Remote password authentication with smart cards
C.-C. Chang, T.-C. Wu
Indexing terms: Codes and decoding, Cryptography, Security
Abstract: A remote password authentication scheme based on the Chinese remainder theorem is proposed. The scheme can verify the remote password without verification tables. In the initial phase, the password generation centre generates and assigns a password corresponding to each user. The ideas of smart cards and the identity-based signature scheme introduced by Shamir are employed in this phase. Each user possesses a smart card for later login and authentication. In the login phase, the user submits the identity and password associated with the smart card. In the authentication phase, the system verifies the remotely submitted password to check if the login request is accepted or rejected. A signature scheme and communication timestamps are provided in the authentication phase against the potential attacks of replaying a previously intercepted login request.
1 Introduction
The importance of ensuring privacy and security is acute because of the rapid progress and prevalence of multi-user computing environments. Various types of security mechanisms have been employed to preclude information in computer systems being disclosed, destroyed, altered or copied by unauthorised users. Password authentication schemes are the best-known and the most widely accepted of these mechanisms in contemporary computer systems [4, 5, 13].
In conventional password authentication schemes, each user has an identity (ID) and a secret password (PW). When a user requests entry to the system, the correct ID and PW must be submitted in order to pass the system authentication. One straightforward approach to the verification is to store and maintain a directory of user IDs and PWs directly in the system. Such an approach cannot eliminate the threat of the passwords in the directory being revealed.
To overcome the weakness of storing IDs and PWs directly in the system, some approaches [1, 5, 7-12, 15] have been proposed which encode the passwords as test patterns or verification tables instead of a plain password directory. In these approaches the whole system may be insecure and broken down if the test patterns or verification tables are modified by malicious users. Chang and Wu [2] proposed a password authentication scheme without verification tables. In their scheme, the user is burdened with requests for additional information other than the ID and PW in the login stage.

Paper 7947E (C2), first received 13th September 1990 and in revised form 15th January 1991
C.-C. Chang is with the Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan 62107, Republic of China
T.-C. Wu is with the Institute of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 30043, Republic of China
Consider only remote password authentication schemes in remote access systems. Privacy and security are threatened by potential attacks from the remote terminals, along the communication links, as well as from the system itself [13]. Lamport [11] proposed a scheme which protects against attacks of replaying previously intercepted requests. This scheme is insecure if the encrypted password stored in the centre is modified by an intruder. Denning [5] proposed another method using the signature scheme of a public-key cryptosystem. That system also maintains verification tables. A remote password authentication system has the following characteristics:
(i) The system does not need to store or maintain verification tables.
(ii) The login request should be verified easily and quickly.
(iii) The scheme is secure against attacks of replaying previously intercepted requests.
Inspired by Shamir's identity-based signature scheme [18], a remote password authentication scheme based on the Chinese remainder theorem is proposed. A brief review of Shamir's identity-based signature scheme is stated before presenting the scheme.
2 Review of Shamir's identity-based signature scheme
The identity-based cryptosystems and the signature scheme proposed by Shamir [18] enable any pair of users to communicate securely and to verify each other's signature without exchanging private or public keys and without keeping key directories. It also eliminates use by a third party. Shamir's identity-based signature scheme is first described.
Let $n$, $p$, $q$, $e$ and $d$ be parameters of the RSA scheme [16], where $p$ and $q$ are large primes, $n = pq$ and $ed = 1 \bmod (p-1)(q-1)$. The system publishes $e$ and $n$; $p$, $q$ and $d$ are kept secret, that is, $d$ is known only to the key generation centre. The $i$th user's secret key $K_i$ is computed by the centre as
$$K_i = (ID_i)^d \bmod n \qquad (1)$$
where $ID_i$ is the $i$th user's identity. The $i$th user may sign a message $m$, and the signature of $m$ can be verified by anyone who knows $ID_i$, as
$$t = r^e \bmod n \qquad (2)$$
$$s = K_i \cdot r^{f(t, m)} \bmod n \qquad (3)$$
where $r$ is a random number selected by the user and $f$ is a one-way function. The pair $(t, s)$ is the signature of $m$. To anyone who knows $ID_i$, the signature of $m$ can be easily verified using the test
$$s^e = ID_i \cdot t^{f(t, m)} \pmod n \qquad (4)$$
For physical implementation, the secret key generated by the centre is issued to the user in the form of a smart card when the user first registers with the system. A smart card is an IC processor which can efficiently perform computational operations [14]. The smart card possessed by the user contains a microprocessor, an I/O port, a RAM, a ROM with the user's secret key, and programs for generating and verifying the signature [18]. Any pair of users can verify each other's signature easily and quickly.
The merits of Shamir's identity-based signature scheme are that it is simple and secure. It is also suitable for remote access systems. It is weak against the potential attack of replaying previously intercepted authentication keys if an intruder knows the identity $ID_i$ and eavesdrops on the signature messages $s$ and $t$.
A new remote password authentication scheme is presented. The concept of timestamps [6] is employed to avoid attacks which use the strategy of replaying previously intercepted passwords.
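Equations (1) to (4) above, as an added worked example (this is not code from the paper). It assumes constructed toy RSA primes so the numbers stay readable, identities encoded as integers below $n$, and the one-way function $f(t, m)$ modelled as SHA-256 of $(t, m)$; none of these choices are made in the paper.

```python
"""Shamir's identity-based signature scheme, eqns (1)-(4), as an added
illustration; this is not code from the paper. Assumptions: constructed toy
RSA primes so the numbers stay readable, identities encoded as integers
below n, and the one-way function f(t, m) modelled as SHA-256 of (t, m)."""
import hashlib
import secrets

# Constructed key generation centre parameters (far too small for real use).
P, Q = 61, 53
N = P * Q                                  # published
E = 17                                     # published
RSA_D = pow(E, -1, (P - 1) * (Q - 1))      # secret: e*d = 1 mod (p-1)(q-1)


def f(t, m):
    """One-way function f(t, m) of eqns (3)-(4); SHA-256 is an assumption."""
    digest = hashlib.sha256(("%d|%s" % (t, m)).encode()).digest()
    return int.from_bytes(digest, "big")


def issue_secret_key(identity):
    """Eqn (1): K_i = ID_i^d mod n, computed by the centre and stored in the smart card."""
    return pow(identity, RSA_D, N)


def sign(secret_key, m, r=None):
    """Eqns (2)-(3): t = r^e mod n and s = K_i * r^f(t, m) mod n; returns (t, s)."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2     # random r in [2, n-1], chosen by the signer
    t = pow(r, E, N)
    s = secret_key * pow(r, f(t, m), N) % N
    return t, s


def verify(identity, m, signature):
    """Eqn (4): accept iff s^e == ID_i * t^f(t, m) (mod n); needs only (e, n) and ID_i."""
    t, s = signature
    return pow(s, E, N) == identity * pow(t, f(t, m), N) % N
```

The verifier needs nothing but the public $(e, n)$ and the identity, which is the point of the identity-based construction. Note also that a $(t, s)$ pair intercepted once verifies again for the same $m$: nothing in the test binds it to a time, which is the weakness noted above and the reason the scheme in the next section folds a timestamp into $f$.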
3 Proposed scheme
Since the scheme uses the Chinese remainder theorem (CRT), the theorem is described first. Given $2n$ positive integers $m_1, m_2, \ldots, m_n$ and $r_1, r_2, \ldots, r_n$, a constant $C$ can be found such that
$$C = r_1 \bmod m_1,\quad C = r_2 \bmod m_2,\quad \ldots,\quad C = r_n \bmod m_n$$
if $m_i$ and $m_j$ are relatively prime for all $i \neq j$ [17]. The CRT can be applied to encrypt the plaintext and decrypt the ciphertext. Let $d_1, d_2, \ldots, d_m$ be $m$ large relatively prime numbers and $a_1, a_2, \ldots, a_m$ be $m$ plain messages. The encrypted data is
$$C = a_i \bmod d_i, \quad i = 1, 2, \ldots, m \qquad (5)$$
The value $a_i$ can be recovered by computing
$$a_i = C \bmod d_i \qquad (6)$$
Let $D = d_1 d_2 \cdots d_m$ and let $b_i$ satisfy
$$\left(\frac{D}{d_i}\right) b_i = 1 \bmod d_i, \quad i = 1, 2, \ldots, m \qquad (7)$$
The encryption keys can be computed as
$$e_i = \left(\frac{D}{d_i}\right) b_i, \quad i = 1, 2, \ldots, m \qquad (8)$$
By the CRT
$$C = \left(\sum_{i=1}^{m} e_i a_i\right) \bmod D \qquad (9)$$
The proposed remote password authentication scheme can be divided into three phases. In the initial phase, when a user registers with the system, the password generation centre generates a password (PW) for the user according to the presented identity (ID). The password is returned to the user through a very secure channel or by hand. A smart card, storing the information used by the login and authentication phases, is constructed and delivered to the user. In the login phase, the user attaches the smart card to a terminal and submits the ID and PW. In the authentication phase, the system verifies the remotely submitted password to check if the login request is accepted or rejected.
Let $d_1, d_2, \ldots, d_m$ be large relatively prime numbers and $D = d_1 d_2 \cdots d_m$, where $d_1, d_2, \ldots, d_m$ are known only to the password generation centre. Let $g$ be a pseudorandom number generating function and $f$ be a one-way function. The algorithm of $g$ should be kept secret in the system, i.e. anyone who knows $x$ cannot predict the value of $g(x)$, and the value of $g(x)$ is less than $D$. $D$ and $f$ can be made public.
Initial phase: When a new user $U_i$ registers with the system, the identity $ID_i$ should be presented to the system. The password generation centre does the following:
(i) Generate a password $PW_i = (w_{i1}, w_{i2}, \ldots, w_{im})$, where
$$w_{ij} = g(ID_i) \bmod d_j, \quad j = 1, 2, \ldots, m \qquad (10)$$
and $m$ is a predetermined integer, say $m = 5$.
(ii) Deliver a smart card, which contains the information $\{f, (e_1, e_2, \ldots, e_m), D\}$, to the user $U_i$.
The smart cards possessed by all users are the same. The smart card contains a microprocessor which can perform arithmetic operations quickly, an I/O port, a RAM, a ROM in which is stored the algorithmic description of the one-way function $f$ and the parameters $(e_1, e_2, \ldots, e_m)$ and $D$, and programs for generating the signature and authenticating the message.
Login phase: To log in to the system, $U_i$ first attaches the smart card to a terminal. $ID_i$ and $PW_i$ are then keyed in. The smart card performs the following tasks:
(i) Generate a random vector $(r_1, r_2, \ldots, r_m)$.
(ii) Let $PW_i = (w_{i1}, w_{i2}, \ldots, w_{im})$. Compute
$$t = \left(\sum_{j=1}^{m} e_j r_j\right) \bmod D \qquad (11)$$
$$s = (w_{i1}, w_{i2}, \ldots, w_{im}) + (r_1, r_2, \ldots, r_m)\, f(t, T) = (x_{i1}, x_{i2}, \ldots, x_{im}) \qquad (12)$$
where $T$ is the current login date and time, used as the timestamp.
(iii) Construct the authenticating message $C = \{ID_i, t, s, T\}$ and transmit $C$ to the system over the communication link.
The pair $(t, s)$ computed by the smart card is used as the signature. The timestamp $T$ is employed to withstand potential attacks of replaying previously intercepted passwords. When the login procedure is finished, the authentication phase follows.
Authentication phase: Let $T'$ be the date and time when the system receives the message $C$ sent by the login user $U_i$. After receiving the message $C$, the system verifies the remote login with the following steps:
(i) Check if the format of $ID_i$ is correct. If it is incorrect, then reject the login request.
(ii) Test if $T' - T < \Delta T$, where $\Delta T$ is the legal time interval for transmission delay. If it is false, then reject the login request.
(iii) Encrypt $s$ by the keys $(e_1, e_2, \ldots, e_m)$. Then test if the result is equal to $(g(ID_i) + t\, f(t, T)) \bmod D$. If it is true, then accept the login request; otherwise, reject the login request.
Examining step (iii) of the authentication phase carefully, it is found that the result of encrypting $s$ is equal to
$$\left(\sum_{j=1}^{m} e_j x_{ij}\right) \bmod D = \left(\sum_{j=1}^{m} e_j \left(w_{ij} + r_j f(t, T)\right)\right) \bmod D = \left(\left(\sum_{j=1}^{m} e_j w_{ij}\right) \bmod D + \left(\sum_{j=1}^{m} e_j r_j\right) f(t, T)\right) \bmod D = \left(g(ID_i) + t\, f(t, T)\right) \bmod D$$
4 Security analysis and discussions
The secrecy of the CRT is based on the factoring of the large number $D$. As pointed out in Reference 3, if one knows $(C, w_j)$ and $(C', w'_j)$ pairs computed from
$$w_j = C \bmod d_j, \qquad w'_j = C' \bmod d_j$$
then
$$C - w_j = Q d_j, \qquad C' - w'_j = Q' d_j$$
for some $Q$ and $Q'$. There is a high probability of revealing $d_j$ by finding the greatest common divisor of $C - w_j$ and $C' - w'_j$. In the initial phase of generating passwords, the password $PW_i$ has a one-to-one correspondence to the returned value of a secure pseudorandom number generating function $g$ with the identity $ID_i$ as the seed of $g$. It can therefore prevent any two conspiring users with known $(ID_i, PW_i)$ and $(ID_j, PW_j)$ pairs from maliciously revealing $d_j$. It should be noted that users with different identities may have the same passwords if the function $g$ is not a one-to-one mapping.
An intruder may try to masquerade as $U_i$ by replaying a previously intercepted message $C = (ID_i, t, s, T)$. To pass step (iii) in the authentication phase, the intruder must change the timestamp $T$ to $T^*$ such that $T' - T^* < \Delta T$. Once the timestamp $T$ is changed, either $t$ or $s$ has to be changed. So the scheme can withstand potential attacks which use the strategy of replaying a previously intercepted login request.
The encryption keys $e_i$ can be predetermined in the scheme presented. The computational complexity of the scheme is examined in each phase. Let $T_g$ be the time required for the pseudorandom number generating function $g$, and let $T_f$ be the time required for the one-way function $f$. The time complexities in each stage are listed below.
Initial phase:
Time for password generation = $T_g$ + ($m$ modular operations)
Login phase:
Time for computing $s$ = ($m$ multiplications) + ($(m - 1)$ additions) + (1 modular operation)
Time for computing $t$ = $T_f$ + ($m$ multiplications) + ($m$ additions)
Authentication phase:
Time for encrypting $s$ = ($m$ multiplications) + ($(m - 1)$ additions) + (1 modular operation)
Time for verification = $T_g$ + $T_f$ + (1 multiplication) + (1 addition) + (1 modular operation) + (1 comparison)
The login and authentication phases can be performed easily and quickly by applying the smart card. However, the user of the system cannot choose his password freely. If a user's password has to be changed, for some security considerations, a new identity has to be reassigned to the user and the old identity should not be used by new users in the initial phase.
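The three phases of Section 3, together with the replay discussion of this section, as an added worked example (this is not the paper's code). The paper fixes none of the concrete primitives, so the following are assumptions: the secret generator $g$ is modelled as HMAC-SHA256 under a centre-held secret, the one-way function $f$ as SHA-256, the moduli $d_j$ are five constructed primes just above $10^6$ so that values stay readable, timestamps are integer seconds, and the "format" check of step (i) is "non-empty alphanumeric string". The CRT key set-up of equations (7) to (9), password generation (10), the login computation of $t$ and $s$ (11), (12) and the three authentication steps are each a named function, and `demo()` runs a genuine login, a replay after the window $\Delta T$, and a replay whose timestamp was moved forward without recomputing $s$.

```python
"""The CRT-based remote password authentication scheme of Section 3, as an
added illustration; this is not code from the paper. Assumptions not in the
paper: g is HMAC-SHA256 under a centre secret, f is SHA-256, the d_j are small
constructed primes, timestamps are integer seconds, and an ID is 'well formed'
when it is a non-empty alphanumeric string."""
import hashlib
import hmac
import secrets
from math import gcd, prod

D_MODULI = [1000003, 1000033, 1000037, 1000039, 1000081]  # constructed d_1..d_m (m = 5), held only by the centre
CENTRE_SECRET = b"constructed centre secret that keeps g unpredictable"  # assumption: what keeps g secret


def crt_keys(moduli):
    """Eqns (7)-(8): D = prod d_i, b_i = (D/d_i)^-1 mod d_i, e_i = (D/d_i) * b_i."""
    # Sanity check a practitioner wants: the CRT only holds for pairwise coprime moduli.
    assert all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]), "moduli must be pairwise coprime"
    big_d = prod(moduli)
    keys = []
    for d in moduli:
        partial = big_d // d
        keys.append(partial * pow(partial, -1, d))   # (D/d_i) * b_i
    return big_d, keys


D, E_KEYS = crt_keys(D_MODULI)   # (e_1..e_m) and D are burned into every smart card; the d_j stay at the centre


def crt_combine(values):
    """Eqn (9): C = (sum e_i a_i) mod D, so that C mod d_i recovers a_i (eqn 6)."""
    return sum(e * a for e, a in zip(E_KEYS, values)) % D


def g(identity):
    """Secret pseudorandom generator seeded by ID_i; the paper requires g(x) < D."""
    mac = hmac.new(CENTRE_SECRET, identity.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % D


def f(t, T):
    """Public one-way function f(t, T); SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256(("%d|%d" % (t, T)).encode()).digest(), "big")


def generate_password(identity):
    """Initial phase, eqn (10): PW_i = (g(ID_i) mod d_1, ..., g(ID_i) mod d_m)."""
    return [g(identity) % d for d in D_MODULI]


def login(identity, password, T):
    """Login phase on the smart card: random r, t = (sum e_j r_j) mod D (eqn 11),
    s = PW_i + r * f(t, T) (eqn 12); returns the message C = {ID_i, t, s, T}."""
    r = [secrets.randbelow(d) for d in D_MODULI]
    t = crt_combine(r)
    ft = f(t, T)
    s = [w + rj * ft for w, rj in zip(password, r)]
    return {"ID": identity, "t": t, "s": s, "T": T}


def authenticate(msg, T_received, delta_T):
    """Authentication phase, steps (i)-(iii). Returns (accepted, reason)."""
    ident = msg["ID"]
    if not (isinstance(ident, str) and ident.isalnum()):          # step (i), assumed ID format
        return False, "step (i): malformed ID"
    # Step (ii) exactly as the paper states it: T' - T < delta_T. The test is one-sided,
    # so a deployment would additionally reject timestamps that lie in the future.
    if not (T_received - msg["T"] < delta_T):
        return False, "step (ii): timestamp outside legal window"
    if len(msg["s"]) != len(E_KEYS):
        return False, "step (iii): wrong password vector length"
    encrypted_s = crt_combine(msg["s"])                           # step (iii): encrypt s with (e_1..e_m)
    expected = (g(ident) + msg["t"] * f(msg["t"], msg["T"])) % D  # (g(ID_i) + t f(t, T)) mod D
    if encrypted_s != expected:
        return False, "step (iii): signature test failed"
    return True, "accepted"


def demo():
    """Genuine login, a late replay, and a replay with a forged timestamp."""
    pw = generate_password("alice")
    msg = login("alice", pw, T=1000)
    genuine = authenticate(msg, T_received=1002, delta_T=5)
    late_replay = authenticate(msg, T_received=1010, delta_T=5)              # fails step (ii)
    forged = authenticate(dict(msg, T=1010), T_received=1011, delta_T=5)    # passes (ii), fails (iii)
    return genuine[0], late_replay[0], forged[0]


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Two details worth noting. First, the step (iii) identity only holds because $g(ID_i) < D$ and $w_{ij} = g(ID_i) \bmod d_j$, so `crt_combine(password)` returns exactly $g(ID_i)$; a generator that can exceed $D$ would break verification silently. Second, the forged-timestamp case shows where the timestamp actually binds: changing $T$ changes $f(t, T)$, so the stored $s$ no longer satisfies the test, which is the argument made in the replay paragraph above.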
5 Conclusions
A remote password authentication scheme which does not use a directory of passwords or verification tables is presented. The scheme is very useful in remote access systems or computer networks with remote login over insecure communication links. By employing the concept of timestamps, the scheme can withstand attacks which use the strategy of replaying previously intercepted login requests.
A disadvantage of the scheme is that a very secure channel is required for the return of the password to the registering user. The users cannot freely choose their passwords. The problem of allowing users to freely choose their passwords in the authentication system without storing verification tables still remains open.
6 Acknowledgments
The authors would like to thank the referees for useful comments which have improved the presentation of this paper.
7 References
1 CHANG, C.C., and WU, L.H.: 'A password authentication scheme based upon Rabin's public-key cryptosystems', Proc. Int. Conf. Systems Management '90, Hong Kong, June 1990, pp. 425-429
2 CHANG, C.C., and WU, T.C.: 'A password authentication scheme without verification tables', Proc. 8th IASTED Int. Symp. Applied Informatics, February 1990, Innsbruck, Austria, pp. 202-204
3 DAVIDA, G.I., WELLS, D.L., and KAM, J.B.: 'A database encryption system with subkeys', ACM Trans. Database Syst., 1981, 6, (2), pp. 312-328
4 DAVIES, D.W., and PRICE, W.L.: 'Security for computer networks' (John Wiley, New York, 1984)
5 DENNING, D.E.: 'Cryptography and data security' (Addison-Wesley, Massachusetts, 1982)
6 DENNING, D.E., and SACCO, G.M.: 'Timestamps in key distribution protocols', Commun. ACM, 1981, 24, (8), pp. 533-536
7 EVANS, A. Jr., KANTROWITZ, W., and WEISS, E.: 'A user authentication scheme not requiring secrecy in the computer', Commun. ACM, 1974, 17, (8), pp. 437-442
8 FEISTEL, H., NOTZ, W.A., and SMITH, J.L.: 'Some cryptographic techniques for machine to machine data communications', Proc. IEEE, 1975, 63, (11), pp. 1545-1554
9 HWANG, T.Y.: 'Passwords authentication using public-key encryption', Proc. Int. Carnahan Conf. Security Technology, Zurich, Switzerland, October 1983, pp. 35-38
10 LAIH, C.S., HARN, L., and HUANG, D.: 'Password authentication using quadratic residues', Proc. 1988 Int. Computer Symp., Taipei, Taiwan, December 1988, pp. 148&1489
11 LAMPORT, L.: 'Password authentication with insecure communication', Commun. ACM, 1981, 24, (11), pp. 770-772
12 LENNON, R.E., MATYAS, S.M., and MEYER, C.H.: 'Cryptographic authentication of time-invariant quantities', IEEE Trans., 1981, COM-29, (6), pp. 773-777
13 MORRIS, R., and THOMPSON, K.: 'Password security: a case study', Commun. ACM, 1979, 22, (11), pp. 594-597
14 OKAMOTO, E.: 'Identity-based information security management system for personal computer networks', IEEE J. Sel. Areas Commun., 1989, SAC-7, (2), pp. 290-294
15 PURDY, G.P.: 'A high security log-in procedure', Commun. ACM, 1974, 17, (8), pp. 442-445
16 RIVEST, R.L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining digital signatures and public-key cryptosystems', Commun. ACM, 1978, 21, (2), pp. 120-126
17 SCHROEDER, M.R.: 'Number theory in science and communication' (Springer-Verlag, Berlin, 1983)
18 SHAMIR, A.: 'Identity-based cryptosystems and signature schemes', Proc. CRYPTO '84, Springer-Verlag, pp. 47-53
IEE PROCEEDINGS-E, Vol. 138, No. 3, MAY 1991