
[IEEE 2014 Sixth International Conference on Measuring Technology and Mechatronics Automation (ICMTMA) - Zhangjiajie, China (2014.01.10-2014.01.11)] 2014 Sixth International Conference


Password authentication scheme preserving identity privacy

1,*Fuw-Yi Yang, 1Chih-Wei Hsu, and 2Su-Hui Chiu

1Department of Computer Science and Information Engineering, 2Office of Accounting, 1,2Chaoyang University of Technology

[email protected]

Abstract—Recently, password-based authentication schemes have been widely used in network environments. They provide a convenient way for users to authenticate themselves to servers. Previously, Xu et al. proposed an improved smart card based password authentication scheme with provable security. Unfortunately, Song pointed out that their scheme cannot withstand impersonation attacks. Moreover, Song proposed two improved schemes to solve the problem, but his first scheme still cannot withstand an impersonation attack. In addition to analyzing the weakness of Song’s scheme, this paper proposes an improved scheme that preserves identity privacy.

Keywords-impersonation attack, identity authentication, identity privacy, password guessing attacks, trapdoor function.

I. INTRODUCTION

Recently, many smart card based password authentication schemes have been proposed by many scholars [1-3]. In 1981, Lamport [4] proposed the first password authentication scheme for insecure communication. However, his scheme suffers from an off-line password guessing attack. In 2002, Chien et al. [5] proposed an efficient and practical solution to remote authentication, but Lee et al. [6] pointed out that Chien et al.’s scheme is vulnerable to a parallel attack and proposed an improvement to remedy the security weakness. This improved scheme enables users to freely choose their passwords and provides mutual authentication between users and server. Furthermore, the server does not need to keep a verification table. The same year, Lee et al. proposed an improved remote authentication scheme using smart cards. In this scheme, the user can freely choose his/her password. Later, Xu et al. [8] pointed out an off-line password guessing attack on Lee et al.’s scheme [6] and a counterfeiting attack on Lee et al.’s scheme [7]. Therefore, Xu et al. proposed an improved password authentication scheme. In 2010, Song [9] showed that Xu et al.’s scheme cannot withstand an impersonation attack and proposed two improved schemes. In this paper, we review Song’s first improved scheme and show by cryptanalysis that it still suffers from an impersonation attack. In addition, we propose an improved scheme using a one-way trapdoor function [10, 11]. With the trapdoor function, the proposed scheme not only remedies the security weakness but also provides user identity privacy.

II. REVIEW SONG’S IMPROVED SCHEME

Song’s first improved scheme mainly contains four phases: initial phase, registration phase, login phase and authentication phase. The following describes the details of each phase. Table 1 summarizes the notations used in Song’s scheme.

(1) Initial phase

Initially, the server chooses two big prime numbers p and q such that p = 2q + 1, and the server also selects a private key from the multiplicative group modulo q, i.e. $x \in Z_q^*$.

Table 1 Notations

$ID_A$ is the identity of user A.

$PW_A$ is the password of user A.

$T_A$ and $T_S$ are timestamps when user A and server start a protocol run, respectively.

$\Delta T$ is the allowable time threshold predefined by the system.

$h(\cdot)$ is a one-way and collision resistant hash function.

denotes bitwise exclusive-or operation.

|| denotes concatenation operation of bit strings.

p, q are two large prime numbers such that p = 2q + 1.

$Z_q^* = \{1, 2, 3, \ldots, q-1\}$ is a multiplicative group.

(2) Registration phase

When a user wants to access the server, he/she must have registered with the server. As shown in Fig. 1, the registration steps are as follows:

Step 1: The user chooses his/her identity ID and password PW, then sends them to the server through the secure channel.

Step 2: When the server receives the message {ID, PW}, it computes $B = h(ID)^x + h(PW) \bmod p$. Finally, the server stores the data $\{ID, B, h(\cdot), p, q\}$ into the smart card and sends it to the user through the secure channel.

Figure 1. The registration phase

User: chooses ID, PW

User → Server: {ID, PW}

Server: computes $B = h(ID)^x + h(PW) \bmod p$; stores $\{ID, B, h(\cdot), p, q\}$ in the smart card

Server → User: smart card

2014 Sixth International Conference on Measuring Technology and Mechatronics Automation

978-1-4799-3434-8/14 $31.00 © 2014 IEEE

DOI 10.1109/ICMTMA.2014.108

(3) Login phase

The user needs to send the login message to the server if the user wants to log in to the server, as shown in Figure 2. The user inserts his/her smart card into the reader and inputs his/her identity ID and password PW. The smart card selects


a random number $w \in Z_q^*$ and uses the system’s time to generate the timestamp T. Then it computes

$B' = (B - h(PW))^{w+1} \bmod p$

$W = h(ID)^w \bmod p$

$C = h(T \| B' \| W \| ID)$

Finally, the server sends the login message {ID, C, W, T} to the server.

(4) Authentication phase

When the server receives the login message, it first verifies whether the user is a legal user, as shown in Fig. 2. The authentication steps are as follows:

Step 1: The server receives the login message at time $T^*$. First, the server verifies the user’s identity ID and checks the validity of the timestamp $T^*$. If $(T^* - T) \le \Delta T$ holds, then the server computes $B'' = (W \cdot h(ID))^x \bmod p$ and checks whether C and $h(T \| B'' \| W \| ID)$ are equal. The server will assume the user is legitimate if the above check succeeds. The server chooses a random number $m \in Z_q^*$ and uses the system’s time to generate the timestamp $T''$. Then, it computes

$M = h(ID)^m \bmod p$

$C' = h(M \| B'' \| T'' \| ID)$

Finally, the server sends the message $\{ID, C', M, T''\}$ to the user.

Step 2: After the user receives the message, the smart card verifies the identity ID and $T''$. It also checks whether $C'$ and $h(M \| B' \| T'' \| ID)$ are equal. The server will assume the user is legitimate if the above check succeeds.

Step 3: The user computes $sk = h(ID \| M \| W \| M^w)$ as the session key to communicate with the server. The server computes $sk = h(ID \| M \| W \| W^m)$ as the session key to communicate with the user.

Figure 2. Login and authentication phase

III. SECURITY ANALYSIS

The following shows that Song’s first scheme still has security weaknesses or flaws: impersonation attack, time asynchronous, and insider attack.

(1) Impersonation attack

Assume that user A wants to impersonate user B to access the server. The steps are as follows:

Step 1: User A selects a random number $w \in Z_q^*$ and uses the system’s time to generate the timestamp T. The user extracts the secret information B from the smart card to compute $B' = (B - h(PW_A))^{w+1} \bmod p$ with the password, and uses the identity $ID_A$ and user B’s identity $ID_B$ to compute $W = h(ID_A)^w \cdot h(ID_A) / h(ID_B) \bmod p$ and $C = h(T \| B' \| W \| ID_B)$. Finally, user A sends the login message $\{ID_B, C, W, T\}$ to the server.

Step 2: When the server receives the login message $\{ID_B, C, W, T\}$, the server verifies the user’s identity $ID_B$ and checks the validity of the timestamp T. Since user B is a legal user, the identity verification succeeds. Then the server computes $B'' = (W \cdot h(ID_B))^x \bmod p$ and compares C with $h(T \| B'' \| W \| ID_B)$ to check whether they are equal. They are equal because $W \cdot h(ID_B) = h(ID_A)^{w+1}$, so $B'' = h(ID_A)^{x(w+1)} = (B - h(PW_A))^{w+1} = B'$. Since the comparison succeeds, user A successfully impersonates user B to log in to the server. Later steps can be omitted, because the attacker who repeats the above steps can always impersonate user B or other users.
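The algebra of Steps 1 and 2 can be checked in code. The following Python sketch is an added example, not code from the paper: it models the registration, login and server-side check of Song's first scheme as reviewed in Section II, assuming a toy safe prime, SHA-256 in place of h(·), and constructed users "alice" and "bob".

```python
import hashlib
import secrets
from math import isqrt

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Toy parameters (assumption): first safe prime p = 2q + 1 above 10**6.
P = next(p for p in range(10**6 + 1, 10**7, 2)
         if _is_prime(p) and _is_prime((p - 1) // 2))
Q = (P - 1) // 2
DELTA_T = 5  # allowable time threshold in seconds (constructed value)

def h(*parts):
    """h(a||b||...) as an integer; SHA-256 stands in for the paper's h(.)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hp(value):
    """h(value) mapped into 1..p-1 so it can be used as a group element."""
    return h(value) % (P - 1) + 1

class Server:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # private key x in Z*_q
        self.users = set()

    def register(self, ID, PW):
        """Registration step 2: B = h(ID)^x + h(PW) mod p (goes on the card)."""
        self.users.add(ID)
        return (pow(hp(ID), self.x, P) + hp(PW)) % P

    def verify_login(self, ID, C, W, T, now):
        """Authentication step 1: True means the login for ID is accepted."""
        if ID not in self.users or not 0 <= now - T <= DELTA_T:
            return False
        B2 = pow(W * hp(ID) % P, self.x, P)     # B'' = (W * h(ID))^x mod p
        return C == h(T, B2, W, ID)

def login_message(claimed_ID, card_ID, B, PW, T):
    """Login phase computed from one card (card_ID, B) and its password PW.

    claimed_ID == card_ID is the honest run, W = h(ID)^w mod p.
    claimed_ID != card_ID is Step 1 of Section III(1), where
    W = h(ID_A)^w * h(ID_A) / h(ID_B) mod p.
    """
    w = secrets.randbelow(Q - 1) + 1
    B1 = pow((B - hp(PW)) % P, w + 1, P)        # B' = (B - h(PW))^(w+1) mod p
    W = pow(hp(card_ID), w + 1, P) * pow(hp(claimed_ID), -1, P) % P
    return claimed_ID, h(T, B1, W, claimed_ID), W, T

def demo():
    """Returns (honest, cross_identity, wrong_password, stale) server verdicts."""
    server = Server()
    B_A = server.register("alice", "pw-alice")  # constructed users
    server.register("bob", "pw-bob")
    T = 1_700_000_000                           # constructed timestamp
    def verdict(claimed, pw, delay):
        msg = login_message(claimed, "alice", B_A, pw, T)
        return server.verify_login(*msg, now=T + delay)
    return (verdict("alice", "pw-alice", 1),    # honest login
            verdict("bob", "pw-alice", 1),      # alice's card, bob's identity
            verdict("alice", "wrong", 1),       # wrong password
            verdict("alice", "pw-alice", 60))   # timestamp outside DELTA_T

if __name__ == "__main__":
    print(demo())
```

The second verdict is accepted because the server's B'' only shows that the sender holds h(ID)^x for some registered card; nothing in the check binds that value to the claimed identity.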

(2) Time asynchronous

Song’s first scheme uses timestamps for verification between the user and the server. However, using timestamps may cause the time asynchronous problem. Hence, the improved scheme uses a nonce mechanism to solve it.

(3) Insider attack

In the registration phase, the user sends his/her identity ID and password PW to the server through the secure channel. Since the password is sent to the server directly without protection, the scheme suffers from an insider attack. Privileged insiders can obtain private information on the server side, such as the password PW, and can therefore abuse the user's identity and password to request service from the server.

IV. THE PROPOSED AUTHENTICATION SCHEME

In this section we improve Song’s first scheme to withstand those attacks. The parameters are the same as in Table 1, except that a one-way trapdoor function $F_S(\cdot)$ [10, 11] is added. Since only the server knows the trapdoor, the inclusion of $F_S(\cdot)$ allows the improved authentication scheme to preserve user identity privacy. The improved authentication scheme mainly contains four phases: initial phase, registration phase, login phase and authentication phase. The details of each phase are described as follows.

(1) Initial phase

In this phase, the server chooses two big prime numbers p and q such that p = 2q + 1, and selects a private key $x \in Z_q^*$.

(2) Registration phase

When a user wants to access the server, he/she must have registered with the server first. As shown in Fig. 3, the registration steps are as follows:

Step 1: The user chooses his identity $ID_A$, password $PW_A$ and a random number b, computes $h(b \oplus PW_A)$, then sends $ID_A$ and $h(b \oplus PW_A)$ to the server through the secure channel.

Step 2: When the server receives the registration message $\{ID_A, h(b \oplus PW_A)\}$, the server computes $B_A = h(ID_A)^x \oplus h(b \oplus PW_A) \bmod p$. Finally, the server stores the data $\{ID_A, B_A, h(\cdot), p, q, F_S(\cdot)\}$ into the smart card, where $F_S(\cdot)$ is a one-way trapdoor function and only the server knows the trapdoor key. Finally, the server sends the smart card to the user through the secure channel.

Step 3: Upon receiving the smart card, the user enters the random number b into the smart card.

Figure 2 message flow (login and authentication phase of Song’s first scheme):

User: inputs ID, PW; selects a random number $w \in Z_q^*$ and timestamp T; computes $B' = (B - h(PW))^{w+1} \bmod p$, $W = h(ID)^w \bmod p$, $C = h(T \| B' \| W \| ID)$

User → Server: {ID, C, W, T}

Server: verifies ID, T; computes $B'' = (W \cdot h(ID))^x$; checks $C \overset{?}{=} h(T \| B'' \| W \| ID)$; selects $m \in_R Z_q^*$ and timestamp $T''$; computes $M = h(ID)^m \bmod p$, $C' = h(M \| B'' \| T'' \| ID)$, $sk = h(ID \| M \| W \| W^m)$

Server → User: $\{ID, C', M, T''\}$

User: verifies ID, $T''$; checks $C' \overset{?}{=} h(M \| B' \| T'' \| ID)$; computes $sk = h(ID \| M \| W \| M^w)$

(3) Login phase

The user needs to send a login message to the server if he/she wants to log in to the server, as shown in Fig. 4. The user inserts his smart card into the reader and inputs his identity $ID_A$ and password $PW_A$. The smart card generates a random number $R_A$ and a nonce $N_i$, then computes

$K_A = B_A \oplus h(b \oplus PW_A) \oplus N_i$

$W_A = F_S(ID_A, R_A \oplus K_A, N_i)$

$C_A = h(N_i \| R_A \| ID_A \| W_A \| K_A)$

Finally, the server sends the login message $\{W_A, C_A\}$ to the server.

Figure 3. The proposed registration phase

Figure 4. The proposed login and authentication phase

(4) Authentication phase

The details of the authentication steps are as follows and are shown in Fig. 4.

Step 1: After receiving the login message $\{W_A, C_A\}$, the server decrypts the ciphertext $W_A$ to obtain $ID_A$, $(R_A \oplus K_A)$, and $N_i$. Then the server verifies whether the user $ID_A$ is a legal one by checking its format or the database. A valid check leads the server to compute $K_A = h(ID_A)^x \bmod p \oplus N_i$ and $R_A' = (R_A \oplus K_A) \oplus K_A$, and to test whether $h(N_i \| R_A' \| ID_A \| W_A \| K_A) = C_A$. Finally, the server generates a nonce $N_j$, computes the session key $sk = h(ID_A \| N_i \| N_j \| R_A')$ and the message authentication code $C_s = h(sk \| ID_A \| R_A' \| N_j)$, and sends the message $\{C_s, N_j\}$ to the user.

Step 2: Upon receiving the message $\{C_s, N_j\}$, the smart card computes the session key $sk = h(ID_A \| N_i \| N_j \| R_A)$ and the message authentication code $C_s' = h(ID_A \| R_A \| N_j)$. Finally, an equal comparison between $C_s$ and $C_s'$ completes the authentication phase. Otherwise, the session is terminated.

V. SECURITY ANALYSIS

In this section, we discuss the security properties concerning impersonation attack, off-line password guessing attack, mutual authentication, time asynchronous, insider attack, and user’s identity privacy.

(1) Impersonation attack

The following shows that the proposed scheme can withstand the impersonation attack. If attacker A is a legal user who wants to impersonate legal user B to request service from the server, the steps are as follows:

Step 1: Attacker A generates a random number $R_A$ and a nonce $N_i$, then extracts $B_A$ and b from his smart card to compute $K_A$ and $W_A$ with his password $PW_A$:

$K_A = B_A \oplus h(b \oplus PW_A) \oplus N_i$

$W_A = F_S(ID_B, R_A \oplus K_A, N_i)$

Attacker A uses user B’s identity $ID_B$ to compute $C_A = h(N_i \| R_A \| ID_B \| W_A \| K_A)$. Finally, attacker A sends the message $\{W_A, C_A\}$ to the server.

Step 2: After receiving the login message $\{W_A, C_A\}$, the server first decrypts $W_A$ with the trapdoor key to obtain $ID_B$, $(R_A \oplus K_A)$, and $N_i$. Then it verifies the user’s identity $ID_B$. Since user B is a legal user, the identity verification succeeds. The server uses the identity $ID_B$ to compute $K_A = h(ID_B)^x \bmod p \oplus N_i$ and $R_A' = (R_A \oplus K_A) \oplus K_A$. Finally, it checks whether $h(N_i \| R_A' \| ID_B \| W_A \| K_A)$ is equal to $C_A$. Since the $K_A$ computed on the server side is not equal to the $K_A$ on the user side, the server’s $R_A'$ is also not equal to $R_A$. Therefore, the comparison fails. By the above analysis, the proposed scheme is immune to the impersonation attack.
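The argument of Section V(1), together with the login and authentication phases of Section IV, as an added Python sketch (not code from the paper). Assumptions: a toy safe prime, SHA-256 in place of h(·), textbook RSA over two Mersenne primes as a stand-in for the unspecified trapdoor function F_S(·), 32-bit R_A and N_i, constructed users "alice" and "bob", and the server-side formula C_s = h(sk||ID_A||R_A'||N_j) used on both sides.

```python
import hashlib
import secrets
from math import isqrt

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Toy parameters (assumptions, not from the paper): first safe prime above
# 10**6, and textbook RSA over two Mersenne primes standing in for F_S(.).
P = next(p for p in range(10**6 + 1, 10**7, 2)
         if _is_prime(p) and _is_prime((p - 1) // 2))
Q = (P - 1) // 2
RSA_N, RSA_E = (2**89 - 1) * (2**127 - 1), 65537

def h(*parts):
    """h(a||b||...) as an integer; SHA-256 stands in for the paper's h(.)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hpw(b, PW):
    """h(b xor PW): the only password-derived value the server ever sees."""
    return h(b ^ int.from_bytes(PW.encode(), "big"))

def F_S(ID, rk, Ni):
    """Public direction of the trapdoor function over (ID, R xor K, N_i)."""
    assert len(ID) <= 8 and rk < 2**32 and Ni < 2**32   # toy field widths
    m = int.from_bytes(ID.encode(), "big") << 64 | rk << 32 | Ni
    return pow(m, RSA_E, RSA_N)

class Server:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1                 # x in Z*_q
        self._d = pow(RSA_E, -1, (2**89 - 2) * (2**127 - 2))  # trapdoor key
        self.users = set()

    def _hx(self, ID):
        return pow(h(ID) % (P - 1) + 1, self.x, P)            # h(ID)^x mod p

    def register(self, ID, hpw_value):
        """Registration step 2: B_A = h(ID_A)^x xor h(b xor PW_A)."""
        self.users.add(ID)
        return self._hx(ID) ^ hpw_value

    def authenticate(self, W, C):
        """Authentication step 1: ((Cs, Nj), sk) on success, None on reject."""
        m = pow(W, self._d, RSA_N)
        id_int, rk, Ni = m >> 64, (m >> 32) & 0xFFFFFFFF, m & 0xFFFFFFFF
        raw = id_int.to_bytes((id_int.bit_length() + 7) // 8, "big")
        ID = raw.decode(errors="replace")
        if ID not in self.users:
            return None
        K = self._hx(ID) ^ Ni             # K_A recomputed from the claimed ID
        R = rk ^ K                        # R_A' = (R_A xor K_A) xor K_A
        if h(Ni, R, ID, W, K) != C:
            return None
        Nj = secrets.randbits(32)
        sk = h(ID, Ni, Nj, R)
        return (h(sk, ID, R, Nj), Nj), sk

def card_login(claimed_ID, B, b, PW):
    """Login phase from card data (B, b) and password PW."""
    R, Ni = secrets.randbits(32), secrets.randbits(32)
    K = B ^ hpw(b, PW) ^ Ni               # K_A = B_A xor h(b xor PW_A) xor N_i
    W = F_S(claimed_ID, R ^ K, Ni)
    return (W, h(Ni, R, claimed_ID, W, K)), (R, Ni)

def card_finish(ID, state, reply):
    """Authentication step 2, using the server-side formula for Cs."""
    (R, Ni), (Cs, Nj) = state, reply
    sk = h(ID, Ni, Nj, R)
    return sk if Cs == h(sk, ID, R, Nj) else None

def demo():
    """Returns (honest run agrees on sk, cross-identity login rejected)."""
    server = Server()
    b_A = secrets.randbits(64)
    B_A = server.register("alice", hpw(b_A, "pw-alice"))   # constructed users
    server.register("bob", hpw(secrets.randbits(64), "pw-bob"))
    msg, state = card_login("alice", B_A, b_A, "pw-alice")
    reply, sk_server = server.authenticate(*msg)
    honest = card_finish("alice", state, reply) == sk_server
    # Section V(1): alice's card data with bob's identity in W_A and C_A.
    forged, _ = card_login("bob", B_A, b_A, "pw-alice")
    return honest, server.authenticate(*forged) is None
```

Textbook RSA is used here only to make the trapdoor step executable; it is deterministic and unpadded, so it says nothing about how F_S(·) should be instantiated in practice.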

(2) Off-line password guessing attack

Assume that an attacker can extract $B_A$ and b from the smart card to execute an off-line password guessing attack as suggested by references [12-13]. The following shows that the proposed scheme can withstand the off-line password guessing attack. The scenario is as follows.

Step 1: Assume that an attacker has extracted $B_A$ and the random number b from a smart card. Also, the attacker has intercepted a login message $\{W_A, C_A\}$ that a user passed to the server and the response message $\{C_s, N_j\}$ that the server sent back to the user.

Step 2: Since $W_A$ is a ciphertext encrypted with the server’s trapdoor function, the attacker cannot learn anything about its content. Similarly, $C_A$, $C_s$, and $N_j$ are message authentication codes and a random number.

Since steps 1 and 2 fail to extract any information with which to check or validate login or response messages, it follows that the attacker cannot successfully launch an off-line password guessing attack.

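(3) Mutual authentication

Upon receiving a login message $\{W_A, C_A\}$, the server decrypts $W_A$ to obtain the user’s identity $ID_A$, the randomized $K_A \oplus R_A$, and the nonce $N_i$. With this information and the long-term secret value x, the server can recover the random information $ID_A$, $K_A$, $R_A$, and $N_i$. Thus the server authenticates the user if the comparison $h(N_i \| R_A \| ID_A \| W_A \| K_A) = C_A$ holds. On the other hand, if the server is able to correctly compute the quantities $ID_A$, $K_A$, $R_A$, and $N_i$, it implies that he/she knows the trapdoor key. Therefore, an equal test on $C_s = h(sk \| ID_A \| R_A' \| N_j)$ indicates that the user authenticates the server. Namely, the login message authenticates the user, the response message authenticates the server, and the proposed scheme possesses mutual authentication.

Figure 3 message flow (the proposed registration phase):

User: chooses $ID_A$, $PW_A$ and a random number b; computes $h(b \oplus PW_A)$

User → Server: $\{ID_A, h(b \oplus PW_A)\}$

Server: computes $B_A = h(ID_A)^x + h(b \oplus PW_A) \bmod p$; stores $\{ID_A, B_A, h(\cdot), p, q, F_S(\cdot)\}$ to the smart card (SC)

Server → User: SC

User: enters b; SC contains $\{ID_A, B_A, h(\cdot), p, q, F_S(\cdot)\}$

Figure 4 message flow (the proposed login and authentication phase):

User: inputs $ID_A$, $PW_A$; generates $R_A$, $N_i$; computes $K_A = B_A \oplus h(b \oplus PW_A) \oplus N_i$, $W_A = F_S(ID_A, R_A \oplus K_A, N_i)$, $C_A = h(N_i \| R_A \| ID_A \| W_A \| K_A)$

User → Server: $\{W_A, C_A\}$

Server: decrypts $W_A$ to obtain $ID_A$, $R_A \oplus K_A$, $N_i$; verifies $ID_A$; computes $K_A = h(ID_A)^x \bmod p \oplus N_i$, $R_A' = (R_A \oplus K_A) \oplus K_A$; checks $C_A \overset{?}{=} h(N_i \| R_A' \| ID_A \| W_A \| K_A)$; computes $sk = h(ID_A \| N_i \| N_j \| R_A')$; generates a nonce $N_j$; computes $C_s = h(sk \| ID_A \| R_A' \| N_j)$

Server → User: $\{C_s, N_j\}$

User: computes $sk = h(ID_A \| N_i \| N_j \| R_A)$; checks $C_s \overset{?}{=} h(sk \| ID_A \| R_A \| N_j)$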

(4) Time asynchronous

In Song’s first scheme, timestamps are used for verification between the user and the server. However, the use of timestamps suffers from the time asynchronous problem: because the user’s time and the server’s time may be asynchronous, verification may fail. In the proposed scheme, random numbers and nonces are used instead of timestamps. Therefore, time synchronization between the server and the users is no longer required.

(5) Insider attack

In Song’s first scheme, the user sends his password PW to the server through the secure channel in the registration phase. Since the password is not protected, the scheme suffers from an insider attack. In the proposed scheme, a random number b and a one-way hash function are used to protect the password. The registration message sent to the server is $h(b \oplus PW_A)$. Now privileged insiders cannot obtain the private information on the server side, so our scheme can withstand the insider attack.

(6) Preserve user’s identity privacy

When passwords are selected from a small space, an attacker might enumerate all possible passwords. The enumeration can be done offline. Ultimately, the attacker may get the correct password. This is called a dictionary attack or password-guessing attack [14-15]. Since the space of identities is also small, Hsu and Chuang [16] proposed a dictionary attack on schemes [17-18] to disclose the identity of a user. By searching for an identity $ID_i$ that satisfies a given formula, a victim user is identified. In many situations, protecting the user’s identity from being revealed might be quite an important issue [19-21]. The proposed scheme uses a trapdoor function to encrypt the identity of users and a session key to verify the authenticity of messages. That is, the identities of legitimate users are not immediately apparent from the publicly available information. Only the legitimate server, which knows the corresponding trapdoor key, can obtain the user’s true identity.

Table 2 Security properties

| Security property | Xu et al. [8] | Song [9] | Proposed scheme |
|---|---|---|---|
| Withstand impersonation attack | No | No | Yes |
| Withstand off-line password guessing attack | Yes | Yes | Yes |
| Withstand insider attack | No | No | Yes |
| Required no time synchronization | No | No | Yes |
| Mutual authentication | Yes | Yes | Yes |
| Preserving user’s identity privacy | No | No | Yes |

Table 2 summarizes the comparison of the security analysis of our scheme and previous schemes. As shown, Xu et al.’s [8] scheme and Song’s [9] first scheme cannot withstand the impersonation attack and the insider attack. Also, these schemes have to deal with the problem of time synchronization and do not provide user’s identity privacy. Only our proposed scheme meets all the security properties listed in Table 2.

VI. CONCLUSIONS

In this paper, we reviewed Song’s authentication scheme and found that the scheme still has security flaws, such as impersonation attack, insider attack and time asynchronous. In order to remedy these security weaknesses, this paper proposes an improved scheme, which not only redresses the vulnerabilities mentioned above, but also provides identity privacy.

In Internet environments, the security properties of time synchronization and identity privacy have an important impact on authentication schemes. The proposed scheme takes this impact into account. It eliminates the use of timestamps to avoid the inconvenience of using synchronized clocks across distributed systems. Due to the rapid advance in Internet technology, and with identity theft being called the “Crime of Twenty-First Century” [22], disclosure of identity may lead to easy identity theft and extensive misuse, and may be harmful to users. In the authentication procedure, the property of preserving identity privacy has received much attention. Thus, these amendments make the proposed scheme more suitable for Internet environments.

REFERENCES

[1] Sun, H. M., “An efficient remote use authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 46, pp. 958-961, 2000.

[2] Wu, S. T. and Chieu, B. C., “A user friendly remote authentication scheme with smart cards,” Computers & Security, vol. 22, pp. 547-550, 2003.

[3] Hsu, C. L., “A user friendly remote authentication scheme with smart cards against impersonation attacks,” Applied Mathematics and Computation, vol. 170, pp. 135-143, 2005.

[4] Lamport, L., “Password authentication with insecure communication,” Communications of the ACM, vol. 24, pp. 770-772, 1981.

[5] Chien, H. Y., Jan, J. K. and Tseng, Y. M., “An efficient and practical solution to remote authentication: smart card,” Computers & Security, vol. 21, pp. 372-375, 2002.

[6] Lee, S. W., Kim, H. S. and Yoo, K. Y., “Improvement of Chien et al.’s remote user authentication scheme using smart cards,” Computer Standards & Interfaces, vol. 27, pp. 181-183, 2005.

[7] Lee, N. Y. and Chiu Y. C., “Improved remote authentication scheme with smart card,” Computer Standards & Interfaces, vol. 27, pp. 177-180, 2005.

[8] Xu, J., Zhu, W. T. and Feng, D. G., “An Improved smart card based password authentication scheme with provable security,” Computer Standards & Interfaces, vol. 31, pp. 723-728, 2009.

[9] Song, R., “Advanced smart card based password authentication protocol,” Computer Standards & Interfaces, vol. 32, pp. 321-325, 2010.

[10] Chen, H.-B., Chen, T.-H., Lee, W.-B. and Chang, C.-C., “Security enhancement for a three-party encrypted key exchange protocol against undetectable online password guessing attacks,” Computer Standards & Interfaces, vol. 30, pp. 95-99, 2008.

[11] Bellare, M., Halevi, S., Sahai, A. and Vadhan, S., “Many-to-one trapdoor functions and their relations to public-key cryptosystems,” Lecture Notes in Computer Science, vol. 1462, pp. 283-298, 1998.


[12] Das, M. L., “Two-factor user authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, pp. 1086-1090, 2009.

[13] Song, R., Korba, L. and Yee, G., “Analysis of smart card-based remote user authentication schemes,” Proceedings of the 2007 International Conference on Security and Management, pp. 323-329, 2007.

[14] Bellare, M., Pointcheval, D., and Rogaway, P., “Authenticated key exchange secure against dictionary attacks,” Advances in Cryptology Eurocrypt 2000, LNCS 1807, pp. 139-166, 2000.

[15] Bellovin, S. and Merritt, M., “Encrypted key exchange: password-based protocols secure against dictionary attacks,” Research in Security and Privacy, Proceedings IEEE Computer Society Symposium, pp. 72-84, 1992.

[16] Hsu, C. L. and Chuang, Y. H., “A novel user identification scheme with key distribution preserving user anonymity for distributed computer networks,” Information Sciences, vol. 179, Issue 4, pp. 422-429, 2009.

[17] Mangipudi, K. and Katti, R., “A Secure Identification and Key agreement protocol with user Anonymity (SIKA),” Computers & Security, vol. 25, Issue 6, pp. 420-425, 2006.

[18] Yang, Y., Wang, S., Bao, F., Wang, J. and Deng, R. H., “New efficient user identification and key distribution scheme providing enhanced security,” Computers & Security, vol. 23, Issue 8, pp. 697-704, 2004.

[19] Tschorsch, F. and Scheuermann B., “An algorithm for privacy-preserving distributed user statistics,” Computer Networks, vol. 57, Issue 14, pp. 2775-2787, 2013.

[20] Waqar, A., Raza, A., Abbas H., and Khan, M. K., “A framework for preservation of cloud users’ data privacy using dynamic reconstruction of metadata,” Journal of Network and Computer Applications, vol. 36, Issue 1, pp. 235-248, 2013.

[21] Litt, E., “Understanding social network site users’ privacy tool use,” Computers in Human Behavior, vol. 29, Issue 4, pp. 1649-1656, 2013.

[22] Thompson, J. F., “Identity, Privacy, and Information Technology,” available at http://www.educause.edu/ir/library/pdf/erm0267.pdf, 2002.
