
Password Authentication Schemes with Smart Cards*

Wen-Her Yang and Shiuh-Pyng Shieh

Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science, National Chiao Tung University, Hsinchu, Taiwan 30010.

In this paper, two password authentication schemes with smart cards are proposed. In the schemes, users can change their passwords freely, and the remote system does not need the directory of passwords or verification tables to authenticate users. Once the secure network environment is set up, authentication can be handled solely by the two parties involved. For a network without synchronized clocks, the proposed nonce-based authentication scheme is able to prevent malicious replay attacks.

Keywords: password authentication, smart card, ID-based scheme, clock synchronization.

1. Introduction

The rapid progress of networks facilitates more and more computers connecting together to exchange information and share system resources. Security is then an important issue for computer networks. There are two basic requirements for network security: secrecy and authentication. Secrecy protects sensitive data against eavesdropping and modification. Authentication prevents forgery and unauthorized network access. The common approach to provide authenticity is the use of passwords. Password authentication has been used for a long time, mainly because it is easy to implement and use.

In conventional password authentication schemes, each user has an identifier (ID) and a secret password (PW). If a user requests to enter a network system, he must enter his ID and PW to pass the system authentication. A possible verification approach is to directly store and maintain a directory of users' IDs and PWs in the network system. Upon receipt of a user's login request, the network system searches the password directory table to verify whether or not the submitted password matches the one stored in the table. If they match, the user is regarded as an authorized user and is permitted to enter the system. Otherwise, the login request is denied. Since the password is stored in plain-text form, this approach is clearly under the threat of revealing the password.

* This work was supported by the National Science Council, Taiwan under contract NSC86-NSPO(A)-PC-FA06-02.

There are many schemes [Evans74, Lennon81] proposed to resolve the password revealing problem. These schemes often hash the password with a one-way function and store the hash value, instead of the plain password, in the directory table. In this way, the secrecy of passwords can be ensured even if the contents of the directory table are disclosed. However, in these schemes, the system must protect the directory table against intruders' modification. Otherwise, the directory table may be replaced and users may be masqueraded. There are a number of authentication protocols [Kehne92, Kohl93, Neuman93, Otway87, Shieh96, Syverson93] which use a trusted third party to ensure authentication and security in an open network system. In these authentication protocols, secret information, such as secret keys, must be stored in a directory table on the authentication server. Therefore, the attacks on the directory table still exist in these authentication systems.


Recently some enhanced authentication schemes [Chang91, Chang93, Okamoto89, Shieh97, Tsujii78, Wang96] have been proposed to eliminate the drawback of using directory tables. These schemes all adopt the concept of the ID-based signature scheme [Shamir85] in conjunction with smart cards [Peyret90]. The ID-based schemes have the following advantages: (1) neither secret nor public keys need be exchanged, (2) the public key directory table is not needed, and (3) the assistance of a third party is not needed. The first ID-based signature scheme was proposed by Shamir [Shamir85]. He uses the well-known public-key encryption algorithm RSA [Rivest78] with smart cards to implement ID-based signatures. Shamir's ID-based scheme enables communicating parties to verify each other's signature without exchanging private or public keys.

In Shamir's ID-based scheme, the secret key corresponding to an ID is fixed, and cannot be changed. Thus, a user with an assigned ID cannot choose his secret key by himself. Since the concept of timestamps [Denning81] is not employed, the scheme is weak against the attack of replaying a previously intercepted signature. It is hence not suitable for user authentication in network systems. Chang and Wu's scheme [Chang91] has a similar problem. A user's password is generated by the password generation center, rather than by the user himself. However, users are used to choosing their own passwords. This approach is against users' habit and may not be accepted by many users. Furthermore, the scheme suffers from the threat of password leakage [Chang93].

Based on Elgamal's signature [Elgamal85] and Shamir's ID-based schemes, Wang and Chang include the concept of timestamps in an improved authentication scheme [Wang96]. In their scheme, however, replay attacks cannot be avoided completely and users' identities may be forged. A legitimate user can impersonate other users and pass the system authentication. That is because the information about user identities is not included in the verification procedure of their scheme. The remote system can only determine the validity of the authentication message, but cannot identify who really sent this message. Furthermore, since these schemes are all based on ID-based schemes, they share the problem that a user cannot change his password after registration. If a user's password is compromised, he can no longer use his current ID, but needs to apply for a new one. This makes the schemes inconvenient for users in a real network system. Since some weaknesses exist in these schemes, a more secure and practical authentication scheme for network systems is proposed in the following section.

In this paper, we propose two new password authentication schemes with smart cards. The proposed schemes can resolve the security problems in the above schemes [Chang91, Shamir85, Wang96]. Our method keeps the merits of ID-based schemes, but eliminates the weakness that users cannot change their passwords. In the new schemes, a user can freely choose and change his password at will. If his password is accidentally revealed, he can simply change it to another secure password without re-registering for a new ID. This paper is organized as follows. A new timestamp-based password authentication scheme is presented in section 2, which only needs one message for authentication. For networks in which clocks cannot be easily synchronized, we propose a nonce-based password authentication scheme in section 3. The security of our schemes is analyzed in section 4. Finally, a conclusion is given in section 5.

2. Timestamp-Based Password Authentication Scheme

In the proposed scheme, we assume the existence of a trusted key information center in the network to issue personalized smart cards to users when joining the system. The proposed timestamp-based password authentication scheme can be divided into three phases. In the registration phase, the key information center sets up the authentication system and issues smart cards to the users who request registration. In the login phase, a user attaches his smart card to a terminal and keys in his identifier (ID) and password (PW). Then the terminal sends a login request message to the remote host. In the verification phase, the remote host verifies the correctness of the submitted message and determines whether the login request should be accepted or not.

Registration Phase

The key information center is not responsible for authenticating users, but for generating key information, issuing smart cards to new users and serving password-changing requests for registered users. Let U_i denote the ith user who submits his identifier ID_i and chosen password PW_i to the key information center to request registration. Here, PW_i must be sent over a secure channel. Upon receipt of the request, the key information center will perform the following steps:

1. Generate two large prime numbers p and q, and let n = p·q. For security reasons, the length of p and q is recommended to be 512 bits at least.

2. Choose a prime number e and an integer d which satisfy

$$e \cdot d \bmod ((p-1)\cdot(q-1)) = 1. \qquad (1)$$

Here e is the public key of the key information center that should be published, and d is the secret key that must be kept private.

3. Find an integer g which is a primitive element in both GF(p) and GF(q), where g is the system's public information.

4. Calculate the user's secret information S_i as

$$S_i = ID_i^{\,d} \pmod n. \qquad (2)$$

According to the encryption algorithm RSA [Rivest78], the following equation would be obtained:

$$ID_i = S_i^{\,e} \pmod n. \qquad (3)$$

Even if one knows ID_i, e, and n, it is hard to crack S_i without the knowledge of d. This is a discrete logarithm problem [Adleman79]. The integer d can be evaluated only when n is factorized into p and q, which is very difficult because the length of n is 1024 bits.

5. Generate the smart card's identifier CID_i of U_i and compute h_i by

$$h_i = g^{\,PW_i \cdot d} \pmod n. \qquad (4)$$

Here CID_i is for validating the legality of smart cards in the verification phase.

6. Write n, e, g, ID_i, CID_i, S_i and h_i to the memory of the smart card and issue the card to U_i.

Once the authentication system is set up, the key information center is not needed except when new users request to join, or registered users request to change passwords. The integer pair p and q will not be used any more and should be thrown away secretly. When a new user requests to join, the center repeats steps 4 through 6. The procedure of the registration phase is shown in Figure 1.

1. U_i -> KIC : ID_i, PW_i
2. KIC -> U_i : a smart card containing { ID_i, CID_i, n, e, g, S_i, h_i }

Figure 1. Registration Phase

Login Phase

When U_i wishes to log in to a remote host, he must insert the smart card into a card reader and enter his identity ID_i' and password PW_i'. If ID_i' is identical to the ID_i which is kept in the memory of the smart card, the smart card will perform the following steps:

1. Generate a random number r_i and calculate the following two integers:

$$X_i = g^{\,r_i \cdot PW_i'} \pmod n \qquad (5)$$

$$Y_i = S_i \cdot h_i^{\,r_i \cdot f(CID_i, T)} \pmod n \qquad (6)$$

where T is the current time used as a timestamp and f(x, y) is a one-way function. A one-way function is relatively easy to compute but significantly harder to undo or reverse. That is, given (x, y) it is easy to compute f(x, y), but given f(x, y) it is very difficult to compute x, y.

2. Send a login request message M containing ID_i, CID_i, X_i, Y_i, n, e, g and T to the remote host.

In Figure 2, the transaction of the login phase is depicted.

1. U_i -> host : M = { ID_i, CID_i, X_i, Y_i, n, e, g, T }
   X_i = g^{r_i · PW_i'} (mod n)
   Y_i = S_i · h_i^{r_i · f(CID_i, T)} (mod n)

Figure 2. Log-in Phase

Verification Phase

The verification phase is executed by the remote host to determine whether U_i is allowed to log in or not. Let T' be the time when the remote host receives the message M. Upon receipt of message M, the remote host will perform the following steps to verify the correctness of M.

1. Verify that ID_i is a valid user identity and CID_i is a legal smart card identity. If not, the login request is rejected.

2. Compare T with T'; if the difference between T and T' is longer than the valid period, M is considered an invalid message and the host computer will reject the login request. According to different network environments, the length of the valid period can be adjusted.

3. Check whether the following equation holds:

$$Y_i^{\,e} = ID_i \cdot X_i^{\,f(CID_i, T)} \pmod n. \qquad (7)$$

The equation will hold when the password PW_i', keyed in by U_i, matches PW_i registered in the key information center. That is because

$$Y_i^{\,e} = S_i^{\,e} \cdot h_i^{\,e \cdot r_i \cdot f(CID_i, T)} = ID_i^{\,(e \cdot d)} \cdot g^{\,(e \cdot d) \cdot r_i \cdot PW_i \cdot f(CID_i, T)} = ID_i \cdot g^{\,r_i \cdot PW_i \cdot f(CID_i, T)} \pmod n \qquad (8)$$

and

$$ID_i \cdot X_i^{\,f(CID_i, T)} = ID_i \cdot g^{\,r_i \cdot PW_i' \cdot f(CID_i, T)} \pmod n. \qquad (9)$$

If the equation holds, the remote host believes that the message M was sent by U_i, and the password PW_i' matches PW_i. Therefore, U_i is allowed to log in to the remote host; otherwise the login request is rejected.

Compared to other schemes, our authentication scheme allows users to freely change their passwords at will. If a user U_i wants to change his password, he can submit his smart card and newly chosen password PW_i* to the key information center over a secure channel. The center will compute the new h_i' as

$$h_i' = g^{\,PW_i^{*} \cdot d} \pmod n \qquad (10)$$

and write it into U_i's smart card to replace the original h_i. After getting the updated smart card, U_i is able to use the new password PW_i* to log in to the network system.

The proposed password authentication scheme can withstand the problems that have appeared in other schemes [Chang91, Shamir85, Wang96]. With the timestamp T, the attack of replaying previously intercepted messages is avoided. However, note that if system clocks are not well synchronized, and transmission delay is long and unpredictable in a network environment (e.g., a wide area network) [Gong92], a potential replay attack exists in all schemes that employ the concept of timestamps. In the next section, we propose a nonce-based authentication scheme to protect users against this attack in such a network environment.

3. Nonce-Based Password Authentication Scheme

The nonce-based password authentication scheme is an extended version of the timestamp-based scheme. In the nonce-based scheme, the timestamp T is replaced with a nonce N to withstand the replay attack. The nonce-based scheme consists of three phases. The registration phase is the same as in the timestamp-based scheme described in the previous section, hence the description of that phase is skipped. The login phase and verification phase are described as follows respectively.

Login Phase

In order to log in to a remote host, U_i inserts his smart card into a terminal and enters his identity ID_i and password PW_i'. If ID_i matches the one kept in the memory of the smart card, the following steps will be performed.

1. The smart card sends an initial message M_1 = { ID_i, CID_i } to request a login session.

2. Upon receipt of the message M_1, the remote host verifies the validity of ID_i and CID_i. If either of these two is not valid, the login request is rejected and the connection will be closed. Otherwise, the remote host reserves ID_i and CID_i for the verification phase, and then evaluates a session nonce N = f(CID_i, r_j) and sends it back to the smart card. Here, r_j is a random number and f(x, y) is a one-way hash function. The session nonce N will be kept for future use.

3. Upon receipt of the session nonce N, the smart card generates another random number r_i and calculates the following two integers:

$$X_i = g^{\,r_i \cdot PW_i'} \pmod n \qquad (11)$$

$$Y_i = S_i \cdot h_i^{\,r_i \cdot N} \pmod n \qquad (12)$$

4. The smart card sends an authentication message M_2 containing X_i, Y_i, n, e and g to the remote host.

In the nonce-based scheme, three message transmissions are required to complete the login phase. The transaction of the new login phase is depicted in Figure 3.

1. U_i -> host : M_1 = { ID_i, CID_i }
2. host -> U_i : N = f(CID_i, r_j)
3. U_i -> host : M_2 = { X_i, Y_i, n, e, g }
   X_i = g^{r_i · PW_i'} (mod n)
   Y_i = S_i · h_i^{r_i · N} (mod n)

Figure 3. Log-in phase in the nonce-based scheme

Verification Phase

Upon receipt of message M_2, the remote host will do the following steps to decide whether U_i is permitted to log in or not.

1. Check whether the following equation holds:

$$Y_i^{\,e} = ID_i \cdot X_i^{\,N} \pmod n \qquad (13)$$

where ID_i and CID_i are derived from the smart card and N is the session nonce generated by the remote host in the login phase.

2. If the equation holds, the remote host believes that: (a) the authentication message M_2 was truly sent by U_i, (b) the password PW_i', keyed in by U_i, matches PW_i registered in the key information center, and (c) the session nonce N that the smart card used to evaluate Y_i is identical to the one the remote host generated. That is, message M_2 is fresh and is not a replay message.

Since M_2 is proved to be a legal and fresh authentication message, U_i is allowed to log in to the remote host. With the session nonce N, the nonce-based password authentication scheme can protect users against the replay attack even if the system clocks are not synchronized. In the next section, we analyze the security of the two proposed schemes.

4. Security Analysis and Discussions

The strength of our schemes can be demonstrated by the following security attacks. In the proposed timestamp-based scheme, if a forger wants to masquerade as U_i to pass the system authentication, he must find two integers x and y that satisfy the following equation:

$$y^{\,e} = ID_i \cdot x^{\,f(CID_i, T)} \pmod n. \qquad (14)$$

Although the forger can get a pair of integers (y^e, x^{f(CID_i, T)}) that make the equation hold, the pair (y, x) is unattainable because computing (y, x) from (y^e, x^{f(CID_i, T)}) is a discrete logarithm problem. In another case, assume that the smart card CID_i of U_i is exposed to an intruder, say U_j (j ≠ i). In this case, U_j cannot access the network systems since he does not have PW_i. One possible way for U_j to acquire PW_i is to crack h_i = g^{PW_i · d} (mod n). This is infeasible, because h_i is stored in the tamper-proof smart card and cannot be retrieved directly. Even if U_j can compromise h_i, PW_i remains secure because of the discrete logarithm problem. As to U_i, he can use the same ID_i to re-register a new smart card CID_i' with the key information center. From then on, the old smart card CID_i that U_j obtained is automatically disabled.

In the nonce-based scheme, the potential replay attack will not succeed. Consider the following scenario: an intruder eavesdropped on an old authentication message from a login session of U_i associated with a session nonce N. He may replay the old authentication message to request a new login session. Following the steps of the login phase, the intruder first sends M_1 = { ID_i, CID_i } to the remote host. Upon receipt of M_1, the remote host generates a new session nonce N' and replies with it to the intruder. Then the intruder replays the intercepted authentication message M_2 to the remote host. The login procedure will fail in the verification phase, because the verification equation does not hold, as follows:

$$Y_i^{\,e} = ID_i \cdot X_i^{\,N} \neq ID_i \cdot X_i^{\,N'} \pmod n. \qquad (15)$$

The authentication message M_2 that the intruder replayed is considered invalid. Consequently, the login request is rejected and the attack fails.

Exponential computation is considered to be very time-consuming. In our schemes, only two exponential computations are needed for the smart card to initialize a login session. This feature makes our schemes effective, since smart cards usually do not have powerful computation capability. It is noticeable that the remote host performs the verification of users without any prior knowledge, and all the elements used in the verification phase are generated or provided on the user's side. It means that the remote host does not need to register with the same key information center as the users. Therefore, our authentication schemes are suitable for cross-domain network applications, such as electronic commerce systems.
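The registration, login and verification phases of both schemes, together with the replay scenario of this section, as an added worked example that is not the paper's own code. It assumes toy primes p = 104723 and q = 104729, public exponent e = 17, and models the one-way function f(x, y) as SHA-256 reduced into [1, n-1]; identities, card identifiers and passwords are constructed integers.

```python
# Added worked example, not the paper's code: a toy run of the Yang-Shieh timestamp-based
# and nonce-based schemes.  Primes, e and the SHA-256 model of f(x, y) are assumptions.
import hashlib


def prime_factors(m):
    """Trial division; enough for the toy primes used here."""
    fs, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            fs.add(d)
            m //= d
        d += 1
    return fs | ({m} if m > 1 else set())


def is_primitive(g, p):
    """g is a primitive element of GF(p) iff g != 0 and g^((p-1)/q) != 1 for every prime q | p-1."""
    return g % p != 0 and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def f(x, y, n):
    """The paper's one-way function f(x, y), modelled here as SHA-256 reduced into [1, n-1]."""
    digest = hashlib.sha256(f"{x}|{y}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (n - 1)


def setup_center(p, q, e):
    """Registration steps 1-3: n = p.q, e.d = 1 mod (p-1)(q-1) (1), g primitive in GF(p) and GF(q)."""
    n = p * q
    g = next(c for c in range(2, n) if is_primitive(c, p) and is_primitive(c, q))
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "g": g}


def register(center, uid, cid, pw):
    """Registration steps 4-6: S_i = ID_i^d (2), h_i = g^(PW_i.d) (4); returns the card contents."""
    n, d = center["n"], center["d"]
    return {"n": n, "e": center["e"], "g": center["g"], "id": uid, "cid": cid,
            "s": pow(uid, d, n), "h": pow(center["g"], pw * d, n)}


def change_password(center, card, new_pw):
    """Password change: h_i' = g^(PW_i*.d) mod n (10) replaces h_i; ID_i and S_i are unchanged."""
    card["h"] = pow(center["g"], new_pw * center["d"], center["n"])


def card_login(card, pw_typed, tag, r):
    """Card side of the login phase; tag is f(CID_i, T) (timestamp scheme) or N (nonce scheme)."""
    n, g = card["n"], card["g"]
    x = pow(g, r * pw_typed, n)                      # X_i = g^(r_i.PW_i') mod n      (5)/(11)
    y = card["s"] * pow(card["h"], r * tag, n) % n   # Y_i = S_i.h_i^(r_i.tag) mod n   (6)/(12)
    return x, y


def host_verify(uid, x, y, n, e, tag):
    """Verification equation Y_i^e = ID_i.X_i^tag (mod n) (7)/(13); n and e arrive in the message."""
    return pow(y, e, n) == uid * pow(x, tag, n) % n


def timestamp_login(card, pw_typed, t_card, t_host, window, rng):
    """One message M = {ID, CID, X, Y, n, e, g, T}; the host checks clock skew first, then (7)."""
    x, y = card_login(card, pw_typed, f(card["cid"], t_card, card["n"]), rng.randrange(1, card["n"]))
    m = {"id": card["id"], "cid": card["cid"], "x": x, "y": y,
         "n": card["n"], "e": card["e"], "g": card["g"], "t": t_card}
    if abs(t_host - m["t"]) > window:                # verification step 2: stale T is rejected
        return False
    return host_verify(m["id"], m["x"], m["y"], m["n"], m["e"], f(m["cid"], m["t"], m["n"]))


def nonce_login(card, pw_typed, rng, replayed_m2=None):
    """M1 = {ID, CID}; host answers N = f(CID, r_j); card sends M2 = {X, Y, n, e, g}.
    replayed_m2, if given, is an old M2 resent in place of the card's answer (intruder replay)."""
    m1 = {"id": card["id"], "cid": card["cid"]}
    nonce = f(m1["cid"], rng.randrange(1, card["n"]), card["n"])   # host picks r_j, keeps N
    m2 = replayed_m2
    if m2 is None:
        x, y = card_login(card, pw_typed, nonce, rng.randrange(1, card["n"]))
        m2 = {"x": x, "y": y, "n": card["n"], "e": card["e"], "g": card["g"]}
    return host_verify(m1["id"], m2["x"], m2["y"], m2["n"], m2["e"], nonce), m2   # (13) with host's N
```

With the correct password, card_login followed by host_verify on the same tag reproduces equations (7) and (13); an old M_2 checked against a fresh nonce fails as in equation (15), and after change_password only the new password satisfies (7).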

5. Conclusions

In this paper, two practical password authentication schemes are proposed which are based on the concepts of ID-based schemes and smart cards. These schemes do not need the directory of passwords or verification tables to authenticate users. Their security is based on the difficulty of factoring a large number and the discrete logarithm problem. Once the secure network system is set up, the authentication can be handled solely by the two parties involved. Unlike in other ID-based authentication schemes, users are permitted to choose and change their passwords freely in the two proposed schemes.

The proposed timestamp-based scheme needs only one message for authentication, but requires synchronized clocks. The proposed nonce-based scheme is immune to the replay attack, but requires three authentication messages. In networks with tightly synchronized system clocks, such as local area networks, the timestamp-based scheme is advised. On the other hand, the nonce-based scheme is suitable for a large network where clock synchronization is difficult, such as wide area networks, mobile communication networks, and satellite communication networks.

References

[Adleman79] L. Adleman, "A subexponential algorithm for the discrete logarithm problem with applications to cryptography," in Proc. 20th IEEE Symp. Foundations of Computer Science, pp. 55-60, 1979.

[Chang91] C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEE Proceedings-E, Vol. 138, No. 3, pp. 165-168, 1991.

[Chang93] C. C. Chang and S. J. Hwang, "Using smart cards to authenticate remote passwords," Computers and Mathematics with Applications, Vol. 26, No. 7, pp. 19-27, 1993.

[Denning81] D. E. Denning and G. M. Sacco, "Timestamps in key distribution protocols," Communications of the ACM, Vol. 24, No. 8, pp. 533-536, 1981.

[Elgamal85] T. Elgamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, IT-31(4), pp. 469-472, 1985.

[Evans74] A. Evans Jr., W. Kantrowitz and E. Weiss, "A user authentication system not requiring secrecy in the computer," Communications of the ACM, Vol. 17, pp. 437-442, 1974.

[Gong92] L. Gong, "A security risk of depending on synchronized clocks," ACM Operating Systems Review, Vol. 26, No. 1, 1992.

[Kehne92] A. Kehne, J. Schonwalder and H. Langendorfer, "A nonce-based protocol for multiple authentication," ACM Operating Systems Review, Vol. 26, No. 4, pp. 84-89, Oct. 1992.

[Kohl93] J. Kohl and C. Neuman, "The Kerberos network authentication service (V5)," Internet RFC 1510, Sep. 1993.

[Lennon81] R. E. Lennon, S. M. Matyas and C. H. Meyer, "Cryptographic authentication of time-invariant quantities," IEEE Transactions on Communications, COM-29, No. 6, pp. 773-777, 1981.

[Neuman93] B. C. Neuman and S. G. Stubblebine, "A note on the use of timestamps as nonces," ACM Operating Systems Review, Vol. 27, No. 2, pp. 10-14, April 1993.

[Okamoto89] E. Okamoto and K. Tanaka, "Identity-based information security management system for personal computer networks," IEEE Journal on Selected Areas in Communications, Vol. 7, No. 2, pp. 290-294, Feb. 1989.

[Otway87] D. Otway and O. Rees, "Efficient and timely mutual authentication," ACM Operating Systems Review, Vol. 21, No. 1, pp. 8-10, Jan. 1987.

[Peyret90] P. Peyret, G. Lisimaque and T. Y. Chua, "Smart cards provide very high security and flexibility in subscribers management," IEEE Transactions on Consumer Electronics, Vol. 36, No. 3, pp. 744-752, 1990.

[Rivest78] R. L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, Vol. 21, No. 2, pp. 120-126, 1978.

[Shamir85] A. Shamir, "Identity-based cryptosystems and signature schemes," Proceedings CRYPTO'84, pp. 47-53, Springer, Berlin, 1985.

[Shieh96] S. P. Shieh and W. H. Yang, "An authentication and key distribution system for open network system," ACM Operating Systems Review, Vol. 30, No. 2, pp. 32-41, 1996.

[Shieh97] S. P. Shieh, W. H. Yang and H. M. Sun, "An authentication protocol without trusted third party," IEEE Communications Letters, Vol. 1, No. 3, May 1997.

[Syverson93] P. Syverson, "On key distribution protocols for repeated authentication," ACM Operating Systems Review, Vol. 27, No. 4, pp. 24-30, 1993.

[Tsujii78] S. Tsujii, T. Itoh and K. Kurosawa, "ID-based cryptosystem using discrete logarithm problem," Electronics Letters, Vol. 23, pp. 1318-1320, Nov. 1978.

[Wang96] S. J. Wang and J. F. Chang, "Smart card based secure password authentication scheme," Computers and Security, Vol. 15, No. 3, pp. 231-237, 1996.
