Cryptanalysis of Smart Card Based Remote User Authentication Scheme for Multi-Server Environment

The traditional remote user authentication scheme is designed for a single-server environment. With the growth of network services, however, a user must not only register separately with each server but also store a large number of different identities and passwords. A large number of password based remote user authentication schemes for the multi-server environment have therefore been proposed. Unfortunately, the earlier schemes share a design defect in the login phase: the user has to send the original static ID to the server without any protection. To fix this problem, Li et al. proposed a dynamic ID based remote user authentication scheme for the multi-server environment. Recently, Shunmuganathan et al. pointed out that Li et al.'s scheme is vulnerable to the off-line password guessing attack, the stolen smart card attack and the user impersonation attack, and proposed an improved protocol to fix these problems. However, we found that Shunmuganathan et al.'s scheme is still vulnerable to the off-line password guessing attack, the off-line identity guessing attack and the user impersonation attack.


Introduction
With the rapid development of network technologies, network services have become a hot topic. Increasingly many services are provided over the internet, such as on-line finance, bill payment, games, medical care and education. When a user wants to query information or request something from a server, he/she must first log in to the server. Because the internet is open, protecting valuable information from unauthorized access is an essential part of the network security infrastructure. If conventional smart card based remote authentication methods are applied to a multi-server environment, each user who wants to access the servers not only has to log on to the various remote servers again and again, but also has to remember a large number of identities and passwords. It also forces each server to spend time on exponentiation for every authentication and brings many security weaknesses. Therefore, conventional password authentication designed for a single-server environment is not suitable for a multi-server environment.
Recently, to improve on traditional password authentication, a large number of smart card based remote user authentication schemes have been proposed. These schemes can be divided into two types by the cryptographic primitive used: one-way hash based schemes and public key based schemes. An efficient and secure remote user authentication scheme should resist all known attacks so that it can be applied in the real world; the computation cost on the smart card must be low; user and server must authenticate each other and agree on a shared session key; the user must be able to update his/her password freely after his/her legitimacy has been checked; and no time synchronization should be needed, so that the delay-time problem is avoided. Moreover, users should register with the registration center only once to access all registered servers, and the registered servers should store no password table or verification table while still providing two-factor security, user anonymity and resistance to masquerade attacks.
Recently, an enhanced smart card based remote user authentication scheme for the multi-server environment was proposed by Shunmuganathan et al. [7]. They claimed that their scheme establishes a secure session key, protects user anonymity, and resists the off-line password guessing attack, the user impersonation attack and the spoofing attack. However, we found that their scheme is still vulnerable to several attacks, namely the off-line password guessing attack, the stolen smart card attack and the user impersonation attack. This paper is organized as follows. Section 2 introduces the existing research on remote user authentication. Section 3 reviews Shunmuganathan et al.'s scheme. Section 4 describes the security weaknesses of Shunmuganathan et al.'s remote user authentication scheme for the multi-server environment. Finally, Section 5 outlines our further work and summarizes this paper.

Related Works
Rivest et al. [1] proposed a public-key cryptosystem for remote user authentication in 1978. However, their scheme needs costly public-key encryption and decryption. In 1990, Hwang et al. [2] proposed a non-interactive password authentication scheme and an improved version of it that additionally uses smart cards. Since then, many password authentication schemes using smart cards have been proposed [3,4,5], each with its own advantages and disadvantages. In 2001, Juang [6] constructed an enhanced authentication scheme based on a hash function and a symmetric key cryptosystem.
Later, Lee and Chang [8] pointed out that Juang's scheme [6] is vulnerable to the off-line dictionary attack, the replay attack and the server spoofing attack, and proposed a new hash based scheme for the multi-server environment.
However, most remote user authentication schemes share one characteristic: the user's identity is static. A static identity may leak information about the user and exposes the ID during message transmission, which gives an adversary the chance to track a legitimate user. In 2013, Li et al. [9] proposed an enhanced dynamic ID based remote user authentication scheme. However, in 2015, Shunmuganathan et al. [7] claimed that Li et al.'s protocol [9] is vulnerable to the off-line password guessing attack, the stolen smart card attack and the forgery attack, and proposed an improved protocol to remedy these weaknesses. Recently, we found that Shunmuganathan et al.'s scheme still cannot resist the off-line password guessing attack, the stolen smart card attack and the user impersonation attack.

Review of Shunmuganathan et al.'s Scheme
In this section we describe the scheme proposed by Shunmuganathan et al. in detail. Like other smart card based remote user authentication schemes for the multi-server environment, Shunmuganathan et al.'s protocol has four phases: the registration phase, the login phase, the authentication phase and the password change phase. These phases are described below. The notations used in this paper are summarized in Table 1.

Registration phase
The registration phase is the initial phase of the scheme, in which the registration center provides secrets to the user as well as to the server. When the user Ui wants to access the server Sj, Ui first has to register with the registration center RC; the server Sj is assumed to have registered with RC already.
(a) The user Ui freely chooses his/her identity IDi and password PWi, generates a random number b, and computes Ai = h(b||PWi). Ui then sends IDi and Ai to the registration center RC for registration.
(b) On receiving the registration request, the registration center RC computes

Login phase
Whenever the user wants to log in to a remote server, the user must first log in to a terminal using the smart card. The user inserts his/her smart card into the card reader and inputs his/her identity IDi and password PWi. The smart card then executes the following operations.
(a) The smart card computes Ai = h(b||PWi) and Ci* = h(IDi||h(y)||Ai), and checks whether Ci* equals the Ci stored in it. If so, the smart card accepts the user and proceeds to the next step; otherwise it rejects the login.
(b) The smart card generates two random numbers Ni and Nk and computes, among other values,

Pij = Ei ⊕ h(h(SIDj||h(y))||Ni) (5)

(c) The smart card then sends the login request message {Pij, CIDi, M1, Ni} to the server Sj over a public channel for mutual authentication and session key establishment.

Authentication phase
After receiving the login request message, the server Sj performs the following operations to authenticate the user Ui and to establish a common session key with Ui. At the end of the phase both parties compute the session key as SK = h(Fi||Ali||Ni||Nj||SIDj); the two session keys are identical.

Password change phase
This phase is simple: a user who wants to change the password of his/her smart card can do so without informing the registration center.
(a) The user Ui inserts his/her smart card into the card reader and inputs his/her identity IDi and password PWi.

Security Analysis
Shunmuganathan et al. [7] claimed that their protocol resists all known attacks, such as the off-line password guessing attack, the user impersonation attack and the stolen smart card attack. After careful analysis, we found that their scheme is still vulnerable to the off-line password guessing attack. An adversary who obtains the smart card of user Ui can recover the user's identity IDi and password PWi from the stolen card, and can therefore easily impersonate Ui to log in to the server. Moreover, their scheme has a serious design defect in the session key agreement: once the password PWi has been extracted, the adversary can easily obtain the session key. Thus, the protocol proposed by Shunmuganathan et al. is still insecure. The details of these flaws are described below.
Fig. 3. Authentication Phase.

Off-line Password Guessing Attack
A stolen smart card attack is one in which an adversary who has possession of the smart card performs operations that extract information from it. If an adversary steals the smart card of a legitimate user Ui and obtains the parameters {Ci, Di, Ei, b, h(·), h(y)}, he/she can compute Ai* = h(b||PWi*) for any candidate password PWi*, because the random number b is stored in the card. The adversary therefore performs the following off-line password guessing attack to recover the current password PWi of user Ui.
(a) The adversary extracts {Ci, Di, Ei, b, h(·), h(y)} from the stolen smart card and records a login request message {Pij, CIDi, M1, Ni} that Ui has sent to Sj over the public channel.
(b) The adversary selects a candidate password PWi* from the password space D.
(c) The adversary recomputes M1* from PWi* and the extracted parameters, and verifies the correctness of PWi* by checking whether M1* equals the intercepted M1.
(d) If not, the adversary returns to step (b) and repeats until the true value of PWi is found. Since the password dictionary D is small in practice, the above procedure completes in a short time. Moreover, apart from possession of the card, the attack requires only the abilities of an eavesdropping, i.e., passive, attacker and involves no special cryptographic operations.

Off-line Identity Guessing Attack
In Shunmuganathan et al.'s scheme, a user Ui is allowed to choose his/her own identity IDi in the registration phase. Users usually choose a simple identity such as an e-mail address or a phone number. Such easy-to-remember identities have low entropy and cannot resist an off-line identity guessing attack. Suppose a legitimate user Ui's smart card is somehow obtained by an adversary. He/she can then recover the user's password PWi by the above attack and extract the stored secret values Ci and Di from the card, so that it is easy to guess the user's identity IDi with the following procedure:
(a) The adversary recovers the password PWi by the above attack and computes Ai = h(b||PWi) with the value b read from the stolen smart card.
(b) The adversary computes Fi = Di ⊕ Ai with the value Di read from the card.
(c) The adversary then selects a candidate identity IDi* from the identity space E, calculates Ci* = h(IDi*||h(y)||Ai), and checks whether Ci* equals Ci.
(d) Step (c) is repeated until Ci* equals Ci, at which point IDi* is the user's identity.

User Impersonation Attack
An impersonation attack is one in which an adversary successfully assumes the identity of one of the legitimate parties in a system or communication protocol. Once the adversary has obtained the identity IDi and password PWi from the smart card, he/she can impersonate user Ui to the remote server, because he/she now knows everything that Ui knows.
(a) The adversary extracts the identity IDi and password PWi through the above attacks.
(b) The adversary can then log in to the server exactly like the legitimate user Ui, using IDi, PWi and the stolen card. Therefore, Shunmuganathan et al.'s scheme fails to provide proper authentication.

Violation of the Session Key Security
In the security analysis of their paper, Shunmuganathan et al. state that the session key SK is derived from five parameters (Fi, Ali, Ni, Nj, SIDj). Fi contains the user's ID protected by the hash function and the master keys, and, most importantly, Fi is not stored directly in the smart card. They claim that it is impossible for an adversary to know (Fi, Ali, Nj). However, the adversary has already obtained Fi and Ali from the stolen smart card through the above attacks, and Ni is sent in the clear in the login request. Therefore, once he/she extracts Nj from the intercepted authentication message, he/she can compute the session key: the adversary computes Nj = M3 ⊕ Ni ⊕ Ali with M3 taken from the intercepted authentication message {M2, M3}, and then calculates the session key SK = h(Fi||Ali||Ni||Nj||SIDj) without difficulty.
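As an added, self-contained example (not code from Shunmuganathan et al. or from this paper), the following Python script models the parts of the scheme that this page states explicitly and runs the off-line password and identity guessing attacks described above together with the session key recovery of this section against a constructed card. Its assumptions, repeated in the comments: h(·) is SHA-256; all secrets and nonces are 32 bytes so that the XORs are well defined; Di is reconstructed from the relation Fi = Di ⊕ Ai used above; Ei and the formulas for CIDi, M1, M2 and Ali are not modelled because they do not appear on this page; and Ali is treated as already recovered by the attacker, as the text asserts. The example also goes one step beyond the paper: because b and h(y) are stored in the clear, the card's own verifier Ci = h(IDi||h(y)||Ai) lets the attacker test identity and password candidates jointly, without waiting for an intercepted M1.

```python
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

# Added example, not code from Shunmuganathan et al. or from this paper.
# Assumptions: h(.) is SHA-256 over the concatenated arguments (the page does
# not fix a hash); secrets and nonces are 32 bytes; Ei, CIDi, M1, M2 and the
# derivation of Ali are not modelled because their formulas are not on the page.


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def register(ID: bytes, PW: bytes, hy: bytes, Fi: bytes) -> dict:
    """Registration as far as the page states it: Ai = h(b||PWi) and
    Ci = h(IDi||h(y)||Ai). Di is reconstructed from Fi = Di xor Ai, the
    relation the paper uses in its session key analysis. Returns the
    values an attacker can read off the card."""
    b = secrets.token_bytes(32)  # random number chosen by Ui
    Ai = h(b, PW)
    return {"Ci": h(ID, hy, Ai), "Di": xor(Fi, Ai), "b": b, "hy": hy}


def guess_identity(card: dict, Ai: bytes, id_space: Iterable[bytes]) -> Optional[bytes]:
    """Off-line identity guessing, steps (c) and (d): each candidate IDi* is
    checked with Ci* = h(IDi*||h(y)||Ai) against the Ci stored on the card."""
    for cand in id_space:
        if h(cand, card["hy"], Ai) == card["Ci"]:
            return cand
    return None


def guess_identity_and_password(card: dict, id_space: Iterable[bytes],
                                pw_space: Iterable[bytes]) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Generalisation of the two guessing attacks: because b and h(y) are in
    the clear, the card's verifier Ci lets an attacker test (IDi*, PWi*)
    pairs jointly at a cost of |E| x |D| hashes, with no intercepted M1.
    Returns (IDi, PWi, Ai) on success."""
    ids = list(id_space)
    for pw in pw_space:
        Ai = h(card["b"], pw)
        ID = guess_identity(card, Ai, ids)
        if ID is not None:
            return ID, pw, Ai
    return None


def recover_session_key(card: dict, Ai: bytes, Ali: bytes, Ni: bytes,
                        M3: bytes, SIDj: bytes) -> bytes:
    """Session key recovery: Fi = Di xor Ai, Nj = M3 xor Ni xor Ali,
    SK = h(Fi||Ali||Ni||Nj||SIDj). Ni comes from the public login request,
    M3 from the intercepted server reply {M2, M3}."""
    Fi = xor(card["Di"], Ai)
    Nj = xor(xor(M3, Ni), Ali)
    return h(Fi, Ali, Ni, Nj, SIDj)


def demo() -> dict:
    """Constructed end-to-end run; no value here comes from the paper."""
    hy = h(b"y chosen by RC")
    Fi = secrets.token_bytes(32)
    Ali = secrets.token_bytes(32)  # assumed already recovered by the attacker, as the text states
    SIDj = b"SID-server-01"
    card = register(b"alice@example.com", b"hunter2", hy, Fi)

    # One legitimate session observed on the public channel.
    Ni, Nj = secrets.token_bytes(32), secrets.token_bytes(32)
    M3 = xor(xor(Nj, Ni), Ali)           # so that Nj = M3 xor Ni xor Ali
    legit_sk = h(Fi, Ali, Ni, Nj, SIDj)  # what Ui and Sj both compute

    # Attacker: stolen card plus small dictionaries of low-entropy IDs and passwords.
    found = guess_identity_and_password(
        card,
        [b"bob@example.com", b"alice@example.com"],
        [b"123456", b"password", b"hunter2"],
    )
    if found is None:
        return {"ID": None, "PW": None, "SK": None, "legit_sk": legit_sk}
    ID, PW, Ai = found
    SK = recover_session_key(card, Ai, Ali, Ni, M3, SIDj)
    return {"ID": ID, "PW": PW, "SK": SK, "legit_sk": legit_sk}


if __name__ == "__main__":
    r = demo()
    print("recovered ID:", r["ID"], "password:", r["PW"], "session key matches:", r["SK"] == r["legit_sk"])
```

demo() returns the recovered identity, password and session key together with the key the legitimate parties computed. The joint search costs |E| × |D| hash computations, which is affordable precisely because both identities and passwords are low-entropy; storing b and h(y) in the clear on the card is what turns a stolen card into a complete offline oracle.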

Conclusions
Remote user authentication schemes are widely used to let authorized remote users communicate over an insecure network. In this paper, we have shown that Shunmuganathan et al.'s scheme is still vulnerable to the stolen smart card attack, the off-line password guessing attack and the user impersonation attack, and that it does not provide perfect forward secrecy. Our further research will focus on proposing a secure user authentication scheme that solves these problems.

Fig. 1. Registration Phase.

(Registration phase, continued.) Here x is the master secret key maintained by RC and y is a secret number generated by RC.
(c) The registration center then issues a smart card containing {Ci, Di, Ei, b, h(·), h(y)} and sends it to the user over a secure channel. Finally, the user stores the random number b in the smart card, which completes this phase.

(Password change phase, continued.)
(b) The smart card checks the entered information. If the user is authentic, the smart card prompts the user to input a new password PWi*, generates a new random number b*, and computes
Ai* = h(b*||PWi*) (16)
Ci* = h(IDi||h(y)||Ai*) (17)
Di* = Di ⊕ Ai ⊕ Ai* (18)
(c) Finally, the smart card stores Ci*, Di* and b* in place of Ci, Di and b. The updated smart card now holds {Ci*, Di*, Ei, b*, h(·), h(y)} and can be used as before.