an improved timestamp-based remote user authentication scheme
TRANSCRIPT
Computers and Electrical Engineering 37 (2011) 869–874
Contents lists available at SciVerse ScienceDirect
Computers and Electrical Engineering
journal homepage: www.elsevier .com/ locate/compeleceng
An improved timestamp-based remote user authentication scheme q
Amit K. Awasthi a,⇑, Keerti Srivastava a, R.C. Mittal b
a Group for Cryptology Research, School of Vocational Studies and Applied Sciences, Gautam Buddha University, Greater Noida 201 308, Indiab Department of Mathematics, I.I.T. Roorkee, Roorkee 247 667, Uttarakhand, India
a r t i c l e i n f o
Article history:Received 15 March 2010Received in revised form 27 September 2011Accepted 27 September 2011Available online 1 November 2011
0045-7906/$ - see front matter � 2011 Elsevier Ltddoi:10.1016/j.compeleceng.2011.09.015
q Reviews processed and approved for publication⇑ Corresponding author.
E-mail addresses: [email protected], awasthi_hc
a b s t r a c t
To protect the remote server from various malicious attacks, many authentication schemeshave been proposed. Some schemes have to maintain a password verification table in theremote server for checking the legitimacy of the login users. To overcome potential risks ofverification tables, researchers proposed remote user authentication schemes using smart-card, in which the remote server only keeps a secret key for computing the user’spasswords and does not need any verification table for verifying legal user. In 2003 Shen,Lin, and Hwang proposed a timestamp-based password authentication scheme usingsmartcards in which the remote server does not need to store the passwords or verificationtable for user authentication. Unfortunately, this scheme is vulnerable to some deadlyattacks. In this paper, we analyze few attacks and finally propose an improved time-stamp-based remote user authentication scheme. The modified scheme is more efficientand secure than original scheme.
� 2011 Elsevier Ltd. All rights reserved.
1. Introduction
With rapid development of the Internet technology, we are able to access any service from any place and at any time.Remote user authentication becomes an important process for such service providers. Service servers use this process toverify whether a remote user is legal even through insecure channels. Since the first well-known scheme of Lamport [1],various schemes have been proposed to improve security, cost, and efficiency of table based remote authentication schemes.Table based authentication schemes suffer from the risk of cheating with verification table and cost of protecting and main-tain these tables. These tables have high risk of being stolen by adversaries, which results, as system is totally or partiallybroken.
The advantages of smart cards are storage and computation abilities. Some scholars [2,3] used these powers of smart-cards, but their schemes have to maintain a verified table of passwords and do not allow changing passwords freely. Manyschemes have been proposed using smartcards claiming that these provide mutual authentication, free choice of password,and secure against various known attacks.
In 1999, Yang and Sheih [4] proposed a timestamp-based password remote authentication scheme using smartcard toremove the need of password tables or verification tables at the end of server. In this scheme, users are free to chooseand change their passwords. However, this scheme was later found to be vulnerable to the forged login attacks by Cheng[5], Fan [6], and Shen [7] independently. In addition, Fan gave a slight modification of the original scheme, but his modifi-cation is not so practical.
In 2003, Shen et al. [7] proposed an improved scheme to resist the forged login attacks and provided mutual authentica-tion. In Shen’s scheme, the attacker can intercept the legal users login request and register the smartcard to carry out theforged login attacks.
. All rights reserved.
to the Editor-in-Chief Dr. Manu Malek.
[email protected] (A.K. Awasthi), [email protected] (R.C. Mittal).
870 A.K. Awasthi et al. / Computers and Electrical Engineering 37 (2011) 869–874
Liu et al. [8] pointed out that Shen’ scheme is vulnerable to forged login attack. To overcome this problem, they proposeda new improved scheme based on nonce [8], but in absence of timestamp this scheme is prone to certain attacks, e.g. Replayattack.
This paper analyzes the weakness of the Shen et al.’s scheme [7], and presents an improved remote authenticationscheme, which still keeps the features of the non-storage of data at server side. In proposed scheme, remote server needsnot to store any verification information of the users.
2. Review of Shen et al.’s. scheme [4]
In this scheme, the key information center (KIC), a trusted authority, is responsible for generating global parameters, com-puting user’s secret information and providing smartcards to the new users. There are four phases in the authenticationscheme: initialization, registration, login, and authentication.
2.1. Initialization phase
KIC performs the following steps:
1. Generate two large primes p and q and computes n = pq.2. Choose a prime number e and an integer d such that
e � d mod ðp� 1Þðq� 1Þ ¼ 1
where e is the system public key, d is the corresponding private key, which should be provided to the server in a safe way.3. Find an integer g, which is a primitive element in both GF(p) and GF(q) and the public information in the system.
2.2. Registration phase
A new user Ui securely submits his identifier IDi and password PWi to the KIC. The KIC then performs the following steps:
1. Calculate the user’s secret information Si : Si ¼ IDdi mod n.
2. Generate the smart card’s identifier CIDi and hi of the user Ui as
CIDi ¼ f ðIDi � dÞ
and
hi ¼ gpwi � d mod n
where f(x) is a one way function.3. Write n, e, g, IDi, CIDi, Si and hi in to the smart card of the user Ui, and issues this smartcard to user Ui through a secure
channel.
2.3. Login phase
User (client) performs the following steps:
1. Generate a random number ri and compute Xi and Yi as follows:Xi ¼ gri � pwi mod n, Yi ¼ Si � hri � f ðCIDi ;TcÞ
i mod nwhere Tc is the timestamp at the login device and f(x,y) is a one way function.
2. Ui!M
S: User Ui sends M to the remote server S. Here M = IDi, CIDi, Xi, Yi, n, e, g, Tc is a login request message of the user Ui.
2.4. Authentication phase
After receiving the login request message M from Ui, the remote server will perform the following steps to verify the cor-rectness of M.
1. Verify that IDi is a valid user identifier. If IDi is not valid then reject the login request.2. Check the validity of Tc. If (Ts � Tc) � DT then reject the login request. Where Ts is the current timestamp at the remote
server; DT is expected legitimate time interval for transmission delay.3. Compute CID0i = f(IDi;� d). If CID0i – CIDi then reject the login request.4. Check the equation Ye
i ¼ IDi:Xf ðCIDi ;TC Þi mod n. If it holds, the login request is accepted, otherwise rejected.
5. S!M0 Ui: Remote server S sends M0 to the user Ui. Here M0 ¼ ðR; T 0s), where R ¼ ðf ðCIDi; T0sÞÞ
d mod n and T 0S is the timestampat the remote server.
A.K. Awasthi et al. / Computers and Electrical Engineering 37 (2011) 869–874 871
6. Upon receiving the message M0 from the server, the user Ui verifies the server as follows:(a) Check the time interval between T 0s and T 0c where T 0c is the timestamp when the user Ui receives the message M0. If
T 0c � T 0S � DT, then Ui rejects the remote server, where DT denotes the predetermined legitimate time interval of trans-mission delay.
(b) Checks R0 = Re mod n. In fact,
Re mod n ¼ ðf ðCIDi; T0sÞÞ
dÞe mod n ¼ f ðCIDi; T0sÞ
3. Forged login attack on the Shen et al. [7]
3.1. By Liu, Zhou, Gao
In this section, we have depicted a forged login attack on the Timestamp-based password authentication scheme [7],which was earlier discovered by Liu et al. [8]. In this attack, an attacker can pretend to be a legal user and login the remoteserver successfully by registering a legal smart card and intercepting valid login request sent by the legal user. Suppose anattacker Uf attempts to impersonate a legal user Ui with identity IDi. The attacker can login the remote server successfully byperforming the following steps:
1. Intercept a login request message of the user Ui:IDi, CIDi, Xi, Yi, n, e, g, Tc by monitoring the power consumption.2. Compute IDf ¼ ID�1
i mod n, choose some password PWf and send these information to server for registration as his iden-tity. Server computes (As in Section 2.2)
CIDf ¼ f ðIDf � dÞ; Sf ¼ IDdf mod n;hf ¼ gPWf :d mod n
where d is the secret information known to server. Server writes n, e, g, IDf, CIDf, Sf and hf in to the smart card of Uf, andissue it through a secure channel.
3. As
Sf ¼ IDdf mod n ¼ ðID�1
i Þd mod n ¼ ID�d
i mod n
and
Si ¼ IDdi mod n
therefore
Si � Sf ¼ 1 mod n
Now compute the secret information Si of the user Ui by using the extended Euclidean algorithm.4. Generate a random number rf, and compute Xf and Yf.
Xf ¼ grf � PWf mod n; Yf ¼ Si � hrf � f ðCID;Tf Þf mod n
here Tf is the current timestamp.5. Uf !
MS : M ¼ Xf ;Yf , IDi, CIDi, n, e, g, Tfwhere M is the forged login request message of the user Ui. It is easy to verify that
M = Xf, Yf, IDi, CIDi, n, e, g, Tf is a valid login request.In fact, (by using Extended Euclidean algorithm)
Yef ¼ Si � h
rf � f ðCIDi ;Tf Þf
� �emod n
¼ IDedi � h
rf � f ðCIDi ;Tf Þ � ef mod n
¼ IDi � gPWf � d � rf � f ðCIDi ;Tf Þ � e mod n
¼ IDi � Xf ðCIDi ;Tf Þf mod n
So an attacker can forge valid login request of the user Ui.
3.2. Proposed attack
An adversary has stolen a smartcard and with this smartcard he can login the remote server successfully by performingthe following steps:
1. Intercept a login request message of the user
Ui : IDi;CIDi;Xi;Yi;n; e; g; Tc
872 A.K. Awasthi et al. / Computers and Electrical Engineering 37 (2011) 869–874
2. Send Xi to the remote server as his identifier and PWi as chosen password. Server computes
Sx ¼ Xdi mod n
The attacker Uf can get the message (n, e, g, Sx) on the valid smartcard through the registration phase.3. Extract Si from stolen smart card. Compute
Yf ¼ Si � Sf ðCIDi ;Tf Þx mod n
and
Xf ¼ Sx
where Tf is the timestamp at the login device and f(x,y) is one way function.4. Uf !
MS : M ¼ Xf ;Yf ; IDi; CIDi;n; e; g; Tf where M is the forged login request message of the user Uf.
It is easy to verify that M = CIDi, IDi, Xf, Yf, n, e, g, Tf is a valid login request. In fact (using Extended Euclidean algorithm),
Yef ¼ Se
i � Se � f ðCIDi ;Tf Þx mod n
¼ IDi � Se � f ðCIDi ;Tf Þx mod n
¼ IDi � Xf ðCIDi ;Tf Þi mod n
Form Shen et al.’s Authentication phase 2.4(4) it shows that adversary Uf is succeeded to make server fool.
4. The improved authentication scheme
4.1. Initialization phase
In proposed improved scheme Key Information Centre (KIC) is a trusted authority which generates global parameters. KICalso computes user’s secret information and provides smart cards to users. KIC performs the following steps:
1. Generate two large primes p and q and compute n = pq.2. Choose a prime number e and an integer d, such that
e � d mod ðp� 1Þðq� 1Þ ¼ 1
where e is the system’s public key, and d is the corresponding private key, which should be provided to the server in a safeway.
3. Find an integer g, which is a primitive element in both GF(p) and GF(q) and the public information of the system.
4.2. Registration phase
A new user Ui securely submits his identifier IDi and password PWi to the KIC. The KIC then performs the following steps:
1. Generate the smart card’s identifier CIDi for user Ui and hi as
CIDi ¼ f ðIDi � dÞ;hi ¼ gpwi :d mod n
where f(x) is a one way function.2. Calculate the user’s secret information Si
Si ¼ CIDdi mod n
3. Write n, e, g, IDi, Si and hi into the smart card of Ui, and issue the smartcard to the user through a secure channel.
4.3. Login phase
User Ui performs the following steps:
1. Choose a random number ri and compute Xi and Yi as follows:
Xi ¼ gri ;pwi mod n; Yi ¼ Si � hri � f ðIDi ;TcÞi mod n
where Tc is the timestamp at the login device and f(x, y) is a one way function.
A.K. Awasthi et al. / Computers and Electrical Engineering 37 (2011) 869–874 873
2. Ui!M
S : M ¼ IDi,Xi, Yi, n, e, g, Tc
User sends M to the remote server S, where M is a login request message of the user Ui
4.4. Authentication phase
After receiving the login request message M from Ui, the remote server will perform the following steps to verify the cor-rectness of M.
1. Verify that IDi is a valid user identifier. If it is not then reject the login request.2. Check the validity of Tc. If (Ts � Tc) � DT, then the server rejects the login request, where Ts is the current timestamp at the
remote server; DT is expected legitimate time interval for transmission delay.3. Compute CIDi = f(IDi � d)4. Check the equation
Yei ¼ CIDi � Xf ðIDi ;TC Þ
i mod n
If it holds, accept the login request, otherwise reject.5. S!M0 Ui : M0 ¼ ðR; T 0sÞ where R ¼ ðf ðIDi; T
0sÞÞ
d mod n and T 0S is the current timestamp on the remote server. Upon receivingthe message M0 from the server, the user Ui verifies the server as follows.
6. Check the time interval between T 0s and T 0c where T 0c is the timestamp when the user Ui receives the message M0. IfT 0c � T 0S � DT, then Ui rejects the remote server, where DT denotes the predetermined legitimate time interval of transmis-sion delay.
7. Compute R0 = Re mod n. If R0 ¼? f ðIDi; T0sÞ, accept the server otherwise reject server and disconnect it. In fact,
Re mod n ¼ ðf ðIDi; T0sÞÞ
dÞe mod n ¼ f ðIDi; T0sÞ
5. Attributes of the proposed scheme
� Perfect secrecySuppose that the adversary has intercepted all U0s transmitting and receiving message IDi, Xi, Yi, Si, e, g, Tc, the adversary
cannot compute CID = f(ID � d), since it is computationally infeasible for the adversary to obtain d by solving the discretelogarithm problem, so CID will still be secure. therefore, the improved scheme can provide perfect forward secrecy.
� Mutual authentication
The user and the server can authenticate each other. Not only the server can verify the legal users, but the users can alsoverify the legal server. Mutual authentication can help withstand the server spoofing attacks where an attacker pretends tobe the server to manipulate sensitive data of the legal users.
� Cost analysis
In login phase of proposed scheme CID is not transmitted with Login message M, which saves transmission cost compar-ison to Shen et al. scheme [7], and does not add additional computational cost to the smart card.
� Storing capacity
Improved scheme still maintains the features of the non-storage of data. The remote server does not need to store anyauthentication information of the user. In the whole process of the authentication, the server can carry out the authentica-tion using the elements coming directly from the user’s login, its own secure private key, and the public information of thesystem.
6. Conclusion
This paper has shown that Shen, Lin and Hwang’s timestamp-based password remote authentication scheme [7] is stillvulnerable to the forged login. We reviewed Liu et al.’s [8] attack and pointed out an additional security threat. To patch upthe problems of Shen’s scheme in the registration and authentication phase, we proposed a scheme to prevent discussedforgery attacks.
The proposed scheme is an improvement over Shen et al.’s scheme. The improved scheme is secure against the forgedlogin attack by calculating different structure of secret information Si = CIDd mod n, and still the security of the improvedscheme is based on the security of one way function and the difficulty of computing the discrete logarithm and decompo-sition of large integral number. Although an adversary can intercept the login message IDi, Xi, Yi, Si, e, g, Tc however, without
874 A.K. Awasthi et al. / Computers and Electrical Engineering 37 (2011) 869–874
knowing the secret information d he or she could not compute CID, and will be fail to forge the legal user. By removing thedirect Ui’s CIDi on smartcard, we can stop the forged login attack. As d is the remote server’s secret key and we hide CIDi in Si.That is secure until d is not compromised. Any intruder cannot forge the valid CIDi and the login request message M.
The performance of our scheme is better than Shen’s Scheme. In the modified scheme, the remote server does not writethe information CIDi on smartcard exclusively, which saves the memory on smartcard. The user is still free to choose his/hermemorable and short identity IDi without increasing any additional computations of remote server. Therefore, the modifiedscheme is more efficient and secure than Shen’s scheme.
References
[1] Lamport L. Password authentication with insecure communication. Communication ACM 1981;24:770–2.[2] Hwang MS, Li LH. A new remote user authentication scheme using smart card. IEEE Transaction on Consumer Electronics 2000;46(1):28–30.[3] Sun HM. An efficient remote user authentication scheme using smart cards. Transaction on Consumer Electronics 2000;46(4):958G–961.[4] Yang WH, Shieh SP. Password authentication scheme with smard cards. Computers and Security 1999;18(8):727–33.[5] Chan CK, Cheng LM. Cryptanalysis of timestamp-based password authentication scheme. Computers and Security 2002;21(1):74–6.[6] Fan L, Li JH, Zhu HW. An enhancement of timestamp-based password authentication scheme. Computers and Security 2002;21(7):665–7.[7] Shen JJ, Lin CW, Hwang MS. Security enhancement for the timestamp-based password authentication. Computers and Security 2003;22(7):591–5.[8] Liu Jia-Yong, Zhou An-Min, Gao Min-Xu. A new mutual authentication scheme based on nonce and smart cards. Computer Communications
2008;31:2205–9.
Amit K. Awasthi received his M.Sc. degree in Mathematics from MJP Rohilkhand University, Bareilly, India, in 1999, and Ph.D. degree in Mathematics fromDr. BRA University, Agra, India in 2007. He is currently working as Assistant Professor in Department of Mathematics, at Gautam Buddha University, GreaterNoida, India. His research interests include applied Cryptography, Network security, and Number Theory.
Keerti Srivastava is a Ph.D. scholar at UP Technical University, Lucknow. Her research interests include applied Cryptography, Network security.
R.C. Mittal received his M.Sc. and Ph.D. degree in Mathematics from IIT Delhi, in 1975 and 1979, respectively. He is currently working as Professor inDepartment of Mathematics, at IIT Roorkee, India. His research interests include Numerical Analysis, Computer Software, Applied Cryptography, etc.