Vulnerability Analysis and Improvement in Man-in-the-Middle Attack for Remote User Authentication Scheme of Shieh and Wang's using Smart Card

Improvement against the Man-in-the-Middle Attack on Shieh and Wang's Smart Card Mutual Authentication Scheme

  • 신광철 (Division of Industrial and Management Engineering, Sungkyul University)
  • Received : 2012.08.13
  • Accepted : 2012.09.24
  • Published : 2012.11.30

Abstract

Shieh and Wang [10] recently proposed an efficient mutual authentication scheme that combines the computational cost-effectiveness of the Lee et al. [6] scheme with the security and key agreement of the Chen and Yeh [1] scheme. The Shieh and Wang [10] scheme, however, does not satisfy the security requirements against a third party (a man-in-the-middle attacker) that must be considered in a remote user authentication scheme using password-based smart cards. Its weaknesses are that it cannot verify forged messages in its 3-way handshaking mutual authentication and that the system (server) secret key can easily be exposed. This paper examines the problems in the Shieh and Wang scheme's verification procedure for messages forged through eavesdropping. It proposes an enhanced two-way remote user authentication scheme that is strong and safe against multiple attacks: it adds the ability to perform an integrity check at the server and does not expose the user's password information or the system's confidential information.

Acknowledgement

Supported by: Sungkyul University

References

  1. Chen, Y. C. and Yeh, L. Y., "An Efficient nonce-based authentication scheme with key agreement," Applied Mathematics and Computation, Vol. 169, pp. 982-994, 2005. https://doi.org/10.1016/j.amc.2004.11.004
  2. Hwang, M.-S. and Li, L. H., "A New Remote User Authentication Scheme Using Smart Cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000. https://doi.org/10.1109/30.826377
  3. Kim, S. K. and Chung, M. G., "More secure remote user authentication scheme," Computer Communications, Vol. 32, No. 6, pp. 1018-1021, 2009. https://doi.org/10.1016/j.comcom.2008.11.026
  4. Lamport, L., "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 710-712, 1981.
  5. Lee, N. Y. and Chiu, Y. C., "Improved remote authentication scheme with smart card," Computer Standards and Interfaces, Vol. 27, No. 2, pp. 177-180, 2005. https://doi.org/10.1016/j.csi.2004.06.001
  6. Lee, S. W., Kim, H. S., and Yoo, K. Y., "Efficient nonce-based remote user authentication scheme using smart cards," Applied Mathematics and Computation, Vol. 167, pp. 355-361, 2005. https://doi.org/10.1016/j.amc.2004.06.111
  7. Liao, I. E., Lee, C.-C., and Hwang, M.-S., "Identity-based deniable authentication protocol from pairings," IMSA 2006, pp. 112-114.
  8. Xie, Q., Wang, J.-K., Chen, D.-R., and Wang, X.-Y., "A novel user authentication scheme using smart card," College of Computer Science, Zhejiang University, Hangzhou, 310027, P. R. China, and Graduate School, Hangzhou Normal University, 2008.
  9. Shieh, W. G., "The Weakness of Efficient nonce-based remote user authentication scheme using smart cards," WSEAS Trans. on Information Science and Applications, Vol. 3, No. 3, pp. 584-587, 2006.
  10. Shieh, W. G. and Wang, M. T., "A Cost Effective Mutual authentication scheme with Key Agreement using smart cards," International Journal of Information and Management Sciences, Vol. 19, No. 4, pp. 571-587, 2008.
  11. Song, R., "Advanced smart card based password authentication protocol," Computer Standards and Interfaces, Vol. 32, pp. 321-325, 2010. https://doi.org/10.1016/j.csi.2010.03.008
  12. Xu, J., Zhu, W. T., and Feng, D. G., "An improved smart card based password authentication scheme with provable security," Computer Standards and Interfaces, Vol. 31, No. 4, pp. 723-728, 2009. https://doi.org/10.1016/j.csi.2008.09.006

Cited by

  1. A Robust and Secure Remote User Authentication Scheme Preserving User Anonymity vol.18, pp.2, 2013, https://doi.org/10.7838/jsebs.2013.18.2.081