A simple remote user authentication scheme 1. M. S. Hwang, C. C. Lee and Y. L. Tang, “A simple remote user authentication scheme,” Mathematical and Computer Modelling, Vol. 36, No. 1-2, pp , July E. J. Yoon, E. K. Ryu and K. Y. Yoo, “An improvement of Hwang–Lee–Tang's simple remote user authentication scheme,” Computers & Security, In Press. Presented by Hsing-Bai Chen ( 陳星百 ) 17 Sep. 2004

Outline Introduction Design goals Hwang-Lee-Tang’s scheme (HLT’s scheme) Discussions on HLT’s scheme Improved scheme (YRY’s scheme) Security analysis Conclusion Comments

Introduction UserPublic channel ID, PW Remote server

Brief summary Remote user authentication Lamport, 1981 Hwang-Li, 2000 Modification attacks EfficiencySecurity Using smart cards to eliminate the risk and cost of maintaining verification tables.

Design goals Require no password or verification tables in the server side Solve replay attacks Choose and change users password freely Reveal no passwords to the server

HLT's scheme (1/3) Registration phase: U i Server Choose ID i, PW i ID i, h(PW i ) Compute A i = h(ID i  x)  h(PW i ) Smart card (stored h( ), A i ) Compute h(PW i )

HLT's scheme (2/3) Login phase: U i Server Compute B i = A i  h(PW i ) = h(ID i  x) ID i, C i, T Verify C i = h(h(ID i  x)  T) Compute C i = h(B i  T) Authentication phase: Check (T  T)   T Check ID i

HLT’s scheme (3/3) Password change phase: U i Server Compute B i = A i  h(PW i ) = h(ID i  x) Compute A i = B i  h(PW i new ) Select PW i new and compute h(PW i new ) Store A i

Discussions on HLT’s scheme Suppose the intruder has stolen x expensive to re-compute the secret hash value Suppose the smart card is stolen Altered password B i = A i  h(PW) = h(ID i  x)  h(PW i )  h(PW) A i = B i  h(PW  ) Denial of service attack Speed of detecting wrong password is slow No mutual authentication

YRY’s scheme (1/3) Registration phase: U i Server Choose ID i, PW i ID i, PW i Compute A i = h(ID i, T TSA, x)  PW i Smart card (stored h( ), ID i, V i, A i ) Compute V i = h(ID i, T TSA, x)

YRY’s scheme (2/3) Login phase: U i Server Compute B i = A i  PW i = h(ID i, T TSA, x) Verify B i = V i Compute C 1 = h(B i, T) ID i, C 1, T Authentication phase: Compute B i  = h(ID i, T TSA, x) Check (T  T)   T Check ID i Verify C 1 = h(B i , T) Compute C 2 = h (B i , C 1, T  ) C 2, T  Check (T  T  )   T Verify C 2 = h(B i, C 1, T  )

YRY’s scheme (3/3) Password change phase: U i Server Compute B i = A i  PW i = h(ID i, T TSA, x) Compute A i = B i  PW i new Select PW i new Store A i Verify B i = V i

Security analysis Protect from Forgery attacks Replay attacks Impersonation attacks Deniable of service attacks Spoofing attacks No body can compute B i = h(ID i, T TSA, x) even if x is revealed

Conclusion Achieve No verification table Freedom in changing password Elimination of denial of service attacks Secure hash value Mutual authentication Fast detection of wrong input password Less computational cost