IEEE Int.
Conference Neural Networks & Signal Processing
Zhenjiang, China, June 8~10, 2008
Security Analysis of a Remote User Authentication
Scheme Using Smart Card
Canyan ZHU
School of EI Engineering, Soochow University,
Suzhou 215021, P.R.China
cyzhu@sohu.com
Abstract— Chien et al proposed an efficient and practical
remote authentication using smart cards. In 2004, Ku et al
pointed out that Chien et al’s scheme is insecure, and proposed
an improved password-based remote user authentication scheme.
In this paper, the security of Ku’s scheme is analyzed. It is
demonstrated that Ku’s scheme still has some weaknesses:
it cannot withstand against the parallel session attack; it is
vulnerable to the password guessing attacks and another new
attack; it cannot resist on changing time stamp attack. It is
then concluded that Ku’s scheme cannot achieve the security
requirements as their claims. Based on the analysis, we find all
the attacks are happened because of the simple computation
of h(ci ⊕ T j ) in all the phases of remote authentication,
thus we develop a hyper-complex chaotic hash scheme. It is
evidently shown that the security of the improved remote user
authentication scheme is efficiently enhanced.
Keyword— Cryptanalysis, authentication, security, chaotic map
I. INTRODUCTION
I
A remote password authentication scheme is to authenticate
the legitimacy of the remote users over an insecure channel.
In such a system, the password is often regarded as a secret
shared between the authentication server (AS ) and the remote
user. With the knowledge of the password, the remote user
can use it to create and send a valid login message to AS
for gaining the access right. On the other hand, AS uses the
shared password to check the validity of the login message for
authenticating the remote user. In 2002, Chien et al proposed
an efficient and practical remote authentication using smart
cards[2]. This scheme can provide mutual authentication and
let users freely choose their passwords. In [1], Ku et al pointed
out that there are some weaknesses in Chien et al’s scheme[2]
and proposed an improved scheme.
In this article, we show that there still exist weaknesses in
Ku et al’s scheme. The remainder of this article is presented
as follows. In section II, we will briefly review Ku et al’s
scheme. In section III, we will analyze the security of Ku
et al’s scheme, and present four attack mechanisms on the
scheme.
II. Ku'S SCHEME
Ku’ S
The security of Ku’s scheme is based on the one-way
function. There are three phases in Ku’s scheme: registration
phase, login phase, verification phase. Let U denotes the
133
Lihua ZHANG
School of EE Engineering, East China Jiaotong Uni.
Nanchang 330013, P.R.China
hbzlh@163.com
user; AS denotes authentication server; RS denotes register’s
system; n denotes the number of times U re-registers to AS ;
ID denotes the identity of U; PW denotes the password of U;
x denotes the permanent secret key of RS ; h(·) represents a
cryptographic hash function.The three phases are executed as
follows:
A. Registration Phase
The phase is invoked whenever a user initially registers or
re-registers to the system. U inserts his smart card to the reader
of the registers’ system and keys in his identity ID and his
password PW. The system and U then perform the following
operations:
1) U selects a random number b and computes h(b ⊕ PW).
Where the symbol ⊕ denotes the bitwise exclusive-or
operation for two bit-strings.
2) U submits message x = (ID, h(b ⊕ PW)) to RS in secure
channel.
3) If it is U’s initial registration, RS creates an entry for U
in the account database and stores n = 0 in this entry,
otherwise, RS sets n = n + 1 in the existing entry for U.
Next, RS computes R = h(EID ⊕ x) ⊕ h(b ⊕ PW), where
EID = (ID k n).
4) RS sends R back to U via a secure channel and then
issues a smart card containing R, h(·) and b. Note that
U’s smart card contains R, h(·) and b.
B. Login Phase
This phase is invoked whenever U logins AS for gaining
access right. U inserts his smart card to login a terminal
device, and then enters his identity ID and password PW.
The following computations are then performed.
1) Smart card computes c1 = R⊕h(b⊕PW); c2 = h(c1 ⊕T 1 ),
where T 1 denotes the U’s current time stamp.
2) U then sends message (ID, T 1 , c2 ) to AS through an
insecure channel.
C. Verification Phase
This phase is invoked whenever AS receives U’s login
request. Upon receiving the authentication request message
(ID, T 1 , c2 ) from U, AS and U’s smart card execute the
following jobs to facilitate the mutual authentication between
the U and AS .
 1) AS validates ID and verifies the time interval between
T 1 and T 2 ,where T 2 is the time stamp when the request
message is receive. If the format of ID is not correct or
(T 2 − T 1 ) ≥ △T , where △T denotes the expected valid
time interval for transmission delay, then the AS rejects
the login request.
2) AS computes h(h(ID ⊕ x) ⊕ T 3 ). If the computed result
equals the received c2 , AS accepts U’s login request
and then computes c3 = h((h(ID ⊕ x) ⊕ x ⊕ T 3 ), where
T 3 denotes AS ’s current time stamp.
3) AS sends (T 3 , c3 ) back to U via a insecure channel.
4) Once receiving the message from AS , U verifies the
validity of T 3 at first. If (T 4 − T 3 ) ≤ △T , where T 4
is the time stamp for received responding message
and △T denotes the expected valid time interval for
transmission delay, U will believes that the responding
part is an authenticity AS . Then U computes h(c1 ⊕ T 3 )
and compares the result to the received c3 . If equals, U
successfully authenticates AS , the mutual authentication
is done, otherwise, U stops the connection.
III. CRYPTANALYSIS OF Ku'S
C  Ku’ SCHEME
S
In this section, four attack mechanisms will be introduced.
There are Hsu’s parallel session attack[3], password guessing
attacks[4], changing time stamp attack[7] and another new
attack[5].
A. Parallel Session Attack
The parallel session attack is also named as Hsu et al’s
attack. In [3], Hsu et al’s proposed a new way to masquerade
as other legal user without knowing user’s passwords by
intercepting and dropping useful message. Considering that
an intruder Ua without knowing user’s passwords wants to
masquerade as a legal user U I by eavesdropping communica-
tion between AS and U I . Ua is able to perform the following
steps.
1) When U I wants to login the authentication server AS ,
U I sends the login message (IDi , T 1 , c2 ) to AS , where
T 1 is the current time stamp. If (IDi , T 1 , c2 ) is valid, the
identification of U I is authenticated and AS responses
U I with (T 3 , c3 ), where T 3 is the current time stamp. If
Ua wants to masquerade as a legal user U I , he intercept
this message.
2) Ua then masquerades as the legal user to start a new
session with AS by sending (IDi , T 3 , c∗2 ) back to AS ,
where c∗2 = c3 .
3) The login message (IDi , T 3 , c∗2 ) will pass the authentica-
tion of Ku’s scheme due to the fact that
c∗2 = c3 = h(h(EIDi ⊕ x) ⊕ T 3 ). So AS accepts Ua ’s
request.
4) Finally, AS responses Ua with the message (T 4 , c∗3 ),
where c∗3 = h(c1 ⊕ T 3 ) and T 4 is the current time stamp.
The intruder Ua intercepts and drops this message.
134
B. Guessing Password Attack
In general, the tamper resistance of smart cards is widely
assumed in most smart card based schemes. However, such
an assumption may be problematic in practice. In 2002,
Messerges et al[6] showed that the secrets stored in a smart
card may be breached by analyzing the leaked information.
Once the adversary has obtained the R and b stored in U’s
smart card, he can perform a guessing password attack[3]
to obtain PW. In the following, we will show that Ku’s
authentication is vulnerable to the password guessing attacks.
The password guessing attacks are performed by means of
known-plaintext attacks or verifiable-text attacks. Now, let’s
consider two cases, the off-line and the on-line password
guessing attacks on the Ku’s scheme.
1) Off-line password guessing attack
Suppose that the adversary also has intercepted the
messages (ID, T 1 , c2 ) during one of U’s past logins.
With the knowledge of R and T 1 , the intruder can
randomly guess a password PW ∗ and then compute
c∗1 = R⊕h(b⊕PW ∗ ); c∗2 = h(c∗1 ⊕T 1 ). If c∗2 = c2 , it means
PW ∗ is U’s password, then the intruder can successful
impersonate the legal U with the guessed password PW ∗
to login AS .
2) On-line password guessing attack
Consider the scenario of the on-line password guessing
attack that an intruder attempts to guess a password of
an intended user and creates a bogus login message until
the bogus message is accepted by the server AS . If the
intruder plots this attack successfully, it means that he
can impersonate the intended user and login AS . Ku’s
scheme is also vulnerable to such an attack since the
intruder can guess U’s password PW ∗ and create a bogus
login message (ID, T 1 , c2 ). If (ID, T 1 , c2 ) is accepted by
AS , then the intruder successfully impersonates user U
to login AS and U’s password is guessed.
C. Changing Time Stamp Attack
Changing time stamp attack[7] is a method for an intruder
eavesdrops communication between U and AS , and adapts
his clock to go beyond the valid user’s origin time stamp
T . Suppose T ′ is the time that the destination receives the
message, T a denotes the intruder’s current time stamp, △T
denotes the expected valid time interval for transmission delay.
He chooses T a and sends the message to destination. If
(T ′ − T a ) ≤ △T , he can successful be authenticated. There are
two modes of changing-time-stamp attacks in Ku’s scheme.
1) Mode one Suppose that an intruder has known c1
during one of U’s past logins. With the knowledge of
c1 , the intruder intercepts the message (ID, T 1 , c2 ) and
adapts his clock to go beyond the valid user U. He
chooses T 1a and computers c2a = h(c1 ⊕ T 1a ), then sends
the message (ID, T 1a , c2a ) back to AS . Where T 1a is the
intruder’s current time stamp, T ′ is the time stamp that
AS receives the message, △T denotes the expected valid
time interval for transmission delay, and (T ′ −T 1a ) ≤ △T .
 Thus the intruder can successfully masquerade as a legal
user U to login AS .
2) Mode two Suppose that an intruder has known c1 at
one time of U’s past logins. In authentication phase, after
AS has accepted U’s login request, and sends message
(T 3 , c3 ) to U, the intruder intercepts the message, and
adapts his clock to go beyond the valid AS . The intruder
chooses T 3a and computes c∗3a = h(c1 ⊕ T 3a ). Then the
intruder impersonates the AS and sends the message
(T 3a , c∗3a ) to U. Where T 3a is the intruder’s current time
stamp, T ′ is the time that U receives the message, △T
denotes the expected valid time interval for transmission
delay, and (T ′ −T 3a ) ≤ △T . The valid user U receives the
message and regards the intrude as a legal authentication
system. Such a weakness may result in serious in E-
commerce systems.
D. A New Attack
In Ku’s scheme, c1 is one of the most important parameters.
Suppose c1 is obtained, the adversary can use it to impersonate
legal user U to login AS . There are two modes for the
adversary to obtain c1 .
First, suppose AS ’s secret key x has been stolen or the
secret key x is revealed by some accident. When the message
(ID, T 1 , c2 ) is intercepted, one can get by computing c1 =
R ⊕ h(b ⊕ PW) = h(EID ⊕ x).
Second, if some one intercepted another message
(ID, T 1 , c2 ), he can get c1 by guessing. The adversary ran-
domly guesses c∗1 , and then computes c∗2 = h(c∗1 ⊕ T 1 ). If
c∗2 = c2 , he knows that he gets the proper c1 .
IV. HYPER-COMPLEX CHAOTIC
H-C C HASH
H SYSTME
S
Herein, we have shown that Ku’s scheme still do not achieve
the security requirement. As we further research the process
of the remote authentication, we evidently know that all the
attacks be happened in insecure channel on phases of login
and verification, where, the identifying or hash function in
Ku’s scheme or Chien et al’s scheme is simple enough, thus
the intruder can impersonate an illegal user easily intercepts
the message from authentication server, or attacks on AS
by simply computation or short time enough of computation
with Hash function h(ci ⊕ T j ) in Ku’s scheme or Chien et
al’s scheme. Here we suggest a Chaotic Hash authentication
scheme. It done by instead of Hash function h(ci ⊕ T j ) with
hyper-complex system, called scrambled chaotic map[8] in
Ku’s scheme or Chien et al’s scheme. Because chaotic map
is very sensitive to its initial values or keys, its computation
complexity goes beyond 10+30 on finite precision of 32 bits[9],
thus it is strong collision resistance, that is to say it almost
predictively fail to be attacked by guessing or directly compu-
tation. Let the scrambled chaotic map be denoted by function
sc(.), that is to do alternate c2 = h(c1 ⊕T 1 ) with c2 = sc(c1 , T 1 )
in login phase, do alternate c3 = h(c1 ⊕ T 3 ) with c3 = h(c1 , T 3 )
in verification phase in Ku’s scheme. All attacks mentioned
above will be defensive.
135
1) Guessing password attack is untanable because initial
sensitivity of chaotic map results in mass amounts of
computation.
2) The AS also needs the hyper-complex chaotic map to
compute sc(ci , T j ), thus changing time stamp attack will
responds very different time gap, and exceed beyond
valid time interval △T .
3) The scrambled chaotic map is not only hyper-
complexity, but also invertible[9]. However, if it is
combined with Hash function, it is not yet invertible
at all. So the new attack is not exist.
4) Parallel session attack do not achieved by some ex-
tend. Even if the intercepter can get the login message
(IDi , T 3 , c∗2 ) from AS , it cannot check the correction of
c3 , because he does not get signal c1 by computing
hyper-complex function sc(.), and finally the interceptor
stop his connection to AS .
Thus we can efficiently enhance the remote user authentication
scheme, and improve security of Ku’s scheme.
V. CONCLUSION
C
In this paper, we analyzed the security of Ku’s remote user
authentication scheme. We find it still cannot withstand against
the parallel session attack, and also be vulnerable to the off-
line and on-line password guessing attacks. Furthermore, we
also point out that Ku’s scheme is vulnerable to a new attack
and cannot resist changing time stamp attack. We improve Ku’s
scheme by instead of computation h(ci ⊕ T j ) in all the phases
of remote authentication with a hyper-complex chaotic map
sc(ci , T j ). The hyper-complex chaotic hash system is more
resistance to the attacks. We can conclude that the improved
scheme is more security than before.
REFERENCES
R
[1] Wei-chi Ku and Shui-min Chen. Weaknesses and Improvements of an
Efficient Password Dased Remote User Authentication Scheme Using
Smart Cards, IEEE Trans. on Consumer Electronics,Vol.50(1), February
2004, pp:204-206
[2] H.Y.Chien,J.K.Jan,and Y.M.Tsing, An Efficient and Practical Solution to
Remote Authentication: Smart Cards, Computers and Security, Vol.21(4),
2002, PP.372-375
[3] Chien-Lung Hsu, Security of Two Remote User Authentication Schemes
Using Smart Cards, IEEE Trans. on Consumer Electronics, Vol.49(4),
November 2003, pp.1196-1198
[4] M.Lomas, L.Gong, J,Saltzer, and R.Needham, Reducing Risks from
Poorly Chosen Keys, ACM Operating System Review, Vol.23(5), 1989,
pp.14-18
[5] Amit K.Awasthi and Sunder lal, A Remote User Authentication Scheme
Using Smart Cards with Forward Secrecy, IEEE Trans. on Consumer
Electronics, Vol.49(4), November 2003, pp.1246-1248
[6] T.S.Messerges, E.A.Dabbish, and R.H.Sloan, Examining Smart Card
Security under the Threat of Power Analysis Attacks, IEEE Trans.on
Computers, Vol.51, May 2002, pp.541-552
[7] Li Li, Zhang Huang-guo. Analyzing the Attacks Types on Cryptographic
Protocol. Computer Engineering and Application, Vol.171,2004, PP.16-19
[8] Zhu Canyan, Zhang Lihua, Wang Yiming, et. al. Periodic Performance
of the Chaotic Spread Spectrum Sequence on Finite Precision. Journal
of Systems Engineering & Electronics, to be published.
[9] Zheng Yufan, Chen Guanrong, Zhu Canyan. A System Inversion Ap-
proach to Chaos-Based Digital Secure Speech Communication. Interna-
tional Journal of Bifurcation & Chaos, Vol.15, Aug. 2005, pp.2569-2582.