Weaknesses of a Secure Dynamic ID Based Remote User Authentication Scheme†

1 Bae-Ling Chen, *2 Wen-Chung Kuo, 3 Yu-Shuan Chu
1 Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology, Douliou, Yunlin 640, Taiwan, [email protected]
2, 3 Department of Computer Science and Information Engineering, National Formosa University, Huwei, Yunlin 632, Taiwan, {2simonkuo, 3s49343101}@nfu.edu.tw
1 First Author, *2 Corresponding Author
doi: 10.4156/jcit.vol5.issue4.9
Abstract

In 2009, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environments. They achieved user anonymity by using secure dynamic IDs instead of static IDs. Recently, Hsiang and Shih proposed an improved scheme to fix the security flaws found in Liao-Wang’s scheme. Hsiang and Shih claimed that their scheme maintains the benefits and increases the security of Liao-Wang’s scheme, while providing mutual authentication that Liao-Wang’s scheme lacks. In this paper, however, it is shown that Hsiang-Shih’s scheme cannot withstand user and server impersonation attacks. Their scheme is thus vulnerable to malicious users and insecure for practical applications.
Keywords: cryptanalysis, authentication, smart card, dynamic ID, multi-server

1. Introduction

With the increasing number of systems that provide services over open networks, remote authentication [5] is critical for preventing unauthorized parties from accessing remote system resources. Smart card based authentication schemes [1-4, 6-8] are the most commonly used mechanism for remote user authentication. System resources or services are often provided by many servers distributed over a network, to make remote user access efficient and convenient, so authentication protocols designed for multi-server environments are clearly required. Most traditional authentication schemes use real IDs or static IDs in multi-server environments [6]. However, this allows malicious users to trace and identify a user’s requests by monitoring the communication with the servers. Employing a dynamic ID for each login avoids this risk of ID theft [1, 4, 6-7].

In 2009, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environments [7]. Their scheme uses only hash functions for mutual authentication and session key agreement, and dynamic IDs instead of real or static IDs to achieve user anonymity. They claimed that a registered user can be granted service by any server in the multi-server environment. Recently, Hsiang and Shih proposed an improved scheme [2] to fix the security flaws found in Liao-Wang’s scheme, and claimed that their scheme maintains the benefits and increases the security of Liao-Wang’s scheme, while providing the mutual authentication that Liao-Wang’s scheme lacks. In this paper, however, it is shown that Hsiang-Shih’s scheme cannot withstand user and server impersonation attacks. Their scheme is thus vulnerable to malicious users and insecure for practical applications.

The rest of this paper is organized as follows. In Section 2, Hsiang-Shih’s scheme is briefly reviewed. In Section 3, we analyze the weaknesses of Hsiang-Shih’s scheme. The conclusions are given in Section 4.
† This work was supported by the National Science Council of Taiwan under grant NSC 98-2219-E150-001.

Journal of Convergence Information Technology Volume 5, Number 4, June 2010

2. Review of Hsiang-Shih’s Scheme

Hsiang-Shih’s scheme is briefly reviewed in this section. For convenience, the notations used in Hsiang-Shih’s scheme are listed below.
* RC: registration center
* x: master secret key of RC
* r, y: secret numbers of RC
* Ui: i-th user
* IDi: identification of Ui
* CIDi: dynamic ID of Ui
* pwi: password of Ui
* bi: blind factor of Ui
* Sj: j-th remote server
* SIDj: identification of Sj
* h(·): secure one-way hash function
* ⊕: bitwise XOR operation
* ||: string concatenation operation

Hsiang-Shih’s scheme assumes that only RC knows the master secret key x and the two secret numbers r, y. There are four phases in Hsiang-Shih’s scheme: the registration phase, the login phase, the mutual authentication and session key agreement phase, and the password change phase.
2.1. Registration Phase

In the registration phase, user Ui initially registers with registration center RC. Ui submits his identity IDi and password pwi to registration center RC, and then Ui and RC perform the following steps:
Step R1. Ui chooses his password pwi and an arbitrary number bi, and then computes h(bi⊕pwi).
Step R2. Ui sends {IDi, h(bi⊕pwi)} to RC over a secure channel.
Step R3. Upon receiving the registration information, RC performs the following computations:
Ti = h(IDi || x)
Vi = Ti⊕h(IDi || h(bi⊕pwi))
Ai = h(h(bi⊕pwi) || r)⊕h(x⊕r)
Bi = Ai⊕h(bi⊕pwi)
Ri = h(h(bi⊕pwi) || r)
Hi = h(Ti).
Step R4. RC issues a smart card containing {Vi, Bi, Hi, Ri, h(·)} to Ui over a secure channel.
Step R5. Upon receiving the smart card, Ui enters bi into his smart card. Note that Ui’s smart card now contains {Vi, Bi, bi, Ri, Hi, h(·)}.
2.2. Login Phase

This phase is invoked whenever Ui requests to log into Sj. Ui inputs his identity IDi, password pwi, and the identity of the target server SIDj into his smart card, and the smart card performs the following steps:
Step L1. Ui’s smart card computes Ti = Vi⊕h(IDi || h(bi⊕pwi)) and Hi* = h(Ti), and then checks whether Hi* and Hi are identical. If they are not equal, the smart card rejects Ui; otherwise, the credentials of Ui are assured.
Step L2. The smart card generates nonce Ni and performs the following computations:
Ai = Bi⊕h(bi⊕pwi)
CIDi = h(bi⊕pwi)⊕h(Ti || Ai || Ni)
Pij = Ti⊕h(Ai || Ni || SIDj)
Qi = h(Bi || Ai || Ni)
Di = Ri⊕SIDj⊕Ni
C0 = h(Ai || Ni + 1 || SIDj).
Step L3. The smart card sends Ui’s login request {CIDi, Pij, Qi, Di, C0, Ni} to Sj.
2.3. Mutual Verification and Session Key Agreement Phase

In this phase, user Ui and server Sj authenticate each other. After the mutual authentication protocol has been completed, Ui and Sj each compute the session key SK. Ui and Sj perform the following steps:
Step V1. Upon receiving the login request, Sj generates nonce Nrj and computes Mjr = h(SIDj || y)⊕Nrj, and then sends the message {Mjr, SIDj, Di, C0, Ni} to registration center RC.
Step V2a. Upon receiving Sj’s message, RC computes Nrj’ = Mjr⊕h(SIDj || y), Ri’ = Di⊕SIDj⊕Ni, and Ai’ = Ri’⊕h(x⊕r).
Step V2b. RC computes C0’ = h(Ai’ || Ni + 1 || SIDj) and compares it with C0. If they are not equal, RC terminates the authentication protocol.
Step V2c. RC generates its own nonce Nrj and computes C1 = h(Nrj’ || h(SIDj || y) || Nrj) and C2 = Ai’⊕h(h(SIDj || y) || Nrj), and sends {C1, C2, Nrj} back to Sj.
Step V3. Upon receiving RC’s reply, Sj computes C1’ = h(Nrj || h(SIDj || y) || Nrj) (Sj’s own nonce first, RC’s nonce last) and compares it with C1. If they are not equal, Sj reports an RC authentication error and terminates the authentication protocol.
Step V4. Sj computes Ai = C2⊕h(h(SIDj || y) || Nrj), Ti = Pij⊕h(Ai || Ni || SIDj), h(bi⊕pwi) = CIDi⊕h(Ti || Ai || Ni), and Bi = Ai⊕h(bi⊕pwi).
Step V5. Sj computes h(Bi || Ai || Ni) and compares it with Qi. If they are not equal, Sj terminates the authentication protocol.
Step V6. Sj generates nonce Nj, computes Mij’ = h(Bi || Ni || Ai || SIDj), and sends {Mij’, Nj} back to Ui.
Step V7. Upon receiving Sj’s reply, Ui computes h(Bi || Ni || Ai || SIDj) and compares it with Mij’. If they are not equal, Ui aborts the connection; otherwise Sj is authenticated by Ui.
Step V8. Ui computes Mij” = h(Bi || Nj || Ai || SIDj) and sends Mij” back to Sj.
Step V9. Upon receiving Ui’s reply, Sj computes h(Bi || Nj || Ai || SIDj) and compares it with Mij”. If they are not equal, Sj terminates the authentication protocol; otherwise Ui is authenticated by Sj and the mutual authentication is completed. Ui and Sj then compute h(Bi || Ai || Ni || Nj || SIDj) as their session key SK.
2.4. Password Change Phase

In this phase, user Ui can update his password without the help of registration center RC. Ui and his smart card perform the following steps:
Step C1. Ui inserts his smart card into his card reader, inputs {IDi, pwi}, and requests to change the password.
Step C2. Upon receiving Ui’s request, the smart card computes Ti = Vi⊕h(IDi || h(bi⊕pwi)) and Hi* = h(Ti), and checks whether Hi* and Hi are equal. If not, the smart card rejects Ui; otherwise, Ui is asked to choose a new password pwinew.
Step C3. After Ui inputs pwinew, Ui’s smart card computes Vinew = Ti⊕h(IDi || h(bi⊕pwinew)) and Binew = Bi⊕h(bi⊕pwi)⊕h(bi⊕pwinew). Finally, Vinew and Binew are stored back to the smart card to replace Vi and Bi respectively.
3. Weaknesses of Hsiang-Shih’s Scheme

Hsiang and Shih claimed that their scheme is secure and provides mutual authentication. In this section, however, we show that Hsiang-Shih’s scheme cannot withstand user and server impersonation attacks. Their scheme is thus vulnerable to malicious users and insecure for practical applications.
3.1. User Impersonation Attack

First, we show that in Hsiang-Shih’s scheme a malicious user can easily impersonate another user without that user’s password and smart card. Suppose that there is a malicious user with identity Ua in Hsiang-Shih’s scheme. Since Ua is a legitimate user who can be authenticated by remote server Sj, Ua holds a smart card containing {Va, Ba, ba, Ra, Ha, h(·)}, and all of this authentication information is known to Ua. Ua manipulates both the authentication information stored on his own smart card and the collected communication flows of target user Ui to impersonate Ui by the following steps:
Step U1. Ua first computes Aa = Ba⊕h(ba⊕pwa) and obtains h(x⊕r) = Ra⊕Aa.
Step U2. Ua then retrieves Ui’s login request {CIDi, Pij, Qi, Di, C0, Ni} from the collected communication flows of user Ui, and performs the following computations:
Ri = Di⊕SIDj⊕Ni
Ai = Ri⊕h(x⊕r)
Ti = Pij⊕h(Ai || Ni || SIDj)
h(bi⊕pwi) = CIDi⊕h(Ti || Ai || Ni)
Bi = Ai⊕h(bi⊕pwi).
Step U3. Ua picks a nonce Na and performs the following computations:
CIDi* = h(bi⊕pwi)⊕h(Ti || Ai || Na)
Pij* = Ti⊕h(Ai || Na || SIDj)
Qi* = h(Bi || Ai || Na)
Di* = Ri⊕SIDj⊕Na
C0* = h(Ai || Na + 1 || SIDj).
Step U4. Ua sends the forged login request {CIDi*, Pij*, Qi*, Di*, C0*, Na} to Sj.
Step U5. Upon receiving the login request, Sj picks a nonce Nrj and computes Mjr = h(SIDj || y)⊕Nrj, and then sends the message {Mjr, SIDj, Di*, C0*, Na} to registration center RC.
Step U6a. Upon receiving Sj’s message, RC computes Nrj* = Mjr⊕h(SIDj || y), Ri* = Di*⊕SIDj⊕Na, and Ai* = Ri*⊕h(x⊕r). Note that Ri* = Ri and Ai* = Ai.
Step U6b. RC computes h(Ai* || Na + 1 || SIDj) and checks that it equals C0*. Since Ai* = Ai, the check passes.
Step U6c. RC picks a nonce Nrj and computes C1* = h(Nrj* || h(SIDj || y) || Nrj) and C2* = Ai*⊕h(h(SIDj || y) || Nrj), and then sends {C1*, C2*, Nrj} back to Sj.
Step U7. Upon receiving RC’s reply, Sj computes C1’ = h(Nrj || h(SIDj || y) || Nrj) and checks that C1’ = C1*.
Step U8. Sj computes Ai’ = C2*⊕h(h(SIDj || y) || Nrj), Ti’ = Pij*⊕h(Ai’ || Na || SIDj), h(bi⊕pwi)’ = CIDi*⊕h(Ti’ || Ai’ || Na), and Bi’ = Ai’⊕h(bi⊕pwi)’.
Step U9. Sj computes Qi’ = h(Bi’ || Ai’ || Na) and verifies that Qi’ = Qi*.
Step U10. Sj picks a nonce Nj, computes Mij* = h(Bi’ || Na || Ai’ || SIDj), and sends {Mij*, Nj} back to Ua.
Step U11. Upon receiving Sj’s reply, Ua computes h(Bi || Na || Ai || SIDj) and checks whether it equals Mij*.
Step U12. Ua computes Mij** = h(Bi || Nj || Ai || SIDj) and sends Mij** back to Sj.
Step U13. Upon receiving Ua’s reply, Sj computes h(Bi’ || Nj || Ai’ || SIDj) and checks whether it equals Mij**. Since Ai’ = Ai and Bi’ = Bi, the equation holds, Ua is authenticated as Ui by Sj, and the mutual authentication is completed. Ua and Sj also establish their common session key SK = h(Bi || Ai || Na || Nj || SIDj).

As shown above, Ua’s forged login request is accepted by Sj, and Sj is fooled into believing that malicious user Ua is the authenticated user Ui. Ua is permitted to access Sj’s resources as Ui. Ua is able to impersonate Ui without Ui’s password and smart card, and therefore Hsiang-Shih’s scheme is vulnerable to user impersonation attacks.
3.2. Server Impersonation Attack

In this subsection, it is shown that in Hsiang-Shih’s scheme a malicious user can easily impersonate a remote server without the secret information shared between the servers and the registration center. Suppose that there is a malicious user with identity Ua in Hsiang-Shih’s scheme. Ua tries to impersonate remote server Sj in order to cheat user Ui. Ui sends his login request {CIDi, Pij, Qi, Di, C0, Ni} to Ua, who is posing as Sj. Using h(x⊕r) = Ra⊕Aa and the procedure discussed in the previous subsection (Section 3.1), Ua obtains:
Ri = Di⊕SIDj⊕Ni
Ai = Ri⊕h(x⊕r)
Ti = Pij⊕h(Ai || Ni || SIDj)
h(bi⊕pwi) = CIDi⊕h(Ti || Ai || Ni)
Bi = Ai⊕h(bi⊕pwi).
Since Ua now has Ai, Ti, h(bi⊕pwi), and Bi, Ua can compute h(Bi || Ai || Ni) directly, without the help of registration center RC. Ua picks a nonce Na, computes Mij’ = h(Bi || Ni || Ai || SIDj), and challenges Ui with the message {Mij’, Na}. Ui’s check in Step V7 succeeds, so Ua and Ui establish the common session key SK = h(Bi || Ai || Ni || Na || SIDj) at the end of Hsiang-Shih’s protocol. As shown above, Ui is fooled into believing that malicious user Ua is the authentic server Sj; Ua can thus play the role of Sj and control Ui’s requests to Sj. Ua is able to impersonate Sj without the help of RC, and therefore Hsiang-Shih’s scheme is vulnerable to server impersonation attacks.
3.3. Security Flaw

The results of the above two subsections show that in Hsiang-Shih’s scheme any legitimate user can easily compute h(x⊕r): Ri is stored in the clear on his own smart card and Ai = Bi⊕h(bi⊕pwi) follows from the card contents and his own password, so h(x⊕r) = Ri⊕Ai. This value is the same for every user, and it is the only secret that protects the login request of every other user. Any legitimate user in their scheme is therefore able to perform user and server impersonation attacks, and Hsiang-Shih’s scheme fails to provide mutual authentication.
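The review in Section 2 and the two attacks of Sections 3.1 and 3.2 can be checked end to end in a few dozen lines. The following Python is an added example written for this page, not code from the paper or from Hsiang and Shih. Its assumptions: SHA-256 stands in for h(·); every identifier, password and nonce is padded to a 32-byte field so that ⊕ and || are well defined; Ni + 1 is 256-bit wraparound arithmetic; the registration center's nonce of Step V2c is named n_rc to keep it apart from Sj's Nrj (the page writes both as Nrj); and the RegistrationCenter class, the dictionary layout of the card and the request, the sample identities and all function names are inventions of the example. demo() runs an honest login of Ui, then replays Section 3.1 (Ua forges a fresh login as Ui from his own card plus one captured request) and Section 3.2 (Ua answers a later login of Ui as Sj), and returns whether each run was accepted.

```python
import hashlib
import os

def h(*parts):  # h(a || b || ...): SHA-256 over plain concatenation; every field is 32 bytes
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def inc(n):  # N + 1 as used in C0 = h(A || N+1 || SID), a 256-bit wraparound counter
    return ((int.from_bytes(n, "big") + 1) % 2**256).to_bytes(32, "big")

class RegistrationCenter:
    def __init__(self):
        self.x, self.r, self.y = os.urandom(32), os.urandom(32), os.urandom(32)

    def server_secret(self, SID):  # h(SID_j || y), shared with S_j only
        return h(SID, self.y)

    def register(self, ID, hbpw):  # steps R3/R4; hbpw = h(b ⊕ pw) arrives over a secure channel
        T = h(ID, self.x)
        A = xor(h(hbpw, self.r), h(xor(self.x, self.r)))
        return {"V": xor(T, h(ID, hbpw)), "B": xor(A, hbpw), "H": h(T), "R": h(hbpw, self.r)}

    def verify_for_server(self, SID, Mjr, D, C0, N):  # steps V2a-V2c
        s, n_rc = self.server_secret(SID), os.urandom(32)  # n_rc: RC's nonce (Nrj on the page)
        n_rj = xor(Mjr, s)
        A = xor(xor(xor(D, SID), N), h(xor(self.x, self.r)))  # R' = D⊕SID⊕N, A' = R'⊕h(x⊕r)
        if h(A, inc(N), SID) != C0:
            raise ValueError("RC: C0 mismatch")
        return h(n_rj, s, n_rc), xor(A, h(s, n_rc)), n_rc  # C1, C2, RC's nonce

def build_request(T, A, B, R, hbpw, SID, N):  # step L2, from the secrets of whoever calls it
    return {"CID": xor(hbpw, h(T, A, N)), "P": xor(T, h(A, N, SID)), "Q": h(B, A, N),
            "D": xor(xor(R, SID), N), "C0": h(A, inc(N), SID), "N": N}

def login(card, b, ID, pw, SID):  # steps L1-L3 on U_i's card; returns request and card state
    hbpw = h(xor(b, pw))
    T = xor(card["V"], h(ID, hbpw))
    if h(T) != card["H"]:
        raise ValueError("card: wrong ID or password")
    A, N = xor(card["B"], hbpw), os.urandom(32)
    return build_request(T, A, card["B"], card["R"], hbpw, SID, N), (A, card["B"], N)

def server_accept(rc, SID, req):  # steps V1 and V3-V6 at S_j
    secret, n_rj = rc.server_secret(SID), os.urandom(32)
    C1, C2, n_rc = rc.verify_for_server(SID, xor(secret, n_rj), req["D"], req["C0"], req["N"])
    if C1 != h(n_rj, secret, n_rc):
        raise ValueError("S_j: RC authentication error")
    A = xor(C2, h(secret, n_rc))
    T = xor(req["P"], h(A, req["N"], SID))
    B = xor(A, xor(req["CID"], h(T, A, req["N"])))  # B = A ⊕ h(b⊕pw)
    if h(B, A, req["N"]) != req["Q"]:
        raise ValueError("S_j: Q mismatch")
    Nj = os.urandom(32)
    return h(B, req["N"], A, SID), Nj, (A, B, req["N"])  # Mij', Nj, state for step V9

def client_finish(state, SID, Mij, Nj):  # steps V7-V8 at U_i; returns Mij'' and SK
    A, B, N = state
    if Mij != h(B, N, A, SID):
        raise ValueError("U_i: server authentication failed")
    return h(B, Nj, A, SID), h(B, A, N, Nj, SID)

def server_finish(sstate, SID, Nj, Mij2):  # step V9 at S_j; returns SK
    A, B, N = sstate
    if Mij2 != h(B, Nj, A, SID):
        raise ValueError("S_j: user authentication failed")
    return h(B, A, N, Nj, SID)

def leak_hxr(card_a, b_a, pw_a):  # step U1: h(x⊕r) = R_a ⊕ A_a with A_a = B_a ⊕ h(b_a⊕pw_a)
    return xor(card_a["R"], xor(card_a["B"], h(xor(b_a, pw_a))))

def recover_user_secrets(hxr, req, SID):  # step U2 on one captured login request of U_i
    R = xor(xor(req["D"], SID), req["N"])
    A = xor(R, hxr)
    T = xor(req["P"], h(A, req["N"], SID))
    hbpw = xor(req["CID"], h(T, A, req["N"]))
    return T, A, hbpw, xor(A, hbpw), R

def demo():
    rc, SID = RegistrationCenter(), b"server-j".ljust(32, b"\0")  # constructed sample identities
    IDi, pwi, bi = b"alice".ljust(32, b"\0"), b"alice-pw".ljust(32, b"\0"), os.urandom(32)
    IDa, pwa, ba = b"mallory".ljust(32, b"\0"), b"mallory-pw".ljust(32, b"\0"), os.urandom(32)
    card_i, card_a = rc.register(IDi, h(xor(bi, pwi))), rc.register(IDa, h(xor(ba, pwa)))
    req_i, st_i = login(card_i, bi, IDi, pwi, SID)  # honest run; U_a only records req_i
    Mij, Nj, sst = server_accept(rc, SID, req_i)
    Mij2, sk_i = client_finish(st_i, SID, Mij, Nj)
    honest = server_finish(sst, SID, Nj, Mij2) == sk_i
    T, A, hbpw, B, R = recover_user_secrets(leak_hxr(card_a, ba, pwa), req_i, SID)  # 3.1
    Na = os.urandom(32)
    Mij_f, Nj_f, sst_f = server_accept(rc, SID, build_request(T, A, B, R, hbpw, SID, Na))
    Mij2_f, sk_a = client_finish((A, B, Na), SID, Mij_f, Nj_f)
    user_imp = server_finish(sst_f, SID, Nj_f, Mij2_f) == sk_a
    req_2, st_2 = login(card_i, bi, IDi, pwi, SID)  # 3.2: U_a answers U_i's next login as S_j
    Na2 = os.urandom(32)
    _, sk_victim = client_finish(st_2, SID, h(B, req_2["N"], A, SID), Na2)  # no RC, no h(SID||y)
    server_imp = sk_victim == h(B, A, req_2["N"], Na2, SID)
    return {"honest": honest, "user_impersonation": user_imp, "server_impersonation": server_imp}
```

Two points stand out in the run. h(x⊕r) comes straight out of Ua's own card (Ra ⊕ Ba ⊕ h(ba⊕pwa)), so Step U1 needs no interaction with RC or Sj at all. And Ti, Ai, Bi, Ri are static per user, so the values recovered from a single captured request (req_i in demo()) are reused unchanged for the server impersonation against a later login of Ui; nothing has to be recovered a second time.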
4. Conclusions

In this paper, we have demonstrated that Hsiang-Shih’s scheme is vulnerable to user and server impersonation attacks. Hsiang and Shih claimed that their scheme maintains the benefits and increases the security of Liao-Wang’s scheme, while providing the mutual authentication that Liao-Wang’s scheme lacks. However, our analysis shows that a malicious user in Hsiang-Shih’s scheme can not only easily impersonate another user to access remote servers without that user’s password, but can also masquerade as any remote server to cheat another user without the secret information issued by the registration center. Thus their scheme is insecure for practical applications.
5. References

[1] M.L. Das, A. Saxena, V.P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629–631, 2004.
[2] H.C. Hsiang, W.K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, Vol. 31, No. 6, pp. 1118–1123, 2009.
[3] T.L. Hwang, Y.H. Chen, C.S. Laih, “Non-interactive password authentication without password tables,” IEEE Region 10 Conference on Computer and Communication System, Vol. 1, pp. 429–431, 1990.
[4] W.S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 251–255, 2004.
[5] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, Vol. 24, No. 11, pp. 770–772, 1981.
[6] W.B. Lee, C.C. Chang, “User identification and key distribution maintaining anonymity for distributed computer network,” Computer Systems Science and Engineering, Vol. 15, No. 4, pp. 211–214, 2000.
[7] Y.P. Liao, S.S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, Vol. 31, No. 1, pp. 24–29, 2009.
[8] W.J. Tsuar, C.C. Wu, W.B. Lee, “A flexible user authentication for multi-server internet services,” Networking-JCN2001, Lecture Notes in Computer Science, Vol. 2093, pp. 174–183, Springer-Verlag, 2001.