A Robust and Secure Remote User Authentication Scheme Preserving User Anonymity

A Secure and Improved Remote User Authentication Scheme Guaranteeing User Anonymity (Korean title)

  • Shin, Kwang-Cheul (Dept. of Industrial Management Engineering, Sungkyul University)
  • Received : 2013.02.28
  • Accepted : 2013.04.22
  • Published : 2013.05.31

Abstract

Remote user authentication is a method by which a remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card based remote user authentication schemes have been widely adopted for mutual authentication because of their low computational cost and convenient portability. In 2009, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves user anonymity, relies on a password chosen by the server, and is protected against several attacks. However, in this paper I point out that Wang et al.'s scheme has practical vulnerabilities. I found that their scheme does not provide user anonymity during authentication. In addition, the user does not have the right to choose a password, and the scheme is vulnerable to limited replay attacks. In particular, the parameter y delivered to the user is ambiguous. To overcome these security faults, I propose an enhanced authentication scheme that covers all the identified weaknesses of Wang et al.'s scheme and is an efficient user authentication scheme that preserves perfect anonymity with respect to both outsiders and the remote server.

A remote user authentication scheme is a method by which a user's legitimacy is verified to a remote server over an insecure communication channel. Currently, smart card based remote user authentication schemes are widely adopted for mutual authentication because they lower computational cost while remaining simple to use. In 2009, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Wang et al. claimed that their scheme is secure against various attacks and that anonymity is guaranteed by a strong password chosen by the server. However, this paper points out that Wang et al.'s scheme has the weakness of not providing user anonymity during the authentication process. In addition, the user has no right to choose the password, and the scheme is vulnerable to limited replay attacks. In particular, the parameter y transmitted to the user is used very inappropriately. To overcome these security flaws, an improved authentication scheme is proposed that remedies the identified weaknesses of Wang et al.'s scheme and guarantees complete anonymity between the user and the remote server.

References

  1. Chen, C. M. and Ku, W. C., "Stolen-verifier attack on two new strong-password authentication protocols," IEICE Transactions on Communications, Vol. E85-B, pp. 2519-2521, 2002.
  2. Das, M. L., Saxena, A., and Gulati, V. P., "A dynamic ID-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  3. Fan, C. I., Chan, Y. C., and Zhang, Z. K., "Robust remote authentication scheme with smart cards," Computers and Security, Vol. 24, No. 8, pp. 619-628, 2005. https://doi.org/10.1016/j.cose.2005.03.006
  4. Gong, L., "A security risk of depending on synchronized clocks," ACM Operating Systems Review, Vol. 26, No. 1, pp. 49-53, 1992. https://doi.org/10.1145/130704.130709
  5. Hwang, M. S. and Li, L. H., "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000. https://doi.org/10.1109/30.826377
  6. Khan, M. K., Kim, S. K., and Alghathbar, K., "Cryptanalysis and security enhancement of a more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, Vol. 34, No. 3, pp. 305-309, 2011. https://doi.org/10.1016/j.comcom.2010.02.011
  7. Ku, W. C. and Chen, S. M., "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 204-207, 2004. https://doi.org/10.1109/TCE.2004.1277863
  8. Lamport, L., "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  9. Lee, C. C., Hwang, M. S., and Yang, W. P., "A flexible remote user authentication scheme using smart cards," ACM Operating Systems Review, Vol. 36, No. 4, pp. 23-29, 2002.
  10. Lee, N. Y. and Chiu, Y. C., "Improved remote authentication scheme with smart card," Computer Standards and Interfaces, Vol. 27, No. 2, pp. 177-180, 2005. https://doi.org/10.1016/j.csi.2004.06.001
  11. Liao, I. E., Lee, C. C., and Hwang, M. S., "Security enhancement for a dynamic ID-based remote user authentication scheme," International Conference on Next Generation Web Services Practices (NWeSP), IEEE, Seoul, Korea, 2005.
  12. Liao, Y. P. and Wang, S. S., "A secure dynamic ID-based remote user authentication scheme for multi-server environment," Computer Standards and Interfaces, Vol. 31, No. 1, pp. 24-29, 2009. https://doi.org/10.1016/j.csi.2007.10.007
  13. Messerges, T. S., Dabbish, E. A., and Sloan, R. H., "Examining smart-card security under the threat of power analysis attacks," IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593
  14. Shin, K. C., "Vulnerability analysis and improvement in man-in-the-middle attack for remote user authentication scheme of Shieh and Wang et al.'s using smart card," The Journal of Society for e-Business Studies, Vol. 17, No. 4, pp. 1-16, 2012. https://doi.org/10.7838/jsebs.2012.17.4.001
  15. Shin, K. C., "Analysis and countermeasure for authentication scheme of Qi Xie's based on variable authenticator," The Korean Institute of Information Technology, Vol. 10, No. 1, pp. 139-146, 2012.
  16. Shin, K. C., "Vulnerability analysis and improvement of a remote user authentication scheme by legitimate members," Korea Knowledge Information Technology Society, Vol. 7, No. 6, pp. 181-192, 2012.
  17. Song, R., "Advanced smart card based password authentication protocol," Computer Standards and Interfaces, Vol. 32, No. 5-6, pp. 321-325, 2010. https://doi.org/10.1016/j.csi.2010.03.008
  18. Wang, Y. Y., Liu, J. Y., Xiao, F. X., and Dan, J., "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, Vol. 32, No. 4, pp. 583-585, 2009. https://doi.org/10.1016/j.comcom.2008.11.008
  19. Xie, Q., Wang, J. K., Chen, D. R., and Wang, X. Y., "A novel user authentication scheme using smart card," College of Computer Science, Zhejiang University, Hangzhou, and Graduate School, Hangzhou Normal University, 2008.
  20. Xu, J., Zhu, W., and Feng, D., "An improved smart card based password authentication scheme with provable security," Computer Standards and Interfaces, Vol. 31, No. 4, pp. 723-728, 2009. https://doi.org/10.1016/j.csi.2008.09.006

Cited by

  1. A Robust Biometric-based User Authentication Protocol in Wireless Sensor Network Environment vol.18, pp.3, 2013, https://doi.org/10.7838/jsebs.2013.18.3.107