a remote password authentication scheme based on the digital signature method

This article was downloaded by: [Temple University Libraries] On: 14 November 2014, At: 21:01 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK International Journal of Computer Mathematics Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/gcom20 A remote password authentication scheme based on the digital signature method Min-Shiang Hwang a a Department of Information Management , ChaoYang University of Technology , Taichung County, Wufeng, R.O.C.Taiwan Published online: 19 Mar 2007. To cite this article: Min-Shiang Hwang (1999) A remote password authentication scheme based on the digital signature method, International Journal of Computer Mathematics, 70:4, 657-666, DOI: 10.1080/00207169908804781 To link to this article: http://dx.doi.org/10.1080/00207169908804781 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content. This article may be used for research, teaching, and private study purposes. 
Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions



Intern. J. Computer Math., Vol. 70, pp. 657-666. Reprints available directly from the publisher. Photocopying permitted by license only.

© 1999 OPA (Overseas Publishers Association) N.V. Published by license under the Gordon and Breach Science Publishers imprint.

Printed in India.

A REMOTE PASSWORD AUTHENTICATION SCHEME BASED ON THE DIGITAL SIGNATURE METHOD

MIN-SHIANG HWANG*

Department of Information Management, ChaoYang University of Technology, Wufeng, Taichung County, Taiwan, R.O.C.

(Received 30 September 1997)

Conventional password authentication schemes require password files or verification tables to validate the legitimacy of the login user. In addition, for remote access, these schemes cannot withstand an attack by replaying a previously intercepted login request. In this paper, we propose a remote password authentication scheme based on the digital signature methods. This scheme does not require the system to maintain a password file, and it can withstand attacks based on message replaying.

Keywords: Cryptography; digital signature; password authentication; security

C. R. Categories: E.3

1. INTRODUCTION

One problem with using the remote login method to authenticate a user is that the remote user's password can be discovered by an intruder. This problem may occur because the communication link between the terminal and the system is insecure. An intruder can intercept a plain-text password and use it to log into the system later on. Even if the password is encrypted during transmission, the intruder can still impersonate the legitimate user by replaying a previously intercepted login message [22]. An effective remote password authentication scheme must withstand this type of attack.

*Address for correspondence: Associate Professor, P.O. Box 55-67, Taichung, Taiwan, R.O.C. Tel.: (886)43323000, Ext. 4288, Fax: (886)-4-3742337; e-mail: [email protected]. edu. tw


Password authentication schemes based on one-way functions [8, 13, 16, 19, 21, 31] are commonly used to control access to computational resources. These schemes require a password table to verify the legitimacy of each user who attempts to log in. These schemes may cause problems if an intruder can modify the passwords stored in the password table. In addition, these schemes cannot withstand a replaying attack. Singh [28] proposed an interactive password authentication scheme based on public-key cryptography such as the Diffie-Hellman cryptosystem [6] and the RSA cryptosystem [25]. His scheme can withstand replaying attacks, but it requires multiple communications between the user and the computer system. Hwang et al. [14] proposed an authentication scheme using smart cards. Their scheme is based on Shamir's ID-based signature scheme. In 1991, Chang and Wu [3] proposed a similar scheme based on the Chinese remainder theorem. Unfortunately, the scheme is vulnerable to attacks [4]. In this paper, we propose a remote password authentication scheme based on the ElGamal digital signature method [7]. In addition, we develop the same scheme based on a general digital signature method. This scheme can withstand message replaying attacks; it can also perform remote password authentication without using a password table. Before describing the proposed scheme, we first briefly review the ElGamal signature scheme.

2. REVIEW OF ELGAMAL'S SIGNATURE SCHEME

In 1985, ElGamal [7] proposed a public key cryptosystem and a digital signature scheme based on discrete logarithms. In this scheme, there are two public values $P$ and $g$ in the system. $P$ is a large prime number and $(P - 1)$ has a large factor. $g$ is a primitive element in the Galois field $GF(P)$. Each user $U_i$ has a secret key $x_i$, $x_i \in [1, P - 2]$, and a public key $y_i$, where $y_i = g^{x_i} \bmod P$. Thus, recovering the secret information from the public information requires the computation of a discrete logarithm modulo $P$. If user A wants to sign a message block $M$, an integer between 0 and $(P - 1)$, and send the signed message to user B, user A does the following:

1. Randomly chooses an integer $k$, $1 < k < (P - 1)$.

2. Computes $h = g^{k} \bmod P$.

3. Evaluates $s$ such that $M = xh + ks \bmod (P - 1)$, where $x$ is a secret key maintained by user A.

Once these calculations have been performed, user A's signature on $M$ is the pair $(h, s)$, since $M = xh + ks \bmod (P - 1)$ gives $g^{M} = g^{xh + ks} = (g^{x})^{h} (g^{k})^{s} = y^{h} h^{s} \bmod P$. Thus, the recipient B can verify that $(M, h, s) = S_x(M)$ by checking that $g^{M} = y^{h} h^{s} \bmod P$.

The advantage of ElGamal's signature scheme is that it is simple and secure. It is also suitable for a remote access authentication scheme. In our remote password authentication scheme, we use $M$ as the user's identification, and the signed version of $M$ under the system's secret key $x$, $S_x(M)$, as the password of the user. Whenever a user logs into the system with his identification ($ID$) and password ($PW$), the system uses the public key to check that $g^{ID} = y^{h} h^{PW} \bmod P$. In order to withstand replaying attacks, we introduce a time stamp [5] and a random number to encode the message of password authentication.

3. PROPOSED AUTHENTICATION SCHEME BASED ON ELGAMAL'S SIGNATURE METHOD

This new remote authentication scheme can be divided into three phases: the registration phase, the login phase, and the authentication phase. Before accessing a remote system, a new user must submit his identification to the system in the registration phase. The system registration center gives the new user a smart card, which stores some public parameters, and a password, which is delivered through a secure channel. When a legal user wants to log into the computer system, he inserts his smart card into a terminal and then keys in his identification and password.

Registration Phase

Suppose that a new user $U_i$ submits his $ID_i$ to the system. To compute the password $PW_i$ for user $U_i$, the system does the following:

1. Randomly chooses an integer $k_i$, $1 < k_i < (P - 1)$, such that $\gcd(k_i, P - 1) = 1$.

2. Computes $h_i = g^{k_i} \bmod P$.

3. Evaluates $PW_i$ such that $ID_i = x h_i + k_i PW_i \bmod (P - 1)$, where $x$ is a secret key maintained by the system and $y = g^{x} \bmod P$ is the public key of the system.

The registration center issues a smart card, which stores some public parameters, and a password, which is delivered through a secure channel to the new user. The smart card [23, 29, 30, 32] contains a microprocessor, which can perform arithmetic operations quickly, a RAM, a ROM in which are stored the algorithm of the one-way function $f$ and the parameters $h_i$ and $P$, an I/O interface, and programs for generating the authenticating message.

Login Phase

Upon login, $U_i$ attaches his smart card to a terminal. Then he keys in his $ID_i$ and the password $PW_i$ to the device. The smart card performs the following operations:

1. Generates a random number $r$ such that $\gcd(r, PW_i) = 1$.

2. Computes $C_1 = h_i^{r} \bmod P$.

3. Computes $t = f(C_1, T) \bmod (P - 1)$, where $T$ is the current date and time.

4. Computes $C_2 = PW_i + rt \bmod (P - 1)$.

5. Sends the message $C = (ID_i, h_i, C_1, C_2, T)$ to the remote system.

Authentication Phase

After receiving the authentication message $C$, the system authenticates the login user using the following steps. Suppose that the system receives the message $C$ sent from the user $U_i$ at $T'$; then the system performs the following:

1. Tests the validity of $ID_i$. If the format of $ID_i$ is incorrect, then the system rejects the login request.

2. Tests the time interval between $T$ and $T'$. If $(T' - T) > \Delta T$, where $\Delta T$ denotes the expected legal time interval for transmission delay, then the system rejects the login request.

3. If $h_i^{C_2} = g^{ID_i} y^{-h_i} C_1^{f(C_1, T)} \bmod P$, then the system accepts the login request. Otherwise, it rejects the login request.

When the user is legal, we show that the above equation, $h_i^{C_2} = g^{ID_i} y^{-h_i} C_1^{f(C_1, T)} \bmod P$, is correct as follows:

$$h_i^{C_2} = h_i^{PW_i + rt} = h_i^{PW_i} \cdot h_i^{rt} = h_i^{PW_i} \cdot C_1^{f(C_1, T)} \pmod P \qquad (1)$$

And,

From Eqs. (1) and (2), the equation $h_i^{C_2} = g^{ID_i} y^{-h_i} C_1^{f(C_1, T)} \bmod P$ holds.
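The three phases of Section 3 carried through end to end, as an added example that is not code from the paper: the toy field $P = 2^{31} - 1$ with primitive root 7, SHA-256 as the one-way function $f$, and the encoding of an identity string as an integer are all assumptions of this example. The verifier rearranges the Step 3 equation as $h_i^{C_2} y^{h_i} = g^{ID_i} C_1^{t}$ so that no modular inverse is needed, and the replay case of Section 4 (a re-stamped $T$) is exercised alongside a legitimate login.

```python
"""Toy model of the ElGamal-based scheme: registration, login and authentication.

Constructed example with a small field; the parameters below are for
illustration only (P - 1 is smooth, which the paper explicitly rules out)."""
import hashlib
import math
import secrets

P = 2**31 - 1                                   # prime; 7 is a primitive root mod P
G = 7
P1_FACTORS = (2, 3, 7, 11, 31, 151, 331)        # prime factors of P - 1
assert all(pow(G, (P - 1) // q, P) != 1 for q in P1_FACTORS), "G must be primitive"


def f(c1: int, t: int) -> int:
    """One-way function f(C1, T) reduced mod (P - 1); SHA-256 is an assumption."""
    digest = hashlib.sha256(f"{c1}:{t}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def id_to_int(user_id: str) -> int:
    """Hypothetical encoding of the identity string as an integer in [0, P - 2]."""
    digest = hashlib.sha256(user_id.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1)


class System:
    """Registration center and remote host; keeps only the secret x, no password table."""

    def __init__(self, x=None, delta_t=60):
        self.x = x if x is not None else secrets.randbelow(P - 2) + 1
        self.y = pow(G, self.x, P)              # public key y = g^x mod P
        self.delta_t = delta_t                  # delta T: allowed transmission delay

    def register(self, id_i: int):
        """Registration phase: returns (h_i, PW_i) to be stored on the smart card."""
        while True:
            k_i = secrets.randbelow(P - 3) + 2  # 1 < k_i < P - 1
            if math.gcd(k_i, P - 1) != 1:
                continue
            h_i = pow(G, k_i, P)
            # Solve ID_i = x*h_i + k_i*PW_i (mod P - 1) for PW_i.
            pw_i = ((id_i - self.x * h_i) * pow(k_i, -1, P - 1)) % (P - 1)
            if pw_i:                            # retry in the negligible case PW_i = 0
                return h_i, pw_i

    def authenticate(self, msg, t_recv: int) -> bool:
        """Authentication phase: ID format, timestamp window, then the signature equation."""
        id_i, h_i, c1, c2, t_sent = msg
        if not 0 <= id_i < P - 1 or not 1 < h_i < P:
            return False                        # Step 1: malformed ID_i (or h_i)
        if t_sent > t_recv or t_recv - t_sent > self.delta_t:
            return False                        # Step 2: stale T (future-dated T is an added check)
        t = f(c1, t_sent)
        # Step 3: h_i^C2 = g^ID_i * y^(-h_i) * C1^f(C1,T) (mod P), rearranged as
        # h_i^C2 * y^h_i = g^ID_i * C1^t so that no modular inverse is needed.
        lhs = (pow(h_i, c2, P) * pow(self.y, h_i, P)) % P
        rhs = (pow(G, id_i, P) * pow(c1, t, P)) % P
        return lhs == rhs


def login(id_i: int, h_i: int, pw_i: int, now: int):
    """Login phase as performed by the smart card; returns C = (ID_i, h_i, C1, C2, T)."""
    while True:
        r = secrets.randbelow(P - 2) + 1        # random r with gcd(r, PW_i) = 1
        if math.gcd(r, pw_i) == 1:
            break
    c1 = pow(h_i, r, P)
    t = f(c1, now)
    c2 = (pw_i + r * t) % (P - 1)
    return (id_i, h_i, c1, c2, now)
```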

4. SECURITY ANALYSIS

Because our scheme is based on the ElGamal digital signature scheme, it is very difficult for the user $U_i$ to compute the secret key $x$ of the system from the equation $y = g^{x} \bmod P$ [6]. It is difficult for an intruder to obtain the system-generated random number $k_i$ directly from the equation $h_i = g^{k_i} \bmod P$ in Step 2 of the registration phase. Also, it is difficult for an intruder to obtain the user-generated random number $r$ directly from the equation $C_1 = h_i^{r} \bmod P$ in Step 2 of the login phase.

This gives the intruder little information with which to obtain the password of the legal user from the equation $ID_i = x h_i + k_i PW_i \bmod (P - 1)$ in Step 3 of the registration phase and the equation $C_2 = PW_i + rt \bmod (P - 1)$ in Step 4 of the login phase. The difficulty relies on the complexity of computing discrete logarithms over finite fields [A.

In order to pass the test in Step 2 of the authentication phase, the intruder must change $T$ into a new time $T^{*}$ such that $(T'' - T^{*}) \le \Delta T$, where $T''$ is the time when the system receives the illegal login message. Once $T$ is changed, the intruder will fail the test in Step 3 of the authentication phase unless either $t$ or $C_2$ has been changed accordingly. Therefore, the proposed scheme is secure against replaying attacks.

The scheme tests $T' - T \le \Delta T$ to detect replays of login messages. However, this test may be susceptible in the following two cases. One is that, as a result of possibly induced network delays and loose clock synchronization, a small $\Delta T$ denies legitimate authentication requests. The other is that a large $\Delta T$ admits replaying attacks. Thus, how to choose an appropriate $\Delta T$ is a very important issue in our scheme. One of the solutions is to use a replay detection buffer which is maintained by the authenticating party. The $\Delta T$ is variable according to the loads of network traffic and clock synchronization, and is stored in the replay detection buffer. Although the proposed replay detection scheme using timestamps in the authentication phase is susceptible to denial-of-service [2], the concept of timestamp is the most acceptable and widely used identification scheme [3, 22].

We use a well-known one-way function $f$ for encoding the current date and time $T$ in our scheme. The practical importance of such functions has been known for some time, and researchers have used them in a number of schemes [1, 11, 15, 26]. This one-way function $f$ has the following properties [17, 20, 24]:

1. The function $f$ is easy to compute, and it is also easy to pick a member of the family of functions $f$ at random.

2. The function is computationally difficult to invert. This means it is computationally infeasible, given a string $x$, to compute another string $x' \ne x$ satisfying $f(x) = f(x')$ for a randomly chosen $f$.

Therefore it is difficult for an intruder to obtain $T^{*}$ and $C_1^{*}$ such that $f(C_1, T) = f(C_1^{*}, T^{*})$.

5. PROPOSED AUTHENTICATION SCHEME BASED ON GENERAL DIGITAL SIGNATURE

In Section 3 we stated that our authentication scheme is based on ElGamal's signature method. In fact, other digital signature methods, including such well-known schemes as the RSA digital signature [5], Shamir's identity based signature scheme [27], Rabin's signature scheme [5], the Goldwasser-Micali-Rivest signature scheme [10], the Fiat-Shamir signature scheme [9], and Merkle's tree signature scheme [18], can also be used in the present remote password authentication scheme.

5.1. Proposed Scheme Based on General Digital Signature

Now, we develop a remote password authentication scheme without verification tables, as shown in Figure 1. Basically, our scheme is based on the digital signature methods, the time stamp concept, and a random number generator. Before a remote system may be accessed, the system signs a new user identification (IDi) with system's secret key d that generates the user's secure password (PWi) in the registration phase. When a legal user wants to log into the computer system, the end-user terminal performs the following:

1. Generates a random number $r$ and computes a one-way function $f_1$ with both parameters $r$ and the public information ($e_i$).

2. Computes a one-way function $f_2$ with $C_1$ and the current time $T$.

3. Computes $C_3 = f_3(PW_i)\ \theta_1\ f_4(r, C_2)$, where $f_3$ and $f_4$ are two one-way functions, $C_2$ is obtained from Step 2, and $\theta_1$ is an operation over Galois fields [12].

4. Sends a message containing $e_i$, $C_1$, $C_3$, $T$, and the user identification $ID_i$.

After receiving the authentication message, the system first checks the format of $ID_i$ and the expected legal time interval for transmission delay. It then uses the authentication function $E_{e_i}$ together with the public information $e_i$ to verify the user's identity. In the following subsection, we will show how to decide these functions $f_1, f_2, f_3, f_4, f_5$, and $f_6$.

[Figure 1 residue. Registration phase: generates $e_i$. Login phase: sends $(ID_i, e_i, C_1, C_3, T)$. Authentication phase: tests the validity of $ID_i$; checks the expected time interval.]

FIGURE 1 A password authentication scheme based on general digital signature.


5.2. Correctness of the Scheme

In this subsection, we show why the check in the authentication phase of the general digital signature method is possible. When the user is legal, we derive the equation $E_{e_i}(C_3) = f_5(ID_i)\ \theta_2\ f_6(C_1, C_2)$ in the authentication phase as follows:

where $E_{e_i}$ is a designature function with the public information $e_i$; $\theta_1$ and $\theta_2$ are operations over Galois fields. Since $PW_i = D_d(ID_i)$, we can always find a function $f_5$ such that $E_{e_i}(f_3(PW_i)) = f_5(ID_i)$. By the property of linear dependence, we can also choose $C_1 = f_1(r, e_i)$ and $f_4(r, C_2)$ such that the equation $E_{e_i}(f_4(r, C_2)) = f_6(C_1, C_2)$ holds. Therefore, the authentication of our scheme is correct.

We give an example to illustrate the correctness of the scheme. We assume that Shamir's identity based signature scheme [27] is used in our scheme. The password of user $i$ is $PW_i = ID_i^{d} \bmod n$, where $n$ is the product of two large primes, $d$ is a secret key of the system such that $ed \bmod \phi(n) = 1$, $e$ is published to every user, and $\phi(n)$ is Euler's totient function of $n$. Let $f_3$ be an identity function. We obtain the function $f_5$ from $E_e(PW_i) = f_5(ID_i)$ as follows.

Thus, the function $f_5$ is an identity function. The other functions are chosen as follows.

Here, we let $f_4(r, C_2) = r^{C_2}$, $f_1 = r^{e}$, $f_6(C_1, C_2) = C_1^{C_2}$, and $f_2$ is an arbitrary one-way function.
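The instantiation of Section 5.2 carried through as an added example (not the paper's own code): with $f_3 = f_5$ the identity, $f_1 = r^{e}$, $f_4(r, C_2) = r^{C_2}$, $f_6(C_1, C_2) = C_1^{C_2}$ and $\theta_1 = \theta_2$ taken as multiplication modulo $n$, the check reduces to $C_3^{e} = ID_i \cdot C_1^{C_2} \bmod n$. The toy primes and SHA-256 as $f_2$ are assumptions of this example.

```python
"""The general scheme of Section 5 instantiated with Shamir's identity-based
(RSA-type) signature: f3 = f5 = identity, f1 = r^e, f4(r, C2) = r^C2,
f6(C1, C2) = C1^C2, and theta1 = theta2 = multiplication mod n.

Constructed example; the toy primes are far too small for real use."""
import hashlib
import math
import secrets

P_PRIME, Q_PRIME = 999983, 1000003
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537                       # public exponent e, published to every user
D = pow(E, -1, PHI)             # system secret d with e*d = 1 (mod phi(n))


def f2(c1: int, t: int) -> int:
    """One-way function f2(C1, T); SHA-256 is an assumption of this example."""
    digest = hashlib.sha256(f"{c1}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % N


def register(id_i: int) -> int:
    """Registration phase: PW_i = ID_i^d mod n, the system's signature on the identity."""
    return pow(id_i, D, N)


def login(id_i: int, pw_i: int, now: int):
    """Login phase on the terminal: C1 = r^e, C2 = f2(C1, T), C3 = PW_i * r^C2 (mod n)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    c1 = pow(r, E, N)
    c2 = f2(c1, now)
    c3 = (pw_i * pow(r, c2, N)) % N
    return (id_i, E, c1, c3, now)


def authenticate(msg, t_recv: int, delta_t: int = 60) -> bool:
    """Authentication phase: E_e(C3) = C3^e must equal f5(ID_i) * f6(C1, C2) = ID_i * C1^C2.

    For a legal user this holds because C3^e = PW_i^e * r^(e*C2) = ID_i * (r^e)^C2 (mod n)."""
    id_i, e_i, c1, c3, t_sent = msg
    if not 1 <= id_i < N or e_i != E:
        return False                # malformed ID_i or unexpected public information
    if t_sent > t_recv or t_recv - t_sent > delta_t:
        return False                # outside the expected transmission window
    c2 = f2(c1, t_sent)             # the system recomputes C2 from C1 and T itself
    return pow(c3, e_i, N) == (id_i * pow(c1, c2, N)) % N
```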


The security of the authentication scheme is based on that of the general digital signature and the time stamp concept. It is difficult for the user $U_i$ to compute the secret key of the system by using his password, which is generated by the system in the registration phase. Also, it is difficult for an intruder to obtain the user-generated random number $r$ directly from the procedures in the login phase. This gives the intruder little information with which to obtain the password of the legal user from the procedures in the registration phase and in the login phase. In order to withstand replaying attacks, the intruder must change $T$ into a new time $T^{*}$ such that $(T'' - T^{*}) \le \Delta T$, where $T''$ is the time when the system receives the illegal login message. Once $T$ is changed, the intruder will fail to pass the authentication phase. Therefore, the proposed scheme is secure against replaying attacks.

6. CONCLUSIONS

We have proposed a remote password authentication scheme that does not require a password file or a verification table. The scheme can withstand attacks in which a previously intercepted login request message is replayed. The security of the scheme rests on the difficulty of computing discrete logarithms over finite fields. Without loss of generality, we develop a remote password authentication scheme using various types of digital signature methods.

Acknowledgement

This research was partially supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC87-2218-E-324-001.

References

[1] Akl, S. G. and Taylor, P. D. (1983). Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems, 1, 239-248.

[2] Bauer, R. K., Berson, T. A. and Feiertag, R. J. (1983). A key distribution protocol using event markers. ACM Transactions on Computer Systems, 1, 249-255.

[3] Chang, C. C. and Wu, T. C. (1991). Remote password authentication with smart cards. IEE Proceedings-E, 138, 165-168.

[4] Chang, C. C. and Laih, C. S. (1992). Remote password authentication with smart cards (correspondence). IEE Proceedings-E, 139, 372.

[5] Denning, D. E. R. (1982). Cryptography and Data Security, Addison-Wesley, Massachusetts.

[6] Diffie, W. and Hellman, M. E. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22, 644-654.

[7] ElGamal, T. (1985). A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31, 469-472.

[8] Evans, A. Jr., Kantrowitz, W. and Weiss, E. (1974). A user authentication scheme not requiring secrecy in the computer. Communications of the ACM, 17, 437-442.

[9] Fiat, A. and Shamir, A. (1986). How to prove yourself: practical solutions to identification and signature problems. Advances in Cryptology, CRYPTO'86, pp. 186-194.

[10] Goldwasser, S., Micali, S. and Rivest, R. L. (1984). A paradoxical solution to the signature problem. Proc. 25th Ann. IEEE Symp. FOCS, pp. 441-448.

[11] Gudes, E. (1980). The design of a cryptography based secure file system. IEEE Transactions on Software Engineering, SE-6, 411-420.

[12] Herstein, I. N. (1975). Topics in Algebra, Xerox College, Massachusetts.

[13] Hwang, T. Y. (1983). Passwords authentication using public-key encryption. IEEE Proceedings International Carnahan Conference Security Technology, pp. 141-144.

[14] Hwang, T., Chen, Y. and Laih, C. S. (1990). Non-interactive password authentications without password table. IEEE Region 10th Conference on Computer and Communication Systems, 429-431.

[15] Ingemarsson, I. and Wong, C. K. (1981). A user authentication scheme for shared data based on trap-door one-way functions. Information Processing Letters, 12, 63-67.

[16] Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24, 770-772.

[17] Merkle, R. C. (1990). One-way hash functions and DES. Advances in Cryptology, CRYPTO'89, pp. 428-446.

[18] Merkle, R. C. (1989). A digital signature based on a conventional encryption function. Advances in Cryptology, CRYPTO'89, pp. 218-238.

[19] Morris, R. and Thompson, K. (1979). Password security: a case history. Communications of the ACM, 22, 594-597.

[20] Naor, M. and Yung, M. (1989). Universal one-way hash functions and their cryptographic applications. Proc. of the 21st STOC, pp. 33-43.

[21] Needham, R. M. and Schroeder, M. D. (1978). Using encryption for authentication in large networks of computers. Communications of the ACM, 21, 993-999.

[22] Neumann, P. G. (1994). Risks of passwords. Communications of the ACM, 37, 126.

[23] Reid, M. A. and Madan, M. S. (1989). Security issues in the use of smart cards. Computer Communications, 12, 25-30.

[24] Rompel, J. (1990). One-way functions are necessary and sufficient for secure signatures. Proc. of the 22nd STOC, pp. 387-394.

[25] Rivest, R. L., Shamir, A. and Adleman, L. (1978). A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21, 120-126.

[26] Sandhu, R. S. (1988). Cryptographic implementation of a tree hierarchy for access control. Information Processing Letters, 27, 95-98.

[27] Shamir, A. (1984). Identity based cryptosystems & signature schemes. Advances in Cryptology, CRYPTO'84, pp. 47-53.

[28] Singh, K. (1985). On improvements to password security. Operating System Review, 19, 53-60.

[29] Sternglass, D. (1992). The future is in the PC cards. IEEE Spectrum, 29, 46-50.

[30] Weiss, K. P. (1986). When a password is not a password. IEEE Computer, pp. 100-108.

[31] Wilkes, M. V. (1975). Time Sharing Computer Systems, Macdonald.

[32] Wood, L. (1991). Smartcards: smarter than passwords. Datamation, 37, 69-70.
