Weaknesses of a Multi-Server Password Authenticated

2005 National Computer Symposium

... its pros and cons. However, all these schemes are designed for the single-server architecture. If there are multiple servers to access, the user has to register with each server individually and possibly has to remember different identifications and passwords for accessing different servers.

In 2001, Li, Lin, and Hwang [14] described a verifier-free password authentication scheme for the multi-server architecture using neural networks. Their scheme has the merit that the user does not need to register with each server individually. However, Li-Lin-Hwang's scheme is inefficient for large-scale environments because it spends too much time training neural networks. In 2003, Lin, Hwang, and Li [12] proposed an efficient verifier-free password authentication scheme using smart cards for the multi-server architecture based on the geometric property of the Euclidean plane, and claimed that their scheme is secure against the replay attack, the forgery attack, the guessing attack, and the modification attack. In addition, the user can freely choose and change the password. However, Lin-Hwang-Li's scheme does not provide mutual authentication and session key agreement, and thus its application is restricted.

Recently, Juang [9] proposed an efficient password authenticated key agreement scheme using smart cards for the multi-server architecture. The merits of Juang's scheme are: (1) the user only has to register with the registration center once and can access all the servers within the system; (2) no verification table or password table is stored in the server; (3) the user can freely choose the password; (4) the computation and communication cost is low; (5) the user and the server can authenticate each other; (6) a session key is established between the user and the server for each session; and (7) system clock synchronization is not required. Unfortunately, we find that Juang's scheme is vulnerable to a privileged insider's attack and is not reparable [6]. Additionally, Juang's scheme does not provide forward secrecy [4]. In this paper, we describe the weaknesses of Juang's scheme.

Table 1. Notations of Juang's scheme

Notation      Description
RC            the registration center
Ui            the user i
Sj            the server j
UIDi          the unique identification of Ui
SIDj          the unique identification of Sj
PWi           the password of Ui
x             the secret key secretly selected and kept by RC
Ek( )         the encryption function of a symmetric cryptosystem with secret key k
Dk( )         the decryption function corresponding to Ek( )
h( )          a secure one-way hash function
⊕             the bitwise exclusive-or operation
║             the string concatenation operator
'A → B : m'   A sends m to B through a common communication channel

2. Review of Juang's Scheme

In the multi-server architecture of Juang's scheme [9], there are three kinds of participants: users, servers, and a registration center. The user only has to register with the registration center once and can then obtain services from a set of servers, i.e., the user does not need to register with each of these servers individually. The registration center is responsible for setting up several public/secret parameters and publishing some system information. The notations used throughout this paper are summarized in Table 1.

Initially, for each server, say Sj, RC computes wj = h(x, SIDj) and then sends wj to Sj through a secure channel. The secret key wj is securely shared between RC and Sj. The scheme involves the registration phase, the login and session key agreement phase, and the shared key inquiry phase, which are described in the following.

Registration Phase

This phase is invoked when Ui requests to register with RC.

Step R1. Ui submits UIDi and PWi to RC for registration.

Step R2. RC computes vi = h(x, UIDi) and i = vi ⊕ PWi.

Step R3. RC delivers a smart card containing UIDi and i to Ui through a secure channel.

Step R4. For each server, say Sj, RC computes vi,j = h(vi, SIDj) and ai,j = Ewj(vi,j, UIDi), and sends ai,j to Sj. Then, Sj can choose either to store ai,j in his encrypted keys table or to ignore it, according to whether or not he maintains an encrypted keys table.

Login and Session Key Agreement Phase

This phase is invoked whenever Ui requests to log in to Sj.

Step L1. Ui inserts his smart card into the smart card reader of a terminal, and then enters UIDi and PWi into his smart card. Next, Ui's smart card generates two random values ru and N1, where ru is used for generating the session key and N1 is used as Ui's nonce, and then computes vi = i ⊕ PWi, vi,j = h(vi, SIDj), and c1 = Evi,j(ru, h(UIDi║N1)).

Step L2. Ui → Sj : N1, UIDi, c1.

Step L3. If Sj does not maintain an encrypted keys table, the shared key inquiry phase is invoked. Otherwise, Sj retrieves ai,j = Ewj(vi,j, UIDi) from his encrypted keys table and computes Dwj(ai,j) to derive vi,j and UIDi. Then, Sj uses vi,j to compute Dvi,j(c1), which yields ru and h(UIDi║N1). In addition, Sj uses UIDi and N1 to compute h(UIDi║N1). If the computed h(UIDi║N1) equals the decrypted one and N1 is fresh, Sj generates two random values rs and N2, where rs is used for generating the session key and N2 is used as Sj's nonce. Next, Sj computes sk = h(rs, ru, vi,j) and c2 = Evi,j(rs, N1+1, N2), where sk is used as the session key between Ui and Sj.

Step L4. Sj → Ui : c2.

Step L5. Ui's smart card computes Dvi,j(c2). If the second decrypted item equals the expected N1+1, Ui's smart card computes sk = h(rs, ru, vi,j) and c3 = Esk(N2+1).

Step L6. Ui → Sj : c3.

Step L7. Sj computes Dsk(c3), and if the decrypted item equals the expected N2+1, Sj successfully authenticates Ui. Then, Sj and Ui can use sk to secure subsequent messages exchanged in this session.

Shared Key Inquiry Phase

This phase is invoked at the beginning of Step L3 in the case that Sj does not maintain an encrypted keys table.

Step S1. Sj generates a random value N3, which is used as Sj's nonce, and then computes h(UIDi║SIDj║N3) and c4 = Ewj(h(UIDi║SIDj║N3)).

Step S2. Sj → RC : N3, UIDi, SIDj, c4.

Step S3. Upon receiving Sj's shared key inquiry message, RC computes Dwj(c4) to derive h(UIDi║SIDj║N3), and uses the received N3, UIDi, and SIDj to compute h(UIDi║SIDj║N3). If the computed h(UIDi║SIDj║N3) equals the decrypted one and N3 is fresh, RC computes vi,j = h(vi, SIDj) and c5 = Ewj(vi,j, N3+1).

Step S4. RC → Sj : c5.

Step S5. Sj computes Dwj(c5) to derive vi,j and N3+1. If the second decrypted item equals the expected N3+1, Sj accepts vi,j. Next, Step L3 is resumed.

3. Weaknesses of Juang's Scheme

In this section, we show the weaknesses of Juang's scheme [9].

Poor Reparability

Although the tamper resistance of smart cards has been widely assumed in their applications, such an assumption may be problematic in practice. Many studies have demonstrated that the secrets stored in a smart card can be breached by monitoring the power consumption, e.g., [11], or by analyzing the leaked information, e.g., [15]. Suppose that the adversary has obtained the i stored in Ui's smart card and has also intercepted the message transmitted in Step L2, i.e., {N1, UIDi, c1}, during one of Ui's past logins. Then, the adversary can guess a candidate password PWi and compute, from the candidate, vi = i ⊕ PWi, vi,j = h(vi, SIDj), and {ru, h(UIDi║N1)} = Dvi,j(c1). Next, the adversary computes h(UIDi║N1) from the intercepted UIDi and N1 and compares the result to the decrypted h(UIDi║N1). If they are equal, the candidate vi,j equals Ui's real vi,j, which also implies that the candidate vi and PWi equal the real vi and PWi. Otherwise, the adversary tries another candidate password. After obtaining vi, the adversary can generate vi,k = h(vi, SIDk) for any k such that Sk is within the system, and then use vi,k to impersonate Ui to log in to Sk or to impersonate Sk to fool Ui. Additionally, the adversary can use vi,k to perform a man-in-the-middle attack by establishing parallel sessions with Ui and Sk, respectively. Unfortunately, the impersonation attack and man-in-the-middle attack described above cannot be stopped even if Ui has detected that vi has been compromised and then used a new password to re-register with RC. As the value of vi is unrelated to Ui's password and instead is determined only by Ui's identification UIDi and RC's permanent secret key x, RC cannot change vi for Ui unless UIDi or x is changed. However, since x is used in common for all users rather than specifically for Ui only, it is unreasonable and inefficient to change x in order to recover the security of Ui alone. In addition, it is also impractical to change UIDi, which is tied to Ui in most application systems. Hence, Juang's scheme is not reparable [6].

Vulnerability to Privileged Insider's Attack

In practice, it is likely that the user uses the same password to access several servers for his convenience. In Step R1 of the registration phase, Ui's password PWi is revealed to RC. Then, a privileged insider of RC may try to use PWi to impersonate Ui to access servers outside this system. If the targeted outside server adopts the normal password authentication scheme, it is possible that the privileged insider of RC can successfully impersonate Ui to log in to it by using PWi. Although it is also possible that all the privileged insiders of RC are trusted and that Ui does not use the same password to access several servers, the implementers and the users of the scheme should be aware of such a potential weakness. For this reason, in many password authentication schemes, e.g., [1], [8], [10], [13], [17], the user's password is not revealed to others, including the registration center and the servers.

Lack of Forward Secrecy

Suppose that vi,j, which is shared by Ui and Sj, has been compromised by the adversary. As previously described, the adversary can impersonate Ui to log in to Sj or impersonate Sj to fool Ui. Furthermore, we show that the adversary can derive the session key used in any previous session between Ui and Sj as follows. By using vi,j to decrypt c1 (= Evi,j(ru, h(UIDi║N1))), which was intercepted in Step L2 of any previous session, the adversary can obtain ru. Similarly, by using vi,j to decrypt c2 (= Evi,j(rs, N1+1, N2)), which was intercepted in Step L4 of the corresponding session, the adversary can obtain rs. Next, the adversary can compute the session key sk = h(ru, rs, vi,j), and then use sk to decrypt all the messages exchanged between Ui and Sj in the corresponding session. Therefore, Juang's scheme fails to provide forward secrecy [4]. Note that if the Diffie-Hellman key exchange scheme is employed in establishing the session key to achieve forward secrecy, the expected advantages of Juang's scheme over similar schemes with respect to computation overhead and implementation cost vanish.

4. Misleading Claims

Next, we address the misleading security-related claims made in Juang's scheme. In Step L3 of the login and session key agreement phase, it is claimed that Sj can verify the freshness of the N1 received in Step L2. However, since Sj has not recorded all the nonces received from Ui, he cannot judge whether N1 is fresh or not. Actually, after successfully verifying c1 (= Evi,j(ru, h(UIDi║N1))), Sj can only be assured that N1 is or was at some time sent by Ui. Similarly, the claim made in Step S3 that RC can verify the freshness of the N3 received in Step S2 is also inappropriate. It should be noted that these two wrong claims may be employed by the adversary to carry out some subtle attacks on the application systems.

5. Conclusion

Juang's verifier-free password authentication scheme using smart cards for the multi-server architecture is novel and interesting in that it additionally provides mutual authentication and key agreement. In comparison with similar schemes, the computation and communication cost of Juang's scheme is low. However, the security strength of Juang's scheme is not ideal. In this paper, we have demonstrated that Juang's scheme is vulnerable to a privileged insider's attack and is not reparable. Furthermore, Juang's scheme does not provide forward secrecy.

Acknowledgment

This work was partly supported by the National Science Council, R.O.C., under Grant NSC-93-2213E-030-017.

References

[1] H. Y. Chien, J. K. Jan, and Y. M. Tseng, "A modified remote login authentication scheme based on geometric approach," The Journal of Systems and Software, vol. 55, no. 3, pp. 287-290, Jan. 2001.
[2] H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, vol. 21, no. 4, pp. 372-375, Aug. 2002.
[3] C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEE Proceedings-E, vol. 138, no. 3, pp. 165-168, May 1991.
[4] W. Diffie, P. C. van Oorschot, and M. J. Wiener, "Authentication and authenticated key exchanges," Designs, Codes and Cryptography, vol. 2, no. 2, pp. 107-125, June 1992.
[5] T. Hwang, Y. Chen, and C. S. Laih, "Non-interactive password authentications without password tables," IEEE Region 10 Conference on Computer and Communication Systems, Hong Kong, pp. 429-431, Sept. 1990.
[6] T. Hwang and W. C. Ku, "Reparable key distribution protocols for Internet environments," IEEE Trans. Commun., vol. 43, no. 5, pp. 1947-1949, May 1995.
[7] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart card," IEEE Trans. Consumer Electron., vol. 46, no. 1, pp. 28-30, Feb. 2000.
[8] M. S. Hwang, C. C. Lee, and Y. L. Tang, "A simple remote user authentication scheme," Mathematical and Comput. Modelling, vol. 36, no. 1-2, pp. 103-107, July 2002.
[9] W. S. Juang, "Efficient multi-server password authenticated key agreement using smart cards," IEEE Trans. Consumer Electron., vol. 50, no. 1, pp. 251-255, Feb. 2004.
[10] W. C. Ku and S. M. Chen, "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 50, no. 1, pp. 204-207, Feb. 2004.
[11] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," Proc. Advances in Cryptology (CRYPTO'99), pp. 388-397, 1999.
[12] I. C. Lin, M. S. Hwang, and L. H. Li, "A new remote user authentication scheme for multi-server architecture," Future Generation Comput. Systems, vol. 19, no. 1, pp. 13-22, Jan. 2003.
[13] C. C. Lee, M. S. Hwang, and W. P. Yang, "A flexible remote user authentication scheme using smart cards," ACM Operat. Syst. Rev., vol. 36, no. 3, pp. 46-52, July 2002.
[14] L. H. Li, I. C. Lin, and M. S. Hwang, "A remote password authentication scheme for multiserver architecture using neural networks," IEEE Trans. Neural Networks, vol. 12, no. 6, pp. 1498-1504, Nov. 2001.
[15] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Trans. Comput., vol. 51, no. 5, pp. 541-552, May 2002.
[16] H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 46, no. 4, pp. 958-961, Nov. 2000.
[17] T. C. Wu, "Remote login authentication scheme based on a geometric approach," Comput. Commun., vol. 18, no. 12, pp. 959-963, Dec. 1995.
[18] S. J. Wang and J. F. Chang, "Smart card based secure password authentication scheme," Computers & Security, vol. 15, no. 3, pp. 231-237, 1996.
[19] W. H. Yang and S. P. Shieh, "Password authentication schemes with smart cards," Computers & Security, vol. 18, no. 8, pp. 727-733, 1999.
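Added example (not code from the paper, nor from Juang's scheme [9]): an executable model of the registration, login and session key agreement, and shared key inquiry phases reviewed in Section 2, followed by the forward secrecy observation of Section 3. The symmetric cipher Ek/Dk is a constructed stand-in (SHA-256 keystream with an HMAC-SHA256 tag) so that decryption under a wrong key fails instead of returning garbage; the password is hashed to 32 bytes before the XOR so the lengths match; identities, passwords and server identifiers are constructed sample values. Everything runs offline with the Python standard library.

```python
# Added example, not code from the paper or from Juang's scheme: a model of the
# scheme reviewed in Section 2 plus the forward secrecy check of Section 3.
# E_k/D_k is a constructed stand-in cipher; identities and passwords are constructed.
import hashlib
import hmac
import json
import secrets

def h(*parts):
    """The scheme's one-way hash h(): SHA-256 over the '||'-concatenated parts."""
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()

def xor_hex(a, b):
    """Bitwise XOR of two equal-length hex strings (the scheme's ⊕)."""
    return bytes(x ^ y for x, y in zip(bytes.fromhex(a), bytes.fromhex(b))).hex()

def _keystream(k, iv, n):
    return b"".join(hashlib.sha256(bytes.fromhex(k) + iv + bytes([i])).digest()
                    for i in range(n // 32 + 1))

def E(k, *items):
    """E_k(items): constructed cipher, hex key k; returns iv || ct || tag."""
    iv, pt = secrets.token_bytes(16), json.dumps(list(items)).encode()
    ct = bytes(x ^ y for x, y in zip(pt, _keystream(k, iv, len(pt))))
    return iv + ct + hmac.new(bytes.fromhex(k), iv + ct, hashlib.sha256).digest()

def D(k, blob):
    """D_k(blob): check the tag, then decrypt; ValueError under a wrong key."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(bytes.fromhex(k), iv + ct, hashlib.sha256).digest()):
        raise ValueError("D_k: authentication failed (wrong key or tampered)")
    return json.loads(bytes(x ^ y for x, y in zip(ct, _keystream(k, iv, len(ct)))).decode())

def rc_register(x, uid, pw, server_ids):
    """Steps R1-R4 at RC: v_i = h(x, UID_i); the card holds v_i ⊕ h(PW_i)
    (PW_i hashed to 32 bytes first, a constructed detail); a_ij = E_wj(v_ij, UID_i)
    is produced for every server, with w_j = h(x, SID_j)."""
    vi = h(x, uid)
    card = {"UID": uid, "masked": xor_hex(vi, h(pw))}
    return card, {sid: E(h(x, sid), h(vi, sid), uid) for sid in server_ids}

def user_step_l1(card, pw, sid):
    """Step L1 on the smart card: recover v_i, derive v_ij, build c1."""
    vij = h(xor_hex(card["masked"], h(pw)), sid)
    ru, n1 = secrets.token_hex(16), secrets.randbits(64)
    c1 = E(vij, ru, h(card["UID"], n1))
    return {"vij": vij, "ru": ru, "n1": n1}, (n1, card["UID"], c1)  # Step L2 message

def shared_key_inquiry(x, wj, uid, sid):
    """Steps S1-S5: S_j asks RC for v_ij under w_j; RC checks c4 and answers c5."""
    n3 = secrets.randbits(64)
    c4 = E(wj, h(uid, sid, n3))                       # S1, S2: S_j -> RC
    if D(wj, c4)[0] != h(uid, sid, n3):               # S3 at RC
        raise ValueError("shared key inquiry rejected")
    c5 = E(wj, h(h(x, uid), sid), n3 + 1)             # S4: RC -> S_j
    vij, n3_plus_1 = D(wj, c5)                        # S5 at S_j
    if n3_plus_1 != n3 + 1:
        raise ValueError("c5 not bound to N3")
    return vij

def server_step_l3(server, msg, rc_secret=None):
    """Step L3 at S_j: obtain v_ij (keys table or inquiry), verify c1, build c2."""
    n1, uid, c1 = msg
    if uid in server["table"]:
        vij = D(server["wj"], server["table"][uid])[0]
    else:                                             # no encrypted keys table
        vij = shared_key_inquiry(rc_secret, server["wj"], uid, server["sid"])
    ru, tag = D(vij, c1)
    if tag != h(uid, n1):            # shows N1 came from U_i, not that it is fresh
        raise ValueError("c1 rejected")
    rs, n2 = secrets.token_hex(16), secrets.randbits(64)
    sk = h(rs, ru, vij)
    return {"sk": sk, "n2": n2}, E(vij, rs, n1 + 1, n2)   # c2 of Step L4

def user_step_l5(state, c2):
    """Step L5 on the smart card: check N1+1, derive sk, build c3."""
    rs, n1_plus_1, n2 = D(state["vij"], c2)
    if n1_plus_1 != state["n1"] + 1:
        raise ValueError("c2 rejected")
    sk = h(rs, state["ru"], state["vij"])
    return sk, E(sk, n2 + 1)                              # c3 of Step L6

def server_step_l7(state, c3):
    """Step L7 at S_j: check N2+1 under sk; U_i is then authenticated."""
    if D(state["sk"], c3)[0] != state["n2"] + 1:
        raise ValueError("c3 rejected")
    return state["sk"]

def run_session(server, card, pw, rc_secret=None):
    """One complete login; returns (sk at U_i, sk at S_j, c1, c2)."""
    st_u, msg = user_step_l1(card, pw, server["sid"])
    st_s, c2 = server_step_l3(server, msg, rc_secret)
    sk_u, c3 = user_step_l5(st_u, c2)
    return sk_u, server_step_l7(st_s, c3), msg[2], c2

def recover_past_session_key(vij, c1, c2):
    """Section 3, Lack of Forward Secrecy: a later-compromised long-term v_ij plus
    the recorded c1 and c2 of an old session yield that session's sk."""
    return h(D(vij, c2)[0], D(vij, c1)[0], vij)   # h(rs, ru, v_ij)

if __name__ == "__main__":
    x = h("constructed RC master secret")
    card, a_ij = rc_register(x, "alice", "correct horse", ["S1", "S2"])
    s1 = {"sid": "S1", "wj": h(x, "S1"), "table": {"alice": a_ij["S1"]}}  # keeps a table
    s2 = {"sid": "S2", "wj": h(x, "S2"), "table": {}}                        # uses inquiry
    for srv in (s1, s2):
        sk_u, sk_s, c1, c2 = run_session(srv, card, "correct horse", rc_secret=x)
        print(srv["sid"], "agreed" if sk_u == sk_s else "mismatch",
              "| old sk recovered from v_ij:",
              recover_past_session_key(h(h(x, "alice"), srv["sid"]), c1, c2) == sk_u)
```

The model keeps the structure the paper describes: S1 serves the login from its encrypted keys table, S2 has no table and goes through Steps S1 to S5, and in both cases the session key is h(rs, ru, vi,j) on both sides. Because vi,j is a long-term value and c1, c2 carry ru and rs under it, anyone holding vi,j and a recorded transcript recomputes sk, which is the forward secrecy failure of Section 3. Re-running rc_register for the same UIDi with a different password produces the same vi (and therefore the same vi,j), which is the reparability point: the password only masks the card contents and never enters vi.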
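Added example (not from the paper) for the claim discussed in Section 4: what the check in Step L3 (and likewise Step S3) actually establishes, and what a real freshness decision additionally needs. Verifying the decrypted h(UIDi║N1) against the received UIDi and N1 shows that N1 was at some time sent by Ui; deciding that it is fresh requires a record of nonces already accepted, which the reviewed scheme does not keep. The Verifier class and the sample identities and nonce values are constructed for this illustration.

```python
# Added example, not from the paper: the integrity check of Step L3 / Step S3
# versus the per-peer nonce record that a freshness check requires.
import hashlib

def h(*parts):
    """The scheme's h(): SHA-256 over the '||'-concatenated parts."""
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()

class Verifier:
    """The party that sees (nonce, tag) after decryption: S_j seeing h(UID_i||N_1)
    in Step L3, or RC seeing h(UID_i||SID_j||N_3) in Step S3. keep_record=False is
    the scheme as reviewed; keep_record=True adds the nonce record (constructed)."""
    def __init__(self, keep_record):
        self.keep_record = keep_record
        self.seen = {}                     # peer -> set of nonces accepted so far

    def accept(self, peer, nonce, tag, *context):
        # Integrity binding: the tag must match the received identities and nonce.
        if tag != h(peer, *context, nonce):
            return "rejected: tag mismatch"
        # Freshness: only decidable against a record of previously accepted nonces.
        if self.keep_record:
            record = self.seen.setdefault(peer, set())
            if nonce in record:
                return "rejected: replayed nonce"
            record.add(nonce)
        return "accepted"

def replay_outcome(keep_record):
    """Constructed scenario: U_i's genuine (N_1, tag) pair reaches S_j once, then
    the identical pair is delivered a second time. Returns the two verdicts."""
    sj = Verifier(keep_record)
    n1 = 123456789                         # constructed nonce value
    tag = h("alice", n1)                   # h(UID_i || N_1) as recovered from c1
    return sj.accept("alice", n1, tag), sj.accept("alice", n1, tag)

def inquiry_outcome(keep_record):
    """Same check at RC for Step S3, with the tag h(UID_i || SID_j || N_3)."""
    rc = Verifier(keep_record)
    n3 = 987654321                         # constructed nonce value
    tag = h("alice", "S1", n3)
    return rc.accept("alice", n3, tag, "S1"), rc.accept("alice", n3, tag, "S1")

if __name__ == "__main__":
    print("S_j without record:", replay_outcome(False))
    print("S_j with record:   ", replay_outcome(True))
    print("RC  without record:", inquiry_outcome(False))
    print("RC  with record:   ", inquiry_outcome(True))
```

Without a record both deliveries pass, because the tag check only ties N1 to Ui and says nothing about when it was sent; with a record the second delivery is rejected. A per-peer record grows without bound unless entries expire, which is the cost the paper's observation implies for any implementer who wants the freshness claim of Steps L3 and S3 to hold.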