Abstract
In recent years, several dynamic ID-based remote user authentication schemes have been proposed. In 2012, Wen and Li proposed a dynamic ID-based remote user authentication with key agreement scheme. They claimed that their scheme can resist impersonation attack and insider attack and provide anonymity for the users. However, we will show that Wen and Li's scheme cannot withstand insider attack, does not provide forward secrecy or anonymity for the users, and is inefficient for error password login. In this paper, we propose a novel ECC-based remote user authentication scheme which is immune to various known types of attack and is more secure and practical for mobile clients.
1. Introduction
Smart card authentication is the most commonly used authentication method by which legal users access the resources provided by remote servers. Due to its simplicity and convenience, it is used in many areas such as E-banks or remote host login. Over the past few years, a considerable number of authentication protocols [1–7] have been proposed. However, most of these schemes are based on static ID and have some flaws such as server spoofing attack, insider attack, and impersonation attack. Based on previous research, an ideal password authentication scheme should achieve the following goals. First, the server should not maintain any verifier table and the user can choose and change his/her password freely. Second, the remote user authentication scheme should meet all the security requirements and achieve all the goals. Third, the remote user authentication scheme has low communication and computation cost. In 2004, Das et al. [8] presented a dynamic ID-based remote user authentication scheme using smart cards. They pointed out that their scheme does not maintain any verifier table and can resist the replay attack, forgery attacks, guessing attacks, and insider attacks. However, in 2009, Wang et al. [9] pointed out that Das et al.’s scheme does not achieve mutual authentication and could not resist impersonation attack. Then, Wang et al. proposed an enhanced password authentication scheme which keeps the merits of Das et al.’s scheme. After that, Tsai et al. [10] showed that Wang et al.’s scheme cannot achieve user anonymity since both and its dynamic are presented in the login message. Tsai et al. then demonstrated that Wang et al.’s scheme is also vulnerable to the impersonation attack. In the same year, Yeh et al. [11] showed that Wang et al.’s scheme is insecure against replay attack, user impersonation attack, server counterfeit attack, man-in-the-middle attack, and password guessing attacks.
They proposed an enhanced protocol to overcome all identified security flaws. In 2011, Khan et al. [12] showed that Wang et al.’s scheme does not provide anonymity of a user during authentication, is vulnerable to insider attack and stolen smart card attack, does not provide session key agreement, and gives its user no choice in choosing his password. They covered all the flaws of Wang et al.’s scheme and proposed an enhanced authentication scheme. In 2012, Madhusudhan and Mittal [13] presented six of the currently available dynamic ID-based remote user authentication schemes; none of these schemes meet all the security requirements. In 2012, Wen and Li [14] analyzed Wang et al.’s scheme and pointed out that their scheme is vulnerable to impersonation attack; only through intercepting and modifying the messages transmitted in the public networks, the adversary could impersonate the legal user to log in to the server. Moreover, an insider user who has registered in the remote server can reveal some secret information of the server and the other user. Later, Wen et al. proposed an improved scheme, which can resist impersonation attack, avoiding partial information leakage and providing anonymity for the users.
1.1. Our Contributions
In this paper, we study Wen and Li’s scheme and show that their scheme cannot withstand insider attack and does not provide forward secrecy, and that, through eavesdropping on the user’s login request message in the public networks, the user can be traced out. Furthermore, a secure dynamic-ID remote user authentication scheme using ECC is proposed in this paper. The proposed scheme is immune to various known types of attack and is more secure and practical for mobile clients. The remainder of this paper is organized as follows. We give a brief review of Wen and Li’s scheme in Section 2. In Section 3, the security flaws of Wen and Li’s scheme are presented. In Section 4, we propose an enhanced authentication protocol. In Section 5, we make security analysis and performance analysis. Finally, we give some conclusions in Section 6.
2. Review of Wen and Li’s Scheme
In this section, we briefly review Wen and Li’s scheme [14], which is composed of seven phases: registration phase, login phase, authentication phase and key exchange phase, mutual authentication, and key confirmation phase.
2.1. Registration Phase
(1) When a user wants to register in the remote server, he/she sends his/her chosen , , to the remote server via a secret channel.
(2) computes , where is the user’s number and is a one-way hash function. The unique number is kept by to check the validity of the smart card, but the server does not need to keep the or password tables. Then computes , = , where is the server’s secret number kept by itself in private.
(3) personalizes the smart card with the following parameters .
(4) sends the smart card to via a secret channel.
2.2. Login Phase
When a user wants to login , then inserts his/her smart card in the terminal and keys and . The smart card computes , , , and forwards the login request message to the server .
2.3. Authentication and Key Exchange Phase
Upon receiving the login request message , performs the following steps.
(1) Check if the time interval , where is the current timestamp; if it holds and is in the registered list, continues the next step.
(2) computes , , , and checks whether the equation holds.
(3) If so, computes , and the session key , and key confirmation message .
(4) sends the message .
2.4. Mutual Authentication and Key Confirmation Phase
When received at time , performs the following steps.
(1) Check whether is valid.
(2) If the time interval is valid, computes and verifies that the following equation holds: .
(3) computes , and then check if the equation holds. If it holds, computes .
(4) sends the message to the server .
(5) verifies whether or not. If the equation holds, the scheme is over.
3. Flaws of Wen and Li’s Scheme
In this section, we will demonstrate that Wen and Li’s scheme is vulnerable to insider attack, does not provide the user’s anonymity, and is inefficient in error password login. Moreover, when the private key of the server is compromised, the adversary can obtain all the previous session keys between the user and the server .
3.1. User Anonymity
Wen and Li claimed that their scheme provides the property of the user’s anonymity. However, we found that the user’s anonymity of Wen and Li’s scheme cannot be protected from an eavesdropping attack in the login phase. The attacker can eavesdrop the user ’s login request message between the user and the server from the public channel; both and in the login request message are kept the same until the user’s password is updated. In other words, a malicious attacker is capable of tracing out the user according to and which is in the ’s login request message. Therefore, Wen and Li’s scheme fails in providing the privacy and anonymity of during the login phase.
3.2. Insider Attack
An insider attack occurs when the user’s password is derived by the privileged insider of the registration server in the registration protocol. In many scenarios, if the user registers to the server with a plaintext password, an insider of the server can impersonate the user’s login by abusing the legitimate user’s password and can get access to the other systems. As mentioned in the registration phase of Wen and Li’s scheme, the user sends his and to the server over a secure channel. So, the password of the user will be revealed to the server . The privileged insider of the remote system could impersonate to access the other remote system that has registered with outside this system. That is, Wen and Li’s scheme is vulnerable to insider attack.
3.3. Inefficiency for Error Password Login
In Wen and Li’s scheme, even if inputs an error password in login phase, the smart card still sends ’s login request message to the server . Both the login phase and authentication phase are still performed, and this process does not terminate until checks whether the equation holds. This situation wastes unnecessary extra communication and computation cost. So, the password authentication is delayed and inefficient.
3.4. Perfect Forward Secrecy
A protocol is said to provide perfect forward secrecy if the compromise of the long-term private keys related to participating entities does not affect the security of previous session keys. In Wen and Li’s scheme, when the private key of the server is compromised and an adversary has intercepted ’s previous login request messages and the message over public networks, then the adversary can compute , , . Then all the past session keys of Wen and Li’s scheme are compromised to the adversary. From the above discussion, we can conclude that Wen and Li’s scheme fails to provide forward secrecy.
4. Preliminaries
Before the description of our proposed scheme, we introduce the basic concepts of ECC. In every elliptic curve cryptosystem, the elliptic curve equation is defined as the form of : . Given an integer and a point , the point-multiplication over can be defined as ( times). Generally, the security of ECC relies on the difficulty of the following problems.
Definition 1. Given two points and over , the elliptic curve discrete logarithm problem (ECDLP) is to find an integer such that .
Definition 2. Given three points , , and over for , , the computational Diffie-Hellman problem (CDLP) is to find the point over .
5. Proposed Scheme
This section introduces the proposed dynamic ID-based remote user authentication scheme. The proposed scheme is composed of four phases, which are the user registration phase, the login phase, the authentication phase, and the password change phase. The details will be described as follows.
5.1. Registration Phase
(1) When a user wants to register and become a legal user, freely chooses his/her identity and , chooses a random number , and submits , to the via a secure communication channel.
(2) computes , , , where is the server’s secret key kept in secretly.
(3) stores in the smart card and submits the smart card to the via a secure channel.
(4) When receiving the smart card, the user enters into the smart card. At last, the smart card contains parameters .
5.2. Login Phase
If wants to access the server, he/she inserts smart card into the terminal, and keys with , and then the smart card verifies whether the equation holds or not. If they are equal, the smart card accepts the login request and performs the following steps.
(1) The smart card chooses a random and computes , , , , and forwards the login request message to the server .
(2) The smart card sends the login request message to the server over a public channel.
5.3. Verification Phase
(1) After receiving the message , the server computes , , , and verifies whether the equation holds.
(2) If they are equal, it means that is an authentic user and accepts the login request message; otherwise, the login request is rejected. Then, generates a random number , computes , and computes , and the session key and key confirmation message .
(3) sends the message to the user .
(4) When the user receives the message , computes and verifies whether the following equation holds: .
(5) computes and then checks if the equation holds. If it holds, computes .
(6) sends the message to the server .
(7) verifies whether or not. If the equation holds, the mutual authentication is completed.
5.4. Password Change Phase
In this phase, can change his/her password any time when he/she wants without the help of the . The steps of the password change phase are as follows.
(1) inserts his smart card into the smart card reader and then inputs and .
(2) The smart card computes and then checks if the is the same as . If they are the same, inputs a new password and computes , , and then the smart card replaces , with , to finish the password change process.
6. Protocol Analysis
This section describes the security analysis of the proposed scheme and compares performance with Wen and Li’s scheme.
6.1. User Anonymity
Suppose that an adversary intercepts the login request message in the login phase of our scheme; the user has no way of guessing because of the hardness of inverting of hash functions. Moreover, due to the random , the user cannot be traced out from the login request message . Therefore, our scheme is able to preserve the user’s anonymity.
6.2. Perfect Forward Secrecy
Perfect forward secrecy means that even though the user’s password or the server’s secret key is compromised, an adversary still cannot obtain all the past session keys. In our proposed authentication scheme, suppose that an adversary knows the ’s password or the server ’s secret key ; he/she tries to determine all the past session keys . To know the session key , he has to compute or , from the and , which is faced with the hardness of the computational Diffie-Hellman problem. Therefore, our proposed authentication scheme can provide the property of perfect forward secrecy.
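The following is an added example, not code from the paper: it works through the point multiplication and hard problems of Section 4 and the ephemeral Diffie-Hellman argument of Section 6.2 on a toy curve. The curve parameters, the scalar names a and b, and all function names are assumptions made for illustration; the paper's own message and session-key formulas are not reproduced.

```python
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed for illustration only).
# P = (5, 1) generates a group of prime order 19; real schemes use ~256-bit curves.
FIELD, COEF_A, ORDER = 17, 2, 19
P = (5, 1)
INF = None  # point at infinity (group identity)

def add(q, r):
    """Add two curve points with the chord-and-tangent rule."""
    if q is INF:
        return r
    if r is INF:
        return q
    (x1, y1), (x2, y2) = q, r
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF  # r is the inverse of q
    if q == r:
        lam = (3 * x1 * x1 + COEF_A) * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, q):
    """Point multiplication k*q = q + q + ... + q (k times), by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, q)
        q = add(q, q)
        k >>= 1
    return acc

def session(a=None, b=None):
    """One key agreement: fresh scalars a (card) and b (server) per login.
    No long-term key is an input, so leaking one later reveals no past K."""
    a = a or 1 + secrets.randbelow(ORDER - 1)
    b = b or 1 + secrets.randbelow(ORDER - 1)
    a_pub, b_pub = mul(a, P), mul(b, P)  # sent over the public channel
    return a_pub, b_pub, mul(a, b_pub), mul(b, a_pub)

def ecdlp_bruteforce(q):
    """Definition 1 by exhaustive search: find k with q = k*P.
    Feasible only because ORDER is 19; cost grows with the group order."""
    return next(k for k in range(1, ORDER) if mul(k, P) == q)
```

An eavesdropper sees only the two public points returned first by `session`; recovering the shared point from them is the computational Diffie-Hellman problem of Definition 2, which the exhaustive search solves here only because the group has 19 elements.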
6.3. Insider Attack
In our proposed scheme, the user freely chooses and a random number and submits , , to the via a secure communication channel. So the insider of server cannot compute the user’s from because it is protected by hash function. Therefore, the insider attack is impossible in the proposed scheme.
6.4. Replay Attack
A replay attack consists of replaying the same message of the receiver or the sender again. The login request message of our proposed protocol uses a random number instead of a timestamp to protect against replay attack. The random numbers and are generated independently, and both will be different in each login message and each verification phase.
6.5. Mutual Authentication and Session Key Agreement
In our proposed protocol, the user and the server can authenticate each other. The server verifies the legal user by verifying whether the equation holds. And the user can also verify the server by verifying whether and are equal. The mutual authentication protects against server side impersonation. Moreover, the user and the server establish a secure session key in each session. With this session key, the user and the remote server can exchange confidential data securely.
6.6. Performance Comparison
In this section, we summarize the functionality comparisons between our scheme and other remote user authentication schemes in Table 1.
7. Conclusions
In this paper, we discuss several weaknesses in Wen and Li’s dynamic ID-based remote user authentication scheme, such as being vulnerable to insider attack and failing to provide anonymity of a user and perfect forward secrecy. To remedy these weaknesses and improve performance, we have proposed an enhanced remote user authentication scheme that uses elliptic curve cryptography. The proposed scheme not only inherits the merits of their scheme, but also has low computational and communication cost.
Acknowledgment
This research is supported and partly funded by Natural Science Foundation Project of Chongqing Municipal Education Commission (KJ121103).