IEEE COMMUNICATIONS LETTERS, VOL. 13, NO. 2, FEBRUARY 2009

User Authentication Scheme with Privacy-Preservation for Multi-Server Environment

Ren-Chiun Wang, Wen-Shenq Juang, and Chin-Laung Lei, Member, IEEE

Abstract—New user authentication schemes for the multiple-servers environment were proposed by Liao-Wang and Tsai. In their schemes, application servers do not need to maintain a verification table, an admired merit that was not addressed by previous scholarship. Besides, the privacy of users is also addressed in Liao-Wang's scheme. In this article, we show that their schemes are not secure against the server spoofing and the impersonation attacks. Then we propose a robust user authentication scheme that withstands these attacks and keeps the same merits.

Index Terms—Authentication, multi-server architecture, password, privacy, smart card.

Manuscript received November 9, 2008. The associate editor coordinating the review of this letter and approving it for publication was D. Kundur. R.-C. Wang and C.-L. Lei (corresponding author) are with the Department of Electrical Engineering, National Taiwan University (e-mail: [email protected], [email protected]). W.-S. Juang is with the Department of Information Management, National Kaohsiung First University of Science and Technology (e-mail: [email protected]). This work is supported in part by National Science Council under the Grant NSC 96-2628-E-002-182-MY3, NSC 97-2221-E-327-036, and Taiwan Information Security Center (TWISC), NSC 97-2219-E-001-001. Digital Object Identifier 10.1109/LCOMM.2009.081884

I. INTRODUCTION

Many smart card-based user authentication with key agreement schemes for multiple servers were proposed to keep the following merits [1]: (1) single registration; (2) user friendly; (3) preventing the replay, the password guessing without smart cards, the impersonation and the stolen-verifier attacks [2]; (4) keeping free from the serious time synchronization problem; (5) preventing the servers from impersonating other servers to cheat users or from masquerading some users to obtain the services of other servers. Recently, Tsai [3] proposed a user authentication scheme for multi-server architecture. In his scheme, the application servers do not need to maintain a verification table and the computation cost is low. At the same time, Liao and Wang [4] proposed a user authentication scheme to meet the same merits. Besides, in their scheme, the identities of users will not be traced by any users (we call it Merit 6). In this article, we show that those schemes still suffer from the server spoofing and the impersonation attacks. Then we propose a user identification scheme that keeps the privacy of users and the above merits at the same time for the multi-server environment. Also, in our scheme, even if the secret information stored in a smart card is compromised [5], the off-line password guessing attack is still not successful (we call it Merit 7).

II. REVIEW OF TWO AUTHENTICATION SCHEMES

A. Notations

Ui and Sj denote the ith user and the jth server; RC and SC denote the registration center and the smart card; IDi and SIDj denote the identities of Ui and Sj; PWi and CIDi denote the password and the dynamic identity of Ui; h(·) denotes a one-way hash function; xRC and yRC are two master secret keys held by RC; y is a secret number pre-shared between RC and all servers; Ni, Nj and NRC are random nonces chosen by Ui, Sj and RC respectively; ⊕ denotes the exclusive-OR operation; || denotes the concatenation of two strings; E_K(M) means that a symmetric encryption algorithm encrypts a plaintext M by using a key K; D_K(C) means that a symmetric decryption algorithm decrypts a ciphertext C by using a key K.

B. Liao-Wang's scheme [4]

The authors claimed that their scheme provides two admired merits: the real identities of users are not exposed over networks, and the application servers do not need to maintain a verification table. In the registration phase, Ui submits IDi and PWi to RC. Then RC calculates Ti = h(IDi || xRC), Hi = h(Ti), Vi = Ti ⊕ h(IDi || PWi) and Bi = h(PWi) ⊕ h(xRC), and writes (Vi, Bi, Hi, h(·), y) into SC. RC sends SC back to Ui via a secure channel. We use Figure 1 to introduce the other phases.

Fig. 1. Liao and Wang's scheme (message flow reconstructed from the figure text).
Login Phase (User Ui, Smart Card, Server Sj):
(1) Ui → SC: IDi*, SIDj, PWi*.
(2) SC: Ti* = Vi ⊕ h(IDi* || PWi*) and Hi* = h(Ti*); check Hi* ?= Hi; generate Ni.
(3) SC: CIDi = h(PWi) ⊕ h(Ti || y || Ni); Pij = Ti ⊕ h(y || Ni || SIDj) = h(IDi || xRC) ⊕ h(y || Ni || SIDj); Qi = h(Bi || y || Ni).
Mutual Verification and Session Key Agreement Phase (Smart Card, Server Sj):
(1) SC → Sj: CIDi, Pij, Qi, Ni.
(2) Sj: Ti = Pij ⊕ h(y || Ni || SIDj); h(PWi) = CIDi ⊕ h(Ti || y || Ni); Bi = h(PWi) ⊕ h(xRC).
(3) Sj: check h(Bi || y || Ni) ?= Qi.
(4) Sj: Mij1 = h(Bi || y || Ni || SIDj) and generate Nj; Sj → SC: Nj, Mij1.
(5) SC: check h(Bi || y || Ni || SIDj) ?= Mij1; Mij2 = h(Bi || y || Nj || SIDj).
(6) SC → Sj: Mij2.
(7) Sj: check h(Bi || y || Nj || SIDj) ?= Mij2.
(8) Both sides: SK = h(Bi || Ni || Nj || y || SIDj).

C. Tsai's scheme [3]

In Tsai's scheme, the computation cost is low since only one-way hash operations are required, and the application servers do not need to maintain a verification table. In the user registration phase, Ui submits (IDi, PWi) to RC. RC calculates Ri = h(IDi || xRC) and C0 = h(PWi) ⊕ Ri and writes (C0, h(·)) into SC. RC sends SC back to Ui via a secure

channel. RC shares the secret keys h(SIDj || yRC) with all servers Sj in advance. The other phases are introduced in Figure 2.

© 2009 IEEE 1089-7798/09$25.00

Fig. 2. Tsai's scheme (message flow reconstructed from the figure text).
Login Phase (User Ui, Smart Card, Server Sj):
(1) Ui → SC: IDi, PWi.
(2) SC: Ri = C0 ⊕ h(PWi); generate Ni; C1 = Ri ⊕ Ni.
(3) SC → Sj: IDi, C1.
Authentication Server and Registration Center Phase (Server Sj, Registration Center):
(1) Sj: generate Nj; C2 = h(SIDj || yRC) ⊕ Nj.
(2) Sj → RC: IDi, C1, SIDj, C2.
(3) RC: Nj = C2 ⊕ h(SIDj || yRC) and Ni = h(IDi || xRC) ⊕ C1; generate NRC; C3 = NRC ⊕ h(SIDj || yRC).
(4) RC → Sj: C3.
(5) Sj: NRC = h(SIDj || yRC) ⊕ C3; C4 = h(h(SIDj || yRC) || Nj) ⊕ NRC.
(6) Sj → RC: C4.
(7) RC: check C4 ?= h(h(SIDj || yRC) || Nj) ⊕ NRC; C5 = h(h(SIDj || yRC) || Nj || NRC); C6 = h(h(SIDj || yRC) || Nj + 1 || NRC + 2) ⊕ h(h(IDi || xRC) || Ni).
(8) RC → Sj: C5, C6.
(9) Sj: C5' = h(h(SIDj || yRC) || Nj || NRC); check C5' ?= C5.
Authentication Server and User Phase (Smart Card, Server Sj):
(1) Sj: C7 = C6 ⊕ h(h(SIDj || yRC) || Nj + 1 || NRC + 2) = h(h(IDi || xRC) || Ni); generate Nij; C8 = C1 ⊕ C7 = h(IDi || xRC) ⊕ Ni ⊕ h(h(IDi || xRC) || Ni); C9 = h(C7 || Nij) ⊕ C8 and V2 = C7 ⊕ Nij.
(2) Sj → SC: V2, C9.
(3) SC: C7' = h(Ri || Ni); Nij = C7' ⊕ V2 and C8' = C7' ⊕ C1; C9' = h(C7' || Nij) ⊕ C8'; check C9' ?= C9; C10 = h(C7' || C8' || Nij).
(4) SC → Sj: C10.
(5) Sj: check C10 ?= h(C7 || C8 || Nij).
Session key: SK = h(C7 + 1 || C8 + 2 || Nij + 3) on Sj and SK = h(C7' + 1 || C8' + 2 || Nij + 3) on SC.

III. SECURITY ANALYSIS OF TWO AUTHENTICATION SCHEMES

A. Liao-Wang's scheme

Server spoofing attack: When a valid user Ui wants to obtain the service of Sj, another valid user Ui+1 can impersonate Sj to cheat Ui after intercepting the login request {CIDi, Pij, Qi, Ni}. We demonstrate the attack in Figure 3.

Impersonation attack: After user Ui logs into server Sj, Sj can impersonate this user to obtain the services of other servers Sj+1. We demonstrate the attack in Figure 4.

B. Tsai's scheme

Server spoofing attack: A valid malicious server Sj+1 stands in the middle of Ui and Sj. When Ui logs into Sj, Sj+1 can imitate Sj to communicate with Ui. We demonstrate the attack in Figure 5.

Impersonation attack: After Ui logs into Sj, Sj can imitate this user to get the services of other servers Sj+1 without the knowledge of the secret random number Ni. We demonstrate the attack in Figure 6.

Fig. 3. Server spoofing attack on Liao's scheme. [Figure: Login Phase and Mutual Verification and Session Key Agreement Phase between Smart Card (Ui) and a valid malicious user Ui+1; the message-flow diagram is not recoverable from the extracted text.]

Fig. 4. Impersonation attack on Liao's scheme. [Figure: Login Phase and Mutual Verification and Session Key Agreement Phase in which a valid malicious server replays Ui's login request to server Sj+1; the message-flow diagram is not recoverable from the extracted text.]

Fig. 5. Server spoofing attack on Tsai's scheme. [Figure: Login Phase, Authentication Server and Registration Center Phase, and Authentication Server and User Phase with a valid malicious server Sj+1 between User Ui and Server Sj; the message-flow diagram is not recoverable from the extracted text.]

IV. OUR SCHEME

We propose a privacy-preserving user authentication scheme based on the quadratic residue [6] for multi-server architecture. Before the system starts, RC selects two large prime numbers p and q to calculate the public key n = p × q. In the user registration phase, upon receiving a registration request from Ui, RC employs the master key xRC to calculate Ui's secret key SKi = h(IDi || xRC) and issues a SC to Ui, where SC includes (IDi, SKi, h(·), n). After receiving SC, Ui calculates SKi' = h(PWi) ⊕ SKi and replaces SKi with SKi'. Finally, SC includes (IDi, SKi', h(·), n). Similarly, RC pre-shares the secret keys SKj = h(SIDj || xRC) with all servers Sj. We use Figure 7 to demonstrate the other phases.
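The following is an added example, not code from the paper or its authors: a runnable model of the scheme above and of the Figure 7 message flow, written to show the two checks RC performs on a decrypted login request (SKi ?= h(IDi || xRC), and that the SIDj carried inside Reqi matches the server relaying it), which are also the points the analysis in Section V relies on. Everything not in the paper is an assumption: SHA-256 stands in for h(·), fields are concatenated with a 1-byte length prefix so "||" is unambiguous, keys and nonces are 32 bytes (Ni is 16 bytes), and p, q are two fixed, publicly known Mersenne primes so the example runs offline (a real RC generates and keeps its own secret primes). The identities alice, server-1 and server-2, the helper names, and the single register method standing in for both registration steps are likewise constructed for the example.

```python
import hashlib, random

# Added example (not the paper's code): the scheme of Section IV / Fig. 7 with SHA-256
# as h(.), the request Req_i = (ID_i||SK_i||SID_j||N_i)^2 mod n, RC's Rabin-style
# decryption, and RC's two checks (SK_i == h(ID_i||x_RC); SID_j bound inside Req_i).
# Assumptions: 1-byte length framing for "||", 32-byte keys/nonces, and two fixed,
# public Mersenne primes as p, q so the demo runs offline (a real RC keeps p, q secret).

P, Q = 2**521 - 1, 2**607 - 1          # both prime and = 3 (mod 4); toy values only

def pack(*fields):                     # unambiguous concatenation "a || b || ..."
    return b"".join(bytes([len(f)]) + f for f in fields)

def unpack(blob):                      # inverse of pack; None on malformed input
    out, i = [], 0
    while i < len(blob):
        n, i = blob[i], i + 1
        if n == 0 or i + n > len(blob): return None
        out.append(blob[i:i + n]); i += n
    return out

def h(*parts): return hashlib.sha256(pack(*parts)).digest()     # the paper's h(.)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def plus1(b): return ((int.from_bytes(b, "big") + 1) % 2**256).to_bytes(32, "big")

def rabin_roots(c, p, q):              # the four square roots of c mod n = p*q (CRT)
    n, rp, rq = p * q, pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    cp, cq = q * pow(q, -1, p), p * pow(p, -1, q)
    return {(a * cp + b * cq) % n for a in (rp, p - rp) for b in (rq, q - rq)}

class RegistrationCenter:
    def __init__(self, rng, p=P, q=Q):
        self.rng, self.p, self.q, self.n = rng, p, q, p * q     # n is the public key
        self.x_rc = rng.getrandbits(256).to_bytes(32, "big")   # master key x_RC

    def register(self, ident):         # SK_i = h(ID_i || x_RC) and SK_j = h(SID_j || x_RC)
        return h(ident, self.x_rc)

    def handle(self, req_i, sid_j, req_j):      # steps (3)-(4) of the server/RC phase
        for root in rabin_roots(req_i, self.p, self.q):
            f = unpack(root.to_bytes((root.bit_length() + 7) // 8, "big"))
            if f and len(f) == 4 and f[1] == h(f[0], self.x_rc):
                break                           # the SK_i check selects the right root
        else:
            return None, "no root carries a valid (ID_i, SK_i)"
        id_i, sk_i, sid_in_req, n_i = f
        if sid_in_req != sid_j:                 # a Req_i made for S_j presented for S_k
            return None, "Req_i is bound to another server"
        sk_j = h(sid_j, self.x_rc)
        n_j = xor(sk_j, req_j)                  # N_j' = SK_j xor Req_j
        n_rc = self.rng.getrandbits(256).to_bytes(32, "big")
        k_sc, r_ij = h(sk_j, n_j, n_rc), h(id_i, sid_j, n_i)
        res3 = h(sk_i, n_i, h(n_j))
        return (xor(h(sk_j, n_j), n_rc), xor(k_sc, r_ij), res3, h(k_sc, r_ij, res3)), "ok"

def user_login(id_i, sk_i, sid_j, n, rng):      # SC: Req_i = (ID_i||SK_i||SID_j||N_i)^2 mod n
    n_i = rng.getrandbits(128).to_bytes(16, "big")
    m = int.from_bytes(pack(id_i, sk_i, sid_j, n_i), "big")
    return pow(m, 2, n), n_i                    # m < n holds for these field sizes

def server_login(sk_j, rng):                    # S_j: Req_j = SK_j xor N_j
    n_j = rng.getrandbits(256).to_bytes(32, "big")
    return xor(sk_j, n_j), n_j

def server_verify_rc(sk_j, n_j, res):           # step (5): recover N_RC', K_SC, R_ij'
    res1, res2, res3, res4 = res
    k_sc = h(sk_j, n_j, xor(h(sk_j, n_j), res1))
    r_ij = xor(k_sc, res2)
    if h(k_sc, r_ij, res3) != res4:
        return None
    return r_ij, xor(r_ij, h(n_j)), res3        # R_ij', Res_j2, Res_RC3

def user_finish(id_i, sk_i, sid_j, n_i, res_j2, res_rc3):   # SC: steps (3)-(4)
    h_nj = xor(h(id_i, sid_j, n_i), res_j2)     # recover h(N_j')
    if h(sk_i, n_i, h_nj) != res_rc3:
        return None
    return h(plus1(h_nj)), h(sid_j, h_nj, h(id_i, sid_j, n_i))   # Res_i, SK

def server_finish(sid_j, n_j, r_ij, res_i):     # S_j: step (5)
    return h(sid_j, h(n_j), r_ij) if res_i == h(plus1(h(n_j))) else None

def run_session(seed=7):   # -> (keys agree?, RC verdict, verdict when Req_i is shown for S_k)
    rng = random.Random(seed)
    rc = RegistrationCenter(rng)
    id_i, sid_j, sid_k = b"alice", b"server-1", b"server-2"    # constructed identities
    sk_i, sk_j = rc.register(id_i), rc.register(sid_j)
    req_i, n_i = user_login(id_i, sk_i, sid_j, rc.n, rng)
    req_j, n_j = server_login(sk_j, rng)
    res, verdict = rc.handle(req_i, sid_j, req_j)
    r_ij, res_j2, res_rc3 = server_verify_rc(sk_j, n_j, res)
    res_i, sk_user = user_finish(id_i, sk_i, sid_j, n_i, res_j2, res_rc3)
    sk_server = server_finish(sid_j, n_j, r_ij, res_i)
    return sk_user == sk_server, verdict, rc.handle(req_i, sid_k, req_j)[1]

def forged_login_rejected(seed=3):   # a Req_i built without the real SK_i never passes RC
    rng = random.Random(seed)
    rc = RegistrationCenter(rng)
    req, _ = user_login(b"mallory", bytes(32), b"server-1", rc.n, rng)
    return rc.handle(req, b"server-1", bytes(32))[0] is None
```

run_session() walks one login from the login phase through both authentication phases and returns whether Ui and Sj end with the same SK, RC's verdict on the genuine request, and RC's verdict when the identical Reqi is presented as if it were meant for server-2: because SIDj sits inside the squared plaintext, RC can compare it with the SIDj asserted by the relaying server and refuse the mismatch, which is the "SIDj+1 is not included in Reqi" argument of Section V. The Rabin decryption yields four roots; RC picks the one whose embedded SKi equals h(IDi || xRC), so the SKi check doubles as the redundancy that disambiguates the root, and forged_login_rejected() shows that a request squared with the wrong SKi is refused for the same reason.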


Fig. 6. Impersonation attack on Tsai's scheme. [Figure: Login Phase, Authentication Server and Registration Center Phase, and Authentication Server and User Phase with a valid malicious server Sj replaying to server Sj+1; the message-flow diagram is not recoverable from the extracted text.]

Fig. 7. Our proposed scheme (message flow reconstructed from the figure text).
Login Phase (User Ui, Smart Card, Server Sj):
(1) Ui → SC: IDi, PWi.
(2) SC: generate Ni; Reqi = (IDi || SKi || SIDj || Ni)^2 mod n.
(3) SC → Sj: Reqi.
Authentication Server and Registration Center Phase (Server Sj, Registration Center):
(1) Sj: generate Nj; Reqj = SKj ⊕ Nj.
(2) Sj → RC: Reqi, SIDj, Reqj.
(3) RC: decrypt Reqi ⇒ (IDi || SKi || SIDj || Ni); check SKi ?= h(IDi || xRC); check SIDj in Reqi; SKj = h(SIDj || xRC); retrieve Nj' = SKj ⊕ Reqj; generate NRC; ResRC1 = h(SKj || Nj') ⊕ NRC; KSC = h(SKj || Nj' || NRC); Rij = h(IDi || SIDj || Ni); ResRC2 = KSC ⊕ Rij; ResRC3 = h(SKi || Ni || h(Nj')); ResRC4 = h(KSC || Rij || ResRC3).
(4) RC → Sj: ResRC1, ResRC2, ResRC3, ResRC4.
(5) Sj: retrieve NRC' = h(SKj || Nj) ⊕ ResRC1; KSC = h(SKj || Nj || NRC'); Rij' = KSC ⊕ ResRC2; check h(KSC || Rij' || ResRC3) ?= ResRC4.
Authentication Server and User Phase (Smart Card, Server Sj):
(1) Sj: Resj2 = Rij' ⊕ h(Nj).
(2) Sj → SC: Resj2, ResRC3.
(3) SC: retrieve h(Nj') = h(IDi || SIDj || Ni) ⊕ Resj2; check h(SKi || Ni || h(Nj')) ?= ResRC3; Resi = h(h(Nj') + 1); SK = h(SIDj || h(Nj') || h(IDi || SIDj || Ni)).
(4) SC → Sj: Resi.
(5) Sj: check Resi ?= h(h(Nj) + 1); SK = h(SIDj || h(Nj) || Rij').

TABLE I
COMPARISONS OF SATISFACTION OF THE CRITERIA

Criterion                                             Our   Liao-Wang   Tsai
Single registration                                   Yes   Yes         Yes
User friendly                                         Yes   Yes         Yes
Preventing the various attacks (1)                    Yes   No          No
No serious time synchronization problem               Yes   Yes         Yes
Preventing the server's impersonation attack (2)      Yes   No          No
User anonymity                                        Yes   Yes         No
Off-line password guessing attack with smart cards    Yes   No*         No*

*: Even if the scheme follows our idea, the scheme still suffers from the off-line password guessing attack.
(1): The attacks include the replay, the password guessing without smart cards, the impersonation and the stolen-verifier attacks.
(2): Preventing the servers from impersonating other servers to cheat users or from masquerading some users to obtain the services of other servers.

V. ANALYSIS

We show that well-known security threats do not work against our scheme and compare the satisfaction of the merits with Liao-Wang's [4] and Tsai's [3] schemes in Table I.

Server spoofing attack: (1) No valid malicious Sj can imitate a user Ui to create a new request without knowing SKi. (2) A malicious Sj+1 that replays the used request Resi to Sj will get Sj's response (Resj2, ResRC5); Sj+1 cannot derive h(Nj) and send the response Resi without Rij. (3) After Ui logs into Sj, Sj cannot employ the used Reqi to launch any well-known attack. (a) If Sj replays Resi to other servers Sj+1, RC will deny it since SIDj+1 is not included in Reqi. (b) Sj+1 cannot imitate Sj to cheat Ui since it does not have the capability to forge the response (Resj2, ResRC3) from the tapped messages (ResRC1, ResRC2, ResRC3, ResRC4) without knowing (SKj, Nj).

Impersonation attack: No adversary can imitate Ui to pass the verification of RC without the secret key SKi, and hence cannot obtain the services of the application servers Sj.

Off-line password guessing attack with smart cards: Assume that the adversary has tapped the communication channel and can extract the information (IDi, SKi', h(·), n) stored in the smart card. Then the adversary guesses a candidate password, computes h(PWi) and extracts SKi = h(PWi) ⊕ SKi'. The adversary will try to verify SKi using the tapped messages (Reqi, Reqj, ResRC1, ResRC2, ResRC3, ResRC4, Resj1, Resj2, Resi) on a local computer. If he can do that, the secret key SKi is known and the password PWi is guessed. (1) Under the concept of the quadratic residue, since the adversary does not know the secret key (p, q) of the system, the adversary cannot derive the content of Reqi. If the adversary wants to verify whether the guessed SKi is correct, the adversary must guess the high-entropy random number Ni, which cannot be done correctly in polynomial time. (2) Since SKj is unknown to the adversary and NRC and Nj are high-entropy random numbers, it is also hard for the adversary to guess or derive them from (Reqj, ResRC1, Resj1, Resi) in polynomial time. (3) For the same reason, without the knowledge of SKj, Nj, NRC and Ni, it is still hard for the adversary to verify whether the guessed SKi is valid from (ResRC2, ResRC3, ResRC4, Resj2).

REFERENCES

[1] W.-S. Juang, "Efficient multi-server password authenticated key agreement using smart cards," IEEE Trans. Consum. Electron., vol. 50, no. 1, pp. 251-255, 2004.
[2] T. Cao and D. Lin, "Cryptanalysis of two password authenticated key exchange protocols based on RSA," IEEE Commun. Lett., vol. 10, no. 8, pp. 623-625, 2006.
[3] J.-L. Tsai, "Efficient multi-server authentication scheme based on one-way hash function without verification table," Computers & Security, vol. 27, no. 3-4, pp. 115-121, 2008.
[4] Y.-P. Liao and S.-S. Wang, "A secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, vol. 31, no. 1, pp. 24-29, 2009.
[5] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. Advances in Cryptology, CRYPTO'99, pp. 388-397, 1999.
[6] C.-I Fan and C.-L. Lei, "Low-computation blind signature schemes based on quadratic residues," Electron. Lett., vol. 32, no. 17, pp. 1569-1570, 1996.
