Cryptanalysis of Hsiang-Shih’s Secure Dynamic ID Based Remote User Authentication Scheme
Wen-Chung Kuo
Department of Computer Science and Information Engineering, National Formosa University
simonkuo@nfu.edu.tw
Yu-Shuan Chu
Department of Computer Science and Information Engineering, National Formosa University
s49343101@nfu.edu.tw
Bae-Ling Chen
Graduate School of Engineering Science and Technology, National Yunlin University of Science and Technology
chenbl@yuntech.edu.tw
Abstract― Recently, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environments. They achieved user anonymity by using a secure dynamic ID instead of a static ID. Later, Hsiang and Shih gave an improved scheme to repair the security flaws found in Liao-Wang’s scheme. Hsiang and Shih claimed that their scheme inherits the merits and enhances the security of Liao-Wang’s scheme, and achieves the mutual authentication that Liao-Wang’s scheme fails to provide. In this paper, however, we show that Hsiang-Shih’s scheme withstands neither user nor server impersonation attacks. In addition, their scheme is vulnerable to malicious users and is insecure for practical application.
Index Terms―Cryptanalysis, Authentication, Smart Card, Dynamic ID, Multi-server.
I. INTRODUCTION
With the increasing number of systems that provide services over open networks, remote authentication is critical for preventing unauthorized parties from accessing remote system resources. Smart card based authentication schemes are the most commonly used mechanism for remote user authentication. With the convenience of networks, system resources or services are often composed of many different servers distributed over the network so that remote users can access them efficiently and conveniently. Most traditional authentication schemes use a real ID or static ID in the multi-server environment, but this careless design allows an adversary to trace and identify users’ requests by monitoring the communications between servers [3].
Recently, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environments [3]. Their scheme uses only hash functions for mutual authentication and session key agreement, and a dynamic ID [1] instead of a real or static ID to achieve user anonymity. They claimed that their scheme lets a user obtain service from any server in the multi-server environment. Later, Hsiang and Shih gave an improved scheme [2] to repair the security flaws found in Liao-Wang’s scheme. Hsiang and Shih claimed that their scheme inherits the merits and enhances the security of Liao-Wang’s scheme, and achieves the mutual authentication that Liao-Wang’s scheme fails to provide. In this paper, however, we show that Hsiang-Shih’s scheme withstands neither user nor server impersonation attacks. In addition, their scheme is vulnerable to malicious users and is insecure for practical application.
The rest of this paper is organized as follows. In Section 2, we briefly review Hsiang-Shih’s scheme. We analyze the weakness of Hsiang-Shih’s scheme in Section 3. Our conclusions are given in Section 4.
II. REVIEW OF HSIANG-SHIH’S SCHEME
In this section, we briefly review Hsiang-Shih’s scheme. For convenience, the notations used in Hsiang-Shih’s scheme are listed as follows:
RC: registration center
x: master secret key of RC
r, y: secret numbers of RC
Ui: i-th user
CIDi: dynamic ID of Ui
pwi: password of Ui
bi: blind factor of Ui
Sj: j-th remote server
SIDj: identification of Sj
h(·): secure one-way hash function
⊕: bitwise XOR operation
||: string concatenation operation
Hsiang-Shih’s scheme assumes that only RC knows the master secret key x and the two secret numbers r, y. There are four phases in Hsiang-Shih’s scheme: the registration phase, the login phase, the mutual authentication and session key agreement phase, and the password change phase.
A. Registration phase
In the registration phase, user Ui initially registers with registration center RC. Ui submits his identity IDi and password pwi to RC, and RC performs the following steps:
Step R1. Ui chooses his password pwi and arbitrary
number bi, and then, computes h(bi ⊕ pwi).
Step R2. Ui sends {IDi, h(bi ⊕ pwi)} to RC over a
secure channel.
Step R3. Upon receiving the registration information, RC performs the following computations:
Ti = h(IDi || x)
Vi = Ti ⊕ h(IDi || h(bi ⊕ pwi))
Ai = h(h(bi ⊕ pwi) || r) ⊕ h(x ⊕ r)
Bi = Ai ⊕ h(bi ⊕ pwi)
Ri = h(h(bi ⊕ pwi) || r)
Hi = h(Ti).
Step R4. RC issues a smart card containing {Vi, Bi,
Hi, Ri, h(·)} to Ui over a secure channel.
Step R5. Upon receiving the smart card, Ui enters bi
into his smart card.
Note that Ui’s smart card now contains {Vi, Bi, bi, Ri, Hi, h(·)}.
B. Login phase
This phase is invoked whenever Ui requests to
log into Sj. Ui inputs his identity IDi, password pwi,
and the identity of target server SIDj to his smart
card, and the smart card performs the following steps:
Step L1. Ui’s smart card computes Ti = Vi ⊕ h(IDi || h(bi ⊕ pwi)) and Hi* = h(Ti) and checks whether Hi* and Hi are equal. If they are not equal, the smart card rejects Ui; otherwise, the legitimacy of Ui is assured.
Step L2. The smart card generates nonce Ni and
performs the following computations:
Ai = Bi ⊕ h(bi ⊕ pwi)
CIDi = h(bi ⊕ pwi) ⊕ h(Ti || Ai || Ni)
Pij = Ti ⊕ h(Ai || Ni || SIDj)
Qi = h(Bi || Ai || Ni)
Di = Ri ⊕ SIDj ⊕ Ni
C0 = h(Ai || Ni + 1 || SIDj).
Step L3. The smart card sends Ui’s login request
{CIDi, Pij, Qi, Di, C0, Ni} to Sj.
C. Mutual verification and session key agreement phase
In this phase, user Ui and server Sj authenticate each other. After finishing the mutual authentication protocol, Ui and Sj each compute the session key SK. Ui and Sj perform the following steps:
Step V1. Upon receiving the login request, Sj generates nonce Njr and computes Mjr = h(SIDj || y) ⊕ Njr, then sends the message {Mjr, SIDj, Di, C0, Ni} to registration center RC.
Step V2a. Upon receiving Sj’s message, RC computes Njr’ = Mjr ⊕ h(SIDj || y), Ri’ = Di ⊕ SIDj ⊕ Ni, and Ai’ = Ri’ ⊕ h(x ⊕ r).
Step V2b. RC computes C0’ = h(Ai’ || Ni + 1 || SIDj) and compares it with C0. If they are not equal, RC terminates the authentication protocol.
Step V2c. RC generates nonce Nrj and computes C1 = h(Njr’ || h(SIDj || y) || Nrj) and C2 = Ai’ ⊕ h(h(SIDj || y) || Nrj), and sends {C1, C2, Nrj} back to Sj.
Step V3. Upon receiving RC’s reply, Sj computes C1’ = h(Njr || h(SIDj || y) || Nrj) and compares it with C1. If they are not equal, Sj reports an RC authentication error and terminates the authentication protocol.
Step V4. Sj computes Ai = C2 ⊕ h(h(SIDj || y) || Nrj), Ti = Pij ⊕ h(Ai || Ni || SIDj), h(bi ⊕ pwi) = CIDi ⊕ h(Ti || Ai || Ni), and Bi = Ai ⊕ h(bi ⊕ pwi).
Step V5. Sj computes h(Bi || Ai || Ni) and compares it with Qi. If they are not equal, Sj terminates the authentication protocol.
Step V6. Sj generates nonce Nj, computes Mji’ =
h(Bi || Ni || Ai || SIDj), and sends back {Mji’, Nj} to Ui.
Step V7. Upon receiving Sj’s reply, Ui computes
h(Bi || Ni || Ai || SIDj) and compares it with
Mji’. If they are not equal, Ui aborts the
connection; otherwise Sj is authenticated
by Ui.
Step V8. Ui computes Mij” = h(Bi || Nj || Ai || SIDj)
and sends back Mij” to Sj.
Step V9. Upon receiving Ui’s reply, Sj computes h(Bi || Nj || Ai || SIDj) and compares it with Mij”. If they are not equal, Sj terminates the authentication protocol; otherwise Ui is authenticated by Sj and the mutual authentication is completed. Ui and Sj then compute h(Bi || Ai || Ni || Nj || SIDj) as their session key SK.
D. Password change phase
In this phase, user Ui can update his password
without the help of registration center RC. Ui and
his smart card perform the following steps:
Step C1. Ui inserts his smart card to his card reader,
inputs {IDi, pwi}, and requests to change
password.
Step C2. Upon receiving Ui’s request, the smart card computes Ti = Vi ⊕ h(IDi || h(bi ⊕ pwi)) and Hi* = h(Ti) and checks whether Hi* and Hi are equal. If they are not equal, the smart card rejects Ui; otherwise, Ui is asked to choose a new password pwinew.
Step C3. After Ui inputs pwinew, Ui’s smart card computes Vinew = Ti ⊕ h(IDi || h(bi ⊕ pwinew)) and Binew = Bi ⊕ h(bi ⊕ pwi) ⊕ h(bi ⊕ pwinew). Finally, Vinew and Binew are stored back to the smart card to replace Vi and Bi respectively.
III. WEAKNESS OF HSIANG-SHIH’S SCHEME
A. User impersonation attack
We first show that in Hsiang-Shih’s scheme a malicious user can easily impersonate another user without that user’s password or smart card. Suppose that there is a malicious user with identity Ua in Hsiang-Shih’s scheme. Since Ua is a registered user who can be authenticated by remote server Sj, Ua has a smart card containing {Va, Ba, ba, Ra, Ha, h(·)}, and this authentication information is known to Ua. Ua uses the authentication information stored on his own smart card together with the collected communication flows of another user Ui to impersonate Ui, as in the following steps:
Step U1. Ua first computes Aa = Ba ⊕ h(ba ⊕ pwa). Since Ra = h(h(ba ⊕ pwa) || r) and Aa = h(h(ba ⊕ pwa) || r) ⊕ h(x ⊕ r), he then has h(x ⊕ r) = Ra ⊕ Aa. Note that this value does not depend on Ua at all: it is the same for every registered user.
Step U2. From the collected communication flows of user Ui, Ua retrieves Ui’s login request {CIDi, Pij, Qi, Di, C0, Ni} and performs the following computations:
Ri = Di ⊕ SIDj ⊕ Ni
Ai = Ri ⊕ h(x ⊕ r)
Ti = Pij ⊕ h(Ai || Ni || SIDj)
h(bi ⊕ pwi) = CIDi ⊕ h(Ti || Ai || Ni)
Bi = Ai ⊕ h(bi ⊕ pwi).
Step U3. Ua generates nonce Na and performs the following computations:
CIDi* = h(bi ⊕ pwi) ⊕ h(Ti || Ai || Na)
Pij* = Ti ⊕ h(Ai || Na || SIDj)
Qi* = h(Bi || Ai || Na)
Di* = Ri ⊕ SIDj ⊕ Na
C0* = h(Ai || Na + 1 || SIDj).
Step U4. Ua sends the forged login request {CIDi*,
Pij*, Qi*, Di*, C0*, Na} to Sj.
Step U5. Upon receiving the login request, Sj generates nonce Njr and computes Mjr = h(SIDj || y) ⊕ Njr, then sends the message {Mjr, SIDj, Di*, C0*, Na} to registration center RC.
Step U6a. Upon receiving Sj’s message, RC computes Njr* = Mjr ⊕ h(SIDj || y), Ri* = Di* ⊕ SIDj ⊕ Na, and Ai* = Ri* ⊕ h(x ⊕ r).
Step U6b. RC computes C0* = h(Ai* || Na + 1 || SIDj) and checks that it equals the received C0*. Since Ri* = Ri and Ai* = Ai, the check passes.
Step U6c. RC generates nonce Nrj and computes C1* = h(Njr* || h(SIDj || y) || Nrj) and C2* = Ai* ⊕ h(h(SIDj || y) || Nrj), and sends {C1*, C2*, Nrj} back to Sj.
Step U7. Upon receiving RC’s reply, Sj computes
C1’ = h(Njr || h(SIDj || y) || Nrj) and checks
C1’ = C1*.
Step U8. Sj computes Ai’ = C2* ⊕ h(h(SIDj || y) || Nrj), Ti’ = Pij* ⊕ h(Ai’ || Na || SIDj), h(bi ⊕ pwi)’ = CIDi* ⊕ h(Ti’ || Ai’ || Na), and Bi’ = Ai’ ⊕ h(bi ⊕ pwi)’.
Step U9. Sj computes Qi’ = h(Bi’ || Ai’ || Na) and
checks Qi’ = Qi.
Step U10. Sj generates nonce Nj, computes Mji* =
h(Bi’ || Na || Ai’ || SIDj), and sends back
{Mji*, Nj} to Ua.
Step U11. Upon receiving Sj’s reply, Ua computes h(Bi || Na || Ai || SIDj) and checks that it equals Mji*.
Step U12. Ua computes Mij** = h(Bi || Nj || Ai ||
SIDj) and sends back Mij** to Sj.
Step U13. Upon receiving Ua’s reply, Sj computes h(Bi’ || Nj || Ai’ || SIDj) and checks that it equals Mij**. Ua is authenticated as Ui by Sj and the mutual authentication is completed. Ua can also compute SK = h(Bi || Ai || Na || Nj || SIDj).
The forged login request is accepted. Sj is fooled into believing that malicious user Ua is Ui. Sj authenticates Ua, and Ua accesses the remote system as Ui. Hence, Ua impersonates Ui without Ui’s password or smart card. Therefore, Hsiang-Shih’s scheme is vulnerable to user impersonation attacks.
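The following model is an added example, not code from the paper or from Hsiang and Shih. It implements the registration and login phases of Section II and the RC-side (Step V2b) and server-side (Steps V4-V5) checks, and then reproduces the observation of Step U1 above: the value Ri ⊕ Ai stored on any user’s card equals h(x ⊕ r), and RC’s check C0 depends on nothing but h(x ⊕ r) and the login request itself. SHA-256 as h(·), 32-byte secrets and nonces, zero-padding of short identifiers and passwords, and the sample identities are all assumptions of the model.

```python
import hashlib
import os

KLEN = 32  # assumption: secrets, nonces, padded IDs and hash outputs are 32 bytes


def h(*parts: bytes) -> bytes:
    """h(.) of the paper; '||' is modelled as byte concatenation (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == KLEN
    return bytes(p ^ q for p, q in zip(a, b))


def pad(s: bytes) -> bytes:
    """Zero-pad a short identifier or password so it can be XORed (assumption)."""
    return s.ljust(KLEN, b"\0")


def nb(n: int) -> bytes:
    """Encode a nonce as bytes so that 'Ni + 1' in the paper is well defined."""
    return n.to_bytes(KLEN, "big")


def rc_check_c0(hxr: bytes, SID: bytes, req: dict) -> bool:
    """Step V2a/V2b as RC performs it. Note the inputs: only h(x xor r) and the
    request fields D, N, C0 are needed; nothing user-specific is consulted."""
    R = xor(xor(req["D"], SID), nb(req["N"]))
    A = xor(R, hxr)
    return h(A, nb(req["N"] + 1), SID) == req["C0"]


class RegistrationCenter:
    """RC holds x, r, y (Step R3 and its side of Step V2)."""

    def __init__(self):
        self.x, self.r, self.y = os.urandom(KLEN), os.urandom(KLEN), os.urandom(KLEN)

    def register(self, ID: bytes, hbp: bytes) -> dict:
        T = h(ID, self.x)
        A = xor(h(hbp, self.r), h(xor(self.x, self.r)))
        return {"V": xor(T, h(ID, hbp)), "B": xor(A, hbp),
                "H": h(T), "R": h(hbp, self.r)}

    def verify(self, SID: bytes, req: dict) -> bool:
        return rc_check_c0(h(xor(self.x, self.r)), SID, req)


def make_card(rc: RegistrationCenter, ID: bytes, pw: bytes, b: bytes) -> dict:
    """Steps R1-R5: the card ends up holding {V, B, b, R, H}."""
    card = rc.register(ID, h(xor(b, pad(pw))))
    card["b"] = b
    return card


def login(card: dict, ID: bytes, pw: bytes, SID: bytes, N: int) -> dict:
    """Steps L1-L3 on the card; returns the login request {CID, P, Q, D, C0, N}."""
    hbp = h(xor(card["b"], pad(pw)))
    T = xor(card["V"], h(ID, hbp))
    if h(T) != card["H"]:
        raise ValueError("smart card rejects user")  # Step L1
    A = xor(card["B"], hbp)
    return {"CID": xor(hbp, h(T, A, nb(N))), "P": xor(T, h(A, nb(N), SID)),
            "Q": h(card["B"], A, nb(N)), "D": xor(xor(card["R"], SID), nb(N)),
            "C0": h(A, nb(N + 1), SID), "N": N}


def server_check_q(A: bytes, SID: bytes, req: dict) -> bool:
    """Steps V4-V5: given Ai (normally from RC's C2), Sj rebuilds Ti, h(bi xor pwi),
    Bi from the request and checks Qi. Again only Ai and the request are used."""
    T = xor(req["P"], h(A, nb(req["N"]), SID))
    hbp = xor(req["CID"], h(T, A, nb(req["N"])))
    B = xor(A, hbp)
    return h(B, A, nb(req["N"])) == req["Q"]


def card_view_of_rc_secret(card: dict, pw: bytes) -> bytes:
    """Step U1 of the paper: R xor A on any card equals h(x xor r)."""
    A = xor(card["B"], h(xor(card["b"], pad(pw))))
    return xor(card["R"], A)


def demo() -> dict:
    """Register two users with the same RC and compare what their cards reveal."""
    rc = RegistrationCenter()
    sid = pad(b"server-1")                       # constructed sample SIDj
    ca = make_card(rc, pad(b"alice"), b"pw-a", os.urandom(KLEN))
    cb = make_card(rc, pad(b"bob"), b"pw-b", os.urandom(KLEN))
    sa, sb = card_view_of_rc_secret(ca, b"pw-a"), card_view_of_rc_secret(cb, b"pw-b")
    req = login(ca, pad(b"alice"), b"pw-a", sid, 1000)
    return {
        "same_value_on_both_cards": sa == sb,
        "value_is_h_x_xor_r": sa == h(xor(rc.x, rc.r)),
        "rc_accepts_genuine_login": rc.verify(sid, req),
        # RC's decision reproduced from Bob's card material and Alice's request only
        "rc_check_needs_only_shared_value": rc_check_c0(sb, sid, req),
        "server_q_check_passes": server_check_q(
            xor(xor(xor(req["D"], sid), nb(req["N"])), sb), sid, req),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

All five results are True. The design lesson is the last two: the verification material that RC and Sj rely on (h(x ⊕ r) and the per-session Ai) is a single value shared by every card rather than a per-user secret, so the checks in Steps V2b and V5 cannot distinguish the card that produced a request from any other registered card. A repair must bind the server-side check to a secret that each card holds individually and that is never exposed as an XOR of two card fields.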
B. Server impersonation attack
In this subsection, we show that in Hsiang-Shih’s scheme a malicious user can easily impersonate a remote server without the secret information shared between the servers and the registration center. Suppose that there is a malicious user with identity Ua in Hsiang-Shih’s scheme who tries to impersonate remote server Sj in order to cheat user Ui. Ui sends his login request {CIDi, Pij, Qi, Di, C0, Ni} to Ua. Using h(x ⊕ r) = Ra ⊕ Aa and the same manner discussed in the previous subsection (Section 3.1), Ua can get Ri = Di ⊕ SIDj ⊕ Ni, Ai = Ri ⊕ h(x ⊕ r), Ti = Pij ⊕ h(Ai || Ni || SIDj), h(bi ⊕ pwi) = CIDi ⊕ h(Ti || Ai || Ni), and Bi = Ai ⊕ h(bi ⊕ pwi). Since Ua has Ai, Ti, h(bi ⊕ pwi), and Bi, Ua can compute h(Bi || Ai || Ni) and check Qi directly without the help of registration center RC. Besides, Ua can choose Nj, compute Mji’ = h(Bi || Ni || Ai || SIDj), and challenge Ui with the message {Mji’, Nj}.
Ui is fooled into believing that malicious user Ua is Sj. Hence, Ua impersonates Sj without the help of RC. Therefore, Hsiang-Shih’s scheme is vulnerable to server impersonation attacks.
C. Security flaw
From the results of the above two subsections, we know that in Hsiang-Shih’s scheme any legitimate user can easily compute h(x ⊕ r), so any legitimate user can execute impersonation attacks. Obviously, Hsiang-Shih’s scheme fails to provide mutual authentication.
IV. CONCLUSIONS
In 2009, Hsiang and Shih proposed a secure dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme inherits the merits and enhances the security of Liao-Wang’s scheme, and achieves the mutual authentication that Liao-Wang’s scheme fails to provide. However, we have demonstrated that Hsiang-Shih’s scheme suffers from both user and server impersonation attacks. In Hsiang-Shih’s scheme, a malicious user can easily impersonate another user to access remote servers without the correct password, and a malicious user can also impersonate any remote server to cheat another user without the secret information of the registration center. For this reason, their scheme is insecure for practical application.
REFERENCES
[1] M.L. Das, A. Saxena, and V.P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics 50 (2) (2004) 629–631.
[2] H.C. Hsiang and W.K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces 31 (6) (2009) 1118–1123.
[3] Y.P. Liao and S.S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces 31 (1) (2009) 24–29.