Title: An Enhanced Verifier-Free Password Authentication Scheme for Resource-Limited Environments
An Enhanced Verifier-Free Password Authentication Scheme for Resource-Limited Environments
- Wei-Chi Ku (1), Hao-Rung Chung (2), Maw-Jinn Tsaur (3), and Szu-Yao Wang (1)
- (1) Department of Computer and Information Science, National Taichung University, Taichung, Taiwan
- (2) Department of Computer Science and Information Engineering, Fu Jen Catholic University, Taipei, Taiwan
- (3) Graduate Institute of Applied Science and Engineering, Fu Jen Catholic University, Taipei, Taiwan
- Presenter: Wei-Chi Ku
Outline
- Introduction
- Review of Wang et al.'s Scheme
- Weaknesses of Wang et al.'s Scheme
- Our Enhanced Scheme
- Security Analysis of Our Enhanced Scheme
- Conclusion
Introduction (1/6)
- To realize secure access to multimedia anywhere, anytime, and with any device, we need efficient authentication mechanisms suitable for resource-limited environments.
- Password authentication
  - one of the most widely used authentication mechanisms
  - convenience
  - easy implementation
  - user-friendliness
- To protect the confidentiality of the multimedia transmitted between the user and the server, a session key should be established.
Introduction (2/6)
- Verifier-Based Password Authentication Scheme
  - If the account database is compromised, modified, or deleted, the system may be partially or totally broken.
Introduction (3/6)
- Verifier-Free Password Authentication Scheme (our focus)
  - (diagram; label: account database)
Introduction (4/6)
- Related Works
  - Hwang-Chen-Laih's scheme (1990)
    - without storing verifiers in the server (novel)
    - using smart cards
    - drawbacks
      - password is difficult to memorize
      - user cannot freely choose and change the password
      - vulnerable to a replay attack and an impersonation attack
  - Hwang-Li's scheme (2000)
    - based on ElGamal's public-key technique
    - user cannot freely choose and change the password
    - high-complexity operations
Introduction (5/6)
- Sun's scheme (2000)
  - user cannot freely choose and change the password
  - password is not easily memorizable
- Chien-Jan-Tseng's scheme (2002)
  - vulnerable to a reflection attack and an insider attack
  - not easily reparable
- Ku-Chen's scheme (2004)
  - an improved version of Chien-Jan-Tseng's scheme
  - vulnerable to a parallel-session attack
- Yoon-Ryu-Yoo's scheme (2004)
  - an improved version of Ku-Chen's scheme
  - server has to record all the timestamps the users have used
  - user's smart card has to store all the timestamps the server has used
Introduction (6/6)
- In 2007, Wang et al.
  - showed that Ku-Chen's scheme and Yoon-Ryu-Yoo's scheme are vulnerable to an off-line password guessing attack, a forgery attack, and a denial-of-service attack
  - proposed an improved scheme for real applications in resource-limited environments
- In this paper, we show that Wang et al.'s scheme still
  - is vulnerable to an impersonation attack
  - is not easily reparable
  - is unable to provide perfect forward secrecy
- and then propose an improved scheme.
Review of Wang et al.'s Scheme (1/5)
Review of Wang et al.'s Scheme (2/5): Registration Phase
- Step R1
  - chooses ID and pw
  - chooses a random number b
  - computes h(b ⊕ pw)
- Step R3
  - computes
    - p = h(ID ⊕ k)
    - R = p ⊕ h(b ⊕ pw)
    - V = h_p(h(b ⊕ pw))
- Step R5
  - enters b into the smart card
Review of Wang et al.'s Scheme (3/5): Login Phase
- Step L2
  - computes
    - p' = R ⊕ h(b ⊕ pw')
    - V' = h_p'(h(b ⊕ pw'))
  - if V' ≠ V, terminates
- Step L3
  - generates a random number r
  - computes
    - K = h(r ⊕ b)
    - C1 = p' ⊕ K
    - C2 = h_p'(K ⊕ T_U)
Review of Wang et al.'s Scheme (4/5): Verification Phase
- Step V1
  - if ID is invalid or T_U = T_S, rejects
- Step V2
  - if T_S − T_U ≥ ΔT, rejects (ΔT is the expected legal time delay)
- Step V3
  - computes
    - p = h(ID ⊕ k)
    - K' = C1 ⊕ p
    - C2' = h_p(K' ⊕ T_U)
  - if C2' = C2, accepts and computes C3 = h_p(K' ⊕ T_S); otherwise, rejects
- Step V5
  - if T_U = T_S or T_U' − T_S ≥ ΔT, terminates
- Step V6
  - computes C3' = h_p'(K ⊕ T_S)
  - if C3' = C3, authenticates S; otherwise, terminates
- session key: K = K'
Review of Wang et al.'s Scheme (5/5): Password Change Phase
- Step P2
  - computes
    - p' = R ⊕ h(b ⊕ pw')
    - V' = h_p'(h(b ⊕ pw'))
  - if V' = V, enters a new password pw_new; otherwise, rejects
- Step P3
  - computes
    - R_new = p' ⊕ h(b ⊕ pw_new)
    - V_new = h_p'(h(b ⊕ pw_new))
  - replaces R and V with R_new and V_new
Weaknesses of Wang et al.'s Scheme (1/6)
- Vulnerable to an Impersonation Attack
- Poor Reparability
- Lack of Perfect Forward Secrecy
Weaknesses of Wang et al.'s Scheme (2/6): Impersonation Attack
- Step 1
  - at time T, computes C1* = C1 ⊕ T ⊕ T_U (= p' ⊕ K ⊕ T ⊕ T_U)
- Step 3
  - as T is valid, computes
    - p = h(ID ⊕ k) (= p')
    - K' = C1* ⊕ p (= p' ⊕ K ⊕ T ⊕ T_U ⊕ p = K ⊕ T ⊕ T_U)
    - C2' = h_p(K' ⊕ T) (= h_p(K ⊕ T ⊕ T_U ⊕ T) = h_p(K ⊕ T_U))
  - as C2' = C2 (= h_p'(K ⊕ T_U)), accepts E's login request
  - computes C3 = h_p(K' ⊕ T_S)
- Step 5
  - E blocks the message.
- Although K' is unknown to E, this reveals a potential weakness that may be employed to carry out other, subtler attacks.
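A Python model of Wang et al.'s login message and Step V3 check, added here as an example rather than taken from the paper, that shows why the shifted C1 passes: XOR-ing T ⊕ T_U into C1 cancels inside K' ⊕ T, so S recomputes exactly the old C2. h_p is taken to be HMAC-SHA256 (an assumption), and the xor_binding=False variant, which concatenates K and the timestamp instead of XOR-ing them, is our own contrast to show that the malleability is specific to XOR binding and is not part of Wang et al.'s scheme.

```python
import hashlib
import hmac
import secrets

def h(x: int) -> int:
    """h(): SHA-256 of a 256-bit integer, returned as an integer."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big")

def h_p(p: int, *fields: int) -> int:
    """h_p(): keyed hash under p (assumption: HMAC-SHA256 over the concatenated fields)."""
    msg = b"".join(f.to_bytes(32, "big") for f in fields)
    return int.from_bytes(hmac.new(p.to_bytes(32, "big"), msg, "sha256").digest(), "big")

def login_message(p: int, b: int, T_U: int, xor_binding: bool = True):
    """Step L3: K = h(r xor b), C1 = p xor K, C2 = h_p(K xor T_U) as in Wang et al.
    With xor_binding=False the timestamp is bound by concatenation (our contrast, not Wang's)."""
    K = h(secrets.randbelow(2**256) ^ b)
    C2 = h_p(p, K ^ T_U) if xor_binding else h_p(p, K, T_U)
    return p ^ K, C2, T_U                       # {C1, C2, T_U}

def server_check(p, C1, C2, T, T_S, delta_T=60, xor_binding=True):
    """Steps V2-V3: reject a stale T, then recompute C2 from K' = C1 xor p."""
    if not 0 <= T_S - T < delta_T:
        return False
    K1 = C1 ^ p
    return C2 == (h_p(p, K1 ^ T) if xor_binding else h_p(p, K1, T))

def timestamp_shift_passes(xor_binding: bool) -> bool:
    """Re-submits an old login message at a later time T with C1 adjusted by T xor T_U
    (Step 1 of the impersonation attack). Returns whether S accepts it in Step V3."""
    p, b = secrets.randbelow(2**256), secrets.randbelow(2**256)
    T_U = 1_000_000
    C1, C2, _ = login_message(p, b, T_U, xor_binding)
    T = T_U + 3600                              # an hour later: the original message is stale
    assert not server_check(p, C1, C2, T_U, T, xor_binding=xor_binding)
    C1_star = C1 ^ T ^ T_U                      # S now gets K' xor T = K xor T_U: T cancels out
    return server_check(p, C1_star, C2, T, T, xor_binding=xor_binding)
```

With XOR binding the check accepts the shifted message; with concatenation the same manipulation leaves K' ⊕ T ⊕ T_U and T bound separately and the recomputed C2 no longer matches.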
Weaknesses of Wang et al.'s Scheme (3/6): Poor Reparability (1/3)
- Once U's long-term secret p is known to E, E can impersonate U to cheat S.
- Step 1
  - selects an arbitrary number w at time T_E
  - computes
    - C1 = p ⊕ w
    - C2 = h_p(w ⊕ T_E)
- Step 3
  - since T_E is valid, computes
    - p = h(ID ⊕ k)
    - K' = C1 ⊕ p
    - C2' = h_p(K' ⊕ T_E) (= h_p(w ⊕ T_E))
  - as C2' = C2, accepts E's login request
- Knowing the session key K' = w, E can impersonate U to communicate with S.
Weaknesses of Wang et al.'s Scheme (4/6): Poor Reparability (2/3)
- E can impersonate S to cheat U.
- Step 2
  - intercepts U's login message and computes K = C1 ⊕ p
  - computes C3 = h_p(K ⊕ T_E') at time T_E'
- Step 4
  - since T_E' is valid, computes C3' = h_p'(K ⊕ T_E')
  - as C3' = C3, falsely believes that E is S
- Knowing the session key K, E can impersonate S to communicate with U.
- Additionally, E can combine the above two attacks into a man-in-the-middle attack by establishing parallel sessions with U and S.
Weaknesses of Wang et al.'s Scheme (5/6): Poor Reparability (3/3)
- The attacks described above cannot easily be restricted or stopped even if U has detected that p has been compromised and has then re-registered with S using a new password.
  - The value of p is determined only by U's identifier ID and S's permanent secret key k.
  - Since k is shared by all users, it is unreasonable and inefficient to change k just to recover the security of U alone.
  - It is impractical to change ID, which should be tied to U in most applications.
Weaknesses of Wang et al.'s Scheme (6/6): Lack of Perfect Forward Secrecy
- Suppose U's long-term secret p = h(ID ⊕ k) has been compromised to E.
- If E has recorded the C1 (= p' ⊕ K = h(ID ⊕ k) ⊕ K) sent in Step L4 of any previous session, he can obtain the session key K used in that session by computing K = C1 ⊕ p.
- E can then decrypt all the messages previously encrypted with K in that session.
- Thus, Wang et al.'s scheme fails to provide perfect forward secrecy.
Our Enhanced Scheme (1/5): Registration Phase
- Step R3
  - if U is not a registered user, creates an entry for U in the account database
  - stores ID and Treg = T
  - generates a random number r
  - computes
    - v = h(ID || Treg || k)
    - w = h(v)
    - u = h(pw0 || r)
    - t = u · v mod p
    - s = t ⊕ w
- Step R5
  - sets the PIN for the smart card
  - changes pw0 to pw
- p, q, g: system public parameters
  - p and q are large primes, and q divides p − 1
  - g is a generator of order q in GF(p)
- smart card: r, s, p, q, g, h(·), h_k(·)
Our Enhanced Scheme (2/5): Login Phase
- Step L2
  - generates a random number x
  - computes
    - X = g^x mod p
    - u' = h(pw' || r)
    - C1 = X ⊕ h(u')
Our Enhanced Scheme (3/5): Verification Phase (1/2)
- Step V1
  - if ID is invalid, rejects
- Step V2
  - generates a random number y
  - computes Y = g^y mod p
  - computes
    - v = h(ID || Treg || k) and w = h(v)
  - computes
    - t' = s ⊕ w
    - u'' = t' / v mod p
    - X' = C1 ⊕ h(u'')
  - computes
    - K_S = (X')^y mod p
    - C2 = h(K_S) ⊕ t'
Our Enhanced Scheme (4/5): Verification Phase (2/2)
- Step V4
  - computes
    - K_U = Y^x mod p
    - t'' = C2 ⊕ h(K_U)
    - v' = t'' / u' mod p
    - w' = h(v')
  - computes
    - w'' = s ⊕ t''
  - if w'' = w', authenticates S
  - computes
    - C3 = h(K_U || t'')
    - SK_U = h(t'' || u' || v' || K_U)
- Step V6
  - computes
    - C3' = h(K_S || t')
  - if C3' = C3, accepts
  - computes
    - SK_S = h(t' || u'' || v || K_S)
- session key: SK_U = SK_S
Our Enhanced Scheme (5/5): Password Change Phase
- Step P1
  - executes Step L1 to Step L3
  - executes Step V1 to Step V4
- Step P2
  - if Step P1 succeeds, enters pw_new
- Step P3
  - U's smart card
    - generates a random string r_new
    - computes
      - u_new = h(pw_new || r_new)
      - t_new = u_new · v' mod p
      - s_new = t_new ⊕ w'
    - replaces r and s with r_new and s_new
Security Analysis of Our Enhanced Scheme (1/4)
- Resistance to Impersonation Attack
- Reparability
- Perfect Forward Secrecy
Security Analysis of Our Enhanced Scheme (2/4): Resistance to Impersonation Attack
- Suppose E has recorded {ID, s, C1}.
- If E knew the secret u corresponding to the recorded s, he could forge the authentication messages to fool S.
- However, since E does not know pw and r, he cannot compute u = h(pw || r).
- If E replays {ID, s, C1 = X ⊕ h(u')} to S in Step L3, S sends back {Y = g^y mod p, C2 = h(K_S) ⊕ t'}, where y and K_S vary for each session.
- As E does not know the nonce x embedded in C1, which is needed to compute K_U = Y^x mod p and t = C2 ⊕ h(K_U), he cannot send the correct authentication message h(K_U || t) to S in Step V5.
Security Analysis of Our Enhanced Scheme (3/4): Reparability
- If U finds that u = h(pw || r) or v = h(ID || Treg || k) has been compromised, he can re-register with S.
- Step R1
  - requests to re-register
- Step R3
  - as U is a registered user, updates Treg = T'
  - generates a random number r_new
  - computes
    - v_new = h(ID || Treg || k)
    - w_new = h(v_new)
    - u_new = h(pw0 || r_new)
    - t_new = u_new · v_new mod p
    - s_new = t_new ⊕ w_new
- Step R5
  - sets the PIN for the smart card
  - changes pw0 to pw_new
- From now on, the compromised v and u are revoked automatically, i.e., any login request by E using u and v will be rejected.
Security Analysis of Our Enhanced Scheme (4/4): Perfect Forward Secrecy
- Suppose E has intercepted all the messages U sent and received, {ID, s, C1, Y, C2, C3}, and has obtained U's secret v by some means.
- E can compute
  - t = s ⊕ h(v)
  - u = t / v mod p
  - X = C1 ⊕ h(u)
- If E could compute K_U from the derived X (= g^x mod p) and the intercepted Y (= g^y mod p), the past session key SK_U = h(t || u || v || K_U) could easily be derived.
- However, since it is computationally infeasible for E to obtain K_U = g^(xy) mod p by solving the discrete logarithm problem, SK_U is still secure.
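The enhanced scheme's registration, login and verification phases (slides 20 to 23) and the re-registration property of the Reparability slide, as an added Python example that is not the authors' code. Assumptions: the hash h is SHA-256 over the '||'-joined fields, u and v are reduced into Z_p^* so that the divisions mod p are defined, pw0 is taken to be the user's password directly (the PIN step is omitted), and the group parameters are a deliberately tiny safe prime p = 2q + 1 = 10007 with g = 4 so the numbers stay readable; a real deployment uses a standard large group.

```python
import hashlib
import secrets

# Toy public parameters (assumption): p = 2q + 1 is a safe prime and g = 4 has order q.
P, Q, G = 10007, 5003, 4

def h(*parts):  # h(): SHA-256 over the '||'-concatenation of the parts, as an integer
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h_zp(*parts):  # hash reduced into Z_p^* (assumption) so u and v are invertible mod p
    return 1 + h(*parts) % (P - 1)

class Server:
    def __init__(self):
        self.k = secrets.randbelow(2**128)  # S's permanent secret key k
        self.db = {}                        # ID -> Treg; no password verifier is kept
    def register(self, ID, pw, Treg):
        """Step R3 (pw0 taken as pw). Re-registering with a new Treg revokes the old card."""
        self.db[ID] = Treg
        r = secrets.randbelow(2**128)
        v, u = h_zp(ID, Treg, self.k), h_zp(pw, r)
        return r, (u * v % P) ^ h(v)        # smart card contents (r, s) with s = t xor w
    def respond(self, ID, s, C1):
        """Step V2: recover u'' and X' from s and C1, then the DH half (Y, K_S)."""
        v = h_zp(ID, self.db[ID], self.k)
        t1 = s ^ h(v)                       # t' = s xor w
        u2 = t1 * pow(v, -1, P) % P         # u'' = t' / v mod p
        y = 1 + secrets.randbelow(Q - 1)
        KS = pow(C1 ^ h(u2), y, P)          # K_S = (X')^y mod p with X' = C1 xor h(u'')
        self.pending = (t1, u2, v, KS)
        return pow(G, y, P), h(KS) ^ t1     # (Y, C2)
    def finish(self, C3):
        """Step V6: accept only if C3 = h(K_S || t'); returns SK_S or None."""
        t1, u2, v, KS = self.pending
        return h(t1, u2, v, KS) if C3 == h(KS, t1) else None

def login(server, ID, pw, card):
    """User side (Steps L2, V4, V5). Returns (SK_U, SK_S), or (None, None) on failure."""
    r, s = card
    x = 1 + secrets.randbelow(Q - 1)
    u1 = h_zp(pw, r)                        # u' = h(pw' || r)
    Y, C2 = server.respond(ID, s, pow(G, x, P) ^ h(u1))  # C1 = X xor h(u')
    KU = pow(Y, x, P)                       # K_U = Y^x mod p
    t2 = C2 ^ h(KU)                         # t'' = C2 xor h(K_U)
    v1 = t2 * pow(u1, -1, P) % P            # v' = t'' / u' mod p
    if s ^ t2 != h(v1):                     # w'' != w': S is not authenticated, abort
        return None, None
    return h(t2, u1, v1, KU), server.finish(h(KU, t2))   # SK_U and S's SK_S after C3
```

An honest run ends with SK_U = SK_S; a wrong password or a card issued before the user re-registered (new Treg, hence new v) fails the w'' = w' check on the user side, which is the automatic revocation the Reparability slide describes.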
Conclusion
- Verifier-free password authentication schemes are useful for constrained environments in which the server cannot easily protect the confidentiality of the account database.
- We have pointed out the weaknesses of a newly proposed verifier-free password authentication scheme for resource-limited environments, and then proposed an improved version with better security strength:
  - resists the impersonation attack
  - is easily reparable
  - achieves perfect forward secrecy
- Thank you for your attention.
Appendix: Potential Weakness (1/2)
- In some constrained environments, the application system may not use the session key to secure the subsequent messages exchanged between U and S.
- Since the subsequent messages are then not protected by a MAC (message authentication code) or encryption with the session key, the adversary can easily impersonate U to cheat S at will.
Appendix: Potential Weakness (2/2)
- We consider a more general situation in which the subsequent messages exchanged in the same session are protected by a MAC or encryption with the session key. Although the adversary cannot compute the session key, it is still possible for him to breach the system, as in the following.
- Suppose that the services provided by S are charged for, and S begins to charge U once U has successfully logged in to S. Because the adversary can impersonate U to log in to S, he can fool S into wrongly charging U.
- Such an impersonation attack may also falsify the system logs, and false system logs may have great negative effects on the application system.