Robust Smart Card based Password Authentication Scheme against Smart Card Security Breach ⋆

As the most prevailing two-factor authentication mechanism, smart card based password authentication has been a subject of intensive research in the past decade and hundreds of this type of schemes have been proposed. However, most of them were found severely flawed, especially prone to the smart card security breach problem, shortly after they were first put forward, no matter the security is heuristically analyzed or formally proved. In SEC’12, Wang pointed out that, the main cause of this issue is attributed to the lack of an appropriate security model to fully identify the practical threats. To address the issue, Wang presented three kinds of security models, namely Type I, II and III, and further proposed four concrete schemes, only two of which, i.e. PSCAV and PSCAb, are claimed to be secure under the harshest model, i.e. Type III security model. However, in this paper, we demonstrate that PSCAV still cannot achieve the claimed security goals and is vulnerable to an offline password guessing attack and other attacks in the Type III security mode, while PSCAb has several practical pitfalls. As our main contribution, a robust scheme is presented to cope with the aforementioned defects and it is proven to be secure in the random oracle model. Moreover, the analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship, which highly indicates the settlement of an open problem raised by Madhusudhan and Mittal in 2012. Beyond our cryptanalysis of current schemes and our proposal of the new scheme, the proposed adversary model and criteria set provide a benchmark for the systematic evaluation of future two-factor authentication proposals.

[1]  W M Ross Whats in a name? , 1989, Clinical radiology.

[2]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[3]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[4]  Thomas D. Wu A Real-World Analysis of Kerberos Password Security , 1999, NDSS.

[5]  P. Kocher,et al.  Differential power analysis, advances in cryptology-CRYPTO'99 , 1999 .

[6]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[7]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[8]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[9]  Duncan S. Wong,et al.  The performance measurement of cryptographic primitives on palm devices , 2001, Seventeenth Annual Computer Security Applications Conference.

[10]  Robert H. Deng,et al.  Privacy Protection for Transactions of Digital Goods , 2001, ICICS.

[11]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[12]  Colin Boyd,et al.  Protocols for Authentication and Key Establishment , 2003, Information Security and Cryptography.

[13]  Emmanuel Bresson,et al.  Security proofs for an efficient password-based key exchange , 2003, CCS '03.

[14]  Wei-Chi Ku,et al.  Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[15]  Eun-Jun Yoon,et al.  Further improvement of an efficient password based remote user authentication scheme using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[16]  C.-C.,et al.  Remote password authentication with smart cards , 2004 .

[17]  Alfred Menezes,et al.  Another Look at "Provable Security" , 2005, Journal of Cryptology.

[18]  Kee-Young Yoo,et al.  Improvement of Chien et al.'s remote user authentication scheme using smart cards , 2005, Comput. Stand. Interfaces.

[19]  Zhenfu Cao,et al.  Efficient remote user authentication scheme using smart card , 2005, Comput. Networks.

[20]  Chun-I Fan,et al.  Robust remote authentication scheme with smart cards , 2005, Comput. Secur..

[21]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[22]  Xiaotie Deng,et al.  Formal Analysis and Systematic Construction of Two-Factor Authentication Scheme (Short Paper) , 2006, ICICS.

[23]  Yongge Wang,et al.  Security analysis of a password-based authentication protocol proposed to IEEE 1363 , 2006, Theor. Comput. Sci..

[24]  Cheng-Chi Lee,et al.  Password Authentication Schemes: Current Status and Key Issues , 2006, Int. J. Netw. Secur..

[25]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..

[26]  Rajendra S. Katti,et al.  A Secure Identification and Key agreement protocol with user Anonymity (SIKA) , 2006, Comput. Secur..

[27]  Michael Scott,et al.  Implementing Cryptographic Pairings on Smartcards , 2006, CHES.

[28]  Srivaths Ravi,et al.  A study of the energy consumption characteristics of cryptographic algorithms and security protocols , 2006, IEEE Transactions on Mobile Computing.

[29]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[30]  Chin-Laung Lei,et al.  A Simple and Efficient Key Exchange Scheme Against the Smart Card Loss Problem , 2007, EUC Workshops.

[31]  Xiaomin Wang,et al.  Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards , 2007, Comput. Stand. Interfaces.

[32]  Dongho Won,et al.  Security Analysis of a Nonce-Based User Authentication Scheme Using Smart Cards , 2007, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[33]  Kwok-Wo Wong,et al.  Cryptanalysis of a password authentication scheme over insecure networks , 2008, J. Comput. Syst. Sci..

[34]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[35]  Dapeng Wu,et al.  Mobile Privacy in Wireless Networks-Revisited , 2008, IEEE Transactions on Wireless Communications.

[36]  Xiaotie Deng,et al.  Two-factor mutual authentication based on smart cards and passwords , 2008, J. Comput. Syst. Sci..

[37]  Wei-Bin Lee,et al.  A new method for using hash functions to solve remote user authentication , 2008, Comput. Electr. Eng..

[38]  Wen-Shenq Juang,et al.  Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards , 2008, IEEE Transactions on Industrial Electronics.

[39]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[40]  Wei-Kuan Shih,et al.  Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards , 2009, Comput. Commun..

[41]  Yan-yan Wang,et al.  A more efficient and secure dynamic ID-based remote user authentication scheme , 2009, Comput. Commun..

[42]  Min Gyo Chung,et al.  More secure remote user authentication scheme , 2009, Comput. Commun..

[43]  Wei-Chi Ku,et al.  Weaknesses and improvement of Wang et al.'s remote user password authentication scheme for resource-limited environments , 2009, Comput. Stand. Interfaces.

[44]  Rajaram Ramasamy,et al.  New Remote Mutual Authentication Scheme using Smart Cards , 2009, Trans. Data Priv..

[45]  Yalin Chen,et al.  Improvements on two password-based authentication protocols , 2009, IACR Cryptol. ePrint Arch..

[46]  Jianhua Li,et al.  Anonymity Enhancement on Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards , 2010, IEEE Transactions on Industrial Electronics.

[47]  Bruce Schneier,et al.  Cryptography Engineering - Design Principles and Practical Applications , 2010 .

[48]  Qiong Pu,et al.  An Improved Two-factor Authentication Protocol , 2010, 2010 Second International Conference on Multimedia and Information Technology.

[49]  Wen-Bing Horng,et al.  A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards , 2010 .

[50]  Ronggong Song Advanced smart card based password authentication protocol , 2010, Comput. Stand. Interfaces.

[51]  Jia-Lun Tsai,et al.  New dynamic ID authentication scheme using smart cards , 2010, Int. J. Commun. Syst..

[52]  Chunhua Su,et al.  Two robust remote user authentication protocols using smart cards , 2010, J. Syst. Softw..

[53]  Rui Zhang,et al.  Weaknesses of a dynamic ID-based remote user authentication scheme , 2010, Int. J. Electron. Secur. Digit. Forensics.

[54]  Pietro Michiardi,et al.  Password Strength: An Empirical Analysis , 2010, 2010 Proceedings IEEE INFOCOM.

[55]  Yu Li,et al.  Cryptanalysis and security enhancement of an advanced authentication scheme using smart cards, and a key agreement scheme for two-party communication , 2011, 30th IEEE International Performance Computing and Communications Conference.

[56]  François-Xavier Standaert,et al.  Generic Side-Channel Distinguishers: Improvements and Limitations , 2011, IACR Cryptol. ePrint Arch..

[57]  Sandeep K. Sood,et al.  Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards , 2011, Inf. Secur. J. A Glob. Perspect..

[58]  Christof Paar,et al.  Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation , 2011, RFIDSec.

[59]  Stefan Mangard,et al.  One for all - all for one: unifying standard differential power analysis attacks , 2011, IET Inf. Secur..

[60]  Jian Wang,et al.  Strong Authentication Scheme for Telecare Medicine Information Systems , 2011, Journal of Medical Systems.

[61]  Robert H. Deng,et al.  A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems , 2011, IEEE Transactions on Parallel and Distributed Systems.

[62]  R. C. Mittal,et al.  An improved timestamp-based remote user authentication scheme , 2011, Comput. Electr. Eng..

[63]  Erich Wenger,et al.  Fast Multi-precision Multiplication for Public-Key Cryptography on Embedded Microprocessors , 2011, CHES.

[64]  Cheng-Chi Lee,et al.  A Robust Remote User Authentication Scheme against Smart Card Security Breach , 2011, DBSec.

[65]  Muhammad Khurram Khan,et al.  Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme' , 2011, Comput. Commun..

[66]  Hyoung-Kee Choi,et al.  Further Improved Remote User Authentication Scheme , 2011, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[67]  Qi Xie Dynamic ID-Based Password Authentication Protocol with Strong Security against Smart Card Lost Attacks , 2011 .

[68]  Wei-Kuan Shih,et al.  Security enhancement on an improvement on two remote user authentication schemes using smart cards , 2011, Future Gener. Comput. Syst..

[69]  Chin-Ling Chen,et al.  A Non-Repudiated and Traceable Authorization System Based on Electronic Health Insurance Cards , 2012, Journal of Medical Systems.

[70]  Cheng-Chi Lee,et al.  A Robust Remote User Authentication Scheme Using Smart Card , 2011, Inf. Technol. Control..

[71]  Chin-Laung Lei,et al.  Robust authentication and key agreement scheme preserving the privacy of secret key , 2011, Comput. Commun..

[72]  Chunguang Ma,et al.  Cryptanalysis and Improvement of Sood et al.'s Dynamic ID-Based Authentication Scheme , 2012, ICDCIT.

[73]  Michael Scott Cryptanalysis of a recent two factor authentication scheme , 2012, IACR Cryptol. ePrint Arch..

[74]  Chunguang Ma,et al.  Cryptanalysis of Two Dynamic ID-Based Remote User Authentication Schemes for Multi-server Architecture , 2012, NSS.

[75]  Peng Wu,et al.  Secure password-based remote user authentication scheme with non-tamper resistant smart cards , 2012, IACR Cryptol. ePrint Arch..

[76]  Yongge Wang,et al.  Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks , 2012, IACR Cryptol. ePrint Arch..

[77]  Myung-Hwan Kim,et al.  An Enhanced Anonymous Authentication and Key Exchange Scheme Using Smartcard , 2012, ICISC.

[78]  Chunguang Ma,et al.  Breaking a Robust Remote User Authentication Scheme Using Smart Cards , 2012, NPC.

[79]  Yuefei Zhu,et al.  Robust smart-cards-based user authentication scheme with user anonymity , 2012, Secur. Commun. Networks.

[80]  Debiao He,et al.  Improvement on a Smart Card Based Password Authentication Scheme , 2012 .

[81]  Jenq-Shiou Leu,et al.  Exploiting hash functions to intensify the remote user authentication scheme , 2012, Comput. Secur..

[82]  Chunguang Ma,et al.  A New Dynamic ID-Based Remote User Authentication Scheme with Forward Secrecy , 2012, APWeb Workshops.

[83]  Ding Wang,et al.  Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards , 2012 .

[84]  Tae Hyun Kim,et al.  Side channel analysis attacks using AM demodulation on commercial smart cards with SEED , 2012, J. Syst. Softw..

[85]  Chin-Chen Chang,et al.  A Secure Single Sign-On Mechanism for Distributed Computer Networks , 2012, IEEE Transactions on Industrial Electronics.

[86]  Andrey Bogdanov,et al.  Beyond the Limits of DPA: Combined Side-Channel Collision Attacks , 2012, IEEE Transactions on Computers.

[87]  Kyung-Ah Shim,et al.  Security Flaws in Three Password-Based Remote User Authentication Schemes with Smart Cards , 2012, Cryptologia.

[88]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[89]  R. C. Mittal,et al.  Dynamic ID-based remote user password authentication schemes using smart cards: A review , 2012, J. Netw. Comput. Appl..

[90]  G. P. Biswas,et al.  Design of improved password authentication and update scheme based on elliptic curve cryptography , 2013, Math. Comput. Model..

[91]  Huan Guo Zhang,et al.  Cryptanalysis of a Remote User Authentication Scheme , 2013 .

[92]  Juan Qu,et al.  An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme , 2013, J. Electr. Comput. Eng..

[93]  Yuqing Zhang,et al.  A simple and robust anonymous two-factor authenticated key exchange protocol , 2013, Secur. Commun. Networks.

[94]  Chun-Ta Li,et al.  A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card , 2013, IET Inf. Secur..

[95]  Ya-Fen Chang,et al.  Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update , 2014, Int. J. Commun. Syst..

[96]  Chunguang Ma,et al.  Security flaws in two improved remote user authentication schemes using smart cards , 2014, Int. J. Commun. Syst..

[97]  Lih-Chyau Wuu,et al.  Robust smart‐card‐based remote user password authentication scheme , 2014, Int. J. Commun. Syst..

[98]  Feng Hao On robust key agreement based on public key authentication , 2014 .