Design Flaws and Cryptanalysis of Cui et al's User Authentication Scheme

  • Park, Mi-Og (Dept. of Computer Engineering, Sungkyul University)
  • Received : 2019.08.29
  • Accepted : 2019.10.21
  • Published : 2019.10.31

Abstract

In 2018, Cui et al. proposed a three-factor remote user authentication scheme using biometrics. Cui et al. claimed that their authentication scheme is secure against eavesdropping attacks, stolen smart card attacks, and especially DoS (denial-of-service) attacks. They also claimed that it is secure against password guessing attacks, impersonation attacks, and anonymity attacks. In this paper, however, we analyze Cui et al.'s authentication scheme and show that it is vulnerable to replay attacks, insider attacks, stolen smart card attacks, and user impersonation attacks, among others. In addition, we present the design flaws in Cui et al.'s authentication scheme.

References

  1. Y.J. Liu, C.C. Chang, and S.C. Chang, "An Efficient and Secure Smart Card Based Password Authentication Scheme," International Journal of Network Security, Vol. 19, No. 1, pp. 1-10, January 2017.
  2. P. Chandrakar and H. Om, "An Efficient Two-Factor Remote User Authentication and Session Key Agreement Scheme Using Rabin Cryptosystem," Arabian Journal for Science and Engineering, Vol. 43, No. 2, pp. 661-673, February 2018. https://doi.org/10.1007/s13369-017-2709-6
  3. Y. Choi, "Security Enhanced Anonymous Two Factor Mutual Authentication Scheme with Key Agreement," Korea Digital Content Society, Vol. 19, No. 12, pp. 2415-2422, December 2018. https://doi.org/10.9728/dcs.2018.19.12.2415
  4. W. Zheng, Z. Gui, D. Liu, X. Li, and B. Chen, "Lightweight Certificateless Two-Factor Authentication Protocol Using Smart Cards," Journal of Internet Technology, Vol. 19, No. 7, pp. 2227-2234, 2018.
  5. A. K. Das, "Analysis and Improvement on an efficient biometric-based remote user authentication scheme using smart cards," IET Information Security, Vol. 5, No. 3, pp. 541-552, 2011.
  6. Y. An, "Analysis and Improvements of a Biometrics-based User Authentication Scheme Using Smart Cards," Journal of the Korean Society of Computer Information, Vol. 17, No. 2, pp. 159-166, February 2012. https://doi.org/10.9708/jksci.2012.17.2.159
  7. Y. An, "Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards," Journal of Biomedicine and Biotechnology, Vol. 2012, Article ID 519723, pp. 1-6, 2012.
  8. S. Ibjaoun, A.E. Kalam, V. Poirriez, A. Ouahman, and M. Montfort, "Analysis and enhancements of an efficient biometric based remote user authentication scheme using smart cards," 2016 IEEE/ACS 13th International Conference of Computer Systems and Applications, 2016.
  9. J. Cui, R. Sui, X. Zhang, H. Li, and N. Cao, "A Biometrics-Based Remote User Authentication Scheme Using Smart Cards," 3rd International Conference on Computer and Communication Systems 2018, pp. 531-542, 2018. https://doi.org/10.1007/978-3-030-00015-8_46
  10. K.P. Xue, P.L. Hong, and C.S. Ma, "A Lightweight Dynamic Pseudonym Identity based Authentication and Key Agreement Protocol without Verification Tables for Multi-server Architecture," Journal Computer and System Sciences, Vol. 80, Issue. 1, pp. 195-206, February 2014. https://doi.org/10.1016/j.jcss.2013.07.004
  11. D.B. He, and D. Wang, "Robust Biometrics-based Authentication Scheme for Multi Server Environment," IEEE System Journal, Vol. 9, Issue. 3, pp. 816-823, September 2015. https://doi.org/10.1109/JSYST.2014.2301517
  12. X. Li, J.W. Niu, J. Ma, W.D. Wang, and C.L. Liu, "Cryptanalysis and Improvement of a Biometrics-based Remote User Authentication Scheme using Smart Cards," Journal of Network and Computer Applications, Vol. 34, No. 1, pp. 76-79, 2011.
  13. C.T. Li, and M.S. Hwang, "An Efficient Biometrics-based Remote User Authentication Scheme using Smart Cards," Journal of Network and Computer Applications, Vol. 33, No. 1, pp. 1-5, 2010. https://doi.org/10.1016/j.jnca.2009.08.001
  14. V. Odelu, A.K. Das, and A. Goswami, "A Secure Biometrics-based Multi-server Authentication Protocol using Smart Cards," IEEE Transactions on Information Forensics and Security, Vol. 10, No. 9, pp. 1953-1966, 2015. https://doi.org/10.1109/TIFS.2015.2439964
  15. Z. Zheng, X. Liu, L. Yin, and Z. Liu, "A Hybrid Password Authentication Scheme Based on Shape and Text," Journal of Computers, Vol. 5, No. 5, pp. 765-772, May 2010.
  16. Y.S. Choi, J.H. Nam, D.H. Lee, J. Kim, J.W. Jung, and D.G. Won, "Security Enhanced Anonymous Multi Server Authenticated Key Agreement Scheme using Smart Cards and Biometrics," Scientific World Journal, Vol. 2014, Article ID 281305, pp. 1-15, 2014. http://dx.doi.org/10.1155/2014/281305
  17. M. Qi, J. Chena, and Y. Chen, "A Secure Biometrics-based Authentication Key Exchange Protocol for Multi-server TMIS using ECC," Computer Methods and Programs in Biomedicine, Vol. 164, pp. 101-109, 2018. https://doi.org/10.1016/j.cmpb.2018.07.008
  18. W.S. Juang, "Efficient Multi-server Password Authenticated Key Agreement Using Smart Cards," IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 251-255, February 2004. https://doi.org/10.1109/TCE.2004.1277870
  19. W.J. Tsuar, C.C. Wu, and W.B. Lee, "A Flexible User Authentication for Multi-server Internet Services," Networking-ICN 2001 First International Conference on Networking 2001, Vol. 2094, pp. 174-183, July 2001.