
www.elsevier.com/locate/csi

Computer Standards & Interfaces 27 (2004) 25–31

Secure SAS-like password authentication schemes

Tzung-Her Chen a,*, Wei-Bin Lee b, Gwoboa Horng a

a Institute of Computer Science, National Chung-Hsing University, 250 Kuo-Kuang Road, Taichung 402, Taiwan, ROC
b Department of Information Engineering, Feng Chia University, 100 Wenhwa Road, Seatwen Taichung 407, Taiwan, ROC

Received 15 November 2003; received in revised form 20 February 2004; accepted 28 February 2004

Available online 20 March 2004

Abstract

Recently, several articles have proposed the so-called SAS password authentication scheme, which has lower storage, processing, and transmission overheads. To benefit from these advantages, a series of studies on SAS-like schemes has followed. However, as cryptanalytic knowledge has evolved, a series of modifications have been made. Unfortunately, those enhancements still have security flaws. In this paper, a security issue is found in the latest modification and removed to form a new scheme. The proposed schemes not only keep the original advantages but also highlight a feature, mutual authentication between a user and a remote server, that is found in many authentication protocols but not in the SAS-like schemes.

© 2004 Elsevier B.V. All rights reserved.

Keywords: Password authentication; Smart card; Mutual authentication; Denial-of-service attack

1. Introduction

There are large numbers of people worldwide with daily access to the Internet. Therefore, it is now clear that the Internet is a step in the ongoing evolution of commercial markets. The technology opens up new channels of distribution.

To offer a low-risk opportunity to try Internet shopping, a better and more suitable authentication scheme is key. Hence, the real challenge is to authenticate the alleged client, because traditional face-to-face contact is not practical when selling globally.

In the literature, many schemes [1–10] have been proposed to provide an authentication service. Password-based authentication is one of the most popular methods because of its simplicity and effectiveness. Taking computational cost into account, user password authentication schemes can be further classified into two broad categories: encryption-based [1–6] and hash-function-based [7–10] techniques. The former are based on cryptosystems such as DES, RSA, and ElGamal [11]. Their main disadvantage is high computational cost. In contrast to an encryption-based technique, a hash-function-based technique, built on a collision-resistant hash function such as SHA-1 [11], is simpler and more efficient to implement. In consideration of practicability, more and more hash-function-based schemes have been proposed.

Sandirigama et al. [10] proposed a simple and secure password authentication scheme, the so-called SAS. Because of the advantages of lower storage, processing, and transmission overheads, SAS-like schemes have attracted wide attention in user authentication research, and several articles [12–15] have been proposed to continuously enhance SAS-like protocols. Unfortunately, those enhancements still have security flaws. In 2001, Lin et al. [12] proposed an optimal strong-password authentication scheme, called OSPA, to enhance the security of SAS, which suffers from the replay attack and the denial-of-service attack. Subsequently, the OSPA scheme has been shown vulnerable to the stolen-verifier attack [13] and the impersonation attack [14]. In 2003, Lin et al. [15] proposed the latest SAS-like version of OSPA to withstand the stolen-verifier attack.

In this paper, firstly, a security issue is found in the latest modification and removed to form a new one. The authors will point out that the Lin–Shen–Hwang scheme suffers from the denial-of-service attack and further propose an improved version (Method 1 for short) to withstand this attack.

Secondly, the authors highlight a feature, mutual authentication between the user and the remote server, found in many authentication protocols but never addressed in the SAS-like schemes. In some situations, mutual authentication is necessary to provide higher security. Therefore, the authors further propose a SAS-like scheme (Method 2 for short) based on Method 1 to address this issue.

The rest of the paper is organized as follows. In the next section, the Lin–Shen–Hwang enhanced scheme is briefly described and shown to suffer from the denial-of-service attack. Subsequently, two enhancements are proposed in Section 3. Then, discussion and security analysis are presented in Section 4. Finally, some brief conclusions are given in Section 5.

0920-5489/$ - see front matter © 2004 Elsevier B.V. All rights reserved.
doi:10.1016/j.csi.2004.02.004
* Corresponding author. Tel.: +886-422840497x912; fax: +886-422853869.
E-mail addresses: [email protected] (T.-H. Chen), [email protected] (W.-B. Lee), [email protected] (G. Horng).

2. Lin–Shen–Hwang scheme and its weakness

There are two phases in the Lin–Shen–Hwang password authentication scheme: registration and authentication [15]. The registration phase goes as follows.

(R.1) Ui → S: IDi, h²(PWi ⊕ N)

A user Ui with identity IDi freely chooses a password PWi and computes h²(PWi ⊕ N), where h(·) is a collision-resistant hash function, h²(·) denotes h(h(·)) (and h³(·) denotes h(h²(·))), and N is a nonce. Then, Ui sends IDi and h²(PWi ⊕ N) to the remote server. Upon receiving them, the server stores h²(PWi ⊕ N) in the verification table.

(R.2) S → Ui: a smart card {N, K}

The server computes K = h²(PWi ⊕ N) ⊕ h(x || IDi), writes {K, N} into the user's smart card and releases it to the user, where x is the secret key of the server.

The authentication phase goes as follows.

(A.1) Ui → S: IDi, c2, c3

User Ui inserts his smart card into a login device and enters his identity IDi and password PWi. The smart card performs the following operations:

1. Calculate c1 = K ⊕ h²(PWi ⊕ N) = h(x || IDi);
2. Calculate c2 = c1 ⊕ h(PWi ⊕ N);
3. Calculate c3 = h(c1) ⊕ h²(PWi ⊕ N̄), where N̄ is a new random nonce; and
4. Send {IDi, c2, c3} to the server as a login request.

Upon receiving the login request, the server performs the following operations:

1. Check the format of IDi.
2. Compute h(x || IDi) and c̄2 = h(x || IDi) ⊕ c2 = h(PWi ⊕ N).
3. Compare the hash value of c̄2 with the stored verifier h²(PWi ⊕ N). If they are equal, the user is authenticated; otherwise, this login request is rejected.
4. Replace h²(PWi ⊕ N) with h²(PWi ⊕ N̄), the new verifier for the next login request, where h²(PWi ⊕ N̄) = h²(x || IDi) ⊕ c3.

2.1. Denial-of-service attack on the Lin–Shen–Hwang scheme

The denial-of-service attack, in which the server is tricked by an attacker into updating false verification information for the next login phase, is found in the Lin–Shen–Hwang scheme, so that the server will reject all subsequent login requests of the legal user.

To cheat the server, the attacker replaces c3 with an arbitrary value c̄. Upon receiving c̄, the server stores the false verifier h²(x || IDi) ⊕ c̄ without further checking the validity of the new verifier. Therefore, the server is fooled into storing the false verifier and rejects all subsequent login requests of the legal user.

The denial-of-service attack is therefore possible, and a remedy is proposed in the following.

3. The proposed schemes

In this section, a secure SAS-like scheme is proposed as Method 1 to enhance the security of the Lin–Shen–Hwang scheme. The never-before-addressed issue of mutual authentication is highlighted and solved in Method 2. To make the idea concise and clear, Figs. 1, 2 and 3 are used to illustrate the proposed schemes.

3.1. The proposed security enhancement (Method 1)

Firstly, an improved version of the Lin–Shen–Hwang scheme is described below. The registration phase goes as follows.

(R.1) Ui → S: IDi, h²(PWi ⊕ N), N

A user Ui with identity IDi freely chooses a password PWi and computes h²(PWi ⊕ N), where N is a nonce. Then, Ui sends IDi, h²(PWi ⊕ N) and N to the remote server. Upon receiving them, the server stores h²(PWi ⊕ N) in the verification table.

(R.2) S → Ui: a smart card {N, h(x || IDi)}

The server computes h(x || IDi), writes {N, h(x || IDi)} into the user's smart card and releases it to the user, where x is the secret key of the server.

Fig. 1. The registration phase of Method 1 and Method 2 of the proposed schemes.

The authentication phase is shown as follows.

(A.1) Ui → S: IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3

Ui inserts his smart card into a login device and enters his identity IDi and password PWi. The smart card performs the following operations:

1. Calculate c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r), where r is a nonce;
2. Calculate c2 = h²(PWi ⊕ N̄) ⊕ h(PWi ⊕ N), where N̄ is a new random nonce;
3. Calculate c3 = h³(PWi ⊕ N̄);
4. Compute r ⊕ h(x || IDi) and h(r); and
5. Send {IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3} to the server as a login request.

Upon receiving the login request, the server performs the following operations:

1. Check the format of IDi;
2. Calculate h(x || IDi) to extract r from r ⊕ h(x || IDi);
3. Verify the validity of r by h(r);
4. Hash h²(PWi ⊕ N) ⊕ r (using the stored verifier) to extract h(PWi ⊕ N) from c1, and use h(PWi ⊕ N) to extract h²(PWi ⊕ N̄) from c2;
5. Check whether the hash value of the extracted h(PWi ⊕ N) equals the stored h²(PWi ⊕ N). If so, the user is authenticated; otherwise, this login request is rejected.
6. Check whether the hash value of the extracted h²(PWi ⊕ N̄) equals the received c3. If it holds, the server updates the verification table by replacing h²(PWi ⊕ N) with h²(PWi ⊕ N̄).
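Both phases of Method 1, together with the Section 2.1 scenario it defends against, as an added worked example that is not the paper's own code: the server's step 6 checks h(extracted h²(PWi ⊕ N̄)) against c3 before rotating the verifier, the smart card adopts N̄ only once the server confirms, and demo() runs a normal login, a replay of that message, a login whose c3 was replaced in transit, and the legal user's next login. SHA-256 as h(·), 32-byte blocks for PWi, N, r and hash outputs, byte-string concatenation for ||, and the dictionary keys are assumptions.

```python
import hashlib
import os

BLK = 32  # PW_i, N, N̄, r and hash outputs are 32-byte blocks so that ⊕ is defined (assumption)

def h(data: bytes) -> bytes:
    """h(·): the scheme's collision-resistant hash; SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()

def h2(data: bytes) -> bytes:  # h²(·) = h(h(·)); h³(·) is written h(h2(·)) below
    return h(h(data))

def xor(a: bytes, b: bytes) -> bytes:  # the paper's ⊕ on equal-length blocks
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self) -> None:
        self.x = os.urandom(BLK)  # long-term secret key x
        self.table = {}           # verification table: ID_i -> h²(PW_i ⊕ N)

    def register(self, id_i: bytes, verifier: bytes, n: bytes) -> dict:
        """(R.1) store h²(PW_i ⊕ N); (R.2) return the smart card {N, h(x || ID_i)}."""
        self.table[id_i] = verifier
        return {"N": n, "hxid": h(self.x + id_i)}

    def login(self, m: dict) -> tuple:
        """Server side of (A.1); returns (user_authenticated, verifier_updated)."""
        stored = self.table.get(m["ID"])
        if stored is None:                      # 1. check ID_i
            return (False, False)
        r = xor(m["rx"], h(self.x + m["ID"]))   # 2. extract r from r ⊕ h(x || ID_i)
        if h(r) != m["hr"]:                     # 3. verify r against h(r)
            return (False, False)
        hpwn = xor(m["c1"], h(xor(stored, r)))  # 4. h(PW_i ⊕ N) from c1 ...
        new_ver = xor(m["c2"], hpwn)            #    ... and h²(PW_i ⊕ N̄) from c2
        if h(hpwn) != stored:                   # 5. authenticate the user
            return (False, False)
        if h(new_ver) != m["c3"]:               # 6. validate the new verifier before storing it
            return (True, False)                #    (the check the Section 2.1 scheme lacks)
        self.table[m["ID"]] = new_ver
        return (True, True)

class SmartCard:
    def __init__(self, id_i: bytes, card: dict) -> None:
        self.id, self.n, self.hxid = id_i, card["N"], card["hxid"]
        self.pending = None

    def login_request(self, pw: bytes) -> dict:
        """Card side of (A.1): fresh r and N̄, then c1, c2, c3."""
        pw_n, r, n_new = xor(pw, self.n), os.urandom(BLK), os.urandom(BLK)
        self.pending = n_new                    # adopt N̄ only once the server confirms (assumption)
        return {"ID": self.id, "rx": xor(r, self.hxid), "hr": h(r),
                "c1": xor(h(pw_n), h(xor(h2(pw_n), r))),
                "c2": xor(h2(xor(pw, n_new)), h(pw_n)),
                "c3": h(h2(xor(pw, n_new)))}

    def confirm(self, result: tuple) -> None:
        if result == (True, True):
            self.n = self.pending

def demo() -> dict:
    """Registration, a normal login, its replay, a c3 replaced in transit, and a re-login."""
    server, id_i, n = Server(), b"alice", os.urandom(BLK)  # constructed sample user
    pw = b"correct horse".ljust(BLK, b"\0")    # PW_i padded to one block (assumption)
    card = SmartCard(id_i, server.register(id_i, h2(xor(pw, n)), n))
    m1 = card.login_request(pw)
    first = server.login(m1); card.confirm(first)
    replay = server.login(m1)                  # verifier has rotated: Section 4.2
    before = server.table[id_i]
    m2 = card.login_request(pw); m2["c3"] = os.urandom(BLK)  # arbitrary c̄3: Sections 2.1, 4.6
    tampered = server.login(m2); card.confirm(tampered)
    unchanged = server.table[id_i] == before   # the stored verifier survived
    relogin = server.login(card.login_request(pw))  # the legal user still gets in
    return {"first": first, "replay": replay, "tampered": tampered,
            "unchanged": unchanged, "relogin": relogin}
```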

Fig. 2. The authentication phase of Method 1.

3.2. The proposed scheme with mutual authentication (Method 2)

Although Method 1 enhances the security of the Lin–Shen–Hwang scheme, it does not provide mutual authentication. Hence, Method 2 addresses this issue in particular. The registration phase is the same as that of Method 1 and is omitted here. The authentication phase is shown as follows.

(A.1) Ui → S: IDi, r′

Ui inserts his smart card into a login device and enters the identity IDi and password PWi to enable the card. Then the identity IDi and a random nonce r′, used to identify this transaction uniquely, are sent to the remote server.

(A.2) S → Ui: r ⊕ h(x || IDi), h(r || r′)

After checking the format of IDi, the server generates a new random nonce r and returns r ⊕ h(x || IDi) and h(r || r′) to assure this client that its correspondent is a regular server.

(A.3) Ui → S: c1, c2, c3

Upon receiving {r ⊕ h(x || IDi), h(r || r′)}, the client extracts r from r ⊕ h(x || IDi). Then, with r, it verifies whether h(r || r′) contains r′ in order to authenticate the remote server. With r, the smart card computes c1, c2, and c3 just as in Method 1. Upon receiving the login request, the server performs the authentication operations just as in Steps 4, 5, and 6 of Method 1.

Fig. 3. The authentication phase of Method 2.
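The challenge-response steps (A.1) and (A.2) of Method 2 and the client-side server check of (A.3), as an added example that is not the paper's own code, covering the three cases discussed in Section 4.4: a genuine server, a party without x, and the earlier (A.2) message replayed against a fresh r′. SHA-256 as h(·), 32-byte nonces, byte-string concatenation for ||, and the function names are assumptions.

```python
import hashlib
import os

BLK = 32  # nonce and hash length (assumption)

def h(data: bytes) -> bytes:
    """h(·): the scheme's collision-resistant hash; SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:  # the paper's ⊕ on equal-length blocks
    return bytes(x ^ y for x, y in zip(a, b))

def server_challenge(x: bytes, id_i: bytes, r_prime: bytes) -> tuple:
    """(A.2): pick a fresh r and answer {r ⊕ h(x || ID_i), h(r || r′)}.
    Only a holder of the long-term key x can mask r this way."""
    r = os.urandom(BLK)
    return (xor(r, h(x + id_i)), h(r + r_prime))

def client_check_server(hxid: bytes, r_prime: bytes, reply: tuple):
    """(A.3) client side: unmask r with the card's h(x || ID_i) and test h(r || r′)
    against the r′ this card sent in (A.1). Returns r, to be fed into the Method 1
    computation of c1, c2, c3, or None when the correspondent fails the check."""
    masked_r, tag = reply
    r = xor(masked_r, hxid)
    return r if h(r + r_prime) == tag else None

def demo() -> dict:
    x, id_i = os.urandom(BLK), b"alice"   # server key and user identity (constructed)
    hxid = h(x + id_i)                    # what the smart card received in (R.2)
    # the regular server answering the client's r′
    r1 = os.urandom(BLK)
    reply1 = server_challenge(x, id_i, r1)
    genuine = client_check_server(hxid, r1, reply1) is not None
    # a correspondent without x cannot produce h(x || ID_i) (Section 4.4)
    wrong_key_reply = server_challenge(os.urandom(BLK), id_i, r1)
    impostor = client_check_server(hxid, r1, wrong_key_reply) is not None
    # the earlier (A.2) message presented again for a fresh r′ (Section 4.4)
    r2 = os.urandom(BLK)
    replay = client_check_server(hxid, r2, reply1) is not None
    return {"genuine": genuine, "impostor": impostor, "replay": replay}
```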

4. Discussion and security analysis

In Method 2, the identity of the login user is verified by checking whether the hash value of the extracted h(PWi ⊕ N) equals the stored h²(PWi ⊕ N) in Step A.3. On the other hand, the identity of the server is verified by checking whether the server possesses the secret key x needed to generate the pair {r ⊕ h(x || IDi), h(r || r′)} in Step A.2. Because only the legal user and the regular server know h(x || IDi), the authentication of the server is indirectly proved.

In this section, the security of the proposed schemes is examined from the user end, the server end and the middle.

Considering the security of password authentication between the users and the remote server, what an attacker in the middle can do is intercept or modify the login request information exchanged between the user and the remote server in order to impersonate the user or the server.

At the user end, he may impersonate a legal user to log in to the server, intercept the login message to perform an offline guessing attack, or merely replay the intercepted login request.

At the server end, an attacker may impersonate the server to fool the legal users, or modify the authentication message to cheat the server. Of course, he may find some way to steal the verification table stored in the server in order to guess the password or perform impersonation.

To describe how the proposed schemes work, these possible attacks on password authentication schemes are discussed as follows.

4.1. Impersonating user

In Method 1, an attacker may impersonate a legal user by forging a login request {IDi, r ⊕ h(x || IDi), h(r), c1, c2, c3}. Because the server checks the validity of r by extracting r from r ⊕ h(x || IDi) and comparing with h(r), the attacker must have h(x || IDi) to compute r ⊕ h(x || IDi); otherwise, he cannot pass the authentication. However, he has no knowledge of the server's secret key x with which to obtain h(x || IDi).

Similarly, in Method 2, the attacker must extract the exact r to compute c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r). He faces the same obstacle without knowing the server's secret key x.

4.2. Replaying login messages

The server updates the verifier after each successful login because the next verifier is prepared in the current phase. Hence, an attacker cannot log in to the remote server by replaying a previous login message in Method 1 or Method 2.

4.3. Guessing password

Only two kinds of data involve the password PWi: the login message c1, c2, c3 and the verifier h²(PWi ⊕ N) stored by the server. If an attacker intercepts c1 = h(PWi ⊕ N) ⊕ h(h²(PWi ⊕ N) ⊕ r), c2 = h²(PWi ⊕ N̄) ⊕ h(PWi ⊕ N), and c3 = h³(PWi ⊕ N̄), it is infeasible to guess the user's password without knowing r, N and N̄, because he has no feasible way to check a guessed password. Suppose an attacker has stolen the verifier h²(PWi ⊕ N). He still cannot check a guessed password without knowing N.

4.4. Impersonating server

Method 1 focuses on how a server verifies the identity of a user but not on verifying the legitimacy of a server. The server impersonation attack is therefore not discussed for Method 1.

In Method 2, if an attacker wants to impersonate the remote server successfully, he must send {r ⊕ h(x || IDi), h(r || r′)} to the client (see Step A.2 in Method 2). Then, the client will extract r from r ⊕ h(x || IDi) and verify the validity of r by using h(r || r′) and r′. Because the attacker has no knowledge of the server's long-term secret key x, he cannot compute h(x || IDi) to forge a valid {r ⊕ h(x || IDi), h(r || r′)}.

Here, r′ is used to assure that the message {r ⊕ h(x || IDi), h(r || r′)} is unique in each authentication transaction, and thus the presence of r′ keeps the client from being fooled by a replay of a message previously issued by the server in Step A.2 of Method 2.

4.5. Stealing verifier

An attacker may obtain h²(PWi ⊕ N) if he finds some way to steal the verification table from the server. But he still has no way to impersonate a legal user or a regular server.

For server impersonation, without knowing h(x || IDi), he cannot forge valid identification information {r ⊕ h(x || IDi), h(r || r′)} in Method 2. This attack was not a concern in Method 1 because it is a one-way scheme.

To pass the authentication in Method 1, for user impersonation, the attacker must have h(x || IDi) to compute r ⊕ h(x || IDi). On the other hand, in Method 2, he must also have h(x || IDi) to extract r. Whatever the situation, the server's protected secret key x makes the computation of h(x || IDi) impossible.

4.6. Denying service

If a server is cheated by an attacker into updating false verification information for the next login phase, the legal user will no longer be able to log in. Hence, the so-called denial-of-service attack occurs. To withstand the attack, the two proposed schemes do not update the verifier directly but check its validity before the update procedure.

To cheat the server, the attacker may replace c3 = h³(PWi ⊕ N̄) with an arbitrary value c̄3. After receiving c̄3, the server extracts h²(PWi ⊕ N̄) from c1 and c2 and further checks whether the hash value of the extracted h²(PWi ⊕ N̄) equals the received c̄3. Since it does not, the server rejects this verifier update request.

5. Conclusions

Generally speaking, steps that are simple to understand and use are more likely to be accepted. Hence, based on the SAS idea, two solutions are provided. The first of the new SAS series aims to remove the security flaw, and the second highlights the mutual authentication feature between a user and a remote server. In addition, the authors have argued that the proposed schemes are more reliable.

References

[1] C.C. Chang, S.J. Hwang, Using smart cards to authenticate remote passwords, Computer and Mathematics with Applications 26 (7) (1993) 19–27.
[2] C.C. Chang, W.Y. Liao, A remote password authentication scheme based upon ElGamal's signature scheme, Computer and Security 13 (2) (1994) 137–144.
[3] J.K. Jan, Y.Y. Chen, 'Paramita wisdom' password authentication scheme without verification tables, The Journal of Systems and Software 42 (1998) 45–57.
[4] W.H. Yang, S.P. Shieh, Password authentication schemes with smart cards, Computers and Security 18 (1999) 727–733.
[5] J.K. Lee, S.R. Ryu, K.Y. Yoo, Fingerprint-based remote user authentication scheme using smart cards, Electronics Letters 38 (2) (2002) 554–555.
[6] I.C. Lin, M.S. Hwang, L.H. Li, A new remote user authentication scheme for multi-server architecture, Future Generation Computer Systems 19 (2003) 13–22.
[7] L. Lamport, Password authentication with insecure communication, Communications of ACM 24 (1981) 28–30.
[8] N.M. Haller, The S/Key (TM) one-time password system, Proceedings of Internet Society Symposium on Network and Distributed System Security (1994) 151–158.
[9] T.C. Yeh, H.Y. Shen, J.J. Hwang, A secure one-time password authentication scheme using smart cards, IEICE Transactions on Communications E85-B (11) (2002) 2515–2518.
[10] M. Sandirigama, A. Shimizu, M.T. Noda, Simple and secure password authentication protocol (SAS), IEICE Transactions on Communications E83-B (6) (2000) 1363–1365.
[11] B. Schneier, Applied Cryptography, 2nd Edition, Wiley, New York, 1996.
[12] C.L. Lin, H.M. Sun, T. Hwang, Attacks and solutions on strong-password authentication, IEICE Transactions on Communications E84-B (9) (2001) 2622–2627.
[13] C.M. Chen, W.C. Ku, Stolen-verifier attack on two new strong-password authentication protocols, IEICE Transactions on Communications E85-B (11) (2002) 2519–2521.
[14] T. Tsuji, A. Shimizu, An impersonation attack on one-time password authentication protocol OSPA, IEICE Transactions on Communications E86-B (7) (2003) 2182–2185.
[15] C.W. Lin, J.J. Shen, M.S. Hwang, Security enhancement for optimal strong-password authentication protocol, ACM SIGOPS Operating Systems Review 37 (3) (2003) 12–16.

Tzung-Her Chen received his BS degree from the National Taiwan Normal University, Taiwan, in 1991 and his MS degree from Feng-Chia University, Taiwan, in 2001. He is currently pursuing his PhD degree at the Institute of Computer Science, National Chung-Hsing University. His research interests include cryptography, information hiding, and digital watermarking.

Wei-Bin Lee received his BS degree from Chung-Yuan Christian University, Chungli, Taiwan, in 1991 and his MS degree in computer science and information engineering from the National Chung Cheng University, Chiayi, Taiwan, in 1993. He received his PhD degree in 1997 from National Chung Cheng University. Since 1999, he has been with the Department of Information Engineering at Feng Chia University, where he is currently an associate professor. His research interests currently include cryptography, information security management, steganography, and network security. He is an honorary member of the Phi Tau Phi Scholastic Honor Society.

Gwoboa Horng received his BS degree in Electrical Engineering from the National Taiwan University in 1981 and his MS and PhD degrees from the University of Southern California in 1987 and 1992, respectively, all in Computer Science. Since 1992, he has been on the faculty of the Institute of Computer Science at National Chung-Hsing University, Taichung, Taiwan, R.O.C. His current research interests include artificial intelligence, cryptography, and information security.