Security Enhancement of a Remote User Authentication Scheme Using Smart Cards

Youngsook Lee, Junghyun Nam, and Dongho Won
Information Security Group, Sungkyunkwan University, Korea
{yslee, jhnam, dhwon}@security.re.kr

Abstract. Designing cryptographic protocols well suited for today's distributed large networks poses great challenges in terms of cost, performance, user convenience, functionality, and above all security. As has been pointed out for many years, even designing a two-party authentication scheme is extremely error-prone. This paper discusses the security of Lee et al.'s remote user authentication scheme making use of smart cards. Lee et al.'s scheme was proposed to solve the security problem with Chien et al.'s authentication scheme and was claimed to provide mutual authentication between the server and the remote user. However, we demonstrate that Lee et al.'s scheme only achieves unilateral authentication: only the server can authenticate the remote user, but not vice versa. In addition, we recommend changes to the scheme that fix the security vulnerability.

Keywords: Authentication scheme, password, smart card, parallel session attack, reflection attack.

1 Introduction

A mutual authentication scheme is a two-party protocol designed to allow the communicating parties to confirm each other's identity over a public, insecure network. Authentication schemes are necessary for secure communication because one needs to know with whom one is communicating before sending sensitive information. Achieving any form of authentication inevitably requires some secret information to be established between the communicating parties in advance of the authentication stage. Cryptographic keys, either secret keys for symmetric cryptography or private/public keys for asymmetric cryptography, may be one form of the underlying secret information pre-established between the parties. However, these high-entropy cryptographic keys are random in appearance and thus difficult for humans to remember, entailing a significant amount of administrative work and cost. It is largely because of this drawback that password-based authentication came to be widely used in practice. Passwords are drawn from a relatively small space like a dictionary, and are easier for humans to remember than cryptographic keys with high entropy. The possibility of password-based user authentication in remotely accessed computer systems was explored as early as the work of Lamport [10]. Due in large part to the practical significance of password-based authentication, this initial work has been followed by a great deal of studies and proposals, including solutions using multi-application smart cards [4,14,8,13,5,16,15]. In a typical password-based authentication scheme using smart cards, remote users are authenticated using their smart card as an identification token; the smart card takes as input a password from the user, recovers a unique identifier from the user-given password, creates a login message using the identifier, and then sends the login message to the server, which then checks the validity of the login request before allowing access to any services or resources. This way, the administrative overhead of the server is greatly reduced and the remote user needs to remember only his password to log on. Besides just creating and sending login messages, smart cards support mutual authentication, where a challenge-response interaction between the card and the server takes place to verify each other's identity. Mutual authentication is a critical requirement in most real-world applications, where one's private information should not be released to anyone until mutual confidence is established. Indeed, phishing attacks [1] are closely related to the lack of server authentication, and are a growing problem for many organizations and Internet users. Experience has shown that the design of secure authentication schemes is not an easy task, especially in the presence of an active intruder; there is a long history of schemes in this domain being proposed and subsequently broken by attacks (e.g., [6,2,3,12,7,16,15,9]).

This work was supported by the Korean Ministry of Information and Communication under the Information Technology Research Center (ITRC) support program supervised by the Institute of Information Technology Assessment (IITA). Corresponding author.

R. Meersman, Z. Tari, P. Herrero et al. (Eds.): OTM Workshops 2006, LNCS 4277, pp. 508–516, 2006. © Springer-Verlag Berlin Heidelberg 2006
Therefore, authentication schemes must be subjected to the strictest scrutiny possible before they can be deployed in an untrusted, open network. In 2000, Sun [13] proposed a remote user authentication scheme using smart cards. Compared with the earlier work of Hwang and Li [8], this scheme is extremely efficient in terms of computational cost, since the protocol participants perform only a few hash function operations. In 2002, Chien et al. [5] presented another remote user authentication scheme which improves on Sun's scheme in two ways: it provides mutual authentication and allows users to freely choose their passwords. However, Hsu [7] has pointed out that Chien et al.'s scheme is vulnerable to a parallel session attack: an intruder can masquerade as a legitimate user by using the server's response from an honest session as a valid login message for a fake, parallel session. To patch this vulnerability, Lee et al. [11] have recently presented a slightly modified version of Chien et al.'s scheme and have claimed, among other things, that their modified version achieves mutual authentication between the server and the remote user. Contrary to this claim, their modification only achieves unilateral authentication: only the server can authenticate the remote user, but not vice versa. In this paper, we demonstrate this by showing that Lee et al.'s revised scheme is still insecure against a reflection attack. Besides reporting the reflection attack on Lee et al.'s scheme, we also identify what has gone wrong with the scheme and how to fix it.

The remainder of this paper is organized as follows. We begin by reviewing Chien et al.'s remote user authentication scheme and its weakness in Section 2. We continue in Section 3 with a description of Lee et al.'s scheme. Then, we present a reflection attack on Lee et al.'s scheme in Section 4, and show how to prevent the attack in Section 5. Finally, we conclude this work in Section 6.

2 Review of Chien et al.'s Authentication Scheme and Its Weakness

This section reviews Chien et al.'s remote user authentication scheme [5] and Hsu's parallel session attack [7] on it. Chien et al.'s scheme consists of three phases: the registration phase, the login phase, and the verification phase. The registration phase is performed only once per user, when a new user registers with the server. The login and verification phases are carried out whenever a user wants to gain access to the server. A pictorial view of the scheme at a high level of abstraction is given in Fig. 1, where a dashed line indicates a secure channel, and a more detailed description follows.

2.1 Chien et al.'s Authentication Scheme

Registration Phase. Let x be the secret key of the authentication server (AS), and h be a secure one-way hash function. A user U_i who wants to register with the server AS chooses a password PW_i at will and submits a registration request, consisting of its identity ID_i and password PW_i, to AS via a secure channel. Then AS computes

    X_i = h(ID_i ⊕ x)  and  R_i = X_i ⊕ PW_i

and issues a smart card containing ⟨R_i, h*⟩ to U_i, where h* denotes the description of the hash function h.

Login Phase. When U_i wants to log in to the system, he inserts his smart card into a card reader and enters his identity ID_i and password PW_i. Given ID_i and PW_i, the smart card computes

    X_i = R_i ⊕ PW_i  and  C_1 = h(X_i ⊕ T_1),

where T_1 is the current timestamp. The smart card then sends the login request message ⟨ID_i, T_1, C_1⟩ to the server AS.

Verification Phase. With the login request message ⟨ID_i, T_1, C_1⟩, the scheme enters the verification phase, during which AS and U_i perform the following steps:

Step 1. Upon receiving the message ⟨ID_i, T_1, C_1⟩, the server AS checks that: (1) ID_i is valid, (2) T_2 − T_1 ≤ ΔT, where T_2 is the timestamp when AS received the login request message and ΔT is the maximum allowed time difference between T_1 and T_2, and, finally, (3) C_1 is equal to h(h(ID_i ⊕ x) ⊕ T_1). If any of these are untrue, AS rejects the login request and aborts the protocol. Otherwise, AS accepts the login request.

Step 2. Now, AS obtains the current timestamp T_3, computes C_2 = h(h(ID_i ⊕ x) ⊕ T_3), and sends the response message ⟨T_3, C_2⟩ to user U_i.

Step 3. After receiving the message ⟨T_3, C_2⟩ from AS, user U_i checks that: (1) T_4 − T_3 ≤ ΔT, where T_4 is the timestamp when U_i received the response message ⟨T_3, C_2⟩, and (2) C_2 equals h(X_i ⊕ T_3). If both of these conditions hold, U_i believes that he is talking to the authentic server. Otherwise, U_i aborts his login attempt.

[Fig. 1. Chien et al.'s remote user authentication scheme. Registration phase (secure channel): U_i sends ⟨ID_i, PW_i⟩; AS computes X_i = h(ID_i ⊕ x) and R_i = X_i ⊕ PW_i and issues the smart card ⟨R_i, h*⟩. Login phase: the card computes X_i = R_i ⊕ PW_i and C_1 = h(X_i ⊕ T_1) and sends ⟨ID_i, T_1, C_1⟩. Verification phase: AS checks that ID_i is valid, T_2 − T_1 ≤ ΔT and C_1 = h(h(ID_i ⊕ x) ⊕ T_1), then replies ⟨T_3, C_2⟩ with C_2 = h(h(ID_i ⊕ x) ⊕ T_3); U_i checks T_4 − T_3 ≤ ΔT and C_2 = h(X_i ⊕ T_3).]

2.2 Hsu's Attack on Chien et al.'s Scheme

As already mentioned, Hsu [7] showed that Chien et al.'s remote user authentication scheme is vulnerable to a parallel session attack through which an intruder E is easily able to gain access to the server by disguising herself as a legitimate user U_i. In Hsu's attack, E simply eavesdrops on AS's response message ⟨T_3, C_2⟩ for an honest session between U_i and AS, and immediately starts a parallel session by sending the forged login request message ⟨ID_i, T_3, C_2⟩ to the server AS. Since C_2 equals h(h(ID_i ⊕ x) ⊕ T_3), AS believes that the login request message ⟨ID_i, T_3, C_2⟩ comes from another instance of U_i, as long as the message arrives at AS before the timer expires, i.e., within ΔT of T_3. The vulnerability of Chien et al.'s scheme to this parallel session attack is mainly because the two authenticators C_1 and C_2 exchanged between the two authenticating parties are computed using the same cryptographic expression, h(h(ID_i ⊕ x) ⊕ timestamp). Indeed, this is a well-known fundamental flaw of authentication schemes that allows an intruder to use messages going in one direction to construct forged, but still valid, messages going in the opposite direction [6,2].

3 Lee et al.'s Authentication Scheme

To thwart the parallel session attack, Lee et al. [11] have recently presented an improved version of Chien et al.'s scheme. The registration and login phases of Lee et al.'s scheme are the same as those of Chien et al.'s scheme. Furthermore, the only difference between the verification phases of the two schemes is in the computation of C_2, i.e., C_2 = h(h(ID_i ⊕ x) ⊕ T_3) versus C_2 = h(h(h(ID_i ⊕ x) ⊕ T_3)). A high-level depiction of the verification phase of Lee et al.'s scheme is given in Fig. 2, and a more detailed description follows.

[Fig. 2. Lee et al.'s remote user authentication scheme. U_i holds PW_i and the card value R_i = X_i ⊕ PW_i; AS holds x. Login phase: the card computes X_i = R_i ⊕ PW_i and C_1 = h(X_i ⊕ T_1) and sends ⟨ID_i, T_1, C_1⟩. Verification phase: AS checks that ID_i is valid, T_2 − T_1 ≤ ΔT and C_1 = h(h(ID_i ⊕ x) ⊕ T_1), then replies ⟨T_3, C_2⟩ with C_2 = h(h(h(ID_i ⊕ x) ⊕ T_3)); U_i checks T_4 − T_3 ≤ ΔT and C_2 = h(h(X_i ⊕ T_3)).]

Verification Phase. The following steps are performed with the login request message ⟨ID_i, T_1, C_1⟩ being sent to AS by U_i:

Step 1. Upon receiving ⟨ID_i, T_1, C_1⟩, the server AS acquires the current timestamp T_2 and verifies that: (1) ID_i is valid, (2) T_2 − T_1 ≤ ΔT, where T_1 and ΔT are as defined in Chien et al.'s scheme, and (3) C_1 equals h(h(ID_i ⊕ x) ⊕ T_1). If all of these conditions hold, AS accepts the login request. Otherwise, AS rejects it and aborts the protocol.

Step 2. AS generates a new timestamp T_3, computes C_2 = h(h(h(ID_i ⊕ x) ⊕ T_3)), and sends the response message ⟨T_3, C_2⟩ to user U_i.

Step 3. Upon receipt of the response ⟨T_3, C_2⟩, user U_i generates a new timestamp T_4 and checks that: (1) T_4 − T_3 ≤ ΔT and (2) C_2 is equal to h(h(X_i ⊕ T_3)), where X_i = h(ID_i ⊕ x). If both of these conditions hold, U_i believes AS is authentic. Otherwise, U_i aborts his login attempt.

It is straightforward to see that Lee et al.'s authentication scheme is secure against Hsu's parallel session attack, since the intruder can no longer use the server's response C_2 in forging a valid login request message unless she can invert the hash function h.

4 Attack on Lee et al.'s Authentication Scheme

Unfortunately, Lee et al.'s remote user authentication scheme provides only unilateral authentication. To show this, we present a reflection attack in which an intruder impersonates AS to U_i. The attack scenario is outlined in Fig. 3 and is described in more detail as follows:

1. As usual, the verification phase begins when user U_i sends the login request message ⟨ID_i, T_1, C_1⟩ to the server AS.

2. But the intruder E intercepts this login request message and computes C_E = h(C_1). E then immediately sends the forged response message ⟨T_1, C_E⟩ to user U_i, alleging that it comes from the server AS.

3. The timestamp T_1 that U_i receives from E, who is posing as AS, is in fact the timestamp sent out by U_i himself. However, U_i cannot detect this fact, since the scheme does not require U_i to check whether or not the timestamp received from the server equals the one he sent; following the specification of the scheme is all that he can and should do. Hence, everything proceeds as usual: U_i checks that T_4 − T_1 ≤ ΔT and that C_E equals h(h(X_i ⊕ T_1)). Since C_E = h(C_1) = h(h(X_i ⊕ T_1)), the forged response message ⟨T_1, C_E⟩ passes the verification test as long as the condition T_4 − T_1 ≤ ΔT holds, which is indeed the case since E replies immediately.

[Fig. 3. Attack on Lee et al.'s authentication scheme. U_i, holding PW_i and R_i = X_i ⊕ PW_i, computes X_i = R_i ⊕ PW_i and C_1 = h(X_i ⊕ T_1) and sends ⟨ID_i, T_1, C_1⟩; the intruder E intercepts C_1, computes C_E = h(C_1) and returns ⟨T_1, C_E⟩; U_i checks T_4 − T_1 ≤ ΔT and C_E = h(h(X_i ⊕ T_1)), both of which hold.]

The basic idea of our attack is essentially the same as that of Hsu's parallel session attack on Chien et al.'s scheme: when an honest protocol participant sends a message to his authenticating party, the intruder eavesdrops on or intercepts the message and sends it (or a modified version of it) back to the message originator. Note that the same reflection attack also applies to Chien et al.'s scheme; there the intruder does not even need to hash C_1, since U_i accepts any ⟨T_3, C_2⟩ with C_2 = h(X_i ⊕ T_3), which the intercepted ⟨T_1, C_1⟩ already satisfies. Hence, we can say that the original scheme of Chien et al. does not guarantee any kind of authentication, neither user-to-server nor server-to-user. The problem with Lee et al.'s authentication scheme is that it fixes only one of the two problems and thus fails to achieve mutual authentication.

5 Preventing the Reflection Attack

We now figure out what is wrong with Lee et al.'s scheme and how to fix it, in the hope that no similar mistakes are made in the future.

5.1 Flaw in the Scheme

Lee et al. [11] claimed that their scheme prevents the intruder from impersonating AS to U_i. In support of this claim, they argue that the intruder cannot compute the server's response C_2 because she does not know the secret value X_i = h(ID_i ⊕ x). But this argument is flawed. To compute C_2 = h(h(h(ID_i ⊕ x) ⊕ timestamp)), the intruder does not need to know X_i; it suffices to know the value h(h(ID_i ⊕ x) ⊕ timestamp), and for the timestamp T_1 this is exactly what the user's own authenticator C_1 = h(X_i ⊕ T_1) provides. It is this flaw that has led us to the reflection attack, in which the intruder easily succeeds in impersonating AS to U_i. Exploiting this flaw, the intruder E intercepts the login request message carrying C_1 and immediately sends ⟨T_1, C_E = h(C_1)⟩ back to U_i. We emphasize again that C_E is a valid response as long as it arrives within the time window.

5.2 Countermeasure

One obvious solution to this vulnerability is to modify the cryptographic expressions used in computing C_1 and C_2 so that it is infeasible for the intruder to compute C_2 from C_1. We therefore change the computation of C_1 and C_2 to

    C_1 = h(ID_i, h(ID_i ⊕ x), T_1)  and  C_2 = h(ID_i, C_1, h(ID_i ⊕ x), T_3),

where the arguments of h are concatenated using an unambiguous encoding (e.g., fixed-width or length-prefixed fields), so that different argument tuples cannot yield the same hash input. With this modification, the intruder can no longer mount the reflection attack. An intruder who wants to impersonate AS to U_i cannot forge a valid server response from the login request message ⟨ID_i, T_1, C_1⟩, because C_2 cannot be computed from C_1 without knowing the secret value h(ID_i ⊕ x). Our modification also prevents Hsu's parallel session attack. Even if the intruder eavesdrops on the server's response message ⟨T_3, C_2⟩, she is unable to construct from it a valid login request message, because C_1 cannot be computed from C_2 without knowing h(ID_i ⊕ x). Therefore, neither Hsu's parallel session attack nor our reflection attack can be applied to the fixed scheme. Note that the two authenticators now differ in structure, and that C_2 additionally binds the server's response to the particular login request C_1 it answers, so a message sent in one direction can never serve as a message in the other.

6 Conclusion

A password-based scheme for remote user authentication using smart cards was proposed in the recent work of Lee et al. [11]. Despite its many merits, Lee et al.'s scheme only achieves unilateral authentication, contrary to the claim that the scheme provides mutual authentication. To demonstrate this, we have shown that the scheme is vulnerable to a reflection attack in which an intruder is easily able to impersonate the authentication server to users. In addition, we have recommended a small change to the scheme that addresses the identified security problem.

References

1. Anti-Phishing Working Group, http://www.antiphishing.org.
2. R. Bird, I. Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Molva, and M. Yung, "Systematic design of a family of attack-resistant authentication protocols", IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, pp. 679–693, 1993.
3. U. Carlsen, "Cryptographic protocol flaws: know your enemy", In Proc. 7th IEEE Computer Security Foundations Workshop, pp. 192–200, 1994.
4. C.-C. Chang and T.-C. Wu, "Remote password authentication with smart cards", IEE Proceedings E - Computers and Digital Techniques, vol. 138, no. 3, pp. 165–168, 1991.
5. H.-Y. Chien, J.-K. Jan, and Y.-M. Tseng, "An efficient and practical solution to remote authentication: smart card", Computers & Security, vol. 21, no. 4, pp. 372–375, 2002.
6. W. Diffie, P. C. van Oorschot, and M. J. Wiener, "Authentication and authenticated key exchange", Designs, Codes and Cryptography, vol. 2, no. 2, pp. 107–125, 1992.
7. C.-L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards", Computer Standards and Interfaces, vol. 26, no. 3, pp. 167–169, 2004.
8. M.-S. Hwang and L.-H. Li, "A new remote user authentication scheme using smart cards", IEEE Trans. on Consumer Electronics, vol. 46, no. 1, pp. 28–30, 2000.
9. W.-C. Ku, S.-T. Chang, and M.-H. Chiang, "Weaknesses of a remote user authentication scheme using smart cards for multi-server architecture", IEICE Trans. on Communications, vol. E88-B, no. 8, pp. 3451–3454, 2005.
10. L. Lamport, "Password authentication with insecure communication", Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
11. S.-W. Lee, H.-S. Kim, and K.-Y. Yoo, "Improved efficient remote user authentication scheme using smart cards", IEEE Trans. on Consumer Electronics, vol. 50, no. 2, pp. 565–567, 2004.
12. G. Lowe, "An attack on the Needham-Schroeder public-key authentication protocol", Information Processing Letters, vol. 56, no. 3, pp. 131–133, 1995.
13. H.-M. Sun, "An efficient remote user authentication scheme using smart cards", IEEE Trans. on Consumer Electronics, vol. 46, no. 4, pp. 958–961, 2000.
14. W.-H. Yang and S.-P. Shieh, "Password authentication schemes with smart card", Computers & Security, vol. 18, no. 8, pp. 727–733, 1999.
15. E.-J. Yoon, W.-H. Kim, and K.-Y. Yoo, "Security enhancement for password authentication schemes with smart cards", In Proc. 2nd International Conference on Trust, Privacy, and Security in Digital Business (TrustBus'05), LNCS 3592, pp. 90–99, 2005.
16. E.-J. Yoon, E.-K. Ryu, and K.-Y. Yoo, "An Improvement of Hwang-Lee-Tang's simple remote user authentication scheme", Computers & Security, vol. 24, no. 1, pp. 50–56, 2005.