Security Analysis of an Authentication Scheme Using Smart Cards

In 2010, Sood et al [3] proposed a secure dynamic identity based authentication scheme using smart cards. They claimed that their scheme is secure against various attacks. In this paper, we improve their scheme for outsider attack as well as insider attack. To remedy these security flaws, an improved scheme is proposed to withstand these attacks. [1] Introduction With the rapid increasing need of remote digital services and electronic transactions; authentication schemes that ensure secure communication through an insecure channel are gaining popularity and have been studied widely in recent years. In 1981, Lamport [4] proposed first remote user password based authentication scheme by employing a one way hash chain, in an insecure and untrusted network, but this scheme has a. That is why, Smart cards major drawbacks of its dependency on verification table. Smart cards implementation solved this problem of dependency on verification tables and ensures secure communication based authentication scheme are becoming day by day more popular. The paper is organized as follows: Section 2 reviews Sood et al's authentication scheme. Section 3 describes our proposed scheme followed by security analysis in Section 4. Finally, we conclude the paper in Section 5. [2] Phases of Sood et al's Scheme The dynamic identity based authentication scheme proposed by Sood et al in 2010, consists of four phases: registration phase, login phase, verification and session key agreement phase and password changing phase. The notations used throughout the paper are summarized below: Notations and Symbols used in paper Ui Legitimate ith user IDi Identifier of Ui PWi Password of Ui S The Server x Secret key of the server S yi Server's random value ski Session Key T Current date and time of inpute device T' Current date and time of the server S δT Expected time interval for a transmission delay H(.) Secure one way Hash Function ⊕ Bitwise Exclusively or (XOR) operation ∥ Bitwise concatenation operation [3] Our Proposed Scheme In this section, we propose an upgraded authentication scheme, that preserves the properties of Sood et al’s scheme and resolves all the identified weaknesses of their scheme and make it secure and efficient for practical applications. The scheme consists of four phases: registration phase, login phase, verification & session key agreement phase and password changing phase. [3.1] Registration When the user Ui wants to register, he chooses his identity IDi and password PWi, and send it to the server S via a secure communication channel. Then, the server S chooses random value yi for ith user and computes: Ni = H(PWi) ⊕ H(yi∥IDi) ⊕ H(x) ⊕ yi , Bi = H(yi) ⊕ H(PWi) , Vi = H(IDi∥PWi ) ⊕ PWi , Di = H(H(yi) ∥ IDi) , S chooses the value of yi, in such a way that the value of Di must be unique for each user. The server S stores (Ni, Bi, Vi, H(.)) into smart card and sends it to Ui, via a secure channel. [3.2] Login Phase The user Ui, inserts the smart card into the card reader and keys in IDi∗ and PWi∗ , then the smart card computes Vi∗ = H(IDi∗ ∥ PWi∗ ) ⊕ PWi∗ and checks whether computed Vi∗ is equal to the Vi or not. If they are equal, the requested user is the legitimate bearer of the smart card otherwise rejects the login request. To resist offline password guessing attack, the card reader locks the card if Ui enters either wrong identifier or wrong password more than limited number of times. After verifying the legality of the user, the smart card computes: