Two-factor mutual authentication based on smart cards and passwords

One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.

[1]  Eun-Jun Yoon,et al.  Efficient remote user authentication scheme based on generalized ElGamal signature scheme , 2004, IEEE Transactions on Consumer Electronics.

[2]  Eun-Jun Yoon,et al.  New Authentication Scheme Based on a One-Way Hash Function and Diffie-Hellman Key Exchange , 2005, CANS.

[3]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[4]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[5]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[6]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[7]  Rafail Ostrovsky,et al.  Efficient and secure authenticated key exchange using weak passwords , 2009, JACM.

[8]  Victor Shoup,et al.  Session Key Distribution Using Smart Cards , 1996, EUROCRYPT.

[9]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[10]  Mike Scott,et al.  Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number , 2002, IACR Cryptol. ePrint Arch..

[11]  Guang Gong,et al.  Password Based Key Exchange with Mutual Authentication , 2004, IACR Cryptol. ePrint Arch..

[12]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[13]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[14]  David Pointcheval,et al.  Simple Password-Based Encrypted Key Exchange Protocols , 2005, CT-RSA.

[15]  Hung-Yu Chien,et al.  An Efficient and Practical Solution to Remote Authentication: Smart Card , 2002, Comput. Secur..

[16]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[17]  Chin-Chen Chang,et al.  An improved low computation cost user authentication scheme for mobile communication , 2005, 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers).

[18]  Cheng-Chi Lee,et al.  An Improvement of SPLICE/AS in WIDE against Guessing Attack , 2001, Informatica.

[19]  Bin Wang,et al.  Cryptanalysis of an enhanced timestamp-based password authentication scheme , 2003, Comput. Secur..

[20]  Michael Scott Cryptanalysis of an ID-based password authentication scheme using smart cards and fingerprints , 2004, OPSR.

[21]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.

[22]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[23]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[24]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[25]  Shyi-Tsong Wu,et al.  A user friendly remote authentication scheme with smart cards , 2003, Comput. Secur..

[26]  Min-Shiang Hwang,et al.  Cryptanalysis of a remote login authentication scheme , 1999, Comput. Commun..

[27]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..