Volume 5, Number 6, June 2011 pp. 000-000
EFFICIENT DYNAMIC ID-BASED AUTHENTICATION FOR USER ANONYMITY
Kuo-Ching Liu1, Hui-Feng Huang2,∗, and Hui-Fang Chen3
1Department of Medical Laboratory Science and Biotechnology, China Medical University, Taichung 404, Taiwan, [email protected]
2,∗Department of Computer Science and Information Engineering, National Taichung Institute of Technology, Taichung 404, Taiwan, [email protected]
3Graduate School of Computer Science and Information Technology, National Taichung Institute of Technology, Taichung 404, Taiwan, [email protected]
∗Corresponding author
Abstract. User authentication is an important technology to guarantee that only legal users can access resources on a remote server. To protect users from being traced, we propose a new efficient dynamic ID-based authentication scheme with smart cards that achieves the user anonymity property. Since only a one-way hash function and simple exclusive-or (⊕) operations are involved, the proposed scheme is very suitable for hardware-limited users such as mobile units.
Keywords: authentication, dynamic ID, anonymity, smart card, password
1. Introduction. A password-based authentication scheme is very convenient for a user, because the user only has to remember his/her password to log in to the server. In 1981, Lamport [7] proposed a password authentication scheme using a one-way hash function. Lamport's scheme is simple and efficient, but it suffers from the replay attack and the impersonation attack caused by modifying or stealing the hashed password table maintained by the server. To overcome such security weaknesses, many password-based authentication schemes have been proposed in recent years [1-3, 5-6, 8, 10, 11, 13, 17]. However, most of these schemes are based on a static identity number (ID), so they are vulnerable to leaking the ID of the logging-in user. The compromise of a user's ID allows the previous communications of the same user to be traced, which exposes potential security threats and risks for corporations or individuals.
Recently, to protect against the risk of ID theft, Das et al. [4] presented the concept of dynamic ID authentication to provide user anonymity. However, Das et al.'s scheme achieves neither mutual authentication nor user anonymity [9, 12, 14, 15, 16]. In 2009, Wang et al. [12] proposed a new dynamic ID-based authentication scheme with smart cards to achieve the user anonymity and mutual authentication properties. Their scheme is efficient, since only a one-way hash function and simple calculations are involved. Unfortunately, this paper will show that Wang et al.'s scheme is still vulnerable to the impersonation attack. Moreover, their scheme cannot provide the user anonymity property. We then propose an improved method to overcome Wang et al.'s weaknesses. In addition, the proposed dynamic ID-based authentication method provides the following functionality: (1) the server does not need to maintain a password table; (2) users can freely choose their own passwords; (3) it provides mutual authentication between the user and the server; (4) users may update their passwords after the registration phase; (5) the user anonymity property is provided; (6) a session key is agreed between the user and the remote server for each session.
The remainder of this paper is organized as follows. In the next section, we give a brief review of Wang et al.'s scheme. In Section 3, the security weaknesses of Wang et al.'s scheme are given. We present the proposed scheme in Section 4. In Section 5, the security analysis of the proposed scheme is stated, and conclusions are drawn in the last section.
2. Review of Wang et al.'s scheme. We first review Wang et al.'s scheme [12]. The notations are as follows:
Ui: the ith user.
pwi: the ith user's password.
S: the remote server.
h(.): a one-way hash function.
Wang et al.’s scheme can be divided into four phases: registration phase, login phase, verification phase, and password change phase. These four phases are stated in the following.
2.1. The registration phase: The new user Ui first sends the registration request to S. The steps of the registration phase are described as follows.
(1) Ui submits IDi to S.
(2) S computes Ni = h(pwi) ⊕ h(x) ⊕ IDi, where x is a secret of the remote server S and ⊕ is the exclusive-or operator. Here, pwi is chosen by S. Then, S issues a smart card containing [h(.), Ni, y], where y is the remote server's secret key.
(3) S sends pwi and the smart card to Ui through a secure channel. (It is assumed that the user cannot extract any information stored in the smart card.)
2.2. The login phase: When Ui wants to log in to the remote server, he/she inserts the smart card into the card reader and keys in the identity IDi and password pwi. Then, the smart card performs the following steps:
(1) Compute CIDi = h(pwi) ⊕ h(Ni ⊕ y ⊕ T1) ⊕ IDi, where T1 is the current timestamp.
(2) The smart card sends the message (IDi, CIDi, Ni, T1) to S.
2.3. The verification phase: After receiving the login request (IDi, CIDi, Ni, T1) at timestamp T2, S and the smart card execute the following steps to achieve mutual authentication between Ui and S.
(1) Check whether T2 − T1 ≤ ∆T. If it holds, S accepts the request; otherwise, the request is rejected.
(2) S computes h′(pwi) = CIDi ⊕ h(Ni ⊕ y ⊕ T1) ⊕ IDi and ID′i = Ni ⊕ h(x) ⊕ h′(pwi). Then, S checks whether ID′i is equal to IDi. If it holds, S accepts the request; otherwise, S rejects it.
(3) S computes a′ = h(h′(pwi) ⊕ y ⊕ T2) and sends (a′, T2) to Ui.
(4) After receiving the reply message (a′, T2) at time T3, Ui checks whether T3 − T2 ≤ ∆T; if it holds, Ui computes a = h(h(pwi) ⊕ y ⊕ T2) and compares it with the received a′. If a′ is equal to a, Ui confirms that S is legitimate.
2.4. The password change phase: When Ui wants to change the password, he/she inserts the smart card into the card reader and keys in the old password pwi and the new password pw∗∗i. Then the smart card computes N∗i = Ni ⊕ h(pwi) ⊕ h(pw∗∗i) and replaces Ni with the new N∗i.
3. Security analysis of Wang et al.'s scheme. In this section, we show that Wang et al.'s scheme cannot provide the user anonymity property. Moreover, their scheme is vulnerable to a forgery attack.
3.1. No anonymity: In their scheme, Ui sends the login request message (IDi, CIDi, Ni, T1) to the remote server. Here, IDi and Ni are the same in every login of Ui. An attacker can use IDi or Ni to distinguish each user, so they act as a user identifier. Therefore, although their scheme uses CIDi as a dynamic identity, it cannot actually provide the user anonymity property.
3.2. Impersonation attack: First, Ui randomly chooses a new password pw∗i and then generates ID∗i such that h(pwi) ⊕ IDi = h(pw∗i) ⊕ ID∗i, that is, the new ID∗i = h(pwi) ⊕ IDi ⊕ h(pw∗i). We have h(pw∗i) ⊕ h(x) ⊕ ID∗i = h(pwi) ⊕ h(x) ⊕ IDi = Ni. When Ui types ID∗i and pw∗i to log in to the remote server, the smart card performs the following steps:
(1) Compute CID∗i = h(pw∗i) ⊕ h(Ni ⊕ y ⊕ T1) ⊕ ID∗i.
(2) Send the message (ID∗i, CID∗i, Ni, T1) to S.
In the verification phase, S checks the timestamp and then computes h(pw∗i) = CID∗i ⊕ h(Ni ⊕ y ⊕ T1) ⊕ ID∗i and ID′i = Ni ⊕ h(x) ⊕ h(pw∗i). Next, S checks whether ID′i is equal to ID∗i, and then computes a′ = h(h(pw∗i) ⊕ y ⊕ T2) and sends (a′, T2) to Ui. After receiving the reply message (a′, T2) at time T3, Ui checks the timestamp T2, computes a = h(h(pw∗i) ⊕ y ⊕ T2), and compares it with a′. Here, a′ = a. Since h(pw∗i) ⊕ h(x) ⊕ ID∗i = h(pwi) ⊕ h(x) ⊕ IDi = Ni, it is obvious that ID′i = Ni ⊕ h(x) ⊕ h(pw∗i) = h(pw∗i) ⊕ h(x) ⊕ ID∗i ⊕ h(x) ⊕ h(pw∗i) = ID∗i.
From the above discussion, a legal user Ui can create another identity number ID∗i and password pw∗i that pass the mutual authentication.
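As an added illustration (not code from the paper), the following Python model of Wang et al.'s scheme as reviewed in Section 2 makes the two observations of Section 3 checkable: the login message repeats IDi and Ni unchanged in every session, and the check in step (2) of Section 2.3 binds only the combination h(pwi) ⊕ IDi, so a second pair (ID∗i, pw∗i) for the same card is accepted. SHA-256 stands in for h(.), every value is a 32-byte block so that ⊕ is well defined, and the server secrets, user identity and passwords are constructed sample values.

```python
import hashlib

L = 32  # every value is a 32-byte block so that exclusive-or is well defined

def h(*parts: bytes) -> bytes:
    """One-way hash h(.); SHA-256 stands in for the unspecified hash of the paper."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc(value) -> bytes:
    """Encode an identity string or an integer timestamp as one 32-byte block."""
    if isinstance(value, int):
        return value.to_bytes(L, "big")
    return value.encode().ljust(L, b"\0")

# Server secrets x and y (constructed sample values, not from the paper).
X = h(b"server secret x (constructed)")
Y = h(b"server secret y (constructed)")

def wang_register(id_i: bytes, pw_i: str) -> bytes:
    """Section 2.1 step (2): smart-card value Ni = h(pwi) xor h(x) xor IDi."""
    return xor(xor(h(enc(pw_i)), h(X)), id_i)

def wang_login(id_i: bytes, pw_i: str, n_i: bytes, t1: int) -> tuple:
    """Section 2.2: the card sends (IDi, CIDi, Ni, T1); IDi and Ni go in the clear."""
    cid = xor(xor(h(enc(pw_i)), h(xor(xor(n_i, Y), enc(t1)))), id_i)
    return (id_i, cid, n_i, enc(t1))

def wang_verify(msg: tuple) -> bool:
    """Section 2.3 step (2) only (the timestamp window of step (1) is omitted here):
    recover h'(pwi) from CIDi, rebuild IDi' from Ni and compare it with the received IDi."""
    id_i, cid, n_i, t1 = msg
    h_pw = xor(xor(cid, h(xor(xor(n_i, Y), t1))), id_i)
    return xor(xor(n_i, h(X)), h_pw) == id_i

def static_fields(msg_a: tuple, msg_b: tuple) -> bool:
    """Section 3.1: IDi and Ni are identical in every login, so sessions are linkable."""
    return msg_a[0] == msg_b[0] and msg_a[2] == msg_b[2]

def alternate_identity(id_i: bytes, pw_i: str, pw_alt: str) -> bytes:
    """Section 3.2: ID* = h(pwi) xor IDi xor h(pw*), which leaves Ni unchanged."""
    return xor(xor(h(enc(pw_i)), id_i), h(enc(pw_alt)))

def demo() -> dict:
    alice = enc("alice")                         # constructed user identity
    n_i = wang_register(alice, "correct horse")  # constructed password
    m1 = wang_login(alice, "correct horse", n_i, 1000)
    m2 = wang_login(alice, "correct horse", n_i, 2000)
    id_alt = alternate_identity(alice, "correct horse", "other pw")
    m3 = wang_login(id_alt, "other pw", n_i, 3000)  # same card, second (ID*, pw*) pair
    return {"genuine_ok": wang_verify(m1), "linkable": static_fields(m1, m2),
            "alternate_ok": wang_verify(m3), "alternate_id_differs": id_alt != alice}
```

Running demo() returns all four flags as True; a wrong password for the registered card still fails wang_verify, so the check does detect ordinary guessing but not the identity substitution.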
4. The proposed scheme. In this section, we propose an improved method to overcome the weaknesses of Wang et al.'s scheme [12]. The details are described in the following.
4.1. The registration phase: The new user Ui freely chooses an identity IDi and a password pwi. Then, he/she sends the registration request to S. The steps of this phase are as follows:
(1) Ui submits IDi and pwi to S.
(2) S computes Ni = h(pwi ∥ IDi) ⊕ h(x ∥ y ∥ IDi) and issues a smart card containing [Ni, y, h(.)], where x and y are secret keys of the remote server and ∥ denotes concatenation.
(3) S sends the smart card to Ui through a secure channel. (It is assumed that the user cannot extract any information stored in the smart card.)
4.2. The login phase: When Ui wants to log in to the remote server, Ui inserts the smart card into the card reader and keys in his/her identity IDi and password pwi. Then, the smart card performs the following steps:
(1) Compute h(x ∥ y ∥ IDi) = Ni ⊕ h(pwi ∥ IDi), CIDi = IDi ⊕ h(y ∥ T1), and Z = h(CIDi ∥ h(x ∥ y ∥ IDi) ∥ y ∥ T1), where T1 is the current timestamp and CIDi is the dynamic ID of Ui.
(2) The smart card sends the message (CIDi, Z, T1) to S.
4.3. The verification phase: After receiving the login request (CIDi, Z, T1) at timestamp T2, S executes the following steps:
(1) Check whether T2 − T1 ≤ ∆T. If it holds, S accepts the request; otherwise, the request is rejected.
(2) S first derives IDi = CIDi ⊕ h(y ∥ T1), then computes h(x ∥ y ∥ IDi) and Z′ = h(CIDi ∥ h(x ∥ y ∥ IDi) ∥ y ∥ T1). Then, S checks whether Z′ is equal to Z. If it holds, S accepts the request; otherwise, S rejects it.
(3) S computes the session key K = h(h(x ∥ y ∥ IDi) ∥ CIDi ∥ T1 ∥ T2 ∥ y) and D = h(h(x ∥ y ∥ IDi) ∥ T2 ∥ K), then sends (D, T2) to Ui.
After receiving the message (D, T2) at timestamp T3, Ui's smart card performs the following operation. The smart card checks whether T3 − T2 ≤ ∆T; if it holds, it computes the session key K = h(h(x ∥ y ∥ IDi) ∥ CIDi ∥ T1 ∥ T2 ∥ y) and D′ = h(h(x ∥ y ∥ IDi) ∥ T2 ∥ K). Then it checks whether D′ = D. If they are equal, Ui confirms that S is legitimate. Upon mutual authentication, Ui and S can use the key K to encrypt/decrypt all communication messages in this session.
4.4. The password change phase: When Ui wants to update his/her password, he/she inserts the smart card into the card reader and keys in the old password pwi and the new password pw′i. Then the smart card computes N′i = Ni ⊕ h(pwi ∥ IDi) ⊕ h(pw′i ∥ IDi) = h(x ∥ y ∥ IDi) ⊕ h(pw′i ∥ IDi) and replaces Ni with the new N′i. Thus, the password can be changed. In addition, the remote server does not need to take part in this phase.
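The exchange of Sections 4.1 to 4.4, carried through as an added Python example (not the paper's code), which also exercises the claims of Section 5: the card never transmits IDi, both sides derive the same K, a request with a stale T1 is rejected, and the password change keeps Ni consistent without the server. SHA-256 stands in for h(.), the concatenation ∥ is modelled with length-prefixed parts, ∆T is set to 5 time units, and all secrets and credentials are constructed sample values.

```python
import hashlib

DELTA_T = 5  # allowed delay T2 - T1 (and T3 - T2), in arbitrary time units

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed parts (an encoding choice made here)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))
def enc(value) -> bytes:
    """Encode an identity string or an integer timestamp as one 32-byte block."""
    return value.to_bytes(32, "big") if isinstance(value, int) else value.encode().ljust(32, b"\0")
X = h(b"server secret x (constructed)")  # server secrets x, y: constructed sample values
Y = h(b"server secret y (constructed)")

def register(id_i: bytes, pw_i: str) -> bytes:
    """4.1 step (2): Ni = h(pwi||IDi) xor h(x||y||IDi); the card also holds y and h(.)."""
    return xor(h(enc(pw_i), id_i), h(X, Y, id_i))

def card_login(id_i: bytes, pw_i: str, n_i: bytes, t1: int) -> tuple:
    """4.2: recover h(x||y||IDi) from Ni and send (CIDi, Z, T1); IDi itself is never sent."""
    hxy = xor(n_i, h(enc(pw_i), id_i))
    cid = xor(id_i, h(Y, enc(t1)))
    return (cid, h(cid, hxy, Y, enc(t1)), enc(t1))

def server_verify(msg: tuple, t2: int):
    """4.3 steps (1)-(3): return (K, D, T2), or None if the timestamp or Z check fails."""
    cid, z, t1 = msg
    if not 0 <= t2 - int.from_bytes(t1, "big") <= DELTA_T:
        return None                         # stale or future T1 (5.2: replay is detected)
    id_i = xor(cid, h(Y, t1))               # strip the per-session mask from CIDi
    hxy = h(X, Y, id_i)
    if h(cid, hxy, Y, t1) != z:
        return None                         # Z' != Z: wrong password or forged request
    k = h(hxy, cid, t1, enc(t2), Y)
    return (k, h(hxy, enc(t2), k), enc(t2))

def card_confirm(id_i: bytes, pw_i: str, n_i: bytes, msg: tuple, reply: tuple, t3: int):
    """4.3 card side: check T3 - T2, recompute K and D'; return K only if S is authentic."""
    (cid, _, t1), (d, t2) = msg, reply
    if not 0 <= t3 - int.from_bytes(t2, "big") <= DELTA_T:
        return None
    hxy = xor(n_i, h(enc(pw_i), id_i))
    k = h(hxy, cid, t1, t2, Y)
    return k if h(hxy, t2, k) == d else None

def change_password(id_i: bytes, old_pw: str, new_pw: str, n_i: bytes) -> bytes:
    """4.4: Ni' = Ni xor h(pwi||IDi) xor h(pwi'||IDi), computed on the card alone."""
    return xor(xor(n_i, h(enc(old_pw), id_i)), h(enc(new_pw), id_i))

def run_session(id_i: bytes, pw_i: str, n_i: bytes, t1: int, t2: int, t3: int):
    """Whole exchange of 4.2-4.3: the agreed session key K, or None if either side rejects."""
    msg = card_login(id_i, pw_i, n_i, t1)
    reply = server_verify(msg, t2)
    k_card = card_confirm(id_i, pw_i, n_i, msg, reply[1:], t3) if reply else None
    return k_card if k_card is not None and k_card == reply[0] else None
```

Two logins of the same user at different T1 produce different (CIDi, Z) and different K, while replaying the first login message at a later server time fails the ∆T check before Z is even examined.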
5. Security analysis. Next, we analyze the security of the proposed scheme as follows.
5.1. Anonymity: In the login phase of the proposed scheme, the user Ui sends CIDi, Z, and T1 to the server S. Then, the server delivers (D, T2) to the user Ui in the verification phase. The parameters CIDi, Z, and D vary in each session, because the current timestamps T1 and T2 are embedded in them: CIDi = IDi ⊕ h(y ∥ T1), Z = h(CIDi ∥ h(x ∥ y ∥ IDi) ∥ y ∥ T1), and D = h(h(x ∥ y ∥ IDi) ∥ T2 ∥ K). Therefore, without knowing the secret y, even if an attacker can obtain the current data CIDi, Z, and D in this phase, it is very hard for him to trace or identify the same user Ui in the next communication by means of CIDi, Z, and D. Moreover, these parameters reveal nothing about the user's identity number IDi, so the adversary does not learn the real identity number IDi. Since CIDi, Z, and D are different for Ui in each session, the adversary cannot easily trace the same user Ui from the information CIDi, Z, and D. Therefore, the proposed scheme can
5.2. Replay attack: Suppose that an adversary has intercepted the login information (CIDi, Z, T1) between the server and the user, and then resends the login information (CIDi, Z, T1) that was previously transmitted by a legal user Ui. From the current timestamp T2, the adversary will be detected by the server, since the validity of the information is checked against the old timestamp T1. The remote server will find the illegal access and reject it. Hence, the replay attack fails. Similarly, because of the current timestamp, the attacker also cannot resend the K, D, and T2 that were previously transmitted by a legal server S. Therefore, the proposed scheme can withstand the replay attack.
5.3. Impersonation attack: Suppose that an adversary wants to masquerade as a valid user and log in to the remote server. To successfully perform the impersonation attack, the adversary is required to know y and h(x ∥ y ∥ IDi) for generating CIDi = IDi ⊕ h(y ∥ T1) and Z = h(CIDi ∥ h(x ∥ y ∥ IDi) ∥ y ∥ T1). However, the adversary will fail, since it is impossible for him to obtain the user's password pwi and y. Based on the secure hash function h(·), it is difficult to find information about x and y from (CIDi, Z). Without knowing x and y, the adversary cannot compute the exact CIDi and Z in the login phase. Hence, the server will detect that he/she is an adversary and terminate the procedure. Similarly, without knowing x and y, it is very hard for the attacker to masquerade as the remote server. The probability of obtaining the exact CIDi = IDi ⊕ h(y ∥ T1) and Z = h(CIDi ∥ h(x ∥ y ∥ IDi) ∥ y ∥ T1) is equivalent to that of performing an exhaustive search on x and y. Therefore, the proposed scheme can withstand the impersonation attack. Moreover, after a successful mutual authentication, the session key K = h(h(x ∥ y ∥ IDi) ∥ CIDi ∥ T1 ∥ T2 ∥ y) is constructed for Ui and the server. Then, even if an intruder obtains the current session key K, it is difficult for him to obtain the values x and y from K, since they are protected by the hash function h(·). Moreover, K is used for only one session. Therefore, the intruder cannot easily obtain private messages from the past. The improved scheme can provide forward security even if the current session key K has been compromised.
6. Conclusion. In this paper, we propose a new efficient dynamic ID authentication scheme that overcomes Wang et al.'s weaknesses. Our scheme is efficient, since only a one-way hash function and simple exclusive-or operations are involved in the protocol, so it is very suitable for mobile communications. With the user anonymity property and mutual authentication between the user and the server, the proposed scheme can provide more secure communication for practical applications.
Acknowledgment. The author gratefully acknowledges the helpful comments and suggestions of the reviewers, which have improved the presentation.
REFERENCES
[1] P. Shi, "Limited Hamilton-Jacobi-Isaacs equations for singularly perturbed zero-sum dynamic (discrete time) games", SIAM J. Control and Optimization, Vol. 41, No. 3, pp. 826-850, 2002.
[2] A. K. Awasthi and S. Lal, "An enhanced remote user authentication scheme using smart cards", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 583-586, 2004.
[3] C. K. Chan and L. M. Cheng, "Cryptanalysis of a remote user authentication scheme using smart cards", IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 992-993, 2000.
[4] H. Y. Chien and C. H. Chen, "A remote authentication scheme preserving user anonymity", The 19th International Conference on Advanced Information Networking and Applications (AINA 2005), Vol. 2, pp. 245-248, 2005.
[5] M. L. Das, A. Saxena, and V. P. Gulati, "A dynamic ID-based remote user authentication scheme", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004.
[6] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart cards", IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000.
[7] M. Kumar, "New remote user authentication scheme using smart cards", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 597-600, 2004.
[8] L. Lamport, "Password authentication with insecure communication", Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981.
[9] C. C. Lee, M. S. Hwang, and W. P. Yang, "A flexible remote user authentication scheme using smart card", ACM Operating Systems Review, Vol. 36, No. 3, pp. 46-52, 2002.
[10] M. Misbahuddin, M. A. Ahmed, A. A. Rao, C. S. Bindu, and M. A. M. Khan, "A novel dynamic ID-based remote user authentication scheme", 2006 Annual IEEE India Conference, pp. 1-5, 2006.
[11] J. J. Shen, C. W. Lin, and M. S. Hwang, "A modified remote user authentication scheme using smart
[12] H. M. Sun, "An efficient remote user authentication scheme using smart cards", IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000.
[13] Y. Wang, J. Liu, F. Xiao, and J. Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme", Computer Communications, Vol. 32, No. 4, pp. 583-585, 2009.
[14] H. F. Huang and W. C. Wei, "A new efficient and complete remote user authentication protocol with smart cards", International Journal of Innovative Computing, Information and Control, Vol. 4, No. 11, pp. 2803-2808, 2008.
[15] X. Zhang, Q. Feng, and M. Li, "A modified dynamic ID-based remote user authentication scheme", 2006 International Conference on Communications, Circuits and Systems Proceedings, Vol. 3, pp. 1602-1604, 2006.
[16] J. S. Lee, Y. F. Chang, and C. C. Chang, "A novel authentication protocol for multi-server architecture without smart cards", International Journal of Innovative Computing, Information and Control, Vol. 4, No. 6, pp. 1357-1364, 2008.
[17] R. C. Wang, W. S. Juang, and C. L. Lei, "A robust authentication scheme with user anonymity for wireless environments", International Journal of Innovative Computing, Information and Control, Vol. 5, No. 4, pp. 1069-1080, 2009.
[18] W. G. Shieh and M. T. Wang, "An improvement to Kim-Chung's authentication scheme", ICIC