(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 3, March 2010

Cryptanalysis of an efficient biometrics-based remote user authentication scheme using smart cards

Fuw-Yi Yang 1 and Jian-Sen Wang 2

1 Department of Computer Science and Information Engineering, Chaoyang University of Technology, 168 Jifong E. Rd., Wufong Township Taichung County, 41349, Taiwan, R.O.C.
yangfy@cyut.edu.tw

2 Department of Computer Science and Information Engineering, Chaoyang University of Technology, 168 Jifong E. Rd., Wufong Township Taichung County, 41349, Taiwan, R.O.C.
s9827619@cyut.edu.tw

Abstract: The authors Li and Hwang have proposed an efficient biometrics-based remote user authentication scheme using smart cards. Security is provided through one-way hash functions and biometrics verification. This scheme is more efficient than other related schemes and enables the users to change their passwords freely. However, there are some flaws in it, such as vulnerability to impersonation attacks, password-guessing attacks, and power analysis attacks. Thus, this paper shows that the scheme proposed by Li and Hwang can be susceptible to certain types of attacks.

Keywords: Biometrics, remote user authentication, impersonation attacks, password-guessing attacks, power analysis attacks

1. Introduction

In an insecure network environment, user authentication is a significant component of security. Remote user authentication schemes are used to verify the validity of the user login request. In 1981, Lamport [1] proposed a remote user authentication scheme with verification tables. However, Hwang and Li pointed out that if the verification tables were modified or stolen, the remote authentication system would be influenced. Therefore, in 2000, Li and Hwang proposed [2] a remote user authentication scheme without any verification tables, using smart cards.

In general, ID-based remote user authentication schemes are based on passwords [3], [4]. As simple passwords are easy to break, many schemes have been proposed to enhance the security of remote user authentication. But passwords can be lost, forgotten, or shared with other people, and thus there is no way to know who the actual user is. Therefore, such schemes cannot provide non-repudiation. Hence, biometric keys have been proposed [5], which are based on personal characteristics such as fingerprints, palm prints, and irises.

Li and Hwang have proposed an efficient biometrics-based remote user authentication scheme using smart cards [6], which, however, could not withstand the impersonation and power consumption attacks. This paper shall point out the flaws of this proposed scheme.

The rest of this paper is organized as follows. In Section 2, we give a brief review of Li and Hwang's proposed scheme, and then, in Section 3, we demonstrate this scheme's weaknesses. Finally, we conclude this paper in Section 4.

2. Review of Li and Hwang's proposed scheme

Li and Hwang proposed an efficient biometrics-based remote user authentication scheme using smart cards. The scheme is divided into three phases: registration phase, login phase, and authentication phase. Here, we briefly introduce the three phases. In Table 1, we list the notations and abbreviations used in their scheme. The three phases are as follows:

Table 1: Notations used in their scheme
  Ci     Client
  Si     Server
  Ri     Trust registration center
  IDi    Identity of the user
  PWi    Password of the user between Ci and Si
  Bi     Biometrics template of the user
  h(.)   One-way hash function
  Xs     Secret information maintained by the Si
  Rc     Random number chosen by the Ci
  Rs     Random number chosen by the Si
  ||     Concatenation
  ⊕      XOR operation

2.1 The Registration Phase

Before the users log in to the system, they must perform the following steps, as shown in Figure 1.
Step 1: The users offer their personal biometrics, Bi, on the specific device and input the password, PWi, and the user identity, IDi, to the registration center in person.
Step 2: The registration center computes the messages ri = h(PWi || fi) and ei = h(IDi || Xs) ⊕ h(PWi || fi), where fi = h(Bi) and Xs is the secret information generated by Si.
Step 3: The registration center stores (IDi, h(.), fi, ei) into the user's smart card and then sends it to the user through a secure channel.

Figure 1. The registration phase
  Ci -> Ri: IDi, Bi, PWi
  Ri: computes ri = h(PWi || fi), ei = h(IDi || Xs) ⊕ h(PWi || fi); stores (IDi, h(.), fi, ei) in the smart card
  Ri -> Ci: smart card

2.2 The Login Phase

Whenever the users want to log in to the server, they need to perform the following steps, as shown in Figure 2.
Step 1: The users insert their smart card into the smart card reader of a terminal and offer their personal biometrics, Bi, on the specific device to verify user biometrics. Next, the system checks if h(Bi) = fi.
Step 2: If it holds, the user passes the biometrics verification. Then the user inputs the PWi. Otherwise, it means the user did not pass the biometrics verification and the client terminates the session.
Step 3: After receiving Ci's password, the smart card will compute the messages ri' = h(PWi || fi), M1 = ei ⊕ ri' = h(IDi || Xs), and M2 = M1 ⊕ Rc, where Rc is a random number generated by the user.
Step 4: Finally, Ci sends the messages (IDi, M2) to Si.

Figure 2. The login phase
  Ci: inserts the smart card and offers Bi; verifies h(Bi) =? fi; inputs PWi; computes ri' = h(PWi || fi), M1 = ei ⊕ ri', M2 = M1 ⊕ Rc
  Ci -> Si: IDi, M2

2.3 The Authentication Phase

On receiving the login request message, Si will authenticate whether the user is legal or not in the following manner, as shown in Figure 3.
Step 1: Si checks if the format of Ci's IDi is valid or not.
Step 2: If the above-mentioned holds, Si computes the messages M3 = h(IDi || Xs), M4 = M2 ⊕ M3 = Rc, M5 = M3 ⊕ Rs, and M6 = h(M2 || M4) to provide mutual authentication between client and server.
Step 3: Next, Si sends the messages (M5, M6) to Ci.
Step 4: On receiving Si's message, Ci checks if M6 = h(M2 || Rc).
Step 5: If the above-mentioned holds, Ci considers that Si is authenticated and then computes the following messages to offer mutual authentication between client and server: M7 = M5 ⊕ M1 = Rs and M8 = h(M5 || M7), where M7 is the random number of the server. The client, which knows M1 = h(IDi || Xs), can send back the message M8 = h((h(IDi || Xs) ⊕ Rs) || Rs).
Step 6: Ci sends the message M8 to Si.
Step 7: On receiving Ci's message, Si checks if M8 = h(M5 || Rs).
Step 8: If it holds, the server accepts Ci's login request; otherwise, it rejects it.

Figure 3. The authentication phase
  Si: checks the format of Ci's IDi; computes M3 = h(IDi || Xs), M4 = M2 ⊕ M3 = Rc, M5 = M3 ⊕ Rs, M6 = h(M2 || M4)
  Si -> Ci: M5, M6
  Ci: verifies M6 =? h(M2 || Rc); computes M7 = M5 ⊕ M1, M8 = h(M5 || M7)
  Ci -> Si: M8
  Si: verifies M8 =? h(M5 || Rs)

2.4 Changing of password

Whenever the users want to change their passwords, they can easily and freely change the password PWi to a new password, PWi_new, as shown in Figure 4.
Step 1: The users insert their smart card in the smart card reader and offer their biometrics to the specific device in order to verify the user biometrics.
Step 2: If it holds, the user can input the old password, PWi, and the new password, PWi_new.
Step 3: The smart card computes ri' = h(PWi || fi), ei' = ei ⊕ ri' = h(IDi || Xs), and
ei'' = ei' ⊕ h(PWi_new || fi); then ei is replaced with ei'' and PWi has been changed to PWi_new.

Figure 4. Change password phase
  Ci: inserts the smart card and offers Bi; verifies h(Bi) =? fi; inputs PWi and PWi_new; computes ri' = h(PWi || fi), ei' = ei ⊕ ri' = h(IDi || Xs), ei'' = ei' ⊕ h(PWi_new || fi); ei is replaced with ei''

3. The Weaknesses of Li and Hwang's Proposed Scheme

It can be seen that Li and Hwang's proposed scheme enables users to change their passwords freely and provides mutual authentication between the user and the server. The most significant feature of this scheme is that its operating mechanism is based on the users' personal biometrics. However, Li and Hwang's proposed scheme still retains three weaknesses, as explained below.

3.1 It cannot protect against impersonation attacks

In the authentication phase, the server checks the format of the client's identity; if it holds, the server computes the messages (M3, M4, M5, M6), and the server can get the message (IDi, M2) from the client in the login phase. The server can use the message (IDi, M2) and the secret information Xs to forge M2', since it obtains M1 = M3 = h(IDi || Xs); therefore, the attacker can impersonate the client. The detailed procedure is given below:
Step 1: The malicious server can compute the hash value h(IDi || Xs) itself, and sends the message h(IDi || Xs) to the adversary.
Step 2: After receiving the message h(IDi || Xs), the adversary chooses the random number Rc' to compute M2' = h(IDi || Xs) ⊕ Rc'. The adversary can masquerade as IDi and send the login request message (IDi, M2') to the server.
Step 3: The adversary can use the hash value h(IDi || Xs) to compute the random number Rs chosen by the server. The adversary will compute M8 = h((h(IDi || Xs) ⊕ Rs) || Rs) to pass the validity check of the login process. The drawback exists because the server does not execute the biometrics verification process, thus allowing the insider attack described above. Furthermore, the scheme cannot achieve non-repudiation.

3.2 It cannot withstand password-guessing attacks

According to some of the research work [7], [8], storing data in a smart card is vulnerable, because the secret information stored in the smart card could be extracted by monitoring its power consumption (power analysis attacks). Using power consumption attacks, the attacker can get the message (fi, ei) and intercept the message (M2, M6) from the network. Through password-guessing attacks, the attacker can guess the password PWi', compute the value Rc' = ei ⊕ h(PWi' || fi) ⊕ M2, and check if M6 = h(M2 || Rc'). If it holds, the attacker can masquerade as the user. Otherwise, the attacker can try the next guessed password PWi' until M6 = h(M2 || Rc') is true. A detailed description is given below:
Step 1: Using power consumption, the adversary gets the message (fi, ei).
Step 2: The adversary intercepts the message (M2, M6) from the network.
Step 3: By choosing a password PWi', the adversary computes Rc' = ei ⊕ h(PWi' || fi) ⊕ M2 to check if M6 = h(M2 || Rc').
Step 4: If the above-mentioned holds, it means the guessed password, PWi', is the correct password; thus, the adversary can masquerade as the user.
Step 5: On the contrary, if it does not hold, the adversary tries the next password guess until M6 = h(M2 || Rc') is true.

3.3 Adversary can impersonate not only the client but also the server

Through a power analysis attack and the above-mentioned statement 3.2, the attacker can get the value of h(IDi || Xs); then, the attacker can masquerade not only as the client but also as the server. As the attacker can intercept the message (IDi, M2) from the network, using the value h(IDi || Xs) it can compute the messages (M3, M4, M5, M6) to masquerade as the server as well.

4. Conclusions

This paper points out that the scheme proposed by Li and Hwang is not secure enough against some weaknesses and proves that it is incapable of withstanding impersonation and power consumption attacks. The attacker can break in as a legal user and intercept the messages from the network to masquerade as the user. Although Li and Hwang's proposed personal biometrics scheme is practical in some fields, its security is substandard.

Acknowledgment

This work was partially supported by the National Science Council, Taiwan, R.O.C. under Grant NSC 98-2221-E-324-019.
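The following Python script is added here as a worked example; it is not code from the paper or from Li and Hwang's scheme. It models the four phases reviewed in Section 2 with SHA-256 standing in for h(.), and then exercises the two properties argued in Section 3: that the server accepts any party holding only h(IDi || Xs), because it never checks Bi or PWi (Sections 3.1 and 3.3), and that a password candidate can be verified against (fi, ei, M2, M6) with no further interaction with the server (Section 3.2). Function names, the 32-byte length of Rc and Rs, and the sample identity, password and template values are assumptions of this model.

```python
# Toy model of the Li-Hwang scheme as reviewed in Section 2, followed by the
# checks behind Sections 3.1/3.3 and 3.2. Added example, not code from the
# paper: h(.) is modelled with SHA-256 and every random number is 32 bytes so
# that XOR lines up with the digest length (assumptions of this model).
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...) over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


# 2.1 Registration: Ri computes fi = h(Bi) and ei = h(IDi || Xs) xor h(PWi || fi).
def register(id_i: bytes, pw_i: bytes, b_i: bytes, xs: bytes) -> dict:
    f_i = h(b_i)
    e_i = xor(h(id_i, xs), h(pw_i, f_i))
    return {"ID": id_i, "f": f_i, "e": e_i}  # what the smart card stores


# 2.2 Login (client side): returns (IDi, M2) for the server plus M1, which the
# card keeps for the authentication phase; None if the biometrics do not match.
def login(card: dict, b_i: bytes, pw_i: bytes, rc: bytes):
    if h(b_i) != card["f"]:
        return None
    m1 = xor(card["e"], h(pw_i, card["f"]))  # equals h(IDi || Xs) iff PWi is right
    return card["ID"], xor(m1, rc), m1


# 2.3 Authentication, server steps 1-3: only the format of IDi is checked.
def server_challenge(id_i: bytes, m2: bytes, xs: bytes, rs: bytes):
    m3 = h(id_i, xs)
    m4 = xor(m2, m3)  # equals Rc only if the sender knew h(IDi || Xs)
    m5 = xor(m3, rs)
    return m5, h(m2, m4)  # (M5, M6)


# Client steps 4-6: verify M6, then answer with M8 = h(M5 || M7), M7 = Rs.
def client_response(m1: bytes, m2: bytes, rc: bytes, m5: bytes, m6: bytes):
    if m6 != h(m2, rc):
        return None
    return h(m5, xor(m5, m1))


# Server steps 7-8.
def server_verify(m5: bytes, rs: bytes, m8) -> bool:
    return m8 is not None and m8 == h(m5, rs)


def run_login(card: dict, b_i: bytes, pw_i: bytes, xs: bytes) -> bool:
    """Complete honest run of the login and authentication phases."""
    rc, rs = os.urandom(32), os.urandom(32)
    req = login(card, b_i, pw_i, rc)
    if req is None:
        return False
    id_i, m2, m1 = req
    m5, m6 = server_challenge(id_i, m2, xs, rs)
    return server_verify(m5, rs, client_response(m1, m2, rc, m5, m6))


# 2.4 Password change, performed entirely on the card.
def change_password(card: dict, b_i: bytes, pw_old: bytes, pw_new: bytes) -> bool:
    if h(b_i) != card["f"]:
        return False
    e_prime = xor(card["e"], h(pw_old, card["f"]))   # ei' = h(IDi || Xs)
    card["e"] = xor(e_prime, h(pw_new, card["f"]))   # ei''
    return True


# 3.2: (fi, ei) read from the card plus (M2, M6) from one captured session let a
# password candidate be verified with no interaction: Rc' = ei xor h(PW' || fi)
# xor M2, and the candidate is right iff M6 == h(M2 || Rc'). The root cause is
# that M6 is computable from the card contents and the password alone.
def password_check_is_offline(f_i, e_i, m2, m6, pw_candidate) -> bool:
    rc_candidate = xor(xor(e_i, h(pw_candidate, f_i)), m2)
    return m6 == h(m2, rc_candidate)


# 3.1 / 3.3: the server never sees Bi or PWi, so a party holding only
# h(IDi || Xs) (a malicious server can compute it; 3.2 recovers it) completes
# the protocol and is accepted as IDi without card, biometrics or password.
def login_with_m1_only(id_i: bytes, m1: bytes, xs: bytes) -> bool:
    rc, rs = os.urandom(32), os.urandom(32)
    m2 = xor(m1, rc)
    m5, m6 = server_challenge(id_i, m2, xs, rs)
    return server_verify(m5, rs, client_response(m1, m2, rc, m5, m6))


if __name__ == "__main__":
    xs = os.urandom(32)  # constructed server secret
    card = register(b"alice", b"pw-1", b"fingerprint-template", xs)
    print("honest login accepted:", run_login(card, b"fingerprint-template", b"pw-1", xs))
    print("h(IDi||Xs) alone accepted:", login_with_m1_only(b"alice", h(b"alice", xs), xs))
```

Both prints show True. The model makes the root cause of Section 3 concrete: the only long-term secret that the server ever verifies is h(IDi || Xs), and that value is fully determined by the card contents (fi, ei) together with the password, so the biometrics check stays local to the terminal and M6 can be recomputed by anyone who holds the card data and a password candidate.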

References
[1] L. Lamport, “Password authentication with insecure communication”, Communications of the ACM, vol. 24, pp. 770–772, 1981.
[2] M.S. Hwang and L.H. Li, “A new remote user authentication scheme using smart cards”, IEEE Transactions on Consumer Electronics, vol. 46, pp. 28–30, 2000.
[3] M. Kim and C.K. Koc, “A simple attack on a recently introduced hash-based strong-password authentication scheme”, International Journal of Network Security, vol. 1, pp. 77–80, 2005.
[4] N.Y. Lee and Y.C. Chiu, “Improved remote authentication scheme with smart card”, Computer Standards and Interfaces, vol. 27, pp. 177–180, 2005.
[5] C.T. Li and M.S. Hwang, “An online biometrics-based secret sharing scheme for multiparty cryptosystem using smart cards”, International Journal of Innovative Computing Information and Control, 2009.
[6] C.T. Li and M.S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards”, Journal of Network and Computer Applications, vol. 33, pp. 1–5, 2010.
[7] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, “Examining smart-card security under the threat of power analysis attacks”, IEEE Transactions on Computers, vol. 51, pp. 541–552, 2002.
[8] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis”, Proceedings of Advances in Cryptology, pp. 388–397, 1999.
