Improvements of a Dynamic ID-Based Remote User Authentication Scheme

Security Improvements of a Dynamic ID-Based Remote User Authentication Scheme (Korean title)

  • Young-Do Joo (Division of Computer and Media Engineering, Kangnam University) ;
  • Young-Hwa An (Division of Computer and Media Engineering, Kangnam University)
  • Received : 2011.11.17
  • Accepted : 2011.12.16
  • Published : 2011.12.31

Abstract

Recently, many smart-card-based user authentication schemes have been proposed to remove security weaknesses in the user authentication process. In 2009, Wang et al. proposed a more efficient and secure dynamic ID-based remote user authentication scheme to fix the weakness of Das et al.'s scheme, and asserted that their scheme is free of the password-independence weakness in the authentication phase (that is, a login no longer succeeds regardless of the password entered) and provides mutual authentication between the user and the remote server. In this paper, we analyze the security of Wang et al.'s scheme and demonstrate that it is vulnerable to the man-in-the-middle attack and the off-line password guessing attack. We also show that it fails to provide mutual authentication. Accordingly, we propose an improved scheme that overcomes these weaknesses even if the secret information stored in the smart card is revealed. The proposed scheme withstands the user impersonation attack, the server masquerading attack and the off-line password guessing attack. Furthermore, it provides mutual authentication and is more efficient than Wang et al.'s scheme in terms of computational complexity.

Recently, smart-card-based user authentication schemes that remedy security weaknesses in the user authentication process have been introduced. In 2009, Wang et al. improved on the security problems of Das et al.'s scheme and proposed a more efficient and secure dynamic ID-based remote user authentication scheme. Wang et al. claim that their scheme is not only safe from the threat arising from password independence in the authentication process but also provides mutual authentication between the user and the remote authentication server. This paper analyzes Wang et al.'s scheme and proves that it is vulnerable to the man-in-the-middle attack and the off-line password guessing attack. It also shows that their scheme does not provide mutual authentication. In addition, this paper proposes an improved scheme that resolves these security problems even if the secret information in the smart card is revealed. The proposed scheme is secure against the user impersonation attack, the server masquerading attack and the off-line password guessing attack, and is more efficient than Wang et al.'s scheme in terms of computational complexity.
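The off-line password guessing attack named in the abstract turns on one condition: once the secret values in the smart card are known (for example extracted by power analysis, as in refs. 11 and 12), a single recorded login message becomes an oracle that the attacker can query as often as wanted without contacting the server. The Python below is an added example written for this page; it is not the paper's scheme, Wang et al.'s scheme, or the attack as the paper presents it. It uses a constructed hash-and-XOR toy scheme (the card value N = h(PW) XOR h(x), the dynamic ID CID = h(PW) XOR h(N XOR y XOR T), the server secret x and the card secret y are all assumptions) to show the general pattern: when every unknown in the login message other than h(PW) is either public or stored on the card, the password can be searched off-line.

```python
import hashlib
import os
import time
from typing import Dict, Iterable, Optional


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.): SHA-256 over the concatenated parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def timestamp() -> bytes:
    """Current time T as a 32-byte big-endian value so it can be XORed with digests."""
    return int(time.time()).to_bytes(32, "big")


class Server:
    """Remote server of the toy scheme (constructed for this example; not the paper's scheme)."""

    def __init__(self) -> None:
        self.x = os.urandom(32)  # long-term master secret, never leaves the server
        self.y = os.urandom(32)  # secret the server writes into every issued smart card

    def register(self, pw: bytes) -> Dict[str, bytes]:
        """Registration phase: issue a card holding N = h(PW) XOR h(x) together with y."""
        return {"N": xor(h(pw), h(self.x)), "y": self.y}

    def verify(self, msg: Dict[str, bytes]) -> bool:
        """Authentication phase: recover h(PW) from the dynamic ID, check N XOR h(PW) == h(x),
        then check the authenticator C over the whole message."""
        hpw = xor(msg["CID"], h(xor(xor(msg["N"], self.y), msg["T"])))
        if xor(msg["N"], hpw) != h(self.x):
            return False
        return msg["C"] == h(msg["T"], msg["N"], msg["CID"], self.y)


def login(card: Dict[str, bytes], pw: bytes, t: bytes) -> Dict[str, bytes]:
    """Login phase run on the card: dynamic ID CID = h(PW) XOR h(N XOR y XOR T).
    CID changes every login because T does, which is what hides the user's identity."""
    cid = xor(h(pw), h(xor(xor(card["N"], card["y"]), t)))
    c = h(t, card["N"], cid, card["y"])  # authenticator over the message
    return {"CID": cid, "N": card["N"], "C": c, "T": t}


def password_oracle(card: Dict[str, bytes], msg: Dict[str, bytes], guess: bytes) -> bool:
    """Off-line check an attacker can run with the card's (N, y) and one sniffed login message.
    The server secret x is not needed: the only unknown in CID is h(PW)."""
    expected_cid = xor(h(guess), h(xor(xor(card["N"], card["y"]), msg["T"])))
    return expected_cid == msg["CID"]


def offline_guess(card: Dict[str, bytes], msg: Dict[str, bytes],
                  dictionary: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: return the first password consistent with the transcript, else None."""
    for guess in dictionary:
        if password_oracle(card, msg, guess):
            return guess
    return None


if __name__ == "__main__":
    server = Server()
    card = server.register(b"hunter2")          # constructed sample password
    msg = login(card, b"hunter2", timestamp())  # message an eavesdropper records
    print("server accepts genuine login:", server.verify(msg))
    # Attacker: card contents extracted from the device plus the recorded message only.
    wordlist = [b"123456", b"password", b"hunter2"]  # constructed sample wordlist
    print("recovered password:", offline_guess(card, msg, wordlist))
```

Run it and the server accepts the genuine login, while offline_guess recovers the password from the card contents and the transcript alone; the attacker never touches the server's secret x. The review check this encodes is password_oracle itself: try to write the server's verification using only card contents and sniffed messages. If that is possible, the scheme does not meet the bar the abstract sets, namely resisting off-line guessing even when the card's secrets are revealed.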

References

  1. L. Lamport, "Password Authentication with Insecure Communication", Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. M. S. Hwang and L. H. Li, "A New Remote User Authentication Scheme Using Smart Cards", IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000. https://doi.org/10.1109/30.826377
  3. J. J. Shen, C. W. Lin, and M. S. Hwang, "Security Enhancement for the Timestamp-Based Password Authentication Scheme Using Smart Cards", Computers & Security, Vol. 22, No. 7, pp. 591-595, 2003. https://doi.org/10.1016/S0167-4048(03)00709-0
  4. E. J. Yoon, E. K. Ryu, and K. Y. Yoo, "Further Improvements of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 612-614, 2004. https://doi.org/10.1109/TCE.2004.1309437
  5. M. L. Das, A. Saxena, and V. P. Gulati, "A Dynamic ID-Based Remote User Authentication Scheme", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  6. A. K. Awasthi and S. Lal, "Security Analysis of a Dynamic ID-Based Remote User Authentication Scheme", Cryptology ePrint Archive, Report 2004/238, 2004. http://eprint.iacr.org/2004/238.pdf
  7. I. E. Liao, C. C. Lee, and M. S. Hwang, "Security Enhancement for a Dynamic ID-Based Remote User Authentication Scheme", Proceedings of the International Conference on Next Generation Web Services Practices (NWeSP'05), IEEE Computer Society Press, pp. 437-440, 2005.
  8. C. W. Lin, C. S. Tsai, and M. S. Hwang, "A New Strong-Password Authentication Scheme Using One-Way Hash Functions", Journal of Computer and Systems Sciences International, Vol. 45, No. 4, pp. 623-626, 2006. https://doi.org/10.1134/S1064230706040137
  9. C. S. Bindu, P. C. S. Reddy, and B. Satyanarayana, "Improved Remote User Authentication Scheme Preserving User Anonymity", International Journal of Computer Science and Network Security, Vol. 8, No. 3, pp. 62-66, 2008.
  10. Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, "A More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme", Computer Communications, Vol. 32, pp. 583-585, 2009. https://doi.org/10.1016/j.comcom.2008.11.008
  11. P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science, Vol. 1666, Springer, pp. 388-397, 1999.
  12. T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining Smart-Card Security under the Threat of Power Analysis Attacks", IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593