Using IC Cards to Remotely Login Passwords without Verification Tables
Ching-Te Wang, General Education Center, National Chin-Yi Institute of Technology, Taiping, Taichung, Taiwan 411, R.O.C.
Chin-Chen Chang, Institute of Computer Science and Information Engineering, National Chung Cheng University, Taiwan, R.O.C.
Chu-Hsing Lin, Department of Computer and Information Sciences, Tunghai University, Taichung, Taiwan 407, R.O.C.
Abstract
A new remote password authentication scheme based on IC cards is proposed in this paper. Using the scheme, a remote password can be authenticated without either a password file or a verification table. A user first applies for an account at the financial organization and then uses the issued IC card to login. In the login phase, the user inputs the identity and password, and transmits the generated values to the center. In the authentication phase, the system uses its secret key and the remotely submitted message to verify whether the request is legal. A one-time random number and a timestamp protect against attacks that replay a previously intercepted login request. Further, owing to the characteristics of IC cards, the proposed scheme is very suitable for authenticating passwords remotely.
Keywords: Password authentication, discrete logarithms, one-way function, timestamp
1. Introduction
In a multi-user system, users can communicate with each other and share computing resources, but the problems of ensuring the privacy and secrecy of information are becoming more and more important. To prevent illegal disclosure, modification, or destruction of information by malicious users, several kinds of authentication schemes have been proposed. Among them, password authentication is the most widely used method because of its low cost, easy implementation and user friendliness.
In the conventional password authentication schemes, when a user intends to enter the system he/she has to submit his/her identity and a password [5, 6]. For the purpose of verification, one straightforward approach is to store the identity ID and the password PW of each user directly in a password table. The system then authenticates the submitted message using information from the password file. Obviously, such schemes cannot prevent the threat of passwords being revealed from the tables or files. To prevent the password file from being disclosed or modified, several approaches [2, 9, 10, 11] have been proposed that encode the passwords as test patterns or verification tables instead of a plain password file. However, those systems may still be insecure, since a malicious user may try to read and decrypt the passwords, delete a password, or destroy the file. The schemes in [1, 3] are non-interactive password authentication schemes without verification tables. They employ ElGamal’s signature method [8] and the Chinese remainder theorem. Each user’s password is combined with two numbers chosen by the center. However, users are burdened with multiple inputs when asked for the password values in the login phase. Recently, Chen and Jan [4] proposed a password authentication scheme without verification tables. In that scheme, each user computes a parameter from his/her password, which is combined with a timestamp to generate the user’s account. However, the users’ passwords are thus concealed in the account numbers. To prevent attacks from malicious users, the user’s account must be a very large integer: as stated in their scheme, the password contains at least 640 bits, so the user’s account number may have 200 digits. It is very impractical for users to employ such accounts. On the other hand, storing the user account file always needs a large memory space; normally, the memory space is greater than that of the original password table. Further, if a user needs to change his/her password for security reasons, the associated account must be changed too.
Inspired by Chen and Jan’s approach, we propose an improved password authentication scheme that solves the above problems. Our scheme has the following properties:
(1) The scheme is a non-interactive password authentication method.
(2) The center of the financial organization does not need to store any password files or verification tables for authentication.
(3) The user’s identity number and password are completely independent; changing a user’s password does not affect the account number.
(4) The scheme can prevent attacks that replay a previously intercepted login request.
In the next section, we briefly review Chen and Jan’s password authentication scheme. In Section 3, we propose the improved scheme. The security analysis and some comments are discussed in Section 4. Finally, conclusions are given in Section 5.
Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04) 0-7695-2051-0/04 $ 20.00 © 2004 IEEE
2. A Review of Chen and Jan’s Scheme
In this section, we review Chen and Jan’s remote password authentication scheme. In the scheme, every user has an IC card, which is issued and signed by the united card-issuing center. Each user, with his/her IC card, can apply for an account from a financial organization. There are four phases in the scheme.
In the first phase, the manager of the financial organization selects a large prime number $P$ and a primitive element $G$ over the Galois field GF($P$). Then, the manager randomly selects a secret key $SK \in [1, P-1]$ and computes the corresponding public key $PK = G^{SK} \bmod P$.
In the second phase, if a user $u_i$ intends to open an account, he/she takes his/her IC card to the center for registration. After checking the validity of the IC card, the center saves the timestamp $TS_i$ and the public values $P$, $G$, and $PK$ on the IC card. The user selects a short password kernel $x_i$, and the corresponding password $PW_i$ is generated by a one-way function $H()$, where $PW_i = H(x_i, \text{Personal Information}, \ldots)$. Further, from the password $PW_i$, a number $ME_i$ and the user’s account $ID_i$ are generated by the IC card and the associated terminal, where $ME_i = G^{PW_i} \bmod P$ and $ID_i$ is formed by combining $ME_i$ with $TS_i$, i.e. $ID_i = (TS_i, ME_i)$. The message $ID_i$ is transmitted to the center, which is responsible for creating the user’s account. Then the center computes the signature $SG_i = E_{SK}(ID_i)$ and saves it to the IC card.
In the login phase, the user $u_i$ takes his/her IC card to login on the terminal as follows:
Step 1. User $u_i$ inputs the password kernel $x_i$. The corresponding password $PW_i = H(x_i, \text{Personal Information}, \ldots)$ is generated by the IC card.
Step 2. User $u_i$ uses the IC card and the associated terminal to compute $ME_i = G^{PW_i} \bmod P$ and the user’s account $ID_i = (TS_i, ME_i)$.
Step 3. User $u_i$ uses the IC card to generate a random number $R$, and the associated terminal to compute the common key $CK = PK^{PW_i} \cdot G^{R} \bmod P$. In the same way, two numbers $XR$ and $TR$ are generated, where $XR = R \oplus ID_i \oplus SG_i$, $TR = E_{CK}(T, R)$ and $T$ is the current timestamp.
Step 4. The message $(ID_i, XR, TR)$ is transmitted to the center.
In the authentication phase, the center performs the following steps:
Step 1. The center checks the validity of $ID_i = (TS_i, ME_i)$.
Step 2. The center computes $SG_i = E_{SK}(ID_i)$ and recovers the random number $R' = XR \oplus ID_i \oplus SG_i$.
Step 3. The center computes the common key $CK = ME_i^{SK} \cdot G^{R'} \bmod P$.
Step 4. The center decrypts the number $TR$ with the common key $CK$ and checks whether $D_{CK}(TR) \stackrel{?}{=} (T', R')$. That is, the center checks whether the decrypted $R$ is the same as $R'$ from Step 2. The center also checks whether the difference between the timestamp $T$ and the current time $T'$ is reasonable.
However, the scheme has three disadvantages: (1) the password value is concealed in the account number; (2) the account number is always very large; (3) changing the password results in a change of the account number.
We will propose an improved password authentication scheme to solve these problems in the next section.
3. The Proposed Scheme
In this section, we use an IC card to implement an improved password authentication scheme. The IC card can store parameters in its memory and execute simple operations for generating and verifying the signature. Owing to these characteristics, IC cards are very suitable for commercial applications such as banks, credit cards and stock exchanges. Assume that the financial organization consists of two parts: the IC card issuing center (ISC) and the verification center (VC). When a user wants to create an account in the financial organization, he/she submits an application with his/her personal information to the VC. The VC checks the user's information and personal credit. Afterwards, the user's information is transmitted to the ISC. The ISC sets up an IC card that stores the user's information, including name, identification number, address, sex, birthday, etc. For security, the manager of the financial organization picks a large prime number $P$ and a primitive element $G$ of the Galois field GF($P$). Further, he selects a secret key $SK \in [1, P-1]$ and computes the associated public key $PK = G^{SK} \bmod P$ as in Diffie-Hellman's scheme [7]. The public parameters $P$, $G$, $PK$ and the registration timestamp $TS_i$ are also stored in the IC card by the ISC. After storing this information in the IC card, the VC notifies the user and hands over the IC card. Now the user is able to create his/her account. In the proposed scheme, each user $u_i$ may freely select an identity number $ID_i$ and a password $PW_i$. For the sake of security and of users' habits, users are allowed to freely select their own identity $ID_i$ and password $PW_i$. However, the disadvantage is that this may cause duplicate account numbers. So we use the transformed identity $TID_i$, generated by concatenating $TS_i$ with $ID_i$, i.e. $TID_i = TS_i \,\|\, ID_i$. Here $TID_i$ is unique.
On the other hand, a freely chosen password may make the operations over the Galois field GF($P$) insecure. Following Diffie and Hellman’s scheme, we recommend that the transformed password be at least 640 bits long. Therefore, a one-way permutation function $H()$ is applied to the password $PW_i$ and the personal information to generate the transformed password $TPW_i = H(PW_i, \text{Personal Information}, \ldots)$. Through this transformation, a user can create an account and then login to the system. The scheme is composed of three phases: the application and registration phase, the login phase and the authentication phase.
3.1 The Application and Registration Phase
When a user $u_i$ intends to create an account in some financial organization, he/she may apply for an IC card by the following steps.
Step 1. [Apply for an IC card.] User $u_i$ submits an identity number $ID_i$ together with his/her personal information to apply for an IC card from the financial organization. The VC checks the personal information and credit. If the user's credit is fine, the user's information is transmitted to the ISC and we go to Step 2; otherwise, the VC rejects the application.
Step 2. [Set up the IC card.] The ISC computes a transformed identity $TID_i = TS_i \,\|\, ID_i$ and employs it as the account number, where $TS_i$ is a timestamp and “$\|$” denotes concatenation. The ISC saves the timestamp $TS_i$, the user’s information and the public parameters $P$, $G$, $PK$ on the IC card. The ISC returns the IC card to the VC. The VC notifies the user $u_i$ and gives him/her the IC card.
Step 3. [User selects a password and signs a message to the VC.] User $u_i$ selects a password $PW_i$ and computes the transformed password $TPW_i = H(PW_i, \text{Personal Information}, \ldots)$, where $H()$ is a one-way function. User $u_i$ computes the number $MP_i = G^{TID_i + TPW_i} \bmod P$ using the IC card and the terminal of the financial organization. The message $(TID_i, MP_i)$ is transmitted to the VC.
Step 4. [VC checks the user’s account.] The VC checks the validity of $TID_i$. If the account is correct, go to Step 5; otherwise, the VC rejects the user’s login request.
Step 5. [VC computes the signature.] The VC computes the signature $SG_i = (MP_i)^{SK} \bmod P$ and saves $SG_i$ to the IC card.
The VC is responsible for the external work, including communication with users, checking the user’s credit and authenticating the login procedure. The ISC is responsible for the internal work, including the generation of IC cards and the initialization of the parameters. Note that the one-way function can expand its inputs, including the user’s name, the user’s password, the identification number, the address and other information, to generate a transformed password of at least 640 bits; all of these are available for generating the transformed password. On the other hand, the user needs to evaluate the value $MP_i = G^{TID_i + TPW_i} \bmod P$ using the IC card. Obviously, it is difficult for an IC card to perform such complicated computations. Therefore, we transfer part of the exponential operation to the server by using server-aided computation [12]. Assume that the value $Y = G^{X} \bmod P$ is to be computed on the IC card. Because of the restricted computation ability of an IC card, the large exponent $X$ has to be split into several dependent numbers. For example, we can select two random numbers $X_1$ and $X_2$ in $[1, Z]$, with exponents taken modulo $(P-1)$, where $[1, Z]$ is the range in which an IC card can compute efficiently. Then the IC card can compute $Y_1 = G^{X_1} \bmod P$ and $Y_2 = G^{X_2} \bmod P$ by itself. The remaining exponential operation $Y_s = G^{X - X_1 - X_2} \bmod P$ is transferred to the server, which can compute it fast. Finally, the value $Y$ is obtained by merging $Y_1$, $Y_2$ and $Y_s$:
$$Y = Y_1 \cdot Y_2 \cdot Y_s \bmod P = G^{X_1} \cdot G^{X_2} \cdot G^{X - X_1 - X_2} \bmod P = G^{X} \bmod P .$$
In this way we reduce the computational load of the IC card without revealing the secret value.
3.2 Login Phase
When a user $u_i$ intends to login via a terminal of the financial organization, he/she plugs in the IC card and performs the following steps.
Step 1. [User inputs an identity and a password.] User $u_i$ inputs the identity $ID_i$ and password $PW_i$. The IC card computes the transformed identity $TID_i = TS_i \,\|\, ID_i$ and the transformed password $TPW_i = H(PW_i, \text{Personal Information}, \ldots)$, where $TPW_i \in [1, P-1]$.
Step 2. [Select a random number.] The IC card selects a random number $R$ and computes $I_i = PK^{TPW_i \cdot R + R} \bmod P$ by using server-aided computation.
Step 3. [Compute the parameters.] The IC card computes a number $TR$ from the current timestamp $T$ and the random number $R$, where $TR = E_{PK}(T, R)$ and $E()$ is an encryption function. The IC card computes another number $D_i = SG_i^{R} \cdot PK^{T} \bmod P$.
Step 4. [Transmit the parameters to the VC.] The message $(TID_i, I_i, TR, D_i)$ is transmitted to the VC.
Note that the random number $R$ selected in Step 2 is a one-time value. The user selects a different random number for each login, so distinct logins have distinct parameters $I_i$. Further, to prevent the attack of replaying a previously intercepted message [1], the current timestamp $T$ is required in Step 3. The values $T$ and $R$ can be combined beforehand into a single number by concatenation or another combining method.
3.3 Authentication Phase
When receiving the message $(TID_i, I_i, TR, D_i)$, the VC verifies the correctness of the login by the following steps.
Step 1. [VC checks the account number.] The VC checks the validity of the account number $TID_i = TS_i \,\|\, ID_i$. If there is no such account, the login is rejected.
Step 2. [VC decrypts the parameters.] The VC decrypts the parameters $(T, R) = D_{SK}(TR)$.
Step 3. [VC checks the timestamp $T$.] The VC computes $\Delta T = T_{now} - T$. If $\Delta T \le \xi$, where $\xi$ is the acceptable time interval for transmission delay, then go to Step 4; otherwise, the login is rejected.
Step 4. [VC checks the correctness of the login.] The VC checks whether
$$I_i \cdot \left(G^{TID_i \cdot R + T}\right)^{SK} \stackrel{?}{=} D_i \cdot PK^{R} \pmod P . \qquad (3.1)$$
If it holds, the login is legal; otherwise, the login is rejected. Note that in Step 2 the VC decrypts the number $TR$ with the secret key $SK$ and the decryption function $D()$ to obtain a value that is then split into the two values $T$ and $R$. In Step 3, the threshold time interval $\xi$ depends on the transmission rate. If $\Delta T$ is greater than the threshold, the messages may have been intercepted and retransmitted by a malicious user. In Step 4, if Eq. (3.1) holds, then $u_i$ is a legal user. This can be shown as follows:
$$\begin{aligned}
I_i \cdot \left(G^{TID_i \cdot R + T}\right)^{SK} \bmod P
&= PK^{TPW_i \cdot R + R} \cdot G^{TID_i \cdot R \cdot SK} \cdot G^{T \cdot SK} \bmod P \\
&= \left(G^{TPW_i + TID_i}\right)^{SK \cdot R} \cdot G^{SK \cdot R} \cdot PK^{T} \bmod P \\
&= (SG_i)^{R} \cdot PK^{T} \cdot PK^{R} \bmod P \\
&= D_i \cdot PK^{R} \bmod P .
\end{aligned}$$
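The whole procedure of Sections 3.1 to 3.3, including the server-aided exponentiation of Section 3.1 and the check of Eq. (3.1), as an added runnable model in Python (not the paper's own code). It assumes a toy 64-bit safe prime generated at start-up, SHA-256 as the one-way function $H()$, textbook ElGamal in the same group for the unspecified $E_{PK}/D_{SK}$, and that $T$ and $R$ are combined by packing $T \cdot 2^{31} + R$.

```python
"""Toy model of the proposed scheme (added example, not the paper's own code).
Assumed: H = SHA-256 into [1, P-2]; E_PK/D_SK = textbook ElGamal; (T, R) packed
as T*2^31 + R; card, terminal and VC are plain functions in one process."""
import hashlib, random, secrets, time
XI = 60  # acceptable transmission delay in seconds (the paper's threshold xi)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, adequate for toy parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        if not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False  # Miller-Rabin witness found: n is composite
    return True

def setup(bits=64):
    """Manager: safe prime P = 2q+1, primitive element G, secret SK, PK = G^SK."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    P = 2 * q + 1
    G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, q, P) != 1)
    SK = secrets.randbelow(P - 2) + 1
    return {"P": P, "G": G, "SK": SK, "PK": pow(G, SK, P)}

def H(pw, info, P):
    """One-way transformation PW_i -> TPW_i in [1, P-2] (SHA-256 stand-in)."""
    h = hashlib.sha256(f"{pw}|{info}".encode()).digest()
    return int.from_bytes(h, "big") % (P - 2) + 1

def aided_pow(base, X, P):
    """Server-aided base^X (3.1): card does two small exponents, server the rest."""
    X1, X2 = secrets.randbelow(1 << 16) + 1, secrets.randbelow(1 << 16) + 1  # [1, Z]
    Ys = pow(base, (X - X1 - X2) % (P - 1), P)           # server's share Y_s
    return pow(base, X1, P) * pow(base, X2, P) * Ys % P  # card merges Y1*Y2*Ys

def register(pp, ID, pw, info, TS):
    """3.1: TID_i = TS_i || ID_i, MP_i = G^(TID_i + TPW_i), SG_i = MP_i^SK from VC."""
    TID = int(f"{TS}{ID}")                  # decimal concatenation
    MP = aided_pow(pp["G"], TID + H(pw, info, pp["P"]), pp["P"])
    SG = pow(MP, pp["SK"], pp["P"])         # VC signs; the card stores SG_i
    return {"TS": TS, "SG": SG, "info": info}

def login(pp, card, ID, pw, T=None):
    """3.2: card emits (TID_i, I_i, TR, D_i) for a one-time R and timestamp T."""
    P, G, PK = pp["P"], pp["G"], pp["PK"]
    TID = int(f"{card['TS']}{ID}")
    TPW = H(pw, card["info"], P)
    R = secrets.randbelow((1 << 31) - 1) + 1
    T = int(time.time()) if T is None else T
    I_i = aided_pow(PK, TPW * R + R, P)
    k = secrets.randbelow(P - 2) + 1        # ElGamal ephemeral key for E_PK(T, R)
    TR = (pow(G, k, P), (T << 31 | R) * pow(PK, k, P) % P)
    D_i = pow(card["SG"], R, P) * pow(PK, T, P) % P
    return TID, I_i, TR, D_i

def authenticate(pp, accounts, msg, now=None):
    """3.3: VC checks the account, decrypts (T, R), bounds the delay, tests (3.1)."""
    P, G, SK, PK = pp["P"], pp["G"], pp["SK"], pp["PK"]
    TID, I_i, (c1, c2), D_i = msg
    m = c2 * pow(c1, P - 1 - SK, P) % P     # D_SK: multiply by c1^-SK
    T, R = m >> 31, m & ((1 << 31) - 1)
    now = int(time.time()) if now is None else now
    if TID not in accounts or not 0 <= now - T <= XI:
        return False                        # unknown account, stale or replayed
    lhs = I_i * pow(pow(G, TID * R + T, P), SK, P) % P
    return lhs == D_i * pow(PK, R, P) % P
```

Two logins with the same password produce different $(I_i, TR, D_i)$ because $R$ and the ElGamal ephemeral key are fresh each time, while a message presented again after $\xi$ seconds is rejected in `authenticate()`.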
4. Security Analysis and Discussions
4.1 Security Analysis
In the proposed scheme, no password table or verification table is stored in the center. The computation of the transformed password $PW_i \rightarrow TPW_i$ is carried out inside the IC card, so no one can obtain any information about the user’s password. In the first login, the user transmits the message $(TID_i, MP_i)$ to the VC of the financial organization. If a malicious user intends to derive the transformed password $TPW_i$ from the number $MP_i = G^{TID_i + TPW_i} \bmod P$, he/she has to solve discrete logarithms over GF($P$). Likewise, a user who tries to reveal the secret key $SK$ from the center’s signature $SG_i$ is also required to solve discrete logarithms. In fact, the security of the secret keys $TPW_i$ and $SK$ is based entirely on the Diffie-Hellman scheme. During a remote login, an intruder may try to intercept or eavesdrop on the communication line between a terminal and the center. However, no password is transmitted on the communication line. Further, the messages on the line are created randomly and encrypted as follows: $I_i = PK^{TPW_i \cdot R + R} \bmod P$, $TR = E_{PK}(T, R)$, and $D_i = SG_i^{R} \cdot PK^{T} \bmod P$. These messages are one-time values generated from the random number $R$ and the timestamp $T$, and they differ in each login.
4.2 Discussions
In Chen and Jan’s scheme [4], for each user $u_i$, the account number is generated as $ID_i = (TS_i, ME_i)$, determined by the timestamp $TS_i$ and the parameter $ME_i$, and the number $ME_i = G^{PW_i} \bmod P$ is computed from the password. Then the account number $ID_i$ is transmitted to the center and stored in the account file of the financial organization. We find that the parameter $ME_i$ is an encrypted message transformed from the password value. In fact, the account file is another form of encrypted password table. Thus their scheme cannot be regarded as a “scheme without password tables” in the full sense. Further, the $ID_i$’s are always very large numbers of about 200 digits. It is impractical for users to employ such account numbers. In our scheme, there are only two components, $TS_i$ and $ID_i$, in the user’s account $TID_i$. The identity $ID_i$ is freely selected by the user, and $TS_i$ is a timestamp given by the ISC. The concatenated value is stored in the account file. Further, in the first login the user computes a number $MP_i = G^{TID_i + TPW_i} \bmod P$ and transmits it to the center. The VC evaluates the signature $SG_i = (MP_i)^{SK} \bmod P$, which is stored on the IC card. The center does not need to store any password table. Therefore, there is no explicit or implicit password table or verification table kept by the center. Compared with Chen and Jan’s scheme [4], our scheme is truly a password authentication scheme “without password tables.”
In Chen and Jan’s scheme [4], if a user $u_i$ intends to change his/her password for some reason, he/she uses the IC card and logins to the system. Then, the user has to choose a new password $PW_i'$ and compute a new account $ID_i' = (TS_i, ME_i')$, where $ME_i' = G^{PW_i'} \bmod P$. Since the password has been changed, the associated account number has to be changed by the user. Therefore, if a user changes his/her password often, the account file has to be changed frequently. In our scheme, the freely chosen identity $ID_i$ and password $PW_i$ are independent. The user’s account $TID_i$ is the concatenation of the identity $ID_i$ with the timestamp $TS_i$; $TID_i$ does not contain any password value. Changing a user’s password does not affect the account file of the financial organization. If a user $u_i$ wants to change the password for some reason, he/she first logins to the system as stated in the previous section.
User $u_i$ selects a new password $PW_i'$ and computes the transformed password $TPW_i' = H(PW_i', \text{Personal Information}, \ldots)$. Then, he/she computes a number $MP_i' = G^{TID_i + TPW_i'} \bmod P$ using the IC card and the server of the financial organization. The message $(TID_i, SG_i, MP_i, MP_i')$ is transmitted to the VC of the financial organization. The VC checks the validity of the account $TID_i$ and verifies the old signature $SG_i$ with the secret key $SK$ and $MP_i$. If both are correct, the VC computes the new signature $SG_i' = (MP_i')^{SK} \bmod P$. Finally, the old signature $SG_i$ is replaced by the new signature $SG_i'$ on the IC card. Here we find that users’ account numbers do not need to be changed when passwords are changed.
In Chen and Jan’s scheme [4], when a user wants to login to the system, he/she generates a random number $R$ using the IC card and then computes a common key $CK$. According to our observation, there is no need to generate a common key between the user and the center; that is, the effort of computing $CK$ can be skipped. Since the public key $PK$ of the financial organization is stored on the IC card, it can be used to encrypt the message with a public-key cryptosystem. On the basis of a public-key cryptosystem, we can construct a non-interactive password authentication scheme without the common key. In the schemes [1, 3], the center generates the user’s password, which contains multiple values. Since the user’s password is complicated, it is inconvenient for the user to handle or memorize it. In our scheme, the identity and password freely chosen by the user are transformed into a unique identity and a secure password, respectively. Besides, the remaining problems of those schemes are solved in our scheme.
5. Conclusions
In this paper, we proposed a non-interactive password authentication scheme based on IC cards. Instead of the conventional password verification concept, we use the characteristics of IC cards to execute the operations and let the verification center authenticate the password. To verify the correctness of a user’s password, the system does not need to store any secret information such as password files or verification tables. Further, the identity and password freely selected by the user are transformed into a unique identity number and a secure password, respectively. Moreover, our scheme is very suitable for remote login in network environments, even when the communication link is insecure. By the use of timestamps, the scheme is able to prevent attacks that replay an intercepted login request.
References
[1] C. C. Chang and W. Y. Liao, “A Remote Password Authentication Scheme Based upon ElGamal’s Signature Scheme”, Computers & Security, Vol. 13, 1994, pp. 137-144.
[2] C. C. Chang and L. H. Wu, “A Password Authentication Scheme Based upon Rabin’s Public-Key Cryptosystem”, Proc. Int. Conf. Systems Management ’90, Hong Kong, Jun. 1990, pp. 425-429.
[3] C. C. Chang and T. C. Wu, “Remote Password Authentication with Smart Cards”, IEE Proceedings-E, Vol. 138, No. 3, 1991, pp. 165-168.
[4] J. K. Jan and Y. Y. Chen, “Paramita Wisdom: Password Authentication Scheme without Verification Tables”, The Journal of Systems and Software, Vol. 42, 1998, pp. 45-57.
[5] G. I. Davies and W. L. Price, Security for Computer Networks, Wiley-Interscience Publication, John Wiley and Sons, Ltd., Chichester, New York, Brisbane, Toronto, 1984.
[6] D. E. Denning, Cryptography and Data Security, Addison-Wesley, Mass., 1982.
[7] W. Diffie and M. E. Hellman, “New Directions in Cryptography”, IEEE Trans. Inf. Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[8] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms”, IEEE Trans. Inf. Theory, Vol. IT-31, No. 4, 1985, pp. 469-472.
[9] A. J. Evans, W. Kantrowitz and E. Weiss, “A User Authentication Scheme not Requiring Secrecy in the Computer”, Comm. ACM, Vol. 17, No. 8, 1974, pp. 437-442.
[10] T. Y. Hwang, “Password Authentication Using Public-Key Encryption”, Proc. Int. Carnahan Conf. Security Technology, Zurich, Switzerland, 1983, pp. 35-38.
[11] C. S. Lain, L. Harn and D. Huang, “Password Authentication Using Quadratic Residues”, Proc. 1988 Int. Computer Symp., Taipei, Taiwan, Dec. 1988, pp. 1484-1489.
[12] C. H. Lin and C. C. Chang, “A Server-Aided Computation Protocol for RSA Enciphering Algorithm”, Int. Journal Computer Math., Vol. 53, 1994, pp. 149-155.