An Enhanced Verifier-Free Password Authentication Scheme for Resource-Limited Environments - PowerPoint PPT Presentation

1
An Enhanced Verifier-Free Password Authentication
Scheme for Resource-Limited Environments
  • Wei-Chi Ku (1), Hao-Rung Chung (2), Maw-Jinn Tsaur (3), and Szu-Yao Wang (1)
  • (1) Department of Computer and Information Science, National Taichung University, Taichung, Taiwan
  • (2) Department of Computer Science and Information Engineering, Fu Jen Catholic University, Taipei, Taiwan
  • (3) Graduate Institute of Applied Science and Engineering, Fu Jen Catholic University, Taipei, Taiwan
  • Presenter: Wei-Chi Ku

2
Outline
  • Introduction
  • Review of Wang et al.'s Scheme
  • Weaknesses of Wang et al.'s Scheme
  • Our Enhanced Scheme
  • Security Analysis of Our Enhanced Scheme
  • Conclusion

3
Introduction (1/6)
  • To realize secure access to multimedia anywhere, anytime, and with any device, we need efficient authentication mechanisms suitable for resource-limited environments.
  • Password authentication is one of the most widely used authentication mechanisms because of its
    • convenience
    • easy implementation
    • user-friendliness.
  • To protect the confidentiality of the multimedia transmitted between the user and the server, a session key should be established.

4
Introduction (2/6)
  • Verifier-Based Password Authentication Scheme

If the account database is compromised, modified,
or deleted, the system may be partially or
totally broken.
5
Introduction (3/6)
  • Verifier-Free Password Authentication Scheme (our focus)

[figure: the verifier-free model and the account database]
6
Introduction (4/6)
  • Related Works
  • Hwang-Chen-Laih's scheme (1990)
    • without storing verifiers in the server (novel)
    • using smart cards
    • drawbacks
      • password is difficult to memorize
      • user cannot freely choose and change the password
      • vulnerable to a replay attack and an impersonation attack
  • Hwang-Li's scheme (2000)
    • based on ElGamal's public-key technique
    • user cannot freely choose and change the password
    • high-complexity operations

7
Introduction (5/6)
  • Sun's scheme (2000)
    • user cannot freely choose and change the password
    • password is not easily memorizable
  • Chien-Jan-Tseng's scheme (2002)
    • vulnerable to a reflection attack and an insider attack
    • not easily reparable
  • Ku-Chen's scheme (2004)
    • an improved version of Chien-Jan-Tseng's scheme
    • vulnerable to a parallel-session attack
  • Yoon-Ryu-Yoo's scheme (2004)
    • an improved version of Ku-Chen's scheme
    • the server has to record all the timestamps the users have used
    • the user's smart card has to store all the timestamps the server has used

8
Introduction (6/6)
  • In 2007, Wang et al.
    • showed that Ku-Chen's scheme and Yoon-Ryu-Yoo's scheme are vulnerable to an off-line password guessing attack, a forgery attack, and a denial-of-service attack.
    • proposed an improved scheme for real applications in resource-limited environments.
  • In this paper, we show that Wang et al.'s scheme still
    • is vulnerable to an impersonation attack
    • is not easily reparable
    • is unable to provide perfect forward secrecy
  • and then propose an improved scheme.

9
Review of Wang et al.'s Scheme (1/5)
10
Review of Wang et al.'s Scheme (2/5): Registration Phase
  • Step R1 (U)
    • chooses ID and pw
    • chooses a random number b
    • computes h(b ⊕ pw)
  • Step R3 (S)
    • computes
      • p = h(ID ⊕ k)
      • R = p ⊕ h(b ⊕ pw)
      • V = h_p(h(b ⊕ pw))
  • Step R5 (U)
    • enters b into the smart card.

11
Review of Wang et al.'s Scheme (3/5): Login Phase
  • Step L2 (U's smart card)
    • computes
      • p′ = R ⊕ h(b ⊕ pw′)
      • V′ = h_{p′}(h(b ⊕ pw′))
    • if V′ ≠ V, terminates
  • Step L3
    • generates a random number r
    • computes
      • K = h(r ⊕ b)
      • C1 = p′ ⊕ K
      • C2 = h_{p′}(K ⊕ T_U)

12
Review of Wang et al.'s Scheme (4/5): Verification Phase
  • Step V1 (S)
    • if ID is invalid or T_U = T_S, rejects
  • Step V2
    • if T_S − T_U ≥ ΔT, rejects (ΔT is the expected legal time delay)
  • Step V3
    • computes
      • p = h(ID ⊕ k)
      • K′ = C1 ⊕ p
      • C2′ = h_p(K′ ⊕ T_U)
    • if C2′ = C2, accepts and computes C3 = h_p(K′ ⊕ T_S); otherwise, rejects
  • Step V5 (U)
    • if T_U = T_S or T_U′ − T_S ≥ ΔT, terminates
  • Step V6
    • computes C3′ = h_{p′}(K ⊕ T_S)
    • if C3′ = C3, authenticates S; otherwise, terminates

session key K = K′
13
Review of Wang et al.'s Scheme (5/5): Password Change Phase
  • Step P2 (U's smart card)
    • computes
      • p′ = R ⊕ h(b ⊕ pw′)
      • V′ = h_{p′}(h(b ⊕ pw′))
    • if V′ = V, U enters a new password pw_new; otherwise, rejects
  • Step P3
    • computes
      • R_new = p′ ⊕ h(b ⊕ pw_new)
      • V_new = h_{p′}(h(b ⊕ pw_new))
    • replaces R and V with R_new and V_new.

14
Weaknesses of Wang et al.'s Scheme (1/6)
  • Vulnerable to an impersonation attack
  • Poor reparability
  • Lack of perfect forward secrecy

15
Weaknesses of Wang et al.'s Scheme (2/6): Impersonation Attack
  • Step 1 (E)
    • at time T, computes C1′ = C1 ⊕ T ⊕ T_U (= p′ ⊕ K ⊕ T ⊕ T_U)
  • Step 3 (S)
    • as T is valid, computes
      • p = h(ID ⊕ k) (= p′)
      • K′ = C1′ ⊕ p (= p′ ⊕ K ⊕ T ⊕ T_U ⊕ p = K ⊕ T ⊕ T_U)
      • C2′ = h_p(K′ ⊕ T) (= h_p(K ⊕ T ⊕ T_U ⊕ T) = h_p(K ⊕ T_U))
    • as C2′ = C2 (= h_{p′}(K ⊕ T_U)), accepts E's login request
    • computes C3 = h_p(K′ ⊕ T_S)

Step 5: E blocks the message.
Although K′ is unknown to E, this reveals a potential weakness that may be employed to carry out other, subtler attacks.
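The algebra of the impersonation attack can be checked mechanically. The following toy re-implementation of the login and verification steps of Wang et al.'s scheme is an added example, not the authors' code; it assumes every value is a 256-bit integer, h() is SHA-256, h_p() is HMAC-SHA256 keyed with p, and timestamps are small integers.

```python
import hashlib
import hmac
import secrets

# Toy re-implementation (added here, not the authors' code) of the login and
# verification steps of Wang et al.'s scheme as reviewed above. Every value is
# a 256-bit integer, XOR is integer XOR, h() is SHA-256 and the keyed hash
# h_p() is HMAC-SHA256 keyed with p; these encodings are assumptions.
N = 32  # byte width used to serialise every integer before hashing

def h(x: int) -> int:
    return int.from_bytes(hashlib.sha256(x.to_bytes(N, "big")).digest(), "big")

def h_keyed(p: int, x: int) -> int:
    mac = hmac.new(p.to_bytes(N, "big"), x.to_bytes(N, "big"), "sha256")
    return int.from_bytes(mac.digest(), "big")

def user_login(p_card: int, b: int, T_U: int):
    """Step L3: fresh K from a random r; returns K and the message parts C1, C2."""
    r = secrets.randbits(256)
    K = h(r ^ b)
    return K, p_card ^ K, h_keyed(p_card, K ^ T_U)

def server_verify(k: int, ID: int, C1: int, C2: int, T_U: int, T_S: int, dT: int):
    """Steps V1-V3: returns the recovered K' on acceptance, None on rejection."""
    if T_U == T_S or T_S - T_U >= dT:          # V1/V2: timestamp window
        return None
    p = h(ID ^ k)                              # V3: p = h(ID xor k)
    K_rec = C1 ^ p                             #     K' = C1 xor p
    if h_keyed(p, K_rec ^ T_U) != C2:          #     C2' = h_p(K' xor T_U)
        return None
    return K_rec

def demo(dT: int = 60):
    """Runs one honest login, then re-checks the same C2 under a later timestamp."""
    k, ID, b = secrets.randbits(256), 0x1234, secrets.randbits(256)
    p = h(ID ^ k)                              # the value the card derives as p'
    T_U = 1_000
    K, C1, C2 = user_login(p, b, T_U)
    honest = server_verify(k, ID, C1, C2, T_U, T_U + 5, dT)
    # Slide 15 algebra: the check depends only on K xor T_U, so C1 rewritten
    # as C1 xor T xor T_U makes the unchanged C2 verify at any later time T.
    T = T_U + 3_600
    replayed = server_verify(k, ID, C1 ^ T ^ T_U, C2, T, T + 5, dT)
    return honest == K, replayed == K ^ T ^ T_U
```

demo() returns (True, True): the honest login is accepted, and the same C2 is accepted again an hour later once C1 is rewritten, because the server binds C2 only to K ⊕ T_U while the ΔT window is applied to the timestamp carried in the message.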
16
Weaknesses of Wang et al.'s Scheme (3/6): Poor Reparability (1/3)
E (knowing the compromised p) can impersonate U to cheat S.
  • Step 1 (E)
    • selects an arbitrary number w at time T_E
    • computes
      • C1 = p ⊕ w
      • C2 = h_p(w ⊕ T_E)
  • Step 3 (S)
    • since T_E is valid, computes
      • p = h(ID ⊕ k)
      • K′ = C1 ⊕ p
      • C2′ = h_p(K′ ⊕ T_E) (= h_p(w ⊕ T_E))
    • as C2′ = C2, accepts E's login request

Knowing the session key K′ = w, E can impersonate U to communicate with S.
17
Weaknesses of Wang et al.'s Scheme (4/6): Poor Reparability (2/3)
E can impersonate S to cheat U.
  • Step 2 (E)
    • intercepts U's login message to compute K = C1 ⊕ p
    • computes C3 = h_p(K ⊕ T_E′) at time T_E′
  • Step 4 (U)
    • since T_E′ is valid, computes C3′ = h_{p′}(K ⊕ T_E′)
    • as C3′ = C3, will falsely believe that E is S

Knowing the session key K, E can impersonate S to communicate with U.
Additionally, E can combine the above two attacks into a man-in-the-middle attack by establishing parallel sessions with U and S.
18
Weaknesses of Wang et al.'s Scheme (5/6): Poor Reparability (3/3)
  • The attacks described above cannot be easily restricted or stopped even if U has detected that p has been compromised and has then used a new password to re-register with S.
  • The value of p is determined only by U's identifier ID and S's permanent secret key k.
  • Since k is shared by all users, it is unreasonable and inefficient to change k just to recover the security of U alone.
  • It is impractical to change ID, which should be tied to U in most applications.

19
Weaknesses of Wang et al.'s Scheme (6/6): Lack of Perfect Forward Secrecy
  • Suppose U's long-term secret p = h(ID ⊕ k) has been compromised to E.
  • If E has recorded the C1 (= p′ ⊕ K = h(ID ⊕ k) ⊕ K) sent in Step L4 of any previous session, he can obtain the session key K used in that session by computing K = C1 ⊕ p.
  • E can then decrypt all the messages previously encrypted with K in that session.
  • Thus, Wang et al.'s scheme fails to provide perfect forward secrecy.

20
Our Enhanced Scheme (1/5): Registration Phase
  • Step R1 (U)
    • chooses ID
  • Step R3 (S)
    • if U is not a registered user, creates an entry for U in the account database
    • stores ID and T_reg = T
    • generates a random number r
    • computes
      • v = h(ID ‖ T_reg ‖ k)
      • w = h(v)
      • u = h(pw_0 ‖ r)
      • t = u · v mod p
      • s = t ⊕ w
  • Step R5 (U)
    • sets a PIN for the smart card
    • changes pw_0 to pw
  • p, q, g: system public parameters
    • p and q are large primes, and q divides p − 1
    • g is a generator of order q in GF(p)

smart card contents: r, s, p, q, g, h(·), h_k(·)
21
Our Enhanced Scheme (2/5): Login Phase
  • Step L2 (U's smart card)
    • generates a random number x
    • computes
      • X = g^x mod p
      • u′ = h(pw′ ‖ r)
      • C1 = X ⊕ h(u′)

22
Our Enhanced Scheme (3/5): Verification Phase (1/2)
  • Step V1 (S)
    • if ID is invalid, rejects
  • Step V2
    • generates a random number y
    • computes Y = g^y mod p
    • computes v = h(ID ‖ T_reg ‖ k) and w = h(v)
    • computes
      • t′ = s ⊕ w
      • u″ = t′ / v mod p
      • X′ = C1 ⊕ h(u″)
    • computes
      • K_S = (X′)^y mod p
      • C2 = h(K_S) ⊕ t′

23
Our Enhanced Scheme (4/5): Verification Phase (2/2)
  • Step V4 (U's smart card)
    • computes
      • K_U = Y^x mod p
      • t″ = C2 ⊕ h(K_U)
      • v′ = t″ / u′ mod p
      • w′ = h(v′)
    • computes w″ = s ⊕ t″
    • if w″ = w′, authenticates S
    • computes
      • C3 = h(K_U ‖ t″)
      • SK_U = h(t″ ‖ u′ ‖ v′ ‖ K_U)
  • Step V6 (S)
    • computes C3′ = h(K_S ‖ t′)
    • if C3′ = C3, accepts and computes SK_S = h(t′ ‖ u″ ‖ v ‖ K_S)

session key SK_U = SK_S
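The login and verification phases of the enhanced scheme, run end to end, as an added example that is not the authors' code. Assumptions: p = 2^61 − 1, q = 1321 (a prime factor of p − 1) and a g of order q found by the code; h() is SHA-256 over the '|'-joined inputs, read as an integer; the values u and v that are multiplied mod p are forced into Z_p^*; the pw_0 step of registration is skipped and u is built from the final password directly.

```python
import hashlib
import secrets

# Toy run (added here, not the authors' code) of the enhanced scheme's login and
# verification. Assumed: p = 2^61 - 1, q = 1321 (a prime factor of p - 1), g of
# order q; h() = SHA-256 over '|'-joined fields read as an int; u and v are
# forced into Z_p^* so that the divisions t'/v and t''/u' always exist.
P, Q = 2**61 - 1, 1321
G = next(g for g in (pow(b, (P - 1) // Q, P) for b in range(2, 50)) if g != 1)

def h(*parts) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big")
def h_zp(*parts) -> int:
    return 1 + h(*parts) % (P - 1)             # same hash, forced into Z_p^*

def register(k, ID, T_reg, pw):
    # Step R3 (pw_0 step skipped): v = h(ID||T_reg||k), u = h(pw||r), s = (u*v mod p) xor h(v)
    r = secrets.randbits(128)
    v, u = h_zp(ID, T_reg, k), h_zp(pw, r)
    return r, (u * v % P) ^ h(v)               # the smart card keeps r and s

def user_login(pw, r):
    # Step L2: X = g^x mod p, u' = h(pw||r), C1 = X xor h(u')
    x, u1 = secrets.randbelow(Q - 1) + 1, h_zp(pw, r)
    return x, u1, pow(G, x, P) ^ h(u1)

def server_verify(k, ID, T_reg, s, C1):
    # Step V2: t' = s xor w, u'' = t'/v, X' = C1 xor h(u''), K_S = X'^y, C2 = h(K_S) xor t'
    y, v = secrets.randbelow(Q - 1) + 1, h_zp(ID, T_reg, k)
    t1 = s ^ h(v)
    u2 = t1 * pow(v, -1, P) % P                # division mod p via the inverse of v
    K_S = pow(C1 ^ h(u2), y, P)
    return pow(G, y, P), h(K_S) ^ t1, (t1, u2, v, K_S)   # Y, C2, server state

def user_verify(s, x, u1, Y, C2):
    # Step V4: K_U = Y^x, t'' = C2 xor h(K_U), v' = t''/u'; S is genuine iff s xor t'' = h(v')
    K_U = pow(Y, x, P)
    t2 = C2 ^ h(K_U)
    v1 = t2 * pow(u1, -1, P) % P
    if s ^ t2 != h(v1):
        return None
    return h(K_U, t2), h(t2, u1, v1, K_U)      # C3 and SK_U

def run_session(pw_entered="correct horse"):
    k, ID, T_reg, pw = secrets.randbits(128), "alice", 20070101, "correct horse"
    r, s = register(k, ID, T_reg, pw)
    x, u1, C1 = user_login(pw_entered, r)
    Y, C2, (t1, u2, v, K_S) = server_verify(k, ID, T_reg, s, C1)
    reply = user_verify(s, x, u1, Y, C2)
    # Step V6: S accepts iff C3 = h(K_S||t'), then SK_S = h(t'||u''||v||K_S)
    return reply is not None and reply[0] == h(K_S, t1) and reply[1] == h(t1, u2, v, K_S)
```

run_session() returns True when both checks pass and SK_U = SK_S, and False for a wrong password, because the card's v′ = t″ / u′ then no longer matches s ⊕ t″ and the exchange aborts before C3 is sent.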
24
Our Enhanced Scheme (5/5): Password Change Phase
  • Step P1
    • executes Step L1 to Step L3
    • executes Step V1 to Step V4
  • Step P2
    • if Step P1 succeeds, U enters pw_new.
  • Step P3 (U's smart card)
    • generates a random string r_new
    • computes
      • u_new = h(pw_new ‖ r_new)
      • t_new = u_new · v′ mod p
      • s_new = t_new ⊕ w′
    • replaces r and s with r_new and s_new

25
Security Analysis of Our Enhanced Scheme (1/4)
  • Resistance to Impersonation Attack
  • Reparability
  • Perfect Forward Secrecy

26
Security Analysis of Our Enhanced Scheme (2/4): Resistance to Impersonation Attack
  • Suppose E has recorded {ID, s, C1}.
  • If E knows the secret u corresponding to the recorded s, he can forge the authentication messages to fool S.
  • However, since E doesn't know pw and r, he cannot compute u = h(pw ‖ r).
  • If E replays {ID, s, C1 = X ⊕ h(u′)} to S in Step L3, S will send back {Y = g^y mod p, C2 = h(K_S) ⊕ t′}, where y and K_S vary for each session.
  • As E doesn't know the nonce x embedded in C1, which is needed to compute K_U = Y^x mod p and t = C2 ⊕ h(K_U), he cannot send the correct authentication message h(K_U ‖ t) to S in Step V5.

27
Security Analysis of Our Enhanced Scheme (3/4): Reparability
If U finds that u = h(pw ‖ r) or v = h(ID ‖ T_reg ‖ k) has been compromised, he can re-register with S.
  • Step R1 (U)
    • requests to re-register
  • Step R3 (S)
    • as U is a registered user, updates T_reg = T′
    • generates a random number r_new
    • computes
      • v_new = h(ID ‖ T_reg ‖ k)
      • w_new = h(v_new)
      • u_new = h(pw_0 ‖ r_new)
      • t_new = u_new · v_new mod p
      • s_new = t_new ⊕ w_new
  • Step R5 (U)
    • sets a PIN for the smart card
    • changes pw_0 to pw_new

From now on, the compromised v and u are revoked automatically, i.e., E's login request using u and v will be rejected.
28
Security Analysis of Our Enhanced Scheme (4/4): Perfect Forward Secrecy
  • Suppose E has intercepted all the messages U sent and received, {ID, s, C1, Y, C2, C3}, and has obtained U's secret v by some means.
  • E can compute
    • t = s ⊕ h(v)
    • u = t / v mod p
    • X = C1 ⊕ h(u)
  • If E could compute K_U from the derived X (= g^x mod p) and the intercepted Y (= g^y mod p), the past session key SK_U = h(t ‖ u ‖ v ‖ K_U) could easily be derived.
  • However, since it is computationally infeasible for E to obtain K_U = g^{xy} mod p by solving the discrete logarithm problem, SK_U remains secure.

29
Conclusion
  • Verifier-free password authentication schemes are useful for constrained environments in which the server cannot easily protect the confidentiality of the account database.
  • We have pointed out the weaknesses of a newly proposed verifier-free password authentication scheme for resource-limited environments, and then proposed an improved version with better security strength, which
    • can resist the impersonation attack
    • is easily reparable
    • can achieve perfect forward secrecy.

30
  • Thank you for your attention.

31
Appendix: Potential Weakness (1/2)
  • In some constrained environments, the application system may not use the session key to secure the subsequent messages exchanged between U and S.
  • Since the subsequent messages are then not protected by a MAC (message authentication code) or by encryption with the session key, the adversary can easily impersonate U to cheat S at will.

32
Appendix: Potential Weakness (2/2)
  • We now consider the more general situation in which the subsequent messages exchanged in the same session are protected by a MAC or by encryption with the session key. Although the adversary cannot compute the session key, it is still possible for him to breach the system, for example as follows.
  • Suppose that the services provided by S are charged for, and that S begins to charge U once U has successfully logged in to S. Because the adversary can impersonate U to log in to S, he can fool S into wrongly charging U.
  • Such an impersonation attack may also falsify the system logs, and false system logs may have great negative effects upon the application systems.