
Chapter 3 A Secure and Efficient Password Authentication with

3.2 Discussions

In this section, we examine the security and the performance of the improved protocol.

3.2.1 Security Analysis

In this section, we analyze the security of the improved method as follows. Based on Guo and Chang's scheme [20], our scheme overcomes the weaknesses indicated in Section 2.3. We summarize the comparison of the proposed scheme with Guo and Chang's in Table 1. The security of the proposed scheme can be shown as follows:

(1) Mutual authentication

At the beginning of the authentication phase, the user $U_i$ selects a random number $u$ and sends the message $\{CID_i, T_u(h(ID_i \| d)), Y_i, T_1\}$ to the server $S$, where

The user $U_i$ could authenticate the server $S$ by checking the validity of $R_i$. Hence, the proposed scheme could provide mutual authentication.

(2) User anonymity

In the authentication process, the user $U_i$'s identity $ID_i$ is included in the message $CID_i = ID_i \oplus KA_i$, where $KA_i = T_u(T_s(x_i))$ and $u$ is a fresh random number. However, without the server's secret key $s$, the adversary cannot obtain the exact $ID_i$ from $CID_i$. Since $KA_i$ is different for each session, the adversary cannot trace the same user $U_i$ from the information $CID_i$. This protects the user from being traced over the network. Even if the secret information $V_i = h(ID_i \| d) \oplus h(pw_i \oplus b_i)$ and $T_s(x_i)$ stored in $U_i$'s smart card are compromised, the adversary could not easily obtain any information about the user's $ID_i$. Therefore, the proposed scheme can achieve the user anonymity property.

(3) Replay attack

The adversary may intercept the message $\{CID_i, T_u(h(ID_i \| d)), Y_i, T_1\}$ and replay it to the server. However, the server could detect the attack by checking the validity of the timestamp $T_1$. Similarly, the adversary may intercept the message $\{T_2, T_v(x_i), R_i\}$ and replay it to $U_i$. The user $U_i$ could also detect the attack by checking the timestamp $T_2$. Therefore, our method could withstand the replay attack.

(4) Off-line password guessing attack

The proposed scheme achieves the user anonymity property. Since $CID_i$ is different for each session, the adversary cannot trace the same user $U_i$ from the information $CID_i$. Therefore, the mutual information of the interactive authentication messages does not reduce the entropy of the user's password and identity. Moreover, suppose that the adversary obtains the data $V_i = h(ID_i \| d) \oplus h(pw_i \oplus b_i)$ and $T_s(x_i)$ stored in $U_i$'s smart card, where

map so as to find the system secrets $d$ and $s$, respectively. In general, the lengths of $d$ and $s$ are about 512-1024 bits. The probability of obtaining the exact $d$ and $s$ is equivalent to that of performing an exhaustive search on $h(ID_i \| d)$ and $T_s(x_i)$, respectively. Therefore, without the knowledge of $d$ and $s$, it is very difficult for someone to impersonate the server or the users.

(6) The insider attack

In the registration phase of our improved method, the user $U_i$ sends the hash value $h(pw_i \oplus b_i)$ instead of the password $pw_i$ to the server, where $b_i$ is a random number generated by the user. The privileged insider $A$ (or the server) cannot get the password, since it is protected by the secure hash function and the random number $b_i$. Therefore, the proposed scheme could withstand the insider attack.

(7) Forward security

After a successful mutual authentication, the session key $KS_i = T_u(T_v(x_i)) = T_v(T_u(x_i))$ is generated for the legal user $U_i$ and the server $S$. However, without the knowledge of $x_i = h(ID_i \| d)$, an adversary cannot easily obtain the exact nonces $u$ and $v$ from the transmitted values $T_u(x_i)$ and $T_v(x_i)$. Therefore, it is computationally intractable for the adversary to derive the session key $KS_i$ from $T_u(x_i)$ and $T_v(x_i)$. Even if an intruder obtains the current session key $KS_i$, it is not easy for him to obtain the current values $u$ and $v$ from $KS_i$. Without knowing the random numbers $u$ and $v$, it is exceedingly difficult for an adversary to create the session key $KS_i$. Moreover, the nonces $u$ and $v$ are used only once. Hence, the improved scheme can provide forward security even if the current session key $KS_i$ has been compromised. Since $KS_i$ is used for one session only, it does not help the intruder to derive anything from past communications or future transactions.
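The mutual authentication (1), user anonymity (2) and forward security (7) arguments all rest on the semigroup property of the Chebyshev map, $T_u(T_v(x)) = T_v(T_u(x)) = T_{uv}(x)$. The following Python is an added example, not the thesis's own code: it computes the extended Chebyshev map modulo a prime, derives $x_i$, $V_i$, $CID_i$ and $KS_i$ as in Section 3.2.1, and shows that the server recovers $ID_i$ with $s$ while $CID_i$ changes every session. The small prime, SHA-256 standing in for $h(\cdot)$, and keeping $b_i$ on the card are assumptions of the example.

```python
# Added example, not from the thesis: the extended Chebyshev map T_n(x) mod p,
# the pseudonym CID_i = ID_i XOR KA_i and the session key KS_i of Section 3.2.1.
# The small prime P, SHA-256 as h(.) and storing b_i on the card are assumptions
# made here so the demonstration runs stand-alone.
import hashlib
import secrets

P = 2**61 - 1  # constructed toy modulus; a deployment uses a much larger prime

def chebyshev(n, x, p=P):
    """T_n(x) mod p in O(log n) via the matrix form of T_{k+1} = 2x*T_k - T_{k-1}."""
    def mul(a, b):
        return [[(a[0][0]*b[0][0] + a[0][1]*b[1][0]) % p,
                 (a[0][0]*b[0][1] + a[0][1]*b[1][1]) % p],
                [(a[1][0]*b[0][0] + a[1][1]*b[1][0]) % p,
                 (a[1][0]*b[0][1] + a[1][1]*b[1][1]) % p]]
    r, m = [[1, 0], [0, 1]], [[(2 * x) % p, p - 1], [1, 0]]
    while n:                      # r = M^n by square-and-multiply
        if n & 1:
            r = mul(r, m)
        m, n = mul(m, m), n >> 1
    return (r[1][0] * x + r[1][1]) % p   # M^n [T_1, T_0] = [T_{n+1}, T_n]

def h(*parts):
    """The scheme's one-way hash h(a || b), modelled as SHA-256 reduced mod P."""
    data = b"||".join(str(a).encode() for a in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def register(id_i, pw_i, d, s):
    """Registration: the user submits h(pw_i XOR b_i), never pw_i; the server
    derives x_i = h(ID_i || d) and issues a card holding V_i and T_s(x_i)."""
    b_i = secrets.randbelow(P)
    x_i = h(id_i, d)
    return {"V_i": x_i ^ h(pw_i ^ b_i), "Ts_xi": chebyshev(s, x_i), "b_i": b_i}

def login(card, id_i, pw_i, u):
    """User: recover x_i from the card, then KA_i = T_u(T_s(x_i)) masks ID_i."""
    x_i = card["V_i"] ^ h(pw_i ^ card["b_i"])
    return {"CID_i": id_i ^ chebyshev(u, card["Ts_xi"]), "Tu_xi": chebyshev(u, x_i)}

def server_recover_id(msg, s):
    """Server: T_s(T_u(x_i)) = T_u(T_s(x_i)) by the semigroup property, so
    ID_i = CID_i XOR KA_i; without s the pseudonym reveals nothing about ID_i."""
    return msg["CID_i"] ^ chebyshev(s, msg["Tu_xi"])

def session_keys(x_i, u, v):
    """KS_i computed on both sides: T_u(T_v(x_i)) by U_i, T_v(T_u(x_i)) by S."""
    return chebyshev(u, chebyshev(v, x_i)), chebyshev(v, chebyshev(u, x_i))
```

Two logins with different nonces $u$ yield different $CID_i$ for the same $ID_i$, which is exactly the unlinkability the anonymity argument relies on.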

Table 1. Comparisons of Security Analysis for two schemes

We use Chebyshev polynomials to achieve mutual authentication and establish the common session key. For the Chebyshev chaotic map [15, 18, 19], given $y$, it is very … No time-consuming modular exponentiation or scalar multiplication on elliptic curves is required in our authentication processes. Furthermore, the proposed method does not need to construct a public-key or symmetric-key cryptosystem in advance.

With regard to efficiency, we define the following notation to analyze the computational complexity. $E$ denotes the time for one symmetric encryption or decryption, $T$ denotes the time for one Chebyshev polynomial computation, and $H$ denotes the time for one execution of the adopted one-way hash function. Note that the times for computing modular addition and exclusive-or are ignored, since they are much smaller than $E$, $T$, and $H$.

We summarize the comparison of the proposed scheme with Guo and Chang's in Table 2. As shown in Table 2, in Guo and Chang's scheme [20], both the user and the server need to perform two hash function computations (2H), three Chebyshev polynomial computations (3T), and two symmetric encryption or decryption computations (2E) in the authentication phase. In our scheme, the computation time for each user to achieve mutual authentication is two hash function computations (2H) and three Chebyshev polynomial computations (3T). On the server side, the improved method needs three hash function computations (3H) and three Chebyshev polynomial computations (3T) to achieve mutual authentication. Therefore, the proposed scheme is more efficient than Guo and Chang's scheme.

Table 2. Comparisons of computation for two schemes

Schemes                                             Guo and Chang's    Our improved scheme
Computations for user to achieve authentication     2H + 3T + 2E       2H + 3T
Computations for server to achieve authentication   2H + 3T + 2E       3H + 3T
