
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 26, 1845-1858 (2010)

1845

Received October 3, 2008; revised May 3 & July 17, 2009; accepted August 13, 2009. Communicated by Chin-Laung Lei.

* This research was supported by the Ministry of Knowledge Economy (MKE), Korea, under the Information Technology Research Center (ITRC) support program supervised by the National IT Industry Promotion Agency No. NIPA-2010-C1090-1031-0005 and was also supported by Defense Acquisition Program Administration and Agency for Defense Development under the contract UD100002KD.

+ Corresponding author.

Short Paper

Weaknesses and Improvement of Secure Hash-Based Strong-Password Authentication Protocol*

HANJAE JEONG, DONGHO WON AND SEUNGJOO KIM+

Information Security Group Sungkyunkwan University

Suwon-si, Gyeonggi-do, 440-746 Korea
E-mail: {hjjeong; dhwon; skim}@security.re.kr

In 2008, Kim-Koç proposed a secure hash-based strong-password authentication protocol using one-time public key cryptography. They claimed that the protocol was secure against guessing, stolen-verifier, replay, denial-of-service, and impersonation attacks. However, we show that the protocol is vulnerable to impersonation, guessing, and stolen-verifier attacks. We propose improvements to increase the security level of the protocol.

Keywords: impersonation attack, guessing attack, stolen-verifier attack, password-based authentication, hash-based password authentication

1. INTRODUCTION

Password-based authentication schemes are commonly used in various systems to authenticate users. However, they have limitations. First, a server stores every user password. Second, a transferred password could be stolen by sniffing or tapping [6]. Therefore, many researchers have proposed secure password-based schemes. In 2000, Sandirigama et al. proposed the simple and secure (SAS) password authentication protocol [1]. However, Lin et al. showed in [2] that the SAS protocol was vulnerable to replay and denial-of-service attacks; they proposed the optimal strong password authentication (OSPA) scheme. They claimed that it was secure against all known problems. In [3], Chen and Ku showed that the SAS and OSPA protocols were vulnerable to stolen-verifier attack. In 2003, Tsuji and Shimizu showed in [4] that the OSPA protocol was vulnerable to impersonation attack. Later, Lin et al. proposed a new strong-password authentication protocol that resists various attacks [5].

The Lee-Li-Hwang (LLH) authentication scheme [7] addressed the guessing-attack vulnerability of the Peyravian-Zunic (PZ) password scheme [8]. However, Yoon, Ryu, and Yoo (YRY) [9] showed that the LLH scheme was still vulnerable to denial of service (DoS) attack, and proposed an improved protocol to solve its security problems. Recently, Ku, Chiang, and Chang (KCC) [10] demonstrated that the YRY scheme was not secure against off-line guessing and stolen-verifier attacks. Moreover, Kim-Koç showed that the YRY scheme was also vulnerable to DoS attack. Furthermore, it was also claimed in [10] that the YRY scheme cannot achieve backward secrecy [6].

Kim-Koç proposed a hash-based strong-password authentication protocol in [6]. It was claimed that this protocol is secure against guessing, stolen-verifier, replay, denial-of-service, and impersonation attacks. In this paper, we show that the protocol in [6] is vulnerable to impersonation, guessing, and stolen-verifier attacks. In section 2, we review the Kim-Koç protocol described in [6]. In section 3, we show the vulnerabilities of the protocol. In section 4, we propose an improved protocol. We analyze the security of the improved protocol in section 5. Finally, we conclude the paper in section 6.

2. KIM-KOÇ’S PROTOCOL

In this section, we review the Kim-Koç protocol. It consists of four sub-protocols: registration, login, forget password, and password/verifier change.

2.1 Notations

• U denotes the User and S denotes the Server.
• ESpu denotes encryption with the public key of S.
• DSpr denotes decryption with the private key of S.
• h denotes a cryptographic hash function, such that h(m) signifies the message m is hashed. Furthermore, h(a, b) denotes the hash of concatenated a and b; i.e., h(a, b) = h(a || b).
• P denotes the password of U.
• Ku is a randomly generated key selected by U and shared with the server and stored in secure storage in a smartcard.
• Kpr denotes the private key of S.
• rs denotes the nonce generated by S.
• rc1, rc2 denote the nonces generated by U.
• Ts denotes the timestamp.
• Uid denotes the identification of the user.
• ⊕ denotes the bitwise XOR operation, and || denotes concatenation.
• AuthQ and AuthA denote the authentication question and answer for the registration, forget password, and password/verifier change protocols.
• The expression A → B: X means A sends message X to B via an insecure channel.

2.2 Registration Protocol

R1. U → S: PV = h(Ku || P) ⊕ Ku
R2. S → U: R, AuthQ
R3. U → S: EKpu(UV, Ts′, Uid, Ku, P, AuthQ ⊕ AuthA)
Fig. 1. Registration protocol.

In step R2, S computes R = PV ⊕ Ts and then sends it to U. U receives R2, and computes the user’s important verifier UV = h(Ku || P || Ts || Uid) ⊕ Ku. Next, U encrypts UV, Ts′, Uid, Ku, P, and AuthQ ⊕ AuthA with S’s public key, and then sends it. After S receives R3, S decrypts R3 and computes h(Ku || P) ⊕ Ku. Then, S compares h(Ku || P) ⊕ Ku and Ts′ with PV and Ts that were stored in step R2. If both are equal, S stores the sealed-verifier SV = h(Ku || P || Uid) ⊕ Kpr, PV, UKP = ESpu(Uid, Ku, P′), and QAK = AuthQ ⊕ AuthA ⊕ Kpr in the S password file.

2.3 Login Protocol

The login protocol is described in Fig. 2.

L1. U → S: PV = h(Ku || P) ⊕ Ku
L2. S → U: PV, rs
L3. U → S: L = h(h(Ku || P || Uid) ⊕ PV) ⊕ h(Ku || P || Uid) ⊕ PV ⊕ rs
Fig. 2. Login protocol.

After S receives L3, S derives C1 = h(h(Ku || P || Uid) ⊕ PV) ⊕ h(Ku || P || Uid) ⊕ PV by XORing L with rs. Then, S computes C2 = SV ⊕ Kpr = h(Ku || P || Uid) and C3 = h(C2 ⊕ PV) ⊕ C2 ⊕ PV using the stored SV in the S password file and Kpr. Next, S checks C1 = C3. If they are equal, S authenticates U.

2.4 Forget Password Protocol

The forget password protocol is described in Fig. 3.

FP1. U → S: forget password request
FP2. S → U: AuthQ, rs
FP3. U → S: ESpu(FP, U′id)
FP4. S → U: AuthA ⊕ Ku, AuthA ⊕ P
Fig. 3. Forget password protocol.

In step FP3, U computes FP = AuthQ ⊕ AuthA ⊕ rs, and encrypts it and Uid with S’s public key. Next, U sends ESpu(FP, U′id) to S. After S receives FP3, S decrypts ESpu(FP, Uid), and derives D1 = AuthQ ⊕ AuthA by XORing FP with rs. Then, S derives D2 = AuthQ ⊕ AuthA by XORing QAK with Kpr. S then checks D1 = D2. If they are equal, S decrypts UKP, ESpu(Uid, Ku, P), which was stored in the S password file. Otherwise, S rejects this request. Next, S derives Uid, Ku and P, and then checks U′id = Uid. If they are equal, S computes AuthA ⊕ Ku and AuthA ⊕ P, and then sends these values to U. If not, S terminates this session. Finally, when U receives FP4, U obtains the former password P by XORing AuthA ⊕ P′ with AuthA, and obtains the key Ku by XORing AuthA ⊕ Ku with AuthA.

2.5 Password/Verifier Change Protocol

The password/verifier change protocol is described in Fig. 4.

PC1. U → S: password-change request
PC2. S → U: AuthQ, rs
PC3. U → S: ESpu(W1, Pnew, Kunew, Uidnew)
Fig. 4. Password/verifier change protocol.

In step PC3, U computes W1 = AuthQ ⊕ AuthA ⊕ rs ⊕ h(Ku || P || Uid), and encrypts W1 and the new values of Pnew, Kunew, and Uidnew. After S receives PC3, S decrypts ESpu(W1, Kunew, Pnew, Uidnew), and obtains W1, Kunew, Pnew, and Uidnew. S then computes W2 = AuthQ ⊕ AuthA by XORing QAK with Kpr, and W3 = SV ⊕ Kpr = h(Ku || P || Uid) using the stored SV in the S password file and Kpr. Next, S computes W4 = W2 ⊕ rs ⊕ W3 and checks W1 = W4. If they are equal, S stores the new SV = h(Kunew || Pnew || Uidnew) ⊕ Kpr, PV = h(Kunew || Pnew) ⊕ Kunew, UKP′ = ESpu(Uidnew, Kunew, Pnew), and QAK = AuthQ ⊕ AuthA ⊕ Kpr in the file.

3. ATTACKS ON THE KIM-KOÇ PROTOCOL

In this section, we show that the Kim-Koç protocol is vulnerable to impersonation attack, guessing attack, and stolen-verifier attack.

3.1 Impersonation Attack

The security of the login protocol depends on L in step L3. However, the adversary can easily derive L′ in the current session from stolen L in the previous session. Then, the adversary can act as a legitimate user. An impersonation attack is described in Fig. 5.

1. The adversary steals PV, rs and L in the previous session.
2. The adversary sends the stolen PV to S as U, and then receives PV′, rs′ from S.
3. The adversary computes L′ using the stolen L, rs and the received rs′:

L′ = L ⊕ rs ⊕ rs′
   = h(h(Ku || P || Uid) ⊕ PV′) ⊕ h(Ku || P || Uid) ⊕ PV′ ⊕ rs ⊕ rs ⊕ rs′
   = h(h(Ku || P || Uid) ⊕ PV′) ⊕ h(Ku || P || Uid) ⊕ PV′ ⊕ rs′

Then, the adversary sends L′ to S.
4. S derives C1 = h(h(Ku || P || Uid) ⊕ PV′) ⊕ h(Ku || P || Uid) ⊕ PV′ by XORing L′ with rs′. S then computes C2 = SV ⊕ Kpr = h(Ku || P || Uid) and C3 = h(C2 ⊕ PV) ⊕ C2 ⊕ PV using the stored SV in the S password file and Kpr. Next, S checks C1 = C3. They are equal, so S authenticates the adversary as U.

Adversary → S: PV
S → Adversary: PV′, rs′
Adversary (holding the stolen PV, rs and L) computes L′ = L ⊕ rs ⊕ rs′
Adversary → S: L′
Fig. 5. Impersonation attack on the login protocol.

3.2 Guessing Attack

In [6], the authors claimed that their protocol is secure against guessing attack. However, if the adversary has stolen U’s verifier, PV, from the registration protocol or the login protocol, then the adversary can derive AuthA and P by guessing attack.

3.2.1 Guessing attack to AuthA

AuthA is used to find P in the protocol; this is related to AuthQ. Generally, AuthA is the answer to AuthQ. For example, in the real world, if a user wishes to join a server, the server asks the user about a personal fact, such as father’s name, or favorite color. The answer to that question is used to find the user’s password when the user has forgotten his/her password. This feature of AuthA is used in the guessing attack by the adversary.

1. The adversary steals AuthA ⊕ Ku and AuthA ⊕ P in step FP4 in the forget password protocol.
2. The adversary computes PV′ by guessing AuthA:

PV′ = h((AuthA ⊕ Ku) ⊕ AuthA || (AuthA ⊕ P) ⊕ AuthA) ⊕ (AuthA ⊕ Ku) ⊕ AuthA.

If the stolen PV and PV′ are equal, then the adversary obtains U’s AuthA.

3.2.2 Guessing attack to P

The adversary can also guess P, although it contains more randomness than AuthA. Usually, the password in a password-based protocol is known as the value that is vulnerable to guessing attack. Thus, many proposed protocols protect the password from guessing attack. Kim-Koç’s protocol also protects P against guessing attack. In their protocol, P is inside the hash function, or it is XORed with other values that are unknown to the adversary, so the adversary cannot guess P. However, if the adversary steals AuthA ⊕ Ku and AuthA ⊕ P, then the adversary can guess P.

1. The adversary steals AuthA ⊕ Ku and AuthA ⊕ P in step FP4 in the forget password protocol.
2. The adversary computes Ku ⊕ P by XORing AuthA ⊕ Ku with AuthA ⊕ P:

Ku ⊕ P = AuthA ⊕ Ku ⊕ AuthA ⊕ P

3. Then, the adversary computes PV′ by guessing P:

PV′ = h((Ku ⊕ P) ⊕ P || P) ⊕ (Ku ⊕ P′) ⊕ P.

If the stolen PV and PV′ are equal, then the adversary obtains P.

3.3 Stolen-Verifier Attack

The stolen-verifier attack means that the adversary has a user’s verifier, stolen from the server, and then impersonates the user with the stolen verifier. We now introduce the stolen-verifier attack on Kim-Koç’s protocol. Suppose the adversary has stolen the verifiers SV and QAK from S. The adversary can then derive W1 by XORing SV with QAK. That is, W1 can be derived by an adversary who does not know the values required to compute it. Therefore, the adversary can impersonate U with the stolen verifiers, and then can change Ku, P, and Uid. The stolen-verifier attack is shown in Fig. 6.

Adversary → S: password-change request
S → Adversary: AuthQ, rs
Adversary (holding the stolen SV, QAK) computes W1 = SV ⊕ QAK ⊕ rs
Adversary → S: ESpu(W1, Pnew, Kunew, Uidnew)
Fig. 6. Stolen-verifier attack to the password/verifier change protocol.

1. The adversary has stolen the verifiers SV and QAK from S.
2. The adversary sends a password-change request to S.
3. S generates a random nonce rs, and sends AuthQ and rs to the adversary.
4. The adversary computes W1 = AuthQ ⊕ AuthA ⊕ rs ⊕ h(Ku || P || Uid) by XORing SV, QAK, and rs. The adversary then defines Pnew, Kunew, and Uidnew. Next, the adversary sends ESpu(W1, Pnew, Kunew, Uidnew) to S.

S decrypts the message from the adversary. S then computes W2 = AuthQ ⊕ AuthA by XORing QAK with Kpr, and W3 = SV ⊕ Kpr = h(Ku || P || Uid) using the stored SV in the S password file and Kpr. Next, S computes W4 = W2 ⊕ rs ⊕ W3 and checks W1 = W4. They are equal; thus, S stores the new SV = h(Kunew || Pnew || Uidnew) ⊕ Kpr, PV = h(Kunew || Pnew) ⊕ Kunew, UKP = ESpu(Uidnew, Kunew, Pnew), and QAK = AuthQ ⊕ AuthA ⊕ Kpr in the file.

4. IMPROVED PROTOCOL

In this section, we propose an improved protocol that solves the previously described security problems; i.e., we improve the registration, login, forget password, and password/verifier change protocols of the Kim-Koç approach. The following notation has been modified.

• Kpu denotes the public key of S.
• EKpu denotes a cryptographically secure public key encryption algorithm, such as RSA-OAEP (Optimal Asymmetric Encryption Padding), with the public key of S.
• DKpr denotes RSA-OAEP decryption with the private key of S.

4.1 Registration Protocol

R1. U → S: PV = h(Ku || P) ⊕ Ku
R2. S → U: R, AuthQ
R3. U → S: ESpu(UV, Ts′, Uid, Ku, P, AuthQ ⊕ AuthA)
Fig. 7. Registration protocol.

In step R2, S computes R = PV ⊕ Ts and then sends it to U. U receives R2, and computes the user’s important verifier UV = h(Ku || P′ || Ts || Uid) ⊕ Ku. Next, U encrypts UV, Ts′, Uid, Ku, P, and AuthQ ⊕ AuthA with S’s public key, and then sends it. After S receives R3, S decrypts R3 and computes h(Ku || P) ⊕ Ku. Then, S compares h(Ku || P) ⊕ Ku and Ts′ with PV and Ts that were stored in step R2. If both are equal, then S stores the sealed-verifier SV = EKpu(h(Ku || P || Uid)), PV, UKP = EKpu(Uid, Ku, P), and QAK = EKpu(AuthQ ⊕ AuthA) in the S password file.

4.2 Login Protocol

The Kim-Koç login protocol used the challenge-response method as protection from replay attack. S sends a challenge, rs, to U in step L2, and then U sends a response, which consists of rs XORed with other values, to S in step L3. However, the adversary can easily eliminate rs from the response of step L3 by XORing it with the rs of step L2, and then the adversary can impersonate U using the response without rs. The result of this attack is that the adversary can eliminate the challenge rs from the response. Our improved protocol adds a hashed challenge to the response to protect against an adversary who attempts to eliminate the challenge from the response.

L1. U → S: PV′ = h(Ku || P) ⊕ Ku.

U inputs his/her ID, password, and private key into the client system. The client system computes U’s password verifier PV = h(Ku || P) ⊕ Ku, and sends it to S for a login request.

L2. S → U: PV, rs.

S compares PV′ to PV stored in R2. If they are equal, then S generates a random nonce rs, and then sends PV and rs to U.

L3. U → S: L.

U compares PV′ to PV. If they are equal, then U computes L = h(h(Ku || P || Uid) ⊕ PV ⊕ rs) ⊕ h(Ku || P || Uid) ⊕ PV ⊕ rs, and sends it to S.

L4. S derives C1 = h(h(Ku || P || Uid) ⊕ PV ⊕ rs) ⊕ h(Ku || P || Uid) ⊕ PV by XORing L with rs. S then computes C2 = SV ⊕ Kpr = h(Ku || P || Uid) and C3 = h(C2 ⊕ PV ⊕ rs) ⊕ C2 ⊕ PV using the stored SV and Kpr in the S password file. Next, S checks C1 = C3. If they are equal, S authenticates U.

L1. U → S: PV′ = h(Ku || P) ⊕ Ku
L2. S → U: PV, rs
L3. U → S: L = h(h(Ku || P || Uid) ⊕ PV ⊕ rs) ⊕ h(Ku || P || Uid) ⊕ PV ⊕ rs
Fig. 8. Login protocol.
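To make the difference between the two L3 messages concrete, here is an added Python model (not the paper’s code) of the original and improved login verification: h is SHA-256 truncated to 16 bytes, Ku, Kpr and the nonces are constructed fixed values, and public-key encryption does not appear because step L4 uses only SV ⊕ Kpr. It shows that a response rederived from a previous session’s transcript, as in Section 3.1, verifies under the original L3 but not under the improved one.

```python
import hashlib

BLOCK = 16  # modeling choice: every XORed value is one 16-byte block

def h(*parts: bytes) -> bytes:
    """h(a, b, ...) = h(a || b || ...): SHA-256 truncated to one block."""
    return hashlib.sha256(b"".join(parts)).digest()[:BLOCK]

def xor(*vals: bytes) -> bytes:
    out = bytes(BLOCK)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

# Constructed sample values (not from the paper).
Ku = h(b"constructed Ku")
Kpr = h(b"constructed Kpr")
P = b"correct-horse"
Uid = b"alice"
PV = xor(h(Ku, P), Ku)                       # password verifier, step L1
SERVER = {"SV": xor(h(Ku, P, Uid), Kpr), "PV": PV, "Kpr": Kpr}

# ---- Kim-Koç login (Section 2.3): rs is only XORed into L ----
def kimkoc_L3(Ku, P, Uid, PV, rs):
    X = h(Ku, P, Uid)
    return xor(h(xor(X, PV)), X, PV, rs)

def kimkoc_verify(server, rs, L):
    C1 = xor(L, rs)
    C2 = xor(server["SV"], server["Kpr"])            # h(Ku || P || Uid)
    C3 = xor(h(xor(C2, server["PV"])), C2, server["PV"])
    return C1 == C3

# ---- Improved login (Section 4.2): rs is also inside the hash ----
def improved_L3(Ku, P, Uid, PV, rs):
    X = h(Ku, P, Uid)
    return xor(h(xor(X, PV, rs)), X, PV, rs)

def improved_verify(server, rs, L):
    C1 = xor(L, rs)
    C2 = xor(server["SV"], server["Kpr"])            # step L4 as written
    C3 = xor(h(xor(C2, server["PV"], rs)), C2, server["PV"])
    return C1 == C3

def rederive(L_old, rs_old, rs_new):
    """Section 3.1: L' = L ⊕ rs ⊕ rs', computed from an old transcript only."""
    return xor(L_old, rs_old, rs_new)

def demo():
    """Return the four verification outcomes discussed in the text."""
    rs_old, rs_new = h(b"constructed rs"), h(b"constructed rs'")
    L_old = kimkoc_L3(Ku, P, Uid, PV, rs_old)
    L_old_impr = improved_L3(Ku, P, Uid, PV, rs_old)
    return {
        # a genuine user passes in both protocols
        "kimkoc_legit": kimkoc_verify(SERVER, rs_old, L_old),
        "improved_legit": improved_verify(SERVER, rs_old, L_old_impr),
        # the old transcript alone yields a valid response only in the original
        "kimkoc_rederived": kimkoc_verify(SERVER, rs_new, rederive(L_old, rs_old, rs_new)),
        "improved_rederived": improved_verify(SERVER, rs_new, rederive(L_old_impr, rs_old, rs_new)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```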

4.3 Forget Password Protocol

The weakness of Kim-Koç’s forget password protocol is that if the adversary has stolen PV in the registration protocol or the login protocol, then the adversary can guess AuthA or P. Two solutions can secure against this weakness. The first solution is to encrypt PV with S’s public key. However, this solution needs several additional encryption steps. The second solution is to modify the last message in the forget password protocol to prevent guessing attack on AuthA or P. It does not need an additional step to prevent guessing attack, so it is more efficient than the first solution. The improved protocol adds the values rc1 and rc2 to the encrypted message in step FP3.

FP1. U → S: forgotten password request.

FP2. S → U: AuthQ, rs.

S generates a random nonce rs, and then sends AuthQ and rs to U.

FP3. U → S: EKpu(FP, U′id, rc1, rc2).

U computes FP = AuthQ ⊕ AuthA ⊕ rs, and generates random nonces rc1 and rc2. Then, U encrypts FP, U′id, rc1 and rc2 with S’s public key. Next, U sends EKpu(FP, U′id, rc1, rc2) to S.

FP4. S → U: AuthA ⊕ Ku ⊕ rc1, AuthA ⊕ P ⊕ rc2.

S decrypts EKpu(FP, U′id, rc1, rc2), and derives D1 = AuthQ ⊕ AuthA by XORing FP with rs. S then derives D2 = AuthQ ⊕ AuthA by decrypting QAK, which was stored in the S password file, with Kpr. Then, S checks D1 = D2. If they are equal, S decrypts UKP, EKpu(U′id, Ku, P), stored in the file. Otherwise, S rejects this request. Next, S derives Ku, Uid and P, and then checks U′id = Uid. If they are equal, S computes AuthA ⊕ Ku ⊕ rc1 and AuthA ⊕ P ⊕ rc2. S then sends these values to U. If not, S terminates this session.

FP5. U obtains the former key Ku by XORing AuthA ⊕ Ku ⊕ rc1 with AuthA and rc1, and then obtains the former password P by XORing AuthA ⊕ P′ ⊕ rc2 with AuthA and rc2.


FP1. U → S: forget password request
FP2. S → U: AuthQ, rs
FP3. U → S: ESpu(FP, U′id, rc1, rc2)
FP4. S → U: AuthA ⊕ Ku ⊕ rc1, AuthA ⊕ P ⊕ rc2
Fig. 9. Forget password protocol.

PC1. U → S: password-change request
PC2. S → U: AuthQ, rs
PC3. U → S: ESpu(W1, Pnew, Kunew, Uidnew)
Fig. 10. Password/verifier change protocol.

4.4 Password/Verifier Change Protocol

Kim-Koç’s password/verifier change protocol has a weakness against an adversary who has stolen SV and QAK from S. The adversary could easily compute the value that requires U’s private information to compute. We improve the protocol to prevent this. The difference between our improved protocol and Kim-Koç’s protocol is that PV is needed to compute W2 in step PC3.

PC1. U → S: password-change request.

PC2. S → U: AuthQ, rs.

S generates a random nonce rs, and sends AuthQ and rs to U.

PC3. U → S: EKpu(W, Pnew, Kunew, Uidnew).

U computes W = AuthQ ⊕ AuthA ⊕ rs ⊕ PV, and encrypts W and the new values of Kunew, Pnew, and Uidnew with S’s public key. Next, U sends EKpu(AuthQ ⊕ AuthA ⊕ rs ⊕ PV, Kunew, Pnew, Uidnew) to S.

PC4. S decrypts EKpu(W, Kunew, Pnew, Uidnew), and obtains W, Kunew, Pnew, and Uidnew. S then computes W2 = AuthQ ⊕ AuthA using decrypted QAK with Kpr, which was stored in the S password file, and obtains PV in the file. Next, S computes W4 = W2 ⊕ rs ⊕ PV and checks W = W4. If they are equal, then S stores the new SV = EKpu(h(Kunew || Pnew || Uidnew)), new PV = h(Kunew || Pnew) ⊕ Kunew, new UKP = EKpu(Uidnew, Kunew, Pnew), and QAK = EKpu(AuthQ ⊕ AuthA) in the file.
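The weakness of Section 3.3 and the effect of the change in this section can be checked with this added Python model (not the paper’s code). It uses a truncated-SHA-256 h over constructed 16-byte values, and stands in for EKpu/DKpr with a keyed Feistel permutation that only the holder of Kpr can invert; that is an assumption of the model, not public-key encryption, and it only captures that the stored SV and QAK are no longer XOR-sealed with one shared pad.

```python
import hashlib
import hmac

BLOCK = 16  # modeling choice: all XORed values are one 16-byte block

def h(*parts: bytes) -> bytes:
    """h(a, b, ...) = h(a || b || ...): SHA-256 truncated to one block."""
    return hashlib.sha256(b"".join(parts)).digest()[:BLOCK]

def xor(*vals: bytes) -> bytes:
    out = bytes(len(vals[0]))
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

# Stand-in for EKpu/DKpr: a 4-round HMAC-Feistel permutation keyed by Kpr.
# Assumption of this model only; the paper specifies RSA-OAEP.
def _F(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, "sha256").digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _F(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _F(key, i, l)), l
    return l + r

# ---- Kim-Koç password file and its PC3 check (Sections 2.5 and 3.3) ----
def kimkoc_file(Kpr, X, QA, PV):
    # SV and QAK are "sealed" by XOR with the same private key Kpr
    return {"SV": xor(X, Kpr), "QAK": xor(QA, Kpr), "PV": PV}

def kimkoc_check(f, Kpr, rs, W1):
    W2 = xor(f["QAK"], Kpr)           # AuthQ ⊕ AuthA
    W3 = xor(f["SV"], Kpr)            # h(Ku || P || Uid)
    return W1 == xor(W2, rs, W3)      # W4

# ---- Improved file and its PC4 check (Sections 4.1 and 4.4) ----
def improved_file(Kpr, X, QA, PV):
    return {"SV": E(Kpr, X), "QAK": E(Kpr, QA), "PV": PV}

def improved_check(f, Kpr, rs, W):
    W2 = D(Kpr, f["QAK"])             # AuthQ ⊕ AuthA
    return W == xor(W2, rs, f["PV"])  # W4

def demo():
    """Constructed values; AuthQ/AuthA are hashed to block size so they XOR."""
    Kpr, Ku = h(b"constructed Kpr"), h(b"constructed Ku")
    P, Uid = b"correct-horse", b"alice"
    QA = xor(h(b"constructed AuthQ"), h(b"constructed AuthA"))
    X, PV = h(Ku, P, Uid), xor(h(Ku, P), Ku)
    rs = h(b"constructed rs")
    orig, impr = kimkoc_file(Kpr, X, QA, PV), improved_file(Kpr, X, QA, PV)
    return {
        "kimkoc_legit": kimkoc_check(orig, Kpr, rs, xor(QA, rs, X)),
        # stored SV ⊕ QAK cancels Kpr, so the file alone yields a valid W1
        "kimkoc_from_file": kimkoc_check(orig, Kpr, rs, xor(orig["SV"], orig["QAK"], rs)),
        "improved_legit": improved_check(impr, Kpr, rs, xor(QA, rs, PV)),
        # the same combination of stored values no longer passes
        "improved_from_file": improved_check(impr, Kpr, rs, xor(impr["SV"], impr["QAK"], rs)),
        "roundtrip": D(Kpr, E(Kpr, X)) == X,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```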

5. SECURITY ANALYSIS

In this section, we briefly describe how the improved protocol is secure against attacks including guessing attack, stolen-verifier attack, impersonation attack and replay attack.

5.1 Guessing Attack

A guessing attack stands for an adversary’s attempting to guess the user’s private information. In our proposed protocol, U’s private information is Ku, P, and AuthA. However, P and AuthA differ from Ku: these values are defined by U, so they are easier to guess than Ku. Nevertheless, the adversary cannot easily guess these values in our protocol. Their redundancy is decreased by XORing with other values, so it is hard to find P or AuthA using a guessing attack. Even if the adversary steals the QAK stored in S, he/she cannot guess AuthA. Assume that the adversary repeatedly encrypts guessed values of AuthQ ⊕ AuthA with Kpu and compares the result to the stolen QAK. However, our scheme uses a cryptographically secure public key encryption algorithm, such as RSA-OAEP, which is known to be secure against a chosen ciphertext attack. Therefore, he/she cannot compute the correct QAK. Moreover, the table in the Appendix describes the possible combinations of the values, except the encrypted values, that could be used to break our protocol using a guessing attack. According to the table, most possible combinations of the values in our scheme contain more than two secret values. In our scheme, the secret values are Ku, P, AuthA, rc1, and rc2. These values are not revealed to the adversary. P and AuthA have enough redundancy for a guessing attack, so each value on its own is vulnerable to guessing attack. However, they are used in our scheme together with Ku, rc1 or rc2. These values are randomly chosen and have sufficient length to resist guessing attack. Some combinations (2, 5, 1 ⊕ 3 and 2 ⊕ 5 in the Appendix) do not contain the secret values, but these combinations are nonces or meaningless values, so the adversary cannot derive any advantage from them to attack our scheme. Therefore, our protocol can resist guessing attack.

5.2 Stolen-Verifier Attack

The stolen-verifier attack stands for an adversary who has stolen a user’s verifier from a server. He/she can masquerade as the user, using the stolen verifier without any other attack, such as a guessing attack. Assume that the adversary has stolen U’s verifiers (SV, PV, UKP, and QAK) in our protocol. The adversary cannot directly use the stolen verifiers to masquerade as U. Thus, the adversary should change the value in the stolen verifiers or combine a few stolen verifiers. A stolen verifier attack on our proposed protocol is shown in Fig. 11.

Fig. 11. Stolen-verifier attack to the proposed protocol. (Figure residue: three panels between the Adversary and S, labelled Login Protocol; Forget Password Protocol, with 1. forget password request, 2. AuthQ, rs; and Password/Verifier Change Protocol, with 1. password-change request, 2. AuthQ, rs.)

After step 2 in the login protocol, the adversary should calculate L (i.e., h(h(Ku || P || Uid) ⊕ PV ⊕ rs) ⊕ h(Ku || P || Uid) ⊕ PV ⊕ rs) to impersonate U. However, the adversary cannot derive L from the stolen verifiers. This message can be made only by participants in the protocol who know h(Ku || P || Uid). h(Ku || P || Uid) is computed by decrypting SV with Kpr. However, Kpr is S’s private key, unknown to the adversary. Therefore, the adversary cannot masquerade as U in the login protocol using the stolen verifier.

After step 2 in the forget password protocol, the adversary should calculate FP; this is AuthQ ⊕ AuthA ⊕ rs. However, the adversary cannot derive FP from stolen verifiers. This message is made only by participants in the protocol who know AuthA. AuthA is computed by XORing decrypted QAK with Kpr and AuthQ. However, Kpr is S’s private key, unknown to the adversary. Therefore, the adversary cannot masquerade as a legitimate user in the forget password protocol using the stolen verifier.

After step 2 in the password/verifier change protocol, the adversary should calculate W; this is AuthQ ⊕ AuthA ⊕ rs ⊕ PV. However, the adversary cannot derive W from stolen verifiers. This message is made only by participants in the protocol who know AuthA and PV. Although PV is the stolen verifier from S, AuthA is computed by XORing decrypted QAK with Kpr and AuthQ. However, Kpr is S’s private key, unknown to the adversary. Therefore, the adversary cannot masquerade as a legitimate user in the password/verifier protocol, using the stolen verifier.

Consequently, the login protocol, the forget password protocol, and the password/ verifier change protocol of our proposed protocol are secure against stolen-verifier attack.

5.3 Impersonation Attack

Impersonation attack stands for an adversary masquerading as a legitimate user by stealing or changing the message in a protocol. Our proposed protocol uses messages made from a random nonce, AuthA, Ku, or P to authenticate a user. If the adversary wishes to impersonate a user, the adversary should know these values or send a stolen message. However, the adversary cannot know the values, because they are protected by XORing with Kpr, a hash function, or encryption with S’s public key. Moreover, if the adversary sends a stolen message to S, then S can detect that the message was used in the previous session by confirming the nonce in that message. Thus, our proposed protocol is secure against impersonation attack.

5.4 Replay Attack

The replay attack stands for an adversary storing a message in a previous session, then the adversary sending the message in the current session to masquerade as a legitimate user. Our protocol is secure against this attack. The messages in our protocol are changed every session using a nonce. If S sends a nonce as a challenge to U, U sends a response that contains a hashed challenge to S. Therefore, if the adversary sends the previous message to S, S can detect that the received message was used in the previous session. Thus, the adversary cannot attack our protocol by sending the previous message.

5.5 Comparison with Kim-Koç’s Protocol

Table 1 describes a comparison between Kim-Koç’s protocol and our protocol. Their protocol is insecure against guessing, stolen-verifier, and impersonation attacks. Our protocol strengthens their protocol, and thus is more secure.


Table 1. Comparison between Kim-Koç’s and the proposed protocol.

                         Kim-Koç’s protocol   Proposed protocol
Guessing attack          Insecure             Secure
Stolen-verifier attack   Insecure             Secure
Replay attack            Secure               Secure
Impersonation attack     Insecure             Secure

Table 2. Comparison between our scheme and recent schemes.

                                    Kim-Koç’s scheme   Our scheme   [14]   [15]   [16]   [17]
Registration protocol               O                  O            O      O      O      O
Login protocol                      O                  O            O      O      O      O
Forget password protocol            O                  O            X      X      X      X
Password/verifier change protocol   O                  O            X      X      X      O

6. CONCLUSION

In [6], Kim-Koç proposed a hash-based strong-password authentication protocol. In this paper, we described the weaknesses of their protocol. We then proposed an improved protocol that eliminates the vulnerabilities of their protocol. We analyzed our protocol and compared their protocol to our proposed protocol.

Moreover, in Table 2, we compare our scheme with the recently proposed strong-password authentication protocols. As shown in Table 2, the other protocols only provide the registration protocol and the login protocol. However, our scheme not only provides these protocols but also provides the forget password protocol and the password/verifier change protocol.

REFERENCES

1. M. Sandirigama, A. Shimizu, and M. Noda, “Simple and secure password authentication protocol,” IEICE Transactions on Communications, Vol. E83-B, 2000, pp. 1363-1365.

2. C. L. Lin, H. M. Sun, and T. Hwang, “Attacks and solutions on strong-password authentication,” IEICE Transactions on Communications, Vol. E84-B, 2001, pp. 2622-2627.

3. C. M. Chen and W. C. Ku, “Stolen-verifier attack on two new strong-password authentication protocols,” IEICE Transactions on Communications, Vol. E85-B, 2002, pp. 2519-2521.

4. T. Tsuji and A. Shimizu, “An implementation attack on one-time password authentication protocol OSPA,” IEICE Transactions on Communications, Vol. E86-B, 2003, pp. 2182-2185.

5. C. W. Lin, C. S. Tsai, and M. S. Hwang, “A new strong-password authentication scheme using one-way hash functions,” Journal of Computer and Systems Sciences International, Vol. 45, 2006, pp. 623-626.

6. M. Kim and C. K. Koç, “A secure hash-based strong-password authentication protocol using one-time public-key cryptography,” Journal of Information Science and Engineering, Vol. 24, 2008, pp. 1213-1227.

7. C. C. Lee, L. H. Li, and M. S. Hwang, “A remote user authentication scheme using hash functions,” ACM Operating System Review, Vol. 36, 2002, pp. 23-29.

8. M. Peyravian and N. Zunic, “Methods for protecting password transmissions,” Computers and Security, Vol. 19, 2000, pp. 466-469.

9. E. J. Yoon, E. K. Ryu, and K. Y. Yoo, “A secure user authentication scheme using hash functions,” ACM Operating System Review, Vol. 38, 2004, pp. 62-68.

10. W. C. Ku, M. H. Chiang, and S. T. Chang, “Weaknesses of Yoon-Ryu-Yoo’s hash-based password authentication scheme,” ACM Operating System Review, Vol. 39, 2005, pp. 85-89.

11. S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 244-250.

12. M. Bellare and P. Rogaway, “Optimal asymmetric encryption – How to encrypt with RSA,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 950, 1995, pp. 92-111.

13. E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern, “RSA-OAEP is secure under the RSA assumption,” in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, LNCS 2139, 2001, pp. 260-274.

14. H. Rhee, J. Kwon, and D. Lee, “A remote user authentication scheme without using smart cards,” Computer Standards and Interfaces, Vol. 31, 2009, pp. 6-13.

15. J. Xu, W. T. Zhu, and D. G. Feng, “An improved smart card based password authentication scheme with provable security,” Computer Standards and Interfaces, Vol. 31, 2009, pp. 723-728.

16. M. Misbahuddin, P. Premchand, and A. Govardhan, “A smart card based remote user authentication scheme,” Journal of Digital Information Management, Vol. 6, 2008, pp. 256-261.

17. M. L. Das and V. L. Narasimhan, “A simple and secure authentication and key establishment protocol,” in Proceedings of the 1st International Conference on Emerging Trends in Engineering and Technology, 2008, pp. 844-849.

Hanjae Jeong received the B.S. degree in Computer Engineering from Sungkyunkwan University, Korea, in 2006 and the M.S. degree in Electrical and Computer Engineering from Sungkyunkwan University, Korea, in 2008. He is currently undertaking a Ph.D. course on Mobile Systems Engineering in Sungkyunkwan University. His current research interest is in the area of cryptography, authentication protocol, and mobile security.


Dongho Won received his B.E., M.E., and Ph.D. degrees from Sungkyunkwan University in 1976, 1978, and 1988, respectively. After working at ETRI (Electronics and Telecommunications Research Institute) from 1978 to 1980, he joined Sungkyunkwan University in 1982, where he is currently Professor of School of Information and Communication Engineering. His interests are cryptology and information security. He was the president of KIISC (Korea Institute of Information Security and Cryptology) in 2002.

Seungjoo Kim received his B.S. (1994), M.S. (1996), and Ph.D. (1999) in Information Engineering from Sungkyunkwan University (SKKU) in Korea. Prior to joining the faculty at SKKU in 2004, he had an appointment as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Information Security Agency (KISA) for five years. He is now Associate Professor of the School of Information and Communication Engineering at SKKU. In addition, he has served as an executive committee member of Korean E-Government, and an advisory committee member of several public and private organizations, such as National Intelligence Service of Korea, Digital Investigation Advisory Committee of the Supreme Prosecutors’ Office, Ministry of Justice, The Bank of Korea, ETRI (Electronic and Telecommunication Research Institute), and KISA (Korea Information Security Agency). His research interests include cryptography, information security and information assurance. He is a corresponding author.