Vulnerability Analysis of Remote Multi-Server User Authentication System Based on Smart Card and Dynamic ID

  • 권순형 (Department of Computer Engineering, Inje University) ;
  • 변해원 (College of AI Convergence and BK21 Graduate School, Department of Digital Anti-Aging Healthcare, Inje University) ;
  • 최윤성 (Department of AI and Big Data, Inje University)
  • Received : 2023.07.28
  • Accepted : 2023.08.22
  • Published : 2023.10.31

Abstract

Many businesses and organizations use smart-card-based user authentication for remote access. To protect the connection between users and servers, a series of studies has proposed dynamic-ID-based remote user authentication protocols for distributed multi-server environments. Among them, Qiu et al. proposed an efficient smart-card-based remote user authentication protocol that provides mutual authentication and key agreement, user anonymity, and resistance to various kinds of attacks. Andola et al. later found several vulnerabilities in the scheme of Qiu et al. and proposed an improved protocol that overcomes them, in which the user's ID is dynamically changed before every login to the server. In this paper we analyze the operation and the vulnerabilities of the protocol proposed by Andola et al. and show that it is vulnerable to an offline smart-card attack, a denial-of-service (DoS) attack, and a session-key attack, and that it lacks perfect forward secrecy.
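Two of the properties the abstract names, resistance to an offline smart-card attack and perfect forward secrecy, can be made concrete with a toy two-factor login. The block below is an added example written for this page; it is not Andola et al.'s scheme (whose messages this page does not describe), and the verifier construction, the hash inputs, the message names and the RFC 2409 Diffie-Hellman group are assumptions chosen only so that the example runs stand-alone. It contrasts a session key derived from the long-term verifier and public nonces, which an attacker who recorded the transcript and afterwards obtained the card contents and a guessed password (or the server's master secret) can recompute, with an ephemeral Diffie-Hellman key that the same attacker cannot recover even though the verifier still lets them confirm the transcript is genuine.

```python
"""Constructed toy illustration of (lack of) perfect forward secrecy in a
smart-card login.  Not Andola et al.'s protocol: every name, message shape
and parameter here is an assumption made for the example."""
import hashlib
import secrets

# Toy DH parameters: RFC 2409 group 2 (1024-bit MODP) prime, generator 2.
# Chosen only so the example runs offline; a real design uses a vetted group
# (or an elliptic-curve group) and constant-time arithmetic.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (avoids ambiguous concatenation)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def registration_verifier(user_id: bytes, password: bytes, server_secret: bytes) -> bytes:
    """Assumed long-term value both sides can derive: the card holds it
    (masked by the password), the server recomputes it from its secret x."""
    return h(b"verifier", user_id, password, server_secret)


def login_without_pfs(verifier: bytes):
    """Session key built only from the long-term verifier and public nonces."""
    nu, ns = secrets.token_bytes(16), secrets.token_bytes(16)
    sk = h(b"sk-static", verifier, nu, ns)
    transcript = {"Nu": nu, "Ns": ns}            # what an eavesdropper records
    return sk, transcript


def login_with_pfs(verifier: bytes):
    """Ephemeral DH: the verifier authenticates the shares but never enters SK."""
    nu, ns = secrets.token_bytes(16), secrets.token_bytes(16)
    a = secrets.randbelow(P - 3) + 2             # user's ephemeral exponent
    b = secrets.randbelow(P - 3) + 2             # server's ephemeral exponent
    A, B = pow(G, a, P), pow(G, b, P)
    tag_u = h(b"tag-user", verifier, i2b(A), i2b(B), nu, ns)
    tag_s = h(b"tag-server", verifier, i2b(A), i2b(B), nu, ns)
    sk_user = h(b"sk-ephemeral", i2b(pow(B, a, P)), nu, ns)
    sk_server = h(b"sk-ephemeral", i2b(pow(A, b, P)), nu, ns)
    del a, b                                     # exponents erased after use
    transcript = {"Nu": nu, "Ns": ns, "A": A, "B": B,
                  "tag_u": tag_u, "tag_s": tag_s}
    return sk_user, sk_server, transcript


def later_compromise(transcript: dict, verifier: bytes):
    """Attacker who recorded the transcript and afterwards learned the
    long-term secrets (e.g. extracted card contents plus an offline password
    guess).  Returns (recovered session key or None, whether the transcript's
    authentication tag could be verified)."""
    nu, ns = transcript["Nu"], transcript["Ns"]
    if "A" not in transcript:
        # No ephemeral input: everything that fed SK is now known.
        return h(b"sk-static", verifier, nu, ns), True
    # With ephemeral DH the verifier only lets the attacker re-check the tag;
    # SK would require a or b, which were never sent or stored.
    expected = h(b"tag-user", verifier, i2b(transcript["A"]),
                 i2b(transcript["B"]), nu, ns)
    return None, secrets.compare_digest(expected, transcript["tag_u"])


def demo() -> dict:
    """Runs both logins once and reports what the later compromise yields."""
    verifier = registration_verifier(b"alice", b"correct horse",
                                     secrets.token_bytes(32))
    sk_static, t_static = login_without_pfs(verifier)
    sk_user, sk_server, t_pfs = login_with_pfs(verifier)
    rec_static, _ = later_compromise(t_static, verifier)
    rec_pfs, tag_ok = later_compromise(t_pfs, verifier)
    return {
        "pfs_keys_agree": sk_user == sk_server,
        "static_recovered": rec_static == sk_static,
        "ephemeral_recovered": rec_pfs == sk_user,
        "ephemeral_tags_verified": tag_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that "lack of perfect forward secrecy" is a statement about what a *recorded* transcript is worth once long-term material leaks: in the static variant the leak retroactively exposes every past session, whereas in the ephemeral variant it only lets the attacker impersonate parties going forward.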

Acknowledgement

This work is a result of the Regional Innovation Strategy (RIS) project, a local-government/university cooperation programme, supported by the National Research Foundation of Korea (NRF) with funding from the Ministry of Education in 2023 (2021RIS-003).

References

  1. Andola, N., et al.: "An enhanced smart card and dynamic ID based remote multi-server user authentication scheme." Cluster Comput. 25(5), 3699-3717 (2022).
  2. Lamport, L.: "Password authentication with insecure communication." Commun. ACM 24(11), 770-772 (1981).
  3. Hwang, M.S., Li, L.H.: "A new remote user authentication scheme using smart cards." IEEE Trans. Consum. Electron. 46(1), 28-30 (2000).
  4. Juang, W.S., Chen, S.T., Liaw, H.T.: "Robust and efficient password-authenticated key agreement using smart cards." IEEE Trans. Ind. Electron. 55(6), 2551-2556 (2008).
  5. Sun, D.Z., Huai, J.P., Sun, J.Z., Li, J.X., Zhang, J.W., Feng, Z.Y.: "Improvements of Juang's password-authenticated key agreement scheme using smart cards." IEEE Trans. Ind. Electron. 56(6), 2284-2291 (2009).
  6. Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: "Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards." IEEE Trans. Ind. Electron. 57(2), 793-800 (2010).
  7. Liao, Y.P., Wang, S.S.: "A secure dynamic ID based remote user authentication scheme for multi-server environment." Comput. Stand. Interfaces 31(1), 24-29 (2009).
  8. Hsiang, H.C., Shih, W.K.: "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment." Comput. Stand. Interfaces 31(6), 1118-1123 (2009).
  9. Lee, C.C., Lin, T.H., Chang, R.X.: "A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards." Expert Syst. Appl. 38(11), 13863-13870 (2011).
  10. Li, X., Ma, J., Wang, W., Xiong, Y., Zhang, J.: "A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments." Math. Comput. Model. 58(1-2), 85-95 (2013).
  11. Leu, J.S., Hsieh, W.B.: "Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards." IET Inf. Secur. 8(2), 104-113 (2013).
  12. Shunmuganathan, S., Saravanan, R.D., Palanichamy, Y.: "Secure and efficient smart-card-based remote user authentication scheme for multiserver environment." Can. J. Electr. Comput. Eng. 38(1), 20-30 (2015).
  13. Hwang, M.S., Cahyadi, E.F., Chou, Y.C., Yang, C.Y.: "Cryptanalysis of Kumar's remote user authentication scheme with smart card." In: 2018 14th International Conference on Computational Intelligence and Security (CIS), pp. 416-420. IEEE (2018).
  14. Qiu, S., Xu, G., Ahmad, H., Xu, G., Qiu, X., Xu, H.: "An improved lightweight two-factor authentication and key agreement protocol with dynamic identity based on elliptic curve cryptography." KSII Trans. Internet Inf. Syst. 13(2), 978-1002 (2019).
  15. Choi, Y., et al.: "Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics." Sci. World J. 2014 (2014).