Computer Standards & Interfaces 27 (2004) 25–31
Secure SAS-like password authentication schemes
Tzung-Her Chen a,*, Wei-Bin Lee b, Gwoboa Horng a
a Institute of Computer Science, National Chung-Hsing University, 250 Kuo-Kuang Road, Taichung 402, Taiwan, ROC
b Department of Information Engineering, Feng Chia University, 100 Wenhwa Road, Seatwen Taichung 407, Taiwan, ROC
Received 15 November 2003; received in revised form 20 February 2004; accepted 28 February 2004
Available online 20 March 2004
Abstract
Recently, several articles have been proposed for the so-called SAS password authentication scheme, which has lower storage, processing and transmission overheads. To benefit from these advantages, there has been a series of research efforts on SAS-like schemes. However, as knowledge of cryptanalysis has evolved, a series of modifications have been made. Unfortunately, those enhancements still have security flaws. In this paper, a security issue is found in the latest modification and removed to form a new one. The proposed schemes not only keep the original advantages but also highlight a feature, mutual authentication between a user and a remote server, that is found in many authentication protocols but not in the SAS-like schemes.
© 2004 Elsevier B.V. All rights reserved.
Keywords: Password authentication; Smart card; Mutual authentication; Denial-of-service attack
0920-5489/$ - see front matter © 2004 Elsevier B.V. All rights reserved.
doi:10.1016/j.csi.2004.02.004
* Corresponding author. Tel.: +886-422840497x912; fax: +886-422853869.
E-mail addresses: [email protected] (T.-H. Chen), [email protected] (W.-B. Lee), [email protected] (G. Horng).
1. Introduction
There are large numbers of people worldwide with daily access to the Internet. Therefore, it is now clear that the Internet is a step in the ongoing evolution of commercial markets. The technology opens up new channels of distribution.
To provide a no-risk opportunity to try Internet shopping, a better and more suitable authentication scheme is key. Hence, the real challenge is to authenticate the alleged client, because traditional face-to-face contact is not practical for selling globally.
In the literature, there are many schemes [1–10] proposed to provide authentication services. Password-based authentication is one of the most popular methods because of its simplicity and effectiveness.
By taking account of computational cost, user password authentication schemes can be further classified into two broad categories: encryption-based [1–6] and hash-function-based [7–10] techniques. The former is based on cryptosystems such as DES, RSA and ElGamal [11]. Their main disadvantage is high computational cost. In contrast to an encryption-based technique, a hash-function-based technique, built on a collision-resistant hash function such as SHA-1 [11], is simpler and more efficient to implement. In consideration of practicability, more and more hash-function-based schemes have been proposed.
Sandirigama et al. [10] proposed a simple and secure password authentication scheme, the so-called SAS. Because of the advantages of lower storage, processing and transmission overheads, SAS-like schemes have attracted wide attention in user authentication research, and several articles [12–15] have been proposed to further enhance SAS-like protocols. Unfortunately, those enhancements still have security flaws. In 2001, Lin et al. [12] proposed an optimal strong-password authentication scheme, called OSPA, to enhance the security of SAS, which suffers from the replay attack and the denial-of-service attack. Subsequently, the OSPA scheme was shown to be vulnerable to the stolen-verifier attack [13] and the impersonation attack [14]. In 2003, Lin et al. [15] proposed the latest SAS-like version of OSPA to withstand the stolen-verifier attack.
In this paper, firstly, a security issue is found in the latest modification and removed to form a new one. The authors will point out that the Lin–Shen–Hwang scheme suffers from the denial-of-service attack and further propose an improved version (Method 1 for short) to withstand this attack.
Secondly, the authors highlight a feature, mutual authentication between the user and the remote server, which is found in many authentication protocols but has never been addressed in the SAS-like schemes. In some situations, mutual authentication is necessary to provide higher security. Therefore, the authors further propose a SAS-like scheme (Method 2 for short) based on Method 1 to address this issue.
The rest of the paper is organized as follows. In the next section, the Lin–Shen–Hwang enhanced scheme is briefly described and shown to suffer from the denial-of-service attack. Subsequently, two enhancements are proposed in Section 3. Then, discussion and security analysis are presented in Section 4. Finally, some brief conclusions are given in Section 5.
2. Lin–Shen–Hwang scheme and its weakness
There are two phases in the Lin–Shen–Hwang password authentication scheme: registration and authentication [15]. The registration phase goes as follows.
(R.1) Ui → S: IDi, h²(PWi ⊕ N)
A user Ui with his identity IDi chooses password PWi freely and computes h²(PWi ⊕ N), where h(·) is a collision-resistant hash function and N is a nonce. Then, Ui sends IDi and h²(PWi ⊕ N) to the remote server. Upon receiving them, the server stores h²(PWi ⊕ N) into the verification table.
(R.2) S → Ui: a smart card {N, K}
The server computes K = h²(PWi ⊕ N) ⊕ h(x || IDi) and writes {K, N} into the user's smart card and releases it to the user, where x is the secret key of the server.
The authentication phase goes as follows.
(A.1) Ui → S: IDi, c2, c3
User Ui inserts his smart card into a login device and enters his identity IDi and password PWi. The smart card will perform the following operations:
1. Calculate c1 = K ⊕ h²(PWi ⊕ N) = h(x || IDi);
2. Calculate c2 = c1 ⊕ h(PWi ⊕ N);
3. Calculate c3 = h(c1) ⊕ h²(PWi ⊕ N̄), where N̄ is a new random nonce; and
4. Send {IDi, c2, c3} to the server as a login request.
Upon receiving the login request, the server then performs the following operations:
1. Check the format of IDi.
2. Compute h(x || IDi) and c̄2 = h(x || IDi) ⊕ c2 = h(PWi ⊕ N).
3. Compare the hash value of c̄2 with the stored verifier h²(PWi ⊕ N). If they are equivalent, then the user is authenticated; otherwise, this login request is rejected.
4. Replace h²(PWi ⊕ N) with h²(PWi ⊕ N̄), a new verifier for the next login request, where h²(PWi ⊕ N̄) = h²(x || IDi) ⊕ c3.
2.1. Denial-of-service attack on the Lin–Shen–Hwang scheme
The denial-of-service attack, where the server is cheated by an attacker into updating false verification information for the next login phase, is found in the Lin–Shen–Hwang scheme, so that the server will reject all subsequent login requests of the legal user.
To cheat the server, the attacker replaces c3 with an arbitrary value c̄.
Upon receiving c̄, the server stores a false verifier h²(x || IDi) ⊕ c̄ without further checking the validity of the new verifier. Therefore, the server is fooled into storing the false verifier and rejects all subsequent login requests of the legal user.
The denial-of-service attack is therefore possible, and a remedy is proposed in the following.
3. The proposed schemes
In this section, a secure SAS-like scheme is proposed as Method 1 to enhance the security of the Lin–Shen–Hwang scheme. The never-before-addressed issue, mutual authentication, is highlighted and solved in Method 2. To make the idea concise and clear, Figs. 1, 2 and 3 are used to illustrate the proposed schemes.
3.1. The proposed security enhancement (Method 1)
Firstly, an improved version of the Lin–Shen–Hwang scheme is described below. The registration phase goes as follows.
(R.1) Ui → S: IDi, h²(PWi ⊕ N), N
A user Ui with his identity IDi chooses password PWi freely and computes h²(PWi ⊕ N), where N is a nonce. Then, Ui sends IDi, h²(PWi ⊕ N) and N to the remote server. Upon receiving them, the server stores h²(PWi ⊕ N) into the verification table.
(R.2) S → Ui: a smart card {N, h(x || IDi)}
The server computes h(x || IDi) and writes {N, h(x || IDi)} into the user's smart card and releases it to the user, where x is the secret key of the server.
Fig. 1. The registration phase of Method 1 and Method 2 of the proposed schemes.
The authentication phase is shown as follows.
(A.1) Ui → S: IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3
Ui inserts his smart card into a login device and enters his identity IDi and password PWi. The smart card will perform the following operations:
1. Calculate c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r), where r is a nonce;
2. Calculate c2 = h²(PWi ⊕ N̄) ⊕ h(PWi ⊕ N), where N̄ is a new random nonce;
3. Calculate c3 = h³(PWi ⊕ N̄);
4. Compute r ⊕ h(x || IDi) and h(r); and
5. Send {IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3} to the server as a login request.
Upon receiving the login request, the server does the following operations:
1. Check the format of IDi;
2. Calculate h(x || IDi) to extract r from r ⊕ h(x || IDi);
3. Verify the validity of r by h(r);
4. Hash h²(PWi ⊕ N) ⊕ r to extract h(PWi ⊕ N) from c1, and use h(PWi ⊕ N) to extract h²(PWi ⊕ N̄) from c2, respectively;
5. Check if the hash value of the extracted h(PWi ⊕ N) is equal to the stored verifier h²(PWi ⊕ N). If equivalent, the user is authenticated; otherwise, this login request is rejected.
6. Check if the hash value of the extracted h²(PWi ⊕ N̄) is equal to the received c3. If it holds, the server updates the verification table by replacing h²(PWi ⊕ N) with h²(PWi ⊕ N̄).
Fig. 2. The authentication phase of Method 1.
3.2. The proposed scheme with mutual authentication (Method 2)
Although Method 1 enhances the security of the Lin–Shen–Hwang scheme, it does not provide mutual authentication. Hence, Method 2 addresses this issue in particular. The registration phase is the same as that of Method 1 and is omitted here. The authentication phase is shown as follows.
(A.1) Ui → S: IDi, r′
Ui inserts his smart card into a login device and enters the identity IDi and password PWi to enable the card. Then the identity IDi and a random nonce r′, used to identify this transaction uniquely, are sent to the remote server.
(A.2) S → Ui: r ⊕ h(x || IDi), h(r || r′)
After checking the format of IDi, the server generates a new random nonce r and returns r ⊕ h(x || IDi) and h(r || r′) to assure this client that its correspondent is a regular server.
(A.3) Ui → S: c1, c2, c3
Upon receiving {r ⊕ h(x || IDi), h(r || r′)}, the client extracts r from r ⊕ h(x || IDi). Then, with r, it verifies whether h(r || r′) contains r′ to authenticate the remote server. With r, the smart card computes c1, c2 and c3 just as in Method 1. Upon receiving the login request, the server performs the authentication operations just as those (Steps 4, 5 and 6) of Method 1.
Fig. 3. The authentication phase of Method 2.
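As an added example (not code from the paper or its authors), the following Python toy implementation runs Method 1 and Method 2 end to end: registration, the card-side computation of c1, c2, c3, the server-side checks of Steps 4 to 6, the c3 validity check of Step 6 that blocks the arbitrary-c3 update described in Section 2.1, and the client-side check of h(r || r′) in Step A.2 of Method 2. SHA-256 standing in for h(·), a fixed 32-byte password block so that PWi ⊕ N is well defined, and every class and function name are assumptions of this example; the paper fixes only the abstract scheme.

```python
import hashlib
import os

# Added example, not the paper's code: a toy run of Method 1 and Method 2.
# SHA-256 as h(.), the 32-byte password block and all names are assumptions.
BLOCK = 32

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # the collision-resistant hash h(.)

def h_pow(data: bytes, n: int) -> bytes:
    """h^n(data): h applied n times."""
    for _ in range(n):
        data = h(data)
    return data

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # both inputs are BLOCK bytes

def pw_block(pw: str) -> bytes:
    """Fixed-width password so that PWi XOR N is defined (an assumption)."""
    return pw.encode().ljust(BLOCK, b"\0")[:BLOCK]

class Server:
    def __init__(self):
        self.x = os.urandom(BLOCK)  # long-term secret key x
        self.table = {}             # verification table: IDi -> h^2(PWi XOR N)
        self.pending = {}           # Method 2: IDi -> r chosen in step A.2

    def hx(self, uid: str) -> bytes:
        return h(self.x + uid.encode())  # h(x || IDi)

    def register(self, uid: str, verifier: bytes, n: bytes) -> dict:
        """R.1/R.2: store the verifier, issue the smart card {N, h(x || IDi)}."""
        self.table[uid] = verifier
        return {"N": n, "hx": self.hx(uid)}

    def challenge(self, uid: str, r_prime: bytes) -> tuple:
        """Method 2, step A.2: fresh r as r XOR h(x || IDi), plus h(r || r')."""
        r = os.urandom(BLOCK)
        self.pending[uid] = r
        return xor(r, self.hx(uid)), h(r + r_prime)

    def login(self, uid, c1, c2, c3, r_masked=None, hr=None) -> str:
        """Server steps 2-6 of Method 1; Method 2 reuses 4-6 with r from A.2."""
        # Method 1 recovers r from r XOR h(x || IDi) (steps 2 and 3); Method 2 agreed r in A.2
        r = self.pending.pop(uid) if r_masked is None else xor(r_masked, self.hx(uid))
        if hr is not None and h(r) != hr:
            return "rejected: bad r"
        v = self.table[uid]
        h_pwn = xor(c1, h(xor(v, r)))               # step 4: h(PWi XOR N)
        new_v = xor(c2, h_pwn)                      # step 4: h^2(PWi XOR N_bar)
        if h(h_pwn) != v:                           # step 5: password check
            return "rejected: wrong password"
        if h(new_v) != c3:                          # step 6: verifier validity check
            return "authenticated, verifier update rejected"
        self.table[uid] = new_v                     # step 6: accept the new verifier
        return "authenticated, verifier updated"

class Card:
    def __init__(self, uid: str, issued: dict):
        self.uid, self.n, self.hx = uid, issued["N"], issued["hx"]

    def login_values(self, pw: str, r: bytes) -> tuple:
        """Card steps 1-3 of Method 1 for nonce r: c1, c2, c3 and the new N_bar."""
        pwn = xor(pw_block(pw), self.n)
        n_bar = os.urandom(BLOCK)
        pwn_bar = xor(pw_block(pw), n_bar)
        c1 = xor(h(pwn), h(xor(h_pow(pwn, 2), r)))
        c2 = xor(h_pow(pwn_bar, 2), h(pwn))
        c3 = h_pow(pwn_bar, 3)
        return c1, c2, c3, n_bar

def enroll(server: Server, uid: str, pw: str) -> Card:
    n = os.urandom(BLOCK)  # registration phase, identical for both methods
    return Card(uid, server.register(uid, h_pow(xor(pw_block(pw), n), 2), n))

def method1_login(server, card, pw, tamper_c3=False) -> str:
    """Method 1; tamper_c3 models the arbitrary c3 of Sections 2.1 and 4.6."""
    r = os.urandom(BLOCK)
    c1, c2, c3, n_bar = card.login_values(pw, r)
    if tamper_c3:
        c3 = os.urandom(BLOCK)
    result = server.login(card.uid, c1, c2, c3, r_masked=xor(r, card.hx), hr=h(r))
    if result.endswith("updated"):
        card.n = n_bar  # the card keeps N_bar only once the server accepted it
    return result

def method2_login(server, card, pw) -> str:
    """Method 2: the client checks h(r || r') before revealing c1, c2, c3."""
    r_prime = os.urandom(BLOCK)                              # A.1
    r_masked, tag = server.challenge(card.uid, r_prime)      # A.2
    r = xor(r_masked, card.hx)
    if h(r + r_prime) != tag:
        return "client aborted: server not authenticated"
    c1, c2, c3, n_bar = card.login_values(pw, r)             # A.3
    result = server.login(card.uid, c1, c2, c3)
    if result.endswith("updated"):
        card.n = n_bar
    return result
```

A rejected update leaves both the stored verifier and the card's nonce N unchanged, so the legal user's next login still succeeds; under the Lin–Shen–Hwang server logic of Section 2 the value h²(x || IDi) ⊕ c̄ would have been stored instead. In Method 2 a party that does not hold x cannot produce a pair {r ⊕ h(x || IDi), h(r || r′)} that passes the client's check, so the card never releases c1, c2, c3 to it.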
4. Discussion and security analysis
In Method 2, the identity of the login user is verified by checking if the hash value of the extracted h(PWi ⊕ N) is equal to the stored h²(PWi ⊕ N) in Step A.3. On the other hand, the identity of the server is verified by checking if the server possesses the secret key x to generate the pair {r ⊕ h(x || IDi), h(r || r′)} in Step A.2. Because only the legal user and the regular server know h(x || IDi), authentication of the server is indirectly proved.
In this section, the security of the proposed schemes is examined from the user end, the server end and the middle.
Considering the security of password authentication between the users and the remote server, what a man/attacker in the middle can do is intercept or modify the login request information between the user and the remote server in order to pretend to be the user or the server.
At the user end, he may impersonate a legal user to log in to the server, intercept the login message to perform the offline guessing attack, or merely replay the intercepted login request.
At the server end, an attacker may impersonate the server to fool/cheat the legal users, or modify the authentication message to cheat the server. Of course, he may find some way to steal the verification table stored on the server to guess the password, or perform impersonation operations.
To describe how the proposed schemes work, these possible attacks on password authentication schemes are discussed as follows.
4.1. Impersonating user
In Method 1, an attacker may impersonate a legal user by forging a login request {IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3}.
Because the server checks the validity of r by extracting r from r ⊕ h(x || IDi) and comparing with h(r), the attacker must have h(x || IDi) to compute r ⊕ h(x || IDi); otherwise, he cannot pass the authentication. However, he has no idea about the server's secret key x and so cannot obtain h(x || IDi).
Similarly, in Method 2, the attacker must extract the exact r to compute c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r). He faces the same challenge without knowing the server's secret key x.
4.2. Replaying login messages
The server updates the verifier from time to time because the next verifier is prepared in the current phase. Hence, an attacker cannot log in to the remote server by replaying a previous login message in Method 1 or Method 2.
4.3. Guessing password
There are only two instances involving the password PWi: the login message c1, c2, c3 and the verifier h²(PWi ⊕ N) stored by the server. If an attacker intercepts c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r), c2 = h²(PWi ⊕ N̄) ⊕ h(PWi ⊕ N) and c3 = h³(PWi ⊕ N̄), it is infeasible to guess the user's password without knowing r, N and N̄, because he has no feasible way to verify a guessed password. Suppose an attacker has stolen the verifier h²(PWi ⊕ N). He cannot verify a guessed password without knowing N.
4.4. Impersonating server
Method 1 focuses on how a server verifies the identity of a user but not on verifying the legitimacy of a server. The server impersonation attack is not discussed here.
In Method 2, if an attacker wants to impersonate the remote server successfully, he sends {r ⊕ h(x || IDi), h(r || r′)} to the client (see Step A.2 in Method 2). Then, the client will extract r from r ⊕ h(x || IDi) and verify the validity of r by using h(r || r′) and r′. Because the attacker has no idea about the server's long-term secret key x, he cannot compute h(x || IDi) to forge a valid {r ⊕ h(x || IDi), h(r || r′)}.
Here, r′ is used to assure that the message {r ⊕ h(x || IDi), h(r || r′)} is unique in each authentication transaction, and thus the presence of r′ keeps the client from being fooled by a replay of a message previously issued by the server in Step A.2 of Method 2.
4.5. Stealing verifier
An attacker may have h²(PWi ⊕ N) if he finds some way to steal the verification table from the server. But he still has no way to impersonate a legal user or a regular server.
For server impersonation, without knowing h(x || IDi), he cannot forge valid identification information {r ⊕ h(x || IDi), h(r || r′)} in Method 2. This attack was not a concern in Method 1 because it is a one-way scheme.
To pass the authentication in Method 1, for user impersonation, the attacker must have h(x || IDi) to compute r ⊕ h(x || IDi). On the other hand, in Method 2, he must also have h(x || IDi) to extract r. No matter which situation is concerned, the server's protected secret key x makes the computation of h(x || IDi) impossible.
4.6. Denying service
If a server is cheated by an attacker into updating false verification information for the next login phase, the legal user will not be able to log in successfully anymore. Hence, the so-called denial-of-service attack occurs. To withstand the attack, the two proposed schemes do not update the verifier directly but further check its validity before the update procedure.
To cheat the server, the attacker may replace c3 = h³(PWi ⊕ N̄) with an arbitrary value c̄3. After receiving c̄3, the server extracts h²(PWi ⊕ N̄) from c1, c2 and further checks if the hash value of the extracted h²(PWi ⊕ N̄) is equal to the received c̄3. Therefore, the server rejects this verifier update request.
5. Conclusions
Generally speaking, steps that are simple to understand and use are more likely to be accepted. Hence, based on the SAS idea, two solutions are provided. The first one of the new SAS series aims to remove the security flaw, and the second one highlights the mutual authentication feature between a user and a remote server. In addition, the authors have described that the proposed schemes are more reliable.
References
[1] C.C. Chang, S.J. Hwang, Using smart cards to authenticate
remote passwords, Computer and Mathematics with Applica-
tions 26 (7) (1993) 19–27.
[2] C.C. Chang, W.Y. Liao, A remote password authentication
scheme based upon ElGamal’s signature scheme, Computer
and Security 13 (2) (1994) 137–144.
[3] J.K. Jan, Y.Y. Chen, ‘Paramita wisdom’ password authentica-
tion scheme without verification tables, The Journal of Sys-
tems and Software 42 (1998) 45–57.
[4] W.H. Yang, S.P. Shieh, Password authentication schemes
with smart cards, Computers and Security 18 (1999)
727–733.
[5] J.K. Lee, S.R. Ryu, K.Y. Yoo, Fingerprint-based remote user
authentication scheme using smart cards, Electronics Letters
38 (2) (2002) 554–555.
[6] I.C. Lin, M.S. Hwang, L.H. Li, A new remote user authenti-
cation scheme for multi-server architecture, Future Generation
Computer Systems 19 (2003) 13–22.
[7] L. Lamport, Password authentication with insecure communi-
cation, Communications of ACM 24 (1981) 28–30.
[8] N.M. Haller, The S/Key (TM) one-time password system,
Proceedings of Internet Society Symposium on Network and
Distributed System Security (1994) 151–158.
[9] T.C. Yeh, H.Y. Shen, J.J. Hwang, A secure one-time password
authentication scheme using smart cards, IEICE Transactions
on Communications E85-B (11) (2002) 2515–2518.
[10] M. Sandirigama, A. Shimizu, M.T. Noda, Simple and secure
password authentication protocol (SAS), IEICE Transactions
on Communications E83-B (6) (2000) 1363–1365.
[11] B. Schneier, Applied Cryptography, 2nd Edition, Wiley, New
York, 1996.
[12] C.L. Lin, H.M. Sun, T. Hwang, Attacks and solutions on
strong-password authentication, IEICE Transactions on Com-
munications E84-B (9) (2001) 2622–2627.
[13] C.M. Chen, W.C. Ku, Stolen-verifier attack on two new
strong-password authentication protocols, IEICE Transactions
on Communications E85-B (11) (2002) 2519–2521.
[14] T. Tsuji, A. Shimizu, An impersonation attack on one-time
password authentication protocol OSPA, IEICE Transactions
on Communications E86-B (7) (2003) 2182–2185.
[15] C.W. Lin, J.J. Shen, M.S. Hwang, Security enhancement for
optimal strong-password authentication protocol, ACM
SIGOPS Operating Systems Review 37 (3) (2003) 12–16.
Tzung-Her Chen received his BS degree from the National Taiwan Normal University, Taiwan, in 1991 and his MS degree from Feng-Chia University, Taiwan, in 2001. He is currently pursuing his PhD degree at the Institute of Computer Science, National Chung-Hsing University. His research interests include cryptography, information hiding, and digital watermarking.
Wei-Bin Lee received his BS degree in Chung-Yuan Christian University, Chungli, Taiwan, in 1991 and his MS degree in computer science and information engineering from the National Chung Cheng University, Chiayi, Taiwan in 1993. He received his PhD degree in 1997 from National Chung Cheng University. Since 1999, he has been with the Department of Information Engineering at Feng Chia University, where he is currently an associate professor. His research interests currently include cryptography, information security management, steganography, and network security. He is an honorary member of the Phi Tau Phi Scholastic Honor Society.
Gwoboa Horng received his BS degree in Electrical Engineering from the National Taiwan University in 1981 and his MS and PhD degrees from the University of Southern California in 1987 and 1992, respectively, all in Computer Science. Since 1992, he has been on the faculty of the Institute of Computer Science at National Chung-Hsing University, Taichung, Taiwan, R.O.C. His current research interests include artificial intelligence, cryptography, and information security.