A Smart Card Based Authentication Scheme for Remote User Login and Verification

Academic year: 2021


Zi-Yao Cheng¹, Yun Liu¹, Chin-Chen Chang²˒³ and Shih-Chang Chang³

¹ Department of Electronic and Information Engineering, Beijing Jiaotong University, Key Lab. of Communication and Information Systems, Beijing Municipal Commission of Education Dept., Beijing, P.R. China
E-mail: 09111024@bjtu.edu.cn; liuyun@bjtu.edu.cn

² Department of Information Engineering and Computer Science, Feng Chia University, Taichung, 40724, Taiwan, R.O.C.
E-mail: alan3c@gmail.com

³ Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan, R.O.C.
E-mail: chang.coby@gmail.com

Correspondence address:
Professor Chin-Chen Chang
Department of Information Engineering and Computer Science, Feng Chia University, No. 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, R.O.C.
Email: alan3c@gmail.com
TEL: 886-4-24517250 ext. 3790 FAX: 886-4-27066495


Abstract

With the advancement of Internet network technologies, remote user authentication schemes using smart cards have been widely adopted. In order to satisfy the requirements of a remote user authentication scheme, the smart card has become an essential device, one that is widely used because of its low computation cost and expedient portability. To achieve computation efficiency and system security, many researchers have focused on this field and published corresponding literature.

Recently, Chen et al. proposed security enhancement on an improvement on two remote user authentication schemes using smart cards. They claimed their method does not have the security weaknesses of Wang et al.’s scheme such as impersonation attack and parallel session attack, and preserves important criteria through which a legal user can negotiate a specific session key with his remote authentication server by executing mutual authentication. Meanwhile, the scheme can provide high-level perfect forward secrecy. However, there is much room for security enhancement in Chen et al.’s scheme. In this paper, we suggest that serious vulnerabilities still threaten security requirements, and that security enhancements still cannot withstand known-key attack and off-line guessing attack. Accordingly, we propose an enhanced scheme to remedy these security weaknesses and prove that this scheme is more secure and efficient for network application with merits in its properties.

Key words: mutual authentication, cryptanalysis, smart card, security, key agreement

1. Introduction

As far as current Internet technologies are concerned, providing concise and secure services has been extensively investigated for a long time. In this context, a remote authentication scheme has become essential, in which a remote user with a computer can receive quality service and secure communication from a homologous server that requires authentication from the user.

It is generally known that the first proposed remote authentication scheme was based on a password to identify a legitimate user even over an insecure channel (Wu and Sung, 1996; Peyravian and Zunic, 2000; Chang et al., 2009), and this is the subject of research published by Lamport in 1981 (Lamport, 1981). It has been claimed that there is a potential security threat caused by a stored verifier table on a remote authentication system, because the verifier table risks being modified by an adversary and has a high maintenance cost, even though all secret passwords can be encrypted against the threat of disclosure. Later, Hwang and Li (2000) presented the weakness of Lamport’s scheme and proposed a new scheme based on the ElGamal public-key encryption system (Elgamal, 1985) to solve the corresponding problem. In this novel method, there is no need to maintain any verifier table to achieve remote user authentication. In view of the low cost and capacity of cryptosystems, Sun (2000) developed an authentication scheme to enhance the performance efficiency of Hwang et al.’s scheme by involving only several one-way hash operations, so that the scheme could serve as an ideal substitute for high-cost modular exponentiations. Nevertheless, these two mentioned schemes could not provide users with a free choice of passwords and mutual authentication.

Since the smart card has tamper-resistant properties, it can solve the problem of maintaining the verifier table on the server side. In a smart card based authentication system only the user is required to hold a smart card, which is issued by the server for more convenient communication and which contains all kinds of stored secret information. Many related studies (Juang, 2004; Juang et al., 2008; Kim and Chung, 2009; Liu et al., 2008; Sun et al., 2009) have been investigated and the smart card has become essential in remote authentication schemes. More specifically, Chien et al. (2002) proposed an effective solution for remote authentication schemes by using smart cards. Their contributions contain several aspects such as mutual authentication between the user and the server, free choice of passwords, and the requirement of only one-way hash operations. Besides, there is no need to spend extra computation cost on maintaining the verifier table, which achieves the requirement of low cost. This complements the attributes of cryptographic capacity and portability. However, Chien et al.’s scheme has serious security weaknesses, in that it cannot protect against insider attack, guessing attack and reflection attack. In 2004, Ku and Chen (2004) proposed an improved scheme to overcome these weaknesses, but Yoon et al. (2004) claimed that Ku and Chen’s scheme was still vulnerable to parallel attack; especially, they maintained that their scheme was unfeasible when the user arbitrarily changed his password. Then, Yoon et al. proposed an improvement to enhance Ku and Chen’s scheme. Unfortunately, Wang et al. (2007) found that an adversary could threaten both these schemes (Ku and Chen, 2004; Yoon et al., 2004) by achieving guessing attack, forgery attack and denial of service (DoS) attack; consequently, they proposed an efficient enhancement based on these two schemes.

Chen et al. (2011) pointed out that Wang et al.’s scheme could not withstand impersonation attack (Chan, 2000) and parallel session attack (Ku and Chen, 2004); hence, they proposed an improved approach over Wang et al.’s scheme. After an in-depth analysis, we found that Chen et al.’s scheme is actually not as secure as they claimed, since it is still susceptible to known-key attack and off-line guessing attack.

Hence, we propose a novel scheme to defend against the mentioned security weaknesses. Furthermore, our proposed scheme has better computation efficiency, which has become clear by comparing previous works with ours. In addition, our scheme has the following properties:

P1. Freely chosen and exchanged password: A legal user can freely choose and change his password (Chien et al., 2002).

P2. No verification table: There is no need to maintain a verification table on the server side (Hwang and Li, 2000).

P3. No adversary can derive the known-key in the scheme: No one can utilize the secret information of a legal user to derive the session key.

P4. No malicious user can guess the secret long-term key of the server: The secret long-term key is protected against off-line guessing attack to prevent malicious users from imitating the authentication server.

P5. Mutual authentication: Both the legal user and the remote server can authenticate each other successfully (Chien et al., 2002).

P6. Session key agreement: The legal user and the remote server can negotiate a session key and utilize it to process subsequent communication (Wang et al., 2007).

P7. Perfect forward secrecy: Even if an adversary can obtain contiguous knowledge of long-term key, he cannot derive the session keys.

P8. Efficiency and practicability: We ensure that our proposed scheme has higher computation efficiency by a comparison of performance, and is more practical for use in networking environments.

The rest of this paper is organized as follows. In Section 2, we review Chen et al.’s scheme and demonstrate its security weaknesses. In Section 3, we present our proposed scheme, and in Section 4, we illustrate the security analysis. In Section 5, we compare the performance of our scheme with those of Wang et al. and Chen et al.

Finally, our concluding remarks are shown in Section 6.

2. Review of Chen et al.’s scheme

In this section, we review Chen et al.’s authentication scheme and then show that their scheme cannot protect against known-key attack and off-line guessing attack.

The details and weaknesses of Chen et al.’s scheme are demonstrated in Subsections 2.1 and 2.2, respectively.

We first introduce the notations throughout this paper as follows:

$U$: the user.

$ID$: the identity of user $U$.

$PW$: the password of user $U$.

$S$: the remote server.

$x$: the permanent private key of the remote server $S$.

$h(\cdot)$: a one-way hash function without a cryptographic key.

$h_p(\cdot)$: a one-way hash function with a cryptographic key $p$.

$\Rightarrow$: a secure channel.

$\rightarrow$: a common channel.

$\|$: a concatenation operator which combines two strings into one.

2.1. Review of Chen et al.’s scheme

In this subsection, we briefly review the specific procedures of Chen et al.’s scheme. This scheme includes four phases: the registration phase, the login phase, the verification phase, and the password change phase.

2.1.1. Registration phase

We illustrate the procedures of this phase in Fig. 1 and show the details as follows. Whenever $U$ initially registers with $S$, the registration phase is invoked:

1. $U$ chooses a random number $b$ and computes $h(b \oplus PW)$, then sends it with his $ID$ to the server $S$: $U \Rightarrow S: \{ID, h(b \oplus PW)\}$.

2. $S$ calculates the following parameters: $p = h(ID \oplus x)$, $R = p \oplus h(b \oplus PW)$, $V = h_p(h(b \oplus PW))$. The server $S$ stores the data $\{V, R, h(\cdot), h_p(\cdot)\}$ on a new smart card and issues the smart card to user $U$.

3. $U$ enters $b$ into his smart card so that it contains $\{V, R, h(\cdot), h_p(\cdot), b\}$.

Fig. 1. Registration phase of Chen et al.’s scheme

2.1.2. Login phase

When $U$ attempts to login to the server $S$, he should execute the following steps; this phase is depicted in Fig. 2.

1. $U$ inserts the smart card into the smart card reader and inputs his $ID$ and $PW$.

2. The smart card computes $p = R \oplus h(b \oplus PW)$ and checks whether $h_p(h(b \oplus PW))$ equals $V$. If so, the smart card continues to calculate $c_1 = p \oplus h(r \oplus b)$ and $c_2 = h_p(h(r \oplus b) \oplus T_u)$, where $r$ is a random number generated by the smart card and $T_u$ is the current timestamp of $U$.

3. $U$ sends a login request message to the server $S$: $U \rightarrow S: \{ID, c_1, c_2, T_u\}$.

Fig. 2. Login and Verification phase of Chen et al.’s scheme

2.1.3. Verification phase

Upon receiving the login request message, $S$ and $U$ perform the following steps, which are depicted in Fig. 2:

1. $S$ checks the validity of $ID$ and whether $T_u \neq T_s$, where $T_s$ is the current timestamp of the server. If one of them does not hold, then $S$ rejects the login request; otherwise, $S$ checks whether $T_s - T_u$ is within a valid time interval $\Delta T$. If not, $S$ rejects the login request.

2. If $T_s - T_u$ is really within the interval $\Delta T$, $S$ computes $p = h(ID \oplus x)$ and $c_1' = p \oplus c_1$ in order to check whether $h_p(c_1' \oplus T_u)$ equals the original $c_2$. If so, the validity of $U$ is authenticated and $S \rightarrow U: \{c_3, T_s\}$, where $c_3 = h_p(c_1' \oplus T_s \oplus p)$; otherwise, $S$ rejects the login request.

3. After receiving $\{c_3, T_s\}$, $U$ checks the validity of $T_s$ and whether $T_s \neq T_u$. If it does not hold, $U$ terminates the connection; otherwise, $U$ checks whether $h_p(h(r \oplus b) \oplus T_s \oplus p)$ equals the received $c_3$. If so, the validity of $S$ is authenticated.

4. Moreover, $U$ and $S$ establish a common session key $c_1' = h(r \oplus b)$ for private communication.

2.1.4. Password change phase

$U$ can freely change his password $PW$ to $PW_{new}$ in this phase as follows:

1. $U$ inserts the smart card into the smart card reader, inputs his $ID$ and $PW$ and requests to change his password. Thus, the smart card computes $p^* = R \oplus h(b \oplus PW)$ and $V^* = h_{p^*}(h(b \oplus PW))$.

2. The smart card checks whether $V^*$ equals the original $V$ stored in the smart card. If so, then $U$ selects a new password $PW_{new}$; otherwise, the smart card rejects the password change request.

3. The smart card computes $R_{new} = p^* \oplus h(b \oplus PW_{new})$ and $V_{new} = h_{p^*}(h(b \oplus PW_{new}))$, then stores them and replaces the original $R$ and $V$, respectively.

2.2. Weaknesses of the reviewed scheme

Chen et al. claimed their method is an enhanced version of Wang et al.’s scheme that can withstand impersonation attack (Chan, 2000) and parallel session attack (Ku and Chen, 2004). In this sub-section, we show that Chen et al.’s scheme is still vulnerable to known-key attack and off-line guessing attack.

2.2.1. The known-key attack

A similar description of the known-key attack was presented (Wang et al., 2011). We assume that an adversary compromises the parameter $c_1'$, where $c_1' = p \oplus c_1$; he can easily intercept the parameter $c_1$ from the login request message $\{ID, c_1, c_2, T_u\}$ and then derive the secret parameter $p = c_1' \oplus c_1$. Thus, the adversary can utilize the derived parameter $p$ and select two random numbers $r'$ and $b'$ to perform the following computations: $c_1^* = p \oplus h(r' \oplus b')$, $c_2^* = h_p(h(r' \oplus b') \oplus T_{u'})$. As a result, the adversary can execute the following procedure by sending a fabricated login request message $\{ID, c_1^*, c_2^*, T_{u'}\}$ to the server $S$. After receiving the adversary’s login message, the verification phase is followed step by step:

1. $S$ checks whether the format of $ID$ is invalid or $T_{u'} = T_{s'}$, where $T_{s'}$ is the current timestamp of the server. Due to the transmission delay or a delay introduced by the adversary on purpose, $T_{u'}$ cannot be equal to $T_{s'}$. Hence, the adversary can smoothly pass this step.

2. $S$ computes $p = h(ID \oplus x)$ and $c_1'' = p \oplus c_1^* = h(r' \oplus b')$. Upon calculating the result, $S$ obtains the verification value $c_2'' = h_p(c_1'' \oplus T_{u'}) = h_p(h(r' \oplus b') \oplus T_{u'}) = c_2^*$ in Chen et al.’s scheme. It is clear that the identity of $U$ is authenticated.

3. $S$ responds with the message $\{c_3^*, T_{s'}\}$ to $U$, where $c_3^* = h_p(c_1'' \oplus T_{s'} \oplus p)$ and $T_{s'}$ is the current timestamp of the server $S$. Upon receiving this message, the verification of $S$ is achieved. In this way, user $U$ and server $S$ have a mutual authentication.

Thus, they obtain a new session key $c_1'' = h(r' \oplus b')$, so that the known-key attack happens in this scheme.

2.2.2. Off-line guessing attack

Assume that a malicious (legitimate) user $U$ can derive the parameter $p$ in the login phase, as $p = c_1 \oplus h(r \oplus b)$, since both random numbers $r$ and $b$ stem from the user’s own smart card. By utilizing the derived parameter $p$, the malicious user $U$ can achieve a guessing attack as follows:

1. $U$ can make use of the derived information to guess the long-term key $x$ of the authentication server $S$: he assumes the long-term key is $x'$ and then computes $p' = h(ID \oplus x')$.

2. $U$ can check whether $p'$ is equal to the derived $p$. If so, the malicious user $U$ has correctly guessed the private long-term key of the server $S$.

Consequently, the malicious user can easily imitate a legal server in the next session. Hence, this scheme definitely suffers from the risk of this guessing attack.

3. The proposed scheme

In this section, we propose a robust and secure remote user authentication scheme to overcome the weakness of Chen et al.’s scheme. Taking computation efficiency into consideration, we execute our proposed scheme by utilizing simple one-way hash functions. There are four phases accordingly and all these phases work as follows:

3.1. Registration phase

This phase is invoked whenever $U$ initially registers or re-registers with $S$. Suppose $x$ is the long-term key of the authentication server $S$. As shown in Fig. 3, the following steps are performed in this phase:

1. $U$ chooses a random number $b$ and computes $h(b \oplus PW)$, then sends it with his $ID$ to the server $S$: $U \Rightarrow S: \{ID, h(b \oplus PW)\}$.

2. $S$ calculates the following parameters: $p = h(ID \oplus x) \oplus h(x)$, $R = p \oplus h(b \oplus PW)$, $V = h_p(h(b \oplus PW))$. The server $S$ stores the data $\{V, R, h(\cdot), h_p(\cdot)\}$ on a new smart card and issues the smart card to user $U$.

3. $U$ enters $b$ into his smart card so that it contains $\{V, R, h(\cdot), h_p(\cdot), b\}$.

Fig. 3. Registration phase of our proposed scheme

3.2. Login phase

This phase is depicted in Fig. 4. When $U$ intends to login to $S$, the following computations should be performed:

1. $U$ inserts the smart card into the smart card reader and inputs his $ID$ and $PW$.

2. The smart card computes $p = R \oplus h(b \oplus PW)$ and checks whether $h_p(h(b \oplus PW))$ equals $V$. If so, the smart card continues to calculate $c_1 = R \oplus h(b \oplus PW)$ and $c_2 = h_p(c_1 \oplus T_u)$, where $T_u$ is the current timestamp of $U$.

3. $U$ sends a login request message to the server $S$: $U \rightarrow S: \{ID, c_2, T_u\}$.

Fig. 4. Login and Verification phase of our proposed scheme

3.3. Verification phase

Upon receiving the login request message, the server $S$ and the user $U$ should perform the following steps to achieve mutual authentication and compute a session key. The details of this phase are shown in Fig. 4.

1. $S$ checks the validity of $ID$ and whether $T_u \neq T_s$, where $T_s$ is the current timestamp of the server. If one of them does not hold, then $S$ rejects the login request; otherwise, $S$ checks whether $T_s - T_u$ is within a valid time interval $\Delta T$. If not, then $S$ rejects the login request.

2. If $T_s - T_u$ is really within the interval $\Delta T$, $S$ computes $h_p(h(ID \oplus x) \oplus h(x) \oplus T_u)$ in order to check whether the result equals $c_2$. If so, the validity of $U$ is authenticated and $S \rightarrow U: \{c_3, T_s\}$, where $c_3 = h_p((h(ID \oplus x) \oplus h(x)) \oplus T_s \oplus p)$; otherwise, $S$ rejects the login request.

3. After receiving $\{c_3, T_s\}$, $U$ checks the validity of $T_s$ and whether $T_s \neq T_u$. If it does not hold, $U$ terminates the connection; otherwise, $U$ checks whether $h_p(c_1 \oplus T_s \oplus p)$ equals the received $c_3$. If so, the validity of $S$ is authenticated.

4. Moreover, $U$ and $S$ establish a common session key $SK = h((c_1 \oplus ID) \oplus T_u \oplus T_s) = h(((h(ID \oplus x) \oplus h(x)) \oplus ID) \oplus T_u \oplus T_s)$ for private communication.

3.4. Password change phase

$U$ can freely change his password $PW$ to $PW_{new}$ in this phase as follows:

1. $U$ inserts the smart card into the smart card reader, inputs his $ID$ and $PW$ and requests to change his password. Thus, the smart card computes $p^* = R \oplus h(b \oplus PW)$ and $V^* = h_{p^*}(h(b \oplus PW))$.

2. The smart card checks whether $V^*$ equals the original $V$ stored in the smart card. If so, then $U$ selects a new password $PW_{new}$; otherwise, the smart card rejects the password change request.

3. The smart card computes $R_{new} = p^* \oplus h(b \oplus PW_{new})$ and $V_{new} = h_{p^*}(h(b \oplus PW_{new}))$, then stores them and replaces the original $R$ and $V$, respectively.
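The four phases of Sections 3.1 to 3.4 as one runnable model, added here as an illustration and not code from the paper: SHA-256 stands in for $h(\cdot)$, HMAC-SHA-256 for $h_p(\cdot)$, every value is fixed to 32 bytes so that $\oplus$ is well defined, and the interval $\Delta T$, the encoding of $ID$, $PW$ and the timestamps, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

BLOCK = 32    # every value is a 32-byte string so that XOR is well defined
DELTA_T = 60  # valid time interval dT in seconds (assumed; the paper fixes no value)

def h(data: bytes) -> bytes:  # h(.): SHA-256 stands in for the paper's unkeyed one-way hash
    return hashlib.sha256(data).digest()

def h_p(p: bytes, data: bytes) -> bytes:  # h_p(.): HMAC-SHA-256 stands in for the hash keyed with p
    return hmac.new(p, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(s: str) -> bytes:  # ID and PW as fixed-width 32-byte strings so they can be XORed (assumed encoding)
    return s.encode().ljust(BLOCK, b"\0")[:BLOCK]

def ts(t: int) -> bytes:  # timestamps T_u, T_s are integer seconds, encoded as 32-byte big-endian values
    return t.to_bytes(BLOCK, "big")

class Server:
    # S holds only the long-term key x and the set of registered IDs: no verifier table (P2)
    def __init__(self) -> None:
        self.x = os.urandom(BLOCK)
        self.registered = set()

    def p_of(self, ID: str) -> bytes:
        # p = h(ID xor x) xor h(x); the h(x) term is what the paper adds against the off-line guess on x
        return xor(h(xor(enc(ID), self.x)), h(self.x))

    def register(self, ID: str, hbpw: bytes) -> dict:
        # Registration step 2: R = p xor h(b xor PW) and V = h_p(h(b xor PW)) go onto the card
        p = self.p_of(ID)
        self.registered.add(ID)
        return {"R": xor(p, hbpw), "V": h_p(p, hbpw)}

    def verify(self, ID: str, c2: bytes, Tu: int, Ts: int):
        # Verification steps 1-2; returns (c3, SK), or None when the login is rejected
        if ID not in self.registered or Tu == Ts or not 0 <= Ts - Tu <= DELTA_T:
            return None
        p = self.p_of(ID)
        if not hmac.compare_digest(h_p(p, xor(p, ts(Tu))), c2):
            return None
        c3 = h_p(p, xor(xor(p, ts(Ts)), p))                # c3 = h_p(p xor T_s xor p)
        SK = h(xor(xor(xor(p, enc(ID)), ts(Tu)), ts(Ts)))  # SK = h((c1 xor ID) xor T_u xor T_s)
        return c3, SK

class SmartCard:
    # The card issued to U stores {V, R, b}; h and h_p are the functions above
    def __init__(self, V: bytes, R: bytes, b: bytes) -> None:
        self.V, self.R, self.b, self.state = V, R, b, None

    def login(self, ID: str, PW: str, Tu: int):
        # Login step 2: recover p, check V, build c1 and c2; only {ID, c2, T_u} leaves the card
        hbpw = h(xor(self.b, enc(PW)))
        p = xor(self.R, hbpw)
        if not hmac.compare_digest(h_p(p, hbpw), self.V):
            return None
        c1 = xor(self.R, hbpw)
        c2 = h_p(p, xor(c1, ts(Tu)))
        self.state = (p, c1, Tu)
        return ID, c2, Tu

    def verify_server(self, ID: str, c3: bytes, Ts: int):
        # Verification steps 3-4: check c3 = h_p(c1 xor T_s xor p), then derive SK
        p, c1, Tu = self.state
        if Ts == Tu or not 0 <= Ts - Tu <= DELTA_T:
            return None
        if not hmac.compare_digest(h_p(p, xor(xor(c1, ts(Ts)), p)), c3):
            return None
        return h(xor(xor(xor(c1, enc(ID)), ts(Tu)), ts(Ts)))

    def change_password(self, PW: str, PW_new: str) -> bool:
        # Password change phase: verify V*, then replace R and V under the same p*
        hbpw = h(xor(self.b, enc(PW)))
        p_star = xor(self.R, hbpw)
        if not hmac.compare_digest(h_p(p_star, hbpw), self.V):
            return False
        hbpw_new = h(xor(self.b, enc(PW_new)))
        self.R, self.V = xor(p_star, hbpw_new), h_p(p_star, hbpw_new)
        return True

def register_user(server: Server, ID: str, PW: str) -> SmartCard:
    # Registration steps 1 and 3: U picks b, sends h(b xor PW) over the secure channel, keeps b on the card
    b = os.urandom(BLOCK)
    card = server.register(ID, h(xor(b, enc(PW))))
    return SmartCard(card["V"], card["R"], b)

def run_session(server: Server, card: SmartCard, ID: str, PW: str, Tu: int, Ts: int):
    # One login + verification run; returns (SK at U, SK at S), or None if either side rejects
    request = card.login(ID, PW, Tu)
    reply = request and server.verify(*request, Ts)
    if not reply:
        return None
    sk_user = card.verify_server(ID, reply[0], Ts)
    return None if sk_user is None else (sk_user, reply[1])
```

A wrong password is refused by the card before any message is sent, and a request with $T_u = T_s$ or $T_s - T_u > \Delta T$ is refused by the server, mirroring Step 1 of the verification phase.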

4. Security analysis of our proposed scheme


In this section, we present the logic analysis based on BAN logic to prove the authority of authentication procedure and the correctness of our scheme execution.

The details will be shown in Subsection 4.1. Then, we discuss several significant attacks and demonstrate the security strength of our proposed scheme in Subsection 4.2. Moreover, we show that our proposed scheme enhances the security of Chen et al.’s scheme and withstands its corresponding weaknesses.

4.1. BAN logic demonstration for our proposed scheme

We use BAN logic to verify our remote user authentication scheme using smart cards. Our scheme not only provides the mutual authentication requirement but also achieves the establishment of a common session key between the user and the server.

According to the analytical procedures of BAN logic, each round of the scheme has to be transformed into the idealized form. Next, we briefly describe basic notations of BAN logic as follows.

$P \overset{K}{\leftrightarrow} Q$: $P$ and $Q$ may communicate with each other using the shared key $K$. The key $K$ will never be discovered by any principal except $P$ or $Q$.

$P \overset{X}{\Leftrightarrow} Q$: Formula $X$ is a secret known only to $P$ and $Q$. Only $P$ and $Q$ may use $X$ to prove their identities to one another.

$\{X\}_K$: This represents Formula $X$ encrypted under the key $K$.

$\langle X \rangle_Y$: This represents Formula $X$ combined with Formula $Y$.

Then, we first give the following logical postulates to present that $U$ and $S$ can mutually authenticate and cooperate to obtain a session key.

$S$ believes $ID$,

$S$ believes fresh($T_u$),

$U$ believes fresh($T_s$),

$U$ believes $U \overset{SK}{\leftrightarrow} S$,

$U$ believes $S$ believes $U \overset{SK}{\leftrightarrow} S$,

$S$ believes $U \overset{SK}{\leftrightarrow} S$,

$S$ believes $U$ believes $U \overset{SK}{\leftrightarrow} S$.

In our scheme, there are two messages that are used to achieve the mutual authentication and key agreement requirements. These messages are shown in Fig. 4. Then, we idealize the scheme as follows.

Message 1. $U \rightarrow S$: $ID$, $h_p(\langle c_1 \rangle_{T_u})$, $T_u$.

Message 2. $S \rightarrow U$: $h_p(\langle\langle p \rangle_{T_s}\rangle_p)$, $T_s$.

Before starting to analyze our scheme, we first make the following assumptions:

A1. $U$ believes $U \overset{h(\cdot)}{\Leftrightarrow} S$.

A2. $U$ believes $U \overset{h_p(\cdot)}{\Leftrightarrow} S$.

A3. $U$ believes fresh($T_s$).

A4. $S$ believes ($U$ controls $ID$).

A5. $S$ believes $U \overset{h(\cdot)}{\Leftrightarrow} S$.

A6. $S$ believes $U \overset{h_p(\cdot)}{\Leftrightarrow} S$.

A7. $S$ believes fresh($T_u$).

A8. $U$ believes ($S$ controls $U \overset{SK}{\leftrightarrow} S$).

A9. $S$ believes ($U$ controls $U \overset{SK}{\leftrightarrow} S$).

Then, we analyze the idealized form of our proposed scheme using the above assumptions and the rules of BAN logic. Details of the logic proof are presented as follows.

$S$ receives Message 1. The rules show that

$S$ sees $\{ID, h_p(\langle c_1 \rangle_{T_u}), T_u\}$. (Statement 1)

We break conjunctions and produce

$S$ believes $U$ said $ID$, (Statement 2)

$S$ believes $U$ said $h_p(\langle c_1 \rangle_{T_u})$, (Statement 3) and

$S$ believes $U$ said $T_u$. (Statement 4)

By A4 and Statement 2, we apply the nonce-verification rule to deduce

$S$ believes $ID$. (Statement 5)

By A6 and Statement 3, we apply the message-meaning rule to derive

$S$ believes $U$ said $\langle c_1 \rangle_{T_u}$. (Statement 6)

By A7 and Statement 6, the nonce-verification rule applies and yields

$S$ believes $\langle c_1 \rangle_{T_u}$. (Statement 7)

By A7 and Statement 4, we apply the nonce-verification rule to deduce

$S$ believes $T_u$. (Statement 8)

Then, $U$ receives Message 2. The annotation rule yields that

$U$ sees $\{h_p(\langle\langle p \rangle_{T_s}\rangle_p), T_s\}$. (Statement 9)

We break conjunctions and produce the following:

$U$ believes $S$ said $h_p(\langle\langle p \rangle_{T_s}\rangle_p)$ (Statement 10) and

$U$ believes $S$ said $T_s$. (Statement 11)

By A2 and Statement 10, we apply the message-meaning rule to obtain

$U$ believes $S$ said $\langle\langle p \rangle_{T_s}\rangle_p$. (Statement 12)

By A3 and Statement 12, we apply the nonce-verification rule to deduce

$U$ believes $\langle\langle p \rangle_{T_s}\rangle_p$. (Statement 13)

By A3 and Statement 11, the nonce-verification rule applies and yields

$U$ believes $T_s$. (Statement 14)

Finally, we apply the message-meaning rule to derive

$U$ controls $U \overset{SK}{\leftrightarrow} S$ (Statement 15) and

$S$ controls $U \overset{SK}{\leftrightarrow} S$. (Statement 16)

By A8 and Statement 16, the jurisdiction rule applies to deduce

$U$ believes $U \overset{SK}{\leftrightarrow} S$. (Statement 17)

By A9 and Statement 15, we apply the jurisdiction rule to derive

$S$ believes $U \overset{SK}{\leftrightarrow} S$. (Statement 18)

Based on Statement 7 and Statement 13, we prove that our proposed scheme can achieve the mutual authentication requirement. Due to the results of Statement 17 and Statement 18, we also prove that our proposed scheme can establish a common session key between $U$ and $S$.

4.2. Protection against possible attacks

In this subsection, we show our proposed scheme can withstand all these possible attacks as follows so that it successfully remedied the security drawbacks of Chen et al.’s scheme.

4.2.1. The known-key attack

Chen et al.’s scheme is vulnerable to the known-key attack because an adversary can easily intercept a legal user’s login request message $\{ID, c_1, c_2, T_u\}$ and get the parameter $c_1$ once $c_1'$ has been compromised. Upon getting these parameters, the secret information $p = h(ID \oplus x)$ can be derived by computing $c_1' \oplus c_1$. Nevertheless, it is impossible for the adversary to intercept any secret information from the user’s login request message in our proposed scheme, since the login request message includes only $\{ID, c_2, T_u\}$. This is because $c_1$ is protected inside the secure one-way hash function belonging to $c_2$, where $c_2 = h_p(c_1 \oplus T_u)$. Moreover, a legal user’s smart card has no need to select a random number $r$ to continue the following verification phase. It is no longer possible to reveal any secret information to the adversary. Hence, an adversary cannot obtain validation from the authentication server $S$. We surmount the weakness of Chen et al.’s scheme, because our proposed scheme prevents an adversary from deriving the secret information and sending a fabricated login request message $\{ID, c_2^*, T_{u'}\}$ to obtain a new session key.

4.2.2. Off-line guessing attack

In the aforementioned scenario where a malicious user $U$ can derive the essential parameter $p$ in Chen et al.’s scheme, it is obvious the malicious user can premeditate imitating a legal server by guessing the private long-term key $x$. If the malicious user $U$ attempts to achieve this purpose in our proposed scheme, he needs to obtain the parameter $p$ in the login phase by calculating $p = R \oplus h(b \oplus PW)$, then execute the operation of an off-line guessing attack. However, after obtaining the parameter $p$, the malicious user’s off-line guessing attack will fail, because the malicious user $U$ cannot achieve his purpose by using his own identity $ID$ and the derived parameter $p$. The reason is that he first assumes a long-term key $x'$ and computes $p' = h(ID \oplus x') \oplus h(x')$. Then, he checks whether $p'$ equals the original $p$ or not. However, the malicious user $U$ cannot successfully perform the off-line guessing attack without knowing the hash value $h(x)$. In general, the off-line guessing attack can be achieved because an adversary can guess one part of the secret information by utilizing the other known part. Nevertheless, the equation of $p$ contains both the long-term key $x$ and the corresponding hash value $h(x)$ in our proposed scheme. The malicious user $U$ cannot guess a correct value of the long-term key $x'$ to make $p' = h(ID \oplus x') \oplus h(x')$ equal the original $p$, so the off-line guessing attack on Chen et al.’s scheme has been defeated in our proposed scheme.

4.2.3. Replay attack

An adversary can intercept either the login request message $\{ID, c_2, T_u\}$ or the response message $\{c_3, T_s\}$ that are transmitted between a legal user $U$ and the authentication server $S$. Both of these messages include the corresponding timestamps $T_u$ and $T_s$, respectively. If the adversary replays his intercepted message, the server $S$ should check the validity of the corresponding $ID$ and $T_u$. Unfortunately for him, $T_s - T_u$ cannot be within a valid time interval $\Delta T$. Similarly, it cannot be verified in Step 3 of the verification phase when the adversary replays the response message $\{c_3, T_s\}$, since he cannot pass the time interval validation. Hence, a replay attack is very hard for the adversary.

4.2.4. Impersonation attack

An adversary who desires to forge a legal user’s login request message $\{ID, c_2, T_u\}$ into the message $\{ID, c_2', T_{u'}\}$ transmits it to the remote server $S$. After receiving the message $\{ID, c_2', T_{u'}\}$, $S$ checks whether $c_2'$ equals the result of $h_p(h(ID \oplus x) \oplus h(x) \oplus T_{u'})$ or not. However, the adversary cannot acquire the value of $h(ID \oplus x) \oplus h(x)$. He cannot be validated by the server $S$ in the verification phase. Similarly, there is no way the adversary can forge the authentication server $S$ by transmitting an impersonation response message $\{c_3', T_{s'}\}$. The adversary cannot be validated since the equation $c_3' = h_p(c_1 \oplus T_{s'} \oplus p)$ cannot hold. Meanwhile, $c_1$ and $p$ are unavailable parameters for the adversary in our scheme. Hence, the impersonation attempts of adversaries cannot be achieved.

4.2.5. Parallel attack

In Chen et al.’s scheme, an adversary who attempts to masquerade as a legal user $U$ by eavesdropping on communication between the server $S$ and $U$ cannot make a parallel attack across two different sessions, because $c_2$ and $c_3$ have disparate functions. We inherit this advantage in our proposed scheme, in which the adversary cannot start a new session with server $S$ by sending a fabricated login request message $\{ID, c_3, T_s\}$, because in Step 2 of the verification phase, $S$ computes $h_p(h(ID \oplus x) \oplus h(x) \oplus T_u)$ to check whether the result equals the received $c_2$. However, it is obvious that when $c_3 = h_p((h(ID \oplus x) \oplus h(x)) \oplus T_s \oplus p)$, the result does not equal the value of $c_2$. Hence, the adversary cannot make a parallel attack.

4.2.6. Mutual authentication

In our proposed scheme, user $U$ can validate server $S$ by checking whether $h_p(c_1 \oplus T_s \oplus p)$ equals the received $c_3$; at the same time, server $S$ can also validate user $U$ by checking whether $h_p(h(ID \oplus x) \oplus h(x) \oplus T_u)$ equals the received $c_2$. Mutual authentication protects the validity of both sides, user $U$ and server $S$.

4.2.7. Perfect forward secrecy

This is an essential security property to ensure that it is impossible for an adversary to derive the session keys used previously, even if he obtains the contiguous knowledge of the current session key. We assume that the adversary has corrupted a legal user $U$ and acquired the long-term key $x$. However, the session key $SK = h((c_1 \oplus ID) \oplus T_u \oplus T_s)$ is protected with a one-way hash function, and the equation is guaranteed to be secure since it contains the value $c_1 = h(ID \oplus x) \oplus h(x)$, which is unavailable to any adversary. Moreover, due to the different login and authentication processes, the corresponding timestamps $T_u$ and $T_s$ are updated accordingly. Thus, there is no way for the adversary to derive the session keys in our scheme. In this way, our proposed scheme can achieve perfect forward secrecy.

5. Performance analysis of our proposed scheme

In this section, we compare computation cost with previous works such as Wang et al.’s scheme (2007) and Chen et al.’s scheme (2011) to estimate the performance of our proposed scheme. The detailed comparison is depicted in Table 1. We note that $h$ means a one-way hash operation and $\oplus$ denotes an exclusive-or operation. It is

terms of efficiency. In our proposed scheme, we utilize nearly all one-way hash functions to enhance system efficiency and simultaneously remedy the security weaknesses of Chen et al.’s scheme.

Table 1

Performance comparison between our scheme and previous schemes

Items                   Wang et al.’s scheme   Chen et al.’s scheme   Our scheme
Registration phase      3h + 3⊕                3h + 3⊕                4h + 3⊕
Login phase             4h + 5⊕                4h + 4⊕                3h + 2⊕
Verification phase      4h + 5⊕                4h + 3⊕                4h + 4⊕
Password change phase   4h + 4⊕                4h + 4⊕                4h + 4⊕
Total                   15h + 17⊕              15h + 14⊕              15h + 11⊕

h: the operation of one-way hash function

⊕: the operation of exclusive-or computation

From the viewpoint of system efficiency, the registration phase of our proposed scheme requires one extra one-way hash operation to calculate the parameter $p = h(ID \oplus x) \oplus h(x)$, which is what makes our remedy resistant to off-line guessing attack. In the login and verification phases, we utilize only seven one-way hash operations and eight exclusive-or operations, which is lower than the computation cost of the two comparison targets. Because we want to prevent known-key attack, we do not use the random number $r$ to compute the essential parameter $c_1$; note that this step of the remedy is also superior to previous works in computation efficiency. In the password change phase, we require the same computation cost as the other two comparison schemes.


Table 2
Property comparison between our scheme and previous schemes

Items   Wang et al.'s scheme   Chen et al.'s scheme   Our scheme
P1      Yes                    Yes                    Yes
P2      Yes                    Yes                    Yes
P3      No                     No                     Yes
P4      No                     No                     Yes
P5      Yes                    Yes                    Yes
P6      Yes                    Yes                    Yes
P7      No                     Yes                    Yes
P8      No                     No                     Yes

Consequently, we not only achieve the goal of remedying Chen et al.'s security weaknesses but also require a lower total computation cost in our proposed scheme, which compares favorably with the related schemes. In Table 2, we compare the properties mentioned in Section 1 between our scheme and the related works. Our scheme remedies the security drawbacks of Chen et al.'s scheme and satisfies all of the above-mentioned properties. In brief, the analysis of our proposed scheme in the security and performance aspects shows that it is more secure and efficient than the schemes proposed previously.

6. Conclusions

In this paper, we propose a novel remote user authentication scheme that offers a high level of security and is efficient for smart card use. According to the above analysis, we not only enhance Chen et al.'s scheme but also provide evidence that our proposed scheme requires a lower computation load than the related works. Moreover, we demonstrate that our new scheme has advanced security features and performance, which have been summarized as the properties that distinguish our scheme from previous ones. Therefore, our proposed scheme is more secure and practical for the remote user authentication environment.

References

Wu T-C, Sung H-S. Authenticating passwords over an insecure channel. Computers & Security 1996;15(5):431-9.

Peyravian M, Zunic N. Methods for protecting password transmission. Computers & Security 2000;19(5):466-9.

Chang C-C, Lee C-Y, Chiu Y-C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Computer Communications 2009;32(4):611-8.

Lamport L. Password authentication with insecure communication. Communications of the ACM 1981;24(11):770-2.

Hwang M-S, Li L-H. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2000;46(1):28-30.

ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985;31(4):469-72.

Sun H-M. An efficient remote use authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2000;46(4):958-61.

Juang W-S. Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics 2004;50(1):251-5.

Juang W-S, Chen S-T, Liaw H-T. Robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics 2008;55(6):2551-6.

Kim S-K, Chung M-G. More secure remote user authentication scheme. Computer Communications 2009;32(6):1018-21.

Liu J-Y, Zhou A-M, Gao M-X. A new mutual authentication scheme based on nonce and smart cards. Computer Communications 2008;31(10):2205-9.

Sun D-Z, Huai J-P, Sun J-Z, Li J-X. Cryptanalysis of a mutual authentication scheme based on nonce and smart cards. Computer Communications 2009;32(6):1015-7.

Chien H-Y, Jan J-K, Tseng Y-M. An efficient and practical solution to remote authentication: smart card. Computers & Security 2002;21(4):372-5.

Ku W-C, Chen S-M. Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2004;50(1):204-7.

Yoon E-J, Ryu E-K, Yoo K-Y. Further improvement of an efficient password based remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2004;50(2):612-4.

Wang X-M, Zhang W-F, Zhang J-S, Khan M-K. Cryptanalysis and improvement on two efficient remote user authentication schemes using smart cards. Computer Standards & Interfaces 2007;29(5):507-12.

Chen T-H, Hsiang H-C, Shih W-K. Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Generation Computer Systems 2011;27(4):377-80.

Chan C-K, Cheng L-M. Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2000;46(4):992-3.

Wang R-C, Juang W-S, Lei C-L. Robust authentication and key agreement scheme preserving the privacy of secret key. Computer Communications 2011;34(3):274-80.

Figures

Fig. 1. Registration phase of Chen et al.'s scheme
Fig. 2. Login and verification phase of Chen et al.'s scheme
Fig. 3. Registration phase of our proposed scheme
Fig. 4. Login and verification phase of our proposed scheme
