Revisiting the “An Improved Remote User Authentication Scheme with Key Agreement”

Yalin Chen¹ and Jue-Sam Chou*² and I - Chiung Liao³

¹Institute of information systems and applications, National Tsing Hua University, Taiwan.

²Department of Information Management, Nanhua University, Taiwan.

Corresponding Author Email: jschou@nhu.edu.tw

DOI : http://dx.doi.org/10.13005/ojcst11.04.03

ABSTRACT:

Recently, Kumari et al., pointed out that Chang et al.’s scheme “Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update” has several drawbacks and does not provide any session key agreement. Hence, they proposed an improved remote user authentication scheme with key agreement based on Chang et al.’s protocol. They claimed that the improved method is secure. However, we found that their improvement still has both anonymity breach and smart card loss password guessing attack which cannot be violated in the ten basic requirements advocated for a secure identity authentication using smart card by Liao et al. Thus, we modify their protocol to encompass these security functionalities which are needed in a user authentication system using smart card.

KEYWORDS: Anonymity; Cryptanalysis; Dynamic Identity; Key Agreement; Password Change; Remote User Authentication; Smart Card; Untraceable; User Authentication

Copy the following to cite this article: Chen Y, Chou J. S, Liao I – C. Revisiting the “An Improved Remote User Authentication Scheme with Key Agreement”. Orient.J. Comp. Sci. and Technol;11(4)

Copy the following to cite this URL: Chen Y, Chou J. S, Liao I – C. Revisiting the “An Improved Remote User Authentication Scheme with Key Agreement”. Orient.J. Comp. Sci. and Technol;11(4). Available from: https://bit.ly/2CVDkf9

Introduction

There have been many cryptographic scientists working within the field of remote user authentication using smart card system design.^1-22 A user authentication system using smart card contains two roles: the user and the server; and three protocols: registration, login and authentication, and password change. In the design principle, the user’s identity cannot be revealed to a third party to ensure the login privacy. In 2014,Kumari et al.,¹⁴ found that Chang et al.,s scheme¹⁵ has some shortcoming, including (1) offline password guessing attack, (2) impersonation attacks, (3) insider attack, (4) anonymity violation when the smart card is obtained by a legal user, (5) suffering the denial of service attack, and (6) doesn’t provide session key agreement. Hence, they overcome the security weaknesses by proposing a new one. It possesses user anonymity property and mutual authentication, and offers a secure password change, without demanding any database kept on the server. They claimed that the proposed scheme resists various attacks, including those existed in Chang et al.s’, and outperforms the other six related schemes in the aspect of security demands. Yet, upon a closer examination, we discovered that it suffers from the security weaknesses of (1) anonymity violation, and (2)the password guessing attack when the smart card is lost, still. To enhance, we modified their scheme to include these features. We will demonstrate the enhancement in this article.

Besides, In 2018, Gupta et al.,²² propose a lightweight anonymous user authentication and key establishment scheme for wearable devices, which is a good design; however, we found the scheme needs to store a verifier table on the server’s side. This violates one of the ten security requirements for an authentication scheme advocated by Liao et al. In addition, the two parameters MGID_i, MSID_i keep unchanged forever, which might incur some malicious attempts. Meanwhile, each GWN_i can launch an offline X_ser (the server’s secret) guessing attack, because e_i equals to h (MI_u∥X_ser) ⊕ h (MP_u∥X_GWNi).

The rest of this article is organized as follows. In Section 2, we briefly introduce Kumari et al.’s Scheme. Section 3 analyzes the weaknesses of the scheme. The modifications and the security issues are demonstrated and discussed in Section 4 and 5, respectively. Finally, we give a conclusion in Section 6.

Review of Kumari et al.’s Scheme

Kumari et al.’s improved protocol is based on Chang et al.’s protocol.¹⁵ It also consists of two roles: the user and remote server; and three phases: registration, login, authentication, and password change phase. They claimed that their scheme not only eliminates all security vulnerabilities in Chang et al.’s scheme, but also introduces the session key agreement. In this article, we only review the registration phase, and login and authentication phase to illustrate their weaknesses. As for the definitions of use notations, please refer to the original article.

Registration Phase

When user Ui registers at server Si, both sides perform the followings.

1. The user U_i picks his identity ID_i, password PW_i, and selects a random nonce b. He then calculates RPW_i = h(b∥PW_i) and transmits the registration message {ID_i, RPW_i} over a secure channel to Si.
2. After acquirig the registration message sent by Ui, Si randomly chooses a number yi, which is different from the other users’.
3. Si counts the value N_i = h (ID_i∥x) ⊕ RPW_i, Y_i = y_i ⊕ h (ID_i||x), D_i = h (ID_i||y_i||RPw_i) and E_i = y_i ⊕ h (y||x)
4. Si deposits the values {Y_i, D_i, E_i, h(.)} into U_i’s smart card SC_i and delivers {SC_i and N_i}to U_i through a safe passage.
5. After obtaining the message from SC_i, U_i calculates A_i = (ID_i||Pw_i) ⊕ b, M_i = N_i ⊕ b, and stores A_i, M_i into SC_i which now contains the parameters {Y_i, D_i, E_i, h (.), A_i and M_i} in its storage. After that, U_i needs not bear in mind the random number b anymore.

Login Phase

This phase is to enable Ui access the needed resources from a server. Firstly, U_i plugs in his SC_i into a card reader and infiltrates his username ID_i and password PW_i. SC_i then verifies its real owner with the secret data it stored by using the following steps.

1. First, computes b = A_i ⊕ (ID_i||Pw_i), RPw_i = h(b||Pw_i), h(ID_i||x) = M_i ⊕ RPw_i ⊕ b, and y_i = Y_i ⊕ h (ID_i||x), then calculates D_i*= h (ID_i||y_i||RPw_i).
2. Examines whether the equation D_i*= D_i holds, if it does not hold, SC_i drops the session. U_i then needs to enter PUK (Private Unblocking Key) to re-initialize his SC_i
3. If D_i*= D_i holds, SCi reckons B_i = N_i ⊕ RPw_i =h (ID_i||x), h (y||x) = y_i ⊕ E_i, N_i = M_i ⊕b, CID_i = ID_i ⊕ h (N_i||y_i||T_i), N_i’ = N_i ⊕ h(y_i||T_i), C_i = h (N_i||y_i||B_i||T_i), and F_i = y_i ⊕ (h(y||x)||T_i), where T_i is the system’s current timestamp T_i.
4. SC_i transfers the login postulate {CID_i, N_i’, C_i, F_i, T_i} to S_i.

Authentication Phase

After receiving the login request, S_i and U_i together perform the following steps to authenticate each other:

1. S_i verifies to see whether (T_s – T_i) ＜△T holds, where T_s is the current timestamp of S_i. If it does, S_i accesses y_i = F_i ⊕ (h(y||x)||T_i), N_i = N_i’ ⊕ h (y_i||T_i), and ID_i = CID_i ⊕ h (N_i||y_i||T_i). It then counts B_i*= h (ID_i||x), C_i*= h (N_i||y_i||B_i*||T_i) and contrasts C_i* with C_i.
2. If C_i*=C_i holds, S_i confirms the legality of U_i. It then calculates a = h (B_i*||y_i||Tss) and issues {a, T_ss} to SC_i, where T_ss is the server’s current timestamp.
3. On acquiring {a, T_ss}, SC_i examines T_ss to see if it is fresh. If T_ss is latest, SC_i counts a*= h (B_i||y_i||T_ss) and checks to see whether a*= a holds. If it holds, SC_i confirms the legality of the server.
4. After completing mutual authentication, U_i and S_i both calculate the common session key as Sessku = h (B_i||y_i||T_i||T_ss||h(y||x)) and Sessks= h (B_i*||y_i||T_i||T_ss||h(y||x)), respectively.

Weakness of the Scheme

Due to the parameters {Y_i, D_i, E_i, h(.), A_i and M_i} are stored in the smart card and Ui himself may compute RPw_i = h (b||Pw_i), b = A_i ⊕ (ID_i||Pw_i), h(ID_i||x)= M_i ⊕ RPw_i ⊕ b, and y_i = Y_i ⊕ h (ID_i||x), an insider can compute his own h(y||x)= y_i ⊕ E_i. That is, each user can know the value h(y||x). Under this situation, we can see that their scheme has two weaknesses: (1) Anonymity gap, and (2)The password guessing attack when the smart card is lost. We describe them below.

The Insider Attacks on the Protocol’s Anonymity Property

If a user Bob’s login requisition {CID_i, N_i’, C_i, F_i, T_i} sent to S_i is intercepted by an insider attacker Alice, Alice can know Bob’s y_i by calculating y_i = F_i⊕ (h(y||x)||T_i) and then computing ID_i = CID_i ⊕ h(N_i||y_i||T_i). That is, Alice can get the user’s identity ID_i which now is Bob. Therefore, the anonymity property is violated.

The Smart Card Loss Password Guessing Attack

From the collected login postulating messages {CID_i, N_i’, C_i, F_i, T_i}, and from the equations y_i=F_i ⊕ (h(y||x)||T_i) and h(y||x) = y_i⊕E_i, an insider Alice can calculate the corresponding E_is of each login request by computing E_i = y_i ⊕h(y||x). Therefore, once Bob, who has ever logged into the server, loses his smart card and obtained by Alice, then by comparing the value E_i stored in the lost card with the calculated corresponding E_is. Alice canidentify which login request intercepted is Bob’s. After obtaining the knowledge of Bob’s ID_i, and the stored values A_i, D_i, Alice can successfully launch a smart card loss password guessing attack as follows.

She first guesses the lost card owner’s password as pw_i’, then computes RPw_i’= h (b’||pw_i’), b’ = A_i⊕(ID_i||pw_i’), and D_i’ = h (ID_i||y_i||RPw_i’). Obviously, we can see that if D_i’= D_i, then pw_i’ is Bob’s password. Therefore, the attack succeeds.

Modification

From the weaknesses found in Section 3, we note that the key point is the insider can obtain the value h(y||x). To disguise it, we modify the messages in the registration phase and the login and authentication phases as follows.

Registration Phase

When a user Ui registers to the service provider server Si, both sides cooperatively perform the following steps:

1. The user U_i picks his identifier ID_i, passphrase PW_i, and randomly selects a nonce b. He then calculates RPW_i= h(b∥PW_i) and sends {ID_i, RPW_i} to S_i over a safe route.
2. After obtaing the registration message from U_i, S_i picks two random numbers r_i, y_i, which are different from the other users’.
3. S_i counts the values H_i = y_i ⊕ h (y|| r_i), G_i = r_i ⊕ h (x), E_i = y_i ⊕ h (y||x||y_i), W_i = y_i ⊕ RPW_i, N_i = h (ID_i∥x) ⊕ RPW_i, Y_i = y_i ⊕ h (ID_i||x), and D_i = h (ID_i||y_i||RPw_i)
4. Si deposits the values { G_i, H_i, W_i, Y_i, D_i, E_i, h(.)} to U_i’s smart card SC_i and delivers {SC_i and N_i} to U_i through a secure path.
5. After getting the message from SC_i, U_i calculates A_i = (ID_i||Pw_i) ⊕ b, M_i = N_i ⊕ b, and saves A_i, M_i into the storage of SC_i, which now contains the parameters {G_i, H_i, W_i, Y_i, D_i, E_i, h(.), A_i and M_i}. After that, U_i needs not keep in mind the random number b anymore.

From the above-mentioned, we know that we add three values G_i, H_i,W_i and replace E_i with y_i ⊕ h (y||x|| y_i). The others are the same as the original scheme.

Login and Authentication Phase

This phase is to enable a user U_i access the needed resources from a server. U_i plugs in his SC_i into a card reader and infiltrates his username ID_i and password PW_i. SC_i then verifies its real owner with the secret data stored by using the following steps.

1. First, SC_i computes b = A_i ⊕ (ID_i||Pw_i), RPw_i = h (b||Pw_i), h (ID_i||x)= M_i ⊕ RPw_i ⊕ b, and y_i = Y_i ⊕ h (ID_i||x). It then reckons D_i*= h (ID_i||y_i||RPw_i)
2. SC_i checks whether the equation D_i*= D_i holds, if it does not hold, drops the session. After that, U_i needs to enter PUK (Private Unblocking Key) to re-activate his SC_i
3. In the case of D_i*= D_i holds, SC_i computes y_i = W_i ⊕ RPw_i, h (y||x||y_i)= y_i ⊕ E_i, N_i = M_i ⊕b, CID_i = ID_i ⊕ h (N_i||y_i||T_i), N_i’ = N_i ⊕ h (y_i||T_i), B_i = N_i ⊕ RPw_i =h (ID_i||x), C_i = h (N_i||y_i||B_i||T_i) and F_i = y_i ⊕ (h(y||x||y_i)||T_i), where T_i is the system’s current timestamp T_i.
4. SC_i transfers the login requisition { G_i, H_i, CID_i, N_i’, C_i, F_i, T_i} to the server S_i.

Authentication Phase

After obtaining the login demand, S_i and U_i together exercise the following steps to authenticate each other:

1. S_i verifies to see whether (T_s – T_i) ＜△T holds, where Ts is the server’s current timestamp. If it does, S_i computes r_i = G_i ⊕ h(x), y_i = H_i⊕h(y|| r_i). Then, calculates h(y||x||y_i) to retrieve y_i = F_i ⊕ (h(y||x||y_i)||T_i), N_i = N_i’ ⊕ h(y_i||T_i) and ID_i = CID_i ⊕ h (N_i||y_i||T_i). It then calculates B_i*= h (ID_i||x), C_i*= h (N_i||y_i||B_i*||T_i) and contrasts C_i* with C_i.
2. If C_i*=C_i holds, S_i confirms the legality of U_i. It then counts a = h (B_i*||y_i||Tss) and transfers {a, T_ss} to SC_i, where T_ss is the server’s current timestamp.
3. After getting {a, T_ss}, SC_i dertermines T_ss‘s freshness. If T_ss is latest, SC_i computes a*= h (B_i||y_i||T_ss) and examines to see whether a*= a holds. If it holds, SC_i confirms the legality of the server.
4. After completing mutual authentication, U_i and S_i both calculate the common session key Sessku = h (B_i||y_i||T_i||T_ss||h(y||x)) and Sessks= h (B_i*||y_i||T_i||T_ss||h(y||x)), respectively.

Security Analysis

After the above modification, we can see that without the knowledge of server’s secrets x and y, an insider cannot calculate the value of h(y||x||y_i) due to the one-way hash and the unknown value of y_i. Hence, the insider attack fails. About the lost card password guessing attack, even if an insider obtains a lost card and knows all the parameters stored, however, without the knowledge of y, y_i, b and ID_i, he cannot launch a password guessing attack. Therefore, both attacks in the original article have been resolved.

Conclusion

In this article, we showed that Kumari et al.’s scheme is flawed, because it suffers from (1) The smart card loss password guessing attack, and (2) Anonymity breach. We, therefore, modify the scheme to avoid these weaknesses. From the analysis shown in Section 5, we see that we have corrected the security issues.

References

1. Chun-Ta Li., Min-Shiang Hwang., “An efficient biometrics-based remote user authentication Scheme using smart cards”, Journal of Network and Computer Applications. January 2010; Volume 33, Issue 1: 1–5
2. Wen-Chung Kuo., Hong-Ji Wei., Jiin-Chiou Cheng., “An efficient and secure anonymous mobility network authentication Scheme”, journal of information security and applications. (2014); 19: 18-24
3. Jue-Sam Chou., Yalin Chen., “An Efficient Two-Pass Anonymous Identity Authentication Protocol Using a Smart Card”, Aug 2013; Vol 63, No. 8.
4. Ding Wang., Ping Wang., “Understanding security failures of two-factor authentication Schemes for real-time applications in hierarchical wireless sensor networks”, Ad Hoc Networks. (2014); 20: 1–15
5. “Preserving privacy for free: Efficient and provably secure two-factor authentication Scheme with user anonymity”, Ding Wang, Nan Wang b, Ping Wang, Sihan Qing, Information Sciences. (2015); 321:162–178
6. Muhamed Turkanovic´., Boštjan Brumen., Marko Hölbl., “A novel user authentication and key agreement Scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion”, Ad Hoc Networks (2014); 20: 96–112
7. Kaiping Xue, Peilin Hong, Changsha Ma, “A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture”, Journal of Computer and System Sciences. (2014); 80: 195–206
8. Ding Wang., Ping Wang., “On the anonymity of two-factor authentication Schemes for wireless sensor networks: Attacks, principle and solutions” Computer Networks. (2014); 73: 41–57
9. Chun-Ta Li., Cheng-Chi Lee., “A novel user authentication and privacy preserving Scheme with smart cards for wireless communications”, Mathematical and Computer Modelling. (2012); 55: 35–44.
10. Ding Wang., Ping Wang., “Understanding security failures of two-factor authentication Schemes for real-time applications in hierarchical wireless sensor networks”, Ad Hoc Networks (2014); 20: 1–15.
11. Mohammad Sabzinejad Farasha., Muhamed Turkanovic., Saru Kumaric., Marko Hölblb.,“An efficient user authentication and key agreement Scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment” Ad Hoc Networks (2016); 36: 152–176
12. Celia Li., Uyen Trang Nguyen., Hoang Lan Nguyen., Nurul Huda., “Efficient authentication for fast handover in wireless mesh networks”, computers & security (2013) ; 37: I 24 -I 42
13. I-En Liao., Cheng-Chi Lee., Min-Shiang Hwang., “A password authentication Scheme over insecure networks”, Journal of Computer and System Sciences. 2006; Vol. 72, No. 4: 727-740.
14. Kumari Saru., Muhammad Khurram Khan., and Xiong Li. “An improved remote user authentication Scheme with key agreement.” Computers & Electrical Engineering (2014); 40.6: 1997-2012.
15. Chang., Ya‐Fen., Wei‐Liang Tai., and Hung‐Chin Chang. “Untraceable dynamic‐identity‐based remote user authentication Scheme with verifiable password update.” International Journal of Communication Systems 27.11 (2014): 3430-3440.
16. M.-C. Chuang and M. C. Chen, “An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics,” Expert Systems with Applications. 2014; vol. 41: 1411-1418.
17. M. Karuppiah and R. Saravanan, “A secure remote user mutual authentication scheme using smart cards,” Journal of Information Security and Applications. 2014; vol. 19: 282-294.
18. D. Mishra, A. K. Das, and S. Mukhopadhyay, “A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards,” Expert Systems with Applications, 2014; vol. 41: 8129-8143.
19. A. K. Das., and A. Goswami., “A robust anonymous biometric-based remote user authentication scheme using smart cards,” Journal of King Saud University – Computer and Information Sciences. 2015; vol. 27: 193-210.
20. V. Odelu, A. K. Das, and A. Goswami, “An efficient ECC-based privacy-preserving client authentication protocol with key agreement using smart card,” Journal of Information Security and Applications. 2015;vol. 21: 1-19.
21. D. Wang, N. Wang, P. Wang, and S. Qing, “Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity,” Information Sciences, 2015.
22. Gupta A., Tripathi M., Shaikh T. J., & Sharma A., “A Lightweight Anonymous User Authentication and Key Establishment Scheme for Wearable Devices”, Computer Networks, 2018.

---

This work is licensed under a Creative Commons Attribution 4.0 International License.