효율적이고 안전한 스마트카드 기반 사용자 인증 시스템 연구

A Study on Efficient and Secure user Authentication System based on Smart-card

  • 변진욱 (평택대학교 정보통신학과)
  • Byun, Jin-Wook (Department of Information and Communication, Pyeongtaek University)
  • 투고 : 2010.08.19
  • 발행 : 2011.02.25


사용자 인증은 정보보안 시스템 구축 시 반드시 필수적인 핵심 기술이다. 사용자들은 인증과정을 통해 데이터베이스에 있는 자원에 접근하고 안전하게 사용할 수 있다. 사용자가 소지하는 스마트카드는 그 사용의 편리성과 대중성으로 인해 현재 중요한 인증 수단으로 각광받고 있다. 더욱이 스마트카드는 계산을 위한 저장 공간과 연산력을 확보하고 있기 때문에 효율적이고 안전한 사용자에 널리 사용될 수 있는 장점을 지니고 있다. 1981년, 램포트는 처음으로 사용자의 스마트카드를 이용해서 인증 통신 프로토콜을 설계했다. 하지만, 암호학적으로 안전한 해시함수가 체인으로 여러 번 적용됨으로 인해 높은 비용을 초래한다는 점과 이러한 해쉬 정보들이 서버에 저장되어야하므로 이와 관련한 공격 가능성들이 비판의 대상이 되었다. 이후 안전하고 효율적인 인증 통신 프로토콜 설계에 대한 연구가 활발히 진행되고 있다. 아주 최근에, Xu, Zhu, Feng 등은 증명가능하고 안전한 스마트카드 인증 프로토콜을 제안했다. 본 논문에서는 스마트카드 기반 인증 프로토콜에서 발생할 수 있는 가능한 취약점 및 공격들을 정의한다. 이를 통해, Xu, Zhu, Feng이 제안한 프로토콜이 서버의 비밀 값들을 획득한 공격자가 사용자의 비밀 값과 패스워드를 모르고도 해당 사용자를 가장 할 수 있다는 측면에서 안전하지 않다는 것을 보인다. 이에 대해 효율적이고 안전한 프로토콜을 설계하고 설계된 프로토콜의 안전성을 새롭게 분석한다.

User authentication service is an absolutely necessary condition while securely implementing an IT service system. It allows for valid users to securely log-in the system and even to access valid resources from database. For efficiently and securely authenticating users, smart-card has been used as a popular tool because of its convenience and popularity. Furthermore the smart-card can maintain its own power for computation and storage, which makes it easier to be used in all types of authenticating environment that usually needs temporary storage and additional computation for authenticating users and server. First, in 1981, Lamport has designed an authentication service protocol based on user's smart-card. However it has been criticized in aspects of efficiency and security because it uses hash chains and the revealment of server's secret values are not considered. Over the years, many smart-card based authentication service protocol have been designed. Very recently, Xu, Zhu, Feng have suggested a provable and secure smart-card based authentication protocol. In this paper, first, we define all types of attacks in the smart-card based authentication service. According to the defined attacks, however, the protocol by Xu, Zhu, Feng is weak against an attack that an attacker with secret values of server is able to impersonate a valid user without knowing password and secret values of user. An efficient and secure countermeasure is suggested, then the security is analyzed.



  1. C.K. Chan, L.M. Cheng, Cryptanalysis of a remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (4) (2000) 992-993. https://doi.org/10.1109/30.920451
  2. C.C. Chang, K.F. Hwang, Some forgery attacks on a remote user authentication scheme using smart cards, Informatica 14 (3) (2003) 289-.294.
  3. H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Computer and Security 21 (4) (2002) 372-.375. https://doi.org/10.1016/S0167-4048(02)00415-7
  4. H. Chung, W. Ku, M. Tsaur, Weakness and improvement of Wang et al.'s remote user password authentication scheme for resource limited environments, Computer Standards & Interfaces, 31 (2009) 863-868 https://doi.org/10.1016/j.csi.2008.09.020
  5. W. Diffie, P.C. van Oorschot, M.J. Wiener, Authentication and authenticated key exchanges, Designs Codes and Cryptography 2 (2) (1992) 107-.125. https://doi.org/10.1007/BF00124891
  6. [FIPS201] Federal Information Processing Standard 201-1, Change Notice 1, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006. (See http://csrc.nist.gov)
  7. M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart card, IEEE Transactions on Consumer Electronics 46 (1) (2000) 28-.30. https://doi.org/10.1109/30.826377
  8. P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proc. Advances in Cryptology (CRYPTO'99), 1999, pp. 388-397.
  9. W.C. Ku, S.M. Chen, Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 204-207.
  10. S.W. Lee, H.S. Kim, K.Y. Yoo, Improvement of Chien et al.'s remote user authentication scheme using smart cards, Computer Standards and Interfaces 27 (2005) 181-.183.
  11. N.Y. Lee, Y.C. Chiu, Improved remote authentication scheme with smart card, Computer Standards and Interfaces 27 (2005) 177 -.180. https://doi.org/10.1016/j.csi.2004.06.001
  12. L. Lamport, Password authentication within secure communication, Communications of the ACM 24 (1981) 770-.772. https://doi.org/10.1145/358790.358797
  13. T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541-552 https://doi.org/10.1109/TC.2002.1004593
  14. H.M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (4) (2000) 958-961. https://doi.org/10.1109/30.920446
  15. [SP800-78-2] NIST Special Publication 800-78-2, Cryptographic Algorithms and Key sizes for Personal Identity verification, February 2010. (See http://csrc.nist.gov)
  16. X.M. Wang, W.F. Zhang, J.S. Zhang, M.K. Khan, Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards, Computer Standards and Interfaces 29 (5) (2007) 507-512. https://doi.org/10.1016/j.csi.2006.11.005
  17. J. Xu, W. Zhu, D. Feng, An improved smart card based password authentication scheme with provable security Computer Standards & Interfaces 31 (2009) 723-728 https://doi.org/10.1016/j.csi.2008.09.006
  18. H.T. Yeh, H.M. Sun, B.T. Hsieh, Security of a remote user authentication scheme using smart cards, IEICE Transactions on Communications E87-B (1) (2004) 192-194
  19. E.J. Yoon, E.K. Ryu, K.Y. Yoo, Further improvement of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 50 (2) (2004) 612-614. https://doi.org/10.1109/TCE.2004.1309437