Security Improvement of Remote User Authentication Scheme based on Smart Cards

Security Improvement of a Smart Card-Based User Authentication Scheme

  • 주영도 (School of Computer and Media Engineering, Kangnam University)
  • 안영화 (School of Computer and Media Engineering, Kangnam University)
  • Received : 2011.04.22
  • Accepted : 2011.10.14
  • Published : 2011.10.31

Abstract

Lin et al. recently proposed a simple remote user authentication scheme using smart cards. However, their scheme does not satisfy the security requirements that a password-based smart-card user authentication scheme must meet. In this paper, we show that Lin et al.'s scheme is insecure against an off-line password guessing attack: if a legitimate user's smart card is stolen and the secret information stored on it is extracted by an attacker, the user's password can be recovered by password guessing. We demonstrate this vulnerability and present an enhancement that removes the weakness. The proposed scheme withstands various possible attacks, including the password guessing attack, and additionally provides mutual authentication, which strengthens its security. Performance evaluation shows that the proposed scheme is relatively more effective than Lin et al.'s scheme.

Recently, Lin et al. proposed a scheme that authenticates a remote user using a password and a smart card. However, the scheme proposed by Lin et al. does not satisfy the security requirements that a password-based smart-card user authentication scheme must consider. This paper proves that Lin et al.'s scheme is vulnerable to an off-line password guessing attack when an attacker steals, or temporarily gains access to, a user's smart card. Accordingly, to resolve this security weakness, we propose an improved authentication scheme based on a hash function and random nonces. The user authentication scheme presented in this study is designed so that password guessing, forgery and replay attacks are infeasible, and it also provides mutual authentication between the user and the authentication server. Hence the proposed authentication scheme is relatively more efficient and offers stronger security than Lin et al.'s scheme.

References

  1. L. Lamport, "Password Authentication with Insecure Communication", Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. R. E. Lennon, S. M. Matyas, and C. H. Meyer, "Cryptographic Authentication of Time-Invariant Quantities", IEEE Transactions on Communications, Vol. COM-29, No. 6, pp. 773-777, 1981.
  3. S. M. Yen and K. H. Liao, "Shared Authentication Token Secure against Replay and Weak Key Attacks", Information Processing Letters, pp. 78-80, 1997.
  4. H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An Efficient and Practical Solution to Remote Authentication: Smart Card", Computers & Security, Vol. 21, No. 4, pp. 372-375, 2002.
  5. C. W. Lin, J. J. Shen, and M. S. Hwang, "Security Enhancement for Optimal Strong-Password Authentication Protocol", ACM Operating Systems Review, Vol. 37, No. 2, 2003.
  6. S. M. Chen and W. C. Ku, "Weakness and Improvements of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards", IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 204-207, 2004. https://doi.org/10.1109/TCE.2004.1277863
  7. E. J. Yoon, E. K. Ryu, and K. Y. Yoo, "Further Improvements of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 612-614, 2004. https://doi.org/10.1109/TCE.2004.1309437
  8. X. Duan, J. W. Liu, and Q. Zhang, "Security Improvements on Chien et al.'s Remote User Authentication Scheme Using Smart Cards", IEEE International Conference on Computational Intelligence and Security, pp. 1133-1135, 2006.
  9. C. W. Lin, C. S. Tsai, and M. S. Hwang, "A New Strong-Password Authentication Scheme Using One-Way Hash Functions", Journal of Computer and Systems Sciences International, Vol. 45, No. 4, pp. 623-626, 2006. https://doi.org/10.1134/S1064230706040137
  10. H. C. Hsiang and W. K. Shih, "Weakness and Improvements of the Yoon-Ryu-Yoo Remote User Authentication Scheme Using Smart Cards", Computer Communications, Vol. 32, pp. 649-652, 2009. https://doi.org/10.1016/j.comcom.2008.11.019
  11. J. Xu, W. T. Zhu, and D. G. Feng, "An Improved Smart Card Based Password Authentication Scheme with Provable Security", Computer Standards & Interfaces, Vol. 31, pp. 723-728, 2009. https://doi.org/10.1016/j.csi.2008.09.006
  12. P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, pp. 388-397, 1999.
  13. T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining Smart-Card Security under the Threat of Power Analysis Attacks", IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593
  14. N. Asokan, H. Debar, M. Steiner, and M. Waidner, "Authenticating Public Terminals", Computer Networks, Vol. 31, pp. 861-870, 1999. https://doi.org/10.1016/S1389-1286(98)00020-6