Efficient User Authentication and Key Agreement With Privacy Protection

Academic year: 2021

Wen-Shenq Juang, Department of Information Management, Shih Hsin University, Taipei, Taiwan, 116, R.O.C. Email: [email protected]
Jing-Lin Wu, Department of Information Management, Shih Hsin University, Taipei, Taiwan, 116, R.O.C. Email: [email protected]

Abstract

Using smart cards, remote user authentication and key agreement can be made simple, flexible and efficient for creating a secure distributed computing environment. In addition to user authentication and key distribution, it is very useful to provide identity privacy for users. In this paper, we propose novel user authentication and key agreement schemes with privacy protection. We first propose a single-server scheme and then apply this scheme to a multi-server environment. The main merits include: (1) the privacy of users can be ensured; (2) a user can freely choose his own password; (3) the computation and communication cost is very low; (4) servers and users can authenticate each other; (5) it generates a session key agreed by the server and the user; (6) our proposed schemes are nonce-based schemes, which do not have a serious time-synchronization problem.

Keywords: User Authentication, Session Key, Privacy Protection, Smart Card, Network Security.

1. Introduction

To obtain permitted services from service providers in a network environment, the user must legally log in to the provider's server. In general, the user transmits a user authentication message to the server, and the server must then be able to verify the identity of the user and grant him the right to use the permitted services. Typically, the user passes a password as a secret token to the server. The server first checks whether the user's identity and the password match. The server rejects the user's request if his identity or the password does not match. If the password matches, the server grants the user the right to use the permitted services.

In 1981, Lamport [8] first proposed a password authentication scheme at both ends of the communication. Since then, many schemes have been proposed to point out its drawbacks and to improve the security and efficiency of Lamport's scheme [8]. Only passing a password for authentication between the user and the server is not enough, since it is less safe and is easily tapped by the adversary. Before two parties can communicate securely,

a session key is needed to protect subsequent communications [2, 6, 7, 19]. Also, using smart cards [6, 7, 19], remote user authentication and key agreement can be made simple, flexible and efficient for creating a secure distributed computing environment. It is also useful to provide identity privacy for the users [19]. In 2004, Juang proposed two efficient authentication and key agreement schemes [6, 7] for single-server and multi-server environments. But neither of Juang's schemes [6, 7] provides anonymity for the user. Yang et al. [19] proposed a user identification and key distribution scheme with the ability of privacy protection, but we point out that it is less efficient because it uses public-key cryptosystems. For basic security and efficiency requirements, the following criteria are important for remote user authentication and key agreement schemes with smart cards [6, 7, 19].

C1: Privacy protection: When the user authenticates successfully to the server, the adversary cannot derive the user's identity.
C2: Freely chosen password: Users can freely choose and change their passwords for protecting their smart cards.
C3: Low computation and communication cost: Because of the capacity and communication constraints of smart cards, they may not offer powerful computation capability and high bandwidth.
C4: Mutual authentication: Servers and users can authenticate each other.
C5: Session key agreement: Servers and users must negotiate a session key for subsequent communications.

In this paper, we propose two efficient user authentication and key agreement schemes with the ability of privacy protection. One is only for a single-server environment and the other is suitable for a multi-server environment. Comparing our proposed multi-server scheme with Yang et al.'s scheme [19], our scheme is more efficient since it only uses symmetric cryptosystems and hash functions. Our proposed schemes satisfy all five criteria above. In addition, Yang et al.'s scheme [19] has a serious time-synchronization problem, since their scheme is timestamp-based. Our proposed schemes do not have this problem at all since they are based on nonces.

The remainder of this paper is organized as follows: In Section 2, a brief review of related user authentication and key agreement schemes is given. In Section 3, we present our single-server scheme with privacy protection. In Section 4, a multi-server scheme with privacy protection is given. In Section 5, we make a discussion. Finally, a concluding remark is given in Section 6.

2. Review

2.1. Notation

We first define the notation used in this paper. Let "X → Y : Z" denote that a sender X sends a message Z to a receiver Y, E_k(m) denote the ciphertext of m encrypted using the secret key k of some secure symmetric cryptosystem [13], D_k(c) denote the plaintext of c decrypted using the secret key k of the corresponding symmetric cryptosystem [13], "||" denote the conventional string concatenation operator and ⊕ denote the bitwise exclusive-or operator. Let h be a public one-way function [14].

2.2. Juang's single server authentication scheme

In [6], Juang proposed a user authentication and key agreement scheme using smart cards with much less computational cost

and more functionality. The major drawbacks of this scheme are that it does not provide user anonymity and it is not suitable for multi-server environments.

Let S denote the server and U_i denote user i. Also, let x be the secret key kept secretly by the server S. Let ID_i be a unique identification of U_i. The scheme is as follows.

Registration Phase: Assume U_i submits his identity ID_i and his password PW_i to the server for registration. If the server accepts this request, he will perform the following steps:
Step 1: Compute U_i's secret information v_i = h(ID_i, x) and w_i = v_i ⊕ PW_i.
Step 2: Store ID_i and w_i in the memory of a smart card and issue this smart card to U_i.

Login and Session Key Agreement Phase: After getting the smart card from the server, U_i can use it when he logs in to the server. If U_i wants to log in to S, he must attach his smart card to a card reader. He then inputs his identity ID_i and his password PW_i to this device. Assume that N_1 is a nonce chosen by U_i and N_2 is a nonce chosen by S for freshness checking. Assume that ru_i is a random number chosen by U_i and rs_i is a random number chosen by S for generating the session key k_i = h(rs_i, ru_i, v_i). The following protocol is the ith login with respect to this smart card.
Step 1: U_i → S : N_1, ID_i, E_{v_i}(ru_i, h(ID_i || N_1))
Step 2: S → U_i : E_{v_i}(rs_i, N_1 + 1, N_2)
Step 3: U_i → S : E_{k_i}(N_2 + 1)

2.3. Juang's multi-server authentication scheme

In [7], Juang proposed a user authentication and key agreement scheme using smart cards for multi-server environments with much less computational cost and more functionality. The major drawback of this scheme is that it does not provide user anonymity.

There are three kinds of participants in this scheme: users, servers and a registration centre. In this scheme, the registration centre is assumed to be trusted. The registration centre examines the validity of login users and then issues a smart card to eligible users. The user only has to register at the registration centre once and can then use services provided by various servers. Let RC denote the registration centre, S_j denote server j, and U_i denote user i. Let UID_i be a unique identification of U_i and SID_j be a unique identification of S_j. Also, let x be the secret key kept secretly by RC, and w_j = h(x, SID_j) be the secret key shared by S_j and RC. The shared secret key w_j can be computed by RC and sent to S_j after it registers at RC. The scheme is as follows.

Registration Phase: U_i submits his identity UID_i and his password PW_i to RC for registration. RC then performs the following steps:
Step 1: Compute U_i's secret information v_i = h(x, UID_i) and μ_i = v_i ⊕ PW_i.
Step 2: Store UID_i and μ_i in the memory of a smart card and issue this smart card to U_i.
Step 3: Compute the shared secret key v_{i,j} = h(v_i, SID_j) between U_i and S_j, and send the encrypted secret key E_{w_j}(v_{i,j}, UID_i) to each S_j. Upon receiving E_{w_j}(v_{i,j}, UID_i), S_j stores it in his encrypted keys table.

Login and Session Key Agreement Phase: After getting the smart card from RC, U_i can use it to log in to S_j. Assume that N_1 is a nonce chosen by U_i and N_2 is a nonce chosen by S_j for freshness checking. Assume that ru_k is a random number chosen by U_i and rs_k is a random number chosen by S_j for generating the session key

sk_k = h(rs_k, ru_k, v_{i,j}). The following protocol is the kth login with respect to his smart card.
Step 1: U_i → S_j : N_1, UID_i, E_{v_{i,j}}(ru_k, h(UID_i || N_1))
Step 2: S_j → U_i : E_{v_{i,j}}(rs_k, N_1 + 1, N_2)
Step 3: U_i → S_j : E_{sk_k}(N_2 + 1)

Shared Key Inquiry Phase: In Step 3 of the registration phase, RC sends the encrypted shared secret key E_{w_j}(v_{i,j}, UID_i) to each S_j. Upon receiving the message, S_j stores it in his encrypted shared key table. If he does not want to maintain this table, the shared key can be inquired from RC when it is needed. The following protocol can be inserted between Step 1 and Step 2 of the login and session key agreement phase when S_j needs the shared key.
Step 1': S_j → RC : N_3, UID_i, SID_j, E_{w_j}(h(UID_i || SID_j || N_3))
Step 1'': RC → S_j : E_{w_j}(v_{i,j}, N_3 + 1)

2.4. Yang et al.'s user authentication and key distribution scheme

Yang et al. proposed a user authentication and key distribution scheme with user anonymity [19] based on factoring, discrete logarithms and hash functions. The major drawbacks of this scheme are that it has a time-synchronization problem, and that the computation and communication cost is still high.

There are three kinds of participants in this scheme: a Smart Card Producing Center (SCPC), service providers (servers) and users. Let U_i denote user i and P_j denote service provider j. This scheme consists of two phases: (1) the key generation phase and (2) the anonymous user identification phase. Their scheme is as follows:

The key generation phase: The SCPC does the following to set up the system parameters.
1. Chooses two large primes p and q, computes n = pq, randomly selects a number e and computes d, where ed ≡ 1 mod φ(n) and φ(n) = (p − 1)(q − 1).
2. Chooses an element g ∈ Z_n^* which is a generator of both Z_p^* and Z_q^*.
3. Publishes (e, n, g) as public system parameters and keeps (d, p, q) secret.
4. Sends to each registered user U_i or service provider P_i a secret token S_i ≡ (ID_i)^d mod n, where ID_i is the identity of U_i or P_i.

The anonymous user identification phase: If U_i wants to request a service from P_j, they perform the following steps:
Step 1: U_i sends a service request to P_j.
Step 2: Upon receiving the request, P_j chooses a random number k, computes z ≡ g^k S_j^{-1} mod n and sends z to U_i.
Step 3: Upon receiving z, U_i chooses a random number t and computes
a = z^e ID_j mod n,
K_{ij} = a^t mod n,
x = g^{et} mod n,
s = g^t S_i^{h(x,T)} mod n,
y = E_{K_{ij}}(ID_i),
where T is the current timestamp and K_{ij} is the common session key. U_i then sends (x, s, y, T) to P_j.
Step 4: Upon receiving the message of Step 3, P_j checks the timestamp T. If it is old, he aborts the protocol. Otherwise, he obtains the common session key K_{ij} = x^k mod n, decrypts y as ID_i = D_{K_{ij}}(y) and verifies whether x ID_i^{h(x,T)} = s^e mod n. If the verification passes, the service request is granted.
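The key generation and anonymous user identification phases above, as an added Python simulation (not code from the paper or from Yang et al.): it carries constructed toy RSA parameters p = 61, q = 53, e = 17 (Section 4.3 assumes a 1024-bit n in practice) through Steps 1 to 4, checks that both sides obtain the same K_ij and that x ID_i^{h(x,T)} = s^e mod n holds, and shows the timestamp check and the verification rejecting a stale T or a tampered s. The hash h, the symmetric E_K/D_K and the base g are assumptions.

```python
import hashlib
import secrets
import time

# Constructed toy parameters (assumption): Section 4.3 assumes a 1024-bit n in practice.
p, q = 61, 53
n, phi = p * q, (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)       # e * d = 1 mod phi(n)
g = 3                     # toy base (assumption; the paper wants a generator of Z_p* and Z_q*)
MAX_AGE = 30              # seconds a timestamp T stays acceptable (assumption)


def h(*parts):
    """h(x, T): hash output used as an integer exponent (SHA-256, assumption)."""
    return int(hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest(), 16)


def E(K, m):
    """Toy E_K / D_K: XOR of the identity with a pad derived from K (assumption)."""
    return m ^ (h("pad", K) % n)


D = E  # the XOR pad is its own inverse


def issue_token(ID):
    """SCPC key generation step 4: secret token S_i = ID_i^d mod n."""
    return pow(ID, d, n)


def provider_step2(S_j, k=None):
    """P_j chooses k and sends z = g^k * S_j^{-1} mod n."""
    k = secrets.randbelow(n - 2) + 1 if k is None else k
    return k, pow(g, k, n) * pow(S_j, -1, n) % n


def user_step3(z, ID_i, ID_j, S_i, T, t=None):
    """U_i computes a, K_ij, x, s, y and sends (x, s, y, T)."""
    t = secrets.randbelow(n - 2) + 1 if t is None else t
    a = pow(z, e, n) * ID_j % n          # z^e * ID_j = g^{ke}: the S_j factor cancels
    K = pow(a, t, n)                     # K_ij = a^t = g^{ket}
    x = pow(g, e * t, n)                 # x = g^{et}
    s = pow(g, t, n) * pow(S_i, h(x, T), n) % n
    return K, (x, s, E(K, ID_i), T)


def provider_step4(k, msg, now):
    """P_j checks T, recovers K_ij and ID_i, and verifies x * ID_i^{h(x,T)} = s^e mod n."""
    x, s, y, T = msg
    if now - T > MAX_AGE:
        return None                      # stale timestamp: abort
    K = pow(x, k, n)                     # x^k = g^{etk} = K_ij
    ID_i = D(K, y)
    if x * pow(ID_i, h(x, T), n) % n != pow(s, e, n):
        return None                      # verification fails: reject the request
    return K, ID_i


def run(ID_i, S_i, ID_j, S_j, T=None, now=None):
    """One complete identification; True if P_j accepts and both sides hold the same K_ij."""
    T = int(time.time()) if T is None else T
    now = T if now is None else now
    k, z = provider_step2(S_j)
    K_user, msg = user_step3(z, ID_i, ID_j, S_i, T)
    return provider_step4(k, msg, now) == (K_user, ID_i)
```

With this n the tokens can be recovered by factoring in milliseconds; the toy size only serves to check the equations.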

3. Single server authentication and key agreement with user anonymity

In this section, we propose an efficient single-server user authentication and key agreement scheme with privacy protection. The concept used in this section will be used in the next section to construct an efficient multi-server user authentication and key agreement scheme with privacy protection. Let ID_i be a unique identification of user i. Also, let x be the master secret key kept secretly by the server S.

3.1. The proposed scheme

The proposed scheme is as follows.

Registration Phase: Assume U_i submits his identity ID_i and his password PW_i to the server S for registration. If S accepts this request, he will perform the following steps:
Step 1: Compute U_i's secret information α_i = h(x, ID_i) and β_i = α_i ⊕ PW_i. Compute the pseudo identification number λ_{i,1} = h(α_i || ID_i || 1) and record (k = 1, λ_{i,1}, ID_i) in an identification table.
Step 2: Store ID_i, λ_{i,1}, k = 1 and β_i in the memory of a smart card and issue this smart card to U_i, or send them secretly to U_i.

User Authentication and Session Key Agreement Phase: If U_i wants to log in to S anonymously, he must attach his smart card to a card reader. He then inputs his identity ID_i and his password PW_i to this device. The following protocol is the kth login with respect to this smart card.
Step 1: U_i → S : N_1, λ_{i,k}, E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k}))
Step 2: S → U_i : N_2, E_{α_i}(rs_k, h(rs_k || N_1 || N_2))
Step 3: U_i → S : E_{sk_k}(N_2 + 1)

In step 1, U_i's smart card first computes α_i = β_i ⊕ PW_i and sends his pseudo identification λ_{i,k} = h(α_i || ID_i || k), a nonce N_1 and the encrypted message E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k})) to S. The encrypted message includes the kth random value ru_k, which is used for generating the kth session key sk_k, and the authentication tag h(N_1 || ru_k || λ_{i,k}), which is for verifying the identification of U_i.

Upon receiving the message of step 1, S first searches for the pseudo identification λ_{i,k} in the identification table to retrieve ID_i. He then computes α_i = h(x, ID_i), decrypts the message E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k})) and verifies whether the authentication tag h(N_1 || ru_k || λ_{i,k}) is valid. If it is valid, S sends a nonce N_2 and the encrypted message E_{α_i}(rs_k, h(rs_k || N_1 || N_2)) back to U_i. The encrypted message includes the random value rs_k chosen by S, which is used for generating the kth session key sk_k.

Upon receiving the message of step 2, U_i decrypts the message by computing D_{α_i}(E_{α_i}(rs_k, h(rs_k || N_1 || N_2))). He then checks whether the authentication tag h(rs_k || N_1 || N_2) is in it for freshness checking. If yes, U_i computes the next pseudo identification λ_{i,k+1} = h(α_i || ID_i || k + 1) and the kth session key sk_k = h(rs_k, ru_k, α_i), updates (λ_{i,k+1}, k + 1) and sends the encrypted message E_{sk_k}(N_2 + 1) back to S.

After receiving the message of step 3, S decrypts the message by computing D_{sk_k}(E_{sk_k}(N_2 + 1)) and checks whether the nonce N_2 + 1 is in it for freshness checking. He then computes λ_{i,k+1} = h(α_i || ID_i || k + 1) and updates (k + 1, λ_{i,k+1}, ID_i) in the identification table. Then U_i and S can use the session key sk_k for secure communication.

Table 1: Efficiency comparison between our single server scheme and other related scheme

      Our scheme       Juang's scheme [6]
D1    128 bits         128 bits
D2    384 bits         256 bits
D3    2 Hash           1 Hash
D4    6 Sym + 7 Hash   6 Sym + 3 Hash

D1: Password length
D2: Communication cost of authentication for cryptographic parameters
D3: Computation cost of registration
D4: Computation cost of authentication
Hash: Hashing operation
Exp: Exponential operation
Sym: Symmetric encryption or decryption

3.2. Security Analysis

(1) Identity protection: Compared with Juang's scheme [6], our proposed single-server scheme achieves identity privacy. The adversary cannot derive the user's identity ID_i or the secret key α_i from λ_{i,k} = h(α_i || ID_i || k). When the user wants to log in, he first inputs his correct password. If the password matches, the smart card computes α_i = h(x, ID_i) and sends the message N_1, λ_{i,k}, E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k})) to the server. The adversary cannot learn the user identity since this message does not include the plaintext of the user identity ID_i.

(2) Mutual authentication: The server and the user must authenticate each other. That means the server must verify the user's identity. Similarly, the user must also confirm whether the server is legal. The goal of mutual authentication is to create an agreed session key sk_k = h(rs_k, ru_k, α_i) between the user and the server [1, 6, 7]. Let A and B denote the user and the server, respectively. Let A ←sk_k→ B denote that the player A shares a session key sk_k with the player B. Thus, mutual authentication between the player A and the player B holds if there exists a session key sk_k, and A believes A ←sk_k→ B and B believes A ←sk_k→ B. A strong mutual authentication should include the statements: A believes B believes A ←sk_k→ B, and B believes A believes A ←sk_k→ B.

In step 1 of the user authentication and session key agreement phase, after B receives the message E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k})), he computes D_{α_i}(E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k}))) using the shared key α_i of A and B. Then B can check whether this message contains the authenticator h(N_1 || ru_k || λ_{i,k}). If yes, B chooses a random number rs_k and sends the message N_2, E_{α_i}(rs_k, h(rs_k || N_1 || N_2)) to A. B then computes the kth session key sk_k = h(ru_k, rs_k, α_i) and believes A ←sk_k→ B.

In step 2 of the user authentication and session key agreement phase, upon receiving the message N_2, E_{α_i}(rs_k, h(rs_k || N_1 || N_2)), A decrypts the message D_{α_i}(E_{α_i}(rs_k, h(rs_k || N_1 || N_2))) and confirms whether this message contains the authenticator h(rs_k || N_1 || N_2). If yes, A generates the session key sk_k = h(ru_k, rs_k, α_i) and believes A ←sk_k→ B. Since N_1 is chosen by A, A will believe B believes A ←sk_k→ B.

In step 3 of the user authentication and session key agreement phase, after B receives

E_{sk_k}(N_2 + 1), he decrypts this message E_{sk_k}(N_2 + 1) with the kth session key sk_k and gets N_2 + 1. Then B checks whether N_2, which was sent by him, is correct. If yes, B believes A believes A ←sk_k→ B.

(3) Session key agreement: The session key sk_k = h(ru_k, rs_k, α_i) is not known to anybody but S and U_i, since the random values ru_k, rs_k are encrypted by the secret key α_i.

(4) Withstanding attacks: We show that our scheme can resist the following attacks.

1. The man-in-the-middle attack [16]: Since either end of the communication can verify that the message was sent by the peer through the authenticators, the adversary has no way to forge a message, so this attack is prevented in our scheme.

2. The dictionary attack [2]: To compute the session key sk_k, the adversary must know ru_k, rs_k and α_i, where the entropy of ru_k, rs_k and α_i is very large. The shared key α_i is only kept by the user and the server, so the session key cannot be computed by the adversary.

3. The replay attack [17]: A replay attack simply replays a message to the user or the server. For instance, the user logs in to the server just once, but the adversary replays these authentication messages to the server to obtain the permission of extra logins. To avoid these kinds of attacks, our proposed scheme uses the nonces N_1, N_2 and N_2 + 1 to resist them.

4. The modification attack [18]: The modification attack is a disturbance attack. The purpose of this attack is that both the server and the user cannot communicate normally with each other. The server and the user consider that they have the same session key, but in fact they have different session keys. Our proposed scheme can also resist this attack. For the message N_1, λ_{i,k}, E_{α_i}(ru_k, h(N_1 || ru_k || λ_{i,k})) of step 1 of the user authentication and session key agreement phase, the adversary cannot add to or modify this message since the adversary does not have the shared key α_i. If the adversary modifies the message, the server will reject it since the authentication tag is invalid. On the other hand, the user has the same process to prevent this attack.

5. The stolen-verifier attack [3]: To achieve user anonymity, we use a pseudo identification λ_{i,k} = h(α_i || ID_i || k) to communicate with the server. Even if λ_{i,k} is known to the attacker, it is still difficult for the attacker to derive the user's real identification ID_i since the shared key α_i is protected by the secure one-way hash function h() and the entropy of α_i is very large.

6. The insider attack [11]: The weak password PW_i used in our scheme is only for protecting the corresponding smart card from being used by illegal users. If a user uses PW_i to access several servers for his convenience, an insider of the server cannot impersonate the user to access other servers if this server does not have the corresponding smart card. We can replace β_i = α_i ⊕ PW_i with α_i ⊕ h(b ⊕ PW_i) and use the checking method mentioned in [11] to protect the weak password from being known by the server. But this approach will require the user to remember the random number

b and input it after getting the smart card. The most important assumption for the server is that it keeps its master secret key x secret. If this master secret key x is compromised, then the whole system is insecure.

3.3. Performance considerations

We evaluate the efficiency of our scheme and Juang's scheme in Table 1. First, we assume that the block size of secure symmetric cryptosystems is 128 bits and that the output size of secure one-way hash functions is 128 bits. Because both our proposed single-server scheme and Juang's scheme are based on symmetric key cryptosystems, their performance is very good. In our scheme and in [6], a password length of only 128 bits is required. Our proposed scheme needs 384 bits for user authentication. In both our scheme and Juang's scheme [6], the computation cost of registration is only one hash operation. The computation costs are aggregated operation counts, including encryption operations, decryption operations and hash operations. The encryption and decryption operations may be of an asymmetric or a symmetric cryptosystem. In the login and session key agreement phase of our scheme, three symmetric key encryptions, three symmetric key decryptions and seven hash operations are required. In that of Juang's scheme [6], three symmetric key encryptions, three symmetric key decryptions and three hash operations are required. The computation cost of the login and session key agreement does not include the cost of generating the session key. Although our proposed scheme has slightly higher communication and computation cost than Juang's scheme [6], our scheme has more complete functionality. The functionality comparison between our proposed scheme and the related scheme is given in Table 2. Compared with Juang's scheme [6], our scheme completely satisfies the listed properties, but Juang's scheme [6] has no privacy protection since it transmits the user identity to the server for the initial authentication.

4. Multi-server authentication and key agreement with user anonymity

There are three kinds of participants in our multi-server protocol: a key distribution centre, service providers (servers) and users. Let KDC denote the trusted key distribution centre, U_i denote user i, and S_j denote service provider j. Let UID_i be a unique identification of U_i and SID_j be a unique identification of service provider j. Also, let x be the master secret key kept secretly by the key distribution centre KDC, and δ_j = h(x, SID_j) be the secret key sh
ared by S_j and KDC. The shared secret key δ_j can be computed by KDC and sent secretly to S_j after it registers at KDC.

4.1. The proposed scheme

The proposed scheme is as follows.

Registration Phase: Assume U_i submits his identity UID_i and his password PW_i to KDC for registration. If KDC accepts this request, it will perform the following steps:
Step 1: Compute U_i's secret information α_i = h(x, UID_i) and β_i = α_i ⊕ PW_i.
Step 2: Store UID_i and β_i in the memory of a smart card and issue this smart card to U_i, or send them secretly to U_i.

Shared Key Inquiring Phase: If U_i wants to use the services provided by S_j, he must inform S_j to query the shared key

Table 2: Functionality comparison between our single server scheme and other related scheme

      Our scheme   Juang's scheme [6]
C1    Yes          No
C2    Yes          Yes
C3    Very low     Very low
C4    Yes          Yes
C5    Yes          Yes
C6    Yes          Yes

C1: Privacy protection
C2: Freely chosen password
C3: Communication and computation cost
C4: Mutual authentication
C5: Session key agreement
C6: No serious time-synchronization problem

γ_{i,j} from KDC in advance. KDC computes γ_{i,j} = h(α_i ⊕ SID_j), where α_i is the key shared with U_i, and then sends γ_{i,j} to S_j. They perform the following steps:
Step 1: U_i → S_j : N_1, UID_i
Step 2: S_j → KDC : N_1, SID_j, E_{δ_j}(UID_i, h(UID_i || SID_j || N_1))
Step 3: KDC → S_j : E_{δ_j}(γ_{i,j}, h(UID_i || SID_j || N_1 || γ_{i,j}))
Step 4: S_j → U_i : E_{γ_{i,j}}(N_1 + 1)

In Step 1, U_i sends a nonce N_1 and his identification UID_i to S_j to ask S_j to query the shared key γ_{i,j} from KDC. Upon receiving the message of Step 1, S_j first checks whether U_i has logged in before. If not, he sends the nonce N_1, his identification SID_j and the encrypted message E_{δ_j}(UID_i, h(UID_i || SID_j || N_1)) to KDC. Upon receiving the message of Step 2, KDC decrypts the message E_{δ_j}(UID_i, h(UID_i || SID_j || N_1)) and checks whether the verification tag h(UID_i || SID_j || N_1) is valid and the nonce N_1 is fresh. To check the freshness of the nonce N_1, KDC can keep a table of recently used nonces. If yes, it sends the encrypted message E_{δ_j}(γ_{i,j}, h(UID_i || SID_j || N_1 || γ_{i,j})) back to S_j. Upon receiving the message of Step 3, S_j decrypts the message E_{δ_j}(γ_{i,j}, h(UID_i || SID_j || N_1 || γ_{i,j})) and checks whether the verification tag h(UID_i || SID_j || N_1 || γ_{i,j}) is valid. If yes, he records (UID_i, 1, λ_{i,j,1} = h(γ_{i,j} || UID_i || SID_j || 1), γ_{i,j}) in a key table and then sends the encrypted message E_{γ_{i,j}}(N_1 + 1) back to U_i. Upon receiving the message of Step 4, U_i decrypts the message E_{γ_{i,j}}(N_1 + 1) and checks whether N_1 + 1 is in it for freshness checking. If yes, the pseudo identification registration at S_j is finished.

User Authentication and Session Key Agreement Phase: If U_i wants to log in to S_j anonymously, he must attach his smart card to a card reader. He then inputs his identity UID_i and his password PW_i to this device. The following protocol is the kth login of U_i with respect to S_j.
Step 1: U_i → S_j : N_2, λ_{i,j,k}, E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k}))
Step 2: S_j → U_i : N_3, E_{γ_{i,j}}(rs_k, h(rs_k || N_2 || N_3))
Step 3: U_i → S_j : E_{sk_k}(N_3 + 1)

In step 1, U_i's smart card first computes α_i = β_i ⊕ PW_i and γ_{i,j} = h(α_i, SID_j) and sends his pseudo identification λ_{i,j,k}, a nonce N_2 and the encrypted message

E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k})) to S_j. The encrypted message includes the kth random value ru_k, which is used for generating the kth session key sk_k, and the authentication tag h(N_2 || ru_k || λ_{i,j,k}), which is for verifying the identification of U_i.

Upon receiving the message of step 1, S_j first searches for the pseudo identification λ_{i,j,k} in the key table. He then decrypts the message E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k})) and verifies whether the authentication tag h(N_2 || ru_k || λ_{i,j,k}) is valid using the shared key γ_{i,j} of the matched entries. If yes for some entry, the corresponding valid user identification UID_i is found. If it is valid and the nonce N_2 is fresh, S_j sends a nonce N_3 and the encrypted message E_{γ_{i,j}}(rs_k, h(rs_k || N_2 || N_3)) back to U_i. The encrypted message includes the random value rs_k chosen by S_j, which is used for generating the kth session key sk_k, and the nonce N_3, which is for freshness checking.

Upon receiving the message of step 2, U_i decrypts the message by computing D_{γ_{i,j}}(E_{γ_{i,j}}(rs_k, h(rs_k || N_2 || N_3))). He then checks whether the authentication tag h(rs_k || N_2 || N_3) is in it for freshness checking. If yes, U_i computes the next pseudo identification λ_{i,j,k+1} = h(γ_{i,j} || UID_i || SID_j || k + 1) and the kth session key sk_k = h(rs_k, ru_k, γ_{i,j}), records SID_j, λ_{i,j,k} in a table and sends the encrypted message E_{sk_k}(N_3 + 1) back to S_j.

After receiving the message of step 3, S_j decrypts the message by computing D_{sk_k}(E_{sk_k}(N_3 + 1)) and checks whether the nonce N_3 + 1 is in it for freshness checking. He then computes λ_{i,j,k+1} = h(γ_{i,j} || UID_i || SID_j || k + 1) and updates (UID_i, k + 1, λ_{i,j,k+1}, γ_{i,j}) in the key table. Then U_i and S_j can use the session key sk_k for secure communication.

4.2. Security Analysis

(1) Identity protection: Similarly, our proposed multi-server scheme offers user identity protection, so the adversary cannot learn the user identification. In the user authentication and session key agreement phase, the user first sends the message N_2, λ_{i,j,k}, E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k})) to the server. Because this message does not include the user identification UID_i, the adversary cannot learn the user identification.

(2) Mutual authentication: In step 1 of the user authentication and session key agreement phase, after S_j receives the message E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k})), S_j computes D_{γ_{i,j}}(E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k}))) using the shared key γ_{i,j} of U_i and S_j. Then S_j can check whether the authenticator h(N_2 || ru_k || λ_{i,j,k}) is valid. If yes, S_j chooses a random number rs_k, computes the kth session key sk_k = h(ru_k, rs_k, γ_{i,j}) and believes U_i ←sk_k→ S_j. In step 2 of the user authentication and session key agreement phase, upon receiving the message N_3, E_{γ_{i,j}}(rs_k, h(rs_k || N_2 || N_3)), U_i decrypts the message D_{γ_{i,j}}(E_{γ_{i,j}}(rs_k, h(rs_k || N_2 || N_3))) and confirms whether this message contains the authenticator h(rs_k || N_2 || N_3). If yes, U_i generates the session key sk_k = h(ru_k, rs_k, γ_{i,j}) and believes U_i ←sk_k→ S_j. Since N_2 is chosen by U_i, U_i will believe S_j believes U_i ←sk_k→ S_j. In step 3 of the user authentication and session key agreement phase, after S_j receives E_{sk_k}(N_3 + 1), he decrypts this message with the kth session key sk_k and gets N_3 + 1. Then S_j checks whether N_3, which was sent by him, is correct. If yes, S_j believes U_i believes U_i ←sk_k→ S_j.

(3) Session key agreement: The session key sk_k = h(ru_k, rs_k, γ_{i,j}) is

known to nobody but S_j and U_i, since the random values ru_k, rs_k are randomly chosen by the user and the server and are encrypted by the shared key γ_{i,j}.

(4) Withstanding attacks: We show that our scheme can resist the following attacks.

1. The man-in-the-middle attack [16]: Our proposed multi-server scheme can also resist the man-in-the-middle attack. If the message is modified by the adversary, either end of the communication will find out and reject this message. Since our proposed scheme accomplishes strong mutual authentication, our scheme can resist this attack.

2. The dictionary attack [2]: To derive the session key sk_k, the adversary must know ru_k, rs_k and γ_{i,j}, but the shared key γ_{i,j} is only kept secretly by the user, the server and KDC. The adversary cannot get the session key sk_k, since ru_k and rs_k are randomly chosen and protected by the shared key γ_{i,j}, and the entropy of ru_k, rs_k and γ_{i,j} is very large.

3. The replay attack [17]: The replay attack simply replays a message to the user or the server. Our multi-server scheme also provides the ability to avoid this attack. Our proposed scheme uses the nonces N_2, N_3 and N_3 + 1 to resist the replay attack.

4. The modification attack [18]: For the message N_2, λ_{i,j,k}, E_{γ_{i,j}}(ru_k, h(N_2 || ru_k || λ_{i,j,k})) of step 1 of the user authentication and session key agreement phase, the adversary cannot alter this message since the adversary does not have the shared key γ_{i,j}. If the adversary modifies the message, the server will reject it. On the other hand, the user can also observe whether the original message was changed by the adversary. So this attack on our scheme is prevented.

5. The stolen-verifier attack [3]: In our proposed multi-server scheme, we use a pseudo identification λ_{i,j,k} = h(γ_{i,j} || UID_i || SID_j || k) for user anonymity. Without knowing γ_{i,j} = h(α_i, SID_j), the attacker cannot get the user's real identification UID_i since the entropy of γ_{i,j} is very large. Our proposed multi-server scheme can withstand the stolen-verifier attack.

6. The insider attack [11]: The function of the weak password PW_i in our multi-server scheme is the same as in our single-server scheme. The most important assumption for KDC is that it keeps its master secret key x secret. If this master secret key x is compromised, then this multi-server system is insecure. The most important assumption for the server S_j is that it keeps its table of shared keys γ_{i,j} secret. If its shared key table is compromised, then this server is insecure.

4.3. Performance considerations

In this subsection, we present an efficiency comparison among our proposed scheme, Yang et al.'s scheme [19] and Juang's scheme [7]. The comparison is given in Table 3. We also assume that n in Yang et al.'s scheme [19], which has the same assumption as Lin et al.'s scheme [10], is 1024 bits in order to make the discrete logarithm

(12) Table 3: Efficiency comparison between our multi-server scheme and other related schemes Our scheme Yang et al.’s scheme [19] Juang’s scheme [7] E1 256 bits 1024 bits 256 bits E2 384 bits 5 × 1024 bits 256 bits E3 1 Hash 2 Exp 1 Hash E4 6 Sym + 5 Hash None 4 Sym +2 Hash E5 6 Sym + 7 Hash 9 Exp + 2 Sym + 2 Hash 7 Sym + 3 Hash E1: Memory needed in the smart card E2: Communication cost of the authentication for cryptographic parameters E3: Computation cost of the registration E4: Computation cost of the shared key inquiring E5: Computation cost of the user authentication and key agreement Hash: Hashing operation Exp: Exponential operation Sym: Symmetric encryption or decryption identification in our scheme is three symmetric key encryptions, three symmetric key decryptions and seven hash operations. The computation cost of user identification in Juang’s scheme [7] is three symmetric key encryptions, four symmetric key decryptions and three hash operations. The computation cost of anonymous user identification in Yang et al.’s scheme [19], nine exponential operations, one symmetric key encryptions, one symmetric key encryptions, and two hash operations are required. Note that the computation cost of our scheme, Juang et al.’s scheme[7] and Yang et al.’s scheme[19] do not accounted cost of generating session key. We summarize the functionality and complexity of related scheme in Table 4. Our scheme can satisfy all listed functions and has low communication and computation cost. In comparison with Yang et al.’s, our proposed scheme have low communication and no time synchronization problems since using symmetric key cryptosystems and nonces to prevent replay attack, respectively. In comparison with Juang’s scheme [7], our scheme provides an ability of privacy protection which is not provided by Juang [7].. problem infeasible. 
Moreover, we also assume both the output size of secure oneway hashing functions and the block size of secure symmetric cryptosystems are 128 bits. In our scheme and Juang’s scheme [7], the memory needed in the smart card is 256 bits. In [19], However, the memory needed in the smart card is 1024 bits since their scheme based on the intractability of the discrete logarithm problem. The communication cost of the user authentication of our scheme and Juang’s scheme [7] is 384 and 256 bits respectively. In [19], the communication cost for the authentication is 5 × 1024 bits. In our scheme and Juang’s scheme [7], the computation cost of registration is one hash operation. In that phase, that is two exponentiation operations in Yang et. al.’s scheme. In our scheme, the computation cost of the shared key inquiring phase is needed three symmetric key encryptions, three symmetric key decryptions, five hash operations and one exclusive-or operation. In Juang’s scheme [7], that is needed two symmetric key encryptions, two symmetric key decryptions, two hash operations. That phase of Yang et al.’s scheme [19] is not required. The computation cost of anonymous user. 12.
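The two mechanisms analysed above, the pseudo identification λi,j,k that keeps UIDi out of anything an attacker can read or steal, and the hash inside the encrypted part of the step-1 message that makes modification detectable, together with the server-side online recomputation of λi,j,k from the transmitted k that the Discussions section describes, are illustrated by the following added Python example. It is not the paper's code. Assumptions not fixed by the paper: h is SHA-256 truncated to 128 bits (matching the 128-bit hash output assumed in the comparison); the symmetric cipher Eγ is stood in for by a toy SHA-256 counter-mode keystream, which provides no integrity of its own, so the modification check rests on the inner hash exactly as in the analysis; concatenation uses fixed-width byte fields; and the master key x, the identities, nonces and random values are constructed sample data.

```python
import hashlib

HASH_LEN = 16  # 128-bit hash output, as assumed in the efficiency comparison


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...): SHA-256 truncated to 128 bits (assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()[:HASH_LEN]


def toy_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stand-in for the symmetric cipher E_gamma: XOR with a SHA-256
    counter keystream derived from (key, iv); encryption and decryption are
    the same operation. It has no integrity protection, which is deliberate:
    the protocol detects modification through the hash inside the message,
    not through the cipher. Not for production use."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        out += bytes(p ^ q for p, q in zip(data[ctr:ctr + 32], ks))
    return bytes(out)


def shared_key(alpha_i: bytes, sid_j: bytes) -> bytes:
    """gamma_{i,j} = h(alpha_i, SID_j), shared by U_i, S_j and the KDC."""
    return h(alpha_i, sid_j)


def pseudo_id(gamma: bytes, uid: bytes, sid: bytes, k: int) -> bytes:
    """lambda_{i,j,k} = h(gamma_{i,j} || UID_i || SID_j || k) for transaction k."""
    return h(gamma, uid, sid, k.to_bytes(4, "big"))


def resolve_pseudo_id(key_table: dict, sid: bytes, k: int, lam: bytes):
    """Server S_j: rather than storing every lambda_{i,j,k}, recompute the
    candidate for transaction k from each (UID_i, gamma_{i,j}) row of the
    shared-key table and return the real UID_i that matches, or None.
    Without gamma_{i,j} nobody can map lam back to UID_i (stolen-verifier)."""
    for uid, gamma in key_table.items():
        if pseudo_id(gamma, uid, sid, k) == lam:
            return uid
    return None


def build_step1(gamma: bytes, uid: bytes, sid: bytes, k: int, n2: bytes, r_u: bytes):
    """U_i -> S_j: k, N2, lambda_{i,j,k}, E_gamma(r_u, h(N2 || r_u || lambda_{i,j,k})).
    k is sent along so the server can recompute lambda online."""
    lam = pseudo_id(gamma, uid, sid, k)
    inner = r_u + h(n2, r_u, lam)
    return k, n2, lam, toy_cipher(gamma, n2, inner)


def verify_step1(key_table: dict, sid: bytes, msg):
    """S_j: resolve lambda to UID_i, decrypt with gamma_{i,j} and recompute
    the inner hash. Returns (UID_i, r_u) on success, None on any mismatch.
    A bit flipped anywhere in the ciphertext changes r_u or the hash, so the
    recomputed h(N2 || r_u || lambda) no longer matches (modification attack);
    a lambda that does not resolve under the presented k is rejected too."""
    k, n2, lam, ct = msg
    uid = resolve_pseudo_id(key_table, sid, k, lam)
    if uid is None:
        return None
    pt = toy_cipher(key_table[uid], n2, ct)
    r_u, tag = pt[:HASH_LEN], pt[HASH_LEN:]
    if tag != h(n2, r_u, lam):
        return None
    return uid, r_u


# Constructed sample values (not from the paper).
X_MASTER = b"kdc-master-secret-x"                 # KDC master secret x
SID_J = b"server-j"
UID_I, UID_B = b"alice@example", b"bob@example"
ALPHA_I = h(X_MASTER, UID_I)                      # alpha_i = h(x, UID_i), held in U_i's card
GAMMA_IJ = shared_key(ALPHA_I, SID_J)
# S_j's table holds real UIDs and shared keys only: no passwords and no
# pseudo identities, so a stolen copy does not tell anyone lacking
# gamma_{i,j} which lambda belongs to whom.
KEY_TABLE = {UID_I: GAMMA_IJ, UID_B: shared_key(h(X_MASTER, UID_B), SID_J)}


def flip_byte(msg, index: int):
    """Adversary: flip one bit of the ciphertext at the given offset."""
    k, n2, lam, ct = msg
    ct = ct[:index] + bytes([ct[index] ^ 0x80]) + ct[index + 1:]
    return k, n2, lam, ct


if __name__ == "__main__":
    import os
    msg = build_step1(GAMMA_IJ, UID_I, SID_J, 7, os.urandom(16), os.urandom(16))
    print("genuine accepted :", verify_step1(KEY_TABLE, SID_J, msg) is not None)
    print("tampered rejected:", verify_step1(KEY_TABLE, SID_J, flip_byte(msg, 0)) is None)
```

The lookup in resolve_pseudo_id is linear in the number of registered users for each login, which is the storage-versus-computation trade the Discussions section accepts; note also that the inner hash only detects modification, while replay of an unmodified step-1 message is handled by the later nonces N3 and N3 + 1, which this fragment does not model.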

Table 4: Functionality comparison between our multi-server scheme and other related schemes

        Our scheme    Yang et al.'s scheme [19]    Juang's scheme [7]
  C1    Yes           Yes                          No
  C2    Yes           Yes                          Yes
  C3    Very low      High                         Very low
  C4    Yes           Yes                          Yes
  C5    Yes           Yes                          Yes
  C6    Yes           No                           Yes

  C1: Privacy protection
  C2: Freely chosen password
  C3: Communication and computation cost
  C4: Mutual authentication
  C5: Session key agreement
  C6: No serious time synchronization problem

5. Discussions

For practical implementation, the smart cards used in our schemes can be issued by the trusted key distribution center and are assumed to be tamper-proof devices. To protect Ui's smart card from being used by an illegitimate user, a weak password PWi can be chosen and used to protect it. Its role is like that of the personal identification number (PIN) used in current banking systems. If an illegitimate user presents wrong passwords more than some fixed number of times, the operating system of the smart card blocks the login procedure.

Using the factoring method proposed in [9], factoring a 512-bit modulus was estimated in 2003 to take less than ten minutes on a US$10K device, and factoring a 1024-bit modulus about a year on a US$10M device. Unlike the schemes of [19], which use public-key cryptosystems, our schemes use only symmetric cryptosystems and one-way hash functions. Our approach offers another choice with better efficiency and without relying on any assumed hard number-theoretic problem, e.g., the factoring problem or the discrete logarithm problem. In practice, one-way hash functions can be constructed from symmetric cryptosystems [12], which reduces the memory needed in smart cards for storing cryptographic programs.

In step 1 of our schemes, the pseudo identification λi,k = h(αi||IDi||k) in Section 3, or λi,j,k = h(γi,j||UIDi||SIDj||k) in Section 4, for the kth transaction is used to protect the privacy of user i. After receiving the pseudo identification λi,k or λi,j,k, the server searches for this entry in its key table and finds the corresponding real identification. Because the transaction value k is sent in step 1, the server can instead compute every possible pseudo identification λi,k or λi,j,k for that k online and compare it with the received value, which saves storage.

To improve the repairability discussed in [5, 11], the secret value αi = h(x, UIDi) stored in each Ui's smart card can be replaced by αi = h(x, UIDi, j), where j is the number of times Ui has revoked his previous secret key αi. This approach, however, requires the key distribution center to record the number j in its database, or Ui to send j to the server in the authentication phase. The password changing procedure proposed in [5, 11] can be used directly in our schemes to change users' passwords.

Like the schemes in [6, 7], our schemes do not provide perfect forward secrecy, since it would lower performance and increase communication and computation cost. If this property is required, the Diffie-Hellman algorithm [4] can be applied directly to our schemes, as in [6, 7].

Yang et al.'s scheme [19] has a serious time-synchronization problem, since it is based on time-stamps. For example, on receiving the message (x, s, y, T) from the user, the server accepts the user as legitimate if T′ − T < ΔT, where T′ is the server's receiving time and T is the user's sending time. Our schemes avoid this problem because they use nonces to prevent replay attacks.

6. Conclusions

In this paper we have proposed two user authentication and key agreement schemes with privacy protection, for single-server and multi-server environments. The single-server scheme is simpler and more efficient. In the multi-server scheme, users register only once and can then use all services offered by the service providers. Both schemes protect user privacy. They also have low communication and computation cost for user authentication, since they use only symmetric cryptosystems and one-way functions. Finally, our schemes avoid the serious time-synchronization problem of a distributed computing environment, since they are nonce-based.

Acknowledgments

This work was supported in part by the National Science Council of the Republic of China under contract NSC 94-2213-E-128-001.

References

[1] M. Burrows, M. Abadi and R. Needham, "A Logic of Authentication," ACM Trans. on Computer Systems, Vol. 8, No. 1, pp. 18-36, 1990.
[2] S. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks," Proc. IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72-84, 1992.
[3] Y. Chang and C. Chang, "Authentication Schemes with no Verification Table," Applied Mathematics and Computation, Vol. 167, pp. 820-832, 2005.
[4] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654, 1976.
[5] T. Hwang and W. Ku, "Repairable Key Distribution Protocols for Internet Environments," IEEE Trans. on Communications, Vol. 43, No. 5, pp. 1947-1950, 1995.
[6] W. Juang, "Efficient Password Authenticated Key Agreement Using Smart Cards," Computers & Security, Vol. 23, No. 2, pp. 167-173, 2004.
[7] W. Juang, "Efficient Multi-server Password Authenticated Key Agreement Using Smart Cards," IEEE Trans. on Consumer Electronics, Vol. 50, No. 1, pp. 251-255, 2004.
[8] L. Lamport, "Password Authentication With Insecure Communication," Communications of the ACM, Vol. 24, pp. 770-772, 1981.
[9] A. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J. Hughes and P. Leyland, "Factoring Estimates for a 1024-bit RSA Modulus," in C. Laih (ed.), Advances in Cryptology - AsiaCrypt '03, Lecture Notes in Computer Science 2894, pp. 55-74, Springer, New York, 2003.
[10] I. Lin, M. Hwang and L. Li, "A New Remote User Authentication Scheme for Multi-server Architecture," Future Generation Computer Systems, Vol. 19, pp. 13-22, 2003.
[11] W. Ku and S. Chen, "Weaknesses and Improvements of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards," IEEE Trans. on Consumer Electronics, Vol. 50, No. 1, pp. 204-207, 2004.
[12] R. Merkle, "One Way Hash Functions and DES," in G. Brassard (ed.), Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science 435, pp. 428-446, Springer, New York, 1989.
[13] NIST FIPS PUB 197, "Announcing the Advanced Encryption Standard (AES)," National Institute of Standards and Technology, U.S. Department of Commerce, Nov. 2001.
[14] NIST FIPS PUB 180-2, "Secure Hash Standard," National Institute of Standards and Technology, U.S. Department of Commerce, DRAFT, 2004.
[15] R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, Internet Activities Board, Internet Privacy Task Force, 1992.
[16] D. Seo and P. Sweeney, "Simple Authenticated Key Agreement Algorithm," Electronics Letters, Vol. 35, pp. 1073-1074, 1999.
[17] P. Syverson, "A Taxonomy of Replay Attacks," Proc. Computer Security Foundations Workshop VII (CSFW 7), pp. 187-191, 1994.
[18] C. Yang, T. Chang and M. Hwang, "Cryptanalysis of Simple Authenticated Key Agreement Protocols," IEICE Trans. Fundamentals, Vol. E87-A, No. 8, pp. 2174-2176, 2004.
[19] Y. Yang, S. Wang, F. Bao, J. Wang and R. Deng, "New Efficient User Identification and Key Distribution Scheme Providing Enhanced Security," Computers and Security, Vol. 23, No. 8, pp. 697-704, 2004.
