
Security Analysis of Two SAS-Like Password Authentication Schemes

2005 National Computer Symposium

Wei-Chi Ku, Min-Hung Chiang, and Chun-Hao Hwang
Department of Computer Science and Information Engineering
Fu Jen Catholic University
510 Chung Cheng Rd., Hsinchuang, Taipei County, Taiwan 242, R.O.C.

Abstract

In 2000, Sandirigama, Shimizu, and Noda proposed a simple password authentication scheme, SAS. However, SAS was later found to be flawed. Recently, Chen, Lee, and Horng proposed two SAS-like schemes, which were claimed to be more secure than similar schemes. Herein, we show that both their schemes are still vulnerable to denial-of-service attacks.

Keywords: cryptographic hash function, denial-of-service attack, password authentication, smart card.

1. Introduction

So far, authentication using passwords is still a popular approach often used to authenticate users logging in to any kind of server. Existing password authentication schemes can be categorized into two types: one is based on public-key cryptographic techniques and the other is based on cryptographic hash functions. The latter type has the advantages of lighter computational overhead, simpler designs, and easier implementations, and is the focus of this paper.

In 2000, Sandirigama, Shimizu, and Noda [6] proposed a simple hash-based password authentication scheme, SAS (Simple And Secure password authentication), which was claimed to be superior to previous similar password authentication schemes in utilization, processing time, and transmission overhead. However, SAS was later found to be vulnerable to a replay attack, a denial-of-service attack, and a stolen-verifier attack [4], [1]. To improve the security of SAS, Lin, Sun, and Hwang [4] proposed the OSPA (Optimal Strong-Password Authentication) scheme. Unfortunately, OSPA was found to be vulnerable to a stolen-verifier attack [1] and an impersonation attack [7]. In 2003, Lin, Shen, and Hwang [5] proposed an improved version of OSPA using smart cards. However, their scheme was found to be vulnerable to a denial-of-service attack and a replay attack [3].

Recently, Chen, Lee, and Horng [2] proposed two SAS-like schemes based on smart cards, which are denoted by scheme-1 and scheme-2 herein. Scheme-1 was designed to enhance the security of Lin-Shen-Hwang's scheme, and scheme-2 was designed to additionally achieve mutual authentication, i.e., the user and the server can authenticate each other. Unfortunately, we find that both Chen-Lee-Horng's scheme-1 and scheme-2 are still vulnerable to two kinds of denial-of-service attacks. In this paper, we will first review Chen-Lee-Horng's scheme-1 and scheme-2, and then show their weaknesses.

2. Review of Chen-Lee-Horng's Schemes

The notations used in Chen-Lee-Horng's schemes, scheme-1 and scheme-2, are summarized in Table 1.

Table 1. Notations used in Chen-Lee-Horng's schemes.

Notation        Description
Uᵢ              user
IDᵢ             identity of Uᵢ
S               server
PWᵢ             password of Uᵢ
x               secret key of S
N, N′, r, r′    nonce
h( )            a cryptographic hash function
⊕               bitwise XOR operation
||              concatenation operation

Chen-Lee-Horng's schemes involve two phases, the registration phase and the authentication phase. The registration phase is invoked when Uᵢ requests to register with S, while the authentication phase is invoked whenever Uᵢ requests to log in to S.

A. Scheme-1

Scheme-1 was proposed to improve the security of Lin-Shen-Hwang's scheme, and can be described as follows.

Registration Phase of Scheme-1

Step R1. Uᵢ freely chooses his password PWᵢ and a nonce N, and then computes h²(PWᵢ ⊕ N). Next, he submits {IDᵢ, h²(PWᵢ ⊕ N), N} to S through a secure channel for registration.

Step R2. S stores h²(PWᵢ ⊕ N) in his verification table, computes h(x||IDᵢ), and delivers a smart card containing {N, h(x||IDᵢ)} to Uᵢ through a secure channel.

Authentication Phase of Scheme-1

Step A1. Uᵢ inserts his smart card into the smart card reader of a terminal, and then enters IDᵢ and PWᵢ. Next, his smart card generates a nonce r and performs the following computations:

    c₁ = h(PWᵢ ⊕ N) ⊕ h(h²(PWᵢ ⊕ N) ⊕ r)
    c₂ = h²(PWᵢ ⊕ N′) ⊕ h(PWᵢ ⊕ N)
    c₃ = h³(PWᵢ ⊕ N′)

where N′ is a new nonce generated by Uᵢ's smart card. Then, Uᵢ's smart card computes r ⊕ h(x||IDᵢ) and h(r), and sends {IDᵢ, r ⊕ h(x||IDᵢ), h(r), c₁, c₂, c₃} to S.

Step A2. If IDᵢ is valid, S computes h(x||IDᵢ) to retrieve r from r ⊕ h(x||IDᵢ) and then verifies the validity of r by using h(r).

Step A3. S computes h(h²(PWᵢ ⊕ N) ⊕ r) and then uses it to extract h(PWᵢ ⊕ N) from the received c₁. Next, S applies h() to the extracted h(PWᵢ ⊕ N). If the hashed result equals the stored h²(PWᵢ ⊕ N), S accepts Uᵢ's login request. Otherwise, S rejects Uᵢ's login request. Then, S sends the login acceptance/rejection message to Uᵢ.

Step A4. S uses the extracted h(PWᵢ ⊕ N) to extract h²(PWᵢ ⊕ N′) from the received c₂. Next, S applies h() to the extracted h²(PWᵢ ⊕ N′). If the hashed result equals the received c₃, S replaces h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′). On the other hand, if Uᵢ's smart card receives the login acceptance message, it replaces the stored N with N′.

B. Scheme-2

Scheme-1 only provides unilateral authentication in that the server can authenticate the user while the user cannot authenticate the server. To meet higher security requirements, scheme-2 was proposed to additionally provide mutual authentication and can be described as follows.

Registration Phase of Scheme-2

The registration phase of scheme-2 is the same as that of scheme-1 and is omitted here.

Authentication Phase of Scheme-2

Step A1. Uᵢ inserts his smart card into the smart card reader of a terminal, and then enters IDᵢ and PWᵢ. Next, his smart card generates a nonce r′ and sends {IDᵢ, r′} to S.

Step A2. If IDᵢ is valid, S generates a nonce r, computes r ⊕ h(x||IDᵢ) and h(r||r′), and then sends {r ⊕ h(x||IDᵢ), h(r||r′)} to Uᵢ.

Step A3. Uᵢ's smart card uses the stored h(x||IDᵢ) to retrieve r from the received r ⊕ h(x||IDᵢ) and then computes h(r||r′). If the computed h(r||r′) equals the received one, Uᵢ authenticates S.

Step A4. Uᵢ's smart card performs the following computations:

    c₁ = h(PWᵢ ⊕ N) ⊕ h(h²(PWᵢ ⊕ N) ⊕ r)
    c₂ = h²(PWᵢ ⊕ N′) ⊕ h(PWᵢ ⊕ N)
    c₃ = h³(PWᵢ ⊕ N′)

where N′ is a new nonce generated by Uᵢ's smart card. Next, Uᵢ's smart card sends {c₁, c₂, c₃} to S.

Step A5. S computes h(h²(PWᵢ ⊕ N) ⊕ r) and then uses it to extract h(PWᵢ ⊕ N) from the received c₁. Next, S applies h() to the extracted value. If the hashed result equals the stored h²(PWᵢ ⊕ N), S accepts Uᵢ's login request. Then, S sends the login acceptance/rejection message to Uᵢ.

Step A6. S uses the extracted h(PWᵢ ⊕ N) to extract h²(PWᵢ ⊕ N′) from the received c₂. Next, S applies h() to the extracted h²(PWᵢ ⊕ N′). If the hashed result equals the received c₃, S replaces h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′). On the other hand, if Uᵢ's smart card receives the login acceptance message, it replaces the stored N with N′.

3. Weaknesses of Chen-Lee-Horng's Schemes

We will demonstrate that both scheme-1 and scheme-2 are vulnerable to two kinds of denial-of-service attacks.

Denial-of-Service Attacks on Scheme-1

During Uᵢ's login, the adversary can wiretap the login message sent from Uᵢ in Step A1 and then record c₃ and c₂. Simultaneously, the adversary can replace the transmitting c₁ with an arbitrary value, say X. Because h(X ⊕ h(h²(PWᵢ ⊕ N) ⊕ r)) does not equal the stored h²(PWᵢ ⊕ N), S will reject Uᵢ's login request. After receiving the rejection message from S, Uᵢ will be requested to enter PWᵢ into his smart card again, and then Uᵢ's smart card will generate two new nonces r* and N′* and perform the following computations:

    c₁* = h(PWᵢ ⊕ N) ⊕ h(h²(PWᵢ ⊕ N) ⊕ r*)
    c₂* = h²(PWᵢ ⊕ N′*) ⊕ h(PWᵢ ⊕ N)
    c₃* = h³(PWᵢ ⊕ N′*)
    r* ⊕ h(x||IDᵢ)
    h(r*)

Uᵢ's smart card sends out {IDᵢ, r* ⊕ h(x||IDᵢ), h(r*), c₁*, c₂*, c₃*}, which is intended to reach S. At this moment, the adversary can replace the transmitting c₂* and c₃* with the previously recorded c₂ and c₃. Then, S will compute h(x||IDᵢ) to retrieve r* from the received r* ⊕ h(x||IDᵢ) and verify the validity of r* by using h(r*). Next, S computes h(h²(PWᵢ ⊕ N) ⊕ r*) and uses the result to extract h(PWᵢ ⊕ N) from the received c₁*, and then applies h() to the extracted result. Since the hashed extracted result equals the stored h²(PWᵢ ⊕ N), S will accept Uᵢ's login request. In addition, S will use the extracted h(PWᵢ ⊕ N) to extract h²(PWᵢ ⊕ N′) from c₂ and apply h() to the extracted result. As the hashed extracted result equals c₃, S will replace h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′). Upon receiving the login acceptance message, Uᵢ's smart card will replace the stored N with N′*. Although Uᵢ has successfully logged in to S in this session, his succeeding login request using N′* will be denied.

Furthermore, scheme-1 is vulnerable to another kind of denial-of-service attack as follows. During Uᵢ's login, S will send the login acceptance message to Uᵢ in Step A3. Simultaneously, the adversary can replace the transmitting login acceptance message with the login rejection message. Accordingly, Uᵢ's smart card will not replace the stored N with N′. However, S has replaced the stored h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′). Since the data stored in Uᵢ's smart card and S are not consistent, Uᵢ's succeeding login request using N will be denied. Alternatively, the adversary can fool Uᵢ's smart card into changing N with N′ while the stored h²(PWᵢ ⊕ N) in S is left unchanged. In this case, Uᵢ's succeeding login request using N′ will also be denied.

Denial-of-Service Attacks on Scheme-2

During Uᵢ's login, the adversary can wiretap the login message sent from Uᵢ in Step A4 and then record c₂ and c₃. Simultaneously, the adversary can replace the transmitting c₁ with an arbitrary value, say X. Because h(X ⊕ h(h²(PWᵢ ⊕ N) ⊕ r)) does not equal the stored h²(PWᵢ ⊕ N), S will reject Uᵢ's login request. After receiving the login rejection message from S, Uᵢ will be requested to enter PWᵢ into his smart card again. Then, Uᵢ's smart card will generate a new nonce r′ and send {IDᵢ, r′} to S. Next, S generates a nonce r*, computes r* ⊕ h(x||IDᵢ) and h(r*||r′), and then sends {r* ⊕ h(x||IDᵢ), h(r*||r′)} to Uᵢ. Then, Uᵢ's smart card will use the stored h(x||IDᵢ) to retrieve r* from the received r* ⊕ h(x||IDᵢ) and compute h(r*||r′). As the computed h(r*||r′) equals the received one, Uᵢ authenticates S. Then, Uᵢ's smart card will generate a new nonce N′* and perform the following computations:

    c₁* = h(PWᵢ ⊕ N) ⊕ h(h²(PWᵢ ⊕ N) ⊕ r*)
    c₂* = h²(PWᵢ ⊕ N′*) ⊕ h(PWᵢ ⊕ N)
    c₃* = h³(PWᵢ ⊕ N′*)

Next, Uᵢ's smart card sends out {c₁*, c₂*, c₃*}, which is intended to reach S. Simultaneously, the adversary can replace the transmitting c₂* and c₃* with the previously recorded c₂ and c₃. Next, S will compute h(h²(PWᵢ ⊕ N) ⊕ r*) and use the result to extract h(PWᵢ ⊕ N) from the received c₁* and then apply h() to the extracted result. Since the hashed extracted result equals the stored h²(PWᵢ ⊕ N), S will accept Uᵢ's login request. In addition, S will use the extracted h(PWᵢ ⊕ N) to extract h²(PWᵢ ⊕ N′) from c₂ and apply h() to the extracted result. As the hashed extracted result equals c₃, S will replace h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′). However, upon receiving the login acceptance message, Uᵢ's smart card will replace the stored N with N′*. Although Uᵢ has successfully logged in to S in this session, his succeeding login request using N′* will be denied.

Similarly, scheme-2 is also vulnerable to another kind of denial-of-service attack as follows. During Uᵢ's login, S will send the login acceptance message to Uᵢ in Step A5. Simultaneously, the adversary can replace the transmitting login acceptance message with the login rejection message. Although S has replaced the stored h²(PWᵢ ⊕ N) with h²(PWᵢ ⊕ N′), Uᵢ's smart card will not replace the stored N with N′. Since the data stored in Uᵢ's smart card and S are inconsistent, Uᵢ's succeeding login request using N will be denied. Alternatively, the adversary can fool Uᵢ's smart card into changing N with N′ while the stored h²(PWᵢ ⊕ N) in S is left unchanged. Thus, Uᵢ's succeeding login request using N′ will be denied.

4. Conclusion

Herein, we have shown that both Chen-Lee-Horng's password authentication schemes, scheme-1 and scheme-2, are vulnerable to two kinds of denial-of-service attacks. Such weaknesses are due to the inconsistency of the data stored in the user's smart card and the server.

Acknowledgment

This work was partly supported by the National Science Council, R.O.C., under Grant NSC-93-2213-E-030-017.

References

[1] C.M. Chen and W.C. Ku, "Stolen-verifier attack on two new strong-password authentication protocols," IEICE Trans. Commun., vol.E85-B, no.11, pp.2519–2521, Nov. 2002.
[2] T.H. Chen, W.B. Lee, and G. Horng, "Secure SAS-like password authentication schemes," Comput. Standards & Interfaces, vol.27, no.1, pp.25–31, Nov. 2004.
[3] W.C. Ku, H.C. Tsai, and S.M. Chen, "Two simple attacks on Lin-Shen-Hwang's strong-password authentication protocol," ACM Operating Systems Review, vol.37, no.4, pp.26–31, Oct. 2003.
[4] C.L. Lin, H.M. Sun, and T. Hwang, "Attacks and solutions on strong-password authentication," IEICE Trans. Commun., vol.E84-B, no.9, pp.2622–2627, Sept. 2001.
[5] C.W. Lin, J.J. Shen, and M.S. Hwang, "Security enhancement for optimal strong-password authentication protocol," ACM Operating Systems Review, vol.37, no.2, pp.7–12, April 2003.
[6] M. Sandirigama, A. Shimizu, and M.T. Noda, "Simple and secure password authentication protocol (SAS)," IEICE Trans. Commun., vol.E83-B, no.6, pp.1363–1365, June 2000.
[7] T. Tsuji and A. Shimizu, "An impersonation attack on one-time password authentication protocol OSPA," IEICE Trans. Commun., vol.E86-B, no.7, pp.2182–2185, July 2003.
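
The two scheme-1 denial-of-service cases from Section 3, as an added Python simulation that shows how the card and the server verifier fall out of step; it is not code from the paper or from Chen, Lee, and Horng. SHA-256 as h(), 32-byte nonces, zero-padding of the password, and every class, function and hook name (on_request and on_reply model the channel between card and server) are assumptions made for this example.

```python
import hashlib, os

def h(b, n=1):                       # h^n: SHA-256 applied n times (hash choice is an assumption)
    return b if n == 0 else h(hashlib.sha256(b).digest(), n - 1)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class Server:
    def __init__(self):
        self.x, self.table = os.urandom(32), {}
    def register(self, uid, verifier):            # Step R2: store h^2(PW xor N)
        self.table[uid] = verifier
        return h(self.x + uid)                     # h(x||ID) written to the card
    def handle(self, uid, rk, hr, c1, c2, c3):     # Steps A2-A4
        v, r = self.table[uid], xor(rk, h(self.x + uid))
        a = xor(c1, h(xor(v, r)))                  # candidate h(PW xor N)
        if h(r) != hr or h(a) != v:
            return False
        if h(xor(c2, a)) == c3:                    # c2, c3 are not bound to r or c1
            self.table[uid] = xor(c2, a)           # verifier rolls to the new nonce
        return True

class Card:
    def __init__(self, uid, pw, server):           # Step R1; PW zero-padded to 32 bytes
        self.uid, self.pw, self.n = uid, pw.ljust(32, b"\0"), os.urandom(32)
        self.k = server.register(uid, h(xor(self.pw, self.n), 2))
    def request(self):                             # Step A1
        r, self.n_new = os.urandom(32), os.urandom(32)
        a, b = h(xor(self.pw, self.n)), xor(self.pw, self.n_new)
        return [self.uid, xor(r, self.k), h(r),
                xor(a, h(xor(h(a), r))), xor(h(b, 2), a), h(b, 3)]

def login(card, server, on_request=lambda m: m, on_reply=lambda ok: ok):
    ok = on_reply(server.handle(*on_request(card.request())))
    card.n = card.n_new if ok else card.n          # card rolls N only on acceptance
    return ok

def flipped_reply():                               # acceptance swapped for rejection
    c = Card(b"alice", b"constructed-pw", s := Server())
    return login(c, s), login(c, s, on_reply=lambda ok: False), login(c, s)

def replayed_c2_c3():                              # c1 garbled, then old c2, c3 spliced in
    s, saved = Server(), []
    c = Card(b"alice", b"constructed-pw", s)
    def garble_c1(m):
        saved[:] = m[4:]
        return m[:3] + [os.urandom(32)] + m[4:]
    splice = lambda m: m[:4] + saved
    return login(c, s, on_request=garble_c1), login(c, s, on_request=splice), login(c, s)
```

In both runs the last call is an untampered login by the legitimate user, and it is denied because the card's stored nonce no longer matches the server's verifier.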
