Security Analysis of a Biometric-Based User Authentication Scheme

Security Analysis of a User Authentication Scheme Based on Biometric Information

  • 이영숙 (Department of Cyber Investigation and Police, Howon University)
  • Received : 2014.02.03
  • Accepted : 2014.02.12
  • Published : 2014.03.30

Abstract

Password-based authentication using a smart card provides two-factor authentication: a successful login requires the client to have both a valid smart card and the correct password. While this provides stronger security guarantees than password-only authentication, it can still fail if both authentication factors are compromised, that is, if (1) the user's smart card is stolen and (2) the user's password is exposed. In this case, there is no way to prevent the adversary from impersonating the user. Biometrics is now becoming a popular basis for designing more secure authentication schemes. Biometric information, drawn from physiological and behavioral human characteristics, serves as an additional authentication factor. Biometric information such as fingerprints, faces, voice, irises, hand geometry, and palmprints can be used to verify users' identities. In this article, we review the biometric-based authentication scheme by Cheng et al. and provide a security analysis of the scheme. Our analysis shows that Cheng et al.'s scheme does not guarantee any kind of authentication, either server-to-user authentication or user-to-server authentication. The contribution of the current work is to demonstrate this by mounting two attacks, a server impersonation attack and a user impersonation attack, on Cheng et al.'s scheme. In addition, we propose an enhanced authentication scheme that eliminates the security vulnerabilities of Cheng et al.'s scheme.

References

  1. R. Bird, I. Gopal, A. Herzberg, P. A Janson, S. Kutten, R. Molva, and M. Yung, "Systematic design of a family of attack-resistant authentication protocols," IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, 1993, pp. 679-693. https://doi.org/10.1109/49.223869
  2. Z. Cheng, Y. Lee, C. Chang, and C. Liu, "A novel biometric-based remote user authentication scheme using Quadratic Residues," International Journal of Information and Electronics Engineering, Vol. 3 No. 4, 2013, pp. 419-422.
  3. C. -C. Chang and T. -C. Wu, "Remote password authentication with smart cards," IEE Proceedings E -Computers and Digital Techniques, Vol. 138, No. 3, 1991, pp. 165-168. https://doi.org/10.1049/ip-e.1991.0022
  4. H. -Y. Chien, J. -K Jan, and Y. -M Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, Vol. 21, No. 4, 2002, pp. 372-375. https://doi.org/10.1016/S0167-4048(02)00415-7
  5. C. -L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards," Computer Standards and Interfaces, Vol. 26, No. 3, 2004, pp. 167-169. https://doi.org/10.1016/S0920-5489(03)00094-1
  6. M. -S. Hwang and L. -H. Li, "A new remote user authentication scheme using smart cards," IEEE Transaction on Consumer Electronics Vol. 46, No. 1, 2000, pp. 28-30. https://doi.org/10.1109/30.826377
  7. C. -L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards," Computer Standards and Interfaces, Vol. 26, No. 3, 2004, pp. 167-169. https://doi.org/10.1016/S0920-5489(03)00094-1
  8. P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology-CRYPTO99, 1999, pp. 388-397.
  9. J. Yuan, C. Jiang, and Z. Jiang, "A biometric-based User Authentication for wireless Sensor Networks," Wuhan University Journal of Natural Sciences, Vol. 5, No. 3, 2010, pp. 272-276.
  10. T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart card security under the threat of power analysis attacks," IEEE Trans. Comput. Vol. 51, No. 5, 2002, pp. 541-552. https://doi.org/10.1109/TC.2002.1004593
  11. Y. Lee, H. Yang, and D. Won. "Attacking and improving on Lee and Chiu's authentication scheme using smart cards," LNCS, 2000, Vol. 6047, pp. 377-385.
  12. E. -J. Yoon, and K. Y. Yoo, "A new biometric-based user authentication scheme without using password for wireless sensor networks," Proceedings of 2011 IEEE International workshops of enabling technologies: Infrastructure for collaborative enterprises, 2011, pp. 279-284.
  13. M. Kim, K. Lee, S. Kim, and D. Won, "Efficient and Secure Authentication Scheme Preserving User Anonymity," The Korea-Society of Digital Industry & Information Management, 2010, Vol. 6, No. 3, pp. 69-77.
  14. Y. Lee, J. Kim, and D. Won, "Security Improvement to a Remote User Authentication Scheme for Multi-Server Environment," The Korea-Society of Digital Industry & Information Management, 2011, Vol. 7, No. 4, pp. 23-30.