DOI QR코드

DOI QR Code

A Brokered Authentication Scheme Based on Smart-Card for Multi-Server Authentication

다중서버 인증을 위한 스마트카드 기반 중재 인증 기법 연구

  • 김명선 (수원대학교 IT대학 정보보호학과)
  • Received : 2013.02.26
  • Accepted : 2013.03.12
  • Published : 2013.03.29

Abstract

Since the facilities for the remote users tend to be deployed in distributed manner, authentication schemes for multi-server communication settings, which provide various web services, are required for real-world applications. A typical way to authenticate a remote user relies on password authentication mostly. However, this method is vulnerable to attacks and inconvenient as the system requires users to maintain different identities and corresponding passwords. On the other hand, the user can make use of a single password for all servers, but she may be exposed to variants of malicious attacks. In this paper, we propose an efficient and secure authentication scheme based on a brokered authentication along with smart-cards in multi-server environment. Further we show that our scheme is secure against possible attacks and analyze its performance with respect to communication and computational cost.

사용자가 원하는 서비스가 여러 개의 서버에 분산되어 있을 수 있기 때문에 다수의 서버가 존재하는 다중서버 환경을 위한 인증기법은 웹서비스를 이용할 때 반드시 필요하다. 일반적으로 Password를 사용하는 방법이 적용되나 안전성 측면에서 취약하고 서버마다 다른 Identity(ID)와 Password를 사용하는 것은 불편하다. 그래서 사용자가 사용하는 여러 서버에 접속할 때 항상 동일한 ID를 사용하는 것이 허용되나, 다양한 공격에 노출될 수 있다. 본 논문에서는 서버가 여러 개 존재하는 환경에서 원격지에 있는 사용자는 하나의 스마트카드만 사용하여 다양한 서비스를 편리하고 안전하게 받을 수 있는 인증기법을 제안한다. 추가로 제안한 기법의 안전성을 공격 유형별로 나누어 분석하고, 기존 방법과 성능비교를 통하여 제안하는 기법이 효율적임을 보인다.

Keywords

References

  1. ANSI, Public-key Cryptography for the Financial Services Industry: Elliptic Curve Key Agreement and Key Transport Schemes, ANSI X.963, 1998.
  2. R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercauteren, Handbook of Elliptic and Hiperelliptic Curve Cryptography, Chapman & Hall/CRC Press, 2006.
  3. I. Blake, G. Seroussi and N. Smart, Elliptic Curve in Cryptography, Cambridge Press, 1999.
  4. C. Chang and J. Lee, "An efficient and secure multi-server password authentication scheme using smart cards,"in Proc. 2004 Int. Conf. Cyberworlds (CW'04), pp. 417-422, Tokyo, Japan, Nov. 2004.
  5. K. Chatterjee, A. De, and D. Gupta, "Timestamp based authentication protocol for smart card using ECC," in Proc. Web Inform. Syst. Mining (WISM), pp. 368-375, Taiyuan, China, Sep. 2011.
  6. Y. Chen, C. Huang and J. Chou. (2009, Apr 21). A novel multi-server authentication protocol [Online], retrieved (2013, January 11), available: http://eprint.iacr.org/2009/176.
  7. J. H. Cheon, H. Kim, S. G. Hahn, and C. Park, "On the discrete logarithm of an elliptic curve," Korean Inst. Inform. Security (KIISC), vol. 8, no. 3, pp. 95-104, Sep. 1998.
  8. S. M. Cho, S. C. Seo, T. H. Kim, Y. H. Park, and S. Hong, "New efficient scalar multiplication algorithms based on Montgomery ladder method for elliptic curve cryptosystems," Korean Inst. Inform. Security (KIISC), vol. 19, no. 4, pp. 3-19, Aug. 2009.
  9. W. Diffie and M. Hellman, "New directions in cryptography," IEEE Tran. Inform. Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976. https://doi.org/10.1109/TIT.1976.1055638
  10. IEEE, Standard specifications for public-key cryptography, IEEE P1363, 1999.
  11. W. Juang, "Efficient multi-server password authenticated key agreement using smart cards," IEEE Trans. Comsum. Electron., vol. 50, no. 1, pp. 252-255, Feb. 2004.
  12. Y. H. Kim, Y. H. Park, S. Lee, J. Y. Hwang, C. H. Kim, and J. Lim, "An improved method of scalar multiplication on elliptic curve cryptosystems over small fields of odd characteristic," Korean Inst. Inform. Security (KIISC), vol. 12, no. 6, pp. 105-113, Dec. 2002.
  13. N. Koblitz, "Elliptic curve cryptosystems," Math. Comp., vol. 48, no. 177, pp. 203-209, Jan. 1987. https://doi.org/10.1090/S0025-5718-1987-0866109-5
  14. KISA (2009, Apr 21), Development of improved Korean digital signature algorithm and standard [Online], retrieved (2012, November 21), available: http://www.kisa.or.kr/.
  15. Y. Lao and S. Wang, "A secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards and Interfaces, vol. 13, no. 1, pp. 24-29, Jan. 2009.
  16. I. Lin, M. Hwang and L. Li, "A new remote user authentication scheme for multi-server architecture," Future Generation Computer Systems, vol. 19, no. 1, pp. 13-22, Jan. 2003. https://doi.org/10.1016/S0167-739X(02)00093-6
  17. Microsoft Corporation (2005), Web service security: scenarios, patterns and implementation guidance for web service enhancement (WSE) [Online], retrieved (2012, Oct. 12), available: http://msdn.microsoft.com/en-us.
  18. V. Miller, "Use of elliptic curves in cryptography," in Proc. Advances Cryptology (CRYPTO 2005), pp. 417-426, L.A., U.S.A., Aug. 1985.
  19. NIST, Secure hash standard, NIST FIPS 180-4, 2012.
  20. A. Pathan and C. Hong, "An improved timestamp-based password authentication scheme," The 9th Int. Conf. Advanced Commun. Technol. (ICACT 2007), pp. 804-809, Gangwon, Korea, Feb. 2007.
  21. R. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Comm. ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978. https://doi.org/10.1145/359340.359342
  22. J. Tsai, "Efficient multi-server authentication scheme based on one-way hash function without verification table," Comput. Security, vol. 27, no 3-4. pp. 115-121, June 2008. https://doi.org/10.1016/j.cose.2008.04.001
  23. B. Wang and M. Ma, "A smart card based efficient and secured multi-server authentication scheme," Wireless Pes. Commun., vol. 63, no. 3, pp. 361-378, Jan. 2013.
  24. X. Wang, J. Zhang, W. Zhang, and M. Khan, "Cryptanalysis and improvement on two efficient remote user authentication schemes using smart cards," Computer Standards and Interfaces, vol. 29, no. 52, pp. 507-512, July 2007. https://doi.org/10.1016/j.csi.2006.11.005