Remote user authentication schemes are used to verify the legitimacy of remote users’ login request. Recently, several dynamic user authentication schemes have been proposed. It can be seen that, these schemes have weaknesses because of using timestamps. The implement of strict and safe time synchronization is very difficult and increases network overhead. In this paper, we propose a new dynamic user authentication based on nonce. Mutual authentication is performed using a challenge-response handshake between user and server, and it avoids the problems of synchronism between smart card and the remote server. Besides, the scheme provides user’s anonymity and session key agreement. Finally, the security analysis and performance evaluation show that the scheme can resist several attacks, and our proposal is feasible in terms of computation cost and communication cost.
With the large-scale proliferation of internet and network technologies, people are able to access any service from any place and at any time. Remote user authentication schemes are used to verify the legitimacy of remote user’s login request. Password-based authentication scheme is one of the convenient and efficient authentication mechanics. However, password-based authentication scheme suffers from attacks due to the low entropy password, thus designing a more secure and efficient authentication protocol is in urgent need. In 1981, Lamport proposed a remote user authentication scheme with password table [
In 2004, Das et al. [
The remainder of this paper is organized as follows. In Section 2, we present an enhanced remote user authentication scheme. In Section 3, there is the analysis about this scheme. Finally, conclusions are presented in Section 4.
Although the implement of strict and safe time synchronization is very difficult and increases network overhead, most time synchronization schemes were not designed with security in mind. In addition, if the setting of the interval of transmission delay is too short, it will cause the failure of the legal users’ login. However, if the setting of the interval of transmission delay is too large, it will be suffered from the relay attacks. Therefore, authentication protocols based on the timestamps not only introduces more safety risk, but also is unpractical. In this section, we propose an enhanced remote user authentication scheme. To avoid the clock synchronization problem, we replace the timestamp design with a novel nonce-based mechanism in our scheme. The improved scheme is divided into four phase: registration phase, login phase, authentication phase, and password change phase. Detailed steps of these phases of the proposed scheme are described as follows. The notations used throughout this paper are in
A user Ui with identifier IDi should first carry out this phase once before he can use any of the services provided by the server S. In this phase, Ui and S need to perform the following steps.
Step R1. User Ui keys his identity IDi and password PWi, and his smart card computes and submits
Step R2. After receiving the request, S computes
Whenever Ui wants to login a server S, he must perform the following steps:
Step L1. After inserting his smart card into the card reader, Ui inputs the identity IDi and password PWi. Then,
the smart card computes
. Notations
| Symbol | Description |
|---|---|
| Ui S IDi PWi h(.) x y ⊕ || | User i Server Identity of the user i Password of the user i A secure hash function Secret value of server Secret value of server Bitwise XOR operation Concatenation operation |
Step L2. The smart card checks whether or not Ei and Ci are equal. If yes, Ui passes the legitimate verification, and performs the following steps; otherwise, Ui is rejected.
Step L3. The smart card randomly chooses a nonce R1 and computes
Step L4. Ui sends the login request message
A user performs the remote authentication phase based on the login message for authentication as long as it visits the server. Ui and S perform the following steps to achieve mutual authentication and to establish a session key.
Step A1. After receiving the login message
Then, S chooses a nonce R2 and computes
Step A2. The server S sends the mutual authentication message
Step A3. After receiving the mutual authentication message
checks whether or not
otherwise, Ui authenticates S successfully and computes
Step A4. When the server S receives
sends reject message to the Ui; otherwise, S authenticates Ui.
After finishing mutual authentication phase, the user Ui and the server S each can compute a common session
key
The user Ui can change his password without the help of the server S, and the details of the password change procedures are as follows:
Ui inserts the smart card, and input his old password pwi and the identity IDi. Then, the smart card computes
process is correct, the smart card asks the cardholder to resubmit a new password
computes
with
In this subsection, we present these security analyses of our scheme and show that proposed scheme can resist many kinds of attack. To analyze the security of our scheme, we assume that an attacker can obtain the secret values stored in the smart card by monitoring the power consumption [
The proposed scheme can protect user’s anonymity. In login phase, the user Ui will send the login request mes-
sage
ble to derive the user identity IDi through h(IDi). Furthermore, the login message is dynamic in each login. Among the parameters of login message, Fi is associated with nonce R1 and dynamically changed. Consequently, the attacker cannot identify the person who is trying to login.
The proposed scheme can resist replay attack because the login request message and the mutual authentication message both contain the nonce instead of timestamp. Suppose that the attacker has intercepted a previous login
request message
the attacker still cannot successfully impersonate the server S to cheat the users by replaying the server’s pre-
vious mutual authentication message
The proposed scheme can withstand impersonation attack. Assume the attacker intercepts h(IDi), Fi, Hi, but these information has no meaning to an attacker. He can’t derive the secret parameter x and password PWi. Without R1, R2, x and PWi, the attacker can’t compute Hi, so impersonation can’t continue. What’s more, the attacker can’t impersonation of S, because he can’t compute
In our proposed scheme, the smart card of user Ui checks the validity of user identity IDi and password PWi before update procedure. The attacker has to insert the smart card of user Ui into the smart card reader and has to
guess the identity IDi and password PWi correctly. Since the smart card computes
gitimacy of Ui before the smart card accepts the password update request. It is not possible to guess the identity IDi and password PWi correctly at the same time in real polynomial time even after getting the smart card of user Ui. Therefore, the proposed protocol is secure against DOS attacks.
If an attacker obtains Bi and Ci from Ui’s smart card, he can’t extract sensitive information, like IDi, PWi, x, because it is computationally infeasible to invert the one-way hash function h(). Moreover, he can’t extract Ai from Bi without the knowledge of IDi and PWi. Furthermore, if the attacker is a legal user Ui, he can’t obtain x from his smart card. Thus, the insider attack is resisted.
In our scheme, Ui’s password is only involved with
or response message
message without knowing the server’s secret value x. Therefore, we believe that the on-line password guessing attacks can be prevented more efficiently.
On the other hand, in our scheme Ui’s login message, i.e. h(IDi), Fi, are well-protected and un-involved with Ui’s password. This design eliminates the correlation between Ui’s password and the transmitted messages, i.e. h(IDi), Fi, Hi, an attacker has no ability to examine his guessed password with previous legitimate request or reply message in an off-line mode. Hence, our scheme is secure against the off-line password guessing attack.
Our scheme can prevent stolen smart card attack. If the smart card is stolen or lost, the attacker can extract the secret information Bi and Ci from the smart card. With the parameter, the attacker tries to impersonate the user to
login to the server S, however, he must produce a valid login request message
that it is impossible to compute Ai and Fi from the given parameters without knowing x, IDi, and PWi, so the attacker can’t generate a valid login message.
Assume the attacker can masquerade as legitimate user Ui by replaying a login request message
However, he can’t compute the agreed session key
does not know the values of x, R1, R2. Therefore, the proposed scheme is secure against parallel session attack.
Our scheme provides mutual authentication of Ui and S. In our scheme, S sends mutual authentication message
and this message is infeasible to forge by a fake server to impersonate the S.
The proposed scheme provides session key agreement during the authentication phase. Suppose the attacker obtains the secret values in the legal user’s smart card and intercepts messages communicating between the user and the server, he may attempt to compute the session key SK. However, he can’t continue without knowing R1 and R2.
In this section, we summarize some performance issues of the proposed scheme. We compare the proposed scheme with related schemes in terms of cost and security requirements.
An efficient authentication scheme must take computation and communication cost into consideration during us- er’s authentication. The computation cost of each phase is defined as the total time of various operations executed in that phase. The communication cost of authentication includes the cost of transmitting messages involved in the authentication scheme. We mainly focus on the computations of registration, login and authentication phases since these phases are the main body of the proposed scheme.
In order to carry out the computation cost evaluation, we use the following notations: Th and Ts are defined as the execution time of the one-way hash function and symmetric operations. Because exclusive-or operation and concatenation operation require very low execution time, it is usually neglected considering its computational cost. The time complexity associated with the different operations can be expressed as T⊕ = Th < Ts. The comparative results are shown in
From the table, it is noticed that our scheme requires nearly the same computation as other related schemes, but our scheme provides more security.
In addition, we have shown the comparison of communication cost between our scheme and related scheme. The comparative results are shown in
From the table, it is noticed that the communication cost of Das et al.’s scheme is the least with 448 bits, because, it does not support mutual authentication. However, our scheme needs less bits than others.
In this section, we summarize the security features of our proposed scheme and compare its security robustness with related schemes. The comparative results are shown in
From the table, it is noticed that our scheme is more secure and robust than other schemes and achieves more security requirements, which were not considered in the their scheme and are essentially required in implementing a practical and universal remote user authentication scheme using smart cards.
In this paper, we see that several dynamic user authentication schemes have weaknesses because of using timestamps. Besides, the implement of strict and safe time synchronization is very difficult and increases network overhead. To eliminate these weaknesses, we propose a new dynamic user authentication scheme based on
. Computation cost comparison
| Scheme | Phase | ||
|---|---|---|---|
| Registration | Login and verification | Total cost | |
| Proposed scheme | 4Th | 8Th | 12Th |
| Khan et al. (2011) | 2Th | 10Th | 12Th |
| Wang et al. (2009) | 2Th | 6Th | 8Th |
| Das et al. (2004) | 2Th | 7Th | 9Th |
. Communication cost comparison
| Scheme | From user to server | From server to user | Total cost | ||
|---|---|---|---|---|---|
| Message | Cost | Message | Cost | ||
| Proposed scheme | h(IDi), Fi | 256 bits | 256 bits | 512 bits | |
| Khan et al. (2011) | CIDi, Ti, d, Ci | 384 bits | C2,Ts | 192 bits | 576 bits |
| Wang et al. (2009) | IDi, CIDi, Ni,T | 448 bits | a’, T* | 192 bits | 640 bits |
| Das et al. (2004) | CIDi, Ni, Ci, T | 448 bits | - | - | 448b its |
. Security properties comparison
| Scheme | S1 | S2 | S3 | S4 | S5 | S6 | S7 | S8 | S9 | S10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Proposed | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Khan et al. | N | Y | N | Y | N | Y | Y | N | Y | Y |
| Wang et al. | N | N | N | N | N | N | Y | N | Y | N |
| Das et al. | N | N | N | Y | N | Y | Y | Y | N | N |
S1: Resist impersonation attack; S2: Resist DOS attack; S3: Resist insider attack; S4: Resist replay attack; S5: Resist password guessing attack; S6: Resist stolen smart card attack S7: Resist Parallel session attack; S8: Provide user’s anonymity; S9: Provide mutual authentication; S10: Provide session key agreement.
nonce instead of timestamps. Mutual authentication is performed using a challenge-response handshake between user and remote server. Moreover, our scheme uses hashing functions to implement user’s anonymity and session key agreement. The other merits include: 1) our scheme provides a secure password change method to prevent the adversary from updating password freely; 2) our scheme can resist various attack, including forward se- crecy; 3) our scheme requires less computation and communication traffic; 4) it is a nonce-based scheme to avoid the time-synchronization problem.
Therefore, this scheme is well suited to the network-based application systems. In our future work, we would carry on experiments if the conditions are met.
Yang Xiaohui, Cui Xinchun, Cao Zhenliang and Hu Ziqiang thank the anonymous reviewers for their valuable comments and suggestions.