Biswas, Department of Computer Science and Engineering, Indian School of Mines, Dhanbad, Jharkhand, India

© Springer India 2016. S. Das et al. (eds.), Proceedings of the 4th International Conference on Frontiers in Intelligent Computing: Theory and Applications (FICTA) 2015, Advances in Intelligent Systems and Computing 404, DOI 10.1007/978-81-322-2695-6_41

1 Introduction

In the client–server environment, many password-based user authentication schemes using smart cards are widely used to exchange confidential data by encrypting it with the generated session key. The concept of the remote user authentication scheme was first proposed by Lamport [24] based on the one-way hash function, and thereafter many password-based authentication protocols [1, 2, 4, 6, 7, 10, 14–16, 18–21] have been proposed in the literature. It has been observed that many schemes [17, 23, 27] suffer from the smart card stolen attack, resulting in offline password guessing. In 2007, Wang et al. [29] illustrated that the schemes [27, 32] cannot withstand forgery attack, offline password guessing attack, and denial-of-service attack, and presented better solutions to fix the problems. Later, Awasthi et al. [11] pointed out that Shen et al.'s scheme [26] cannot withstand user impersonation attack, and also proposed an improved protocol. In 2012, Wang et al. [28] pointed out that the Yang et al. [31] and Hsieh-Leu [17] schemes are insecure against smart card loss attack and subsequently proposed an efficient scheme to thwart the problems of smart card security breach. In 2013, Ruhul et al. [10] pointed out that the scheme [28] suffers from offline identity-password guessing attack and user-server impersonation attack, and also proposed an improved protocol to fix the Wang et al. [28] scheme. In this paper, we have designed a secure user authentication protocol using smart card, which is not only efficient in terms of complexities, but also provides essential facilities to the registered user.

1.1 Road Map of the Paper

In Sect. 2, we address our proposed protocol and the security analysis of the proposed scheme appears in Sect. 3. Section 4 measures the performance of this protocol and the conclusion is given in Sect. 5. We complete the paper with several related references.

2 Proposed Protocol

This section presents the smart card-based user authentication and key agreement protocol using the cryptographic one-way hash function. We have listed all the notations used throughout this paper in Table 1. Our proposed protocol has several processes such as registration, login and authentication, password change, password recovery, and smart card revocation, each of which is discussed below.

2.1 Registration Process

In this phase, a new user chooses an identity $ID_i$ and sends the registration message $\langle ID_i, MOB \rangle$ along with personal credential information $UC_i$ to the remote server through the insecure channel in order to get remote services, where $MOB$ is the valid mobile number of the user. After getting the registration message, the RS computes $Reg_i = h(ID_i \parallel X_{rs})$ and sends it to the mobile number securely. Then the remote server maintains a table (say, User Table) containing attributes $\langle ID_i, MOB \rangle$ and personal credentials. After receiving $Reg_i$, the $U_i$ computes $A_i = h(ID_i \parallel PW_i \parallel Reg_i)$, $B_i = Reg_i \oplus PW_i$ and issues a smart card after storing $\langle ID_i, A_i, B_i \rangle$ into the memory of the smart card. After that, the $U_i$ sends $\langle ID_i, SCN_i, B_i \rangle$ to the remote server through open networks. After receiving the message, the RS first checks whether the $ID_i$ exists in the database. If it exists, the RS further stores $\langle SCN_i, B_i \rangle$ into the user table (see Table 2) and completes the registration process, where $SCN_i$ is the unique number of the smart card.

Table 1 List of notations used

| Symbol | Description |
|---|---|
| SC | Smart card |
| $U_i$ | User/client |
| RS | Remote server |
|  | Attacker/adversary |
| $ID_i$ | Identity of user $U_i$ |
| $PW_i$ | User's password |
| $X_s$ | Secret key of the RS |
| $R_i$ | Random number generated by the user |
| $R_{rs}$ | Random number generated by the RS |
| $SK$ | Session key of the protocol |
| $\oplus$ | The bitwise exclusive or operation |
| $\parallel$ | The concatenation operation |
| $h(\cdot)$ | One-way hash function, $h : (0, 1)^* \to (0, 1)^n$ |

Table 2 User table

| Identity | Parameter | Mobile number | SCN | User credential |
|---|---|---|---|---|
| $ID_1$ | $B_1$ | 9804557 | $SCN_1$ | $UC_1$ |
| $ID_2$ | $B_2$ | 9868754 | $SCN_2$ | $UC_2$ |
| $ID_3$ | $B_3$ | 9878712 | $SCN_3$ | $UC_3$ |
| $ID_4$ | $B_4$ | 9878712 | $SCN_4$ | $UC_4$ |
| … | … | … | … | … |
| $ID_n$ | $B_n$ | 6668712 | $SCN_n$ | $UC_n$ |

2.2 Login and Authentication Process

In this process, $U_i$ and RS perform several operations in order to negotiate a session key over insecure networks. The steps of this process are discussed below.

Step 1. $U_i$ initially inserts the smart card into the card reader and provides the high entropy password $PW_i$. The term high entropy means that the attacker cannot guess the user's password in polynomial time. After getting $PW_i$, the card reader computes $Reg_i^* = B_i \oplus PW_i$, $A_i^* = h(ID_i \parallel PW_i \parallel Reg_i^*)$ and verifies whether $A_i^* = A_i$ or not. If the verification holds, $U_i$ has provided the correct $PW_i$; otherwise, it aborts the connection. After that, the card reader generates a 128-bit random number $R_i$ and computes $C_i = h(ID_i \parallel R_i \parallel PW_i)$, $D_i = R_i \oplus PW_i$. Finally, the card reader sends $\langle ID_i, C_i, D_i \rangle$ to the remote server over insecure networks.

Step 2. After receiving the login message, RS first checks whether $ID_i$ exists in the database. If it does not exist, RS immediately rejects the login message; otherwise, the RS securely sends a one-time password (OTP) to the registered mobile number. On receiving the OTP, the $U_i$ submits it to the RS, and the RS then verifies the OTP. If the verification does not hold, it immediately rejects the session; otherwise, it computes $Reg_i^* = h(ID_i \parallel X_s)$, $PW_i^* = B_i \oplus Reg_i^*$, $R_i^* = D_i \oplus PW_i$, $C_i^* = h(ID_i \parallel R_i^* \parallel PW_i^*)$ and checks the condition $C_i^* \stackrel{?}{=} C_i$. If the condition does not hold, RS rejects the session; otherwise, it believes that the sender of the login message is registered.

Step 3. The RS now generates a 128-bit random number $R_{rs}$ and computes $G_i = R_i \oplus R_{rs}$, $F_i = h(ID_i \parallel R_i^* \parallel R_{rs} \parallel Reg_i)$, and then sends $\langle F_i, G_i \rangle$ to the user through open networks.

Step 4. After receiving the message $\langle F_i, G_i \rangle$, the user computes $R_{rs} = G_i \oplus R_i$, $F_i^* = h(ID_i \parallel R_i \parallel R_{rs} \parallel Reg_i)$ and checks the correctness as $F_i^* \stackrel{?}{=} F_i$. If it does not hold, it terminates the connection; otherwise, the user believes that the remote server is authentic. Now, both parties compute the session key $SK = h(ID_i \parallel Reg_i \parallel R_i \parallel R_{rs})$ and start secure communication.
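The registration and four login steps above, with both sides' computations, as an added Python example (not the authors' code). It assumes SHA-256 for $h$, length-prefixed fields for $\parallel$, and zero-padding of $PW_i$ and the 128-bit random numbers to the hash length before XOR; the OTP round trip is omitted and the names `RemoteServer`, `SmartCard` and `run_session` are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 32  # n: hash length in bytes (SHA-256 is an assumption; the paper only names h)

def pad(b: bytes) -> bytes:
    return b.ljust(N, b"\0")  # assumed encoding: zero-pad inputs of up to N bytes

def h(*parts: bytes) -> bytes:
    """h(a || b || ...); fields are length-prefixed so the concatenation is unambiguous."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(pad(a), pad(b)))

class RemoteServer:
    def __init__(self):
        self.x_s = secrets.token_bytes(N)  # X_s, secret key of the RS
        self.user_table = {}               # ID_i -> B_i (MOB, SCN, UC columns omitted)

    def reg(self, uid):
        return h(uid, self.x_s)            # Reg_i = h(ID_i || X_s)

    def login(self, uid, c_i, d_i):
        """Steps 2 and 3. Returns (F_i, G_i, SK), or None when the request is rejected."""
        b_i = self.user_table.get(uid)
        if b_i is None:
            return None                    # ID_i not in the user table
        reg = self.reg(uid)
        pw = xor(b_i, reg)                 # PW_i* = B_i xor Reg_i*
        r_i = xor(d_i, pw)                 # R_i*  = D_i xor PW_i*
        if not hmac.compare_digest(h(uid, r_i, pw), c_i):
            return None                    # C_i* differs from C_i
        r_rs = pad(secrets.token_bytes(16))  # 128-bit R_rs
        return h(uid, r_i, r_rs, reg), xor(r_i, r_rs), h(uid, reg, r_i, r_rs)

class SmartCard:
    def __init__(self, uid, pw, reg):
        self.uid = uid
        self.a_i = h(uid, pad(pw), reg)    # A_i = h(ID_i || PW_i || Reg_i)
        self.b_i = xor(reg, pw)            # B_i = Reg_i xor PW_i

    def login_request(self, pw):
        """Step 1. Returns <ID_i, C_i, D_i>, or None when A_i* differs from A_i."""
        reg = xor(self.b_i, pw)
        if not hmac.compare_digest(h(self.uid, pad(pw), reg), self.a_i):
            return None
        self._reg, self._r_i = reg, pad(secrets.token_bytes(16))  # 128-bit R_i
        return self.uid, h(self.uid, self._r_i, pad(pw)), xor(self._r_i, pw)

    def finish(self, f_i, g_i):
        """Step 4. Returns SK, or None when F_i* differs from F_i."""
        r_rs = xor(g_i, self._r_i)
        if not hmac.compare_digest(h(self.uid, self._r_i, r_rs, self._reg), f_i):
            return None
        return h(self.uid, self._reg, self._r_i, r_rs)

def run_session(password=b"c0rrect-H0rse!9", tamper_reply=False):
    """Register the constructed user 'alice', run one login, return (SK_user, SK_server)."""
    rs, uid = RemoteServer(), b"alice"
    card = SmartCard(uid, password, rs.reg(uid))  # Reg_i reaches the user out of band
    rs.user_table[uid] = card.b_i
    f_i, g_i, sk_server = rs.login(*card.login_request(password))
    if tamper_reply:
        f_i = bytes([f_i[0] ^ 1]) + f_i[1:]       # one bit of F_i altered in transit
    return card.finish(f_i, g_i), sk_server
```

`run_session()` returns two equal 32-byte keys; with `tamper_reply=True` the user side returns `None` because the check on $F_i$ fails.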

2.3 Password Change Process

It is possible that the password of the user may be leaked by someone and hence the user should change the password. In any password-based authentication system, the protocol should provide a password change facility. The description of the password change procedure is as follows.

Step 1. The $U_i$ initially inserts the smart card into the card reader and provides the high entropy password $PW_i$. After getting $PW_i$, the card reader computes $Reg_i^* = B_i \oplus PW_i$, $A_i^* = h(ID_i \parallel PW_i \parallel Reg_i^*)$ and verifies $A_i^* \stackrel{?}{=} A_i$. If the verification holds, the card reader asks the user to enter the new password $PW_i^{new}$.

Step 2. After getting the $PW_i^{new}$, the card reader computes $B_i^{new} = Reg_i \oplus PW_i^{new}$, $A_i^{new} = h(ID_i \parallel PW_i^{new} \parallel Reg_i)$ and replaces the old information $\langle A_i, B_i \rangle$ with the new information $\langle A_i^{new}, B_i^{new} \rangle$ in the memory of the smart card. Thus, the $U_i$ can easily change his/her password without taking any assistance from the remote server. We further describe the password change phase in Fig. 1.

User $U_i$ / Smart card:
Inserts SC and provides $PW_i$.
SC computes $Reg_i = B_i \oplus PW_i$, $A_i^* = h(ID_i \parallel PW_i \parallel Reg_i)$.
If ($A_i^* \neq A_i$): rejects.
Else: computes $B_i^{new} = Reg_i \oplus PW_i^{new}$, $A_i^{new} = h(ID_i \parallel PW_i^{new} \parallel Reg_i)$.
Replaces $A_i$, $B_i$ with the new information $A_i^{new}$, $B_i^{new}$ respectively.

Fig. 1 Password change process

2.4 Forgot Password Recover Process

It is a common problem that users forget their password, either because they access several web servers or because they rarely use them. Therefore, it is an important desirable property of the authentication protocol to provide a password recover facility. The proposed protocol provides a password recover facility to the user. We further describe this process in Fig. 2.

Step 1. The user initially submits $\langle ID_i, MOB \rangle$ to the remote server.

Step 2. On getting it, RS checks whether the $ID_i$ and the corresponding $MOB$ exist in the user table. If they exist, the RS computes $PW_i = B_i \oplus Reg_i$; otherwise, it terminates the request.

Step 3. Finally, the RS sends $PW_i$ to the registered $MOB$ securely. Thus, our protocol provides a password recover facility to the registered user.

Fig. 2 Forgot password recovery process
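An added Python example (not the authors' code) that follows Sects. 2.3 and 2.4 step by step: the password change touches only the card, while recovery computes $PW_i = B_i \oplus Reg_i$ from the $B_i$ held in the user table, so the example reports which password recovery returns before and after a card-side change. SHA-256 for $h$, zero-padding of $PW_i$, the function names and the sample secret and passwords are assumptions constructed for the demonstration.

```python
import hashlib

N = 32  # hash length in bytes; SHA-256 stands in for the paper's h (assumption)

def pad(b: bytes) -> bytes:
    return b.ljust(N, b"\0")  # assumed encoding of PW_i: zero-padded to N bytes

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(pad(a), pad(b)))

def register(uid, pw, x_s, user_table):
    """Sect. 2.1: build the card contents and store B_i in the server's user table."""
    reg = h(uid, x_s)                                   # Reg_i = h(ID_i || X_s)
    card = {"ID": uid, "A": h(uid, pad(pw), reg), "B": xor(reg, pw)}
    user_table[uid] = card["B"]
    return card

def card_accepts(card, pw):
    """Card-side check A_i* == A_i with Reg_i* = B_i xor PW_i."""
    return h(card["ID"], pad(pw), xor(card["B"], pw)) == card["A"]

def change_password(card, old_pw, new_pw):
    """Sect. 2.3: performed on the card only; the server is not contacted."""
    if not card_accepts(card, old_pw):
        return False
    reg = xor(card["B"], old_pw)
    card["A"] = h(card["ID"], pad(new_pw), reg)         # A_i^new
    card["B"] = xor(reg, new_pw)                        # B_i^new
    return True

def recover_password(uid, x_s, user_table):
    """Sect. 2.4, step 2: PW_i = B_i xor Reg_i, using the B_i in the user table."""
    return xor(user_table[uid], h(uid, x_s)).rstrip(b"\0")

def demo():
    x_s, table = bytes(range(N)), {}                    # constructed server secret
    card = register(b"alice", b"Old-Pa55!", x_s, table)
    before = recover_password(b"alice", x_s, table)
    changed = change_password(card, b"Old-Pa55!", b"New-Pa55?")
    after = recover_password(b"alice", x_s, table)
    in_sync = card["B"] == table[b"alice"]              # card B_i vs. server B_i
    return before, changed, card_accepts(card, b"New-Pa55?"), after, in_sync
```

`demo()` shows that the card accepts the new password while the user table still holds the registration-time $B_i$, so recovery returns the old password until the server's copy of $B_i$ is refreshed.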


Fig. 3 Smart card revocation process

2.5 Smart Card Revocation Process

It is possible that the user's smart card gets lost. As a result, the user is unable to access the remote server. In order to get a new smart card without re-registration, our protocol provides a smart card revocation facility to the registered user. We further describe this process in Fig. 3.

Step 1. The user submits $\langle ID_i, MOB \rangle$ along with personal credential information to the remote server.

Step 2. After receiving the request, RS first verifies the legitimacy of the user based on the personal credential along with $\langle ID_i, MOB \rangle$. If the verification holds, RS computes $Reg_i = h(ID_i \parallel X_s)$ and sends it to the registered mobile number securely.

Step 3. After getting the $Reg_i$ information, $U_i$ computes $A_i = h(ID_i \parallel PW_i^{new} \parallel Reg_i)$, $B_i = Reg_i \oplus PW_i^{new}$.

Step 4. Then the $U_i$ produces a new smart card after storing $\langle ID_i, A_i, B_i \rangle$ into the memory of the smart card. Finally, $U_i$ sends $\langle ID_i, SCN_i, B_i \rangle$ to the remote server through open networks.

Step 5. After receiving the message, RS first checks whether the $ID_i$ exists in the database. If it exists, RS further stores $\langle SCN_i, B_i \rangle$ into the user table.

3 Security Analysis and Discussion

In this section, we cryptanalyze the proposed protocol against various attacks. It is well known that an attacker has extreme capabilities over insecure networks: he/she can trap, delete, regenerate, and reroute the login-reply message and try to authenticate him/herself to the server or the user in order to retrieve confidential information. In this paper, we have assumed that the user always uses a high entropy password which cannot be guessed in polynomial time. The high entropy password includes lower and upper case characters, special symbols, and numeric characters, and it should not be easy to guess [3].

3.1 Smart Card Stolen Attack

We assumed that the attacker has obtained the legal user's smart card and extracted the smart card information $\langle ID_i, A_i, B_i \rangle$ using a power analysis attack [22, 25], where $A_i = h(ID_i \parallel PW_i \parallel Reg_i)$, $B_i = Reg_i \oplus PW_i$. Then the attacker tries to extract the confidential information $\langle PW_i, X_s \rangle$. The attacker is unable to extract $\langle PW_i, X_s \rangle$ using $A_i$, as it is protected by the cryptographic one-way hash function. Furthermore, he/she cannot extract $PW_i$ from $B_i$ without the knowledge of $Reg_i$. Similarly, the attacker is unable to extract $PW_i$ after intercepting the login message during protocol execution. Thus, the protocol not only resists the smart card stolen attack, but also provides strong security protection for the user's password.

3.2 User Impersonation Attack

In this attack, the attacker tries to impersonate a valid user after intercepting the login request message. We suppose that the attacker has trapped $\langle ID_i, C_i, D_i \rangle$ during protocol execution and tries to compute another valid message, where $C_i = h(ID_i \parallel R_i \parallel PW_i)$, $D_i = R_i \oplus PW_i$. However, the attacker is unable to compute a valid $\langle C_i, D_i \rangle$ without knowledge of $\langle Reg_i, PW_i \rangle$. Therefore, we claim that the proposed protocol can withstand the user impersonation attack.

3.3 Server Impersonation Attack

Resembling the user impersonation attack [8], the attacker tries to impersonate a valid server by providing a valid reply message $\langle F_i, G_i \rangle$ to the user, where $G_i = R_i \oplus R_{rs}$, $F_i = h(ID_i \parallel R_i^* \parallel R_{rs} \parallel Reg_i)$. It is noticeable that the attacker cannot compute a valid reply message without knowledge of $Reg_i$. Therefore, the attacker cannot impersonate a valid remote server.

3.4 Session Key Computation Attack

In this attack model, the attacker attempts to compute a valid session key during protocol execution, so that he/she can extract confidential information after decrypting the ciphertext. Therefore, the attacker needs the parameters of the session key $SK = h(ID_i \parallel Reg_i \parallel R_i \parallel R_{rs})$. It is noted that the computation of the session key of the proposed protocol depends on the non-invertible cryptographic one-way hash function. We have demonstrated earlier that the attacker cannot compute $Reg_i$ from the protocol description. Additionally, the random numbers $\langle R_i, R_{rs} \rangle$ used in our protocol are secure. Therefore, the attacker is not able to compute a valid session key of the proposed protocol.

3.5 Known Session Specific Temporary Information Attack

We assume that the short-term information $\langle R_i, R_{rs} \rangle$ used in our protocol has leaked in some way and been obtained by the attacker. Now the attacker tries to compute a valid session key of the proposed protocol. Since the session key depends on another secret, $Reg_i$, the attacker is not able to launch this type of attack [5, 9].

3.6 Mutual Authentication

Our protocol provides the mutual authentication property between $U_i$ and RS. After getting the login message, RS verifies the legitimacy of $U_i$, and $U_i$ also verifies the authenticity of RS after receiving the reply message. Therefore, the proposed protocol provides the mutual authentication property.

3.7 Fast Error Detection

During the login phase, the smart card first verifies the authenticity of $U_i$ based on the user's $PW_i$. It is noted that if $U_i$ provides a wrong password by mistake or a non-registered user tries to access a stolen smart card, the system quickly detects $U_i$. Therefore, the protocol provides a fast error detection mechanism which reduces network congestion as well as the communication and computation cost of the protocol.

4 Performance Comparison

This section evaluates the performance of the proposed scheme against several related competitive schemes. In order to measure the performance of the protocol, computation and communication cost are the two main attributes and should be as low as possible. In Table 3, we have provided the computation and communication cost of the proposed scheme alongside several related schemes, where $T_h$ and $T_\oplus$ indicate hash function and X-or operations respectively. It is noticeable that the communication cost is reasonable compared to the other schemes, but the computation cost is better. The proposed scheme is not only relatively better in terms of complexity, but also provides strong security protection against common attacks.

Table 3 Computation cost and communication cost comparison of the proposed scheme with related schemes

| Scheme | Communication cost | Computation cost |
|---|---|---|
| Ruhul et al. [10] | 640 bits | $14T_h + 5T_e$ |
| Saru et al. [23] | 768 bits | $15T_h + 18T_\oplus$ |
| Wang et al. [29] | 768 bits | $11T_h + 13T_\oplus$ |
| Chou et al. [13] | 1080 bits | $29T_h + 24T_\oplus$ |
| Chang et al. [12] | 768 bits | $12T_h + 6T_\oplus$ |
| Wen and Li [30] | 1152 bits | $25T_h + 22T_\oplus$ |
| Our | 640 bits | $10T_h + 7T_\oplus$ |

5 Conclusion

This paper contributes an efficient and practical smart card-based user authentication along with session key agreement protocol usable in client–server environment. The protocol not only negotiates session key agreement, but also provides most important desirable facilities such as password change process, password recovery process, and smart card recovery process to the registered user. The security analysis ensures that the proposed protocol provides good security protection against several common attacks and achieves mutual authentication property. The performance of the proposed scheme is also relatively better than existing schemes. The overall efficiency of the proposed protocol claims that it should be applicable in the client–server environment.

References

1. Amin, R.: Cryptanalysis and an efficient secure id-based remote user authentication scheme using smart card. In: IJCA. vol. 75, pp. 1149–1157. Citeseer (2013)
2. Amin, R., Biswas, G.P.: Anonymity preserving secure hash function based authentication scheme for consumer usb mass storage device. In: IEEE 2015 Third International Conference on Computer, Communication, Control and Information Technology (C3IT), pp. 1–6. (2015)
3. Amin, R., Biswas, G.P.: Cryptanalysis and design of a three-party authenticated key exchange protocol using smart card. Arab. J. Sci. Eng. 1–15 (2015). http://dx.doi.org/10.1007/s13369015-1743-5
4. Amin, R., Biswas, G.P.: Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Pers. Commun. 1–24 (2015)
5. Amin, R., Biswas, G.P.: An improved rsa based user authentication and session key agreement protocol usable in tmis. J. Med. Syst. 39(8), 79 (2015). http://dx.doi.org/10.1007/s10916-0150262-y
6. Amin, R., Biswas, G.P.: A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis. J. Med. Syst. 39(3), 1–17 (2015)
7. Amin, R., Biswas, G.P.: Remote access control mechanism using rabin public key cryptosystem. In: Information Systems Design and Intelligent Applications, pp. 525–533. Springer (2015)
8. Amin, R., Biswas, G.P.: A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. (2015)
9. Amin, R., Biswas, G.P.: A secure three-factor user authentication and key agreement protocol for tmis with user anonymity. J. Med. Syst. 39(8), 78 (2015). http://dx.doi.org/10.1007/s10916015-0258-7
10. Amin, R., Maitra, T., Rana, S.P.: An improvement of wang. et. al.s remote user authentication scheme against smart card security breach. Int. J. Comput. Appl. 75(13), 37–42 (2013)
11. Awasthi, A.K., Srivastava, K., Mittal, R.: An improved timestamp-based remote user authentication scheme. Comput. Electr. Eng. 37(6), 869–874 (2011)
12. Chang, Y.F., Tai, W.L., Chang, H.C.: Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst. 27(11), 3430–3440 (2014)
13. Chou, J.S., Huang, C.H., Huang, Y.S., Chen, Y.: Efficient two-pass anonymous identity authentication using smart card. IACR Cryptology ePrint Archive 2013, 402 (2013)
14. Giri, D., Maitra, T., Amin, R., Srivastava, P.: An efficient and robust rsa-based remote user authentication for telecare medical information systems. J. Med. Syst. 39(1), 1–9 (2015)
15. He, D., Kumar, N., Chilamkurti, N.: A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences 321, 263–277 (2015), security and privacy information technologies and applications for wireless pervasive computing environments
16. He, D., Kumar, N., Chilamkurti, N., Lee, J.H.: Lightweight ecc based rfid authentication integrated with an id verifier transfer protocol. J. Med. Syst. 38(10), 116 (2014)
17. Hsieh, W.B., Leu, J.S.: Exploiting hash functions to intensify the remote user authentication scheme. Comput. Secur. 31(6), 791–798 (2012)
18. Islam, S.H.: A provably secure id-based mutual authentication and key agreement scheme for mobile multi-server environment without esl attack. Wireless Pers. Commun. 79(3), 1975–1991 (2014)
19. Islam, S.H.: Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps. Inf. Sci. 312, 104–130 (2015)
20. Islam, S., Gosta Pada Biswas, K.K.C.: Cryptanalysis of an improved smartcard-based remote password authentication scheme. Inf. Sci. Lett. 3(1), 35–40 (2014)
21. Islam, S., Khan, M.K., Obaidat, M., Muhaya, F.: Provably secure and anonymous password authentication protocol for roaming service in global mobility networks using extended chaotic maps. Wireless Pers. Commun. 1–22 (2015)
22. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology CRYPTO99. pp. 388–397. Springer (1999)
23. Kumari, S., Khan, M.K., Li, X.: An improved remote user authentication scheme with key agreement. Comput. Electr. Eng. 40(6), 1997–2012 (2014)
24. Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)
25. Messerges, T.S., Dabbish, E., Sloan, R.H., et al.: Examining smart-card security under the threat of power analysis attacks. Comput. IEEE Trans. 51(5), 541–552 (2002)
26. Shen, J.J., Lin, C.W., Hwang, M.S.: Security enhancement for the timestamp-based password authentication scheme using smart cards. Comput. Secur. 22(7), 591–595 (2003)
27. Ku, W.C.: S.M.C. Weakness and improvement of an efficient password based remote user authentication scheme using smart cards. IEEE Trans. Consum. Electron. 50(1), 204–207 (2004)
28. Wang, D., Ma, C.G., Zhang, Q.M., Zhao, S.: Secure password-based remote user authentication scheme against smart card security breach. J. Netw. 8(1), 148–155 (2013)
29. Wang, X.M., Zhang, W.F., Zhang, J.S., Khan, M.K.: Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards. Comput. Stan. Interfaces 29(5), 507–512 (2007)
30. Wen, F., Li, X.: An improved dynamic id-based remote user authentication with key agreement scheme. Comput. Electr. Eng. 38(2), 381–387 (2012)
31. Yang, G., Wong, D.S., Wang, H., Deng, X.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)
32. Yoon, E.J., Ryu, E.K., Yoo, K.Y.: Further improvement of an efficient password based remote user authentication scheme using smart cards. Consum. Electron. IEEE Trans. 50(2), 612–614 (2004)
