Slide 1: Title

Papers surveyed:
- Efficient remote mutual authentication and key agreement
  Authors: Wen-Gong Shieh and Jian-Min Wang. Source: Computers & Security, 25(1)
- Improvement of Chien et al.'s remote user authentication scheme using smart cards
  Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo. Source: Computer Standards & Interfaces, 27(1)
- An efficient nonce-based authentication scheme with key agreement
  Authors: Yen-Cheng Chen and Lo-Yao Yeh. Source: Applied Mathematics and Computation, 169(1)
- Efficient nonce-based remote user authentication scheme using smart cards
  Authors: Sung-Woon Lee, Hyun-Sung Kim and Kee-Young Yoo. Source: Applied Mathematics and Computation, 167(1)
- An improvement of Hwang-Lee-Tang's simple remote user authentication scheme
  Authors: Eun-Jun Yoon, Eun-Kyung Ryu and Kee-Young Yoo. Source: Computers & Security, 24(1)

Reporter: Chun-Ta Li (李俊達)
Slide 2: Outline

- Introduction
- Chien et al.'s scheme and Hsu's attack
- Juang's scheme and Shieh et al.'s attack
- Shieh et al.'s scheme
- Lee et al.'s scheme (CSI)
- Chen et al.'s scheme
- Lee et al.'s scheme (AMC)
- Yoon et al.'s scheme
- Comments
Slide 3: Introduction

Motivation
- Password-based authentication is exposed to dictionary attacks
  - Solution: public key encryption
- Light computational overhead
  - A hash function or symmetric encryption is used in the authentication protocol
- Smart card-based authentication scheme
  - A well-chosen password is stored in a smart card
- Nonce-based or timestamp-based approaches
Slide 4: Introduction (cont.)

History
- 1981: Lamport proposed the first password-based remote user authentication scheme over an insecure channel (the server stores a verification table)
- 1993: Chang-Wu introduced a remote password authentication scheme with smart cards (passwords cannot be changed freely)
- 2000: Hwang-Li proposed a password-based remote user authentication scheme using smart cards (no verification or password table)
- 2002: Hwang-Lee-Tang proposed a simple remote authentication scheme (passwords can be changed freely)
Slide 5: Introduction (cont.)

Requirements
- No verification or password table
- Freely changeable password
- Mutual authentication
- Low computation
- No synchronized clock required
- Key agreement
- Some security issues
Slide 6: Introduction (cont.)

Classification (tree diagram; the placement of the individual schemes on its leaves is not recoverable from the extraction)
- Password-based user authentication
  - Smart cards
    - Timestamp-based
      - Mutual authentication
      - Without mutual authentication
    - Nonce-based
      - Mutual authentication
      - Without mutual authentication
  - Without using smart cards
Annotations on the diagram: "Share ID and PW"; "No verification and password table"
Schemes placed on the diagram: Lamport 1981, Chien 2002, Awasthi 2004, Juang 2004, Ku 2004, Yoon 2004, Chen 2005, Kwon 2005, Lee 2005 (two schemes), Wang 2005, Yoon 2005, Peyravian 2006, Shieh 2006
Slide 7: Chien et al.'s scheme and Hsu's attack

Registration phase:
1. User -> Server: ID_i, PW_i
2. Server: R_i = h(ID_i ⊕ x) ⊕ PW_i
3. Server -> User: smart card {R_i, h(.)}

Login/verification phase:
1. User: C1 = R_i ⊕ PW_i
2. User: C2 = h(C1 ⊕ T)
3. User -> Server: ID_i, T, C2
4. Server: check ID_i and T
5. Server: C1' = h(ID_i ⊕ x)
6. Server: check h(C1' ⊕ T) ?= C2
7. Server: C3 = h(C1' ⊕ T'')
8. Server -> User: T'', C3
9. User: check T''
10. User: check h(C1 ⊕ T'') ?= C3
Slide 8: Chien et al.'s scheme and Hsu's attack (cont.)

Hsu's parallel session attack (2004)
(Message-flow diagram not recoverable from the extraction; its annotations were:)
// C2 = h(C1 ⊕ T)
// R_i = h(ID_i ⊕ x) ⊕ PW_i
// C1 = R_i ⊕ PW_i
// C3 = h(C1' ⊕ T'')
Slide 9: Juang's scheme and Shieh et al.'s attack

Registration phase:
1. User -> Server: ID_i, PW_i
2. Server: V_i = h(ID_i, x)
3. Server: W_i = V_i ⊕ PW_i
4. Server -> User: smart card {W_i, ID_i, h(.)}

Login/verification phase (diagram not recoverable from the extraction; its annotations were:)
// C_i = h(ID_i || N_1)
// V_i = W_i ⊕ PW_i
// Server: decrypt E_{V_i}(ru_j, C_i); check C_i ?= h(ID_i || N_1)
// Session key K_j = h(rs_j, rs_u, V_i)
Slide 10: Juang's scheme and Shieh et al.'s attack (cont.)

Shieh et al.'s off-line plaintext attack (2006)
(Diagram not recoverable from the extraction; its annotations were:)
// C_i = h(ID_i || N_1)
// V_i = W_i ⊕ PW_i = h(ID_i, x)
Slide 11: Shieh et al.'s scheme

Registration phase: the same as that of Chien et al.'s scheme

Login/key agreement phase:
1. User: a_i = R_i ⊕ PW_i = h(ID_i ⊕ x)
2. User: MAC_u = h(T_u || a_i); store T_u temporarily until the end of the session
3. User -> Server: ID_i, T_u, MAC_u
4. Server: check whether T_u is fresh
5. Server: a_i' = h(ID_i ⊕ x)
6. Server: MAC_u' = h(T_u || a_i')
7. Server: check MAC_u' ?= MAC_u
8. Server: temporarily store (T_u, T_s) and ID_i
9. Server: MAC_s = h(T_u || T_s || a_i')
10. Server: session key K_s = h((T_u || T_s) ⊕ a_i')
11. Server -> User: T_u, T_s, MAC_s
12. User: MAC_s' = h(T_u || T_s || a_i)
13. User: check MAC_s' ?= MAC_s
14. User: MAC_u'' = h(T_s || (a_i + 1))
15. User: session key K_s = h((T_u || T_s) ⊕ a_i)
16. User -> Server: T_s, MAC_u''
17. Server: check T_s and MAC_u''
18. If the above holds, accept the user's login
Slide 12: Shieh et al.'s scheme (cont.)

Messages transmitted in the proposed scheme using a synchronized clock
(Diagram not recoverable from the extraction; its annotations were:)
// MAC_u = h(T_u || a_i)
// a_i = R_i ⊕ PW_i = h(ID_i ⊕ x)
// MAC_s = h(T_u || T_s || a_i')
Slide 13: Shieh et al.'s scheme (cont.)

Messages transmitted in the parallel session attack (diagram not recoverable from the extraction)
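The three-message exchange of slides 11 to 13, modelled in Python as an added example (example code written for this page, not code from Shieh and Wang). Assumptions the slides leave open: SHA-256 as h(.), 16-byte timestamps so that T_u || T_s is a single 32-byte block that can be ⊕-ed with a_i, a_i + 1 computed on a_i read as an integer modulo 2^256, a 60-second freshness window, and server-side storage of (T_u, T_s, a_i') per identity between steps 8 and 17, which is what "temporarily store" on the slide requires.

```python
import hashlib
import os

BLOCK = 32  # a_i and MAC values are 32-byte blocks (assumption)


def h(data: bytes) -> bytes:
    """One-way hash h(.); SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def blk(value) -> bytes:
    """Identity or password as a block (the encoding is an assumption)."""
    return h(str(value).encode())


def ts(t: int) -> bytes:
    """16-byte timestamp, so that T_u || T_s is one 32-byte block and can be ⊕-ed with a_i."""
    return t.to_bytes(16, "big")


def inc(a_i: bytes) -> bytes:
    """a_i + 1 with a_i read as a big-endian integer (wraps modulo 2^256)."""
    return ((int.from_bytes(a_i, "big") + 1) % (1 << 256)).to_bytes(BLOCK, "big")


def fresh(t: int, now: int, window: int = 60) -> bool:
    return 0 <= now - t <= window


def key_from(t_u: int, t_s: int, a_i: bytes) -> bytes:
    """Steps 10 and 15: K_s = h((T_u || T_s) ⊕ a_i)."""
    return h(xor(ts(t_u) + ts(t_s), a_i))


class Server:
    def __init__(self, x: bytes = None):
        self.x = x or os.urandom(BLOCK)
        self.pending = {}                     # step 8: (T_u, T_s, a_i') per ID_i until step 17

    def register(self, id_i: str, pw_i: str) -> dict:
        """Registration as in Chien et al.: the card holds R_i = h(ID_i ⊕ x) ⊕ PW_i."""
        return {"ID": id_i, "R": xor(h(xor(blk(id_i), self.x)), blk(pw_i))}

    def steps_4_to_11(self, msg: tuple, now: int):
        id_i, t_u, mac_u = msg
        if not fresh(t_u, now):                               # step 4
            return None
        a_i = h(xor(blk(id_i), self.x))                       # step 5: a_i' = h(ID_i ⊕ x)
        if h(ts(t_u) + a_i) != mac_u:                         # steps 6-7: MAC_u' ?= MAC_u
            return None
        t_s = now
        self.pending[id_i] = (t_u, t_s, a_i)                  # step 8
        return (t_u, t_s, h(ts(t_u) + ts(t_s) + a_i))         # steps 9 and 11: MAC_s

    def steps_17_to_18(self, id_i: str, msg: tuple, now: int):
        t_s, mac_u2 = msg
        t_u, t_s_stored, a_i = self.pending.pop(id_i, (None, None, None))
        if a_i is None or t_s != t_s_stored or not fresh(t_s, now):
            return None
        if mac_u2 != h(ts(t_s) + inc(a_i)):                   # step 17: check MAC_u''
            return None
        return key_from(t_u, t_s, a_i)                        # step 18: login accepted


def user_login(card: dict, pw_i: str, t_u: int):
    """Steps 1-3: send (ID_i, T_u, MAC_u); keep a_i and T_u until the session ends."""
    a_i = xor(card["R"], blk(pw_i))                           # step 1
    return (card["ID"], t_u, h(ts(t_u) + a_i)), {"a_i": a_i, "t_u": t_u}


def user_steps_12_to_16(state: dict, reply: tuple):
    """Steps 12-16: authenticate the server, then send (T_s, MAC_u'') and derive K_s."""
    _, t_s, mac_s = reply
    a_i, t_u = state["a_i"], state["t_u"]                     # the stored T_u, not the echoed one
    if h(ts(t_u) + ts(t_s) + a_i) != mac_s:                   # steps 12-13
        return None, None
    mac_u2 = h(ts(t_s) + inc(a_i))                            # step 14: MAC_u'' = h(T_s || (a_i + 1))
    return (t_s, mac_u2), key_from(t_u, t_s, a_i)             # steps 15-16


def run_protocol(pw_sent: str = "correct horse", clock: int = 1000):
    """Full three-message run; returns (user's K_s, server's K_s) or (None, None)."""
    server = Server()
    card = server.register("alice", "correct horse")
    msg1, state = user_login(card, pw_sent, clock)
    reply = server.steps_4_to_11(msg1, clock + 1)
    if reply is None:
        return None, None
    msg3, k_user = user_steps_12_to_16(state, reply)
    if msg3 is None:
        return None, None
    return k_user, server.steps_17_to_18(card["ID"], msg3, clock + 2)
```

Both sides end with the same K_s only after each has checked the other's MAC; the server never keeps a password table, only the per-session tuple between steps 8 and 17, which it discards on completion or failure.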
Slide 14: Lee et al.'s scheme (CSI)

Registration/login phase: the same as that of Chien et al.'s scheme

Verification phase:
4. Server: check ID_i and T
5. Server: C1' = h(ID_i ⊕ x)
6. Server: check h(C1' ⊕ T) ?= C2
7. Server: C3 = h(h(C1' ⊕ T''))
8. Server -> User: T'', C3
9. User: check T''
10. User: check h(h(C1 ⊕ T'')) ?= C3
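To make the two timestamp-based exchanges concrete, here is an added Python model of Chien et al.'s login/verification phase (slide 7) and the Lee et al. (CSI) variant of steps 7 and 10 above. It is example code written for this page, not code from either paper; it assumes SHA-256 as h(.), a 32-byte server secret x, identities, passwords and timestamps mapped onto 32-byte blocks so that ⊕ is defined, and a 60-second freshness window (the slides fix none of these). The last function checks the design property that distinguishes the two variants: whether the server's reply (T'', C3) would also pass the server's own login check, which is what the extra hash in the CSI variant rules out.

```python
import hashlib
import os

BLOCK = 32  # every value is a 32-byte block so that ⊕ is well defined (assumption)


def h(data: bytes) -> bytes:
    """The schemes' one-way hash h(.); SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise ⊕ of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(p ^ q for p, q in zip(a, b))


def blk(value) -> bytes:
    """Map an identity, password or timestamp onto a block (the slides leave encodings open)."""
    return h(str(value).encode())


def fresh(t: int, now: int, window: int = 60) -> bool:
    """Timestamp check; the schemes assume loosely synchronized clocks."""
    return 0 <= now - t <= window


class Server:
    """Remote server holding only the secret x: no verification or password table."""

    def __init__(self, variant: str, x: bytes = None):
        if variant not in ("chien", "lee_csi"):
            raise ValueError("variant must be 'chien' or 'lee_csi'")
        self.variant = variant
        self.x = x or os.urandom(BLOCK)

    def register(self, id_i: str, pw_i: str) -> dict:
        """Registration phase: the smart card receives {R_i, h(.)}."""
        r_i = xor(h(xor(blk(id_i), self.x)), blk(pw_i))   # R_i = h(ID_i ⊕ x) ⊕ PW_i
        return {"ID": id_i, "R": r_i}

    def verify_login(self, msg: tuple, now: int):
        """Verification steps 4-8; returns (T'', C3) or None on rejection."""
        id_i, t, c2 = msg
        if not fresh(t, now):                      # step 4 (ID_i is checked for format
            return None                            # only: there is no table to consult)
        c1p = h(xor(blk(id_i), self.x))            # step 5: C1' = h(ID_i ⊕ x)
        if h(xor(c1p, blk(t))) != c2:              # step 6: h(C1' ⊕ T) ?= C2
            return None
        t2 = now                                   # server timestamp T''
        inner = h(xor(c1p, blk(t2)))
        c3 = inner if self.variant == "chien" else h(inner)   # step 7 (CSI: extra h)
        return (t2, c3)


def user_login(card: dict, pw_i: str, t: int):
    """Login steps 1-3: returns the message (ID_i, T, C2) and C1 for the reply check."""
    c1 = xor(card["R"], blk(pw_i))                 # C1 = R_i ⊕ PW_i
    c2 = h(xor(c1, blk(t)))                        # C2 = h(C1 ⊕ T)
    return (card["ID"], t, c2), c1


def user_check_reply(c1: bytes, reply: tuple, now: int, variant: str) -> bool:
    """Steps 9-10: check T'' and the server's proof C3."""
    t2, c3 = reply
    if not fresh(t2, now):
        return False
    inner = h(xor(c1, blk(t2)))
    expected = inner if variant == "chien" else h(inner)
    return expected == c3


def run_protocol(variant: str, pw_sent: str = "correct horse", clock: int = 1000):
    """One full run; returns (server accepted the login, user accepted the server)."""
    server = Server(variant)
    card = server.register("alice", "correct horse")
    msg, c1 = user_login(card, pw_sent, clock)
    reply = server.verify_login(msg, clock + 1)
    if reply is None:
        return False, False
    return True, user_check_reply(c1, reply, clock + 2, variant)


def reply_passes_login_check(variant: str, clock: int = 1000) -> bool:
    """Design property behind the CSI change: a reply (T'', C3) should never verify as
    a login message (ID_i, T, C2). True means the two message types are interchangeable."""
    server = Server(variant)
    card = server.register("alice", "correct horse")
    msg, _ = user_login(card, "correct horse", clock)
    t2, c3 = server.verify_login(msg, clock + 1)
    return server.verify_login((card["ID"], t2, c3), clock + 2) is not None
```

The property check is the regression test a reviewer would keep: in Chien et al.'s scheme C2 and C3 have the same shape h(C1 ⊕ timestamp), so the check returns True; with the CSI double hash the server's reply has a different shape and the check returns False, which is exactly the message-type separation the fix introduces.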
Slide 15: Chen et al.'s scheme

Registration phase: the same as that of Chien et al.'s scheme

Login/authentication phase:
1. User: a_i = R_i ⊕ PW_i = h(ID_i ⊕ x)
2. User: M1 = h^2(ID_i ⊕ x) ⊕ N_1
3. User -> Server: ID_i, M1
4. Server: compute h^2(ID_i ⊕ x) and extract N_1 by computing M1 ⊕ h^2(ID_i ⊕ x)
5. Server: M2 = h(h(ID_i ⊕ x) || N_1) ⊕ N_2 and M3 = h(h(ID_i ⊕ x) || N_1 || N_2)
6. Server -> User: M2, M3
7. User: compute h(h(ID_i ⊕ x) || N_1) and extract N_2 by computing M2 ⊕ h(h(ID_i ⊕ x) || N_1)
8. User: verify M3 ?= h(h(ID_i ⊕ x) || N_1 || N_2)
9. User: M4 = h(h^2(ID_i ⊕ x) || N_1 + 1 || N_2 + 1)
10. User -> Server: M4
11. Server: verify M4 ?= h(h^2(ID_i ⊕ x) || N_1 + 1 || N_2 + 1)
12. Session key K_s = h(h^3(ID_i ⊕ x) || N_1 + 2 || N_2 + 2)
Slide 16: Lee et al.'s scheme (AMC)

Parallel session attack (message-flow diagram not recoverable from the extraction)
Slide 17: Yoon et al.'s scheme

Registration phase: (diagram not recoverable from the extraction)
Login/authentication phase: (diagram not recoverable from the extraction)
Slide 18: Comments

Comparison (columns: mutual authentication (steps), session key agreement, use of timestamp, computation load)
- Shieh et al.: computation load 10H + 6⊕
- Lee et al. (CSI): computation load 7H + 8⊕
- Chen et al.: computation load 19H + 15⊕
- Lee et al. (AMC): computation load 6H + 7⊕
- Yoon et al.: mutual authentication Yes (2); session key agreement No; use of timestamp Yes; computation load 6H + 2⊕
The Yes/No cells of the first four rows survived only as an unordered run in the extraction (No, Yes, Yes/No, Yes (3), Yes (2), Yes (3), No, Yes, No, Yes) and cannot be assigned to columns with certainty.
Slide 19: Comments (cont.)

Forward secrecy
- If the server's secret key x is compromised, the attacker can reconstruct the agreed session key
- Solution: Diffie-Hellman key exchange
  Let N_1 = g^x and N_2 = g^y; session key = g^xy
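The nonce-based exchange of Chen et al. (slide 15) and the Diffie-Hellman suggestion of this slide are modelled together in the following added Python example, which is not code from either paper or from this presentation. Assumptions: SHA-256 as h(.), 32-byte blocks for ⊕ and ||, nonces handled as integers so that N_1 + 1 and N_1 + 2 are defined, and toy Diffie-Hellman parameters (p = 2^127 - 1, g = 3) standing in for a real group. With forward_secure=True the nonces become g^x and g^y and the session key is derived from g^xy (hashing it is this example's choice). The last function checks the property this slide describes: in the base scheme the recorded messages plus x reproduce the session key, whereas in the DH variant that derivation no longer yields it.

```python
import hashlib
import secrets

BLOCK = 32  # 32-byte blocks so that ⊕ and || are well defined (assumption)

def h(data: bytes) -> bytes:
    """One-way hash h(.) of the scheme; SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def blk(value) -> bytes:
    """Identity or password as a block (the encoding is an assumption)."""
    return h(str(value).encode())

def enc(n: int) -> bytes:
    """Integer nonce as a block, so it can be ⊕-ed and ||-ed."""
    return n.to_bytes(BLOCK, "big")

def dec(b: bytes) -> int:
    return int.from_bytes(b, "big")

# Toy Diffie-Hellman parameters for the forward-secrecy variant: illustration only;
# a real deployment would use a standard group (for example the RFC 3526 MODP groups).
P = 2**127 - 1
G = 3

def session_key(a_i: bytes, n1: int, n2: int, dh_shared: int = None) -> bytes:
    """Step 12: K_s = h(h^3(ID_i ⊕ x) || N_1+2 || N_2+2); DH variant: key from g^xy."""
    if dh_shared is None:
        return h(h(h(a_i)) + enc(n1 + 2) + enc(n2 + 2))
    return h(enc(dh_shared))

class Server:
    """Holds only the secret x; per-login state lives between steps 6 and 11."""
    def __init__(self, forward_secure: bool = False, x: bytes = None):
        self.x = x or secrets.token_bytes(BLOCK)
        self.fs = forward_secure
        self.pending = {}

    def a_i(self, id_i: str) -> bytes:
        return h(xor(blk(id_i), self.x))                   # h(ID_i ⊕ x)

    def register(self, id_i: str, pw_i: str) -> dict:
        return {"ID": id_i, "R": xor(self.a_i(id_i), blk(pw_i))}   # R_i = h(ID_i ⊕ x) ⊕ PW_i

    def steps_4_to_6(self, id_i: str, m1: bytes):
        a_i = self.a_i(id_i)
        n1 = dec(xor(m1, h(a_i)))                          # step 4: N_1 = M1 ⊕ h^2(ID_i ⊕ x)
        b = secrets.randbelow(P - 2) + 2 if self.fs else None
        n2 = pow(G, b, P) if self.fs else secrets.randbits(200)   # N_2 (g^y in the DH variant)
        m2 = xor(h(a_i + enc(n1)), enc(n2))                # step 5: M2 = h(h(ID_i ⊕ x)||N_1) ⊕ N_2
        m3 = h(a_i + enc(n1) + enc(n2))                    #         M3 = h(h(ID_i ⊕ x)||N_1||N_2)
        self.pending[id_i] = (a_i, n1, n2, b)
        return m2, m3

    def steps_11_to_12(self, id_i: str, m4: bytes):
        a_i, n1, n2, b = self.pending.pop(id_i)
        if m4 != h(h(a_i) + enc(n1 + 1) + enc(n2 + 1)):    # step 11: verify M4
            return None
        return session_key(a_i, n1, n2, pow(n1, b, P) if self.fs else None)

class User:
    def __init__(self, card: dict, pw_i: str, forward_secure: bool = False):
        self.id, self.fs = card["ID"], forward_secure
        self.a_i = xor(card["R"], blk(pw_i))               # step 1: a_i = R_i ⊕ PW_i

    def steps_1_to_3(self):
        self.a = secrets.randbelow(P - 2) + 2 if self.fs else None
        self.n1 = pow(G, self.a, P) if self.fs else secrets.randbits(200)  # N_1 (g^x in DH variant)
        return self.id, xor(h(self.a_i), enc(self.n1))     # step 2: M1 = h^2(ID_i ⊕ x) ⊕ N_1

    def steps_7_to_10(self, m2: bytes, m3: bytes):
        n2 = dec(xor(m2, h(self.a_i + enc(self.n1))))      # step 7: extract N_2
        if m3 != h(self.a_i + enc(self.n1) + enc(n2)):     # step 8: server not authenticated
            return None, None
        m4 = h(h(self.a_i) + enc(self.n1 + 1) + enc(n2 + 1))   # step 9
        shared = pow(n2, self.a, P) if self.fs else None
        return m4, session_key(self.a_i, self.n1, n2, shared)

def run(forward_secure: bool = False, pw_sent: str = "correct horse"):
    """Full exchange; returns (user key, server key, public transcript, x)."""
    server = Server(forward_secure)
    card = server.register("alice", "correct horse")
    user = User(card, pw_sent, forward_secure)
    id_i, m1 = user.steps_1_to_3()
    m2, m3 = server.steps_4_to_6(id_i, m1)
    m4, k_user = user.steps_7_to_10(m2, m3)
    k_server = server.steps_11_to_12(id_i, m4) if m4 is not None else None
    return k_user, k_server, (id_i, m1, m2), server.x

def key_from_x_and_transcript(x: bytes, transcript: tuple) -> bytes:
    """Forward-secrecy check: with x and the recorded (ID_i, M1, M2) the step-12 key is
    recomputable; the DH variant's g^xy is not reachable by this derivation."""
    id_i, m1, m2 = transcript
    a_i = h(xor(blk(id_i), x))
    n1 = dec(xor(m1, h(a_i)))
    n2 = dec(xor(m2, h(a_i + enc(n1))))
    return session_key(a_i, n1, n2)
```

In the base scheme everything that feeds K_s is either derivable from x or carried in the clear once x is known, which is why the check reproduces the key; in the DH variant the same transcript only yields g^x and g^y, so the key no longer follows from a later compromise of x.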
Slide 20: Comments (cont.)

Identity problems
- The remote server keeps no verification table
- Impersonation attack: a legitimate user can purposely obtain another valid (ID, PW) by the following trick:
  - The user declares that he has lost his smart card
  - He registers a new valid (ID, PW)
  - The original smart card is still valid for use