Procedia Computer Science 70 (2015) 318 - 324
4th International Conference on Eco-friendly Computing and Communication Systems
RSA Based Two-Factor Remote User Authentication Scheme with User Anonymity
Preeti Chandrakar a,* and Hari Om b
a,b Department of Computer Science and Engineering, Indian School of Mines, Dhanbad, Jharkhand 826004, India
Abstract
Remote user authentication is one of the most commonly used mechanisms to verify the legitimacy of a remote user over an insecure communication channel. In remote user authentication, the server and the user mutually authenticate each other and establish a common session key for future communication. In this paper, we propose a secure and effective two-factor remote user authentication scheme based on RSA, which achieves mutual authentication and user anonymity. Informal security analysis shows that the proposed scheme is secure against various malicious attacks; its security rests on the one-way hash function, the smart card, and the RSA algorithm. Performance comparison shows that the proposed scheme is efficient in terms of communication and computation overhead. Furthermore, we demonstrate the validity of the proposed scheme through BAN logic, which confirms that it achieves mutual authentication and session key agreement securely.
© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the Organizing Committee of ICECCS 2015.
Keywords: Authentication, BAN logic, RSA cryptosystem, Smart card, User anonymity
1. Introduction
One of the most convenient and popular two-factor authentication schemes is based on a smart card and a password. It has been extensively used in different types of applications such as remote host login, e-banking, online pay-TV, e-commerce, online bill payment, e-rail, etc. In order to access these application servers, a mutual authentication and key agreement scheme is needed, in which the remote server and the user mutually authenticate each other and generate a common session key. In 1981, Lamport proposed the first remote authentication scheme based on smart card [1]. However, in that scheme the server must store a password list and consequently cannot resist the interpolation attack. After that, many password authentication schemes have been proposed to improve security and enhance functionality [2-8].
* Corresponding author. Tel.: +917549076289. E-mail address: preet29.chandrakar@gmail.com
ISSN 1877-0509. doi:10.1016/j.procs.2015.10.023
In 1999 Yang et al. proposed an authentication scheme based on the RSA cryptosystem [5]. However, Chan et al. [6] showed that Yang et al.'s scheme is not secure and is vulnerable to an impersonation attack. In 2002, Fan et al. [7] also proved that Yang et al.'s scheme could not withstand a user impersonation attack and proposed a slight modification to resist it. In 2003, Shen et al. [8] proposed a modified version of Yang et al.'s scheme to enhance security; it withstands the impersonation attack and also provides mutual authentication. In recent years, many RSA based authentication schemes have been proposed by researchers [9-12]. The security of the RSA cryptosystem rests on the difficulty of factoring the product of two large primes. In this paper, we propose a two-factor remote user authentication scheme with user anonymity based on RSA that provides mutual authentication with key agreement. In addition, we use BAN logic to demonstrate the validity of the proposed scheme. Our scheme has the following merits: (1) It has an efficient login phase, in which an incorrect input is quickly detected. (2) It has an efficient and user-friendly password change phase, in which the user can change his password without the server's assistance. (3) It provides user anonymity. (4) It supports mutual authentication and session key agreement. (5) Its computation cost and communication cost are comparable with those of other relevant schemes. (6) It satisfies all desired security attributes.
The rest of the paper is organized as follows. Section 2 describes the proposed scheme. The formal and informal security analysis is presented in Section 3. The functionality and performance comparison between the proposed scheme and other relevant schemes is given in Section 4. Finally, Section 5 concludes the paper.
2. Proposed Scheme
Our scheme has five phases: initialization phase, registration phase, login phase, authentication and key agreement phase, and password change phase.
2.1. Initialization Phase
In this phase, the remote server S chooses the system parameters. The server S generates two large prime numbers p and q and computes n = p × q. The public exponent e is chosen randomly such that 1 < e < φ(n) and gcd(e, φ(n)) = 1, where φ(n) = (p - 1) × (q - 1). The private exponent is computed as d = e^(-1) mod φ(n), i.e. d is the multiplicative inverse of e modulo φ(n). The remote server publishes {e, n} as its public key and keeps {d, p, q} as its private key.
2.2. Registration Phase
When a new user U_i wants to register or re-register with the remote server, he/she chooses an identity ID_i and a password PW_i, generates a random number r and computes RPW = h(PW_i || r). The user then sends the registration request message (ID_i, RPW) to the server S via a secure channel. After receiving the registration request message from the user U_i, the server S computes MK = h(ID_i || d), L = MK ⊕ RPW, B = h(MK || RPW), J = ID_i^d mod n and Y = J ⊕ B. The server then sends a smart card containing the information {Y, L, h(·), n, e} to the user U_i through a secure channel. After receiving the smart card securely from the server S, the user stores the random number r in the memory of the smart card. Finally the smart card contains {Y, L, h(·), n, e, r} and the registration phase is complete.
2.3. Login Phase
Whenever the user U_i wants to access the remote server, he/she inserts the smart card into the smart card reader and enters ID_i and PW_i. The smart card computes RPW' = h(PW_i || r), MK' = L ⊕ RPW', B' = h(MK' || RPW'), Y' = Y ⊕ B' (= J ⊕ B ⊕ B') and Y'' = (Y')^e mod n, and checks whether Y'' equals the entered ID_i. If they are not equal, the smart card terminates the session; otherwise the user is the legal owner of the smart card. The smart card then generates a random nonce R_i, computes AID = ID_i ⊕ h(R_i || MK), C_i = h(R_i || MK || Y), V_i = h(ID_i || C_i || R_i || MK)^e mod n and R_i' = R_i ⊕ h(MK || ID_i), and sends the login request message {AID, C_i, V_i, R_i'} to the server S through a public channel.
2.4. Authentication and Key Agreement Phase
In this phase, the server and the user authenticate each other and generate a session key for future communication by performing the following steps.
1. After receiving the login request message {AID, C_i, V_i, R_i'}, the server computes R_i = R_i' ⊕ h(MK || ID_i), ID_i = AID ⊕ h(R_i || MK), C_i' = h(R_i || MK || Y), V_i' = V_i^d mod n and V_i'' = h(ID_i || C_i' || R_i || MK). The server then checks the recovered ID_i against the stored ID_i, V_i' = V_i'' and C_i = C_i'. If any check fails, this phase is terminated immediately; otherwise the server believes that the user is a legitimate entity, generates a random nonce R_j and computes E_j = h(R_j || MK || Y), R_j' = R_j ⊕ h(MK || ID_i) and V_s = h(ID_i || E_j || R_i || MK || R_j). The server then sends {E_j, R_j', V_s} to the user U_i.
2. After receiving the authentication message {E_j, R_j', V_s} from the server, the user U_i computes R_j = R_j' ⊕ h(MK || ID_i), E_j' = h(R_j || MK || Y) and V_s' = h(ID_i || E_j' || R_i || MK || R_j). The user then checks E_j = E_j' and V_s = V_s'. If both match, the server is authenticated to the user and mutual authentication holds.
3. Finally the server S and the user U_i agree on a common secret session key SK = h(R_i || MK || R_j || Y).
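As an added illustration (not the authors' code), the following Python program runs the registration, login and authentication/key-agreement phases above end to end with toy parameters. It assumes the Mersenne primes M31 and M61 in place of 512-bit primes, h(·) as SHA-256 truncated to 80 bits so that hash outputs are smaller than n, that the server stores (ID_i, Y) for each registered user, and that the server recovers ID_i by trying each registered identity, which the page does not specify.

```python
import hashlib, secrets

# Toy RSA parameters; assumption: Mersenne primes M31, M61 stand in for 512-bit primes
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                      # d = e^-1 mod phi(n), known only to S

def h(*parts):
    """h(a || b || ...): SHA-256 truncated to 80 bits so that outputs are < N."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")

def register(id_i, pw_i, server_db):
    """Registration phase (secure channel); returns the smart card contents."""
    r = secrets.randbits(80)
    rpw = h(pw_i, r)                     # RPW = h(PW_i || r), computed by U_i
    mk = h(id_i, D)                      # MK = h(ID_i || d), computed by S
    lv, b = mk ^ rpw, h(mk, rpw)         # L = MK xor RPW, B = h(MK || RPW)
    y = pow(id_i, D, N) ^ b              # Y = J xor B, J = ID_i^d mod n
    server_db[id_i] = y                  # assumption: S stores (ID_i, Y) per user
    return {"Y": y, "L": lv, "n": N, "e": E, "r": r}

def login(card, id_i, pw_i):
    """Login phase on the card; returns (login request, card state) or None."""
    rpw = h(pw_i, card["r"])
    mk = card["L"] ^ rpw                 # MK' = L xor RPW'
    j = card["Y"] ^ h(mk, rpw)           # J' = Y xor B'
    if pow(j, card["e"], card["n"]) != id_i:
        return None                      # wrong ID/PW rejected locally
    r_i = secrets.randbits(80)
    aid = id_i ^ h(r_i, mk)              # AID changes every session
    c_i = h(r_i, mk, card["Y"])
    v_i = pow(h(id_i, c_i, r_i, mk), card["e"], card["n"])
    return (aid, c_i, v_i, r_i ^ h(mk, id_i)), (mk, r_i)

def server_auth(msg, server_db):
    """Step 1 of 2.4; returns (reply, SK) or None. Assumption: S tries each ID."""
    aid, c_i, v_i, r_i_p = msg
    for id_i, y in server_db.items():
        mk = h(id_i, D)
        r_i = r_i_p ^ h(mk, id_i)
        if aid ^ h(r_i, mk) != id_i:
            continue
        if h(r_i, mk, y) != c_i or pow(v_i, D, N) != h(id_i, c_i, r_i, mk):
            return None
        r_j = secrets.randbits(80)
        e_j = h(r_j, mk, y)
        v_s = h(id_i, e_j, r_i, mk, r_j)
        return (e_j, r_j ^ h(mk, id_i), v_s), h(r_i, mk, r_j, y)
    return None

def user_finish(card, state, id_i, reply):
    """Steps 2-3 of 2.4 on the card; returns SK or None."""
    mk, r_i = state
    e_j, r_j_p, v_s = reply
    r_j = r_j_p ^ h(mk, id_i)
    if h(r_j, mk, card["Y"]) != e_j or h(id_i, e_j, r_i, mk, r_j) != v_s:
        return None
    return h(r_i, mk, r_j, card["Y"])

def run_session(pw_attempt):
    """Register a constructed user, then log in; returns (card SK, server SK)."""
    db, id_i = {}, int.from_bytes(b"alice", "big")   # identity as an integer < N
    card = register(id_i, "correct horse", db)
    attempt = login(card, id_i, pw_attempt)
    if attempt is None:
        return None, None                # rejected by the card, nothing sent to S
    reply, sk_s = server_auth(attempt[0], db)
    return user_finish(card, attempt[1], id_i, reply), sk_s
```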
2.5. Password Change Phase
This phase is invoked when the user wants to change the password. The user inserts his/her smart card into the smart card reader and keys in {ID_i, PW_i}. The smart card computes RPW' = h(PW_i || r), MK' = L ⊕ RPW', B' = h(MK' || RPW'), Y' = Y ⊕ B' (= J ⊕ B ⊕ B') and Y'' = (Y')^e mod n, and checks whether Y'' equals the entered ID_i. If the condition holds, the user is the legitimate holder of the smart card. The user then enters the new password PW_i^new and the smart card computes RPW_new = h(PW_i^new || r), L_new = L ⊕ RPW ⊕ RPW_new and Y_new = Y ⊕ RPW ⊕ RPW_new, and replaces Y with Y_new and L with L_new in its memory. The new password is now successfully updated.
3. Security Analysis of the Proposed Scheme
3.1. Authentication Proof Based on BAN logic
BAN logic [16] is one of the most popular and widely used logics for showing that an authentication scheme achieves mutual authentication and session key agreement securely. To apply BAN logic to an authentication scheme, the following steps are performed.
Notation: P |≡ X means P believes X; P ⊲ X means P sees X; P |~ X means P once said X; P ⇒ X means P has jurisdiction over X; #(X) means X is fresh; and P ↔_K Q means K is a key shared by P and Q.
STEP 1: The verification goals of the proposed scheme are as follows:
Goal 1: U_i |≡ (U_i ↔_SK S)
Goal 2: U_i |≡ S |≡ (U_i ↔_SK S)
Goal 3: S |≡ (U_i ↔_SK S)
Goal 4: S |≡ U_i |≡ (U_i ↔_SK S)
STEP 2: We transform the proposed scheme into the following idealised form:
Message 1. U_i → S : AID, C_i, V_i : ⟨ID_i, C_i, R_i⟩_MK, R_i'
Message 2. S → U_i : E_j, V_s : ⟨ID_i, E_j, R_i, R_j⟩_MK, R_j'
STEP 3: We make the following assumptions about the initial state of the scheme:
A1: U_i |≡ #(R_i, R_j)
A2: S |≡ #(R_i, R_j)
A3: U_i |≡ U_i ↔_MK S
A4: S |≡ U_i ↔_MK S
A5: S |≡ U_i ⇒ R_i
A6: U_i |≡ S ⇒ R_j
STEP 4: Based on the above assumptions and the rules of BAN logic, we prove the security of the proposed scheme; the main steps of the proof are as follows.
From message 1 we obtain:
S1: S ⊲ (AID, C_i, V_i : ⟨ID_i, C_i, R_i⟩_MK, R_i')
From S1, A4 and the message meaning rule we obtain:
S2: S |≡ U_i |~ (ID_i, C_i, R_i)
From A2 and the freshness-conjuncatenation rule we obtain:
S3: S |≡ #(ID_i, C_i, R_i)
From S2, S3 and the nonce verification rule we obtain:
S4: S |≡ U_i |≡ (ID_i, C_i, R_i)
From S4, A5 and the jurisdiction rule we obtain:
S5: S |≡ (ID_i, C_i, R_i)
From S4, A2 and the session key rule we obtain:
S6: S |≡ (U_i ↔_SK S)  (Goal 3)
From S6, A2 and the nonce verification rule we obtain:
S7: S |≡ U_i |≡ (U_i ↔_SK S)  (Goal 4)
From message 2 we obtain:
S8: U_i ⊲ (E_j, V_s : ⟨ID_i, E_j, R_i, R_j⟩_MK, R_j')
From S8, A3 and the message meaning rule we obtain:
S9: U_i |≡ S |~ (ID_i, E_j, R_i, R_j)
From A1 and the freshness-conjuncatenation rule we obtain:
S10: U_i |≡ #(ID_i, E_j, R_i, R_j)
From S9, S10 and the nonce verification rule we obtain:
S11: U_i |≡ S |≡ (ID_i, E_j, R_i, R_j)
From S11, A6 and the jurisdiction rule we obtain:
S12: U_i |≡ (ID_i, E_j, R_i, R_j)
From S11, A1 and the session key rule we obtain:
S13: U_i |≡ (U_i ↔_SK S)  (Goal 1)
From S13, A1 and the nonce verification rule we obtain:
S14: U_i |≡ S |≡ (U_i ↔_SK S)  (Goal 2)
3.2. Further Security Analysis and Discussion
Proposition 1: An attacker A from outside the system who obtains the user's smart card and reveals the information {Y, L, r} stored in it will not be able to guess the user's password or the private key d.
Proof: Suppose that by some means the attacker A obtains the user's smart card and extracts the information {Y, L, r} stored in it. We show that A cannot obtain the user's identity, password or secret key d as follows:
1. A has L = MK ⊕ RPW = h(ID_i || d) ⊕ h(PW_i || r) for the given r. But it is computationally hard to extract the identity ID_i, the password PW_i and the secret key d from L, because the cryptographic one-way hash function cannot be inverted. Thus the attacker cannot solve one equation for three unknown values.
2. A has Y = J ⊕ B = ID_i^d mod n ⊕ h(MK || RPW) = ID_i^d mod n ⊕ h(h(ID_i || d) || h(PW_i || r)) for the given r. But it is computationally hard to extract the identity ID_i, the password PW_i and the secret key d from Y, because the cryptographic one-way hash function cannot be inverted.
Proposition 2: An attacker A from inside the system who uses his own smart card parameters {Y, L, r} cannot extract the private key d of the server.
Proof: In this attack model, a legal but malicious user tries to extract the private key d using his own {ID_i, PW_i} and smart card parameters {Y, L, r}. In the following, we show that the malicious user cannot obtain the secret key d.
1. A has L = MK ⊕ RPW = h(ID_i || d) ⊕ h(PW_i || r). But it is computationally hard to extract the secret key d from L, because the cryptographic one-way hash function cannot be inverted.
2. A has Y = J ⊕ B = ID_i^d mod n ⊕ h(MK || RPW) = ID_i^d mod n ⊕ h(h(ID_i || d) || h(PW_i || r)). Due to the factorization problem and the non-invertibility of the cryptographic hash function, it is hard to find d from Y.
Proposition 3: An attacker A from outside the system cannot learn the user's identity ID_i, the server's private key d, or the random nonces R_i and R_j from the login request message {AID, C_i, V_i, R_i'} and the reply message {E_j, R_j', V_s}.
Proof: In this attack model, the attacker intercepts the login request message {AID, C_i, V_i, R_i'} and the reply message {E_j, R_j', V_s}. We show that the attacker cannot extract the user's identity ID_i, the private key d, or the random nonces R_i and R_j.
1. We have AID = ID_i ⊕ h(R_i || MK) = ID_i ⊕ h(R_i || h(ID_i || d)). An attacker would have to guess the two unknown parameters R_i and d at the same time to obtain the user's identity from this equation, which is infeasible.
2. Similarly, the attacker cannot verify an identity ID_i from the parameters {C_i, R_i'} for the same reason.
3. From V_i = h(ID_i || C_i || R_i || MK)^e mod n = h(ID_i || C_i || R_i || h(ID_i || d))^e mod n, due to the factorization problem it is hard to find d from e. An attacker cannot recover h(ID_i || C_i || R_i || MK) from V_i without knowing d. Hence the attacker cannot extract the user's identity ID_i, the server's private key d or the random nonce R_i.
4. From E_j = h(R_j || MK || Y) = h(R_j || h(ID_i || d) || Y), an attacker would have to guess the two unknown parameters R_j and d at the same time to obtain the user's identity, which is infeasible.
5. Similarly, the attacker cannot obtain the identity ID_i from the parameters {R_j', V_s} for the same reason.
Proposition 4: An attacker A from inside the system cannot learn the server's private key d from the login request message {AID, C_i, V_i, R_i'} and the reply message {E_j, R_j', V_s} exchanged between the user and the server.
Proof: In this attack model, a legal but malicious user tries to extract the private key d of the server by intercepting the login request message {AID, C_i, V_i, R_i'} and the reply message {E_j, R_j', V_s} exchanged between the user and the server. Because the cryptographic hash function cannot be inverted, the attacker cannot compute the server's private key d from MK = h(ID_i || d). This proves Proposition 4.
3.2.1. Resistance to Insider Attack
In real environments, it is common practice for many users to use the same password to access different servers for convenience. However, if a privileged insider of S has learnt the password of U_i, he may try to impersonate U_i to access other servers. In our scheme, U_i registers with S by presenting RPW = h(PW_i || r) instead of h(PW_i) or PW_i, so the insider of S cannot directly obtain PW_i. Therefore, our scheme is secure against the insider attack.
3.2.2. Resistance to Password Guessing Attack
Propositions 1 and 3 show that an attacker cannot extract or guess the user's password and the secret key d using the secret values extracted from the smart card and the messages exchanged between the user and the server. Thus our scheme is secure against the password guessing attack.
3.2.3. Resistance to Replay Attack
An adversary may intercept a previous login request and reply message and then try to impersonate U_i to access the server by resending the intercepted messages. However, in each session of our scheme, the user U_i and the server S generate fresh random nonces R_i and R_j, respectively. The random nonces ensure that the authentication messages are distinct in different sessions and valid for that session only. Therefore our scheme is secure against the replay attack.
3.2.4. Resistance to Forward Secrecy Attack
Forward secrecy means that if the master key of the system is compromised, the secrecy of previously established session keys should not be affected. In our scheme, if the master key MK and Y are compromised for some reason, the attacker still cannot compute the session key without knowing the values of R_i and R_j. Therefore our scheme is secure against the forward secrecy attack.
3.2.5. Resistance to User Impersonation and Server Spoofing Attack
Propositions 1, 2, 3 and 4 show that an adversary cannot extract the secret information shared between the user and the server. Thus the attacker cannot create a valid login request or reply message without knowing that secret information, and our scheme is secure against the user impersonation and server spoofing attacks.
3.2.6. Preserving User Anonymity
In our scheme, the user's anonymity is preserved in each login request. We compute an anonymous identity AID = ID_i ⊕ h(R_i || MK) for the user, and this identity differs in each login attempt because it is calculated with the random nonce R_i. Only the authentication server knows the secret value MK and can recover R_i, so only the authentication server can retrieve the user's ID_i. Hence, in our scheme, an attacker cannot identify the person trying to log into the server.
4. Performance evaluation
In this section we compare the security and performance of the proposed scheme with other relevant schemes [13, 14, 15]. In Table 1, we summarize the communication cost and computation cost of the proposed scheme and the other relevant schemes. The total computation overhead of our scheme is 16T_h + 3T_E, where T_h is the time taken by the secure one-way hash function and T_E is the time taken by a modular exponentiation. To analyze the communication overhead, we use the following facts and assumptions: the identity, password, random nonce and output of the secure one-way hash function are each 160 bits long, one AES block is 128 bits long, and a modular exponentiation operates on 1024-bit values. The communication overhead of our scheme is 160*6+1024 = 1984 bits. In Table 2, we present a comparison of several security functionalities of the proposed scheme with the other relevant schemes [13, 14, 15]; it is noticeable that the proposed scheme resists the relevant security attacks better than the other schemes.
Fig. 1: Performance Comparison: Communication Cost (bar chart of the communication-cost row of Table 1)
Table 1: Performance Comparison: Communication cost and Computation cost
| Performance Comparison | He et al. [13] | Pippal et al. [14] | Wen et al. [15] | Proposed Scheme |
| Communication Cost (bits) | 1024*2+160*5 = 2848 | 1024*2+160*3 = 2528 | 1024+512*2+160 = 2208 | 160*6+1024 = 1984 |
| Computation Cost of Login Phase | 2T_h + 2T_E | 1T_h + 2T_E | 2T_h + 3T_E | 5T_h + 2T_E |
| Computation Cost of Authentication Phase | 3T_h + 4T_E | 6T_h + 5T_E | 3T_h + 5T_E | 11T_h + 1T_E |
| Total Computational Cost | 5T_h + 6T_E | 7T_h + 7T_E | 5T_h + 8T_E | 16T_h + 3T_E |
Table 2: Security Features Comparison
| Security Requirement | He et al. [13] | Pippal et al. [14] | Wen et al. [15] | Proposed Scheme |
| Resist Password Guessing Attack | Yes | No | No | Yes |
| Resist Replay Attack | Yes | No | Yes | Yes |
| Resist Impersonation Attack | No | No | No | Yes |
| Resist Denial of Service Attack | Yes | No | No | Yes |
| Resist Forward Secrecy Attack | Yes | Yes | Yes | Yes |
| Resist Insider Attack | Yes | No | Yes | Yes |
| Preserving User Anonymity | No | No | No | Yes |
5. Conclusion
In this paper, we have presented a secure and effective remote user authentication scheme using a smart card which achieves mutual authentication and user anonymity. In our scheme, the computation cost and communication cost are relatively low compared with the important related schemes. Furthermore, the user can always change his password correctly and locally at any time without contacting the server. In addition, we have demonstrated the validity of our scheme through BAN logic. Finally, after successful authentication a symmetric session key is established between the user and the server, so that this key can be used for future secure communication.
References
1. Lamport, Password authentication with insecure communication. Communications of the ACM, 1981, 24(11), pp. 770-772.
2. Chang, C. C. & Wu, T. C., Remote password authentication with smart cards. Computers and Digital Techniques, IEE Proceedings E, 1991, 138(3), pp. 165-168.
3. Chang, C. C., & Hwang, K. F., Some Forgery Attacks on a Remote User Authentication Scheme Using Smart Cards. Informatics, Lith. Acad. Sci., 2003, 14(3), pp. 289-294.
4. Lee, S. W., Kim, H. S., & Yoo, K. Y., Efficient nonce-based remote user authentication scheme using smart cards. Applied Mathematics and Computation, 2005, 167(1), pp. 355-361.
5. Yang, W. H., & Shieh, S. P., Password authentication schemes with smart cards. Computers & Security, 1999, 18(8), pp. 727-733.
6. Chan, C. K., & Cheng, L. M., Cryptanalysis of a timestamp-based password authentication scheme. Computers & Security, 2001, 21(1), pp.74-76.
7. Fan, L., Li, J. H., & Zhu, H. W., An enhancement of timestamp-based password authentication scheme. Computers & Security, 2002, 21(7), pp. 665-667.
8. Shen, J. J., Lin, C. W., & Hwang, M. S., Security enhancement for the timestamp-based password authentication scheme using smart cards. Computers & Security, 2003, 22(7), pp. 591-595.
9. Giri, D., Maitra, T., Amin, R., & Srivastava, P. D., An efficient and robust RSA-based remote user authentication for telecare medical information systems. Journal of medical systems, 2015, 39(1), pp.1-9.
10. Amin, R., & Biswas, G. P., An improved RSA based user authentication and session key agreement protocol usable in TMIS. Journal of Medical Systems, 2015, 39(8), pp. 1-14.
11. Ramasamy, R., & Muniyandi, A. P., An efficient password authentication scheme for smart card. International Journal of Network Security, 2012, 14(3), pp. 180-186.
12. Das, A. K., & Bruhadeshwar, B., An improved and effective secure password-based authentication and key agreement scheme using smart cards for the telecare medicine information system. Journal of medical systems, 2013, 37(5), pp.1-17.
13. He, D., Wang, D., & Wu, S., Cryptanalysis and improvement of a password-based remote user authentication scheme without smart cards. Information Technology And Control, 2013,42(2), pp. 105-112
14. Pippal, R. S., Jaidhar, C. D., & Tapaswi, S., Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 2013, 72(1), pp. 729-745.
15. Wen, F., & Guo, D., An improved anonymous authentication scheme for telecare medical information systems. Journal of medical systems, 2014, 38(5), pp. 1-11.
16. Burrows, M., Abadi, M., & Needham, R., A logic of authentication. ACM Transactions on Computer Systems, 1990, 8(1), pp. 18-36.