Step 2: The registration center computes the messages
ri = h(PWi || fi) and
ei = h(IDi || Xs) ⊕ h(PWi || fi),
where fi = h(Bi) and Xs is the secret information generated by Si.

Step 3: The registration center stores (IDi, h(.), fi, ei) into the user's smart card and then sends it to the user through a secure channel.

Figure 1. The registration phase. Message flow recovered from the figure: Ci sends (IDi, Bi, PWi) to Ri; Ri computes ri = h(PWi || fi) and ei = h(IDi || Xs) ⊕ h(PWi || fi), stores (IDi, h(.), fi, ei) in the smart card, and returns the smart card to Ci.

2.2 The Login Phase

Whenever a user wants to log in to the server, the following steps are performed, as shown in Figure 2.

Step 1: The user inserts the smart card into the smart card reader of a terminal and presents the personal biometric, Bi, on the specific device that verifies user biometrics. Next, the system checks whether h(Bi) = fi.

Step 2: If it holds, the user passes the biometric verification and then inputs PWi. Otherwise, the user did not pass the biometric verification and the client terminates the session.

Step 3: After receiving Ci's password, the smart card computes the messages
ri' = h(PWi || fi),
M1 = ei ⊕ ri' = h(IDi || Xs), and
M2 = M1 ⊕ Rc,
where Rc is a random number generated by the user.

Step 4: Finally, Ci sends the messages (IDi, M2) to Si.

Figure 2. The login phase (only the first line of the figure is recoverable here): Ci inserts the smart card and offers Bi, then proceeds with Si as in Steps 1-4.

2.3 The Authentication Phase

Step 1: Si checks whether the format of Ci's IDi is valid.

Step 2: If it holds, Si computes the messages
M3 = h(IDi || Xs),
M4 = M2 ⊕ M3 = Rc,
M5 = M3 ⊕ Rs, and
M6 = h(M2 || M4),
where Rs is a random number generated by the server, to provide mutual authentication between client and server.

Step 3: Next, Si sends the messages (M5, M6) to Ci.

Step 4: On receiving Si's message, Ci checks whether M6 = h(M2 || Rc).

Step 5: If it holds, Ci considers Si authenticated and computes the following messages to complete the mutual authentication between client and server:
M7 = M5 ⊕ M1 = Rs,
M8 = h(M5 || M7),
where M7 is the random number of the server. Since the client knows M1 = h(IDi || Xs), it can send back M8 = h((h(IDi || Xs) ⊕ Rs) || Rs).

Step 6: Ci sends the message M8 to Si.

Step 7: On receiving Ci's message, Si checks whether M8 = h(M5 || Rs).

Step 8: If it holds, the server accepts Ci's login request; otherwise, it rejects it.

Figure 3. The authentication phase. Message flow recovered from the figure: on receiving (IDi, M2), Si checks the format of Ci's IDi, computes M3 = h(IDi || Xs), M4 = M2 ⊕ M3 = Rc, M5 = M3 ⊕ Rs and M6 = h(M2 || M4), and sends (M5, M6) to Ci; Ci verifies M6 ?= h(M2 || Rc), computes M7 = M5 ⊕ M1 and M8 = h(M5 || M7), and sends M8 to Si; Si verifies M8 ?= h(M5 || Rs).
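The three phases above, and the attacks that Section 3 builds on them, are easiest to check by running them. The following Python script is an added example, not code from Li and Hwang's paper or from this one. It simulates registration, login and authentication with both sides' messages, then runs the offline password-guessing attack of Section 3.2 on (fi, ei) read from the card and (M2, M6) captured from a single login, and finally uses the recovered h(IDi || Xs) to pass as the client to the real server and as the server to an honest client (Sections 3.1 and 3.3). Instantiating h(.) as SHA-256 and "||" as byte concatenation, 32-byte random numbers, and the identities, secrets and candidate-password list are all assumptions made here, not choices from the paper.

```python
"""Added example: Li and Hwang's scheme as described above (SHA-256 stands
in for h(.), '||' is byte concatenation; both are assumptions), plus the
password-guessing and impersonation attacks of Section 3."""
import hashlib
import secrets

XS = b"constructed-server-secret-Xs"   # Si's long-term secret Xs (constructed)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) instantiated as SHA-256 of the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Registration phase: Ri derives fi, ei and stores (IDi, h, fi, ei) on the card.
def register(id_i: bytes, pw_i: bytes, bio_i: bytes) -> dict:
    f_i = h(bio_i)
    e_i = xor(h(id_i, XS), h(pw_i, f_i))
    return {"id": id_i, "f": f_i, "e": e_i}


# Login phase: the card checks h(Bi) = fi, then derives M1 and M2.
def client_login(card: dict, bio_i: bytes, pw_i: bytes):
    if h(bio_i) != card["f"]:
        raise ValueError("biometric verification failed; session terminated")
    m1 = xor(card["e"], h(pw_i, card["f"]))   # = h(IDi || Xs) for the right PWi
    rc = secrets.token_bytes(32)              # Rc, the client's random number
    m2 = xor(m1, rc)
    return m1, rc, m2                         # (IDi, M2) is sent to Si


# Authentication phase, Si side (Steps 1-3): recover Rc, answer with (M5, M6).
def server_respond(id_i: bytes, m2: bytes):
    m3 = h(id_i, XS)
    m4 = xor(m2, m3)                          # = Rc
    rs = secrets.token_bytes(32)              # Rs, the server's random number
    m5 = xor(m3, rs)
    m6 = h(m2, m4)
    return rs, m5, m6


# Authentication phase, Ci side (Steps 4-6): verify M6, recover Rs, build M8.
def client_finish(m1, rc, m2, m5, m6) -> bytes:
    if m6 != h(m2, rc):
        raise ValueError("server authentication failed")
    m7 = xor(m5, m1)                          # = Rs
    return h(m5, m7)                          # M8


# Authentication phase, Si side (Steps 7-8).
def server_accept(m5: bytes, rs: bytes, m8: bytes) -> bool:
    return m8 == h(m5, rs)


# Section 3.2: (fi, ei) read off the card, (M2, M6) sniffed from one login.
# The check needs no further interaction, so every guess is verified offline.
def guess_password(f_i, e_i, m2, m6, candidates):
    for pw in candidates:
        rc_guess = xor(xor(e_i, h(pw, f_i)), m2)   # Rc' = ei ⊕ h(PW' || fi) ⊕ M2
        if h(m2, rc_guess) == m6:
            return pw
    return None


# Sections 3.1/3.3: secret = h(IDi || Xs) is all the server ever checks, so
# whoever holds it logs in without card, biometric or password.
def impersonate_client(id_i: bytes, secret: bytes) -> bool:
    m2 = xor(secret, secrets.token_bytes(32))  # M2' = h(IDi || Xs) ⊕ Rc'
    rs, m5, m6 = server_respond(id_i, m2)      # the real server answers
    m8 = h(m5, xor(m5, secret))                # Rs = M5 ⊕ secret, M8 = h(M5 || Rs)
    return server_accept(m5, rs, m8)


# Section 3.3: the same value lets the adversary answer as Si to an honest client.
def impersonate_server(card, bio_i, pw_i, secret) -> bool:
    m1, rc, m2 = client_login(card, bio_i, pw_i)   # honest (IDi, M2) arrives
    rs_fake = secrets.token_bytes(32)
    m5 = xor(secret, rs_fake)
    m6 = h(m2, xor(m2, secret))                     # = h(M2 || Rc)
    m8 = client_finish(m1, rc, m2, m5, m6)          # client accepts the fake Si
    return m8 == h(m5, rs_fake)


if __name__ == "__main__":
    card = register(b"alice", b"passw0rd", b"fingerprint-template")
    m1, rc, m2 = client_login(card, b"fingerprint-template", b"passw0rd")
    rs, m5, m6 = server_respond(card["id"], m2)
    print("honest login accepted:", server_accept(m5, rs, client_finish(m1, rc, m2, m5, m6)))
    pw = guess_password(card["f"], card["e"], m2, m6, [b"123456", b"letmein", b"passw0rd"])
    print("recovered password:", pw)
    secret = xor(card["e"], h(pw, card["f"]))        # = h(IDi || Xs)
    print("client impersonated:", impersonate_client(card["id"], secret))
    print("server impersonated:", impersonate_server(card, b"fingerprint-template", pw, secret))
```

Two things are worth noticing when running it. The check M6 = h(M2 || Rc') involves nothing the server holds, so each guess costs two hash evaluations and the search runs at dictionary speed with no further traffic; a low-entropy password falls immediately, as the third candidate above does. And the biometric check in client_login rejects a wrong Bi before any password is used, but that check lives entirely on the card: the server never sees it, which is why possession of h(IDi || Xs) alone is enough for impersonate_client to be accepted.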
ei'' = ei' ⊕ h(PWi^new || fi). The stored ei is then replaced with ei'' and PWi has been changed to PWi^new.

Figure 4. Change password phase. Message flow recovered from the figure: Ci inserts the smart card and offers Bi; the card verifies h(Bi) ?= fi, then Ci inputs PWi and PWi^new; the card computes ri' = h(PWi || fi), ei' = ei ⊕ ri' = h(IDi || Xs) and ei'' = ei' ⊕ h(PWi^new || fi), and replaces ei with ei''. No message is exchanged with Si in the recovered figure.

3. The Weaknesses of Li and Hwang's Proposed Scheme

Li and Hwang's proposed scheme enables users to change their passwords freely and provides mutual authentication between the user and the server. Its most significant feature is that its operating mechanism is based on the users' personal biometrics. However, the scheme still retains three weaknesses, as explained below.

3.1 It cannot protect against impersonation attacks

In the authentication phase, the server only checks the format of the client's identity and, if it holds, computes the messages (M3, M4, M5, M6) from the (IDi, M2) it received in the login phase. Everything the server verifies therefore depends on the single value h(IDi || Xs), which the server can compute for any IDi from its secret Xs without ever seeing the card, the biometric Bi or the password PWi. A malicious server can thus forge M2' from (IDi, M2) and Xs, since it knows M1 = M3 = h(IDi || Xs); therefore, the attacker can impersonate the client. The detailed procedure is given below:

Step 1: The malicious server computes the hash value h(IDi || Xs) itself and sends h(IDi || Xs) to the adversary.

Step 2: After receiving h(IDi || Xs), the adversary chooses a random number Rc' and computes M2' = h(IDi || Xs) ⊕ Rc'. The adversary can now masquerade as IDi and send the login request message (IDi, M2') to the server.

Step 3: From the server's reply, the adversary uses h(IDi || Xs) to recover the random number Rs chosen by the server (Rs = M5 ⊕ h(IDi || Xs)) and computes M8 = h((h(IDi || Xs) ⊕ Rs) || Rs), which passes the server's check in Step 7 of the authentication phase, so the login is accepted.

The drawback exists because the server never executes the biometric verification process itself; this is what makes the insider attack above possible. Furthermore, the scheme cannot achieve non-repudiation, since the server can produce every value a client would.

3.2 It cannot withstand password-guessing attacks

According to [7], [8], data stored in a smart card is exposed, because the secret information stored in the card can be extracted by monitoring its power consumption (power analysis attacks). Using such an attack, the attacker obtains the message (fi, ei) from the card and intercepts the message (M2, M6) from the network. The attacker then guesses a password PWi', computes Rc' = ei ⊕ h(PWi' || fi) ⊕ M2, and checks whether M6 = h(M2 || Rc'). If it holds, the attacker has found the password and can masquerade as the user. Otherwise, the attacker tries the next guessed password PWi' until M6 = h(M2 || Rc') holds. Note that this check requires no further interaction with the server: one captured login transcript suffices, each guess costs two hash evaluations, and the search proceeds offline at dictionary speed. A detailed description is given below:

Step 1: Using power analysis, the adversary obtains the message (fi, ei) from the smart card.

Step 2: The adversary intercepts the message (M2, M6) from the network.

Step 3: Choosing a password PWi', the adversary computes Rc' = ei ⊕ h(PWi' || fi) ⊕ M2 and checks whether M6 = h(M2 || Rc').

Step 4: If it holds, the guessed password PWi' is the correct password; thus, the adversary can masquerade as the user.

Step 5: Otherwise, the adversary tries the next password guess until M6 = h(M2 || Rc') holds.

3.3 Adversary can impersonate not only the client but also the server

Through a power analysis attack and the password-guessing attack of Section 3.2, the attacker obtains h(IDi || Xs) (as ei ⊕ h(PWi || fi) once PWi is known); with this value the attacker can masquerade not only as the client but also as the server. As the attacker can intercept the message (IDi, M2) from the network, it can use h(IDi || Xs) to compute the messages (M3, M4, M5, M6) and thereby masquerade as the server as well.

4. Conclusions

This paper points out that the scheme proposed by Li and Hwang is not secure enough against several weaknesses and shows that it cannot withstand impersonation and power-analysis attacks. The attacker can break in as a legal user and intercept messages from the network to masquerade as the user. Although Li and Hwang's proposed personal-biometrics scheme is practical in some fields, its security is substandard.

Acknowledgment

This work was partially supported by the National Science Council, Taiwan, R.O.C. under Grant NSC 98-2221-E-324-019.
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 3, March 2010
References

[1] L. Lamport, “Password authentication with insecure communication”, Communications of the ACM, vol. 24, pp. 770–772, 1981.
[2] M.S. Hwang and L.H. Li, “A new remote user authentication scheme using smart cards”, IEEE Transactions on Consumer Electronics, vol. 46, pp. 28–30, 2000.
[3] M. Kim and C.K. Koc, “A simple attack on a recently introduced hash-based strong-password authentication scheme”, International Journal of Network Security, vol. 1, pp. 77–80, 2005.
[4] N.Y. Lee and Y.C. Chiu, “Improved remote authentication scheme with smart card”, Computer Standards and Interfaces, vol. 27, pp. 177–180, 2005.
[5] C.T. Li and M.S. Hwang, “An online biometrics-based secret sharing scheme for multiparty cryptosystem using smart cards”, International Journal of Innovative Computing, Information and Control, 2009.
[6] C.T. Li and M.S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards”, Journal of Network and Computer Applications, vol. 33, pp. 1–5, 2010.
[7] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, “Examining smart-card security under the threat of power analysis attacks”, IEEE Transactions on Computers, vol. 51, pp. 541–552, 2002.
[8] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis”, Proceedings of Advances in Cryptology, pp. 388–397, 1999.