A Secure Password-Authenticated Key Agreement Using Smart Cards

Transcription

1 A Secure Password-Authentcated Key Agreement Usng Smart Cards Ka Chan 1, Wen-Chung Kuo 2 and Jn-Chou Cheng 3 1 Department of Computer and Informaton Scence, R.O.C. Mltary Academy, Kaohsung 83059, Tawan, R.O.C. 2 Department of Computer Scence and Informaton Engneerng, Natonal Yunln Unversty of Scence and Technology, Yunln 64002, Tawan, R.O.C. 3 Department of Computer Scence and Informaton Engneerng, Southern Tawan Unversty of Scence and Technology, Tanan 71005, Tawan, R.O.C. [email protected], [email protected], [email protected] Abstract Smart card based password for authentcaton has become a common trend. Although smart card brngs convenences, t also ncreases the rsk n the case of lost cards. In other words, when the smart card s possessed by an attacker, the attacker wll possbly attempt to analyze the secret nformaton wthn the smart card to deduce the authentcaton mechansm of the server and then forge user credentals or break the entre authentcaton system. In ths paper, we analyze the lost smart card attack from Juang, et al. s scheme [9] that proposes password authentcated key agreement and propose an mproved robust and effcent user authentcaton and key agreement scheme usng smart cards. In order to bolster the securty of the entre system, we mtgated some of ts weaknesses. Keywords: Key exchange, Ellptc curve cryptosystem, Smart card, Authentcaton 1. Introducton When a user wants to obtan server-related servces, the user wll use password authentcaton to verfy dentty to the server. Untl now, many dfferent authentcaton schemes have been proposed. In 2005, Fan et al. proposed a robust remote authentcaton scheme wth smart cards [3]. They clamed that ther proposed scheme can satsfy the followng eght crtera: 1. Lower computatonal workload for smart cards. 2. Does not requre the user passwords table. 3. Users can choose ther own passwords freely. 4. Clock synchronzaton s not requred and no delay-tme lmtatons. 5. Thwarts replay attack. 6. Provdes server authentcaton. 7. Offlne dctonary attacks are neffectve. 8. Lost cards can be revoked wthout changng user denttes. The major contrbuton of Fan, et al. s scheme (for short FCZ-scheme) [3] s provdng a method for resstng offlne dctonary attack so that the scheme s secure 75

2 even f the attackers acqure the nformaton stored on the smart card. In 2008, Juang, et al., (for short JCL-scheme) [9] pont out the major drawbacks are loss of anonymty for the user and hgh computaton and communcaton cost n Fan, et al. s scheme. Furthermore, JCL-scheme does not provde a functon for sesson key agreement and cannot prevent nsder attack [5]. To mprove upon these drawbacks, Juang, et al., proposed a scheme that not only can provde dentty protecton but also keep lower communcaton and computaton cost by usng ellptc curve cryptosystems. They also proposed a soluton for mnmzng the rsk of lost cards. In other words, n order to avod nformaton leakage when a card s lost, the card can be revoked. Ths approach seems vable on the surface, but actually has a desgn flaw. The use of a fxed server key allows an offlne attack to be mounted aganst the server key when an attacker possesses the user card. Therefore, we propose to mprove JCL-scheme and mtgate the exposure of the entre system when a smart card s compromsed. The paper s organzed as follows: In Secton 2, we revew JCL-scheme [9] and analyze ts weaknesses. In Secton 3, we propose our scheme. In Secton 4, the securty analyss of our proposed scheme and comparson wth JCL-scheme are dscussed. Fnally, n Secton 5, we conclude the paper. 2. Revew and Analyss of the JCL-scheme In 2008, Juang, et al., proposed a robust and effcent user authentcaton and key agreement scheme whch not only satsfes all the benefts of Fan-Zhang scheme but can also provde dentty protecton and sesson key agreement. It can wthstand nsder attack and has low communcaton and computaton requrements by utlzng ellptc curve cryptosystem. A revew and analyss of the JCL-scheme s gven n ths secton The JCL-scheme The JCL-scheme [9] conssts of fve phases: parameter generaton, regstraton, precomputaton, log-n, and the password-changng phase. Descrptons of these phases are gven below. Parameter Generaton Phase The related parameters n ths scheme are as follows: (1) The server selects three numbers: a larger prme number P and two feld elements (a, b). 3 2 Where a ZP and b ZP must satsfy 4a 27b (modp) 0, and the ellptc curve equaton s defned as: : y 2 x 3 ax b. E P (2) The server generates a pont G from order n, and satsfes n G O. (3) The server selects a random number x s to be the prvate key, and computes the publc key P ( x G). S s (4) The server publshes the parameters ( P, P, E, G, n) S P. Regstraton Phase The user wll use the smart card to regster and send dentfcaton nformaton to the server. The server wll then verfy the user. Descrptons of these steps are as follows: 76

3 (1) The user wll select a random number b, and { ID, h( PW b)} wll be passed to the server. (2) After the server receves the message, t wll calculate b =E s ( h(pw b) ID CI h(id CI h(pw b)) ) and V h ID, s, CI ) where ID s the user s dentty and CI s ( { ID, CI the card number. The server wll store } n the nternal regstry. Fnally, ID, CI, b, V ) s returned to the user. ( Pre-computaton Phase The smart card chooses a random number r and calculates e ( r G) and c ( r PS ) r x G. Then (e, c) stored n card s memory. In the log-n phase, (e, c) wll also be used. Log-n Phase If the user wants to log-n to the server, he wll cooperatvely perform the followng steps: Step 1: The smart card calculates EV (e) and sends EV (e) and b to the server. The server uses the secret key s to decrypt b, n other word, Ds ( b ) ( ID CI h( PW b)), and calculates V h ID, s, CI ) to D ( E ( e)) e. Then, the server wll verfy the followng thngs: ( V V Is CI stored n the regstraton table? Is ID n the regstraton? Step 2: If any of the above checks are false, the server revokes the agreement. If the above verfcatons are true, the server chooses a random number u and calculates c ( r PS ) r x G and M S h( c u V ). Then, the server sends (c, M s ) to the smart card. Step 3: The smart card calculates and checks M S. If M s h( c u V ), the smart card calculates M U = h(h(pw b) V c u) and a sesson key S k = h(v,c,u) and then sends M U to the server. Step 4: The server checks M U. If M U = h(h(pw b) V c u), the server calculates a sesson key S k = h(v,c,u). Password-Changng Phase If the user wants to change hs password, the smart card can encrypt the password changng message usng the sesson key that s produced n the log-n phase. To do so, the smart card selects a random number b* and produces another new password PW and sends * E sk (ID,h(PW * b*)) to the server. After the server receves the message, t recalculates b =E s (h(pw* b*) ID CI h(id CI h(pw * b*))) and sends E Sk (b *) to the smart card. The smart card wll decrypt b * usng a sesson key and store t n ts memory Securty analyss of the JCL-scheme Juang, et al., proposed many nsghtful securty analyses to ther scheme. They also proposed a soluton for the ssue of lost cards and mnmzed system nformaton dsclosure by usng card revocaton. As mentoned before, the system may be compromsed by extractng nformaton from the smart card n order to falsfy server authentcaton. * 77

4 Specfcally, n the case of known ID and CI (these messages are stored on the smart card), the attacker wll attempt to solve V h( ID, s, CI ). The attacker can seek out the secret server key s usng offlne attack. After the secret value s s known, the attacker can freely tamper wth the nternal value of b, compromsng the securty of the entre system. 3. The Proposed Scheme We mprove on JCL-scheme and propose an enhanced password-authentcaton key agreement. Ths scheme not only mantans all the benefts of the JCL-scheme but also can enhance the securty of the server when the smart card contents are dsclosed. Our proposed scheme also conssts of the same fve phases: parameter generaton, regstraton, precomputaton, log-n, and password-changng. Parameter Generaton Phase In ths phase, the proposed methods modeled after JCL-scheme. (1) The server selects three numbers: a larger prme number P and two feld elements (a, b). Where a ZP and ZP equaton s defned as: 3 2 b must satsfy 4a 27b (modp) 0, and the ellptc curve E P 2 3 : y x ax b. (2) The server generates a pont G from order n, and satsfes n G O. (3) The server selects a random number x s to take the prvate key, and computes the publc key P ( x G). S s (4) The server publshes the parameters ( P, P, E, G, n) Regstraton Phase S P. The user can use the smart card to send dentfcaton nformaton for the server to authentcate. Descrptons of these steps (as depcted n Fgure 1) are as follows: Step 1: The smart card chooses a random number b and calculates Eq.(1). T 1 = h(pw b -1 ). (1) Then the smart card sends {ID,h(PW b), T 1 } to the server. Step 2: The server chooses another random number S 2 and calculates Eqs.(2-4). T 2 = T 1 S 2-1 b = E S 1 (h(pw b) T 2 ID CI h(id CI h(pw b))) (3) V h ID, T, CI ) (4) ( 1 Then, the server ssues credentals to user that contans parameters (ID,CI,b,V ). Step 3: The user receves (ID,CI,b,V ) and then stores these parameters and b nto the smart card. (2) 78

5 Pre-computaton Phase The smart card chooses a random number r and calculates: e ( r G) (5) c ( r PS ) r x G (6) Then (e, c) s stored n card memory for use n the log-n phase. Fgure 1. Regstraton and Pre-computaton Phase of the Proposed Scheme Log-n Phase The user wants to logn to the server and must use hs own smart card and password. Descrptons of these steps (as depcted n Fgure 2) are as follows: Step 1: After calculatng EV (e), the smart card sends EV (e) and b to the server. Step 2: The server decrypts b usng the secret key S 1 and obtans D (T 2 ID CI h(pw b)) = b, and calculates Eq.(7) and Eq.(8), respectvely. T 1 T2 S2 (7) V h ID, T, CI ) (8) ( 1 Then, the server wll verfy the followng: Is CI stored n the regstraton table? Is ID n the regstraton? If any of the above verfcatons are false, the server revokes the agreement. If the above verfcatons are true, the server chooses a random number u and calculates: Then, the server sends (c, c =(e x)=( r x G) (9) M S = h(c u V ) (10) M S ) to the smart card. S 1 79

6 Step 3: The smart card calculates and checks M S. If Ms s true, the smart card calculates: M U = h(h(pw b) T 1 c u) (11) S k = h(v,c,u) (12) And then the smart card sends M U to the server. Step 4: The server checks M U. If M U s true, the server calculates a sesson key S k = h(v,c,u) and accepts the log-n request. Password-Changng Phase When user wants to change hs password, the smart card can encrypt the password changng message usng the sesson key that s produced n the log-n phase. Then, the smart * card selects a random number b* and produces another new password PW and sends (ID,h(PW * b*), T 1 ) to the server. After the server receves the message, t recalculates E S k b * = E S 1 (h(pw* b*) T 2 ID CI h(id CI h(pw * b*))) and sends E S k (b *) to the smart card. The smart card wll decrypt b * usng a sesson key and store b * and b* n ts memory (as depcted n Fgure 3). Fgure 2. Log-n Phase of the Proposed Scheme Fgure 3. Password Changng Phase of the Proposed Scheme 80

7 4. Securty Analyss and Comparson In ths secton, we wll analyze the securty of our proposed scheme and make some comparsons wth related schemes Securty Analyss In ths paper, our proposed scheme provdes the same benefts as JCL-scheme [9] but also mproves upon ther scheme. Though the approaches are smlar, dsclosng the nformaton on a smart card s catastrophc to JCL-scheme leads to total compromse. We dscuss two dfferent aspects of our approach: Lost smart card Assume the attacker accesses the smart card and wants ascertan nternal value b. Value b cannot be decrypted wthout possessng the secret server key S 1. In the case of known ID and CI, f the attacker tres to calculate V h( ID, T1, CI ), the value T 1 s requred. In order to obtan T 1, the attacker needs to know the user password PW n h(pw b -1 ). Dsclosure of the nformaton on the smartcard stll requres addtonal nformaton n order to be of any value. Mutual authentcaton In the log-n phase of our proposed scheme, the server sends M s to the smart card. After recevng M s, the smart card verfes t s true or false. The server can check f h(pw b) n M U s equal to h(pw b) n b. If t s not, the server sends a wrong password message back to the user. Preventng the Replay Attack What s replay attack? That s when an attacker tres to mtate the user to log n to the server by resendng the messages transmtted between the user and the server. In our proposed scheme, we use random numbers to prevent ths knd of attack. The smart card chooses a random number r and calculates e ( r G) and c ( r PS ) r x G n the precomputaton phase and then sends t to the server n the log-n phase. The second random number u s chosen by the server. Securty of secret keys In our proposed scheme, we use two secret keys (S 1, S 2 ). The server decrypts b usng the secret key S 1, and calculates T 1 from secret key S 2 and T 2. In our scheme, assumng the attacker holds the user s card and uses offlne attack to obtan the server key, t wll not result n ncreased rsk to the entre system. For revocaton, we use Juang et al. s mechansm to revoke the card to ensure the prvacy of the user Comparson The followng table compares the propertes of the proposed scheme and prevous schemes [3, 4, 5, 6, 9, 10]: C1: low communcaton and computaton cost C2: no password table C3: users can choose the passwords C4: no tme-synchronzaton problem C5: mutual authentcaton C6: revokng a lost card wthout changng the user s dentty 81

8 C7: dentty protecton C8: sesson key agreement C9: preventng offlne dctonary attack aganst the smart card nformaton Table 1. Propertes of the Proposed Scheme versus Prevous Schemes 5. Concluson In ths paper, we revew JCL-scheme [9] and dscuss the major drawbacks of ther scheme. Then we proposed an mprovement scheme that not only mantans all the benefts of the JCL-scheme but also enhances the securty of the server when the server key s dsclosed. In our scheme, even f the attacker holds the user s card, and mounts an offlne attack to obtan the server key, t wll not result n rsk to the entre system. We use Juang, et al. s mechansm to revoke cards and ensure the prvacy of the user. Possesson of a smart card does not allow knowledge of the second secret key n the server, so the attacker cannot break the securty of the system. Acknowledgements Ths work was supported by NSC E References [1] A. Jursc and A. Menezes, Ellptc Curves and Cryptography, (1997), pp [2] D. Nguyen, S. Oh and B. You, A framework for Internet-based nteracton of humans, robots, and responsve envronments usng agent technology, IEEE Trans. Ind. Electron., vol. 52, (2005), pp [3] Fan, Y. Chan and Z. Zhang, Robust remote authentcaton scheme wth smart cards, Computer Securty, vol. 24, (2005), pp [4] H. Chen, J. Jan and Y. Tseng, An effcent and practcal soluton to remote authentcaton: Smart card, Computer Securty, vol. 21, (2002), pp [5] H. Sun, An effcent remote use authentcaton scheme usng smart cards, IEEE Trans. Consum. Electron., vol. 46, (2000), pp [6] H. Hwang and L. L, A new remote user authentcaton scheme usng smart cards, IEEE Trans. Consum. Electron., vol. 46, (2000), pp

9 [7] K. Saeed and M. Nammous, A speech-and-speaker dentfcaton system: Feature extracton, descrpton, and classfcaton of speech-sgnal Image, IEEE Trans. Ind. Electron., vol. 54, (2007), pp [8] N. Kobltz, A. Menezes and S. Vanstone, The state of ellptc curve cryptography, Desgns, Codes Cryptography, vol. 19, (2000), pp [9] W. S. Juang, S. T. Chen and H. T. Law, Robust and Effcent Password-Authentcated Key Agreement Usng Smart Cards, IEEE Transactons on Industral Electroncs, vol. 55, (2008), pp [10] W. Juang, Effcent password authentcated key agreement usng smart cards, Computer Securty, vol. 23, (2004), pp [11] W. Ku and S. Chen, Weaknesses and mprovements of an effcent password based remote user authentcaton scheme usng smart cards, IEEE Trans. Consum. Electron., vol. 50, (2004), pp [12] W. Yang and S. Sheh, Password authentcaton schemes wth smart cards, Computer Securty, vol. 18, (1999), pp Authors Ka Chan He was born n Kaohsung, Tawan, on March 13, He receved the M.S. degree n Electrcal Engneerng from Natonal Tawan Unversty n He s a lecturer n the Department of Computer and Informaton Scence at the Republc of Chna Mltary Academy. He s currently pursung hs Ph.D. degree n Cryptography from the Insttute of Computer Scence and Communcaton Engneerng at Natonal Cheng Kung Unversty under Profs. Ch-Sung Lah and Jar-Ferr Yang. Hs research nterests nclude Network and Informaton Securty, wth a concentraton on appled Cryptography. Wen-Chung Kuo He receved the B.S. degree n Electrcal Engneerng from Natonal Cheng Kung Unversty and M.S. degree n Electrcal Engneerng from Natonal Sun Yat-Sen Unversty n 1990 and 1992, respectvely. Then, He receved the Ph.D. degree from Natonal Cheng Kung Unversty n Now, he s an assocate professor n the Department of Computer Scence and Informaton Engneerng at Natonal Yunln Unversty of Scence & Technology. Hs research nterests nclude steganography, cryptography, network securty and sgnal processng. Jn-Chou Cheng He was born n He receved hs M.S. degree n Communcaton Engneerng from Natonal Chao Tung Unversty, Tawan, R.O.C. n 1985 and Ph.D. degree n Electrcal Engneerng form Natonal Cheng Kung Unversty n He s an assocate professor n the Department of Computer Scence and Informaton Engneerng at Southern Tawan Unversty from He s engaged n the research of applcaton of Ellptc Curve Cryptography. Hs research nterests also nclude network securty and Stegography. 83

10 84