The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Security Analysis and Enhancement of Tsai et al.'s Smart-Card Based Authentication Scheme

스마트카드 기반 Tsai et al. 인증기법의 안전성 분석과 새로운 보안기법 연구

  • 김명선 (수원대학교 IT대학 정보보호학과)
  • Received : 2013.10.29
  • Accepted : 2014.01.15
  • Published : 2014.01.31
Download PDF
⟨ Previous Next ⟩

Abstract

In this paper we show that a dynamic ID authentication scheme using smart cards proposed by Tsai et al. is not secure against DoS attack and insider attack. Further we claim that their scheme may raise a security problem when a user changes his/her password. Then we come up with a security-enhanced version only with small additional computational cost. Our scheme is based on the security of cryptographic hash function and the infeasibility assumption of discrete logarithm problem. In addition, we provide details of security and computational cost analysis.

최근, Tsai 등의 연구자는 동적 ID 기반 스마트카드 인증 기법을 제안하였다. 본 논문에서 그들이 제안한 기법은 잘못된 패스워드의 검증을 조기에 탐지하지 못하기 때문에 발생하는 서비스거부 공격과 내부자 공격에 취약하고 패스워드 변경시 안전성이 보장되지 않는 문제가 있음을 제시하고, 이러한 문제를 해결하는 기법을 제시하려고 한다. 본 논문에서 제안하는 기법의 안전성은 일방향 해시 함수의 안전성과 이산대수 문제의 어려움에 기반을 둔다. 특히 기존 기법과 거의 대등한 수준의 연산량을 요구하면서 안전성 문제를 해결한다. 추가로 제안하는 기법의 안전성과 연산량에 대한 좀 더 자세한 분석을 제시한다.

Keywords

References

  1. C. Chan and L. Cheng, "Cryptanalysis of a remote user authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 46, no. 4, pp. 992-993, Nov. 2000. https://doi.org/10.1109/30.920451
  2. C. Chan and L. Cheng, "Cryptanalysis of timestamp-based password authentication scheme," J. Computers and Security, vol. 21, no. 1, pp. 74-76, 1st Quarter 2001. https://doi.org/10.1016/S0167-4048(02)00110-4
  3. H. Chien, J. Jan, and Y. Tseng, "An efficient and practical solution to remote authentication: Smart card," J. Computers and Security, vol. 21, no. 4, pp. 372-375, Aug. 2002. https://doi.org/10.1016/S0167-4048(02)00415-7
  4. Citrix, http://support.citrix.com.
  5. M. Das, A. Saxena, and V. Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Trans. Consumer Electron., vol. 50, no. 2, pp. 629-631, May 2004. https://doi.org/10.1109/TCE.2004.1309441
  6. N. Duif, "Smart card implementation of a digital signature scheme for twisted Edwards curves," M.S. Thesis, Technische Universiteit Eindhoven, May, 2011.
  7. T. Elgamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, vol. 31, no. 4, pp. 469-472, Jul. 1985. https://doi.org/10.1109/TIT.1985.1057074
  8. M. Hwang and L. Li, "A new remote user authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 46, no. 1, pp. 28-30, Feb. 2000. https://doi.org/10.1109/30.826377
  9. M. Hwang, C. Lee, and Y. Tang, "A simple remote user authentication scheme," Math. and Computer Modelling, vol. 36, no. 1, pp. 103-107, Nov. 2002. https://doi.org/10.1016/S0895-7177(02)00106-1
  10. C. Hsu, "Security of two remote user authentication schemes using smart cards," IEEE Trans. Consumer Electron., vol. 49, no. 4, pp. 1196-1198, Nov. 2003. https://doi.org/10.1109/TCE.2003.1261216
  11. Z. Hao and N. Yu, "A security enhanced remote password authentication scheme using smart card," ISDPE, pp. 56-60, Buffalo, NY, Sept. 2010.
  12. I. Lee, C. Lee, and M. Hwang, "Security enhancement for a dynamic ID-based remote user authentication scheme," NWeSP, pp. 437-440, Seoul, Korea, Aug. 2005.
  13. M. Kim, "A brokered authentication scheme based on smart-card for multi-server authentication," J. KICS, vol. 38, no B.3, pp. 190-198, Mar. 2013. https://doi.org/10.7840/kics.2013.38B.3.190
  14. W. Ku and S. Chen, "Weakness and improvements of an efficient password based remote user authentication using smart cards," IEEE Trans. Consumer Electron., vol. 50, no. 1, pp. 204-207, Feb. 2004. https://doi.org/10.1109/TCE.2004.1277863
  15. R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978. https://doi.org/10.1145/359340.359342
  16. H. Sun, "An efficient remote use authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 46, no. 4, pp. 958-961, Nov. 2000. https://doi.org/10.1109/30.920446
  17. J. Tsai, T. Wu, and K. Tsai, "New dynamic ID authentication scheme using smart cards," IJCS, vol. 23, no. 12, pp. 1449-1462, Dec. 2010.
  18. Y. Wang, J. Liu, F. Xiao, and J. Dan, "A more efficient and secure dynamic ID-based remote user authentication scene," Computer Comm., vol. 32, pp. 583-585, 2009. https://doi.org/10.1016/j.comcom.2008.11.008
  19. X. Wang, W. Zhang, J. Zhang, and M. Khan, "Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards," Computer Standards and Interfaces, vol. 29, no. 5, pp. 507-512, Jul. 2007. https://doi.org/10.1016/j.csi.2006.11.005
  20. E. Yoon, E. Lee, and K. Yoo, "Cryptanalysis of Wang et al.'s remote user authentication scheme using smart cards," ICIT: New Generations, pp. 575-580, Las Vegas, USA, Apr. 2008.
  21. E. Yoon, E. Ryu, and Y. Yoo, "Further improvement of an efficient password based remote user authentication scheme using smart cards," IEEE Trans. Consumer Electron., vol. 50, no. 2, pp. 612-614, May 2004. https://doi.org/10.1109/TCE.2004.1309437
  22. E. Yoon, E. Ryu, and Y. Yoo, "An improvement of Hwang-Lee-Tang's simple remote user authentication scheme," Computers & Security, vol. 24, no. 1, pp. 50-56, Feb. 2005. https://doi.org/10.1016/j.cose.2004.06.004
  23. W. Yang and S. Shieh, "Password authentication schemes with smart cards," Computers and Security, vol. 18, no. 8, pp.727-733, 1999. https://doi.org/10.1016/S0167-4048(99)80136-9
  24. H. Zhang and M. Li, "Security vulnerabilities of an remote password authentication scheme with smart card," CECNet, pp. 698-701, Xianning, China, Apr. 2011.