Journal of Internet Computing and Services (인터넷정보학회논문지)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지

A Remote Authentication Protocol Using Smartcard to Guarantee User Anonymity

사용자 익명성을 제공하는 스마트카드 기반 원격 인증 프로토콜

  • 백이루 (호서대학교 정보보호학과) ;
  • 길광은 (호서대학교 정보보호학과) ;
  • 하재철 (호서대학교 정보보호학과)
  • Published : 2009.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

To solve user authentication problem, many remote user authentication schemes using password and smart card at the same time have been proposed. Due to the increasing of interest in personal privacy, there were some recent researches to provide user anonymity. In 2004, Das et al. firstly proposed an authentication scheme that guarantees user anonymity using a dynamic ID. In 2005, Chien et al. pointed out that Das et al.'s scheme has a vulnerability for guaranteing user anonymity and proposed an improved scheme. However their authentication scheme was found some weaknesses about insider attack, DoS attack, and restricted replay attack. In this paper, we propose an enhanced scheme which can remove vulnerabilities of Chien et al.'s scheme. The proposed authentication protocol prevented insider attack by using user's Nonce value and removed the restricted replay attack by replacing time stamp with random number. Furthermore, we improved computational efficiency by eliminating the exponentiation operation.

원격 사용자 인증에 대한 문제를 해결하기 위해 자신이 알고 있는 패스워드와 소지한 스마트카드를 동시에 이용한 원격 사용자 인증 방식이 연구되었다. 최근에는 개인의 프라이버시를 보호하는 차원에서 통신 채널상에서 사용자의 익명성을 제공할 수 있는 방향으로 연구가 진행 중에 있다. 2004년도에 Das 등에 의해 동적 아이디를 사용한 사용자 익명성 제공 인증 기법이 처음으로 제안하였다. 그 후 Chien 등은 Das 등의 인증 기법이 사용자 익명성을 제공하지 못함을 지적하고 보다 개선된 인증 기법을 제안하였다. 그러나 Chien 등의 개선된 인증 기법도 내부자 공격, 서비스 거부 공격, 제한적 재전송 공격 등에 취약하다. 따라서 본 논문에서는 Chien 등의 방식이 가지는 취약점을 해결하는 향상된 인증 기법을 제안한다. 제안하는 원격 인증 방식은 사용자의 Nonce 값을 사용하여 내부자 공격을 방지하고, 타임 스탬프(time stamp) 대신 랜덤수를 사용하여 제한적 재전송 공격을 방어할 수 있도록 하였다. 또한, 복잡한 멱승 연산을 사용하지 않으므로 계산 효율성을 높였다.

Keywords

References

  1. L. Lamport, "Password authentication with insecure communications," Communication. of the ACM, Vol. 24, No. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. T. Y. Hwang, "Passwords Authentication Using Public-Key Encryption," Proc. of international Carnahan Conference on Security Technology, pp. 35-38, 1983.
  3. C. S. Laih, L. Harn, D. Huang, "Password authentication using quadratic residues," Proceedings of International Computer Symposium, pp. 1478-1483, 1988.
  4. T. Hwang, Y. Chen, and C.S. Laih, "Non-interactive password authentications without password tables," IEEE Region 10 Conference on Computer and Communication Systems, IEEE Computer Society, pp. 429-431, 1990.
  5. S. J. Wang, J. F. Chang, "Smart card based secure password authentication scheme," Computers and Security, Vol. 15 No. 3 pp. 231-237, 1996. https://doi.org/10.1016/0167-4048(96)00005-3
  6. W. H. Yang, S. P. Shieh, "Password authentication schemes with smart cards," Computers and Security, Vol. 18 No. 8, pp. 727-733, 1999. https://doi.org/10.1016/S0167-4048(99)80136-9
  7. C. C. Lee, M. S. Hwang, W. P. Yang, "A flexible remote user authentication scheme using smart cards," ACM Operating Systems Review, Vol. 36 No. 4 pp. 23-29, 2002. https://doi.org/10.1145/583800.583803
  8. C. C. Chang, T. C. Wu, "Remote password authentication with smart cards," IEE Proceedings-Computers and Digital Techniques, Vol. 138 No. 3, pp. 165-168, 1991. https://doi.org/10.1049/ip-e.1991.0022
  9. T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, Vol. IT-31, pp. 469-472, 1985.
  10. M. S Hwang, L. H Li, "A new remote user authentication scheme using smart cards," IEEE Trans. On Comsumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000. https://doi.org/10.1109/30.826377
  11. C. K. Chan and L. M. Cheng, "Cryptanalysis of a remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 992-993, Nov. 2000. https://doi.org/10.1109/30.920451
  12. H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Trans. On Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000. https://doi.org/10.1109/30.920446
  13. H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An efficient and practical solution to remote authentication: Smart Card," Computers and Security, Vol. 21, No. 4, pp. 372-375, 2002. https://doi.org/10.1016/S0167-4048(02)00415-7
  14. C. L. Hsu "Security of two remote authentication schemes using smart cards," IEEE Transactions on Consumer Electronics, Vol. 49, No. 4, pp. 1196-1198, 2003. https://doi.org/10.1109/TCE.2003.1261216
  15. M. L Das, A. Saxena, V. P Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, May 2004. https://doi.org/10.1109/TCE.2004.1309441
  16. H. Y Chien, C. H. Chen. "A remote authentication scheme preserving user anonymity," IEEE AINA'05, Vol. 2, pp. 245-248, March 2005.
  17. L. Hu, Y. Yang, X. Niu. "Improved remote user authentication scheme preserving anonymity," Fifth Annual Conference on Communication Network and Services Research(CNSR), pp. 323-328, 2007.
  18. L. Gong, "A security risk of depending on synchronized clocks," Operating Systems Review, Vol. 26, No. 1, pp. 49-53, 1992. https://doi.org/10.1145/130704.130709