Journal of the Korea Society of Computer and Information (한국컴퓨터정보학회논문지)

Korean Society of Computer Information (한국컴퓨터정보학회)
권호 표지
DOI QR코드

DOI QR Code

Improvements of the Hsiang-Shih's remote user authentication scheme using the smart cards

스마트카드를 이용한 Hsiang-Shih의 원격 사용자 인증 스킴의 개선에 관한 연구

  • 안영화 (강남대학교 컴퓨터미디어정보공학부)
  • Published : 2010.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

Recently Hsiang-Shih proposed the user authentication scheme to improve Yoon et al's scheme. But the proposed scheme has not been satisfied security requirements considering in the user authentication scheme using the password based smart card. In this paper, we proved that Hsiang-Shih's scheme is vulnerable to the off-line password guessing attack. In other words, the attacker can get the user's password using the off-line password guessing attack on the scheme when the attacker steals the user's smart card and extracts the information in the smart card. Also, the improved scheme based on the hash function and random number was introduced, thus preventing the attacks, such as password guessing attack, forgery attack and impersonation attack etc. And we suggested the effective mutual authentication scheme that can authenticate each other at the same time between the user and server.

최근 Hsiang-Shih는 Yoon 등의 스킴[7]을 개선한 사용자 인증 스킴을 제안하였다[10]. 그러나 제안된 스킴은 패스워드를 기반으로 하는 스마트카드를 이용한 사용자 인증 스킴에서 고려하는 보안 요구사항을 만족하지 못한다. 본 논문에서는, Hsiang-Shih가 제안한 스킴은 off-line 패스워드 추측공격에 취약함을 보였다. 즉, 공격자가 사용자의 스마트카드를 훔치거나 일시적으로 접근하여 그 안에 저장된 정보를 추출하여 사용자의 패스워드를 알아낼 수 있음을 보였다. 또한 이와 같은 문제점들을 해결한 해쉬함수와 난수에 기반한 개선된 사용자 인증스킴을 제안하였다. 제안한 인증 스킴은 패스워드 추측공격, 위조 및 위장공격이 불가능함을 알 수 있었다. 그리고 사용자와 서버가 상대방을 인증할 수 있는 효율적인 상호 인증방식을 제시하였다.

Keywords

References

  1. L. Lamport, "Password authentication with insecure communication," Communications of the ACM, 24(11), pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. R.E. Lennon, S.M Matyas, C.H Mayer, "Cryptographic authentication of time-invariant quantities," IEEE Trans . Communication, COM-29, Vol. 6, pp. 773-777, 1981,
  3. S.M. Yen, KH Liao, "Shared authentication token secure against replay and weak key attack" Information Proceeding Letters, pp. 78-80, 1937.
  4. H.Y. Chien, J.K. Jan, Y.M. Tseng, "An efficient and practical solution to remote authentication using smart card," Computers & Security, 21 (4), pp. 372-375. 2002. https://doi.org/10.1016/S0167-4048(02)00415-7
  5. C.W. Lin, J.J. Shen, and M.S. Hwang, "Security Enhancement for Optimal Strong-Password Authentication Protocol," ACM Operating Systems Review,37 (2), 2003.
  6. S.M Chen, W.C. Ku, 'Weakness and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, 50(1), pp. 204-207, 2004. https://doi.org/10.1109/TCE.2004.1277863
  7. E.J. Yoon, E.K Ryu, K.Y. Yoo, ''Further improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, 50(2), pp. 612-614, 2004. https://doi.org/10.1109/TCE.2004.1309437
  8. X. Duan, J.W. Liu, Q. Zhang, "Security improverments on Chien et al.'s remote user authentication scheme using smart cards," IEEE International conference on Computational Intelligence and Security (CIS 2006), 2, pp. 1133-1135, 2006.
  9. C.W. Lin, C.S. Tsai, and M.S. Hwang, "A New Strong-Password Authentication Scheme Using One-Way Hash Functions," Journal of Computer and Systems Sciences International, vol. 45, no. 4, pp. 623-626, 2006, https://doi.org/10.1134/S1064230706040137
  10. H.C Hsiang, W.K. Shih, "Weakness and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards," Computer Communications, 32, pp. 649-652, 2009. https://doi.org/10.1016/j.comcom.2008.11.019
  11. P. Kocher, J. Jaffe, B. Jun, "Differential power analysis," Proceedings of Advances in Cryptology (CRYPTO 99), pp. 388-397, 1999.
  12. T.S. Messerges, E.A. Dabbish, R.H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Transactions on Computers, 51 (5), pp. 541 - 552, 2002. https://doi.org/10.1109/TC.2002.1004593
  13. 신광철, "서비스거부공격에 안전한 OTP 스마트카드 인중 프로토콜," 한국컴퓨터정보학회논문지, 제12권, 제6호, 201-206쪽, 2007년 12월.
  14. 안영화, 이강호, "스마트카드를 이용한 사용자 인증 스킴의 안전성 분석," 한국컴퓨터정보학회논문지, 제14권, 제3호, 133-138쪽, 2009년 3월.