A Secure Password-Authenticated Key Agreement Using Smart Cards




Kai Chain 1, Wen-Chung Kuo 2 and Jiin-Chiou Cheng 3

1 Department of Computer and Information Science, R.O.C. Military Academy, Kaohsiung 83059, Taiwan, R.O.C.
2 Department of Computer Science and Information Engineering, National Yunlin University of Science and Technology, Yunlin 64002, Taiwan, R.O.C.
3 Department of Computer Science and Information Engineering, Southern Taiwan University of Science and Technology, Tainan 71005, Taiwan, R.O.C.
chainkai@mail2000.com.tw, simonkuo@yuntech.edu.tw, chiou@mail.stut.edu.tw

Abstract

Smart card based password authentication has become a common trend. Although the smart card brings convenience, it also increases the risk in the case of lost cards. In other words, when the smart card is possessed by an attacker, the attacker will possibly attempt to analyze the secret information within the smart card to deduce the authentication mechanism of the server and then forge user credentials or break the entire authentication system. In this paper, we analyze the lost smart card attack on Juang et al.'s scheme [9], which proposes password-authenticated key agreement, and propose an improved robust and efficient user authentication and key agreement scheme using smart cards. In order to bolster the security of the entire system, we mitigated some of its weaknesses.

Keywords: Key exchange, Elliptic curve cryptosystem, Smart card, Authentication

1. Introduction

When a user wants to obtain server-related services, the user will use password authentication to verify identity to the server. Until now, many different authentication schemes have been proposed. In 2005, Fan et al. proposed a robust remote authentication scheme with smart cards [3]. They claimed that their proposed scheme can satisfy the following eight criteria:

1. Lower computational workload for smart cards.
2. Does not require a user password table.
3. Users can choose their own passwords freely.
4. Clock synchronization is not required and there are no delay-time limitations.
5. Thwarts replay attacks.
6. Provides server authentication.
7. Offline dictionary attacks are ineffective.
8. Lost cards can be revoked without changing user identities.

The major contribution of Fan et al.'s scheme (for short, the FCZ-scheme) [3] is providing a method for resisting offline dictionary attacks so that the scheme is secure even if the attackers acquire the information stored on the smart card. In 2008, Juang et al. (for short, the JCL-scheme) [9] pointed out that the major drawbacks of Fan et al.'s scheme are the loss of anonymity for the user and the high computation and communication cost. Furthermore, the FCZ-scheme does not provide a function for session key agreement and cannot prevent the insider attack [5]. To improve upon these drawbacks, Juang et al. proposed a scheme that not only provides identity protection but also keeps communication and computation costs low by using elliptic curve cryptosystems. They also proposed a solution for minimizing the risk of lost cards: in order to avoid information leakage when a card is lost, the card can be revoked. This approach seems viable on the surface, but actually has a design flaw. The use of a fixed server key allows an offline attack to be mounted against the server key when an attacker possesses the user's card. Therefore, we propose to improve the JCL-scheme and mitigate the exposure of the entire system when a smart card is compromised.

The paper is organized as follows: In Section 2, we review the JCL-scheme [9] and analyze its weaknesses. In Section 3, we propose our scheme. In Section 4, the security analysis of our proposed scheme and a comparison with the JCL-scheme are discussed. Finally, in Section 5, we conclude the paper.

2. Review and Analysis of the JCL-scheme

In 2008, Juang et al. proposed a robust and efficient user authentication and key agreement scheme which not only satisfies all the benefits of the Fan-Zhang scheme but can also provide identity protection and session key agreement. It can withstand the insider attack and has low communication and computation requirements by utilizing an elliptic curve cryptosystem. A review and analysis of the JCL-scheme is given in this section.

2.1. The JCL-scheme

The JCL-scheme [9] consists of five phases: parameter generation, registration, pre-computation, log-in, and the password-changing phase. Descriptions of these phases are given below.
Parameter Generation Phase

The related parameters in this scheme are as follows:

(1) The server selects three numbers: a large prime number $P$ and two field elements $(a, b)$, where $a \in Z_P$ and $b \in Z_P$ must satisfy $(4a^3 + 27b^2) \bmod P \neq 0$, and the elliptic curve equation is defined as $E_P: y^2 = x^3 + ax + b$.
(2) The server generates a point $G$ of order $n$, satisfying $n \cdot G = O$.
(3) The server selects a random number $x_s$ to be the private key, and computes the public key $P_S = (x_s \cdot G)$.
(4) The server publishes the parameters $(P, P_S, E_P, G, n)$.

Registration Phase

The user will use the smart card to register and send identification information to the server. The server will then verify the user. Descriptions of these steps are as follows:

(1) The user will select a random number $b$, and $\{ID, h(PW \oplus b)\}$ will be passed to the server.
(2) After the server receives the message, it will calculate $\bar{b} = E_s(h(PW \oplus b) \| ID \| CI \| h(ID \| CI \| h(PW \oplus b)))$ and $V = h(ID, s, CI)$, where $ID$ is the user's identity and $CI$ is the card number. The server will store $\{ID, CI\}$ in the internal registry. Finally, $(ID, CI, \bar{b}, V)$ is returned to the user.

Pre-computation Phase

The smart card chooses a random number $r$ and calculates $e = (r \cdot G)$ and $c = (r \cdot P_S) = r x_s G$. Then $(e, c)$ is stored in the card's memory. In the log-in phase, $(e, c)$ will be used.

Log-in Phase

If the user wants to log in to the server, he will cooperatively perform the following steps:

Step 1: The smart card calculates $E_V(e)$ and sends $E_V(e)$ and $\bar{b}$ to the server. The server uses the secret key $s$ to decrypt $\bar{b}$, in other words $D_s(\bar{b}) = (ID \| CI \| h(PW \oplus b))$, and calculates $V = h(ID, s, CI)$ to obtain $D_V(E_V(e)) = e$. Then, the server will verify the following: Is $CI$ stored in the registration table? Is $ID$ in the registration?
Step 2: If any of the above checks are false, the server revokes the agreement. If the above verifications are true, the server chooses a random number $u$ and calculates $c = (r \cdot P_S) = r x_s G$ and $M_S = h(c \| u \| V)$. Then, the server sends $(c, M_S)$ to the smart card.
Step 3: The smart card calculates and checks $M_S$. If $M_S = h(c \| u \| V)$, the smart card calculates $M_U = h(h(PW \oplus b) \| V \| c \| u)$ and a session key $S_k = h(V, c, u)$ and then sends $M_U$ to the server.
Step 4: The server checks $M_U$. If $M_U = h(h(PW \oplus b) \| V \| c \| u)$, the server calculates a session key $S_k = h(V, c, u)$.

Password-Changing Phase

If the user wants to change his password, the smart card can encrypt the password-changing message using the session key that is produced in the log-in phase. To do so, the smart card selects a random number $b^*$, produces a new password $PW^*$ and sends $E_{S_k}(ID, h(PW^* \oplus b^*))$ to the server. After the server receives the message, it recalculates $\bar{b}^* = E_s(h(PW^* \oplus b^*) \| ID \| CI \| h(ID \| CI \| h(PW^* \oplus b^*)))$ and sends $E_{S_k}(\bar{b}^*)$ to the smart card. The smart card will decrypt $\bar{b}^*$ using the session key and store it in its memory.

2.2. Security analysis of the JCL-scheme

Juang et al. proposed many insightful security analyses of their scheme. They also proposed a solution for the issue of lost cards and minimized system information disclosure by using card revocation. As mentioned before, the system may be compromised by extracting information from the smart card in order to falsify server authentication. Specifically, in the case of known $ID$ and $CI$ (these values are stored on the smart card), the attacker will attempt to solve $V = h(ID, s, CI)$. The attacker can seek out the secret server key $s$ using an offline attack. After the secret value $s$ is known, the attacker can freely tamper with the internal value of $\bar{b}$, compromising the security of the entire system.

3. The Proposed Scheme

We improve on the JCL-scheme and propose an enhanced password-authenticated key agreement. This scheme not only maintains all the benefits of the JCL-scheme but also enhances the security of the server when the smart card contents are disclosed. Our proposed scheme also consists of the same five phases: parameter generation, registration, pre-computation, log-in, and password-changing.

Parameter Generation Phase

In this phase, the proposed method is modeled after the JCL-scheme.

(1) The server selects three numbers: a large prime number $P$ and two field elements $(a, b)$, where $a \in Z_P$ and $b \in Z_P$ must satisfy $(4a^3 + 27b^2) \bmod P \neq 0$, and the elliptic curve equation is defined as $E_P: y^2 = x^3 + ax + b$.
(2) The server generates a point $G$ of order $n$, satisfying $n \cdot G = O$.
(3) The server selects a random number $x_s$ as the private key, and computes the public key $P_S = (x_s \cdot G)$.
(4) The server publishes the parameters $(P, P_S, E_P, G, n)$.

Registration Phase

The user can use the smart card to send identification information for the server to authenticate. Descriptions of these steps (as depicted in Figure 1) are as follows:

Step 1: The smart card chooses a random number $b$ and calculates Eq. (1):

$T_1 = h(PW \oplus b^{-1})$ (1)

Then the smart card sends $\{ID, h(PW \oplus b), T_1\}$ to the server.
Step 2: The server chooses another random number $S_2$ and calculates Eqs. (2)-(4):

$T_2 = T_1 S_2^{-1}$ (2)
$\bar{b} = E_{S_1}(h(PW \oplus b) \| T_2 \| ID \| CI \| h(ID \| CI \| h(PW \oplus b)))$ (3)
$V = h(ID, T_1, CI)$ (4)

Then, the server issues credentials to the user that contain the parameters $(ID, CI, \bar{b}, V)$.
Step 3: The user receives $(ID, CI, \bar{b}, V)$ and then stores these parameters and $b$ into the smart card.

Pre-computation Phase

The smart card chooses a random number $r$ and calculates:

$e = (r \cdot G)$ (5)
$c = (r \cdot P_S) = r x_s G$ (6)

Then $(e, c)$ is stored in the card's memory for use in the log-in phase.

Figure 1. Registration and Pre-computation Phase of the Proposed Scheme

Log-in Phase

A user who wants to log in to the server must use his own smart card and password. Descriptions of these steps (as depicted in Figure 2) are as follows:

Step 1: After calculating $E_V(e)$, the smart card sends $E_V(e)$ and $\bar{b}$ to the server.
Step 2: The server decrypts $\bar{b}$ using the secret key $S_1$ and obtains $D_{S_1}(\bar{b}) = (T_2 \| ID \| CI \| h(PW \oplus b))$, and calculates Eq. (7) and Eq. (8), respectively:

$T_1 = T_2 S_2$ (7)
$V = h(ID, T_1, CI)$ (8)

Then, the server will verify the following: Is $CI$ stored in the registration table? Is $ID$ in the registration? If any of the above verifications are false, the server revokes the agreement. If the above verifications are true, the server chooses a random number $u$ and calculates:

$c = (e \cdot x_s) = (r x_s G)$ (9)
$M_S = h(c \| u \| V)$ (10)

Then, the server sends $(c, M_S)$ to the smart card.

Step 3: The smart card calculates and checks $M_S$. If $M_S$ is true, the smart card calculates:

$M_U = h(h(PW \oplus b) \| T_1 \| c \| u)$ (11)
$S_k = h(V, c, u)$ (12)

And then the smart card sends $M_U$ to the server.
Step 4: The server checks $M_U$. If $M_U$ is true, the server calculates a session key $S_k = h(V, c, u)$ and accepts the log-in request.

Password-Changing Phase

When the user wants to change his password, the smart card can encrypt the password-changing message using the session key that is produced in the log-in phase. Then, the smart card selects a random number $b^*$, produces a new password $PW^*$ and sends $E_{S_k}(ID, h(PW^* \oplus b^*), T_1)$ to the server. After the server receives the message, it recalculates $\bar{b}^* = E_{S_1}(h(PW^* \oplus b^*) \| T_2 \| ID \| CI \| h(ID \| CI \| h(PW^* \oplus b^*)))$ and sends $E_{S_k}(\bar{b}^*)$ to the smart card. The smart card will decrypt $\bar{b}^*$ using the session key and store $\bar{b}^*$ and $b^*$ in its memory (as depicted in Figure 3).

Figure 2. Log-in Phase of the Proposed Scheme

Figure 3. Password Changing Phase of the Proposed Scheme
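The registration, pre-computation and log-in phases above, modeled end to end with both sides' computations. This is an added example, not code from the paper: secp256k1 stands in for $E_P$, SHA-256 for $h(\cdot)$, and a SHA-256 counter keystream for $E_K/D_K$ (illustration only, it gives no integrity protection). Assumptions the paper leaves open: $T_1$, $T_2$ and $S_2$ are handled in $Z_n$; "$PW \oplus b$" reads the password as an integer; $ID$ and $CI$ are 8-byte fields; and the server sends $u$ together with $M_S$, since the card already holds $c$ and needs $u$ to check $M_S$.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977          # secp256k1 field prime; curve y^2 = x^3 + 7 stands in for E_P
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order n of G

def ec_add(p1, p2):               # affine point addition; None is the point at infinity O
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):                # double-and-add scalar multiplication k * pt
    acc = None
    while k:
        acc = ec_add(acc, pt) if k & 1 else acc
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):                    # the scheme's one-way hash h(.) over concatenated fields
    return hashlib.sha256(b"".join(parts)).digest()
def i2b(n):                       # 32-byte big-endian integer encoding
    return n.to_bytes(32, "big")
def pt_bytes(pt):                 # point encoding x || y
    return i2b(pt[0]) + i2b(pt[1])
def xor_pw(pw, b):                # PW xor b, the (<= 32 byte) password read as an integer
    return i2b(int.from_bytes(pw, "big") ^ b)
def t1_of(pw, b):                 # Eq. (1): T_1 = h(PW xor b^-1), reduced into Z_n (assumption)
    return int.from_bytes(h(xor_pw(pw, pow(b, -1, N))), "big") % N

def enc(key, data):               # toy E_K/D_K stand-in: SHA-256 counter keystream XOR; same call decrypts
    ks = b"".join(hashlib.sha256(key + i2b(i)).digest() for i in range(0, len(data), 32))
    return bytes(x ^ y for x, y in zip(data, ks))

def server_setup():               # server secrets S_1, S_2 and EC key pair (x_s, P_S = x_s * G)
    xs = secrets.randbelow(N - 1) + 1
    return {"S1": secrets.token_bytes(32), "S2": secrets.randbelow(N - 1) + 1,
            "xs": xs, "PS": ec_mul(xs, G), "registry": {}}

def register(srv, ident, pw):     # registration phase; ident is an 8-byte ID; returns the card's state
    b = secrets.randbelow(N - 1) + 1
    hpwb, t1, ci = h(xor_pw(pw, b)), t1_of(pw, b), secrets.token_bytes(8)
    t2 = t1 * pow(srv["S2"], -1, N) % N                                        # Eq. (2)
    bbar = enc(srv["S1"], hpwb + i2b(t2) + ident + ci + h(ident, ci, hpwb))    # Eq. (3)
    v = h(ident, i2b(t1), ci)                                                  # Eq. (4)
    srv["registry"][ident] = ci
    return {"ID": ident, "CI": ci, "bbar": bbar, "V": v, "b": b, "pw": pw}

def login(srv, card):             # pre-computation + log-in; returns (S_k at card, S_k at server) or None
    r = secrets.randbelow(N - 1) + 1
    e, c = ec_mul(r, G), ec_mul(r, srv["PS"])                                  # Eqs. (5), (6)
    ev_e = enc(card["V"], pt_bytes(e))                     # step 1: card sends E_V(e), b-bar
    pl = enc(srv["S1"], card["bbar"])                      # step 2: server computes D_S1(b-bar)
    hpwb, t2, ident, ci = pl[:32], int.from_bytes(pl[32:64], "big"), pl[64:72], pl[72:80]
    ok_reg = pl[80:] == h(ident, ci, hpwb) and srv["registry"].get(ident) == ci
    t1 = t2 * srv["S2"] % N                                                    # Eq. (7)
    v = h(ident, i2b(t1), ci)                                                  # Eq. (8)
    e_raw = enc(v, ev_e)                                   # D_V(E_V(e)) = e
    e_pt = int.from_bytes(e_raw[:32], "big"), int.from_bytes(e_raw[32:], "big")
    c_srv = pt_bytes(ec_mul(srv["xs"], e_pt))                                  # Eq. (9): c = x_s * e
    u = secrets.token_bytes(32)
    ms = h(c_srv, u, v)                                    # Eq. (10); server sends (u, M_S)
    ok_card = ms == h(pt_bytes(c), u, card["V"])           # step 3: card checks M_S
    mu = h(h(xor_pw(card["pw"], card["b"])), i2b(t1_of(card["pw"], card["b"])), pt_bytes(c), u)  # Eq. (11)
    sk_card = h(card["V"], pt_bytes(c), u)                                     # Eq. (12)
    ok_srv = mu == h(hpwb, i2b(t1), c_srv, u)              # step 4: server checks M_U
    return (sk_card, h(v, c_srv, u)) if ok_reg and ok_card and ok_srv else None
```

A correct password yields the same $S_k$ on both sides, with a fresh key per run because $r$ and $u$ are fresh; a wrong password fails the $M_U$ check in step 4 and no key is accepted.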

4. Security Analysis and Comparison

In this section, we will analyze the security of our proposed scheme and make some comparisons with related schemes.

4.1. Security Analysis

In this paper, our proposed scheme provides the same benefits as the JCL-scheme [9] but also improves upon their scheme. Though the approaches are similar, disclosing the information on a smart card is catastrophic to the JCL-scheme and leads to total compromise. We discuss the following aspects of our approach:

Lost smart card: Assume the attacker accesses the smart card and wants to ascertain the internal value $\bar{b}$. The value $\bar{b}$ cannot be decrypted without possessing the secret server key $S_1$. In the case of known $ID$ and $CI$, if the attacker tries to calculate $V = h(ID, T_1, CI)$, the value $T_1$ is required. In order to obtain $T_1$, the attacker needs to know the user password $PW$ in $h(PW \oplus b^{-1})$. Disclosure of the information on the smart card still requires additional information in order to be of any value.

Mutual authentication: In the log-in phase of our proposed scheme, the server sends $M_S$ to the smart card. After receiving $M_S$, the smart card verifies whether it is true or false. The server can check if $h(PW \oplus b)$ in $M_U$ is equal to $h(PW \oplus b)$ in $\bar{b}$. If it is not, the server sends a wrong-password message back to the user.

Preventing the replay attack: What is a replay attack? It is when an attacker tries to imitate the user to log in to the server by resending the messages transmitted between the user and the server. In our proposed scheme, we use random numbers to prevent this kind of attack. The smart card chooses a random number $r$ and calculates $e = (r \cdot G)$ and $c = (r \cdot P_S) = r x_s G$ in the pre-computation phase and then sends it to the server in the log-in phase. The second random number $u$ is chosen by the server.

Security of secret keys: In our proposed scheme, we use two secret keys $(S_1, S_2)$. The server decrypts $\bar{b}$ using the secret key $S_1$, and calculates $T_1$ from the secret key $S_2$ and $T_2$. In our scheme, assuming the attacker holds the user's card and uses an offline attack to obtain the server key, it will not result in increased risk to the entire system. For revocation, we use Juang et al.'s mechanism to revoke the card to ensure the privacy of the user.

4.2. Comparison

The following table compares the properties of the proposed scheme and previous schemes [3, 4, 5, 6, 9, 10]:

C1: low communication and computation cost
C2: no password table
C3: users can choose the passwords
C4: no time-synchronization problem
C5: mutual authentication
C6: revoking a lost card without changing the user's identity
C7: identity protection
C8: session key agreement
C9: preventing offline dictionary attack against the smart card information

Table 1. Properties of the Proposed Scheme versus Previous Schemes

5. Conclusion

In this paper, we reviewed the JCL-scheme [9] and discussed the major drawbacks of their scheme. Then we proposed an improved scheme that not only maintains all the benefits of the JCL-scheme but also enhances the security of the server when the server key is disclosed. In our scheme, even if the attacker holds the user's card and mounts an offline attack to obtain the server key, it will not result in risk to the entire system. We use Juang et al.'s mechanism to revoke cards and ensure the privacy of the user. Possession of a smart card does not allow knowledge of the second secret key in the server, so the attacker cannot break the security of the system.

Acknowledgements

This work was supported by NSC 101-2221-E-224-100.

References

[1] A. Jurisic and A. Menezes, "Elliptic Curves and Cryptography," (1997), pp. 1-13.
[2] D. Nguyen, S. Oh and B. You, "A framework for Internet-based interaction of humans, robots, and responsive environments using agent technology," IEEE Trans. Ind. Electron., vol. 52, (2005), pp. 1521-1529.
[3] Fan, Y. Chan and Z. Zhang, "Robust remote authentication scheme with smart cards," Computer Security, vol. 24, (2005), pp. 619-628.
[4] H. Chen, J. Jan and Y. Tseng, "An efficient and practical solution to remote authentication: Smart card," Computer Security, vol. 21, (2002), pp. 372-375.
[5] H. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 46, (2000), pp. 958-961.
[6] H. Hwang and L. Li, "A new remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 46, (2000), pp. 28-30.
[7] K. Saeed and M. Nammous, "A speech-and-speaker identification system: Feature extraction, description, and classification of speech-signal image," IEEE Trans. Ind. Electron., vol. 54, (2007), pp. 887-897.
[8] N. Koblitz, A. Menezes and S. Vanstone, "The state of elliptic curve cryptography," Designs, Codes and Cryptography, vol. 19, (2000), pp. 173-193.
[9] W. S. Juang, S. T. Chen and H. T. Liaw, "Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards," IEEE Transactions on Industrial Electronics, vol. 55, (2008), pp. 2551-2556.
[10] W. Juang, "Efficient password authenticated key agreement using smart cards," Computer Security, vol. 23, (2004), pp. 167-173.
[11] W. Ku and S. Chen, "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 50, (2004), pp. 204-207.
[12] W. Yang and S. Shieh, "Password authentication schemes with smart cards," Computer Security, vol. 18, (1999), pp. 727-733.

Authors

Kai Chain: He was born in Kaohsiung, Taiwan, on March 13, 1975. He received the M.S. degree in Electrical Engineering from National Taiwan University in 2001-2003. He is a lecturer in the Department of Computer and Information Science at the Republic of China Military Academy. He is currently pursuing his Ph.D. degree in Cryptography at the Institute of Computer Science and Communication Engineering, National Cheng Kung University, under Profs. Chi-Sung Laih and Jar-Ferr Yang. His research interests include Network and Information Security, with a concentration on applied Cryptography.

Wen-Chung Kuo: He received the B.S. degree in Electrical Engineering from National Cheng Kung University and the M.S. degree in Electrical Engineering from National Sun Yat-Sen University in 1990 and 1992, respectively. Then, he received the Ph.D. degree from National Cheng Kung University in 1996. Now, he is an associate professor in the Department of Computer Science and Information Engineering at National Yunlin University of Science & Technology. His research interests include steganography, cryptography, network security and signal processing.

Jiin-Chiou Cheng: He was born in 1961. He received his M.S. degree in Communication Engineering from National Chiao Tung University, Taiwan, R.O.C. in 1985 and the Ph.D. degree in Electrical Engineering from National Cheng Kung University in 2009. He has been an associate professor in the Department of Computer Science and Information Engineering at Southern Taiwan University since 1990. He is engaged in research on the application of Elliptic Curve Cryptography. His research interests also include network security and Steganography.
