Elsevier

Computers & Security

Volume 21, Issue 4, 1 August 2002, Pages 372-375
Computers & Security

An Efficient and Practical Solution to Remote Authentication: Smart Card

https://doi.org/10.1016/S0167-4048(02)00415-7Get rights and content

Abstract

The smart card-based scheme is a very promising and practical solution to remote authentication. Compared with other smart card-based schemes, our solution achieves more functionality and requires much less computational cost. These important merits include: (1) there is no verification table; (2) users can freely choose their passwords; (3) the communication cost and the computational cost is very low; and (4) it provides mutual authentication between the user and the server.

Introduction

A remote authentication scheme is a mechanism to authenticate a remote user over an insecure communication. Since Lamport [21] proposed his remote authentication scheme in 1981, several schemes [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [17], [18], [19], [20] have been proposed to improve the security, the cost or the efficiency.

The security of the schemes has been improved in several ways. Traditionally, if a user wants to login to a computer system, he has to submit his identity and its corresponding password to the system. The system then compares the received data with the ones in its stored password files. Since the password is stored in plain-text form, this approach is clearly under the threat of revealing the password. To get rid of the attack on the stored plain password file, the schemes [17], [18] firstly encrypt the plain password file into the verification table. The verification table consists of the one-way hashing values of users’ passwords. It, therefore, ensures the secrecy of the passwords even the verification table is disclosed [17], [18]. However, the existence of the verification table (in disk and in memory) still incurs the risk of modification and the cost of protecting and maintaining the table [1], [3]. Therefore, several schemes without the verification table have been proposed [1], [3], [4], [6], [7], [11], [12], [19]. Among them, the technique based on the timestamp or the sequence number is widely used to resist the replay attack [1], [3]. However, Wu’s scheme [1] was found insecure by Hwang [2], and later improved by Chien et al. [10]. Chien et al. [9] also pointed out the insecurity in Tan-Zhu’s scheme [3]. Yang and Shieh [4] reported the security weakness of Wang-Chang’s scheme [8]. Chang and Laih [20] showed the insecurity of Chang-Wu’s scheme [19]. Unfortunately, most of these schemes only provide unilateral authentication (the user authentication), and only Yen-Liao’s scheme provides the function of mutual authentication [5]. As several Internet frauds being reported reveal [22], mutual authentication between the user and the server is indispensable to ensure the security.

Due to the low cost, the portability, and the efficiency and the cryptographic capacity, smart cards have been widely adopted in many E-commerce applications, network security protocols [15], [16], and also remote authentication schemes [1], [3], [4], [5], [6], [7], [8], [11], [12], [19]. However, from a business viewpoint, the cost of the implementation is always one of the most important factors in practical implementation [15]. Due to the power constraint of the smart cards and the cost of implementation, the lower the cost, the greater the chance of success in practical implementation. Among those smart-cards-based schemes, Sun’s scheme [12] is the most cost-effective because it requires only few hashing operations instead of the costly modular exponentiations in other implementations. However, Sun’s scheme did not provide mutual authentication and did not let users freely choose their passwords. From the view of human psychology, it is a very difficult and troublesome to memorize a long key or a server generated password; therefore, several schemes [1], [3], [4], [5], [6], [7], [8] have provided solutions to let users freely choose their passwords.

In this article, we propose an efficient and practical remote authentication scheme. This scheme has several merits: (1) it provides mutual authentication between the user and the server; (2) it lets users freely choose their passwords; (3) the verification table is not required; (4) the required operations are only few hashing operations. The remainder of this article is presented as follows. In Section 2, we present our scheme. In Section 3, we examine the security. In Section 4, the efficiency issue is discussed and a comparison is given. Finally, we conclude this article in Section 5.

Section snippets

Our scheme

In this section, we propose an efficient solution for remote authentication, using smart cards. The security of our scheme only depends on the secure one-way hash function, eg. MD5 or SHA-1 [13], [14]. Our scheme consists of three phases: the registration phase, the login phase, and the verification phase.

Registration phase: Like Sun’s scheme [12], we let x be the secret key maintained by the system, and h() be a secure one-way hash function with fixed-length output. Compared with the

Security analysis

In this section, the security of our scheme is examined as follows:

  • 1.

    The replay attacks, either the replay of the old request message or the replay of response message (T″, C3 ) in Step 3 of the authentication phase, fail because the validity of these messages can be checked through the time stamps.

  • 2.

    If an illegal user tries to request the authentication, he has to prepare the message (IDi,T, C2). However, this approach is not feasible because an illegal user has no way to have the value h(IDix)

Efficiency

In this section, we summarize some performance issues of our scheme. We then compare the result with Hwang’s scheme [12] and Sun’s scheme [13]. Finally, a table of comparisons of important properties among the referenced schemes is given at the end of this section.

Our scheme only requires several hashing operations in both the smart card side and the server side, and it requires a very small quantity of transmission data. Because the efficiency of the smart card is mostly concerned, only the

Conclusions

In this article, we have proposed a remote authentication scheme using the smart card. Compared with Sun’s scheme that is the most efficient one among the referenced works, our scheme achieves the same efficiency as Sun’s scheme. In addition to its performance achievement, our scheme has other merits: (1) Users can freely choose their passwords; (2) the verification table is not needed; (3) mutual authentication between the user and the server is provided. These merits make our scheme a very

References (22)

  • T.C. Wu, “Remote Login Authentication Scheme Based on a Geometric Approach,” Computer Communications 18 (12), pp....
  • M.-S. Hwang, “Cryptanalysis of a Remote Login Authentication Scheme,” Computer Communications 22, 742–744,...
  • K. Tan, and H. Zhu, “Remote password authentication scheme based on cross-produc,t”, Computer Communications 18, pp....
  • W.-H. Yang, and S.-P. Shieh, “Password authentication schemes with smart card,” Computer & Security, Vol. 18, No. 8,...
  • S.-M. Yen, and K.-H. Liao, “Shared authentication token secure against replay and weak key attack,” Information...
  • T.-C. Wu, and H.-S. Sung, “Authentication passwords over an insecure channel,” Computer & Security, Vol. 15, No. 5, pp....
  • J.-K. Jan, and Y.-Y. Chen, “Paramita wisdom: password authentication scheme without verification tables,” The Journal...
  • S,-J. Wang, and Jin-Fu Chang, “Smart card based secure password authentication scheme,” Computers & Security, Vol. 15,...
  • H.-Y. Chien, J.-K. Jan, and Y.-M. Tseng, “Impersonation attack on Tan-Zhu’s remote login scheme,” Electronics Letters,...
  • H.-Y. Chien, J.-K. Jan, and Y.-M. Tseng, “A modified remote login authentication scheme based on geometric approach,”...
  • M.-S. Hwang, and L.-H. Li, “A new remote user authentication scheme using smart cards,” IEEE Trans. on Consumer...
  • Cited by (0)

    View full text