
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 3, Issue 1, January February 2014 ISSN 2278-6856

Secure Password Authentication System Using Smart Card


Sattar J. Aboud
Computer Science Department, University of Bedfordshire, UK

Abstract: In this paper we present an enhanced system that eliminates the vulnerabilities and at the same time increases the security characteristics. In the suggested system, no valuable information can be gained from the data saved in the smart card, so a stolen user smart card attack is blocked. To prevent the server attack, we shift the user authentication operation from the server to a registration center. This guarantees that every server has a different private key. By comparison with some other systems, we show that the proposed system is more secure. Thus, the proposed system is more realistic.

Keywords: password authentication; server attack; smart card; stolen attack.

1. INTRODUCTION
Network interconnection has increased in the recent past, so authentication in remote systems has become vital. This follows from what is known about network-based attacks on information and resources. Cryptosystems and network security have therefore been developed increasingly, and this has led to the introduction of authentication systems that rely on passwords. Authentication is a security tool for remote login systems. Among the many authentication techniques, the password system is the most suitable and the most broadly accepted. In a password system, the password table is at risk of being altered, since the passwords are kept on the remote server. Kim [1] indicated in 1995 that there are three forms of identity technique: something the user knows, such as a password; something the user has, such as a smart card; and some personal property, such as a fingerprint. Combining these techniques can improve the security level of a scheme. The majority of schemes use the first two techniques to recognize a user. In this paper, we introduce the practical characteristics that any proposed password system should include. These characteristics are as follows.
1. The system can be used in multi-server settings.
2. The system is not required to keep a password table.
3. A user who is registered with many servers does not need to remember a separate login password for each of them.
4. The system can resist modification and replay attacks.
5. The scheme lets the user select the password easily and update it offline.
6. The computing cost of the hash function is lower than in the formerly presented systems.

2. RELATED WORKS
In 1981, Lamport [2] introduced a password authentication system for insecure channels. Since then, many systems have been introduced to address the problem, to add functions and to reach higher efficiency. For example, to remedy the high hash operating cost and the password rearranging problems, Yamaguchi et al. [3] introduced in 1990 what they claimed to be a simple and efficient authentication scheme. Later, Hwang et al. [4] indicated that the scheme is weak against a guessing attack. In 1991, Chang and Wu [5] introduced a remote password authentication protocol with a smart card that relies on the Chinese Remainder Theorem. The system does not need to keep a verification table and is insecure against attacks that replay previously intercepted requests. But the user password in this system cannot be selected and altered easily by the holder. In 1995, Wu [6] presented an efficient system that relies on a geometric Euclidean smooth. The properties of this system are its simple geometry and the fact that users can easily select their own passwords. But the scheme is insecure, as shown in [7]. In 1999, Yang and Shieh [8] presented an approach to avoid the replay attack. The system does not save passwords on the server and allows the user to alter the password easily. But Tzung et al. [9] indicated that the Yang and Shieh approach has a weakness: a hacker is able to impersonate an authorized user by creating an authentic login request from an intercepted login. In 2002, Sandirigama et al. [10] suggested another scheme, which was intended to be better than the Lamport scheme, but its computing time and communication overhead are high. Also in 2002, Chien et al. [11] introduced a smart-card-based system that relies on a one-way hash function. The authors claimed that their system needs no verification table on the server, has very low communication and computing cost, entirely solves the replay attack problem, and lets the user select the password easily. But Altinkemer and Wang [12] indicate that the system does not allow the user to alter the password easily. In 2005, Choo and McCullagh [13] introduced a password authentication system using smart cards. In their system, a smart-card-oriented remote login authentication scheme is employed to validate the authorized user. A smart card holds a microprocessor that can perform arithmetic operations rapidly and in which messages are kept, so there is no need to keep a verification table on the server. In 2010, Li et al. [14] presented an authentication system that gives mutual authentication and key agreement across insecure networks. But in 2012, Sood [15] reported that the Li et al. system is weak and easy to attack. In 2011, Lee et al. [16] presented an enhanced system to resolve the vulnerabilities of the Hsiang-Shih scheme [17]. But we notice that the Lee et al. system is still weak against server and stolen attacks. Also, the password change protocol of that system is not convenient for users and has low efficiency. Therefore, to overcome these vulnerabilities, we introduce in this paper an efficient and more secure password system using a smart card. This paper is organized as follows. Section 3 lists the notations used. The proposed scheme and its analysis are presented in Sections 4 and 5 respectively. Finally, we formulate the conclusions in Section 6.

3. NOTATIONS USED
The notations used in this paper are as follows:
$U$ : The user
$R$ : The registration center
$S$ : The server
$Id_U$ : The public user identity
$Id_S$ : The public server identity
$w$ : The secret password of user $U$
$e_1$ : The master private key kept by C
$e_2$ : The private key known to C
$k$ : The session key shared by the three participants
$n_1$ : The integer generated by the user $U$ smart card
$n_2$ : The integer generated by the server $S$
$\oplus$ : The exclusive OR operation
$h$ : The secure one-way hash function
$\|$ : The concatenation

4. THE PROPOSED SYSTEM
In this section, we present an enhanced system that is free from the vulnerabilities stated above. In the proposed system there are three participants: a user $U$, a server $S$ and a registration center $R$. The proposed system contains four protocols, described as follows.

4.1 The Registration Protocol
If an authorized user $U$ desires to access the system, the user should register with the registration center $R$. The steps of the registration protocol are as follows:
Step 1: The user $U$
1. Chooses the identity $Id_U$ and the password $w$.
2. Sends $Id_U$ and $w$ to the registration center $R$ over a secure channel.
Step 2: The registration center $R$
1. The registration center is responsible for registration and verification of a user $U$ and server $S$.
2. Selects a master secret key $e_1$ and a private key $e_2$.
3. Generates an arbitrary integer $d$ for the user, which is used only once.
4. Finds $h(Id_S \| e_1)$ and $h(e_1 \oplus e_2)$.
5. Shares $h(e_1 \oplus e_2)$ with $S$.
6. Sends $h(Id_S \| e_1)$ to $S$ over a secure channel.
7. Finds $z = h(h(Id_U \| d) \| e_1)$.
8. Finds $b = h(z \| h(e_1 \| e_2))$.
9. Keeps $(z, b, h(\cdot))$ in the user smart card and passes it to the user over a secure channel.
Step 3: The user $U$
1. Enters $Id_U$ and $w$ into the user smart card.
2. Finds $g = h(Id_U \| w)$.
3. Finds $c = b \oplus h(w \oplus Id_U)$.
4. Replaces $b$ by $c$.
5. Keeps $(z, g, c, h(\cdot))$ in the user smart card.

4.2 The Login Protocol
If a user $U$ desires to log in to a server $S$, the user inserts the smart card into the terminal and keys in the identity $Id_U$, the password $w$ and the server identity $Id_S$. The steps of the protocol are as follows.
Step 1: The user smart card $U$
1. Finds $p = h(Id_U \| w)$.
2. Verifies that $p = g$. If not, rejects this login request; otherwise $U$ must do the following:
   1. Creates an integer $n_1$.
   2. Finds $b = c \oplus h(w \oplus Id_U)$.
   3. Finds $i = h(b \| n_1) \oplus (Id_U \| b)$.
   4. Finds $u = h(Id_U \| b \| n_1 \| Id_S)$.
   5. Sends the value $(i, z, u, n_1)$ to the server $S$.

4.3 The Authentication Protocol
In this protocol the server $S$ authenticates a user $U$. The steps of this protocol are as follows:
Step 1: The server $S$
1. Obtains the login request information $(i, z, u, n_1)$.
2. Generates an arbitrary integer $n_2$.
3. Finds $r = h(Id_S \| e_2) \oplus n_2$.
4. Finds $f = h(h(e_1 \oplus e_2) \| n_2)$.
5. Sends $(i, z, u, n_1, Id_S, r, f)$ to the registration center.
Step 2: The registration center $R$
1. Obtains the login request value $(i, z, u, n_1, Id_S, r, f)$.
2. Finds $n_2 = r \oplus h(Id_S \| e_2)$.
3. Finds $x = h(h(e_1 \oplus e_2) \| n_2)$.

4. Verifies $x = f$. If not, ends the session; if yes, must do the following:
   1. Finds $b = h(z \| h(e_1 \| e_2))$.
   2. Finds $Id_U \| b = i \oplus h(b \| n_1)$.
   3. Finds $y = h(Id_U \| b \| n_1 \| Id_S)$.
5. Verifies $y = u$. If not, rejects the login request; if yes, must do the following:
   1. Generates a random integer $n_3$.
   2. Finds $a = n_3 \oplus h(Id_S \| n_2)$.
   3. Finds $q = h(b \| n_1) \oplus n_2 \oplus n_3$.
   4. Finds $t = h(h(b \| n_1) \| (n_2 \oplus n_3))$.
   5. Sends $(a, q, t)$ to the server.
Step 3: The server $S$
1. Obtains the information $(a, q, t)$.
2. Finds $n_3 = a \oplus h(Id_S \| n_2)$.
3. Finds $h(b \| n_1) = q \oplus n_2 \oplus n_3$.
4. Finds $m = h(h(b \| n_1) \| (n_2 \oplus n_3))$.
5. Verifies whether $m = t$. If not, ends the session. If yes, the registration center $R$ is the authorized center.
6. Sends $(q, t)$ to the user $U$.
Step 4: The user $U$
1. Obtains the information $(q, t)$.
2. Finds $n_2 \oplus n_3 = q \oplus h(b \| n_1)$.
3. Finds $l = h(h(b \| n_1) \| (n_2 \oplus n_3))$.
4. Verifies whether $l = t$. If not, the user $U$ ends the session.
5. If yes, the registration center $R$ and the server $S$ are verified by the user $U$.
The user $U$, the server $S$ and the registration center $R$ agree on the common session key $k = h(h(b \| n_1) \| (n_1 \oplus n_2 \oplus n_3))$.

4.4 The Password Change Protocol
If a user wishes to alter the password $w$ without assistance from the registration center $R$, the user should do the following:
Step 1: The user $U$
1. Inserts the smart card into a terminal.
2. Keys in $Id_U$ and the password $w$ and requests a password change.
3. Finds $p = h(Id_U \| w)$.
4. Verifies whether $p = g$. If not, the smart card rejects the password change request.
5. If yes, the user should do the following:
   Chooses the new password $w'$.
   Finds $s = h(Id_U \| w')$.
   Finds $c' = c \oplus h(w \| Id_U) \oplus h(w' \oplus Id_U)$.
   Replaces $g, c$ by $s, c'$ respectively.
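One run of the registration, login and authentication protocols of Sections 4.1 to 4.3, traced through all three parties; this is an added example, not code from the paper. SHAKE-256 as $h$, 32-byte zero-padded fields, stretching $h(b \| n_1)$ to cover $Id_U \| b$, the server key $h(Id_S \| e_2)$ as used in 4.3, and the sample identities are assumptions.

```python
import hashlib
import secrets

N = 32  # assumed width in bytes of every key, nonce, identity and password field

def h(*parts, n=N):
    # h(.) over the || concatenation of parts; SHAKE-256 is an assumption
    return hashlib.shake_256(b"".join(parts)).digest(n)

def xor(a, *rest):
    for v in rest:
        assert len(v) == len(a)  # operands must be the same length
        a = bytes(x ^ y for x, y in zip(a, v))
    return a

def field(text):
    return text.encode().ljust(N, b"\0")  # zero-padded to N bytes (assumed encoding)

def register(e1, e2, id_u, w):  # 4.1: the card ends up holding (z, g, c)
    z = h(h(id_u, secrets.token_bytes(N)), e1)  # d is random and used once
    b = h(z, h(e1, e2))
    return {"z": z, "g": h(id_u, w), "c": xor(b, h(xor(w, id_u)))}

def login(card, id_u, w, id_s):  # 4.2: check p = g, then build (i, z, u, n1)
    if h(id_u, w) != card["g"]:
        return None
    n1 = secrets.token_bytes(N)
    b = xor(card["c"], h(xor(w, id_u)))
    i = xor(h(b, n1, n=2 * N), id_u + b)  # mask stretched to the length of IdU || b
    return (i, card["z"], h(id_u, b, n1, id_s), n1), b

def center(msg, e1, e2):  # 4.3 step 2: R checks x = f (server) and y = u (user)
    i, z, u, n1, id_s, r, f = msg
    n2 = xor(r, h(id_s, e2))
    b = h(z, h(e1, e2))
    id_u = xor(i, h(b, n1, n=2 * N))[:N]
    if h(h(xor(e1, e2)), n2) != f or h(id_u, b, n1, id_s) != u:
        return None
    n3, hb = secrets.token_bytes(N), h(b, n1)
    k = h(hb, xor(n1, n2, n3))
    return (xor(n3, h(id_s, n2)), xor(hb, n2, n3), h(hb, xor(n2, n3))), k

def run(password="correct horse", typed="correct horse", tamper=False):
    # Constructed identities and keys. Returns (k_user, k_server, k_center) or None.
    e1, e2 = secrets.token_bytes(N), secrets.token_bytes(N)
    id_u, id_s = field("alice"), field("server-1")
    out = login(register(e1, e2, id_u, field(password)), id_u, field(typed), id_s)
    if out is None:
        return None
    (i, z, u, n1), b = out
    if tamper:
        u = xor(u, b"\x01" * N)  # login request modified in transit
    n2 = secrets.token_bytes(N)  # 4.3 step 1, server: r and f use h(IdS || e2), h(e1 xor e2)
    msg = (i, z, u, n1, id_s, xor(h(id_s, e2), n2), h(h(xor(e1, e2)), n2))
    res = center(msg, e1, e2)
    if res is None:
        return None
    (a, q, t), k_center = res
    n3 = xor(a, h(id_s, n2))  # 4.3 step 3, server
    hb = xor(q, n2, n3)
    n23 = xor(q, h(b, n1))  # 4.3 step 4, user
    if h(hb, xor(n2, n3)) != t or h(h(b, n1), n23) != t:  # m = t and l = t
        return None
    return h(h(b, n1), xor(n1, n23)), h(hb, xor(n1, n2, n3)), k_center
```

`run()` returns the session key $k$ as computed by the user, the server and the registration center; a wrong password stops at the card's $p = g$ check and a modified $u$ stops at the center's $y = u$ check.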

5. SECURITY ANALYSIS
We now study the security and efficiency of the proposed system.

5.1 Stolen Attack
When the smart card of a user $U$ is stolen, the hacker who gets the card can obtain the values $(z, g, c, h(\cdot))$ kept in it. With this information, it is hard for the hacker to find values such as $b$, $Id_U$, $w$ in order to forge a valid login request. Even if a formerly valid login request $(i, z, u, n_1)$ was intercepted, the hacker cannot start a replay attack, because $b$ cannot be calculated from $(z, g, c, h(\cdot))$ and $(i, z, u, n_1)$. Thus, the proposed system is protected against the stolen attack.

5.2 Offline Dictionary Attack
The hacker can record information and try to deduce the identity $Id_U$ or the password $w$ from the recorded information. We suppose that a hacker is able to guess $Id_U$ or $w$. But, as indicated by Sood et al. [19], it is impossible to deduce two keys in polynomial time. In the proposed system, a hacker may get $g = h(Id_U \| w)$, $c = b \oplus h(w \oplus Id_U)$, $z = h(h(Id_U \| d) \| e_1)$, $i = h(b \| n_1) \oplus (Id_U \| b)$ and $u = h(Id_U \| b \| n_1 \| Id_S)$ by stealing a smart card or by eavesdropping on a valid login request. The hacker cannot deduce $Id_U$ or $w$ from $g$, since he is unable to deduce two keys at once. Also, the hacker cannot deduce $Id_U$ or $w$ from $(z, c, i)$ or $u$ without the keys $(e_1, d)$. Thus, the proposed system is protected against the offline dictionary attack.

5.3 User Attack
The user $U$ with information $Id_U$ and $w$ can obtain the data $(z, g, c, h(\cdot))$ kept in the smart card. In the proposed system, a user cannot obtain $e_1$, $e_2$, $h(e_1 \| e_2)$, $h(Id_S \| e_2)$ or $h(e_1 \oplus e_2)$ in order to masquerade as another user to log in to the system or to impersonate a server to trick users. Thus, the proposed system can withstand a user attack.

5.4 Server Attack
Since each server has a private key $h(Id_S \| e_2)$ and there is no way to calculate another private key $h(Id_k \| e_2)$ without the value $e_2$, the server $S$ cannot impersonate another server $S_k$ to cheat users. Also, even if a previously valid login request $(i, z, u, n_1)$ is intercepted, a server cannot forge valid login information $(i', z', u', n_1)$ to log in to another server $S_k$ masquerading as $U$, since it cannot find the secret $b$. So, the proposed system is protected against the server attack.

5.5 User Anonymity
In the registration protocol, a secure channel and an arbitrary integer $d$ created by the register center $R$ are utilized to protect the user identity from revelation. In the login protocol, the user $U$ sends the concealed identity $i = h(b \| n_1) \oplus (Id_U \| b)$ rather than the actual identity $Id_U$ in the login request information. Verification and session key agreement in the proposed system rely on calculation of a private key $d$, not on the actual identity $Id_U$. Accordingly, we can state that the proposed protocol provides user anonymity. User anonymity is categorized into transmission anonymity and login anonymity. The major difference between the two is that the first has a characteristic that can be traced by the register center $R$ to avoid interruption, while the second has no such property. Most of the systems presented are of the login anonymity kind. The proposed system is of the transmission anonymity kind, because the actual identity $Id_U$ can simply be retrieved by the register center $R$ from $b$ calculated in the verification process. With some alteration the proposed system can be modified to login anonymity. In the login protocol, the user creates another integer $n_1'$ and finds $i = h(b \| n_1) \oplus n_1'$, $u = h(b \| n_1 \| Id_S \| n_1')$ rather than $i = h(b \| n_1) \oplus (Id_U \| b)$, $u = h(Id_U \| b \| n_1 \| Id_S)$. The register center $R$ finds $n_1' = i \oplus h(b \| n_1)$, $u' = h(b \| n_1 \| Id_S \| n_1')$ rather than $(Id_U \| b) = i \oplus h(b \| n_1)$, $u = h(Id_U \| b \| n_1 \| Id_S)$ in the authentication protocol. It is not hard to see that the tailored system is login anonymous. Thus, the proposed system is more flexible in use.

5.6 Efficiency in Password Change Protocol
In the proposed system, if the user desires to change the password, the user can complete the change without the assistance of the registration center. Obviously, there is no need to exchange any private messages between the registration center and the user. Thus, the efficiency of the password change protocol of the proposed system is enhanced. Also, as no private messages are exchanged, it is more convenient and secure for the user to change the password offline, rather than creating a secure channel between the registration center and the user as described in the Lee et al. system.

5.7 Cost Analysis
We calculate the timing cost and performance of the proposed system by comparing it with some recently proposed systems. To compute the time complexity, we use the notation Th for the time complexity of the hash function. Because exclusive-OR and concatenation operations need little computation, we ignore their timing cost. In Table 1, we compare the execution of the proposed system with other related systems. Because the login and verification protocols are the principal parts of the authentication system and must be executed for every session, we mostly consider the timing cost of these two protocols.

Table 1: Comparisons of the Proposed System with Other Systems

Protocol Name    Login Protocol    Verification Protocol    Total
Proposed         4Th               13Th                     17Th
Li et al.        7Th               21Th                     28Th
Sood et al.      7Th               18Th                     25Th
Hsiang-Shih      7Th               17Th                     24Th
Lee et al.       7Th               11Th                     18Th

The systems listed in Table 1 share a common characteristic: the register center $R$ plays a role in the verification process. The involvement of $R$ in authentication prevents servers from impersonating other servers to fool authorized users. In contrast, the last two systems cannot withstand the server attack without this mechanism, although these two systems save the timing cost of hash operations. From Table 1, it is clear that the proposed system is more efficient than the other systems that use the technique stated above.

6. CONCLUSIONS
In this paper, we presented an enhanced system that resolves the vulnerabilities without reducing the security characteristics. To prevent the stolen attack, the security of the proposed system relies on secure keys held by the server, the user and the registration center, and on a one-way hash function. Thus, no useful values can be calculated from the values kept in the smart card. To prevent the server attack, we shift the user authentication operation from the server to a registration center, to ensure that every server has a different private key $h(Id_S \| e_2)$. By comparison with some proposed systems, we showed that the proposed system is efficient and more secure.

Acknowledgements
The author wishes to extend his thanks to the Computer Science Department of the University of Bedfordshire for their helpful suggestions and support.

References
[1] Kim H., Biometrics, Is It a Viable Proposition for Identity Authentication and Access Control, Computer Security, 14, pp. 205-214, 1995.
[2] Lamport L., Password Authentication with Insecure Communication, Communications of the ACM, 24, pp. 770-772, 1981.
[3] Yamaguchi S., Okayama K., Miyahara H., Design and Implementation of an Authentication System in WIDE Internet Environment, Proceedings of IEEE Region Conference on Computer and Communication System, IEEE Press, 1990.
[4] Hwang M., Lee C., Tang Y., An Improvement of SPLICE/AS in WIDE Against Guessing Attack, Internet Journal of Information, 12 (2), pp. 297-302, 2001.
[5] Chang C., Wu T., Remote Password Authentication with Smart Cards, IEE Proceedings 138, pp. 165-168, 1991.
[6] Wu T., Remote Login Authentication Scheme Based-on a Geometric Approach, Computer Communications 18 (12), pp. 959-963, 1995.
[7] Wu H., Liu C., Chiou S., Cryptanalysis of a Secure One-time Password Authentication Scheme with Low-communication for Mobile Communications, Internet Journal of Network Security, 1 (2), pp. 74-76, 2005.
[8] Yang W., Shieh S., Password Authentication Schemes with Smart Cards, Computer Security, 18 (8), pp. 727-733, 1999.
[9] Tzung-Her Chen, Gwoboa Horng, Ke-Chiang Wu, A Secure YS-Like User Authentication Scheme, Informatica, Volume 18, No. 1, pp. 27-36, 2007.
[10] Sandirigama M., Shimizu A., Noda M., Simple and Secure Password Authentication Protocol (SAS), IEICE Transaction Communications, E83-B, pp. 1363-1365, 2002.
[11] Chien H., Jan J., Tseng Y., An Efficient and Practical Solution to Remote Authentication: Smart card, Computers & Security 21, pp. 372-375, 2002.
[12] Altinkemer K. and Wang T., Cost and Benefit Analysis of Authentication Systems, Decision Support Systems, vol. 51, pp. 394-404, 2011.
[13] Choo K., McCullagh Barreto, Two-Party Id-based Authenticated Key Agreement Protocols, Internet Journal of Network Security, 1 (3), pp. 154-160, 2005.
[14] Li, C. Lee C., Wang L., A Two-Factor User Authentication Scheme Providing Mutual Authentication and Key Agreement over Insecure Channels, Journal of Information Assurance and Security 5, pp. 201-208, 2010.
[15] Sood S., An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol, International Journal of Network Security, Volume 14, Number 1, pp. 39-46, 2012.
[16] Hsiang H. and Shih W., Improvement of the Secure Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment, Computer Standards & Interfaces, Volume 31, pp. 1118-1123, 2009.
[17] Lee C., Lin T. and Chang R., A Secure Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment Using Smart Cards, Expert Systems with Applications, Volume 38, pp. 13863-13870, 2011.

AUTHOR
Sattar J. Aboud is a Visiting Professor in the Computer Science Department at the University of Bedfordshire in the UK. He received his education in the United Kingdom. Dr. Aboud has served in many universities and was awarded the Quality Assurance Certificate of Philadelphia University, Faculty of Information Technology. His research interests include symmetric and asymmetric cryptography, verification and validation, and performance evaluation.
