Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards.

Younghwa An

Abstract

Recently, many biometrics-based user authentication schemes using smart cards have been proposed to address the security weaknesses in user authentication systems. In 2011, Das proposed an efficient biometric-based remote user authentication scheme using smart cards that can provide strong authentication and mutual authentication. In this paper, we analyze the security of Das's authentication scheme and show that it is still insecure against various attacks. We also propose an enhanced scheme that removes these security problems of Das's authentication scheme, even if the secret information stored in the smart card is revealed to an attacker. The security analysis shows that the enhanced scheme is secure against the user impersonation attack, the server masquerading attack, the password guessing attack, and the insider attack, and provides mutual authentication between the user and the server.

Year:  2012        PMID: 22899887      PMCID: PMC3415263          DOI: 10.1155/2012/519723

Source DB:  PubMed          Journal:  J Biomed Biotechnol        ISSN: 1110-7243


1. Introduction

User authentication in e-commerce and m-commerce has recently become an important security issue. The security weaknesses of remote user authentication schemes have been seriously exposed by careless password management and sophisticated attack techniques, and several schemes [1-6] have been proposed to address the various security problems in user authentication. In traditional identity-based remote user authentication, security rests on the password, but simple passwords are easily broken by simple dictionary attacks. To resolve the problems of single-password authentication, several biometrics-based remote user authentication schemes [7-13] have been designed.

Generally, biometrics-based remote user authentication is inherently more secure and reliable than the traditional authentication scheme. Biometric keys have some advantages over traditional passwords: they cannot be lost or forgotten; they are very difficult to copy or share; they are extremely hard to forge or distribute; they cannot be guessed easily; and one person's biometrics is no easier to break than another's.

In 2010, Li and Hwang [12] proposed an efficient biometrics-based remote user authentication scheme using smart cards. They claimed that their scheme not only keeps good properties (e.g., no synchronized clock, freely changeable password, mutual authentication) but also provides nonrepudiation. In 2011, however, Das [13] pointed out that Li-Hwang's scheme has security drawbacks in login and authentication, in the password change phase, and in the verification of biometrics. Then, Das proposed a more efficient biometrics-based remote user authentication scheme using smart cards which is secure against the user impersonation attack, the server masquerading attack, the parallel session attack, and the stolen password attack, and provides mutual authentication.

In this paper, we analyze the security of Das's authentication scheme and show that it is still vulnerable to various attacks and does not provide mutual authentication between the user and the server. We also propose an enhanced scheme that removes these security problems of Das's authentication scheme, even if the secret information stored in the smart card is revealed to an attacker.

For the security analysis of Das's authentication scheme, we assume that an attacker could obtain the secret values stored in the smart card by monitoring the power consumption [14, 15] and intercept messages communicated between the user and the server. We also assume that an attacker may possess the capabilities to thwart the security schemes. An attacker has total control over the communication channel between the user and the server in the login and authentication phase. That is, the attacker may intercept, insert, delete, or modify any message across the communication procedures. An attacker may either (i) steal a user's smart card and then extract the secret values stored in the smart card, or (ii) steal a user's password, but cannot do both (i) and (ii) at the same time. Obviously, if both the user's smart card and password were stolen at the same time, there would be no way to prevent an attacker from impersonating the user. Therefore, a remote user authentication scheme should be secure if only one of (i) and (ii) occurs.

This paper is organized as follows. In Section 2, we briefly review Das's authentication scheme. In Section 3, we describe the security analysis of Das's authentication scheme. The enhanced scheme is presented in Section 4, and security analysis of the enhanced scheme is given in Section 5. Finally, the conclusions are presented in Section 6.

2. Reviews of Das's Scheme

In 2011, Das proposed an improved biometrics-based remote user authentication scheme using smart cards. This scheme is composed of three phases: registration phase, login phase, and authentication phase. The notation used in this paper is shown in Table 1.

Table 1. Notations used in this paper.

Notation   Description
C_i        User i
R_i        Trusted registration centre i
S_i        Server i
A_i        Attacker i
PW_i       Password of the user i
ID_i       Identity of the user i
B_i        Biometric template of the user i
h( )       A secure hash function
X_s        A secret information maintained by the server
x||y       x concatenates with y
x ⊕ y      Exclusive-OR operation of x and y

2.1. Registration Phase

Before logging in to the remote server S, a user C initially has to register with the trusted registration centre R by the following steps. C submits his identity ID and password PW to R through a secure channel. Also, the user submits his biometrics information B on the specific device to R. R computes f = h(B), r = h(PW) ⊕ f and e = h(ID||X) ⊕ r, where X is a secret value generated by the server. R stores (ID, h(), f, e, r) on the user's smart card and sends it to the user via a secure channel.

2.2. Login Phase

When the user C wants to log in to the remote server S, the user has to perform the following steps. C inserts his smart card into a card reader and inputs the personal biometrics information B on the specific device to verify the user's biometrics. If the biometrics information matches the template stored in the system, C passes the biometrics verification. C inputs the ID and PW, and then the smart card computes r′ = h(PW) ⊕ f. If r′ equals r, the smart card computes the following equations, where R is a random number generated by the smart card: C sends the login request message {ID, M2, M3} to S.

2.3. Authentication Phase

After receiving the login request message, the remote server S has to perform the following steps with the user C to authenticate each other. S checks the format of ID. If the ID is valid, S computes M4 = h(ID||X) and M5 = M2 ⊕ M4. S verifies whether M3 = h(M5) or not. If they are equal, S computes the following equations, where R is a random number generated by the server: Then, S sends the message {M6, M7, M8} to C. After receiving the reply message, C verifies whether M7 = h(M2||R) or not. If they are equal, C computes M9 = M6 ⊕ M1. C verifies whether M8 = h(M9) or not. If they are equal, C computes M10 = h(M6||M9). Then, C sends the message {M10} to S. After receiving the message, S verifies whether M10 = h(M6||R) or not. If they are equal, S accepts the user's login request.
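
The three phases above as one runnable exchange, with both sides' messages; this is an added example, not code from the paper. The equations M1 = e ⊕ r, M2 = M1 ⊕ R, M3 = h(R) and M6 = M4 ⊕ R, M7 = h(M2||M5), M8 = h(R) are not printed in Sections 2.2 and 2.3 on this page, so they are taken from Sections 3.1 and 3.5 with the subscripts assumed. SHA-256 as h(), the biometric check h(B) = f, and all function names are also assumptions.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """h(a||b||...); SHA-256 is an assumed stand-in for the paper's h()."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def register(ident, pw, bio, X):
    """Section 2.1: R computes f, r, e and writes them to the card."""
    f = h(bio)
    r = xor(h(pw), f)
    e = xor(h(ident, X), r)
    return {"ID": ident, "f": f, "e": e, "r": r}

def card_login(card, pw, bio):
    """Section 2.2: local biometric and password checks, then {ID, M2, M3}."""
    if not hmac.compare_digest(h(bio), card["f"]):   # assumed form of the match
        raise PermissionError("biometric mismatch")
    if not hmac.compare_digest(xor(h(pw), card["f"]), card["r"]):
        raise PermissionError("password mismatch")
    Rc = secrets.token_bytes(32)
    M1 = xor(card["e"], card["r"])          # = h(ID||X)
    M2 = xor(M1, Rc)
    state = {"M1": M1, "M2": M2, "Rc": Rc}  # kept on the card side
    return state, {"ID": card["ID"], "M2": M2, "M3": h(Rc)}

def server_reply(X, req):
    """Section 2.3, server side: check M3, answer with {M6, M7, M8}."""
    M4 = h(req["ID"], X)
    M5 = xor(req["M2"], M4)                 # recovers the card's random number
    if not hmac.compare_digest(req["M3"], h(M5)):
        return None, None
    Rs = secrets.token_bytes(32)
    M6 = xor(M4, Rs)
    return {"M6": M6, "Rs": Rs}, {"M6": M6, "M7": h(req["M2"], M5), "M8": h(Rs)}

def card_confirm(state, rep):
    """Section 2.3, user side: check M7 and M8, answer with M10."""
    if not hmac.compare_digest(rep["M7"], h(state["M2"], state["Rc"])):
        return None
    M9 = xor(rep["M6"], state["M1"])        # recovers the server's random number
    if not hmac.compare_digest(rep["M8"], h(M9)):
        return None
    return h(rep["M6"], M9)                 # M10

def server_accept(srv, M10):
    return M10 is not None and hmac.compare_digest(M10, h(srv["M6"], srv["Rs"]))

def run_session(X, card, pw, bio):
    state, req = card_login(card, pw, bio)
    srv, rep = server_reply(X, req)
    if srv is None:
        return False
    return server_accept(srv, card_confirm(state, rep))
```

The password and biometric appear only in the card's local checks; every value sent on the wire is derived from e, r and the two random numbers.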

3. Security Analysis of Das's Scheme

In this section, we analyze the security of Das's scheme. To analyze the security weaknesses, we assume that an attacker could obtain the secret values stored in the smart card by monitoring the power consumption [14, 15] and intercept messages communicated between the user and the server. Under this assumption, we discuss the user impersonation attack, the server masquerading attack, the password guessing attack, the insider attack, and mutual authentication between the user and the server.

3.1. User Impersonation Attack

If the attacker can obtain the secret values (e, r) from the user's smart card illegally by some means and intercept the message {ID, M2, M3} in the login phase, the attacker can perform the user impersonation attack by the following steps. The procedure of the user impersonation attack is illustrated in Figure 1.

Figure 1. User impersonation attack and server masquerading attack.

The attacker A computes the following equations, where R is a random number chosen by the attacker: Then, A sends the forged message {ID, M, M} to the remote server S. Upon receiving the forged message, S checks the format of ID. If it is valid, S computes M4 = h(ID||X) and M5 = M ⊕ M4. S verifies whether M = h(M5) or not. If they are equal, S will be convinced that the message {ID, M, M} was sent by the legal user. Then, S makes the reply message {M6, M7, M8} by computing M6 = M4 ⊕ R, M7 = h(M||M5) and M8 = h(R) in the authentication phase.

3.2. Server Masquerading Attack

If the attacker can obtain the secret values (e, r) from the user's smart card illegally by some means and intercept the message {M2} in the login phase and {M6, M7, M8} in the authentication phase, the attacker can perform the server masquerading attack by the following steps. The procedure of the server masquerading attack is illustrated in Figure 1. The attacker A computes the following equations, where R is a random number chosen by the attacker: Then, A sends the forged message {M, M, M} to the user C. Upon receiving the forged message, C checks whether M = h(M2||R) or not. If they are equal, C computes M9 = M ⊕ M1. C verifies whether M = h(M9) or not. If it holds, C will be convinced that the message {M, M, M} was sent by the legal server. Then, C makes the reply message {M10} by computing M10 = h(M||M9) in the authentication phase.

3.3. Password Guessing Attack

If an attacker can extract the secret values (r, f) from the legal user's smart card by some means, the attacker can easily find out PW by performing the password guessing attack, in which each guess PW* for PW can be verified by the following steps. The attacker A computes the secret parameter r* = h(PW*) ⊕ f from the registration phase. A verifies the correctness of PW* by checking r = r*. A repeats the above steps until a correct password PW* is found. Thus, the attacker can perform the password guessing attack and can successfully impersonate the legal user with the guessed user password.

3.4. Insider Attack

In the registration phase, if the user's password PW and biometrics information B are revealed to the server, an insider of the server may directly obtain the user's password and biometrics information. Thus, the insider, acting as an attacker, can impersonate the legal user to access the user's other accounts on other servers if the user uses the same password for those accounts.

3.5. Mutual Authentication

Generally, if an authentication scheme is insecure against the user impersonation attack and the server masquerading attack, it cannot provide mutual authentication between the user and the remote server. Therefore, Das's scheme fails to provide mutual authentication as described in Sections 3.1 and 3.2. Namely, if the attacker can obtain the secret values (e, r) from the legal user's smart card by some means and intercept the messages communicated between the user and the server, the attacker can make the forged messages easily by computing M = e ⊕ r, M = M ⊕ R, and M = h(R) in the login phase. Also, the attacker can make the forged messages easily by computing M = M ⊕ R, M = h(M2||M), and M = h(R) in the authentication phase.

4. The Enhanced Scheme

In this section, we propose an enhancement of Das's scheme which not only can withstand the various attacks but also provides mutual authentication between the user and the server. The enhanced scheme is divided into three phases: registration phase, login phase, and authentication phase.

4.1. Registration Phase

Before logging in to the remote server S, a user C initially has to register with the trusted registration centre R by the following steps. The registration phase is illustrated in Figure 2.

Figure 2. Registration phase of the enhanced scheme.

C submits his identity ID and password information (PW ⊕ K) to R through a secure channel. The user also submits his biometrics information (B ⊕ K) via the specific device to R, where K is a random number generated by C. R computes f = h(B ⊕ K), r = h(PW ⊕ K) ⊕ f and e = h(ID||X) ⊕ r, where X is a secret value generated by the server. R stores (ID, h(), f, e) on the user's smart card and sends it to the user via a secure channel. C then stores the random number K in the smart card issued by R.

4.2. Login Phase

When the user C wants to log in to the remote server S, the user has to perform the following steps. The login phase and authentication phase are illustrated in Figure 3.

Figure 3. Login phase and authentication phase of the enhanced scheme.

C inserts his smart card into a card reader and inputs the biometrics information B on the specific device to verify the user's biometrics. If the biometrics information h(B ⊕ K) matches f stored in the system, C passes the biometrics verification. C inputs the ID and PW, and then the smart card computes the following equations, where R is a random number generated by the user: C sends the login request message {ID, M2, M3} to S.

4.3. Authentication Phase

After receiving the login request message, the remote server S has to perform the following steps with the user C to authenticate each other. S checks the format of ID. If the ID is valid, S computes M4 = h(ID||X) and M5 = M2 ⊕ M4. S verifies whether M3 = h(M4||M5) or not. If they are equal, S computes the following equations, where R is a random number generated by the server: Then, S sends the message {M6, M7} to C. After receiving the reply message, C computes M8 = M6 ⊕ M1 and verifies whether M7 = h(M1||M8) or not. If they are equal, C computes M9 = h(M1||R||M8). Then, C sends the message {M9} for authentication to S. After receiving the message, S verifies whether M9 = h(M4||M5||R) or not. If they are equal, S accepts the user's login request.

5. Security Analysis of the Enhanced Scheme

In this section, we provide the security analysis of the enhanced scheme based on the password and biometrics information. To analyze the security of the enhanced scheme, we assume that an attacker can access a user's smart card and extract the secret values stored in the smart card by some means [14, 15], and intercept the messages communicated between the user and the server.

5.1. User Impersonation Attack

To impersonate the legitimate user, an attacker attempts to make a forged login request message which can be authenticated to the server. However, the attacker cannot impersonate the legitimate user by forging the login request message even if the attacker can extract the secret values (f, e) stored in the user's smart card, because the attacker cannot compute the login request message (M2, M3) without knowing the secret value X kept by the server. Hence, the attacker has no chance to log in to the enhanced scheme by launching the user impersonation attack.

5.2. Server Masquerading Attack

To masquerade as the legitimate server, an attacker attempts to make a forged reply message that the user will accept in response to the user's login request message. However, the attacker cannot masquerade as the server by forging the reply message, because the attacker cannot compute the (M6, M7) sent to the user without knowing the secret value X kept by the server. Hence, the attacker cannot masquerade as the legitimate server to the user by launching the server masquerading attack.

5.3. Password Guessing Attack

After the attacker extracts the secret values (f, e, K) stored in the user's smart card under the described assumption, the attacker attempts to derive the user's password PW using r = h(PW ⊕ K) ⊕ f in the registration phase. However, the attacker cannot guess the user's password PW using the secret values extracted from the legitimate user's smart card, because the attacker cannot compute the secret value r without knowing the secret value X kept by the server.

5.4. Insider Attack

In the registration phase, if the user's password PW and the biometrics information B are revealed to the server, an insider of the server may directly obtain PW and B and impersonate the user to access the user's other accounts on other servers. However, the enhanced scheme is secure against the insider attack, because the user submits h(PW ⊕ K) instead of PW and h(B ⊕ K) instead of B.

5.5. Mutual Authentication

As described in Sections 5.1 and 5.2, the enhanced scheme can withstand the user impersonation attack and the server masquerading attack; consequently, the proposed scheme provides mutual authentication between the user and the remote server. Namely, even if the attacker can extract the secret values (f, e) stored in the user's smart card, the user can be authenticated to the server and the server can be authenticated to the user, because the attacker cannot make the login request message {ID, M2, M3} and the reply message {M6, M7} without knowing the secret value X kept by the server.
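
A stored-value audit that contrasts the card contents of Section 2.1 with those of Section 4.1, relating to Sections 3.1, 3.3 and 5.1 to 5.3; this is an added example, not code from the paper. It XORs every combination of values stored on the card and reports any combination that equals the password hash or the server-derived key h(ID||X). SHA-256 as h(), zero-padding before the ⊕ K masking, the function names and the sample inputs are all assumptions, and the check covers stored card values only.

```python
import hashlib
from functools import reduce
from itertools import combinations

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mask(value: bytes, K: bytes) -> bytes:
    """value ⊕ K, with value zero-padded to len(K) (encoding is assumed)."""
    return xor(value.ljust(len(K), b"\0"), K)

def das_card(ident, pw, bio, X):
    """Secrets stored on the card after Section 2.1 registration."""
    f = h(bio)
    r = xor(h(pw), f)
    return {"f": f, "e": xor(h(ident, X), r), "r": r}

def enhanced_card(ident, pw, bio, X, K):
    """Secrets stored on the card after Section 4.1 registration (r is not stored)."""
    f = h(mask(bio, K))
    r = xor(h(mask(pw, K)), f)
    return {"f": f, "e": xor(h(ident, X), r), "K": K}

def audit(card, sensitive):
    """Map each sensitive value to the stored fields whose XOR equals it."""
    found = {}
    names = sorted(card)
    for n in range(1, len(names) + 1):
        for combo in combinations(names, n):
            value = reduce(xor, (card[c] for c in combo))
            for label, target in sensitive.items():
                if value == target:
                    found.setdefault(label, combo)
    return found

# Constructed sample inputs, not values from the paper.
ID, PW, B = b"alice", b"pw123", b"constructed-template"
X, K = b"constructed-server-secret", bytes(range(32))

def compare():
    das = audit(das_card(ID, PW, B, X),
                {"h(PW)": h(PW), "h(ID||X)": h(ID, X)})
    enh = audit(enhanced_card(ID, PW, B, X, K),
                {"h(PW⊕K)": h(mask(PW, K)), "h(ID||X)": h(ID, X)})
    return das, enh
```

For the Section 2.1 card the audit reports f ⊕ r = h(PW) and e ⊕ r = h(ID||X); for the Section 4.1 card it reports nothing.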

5.6. Security Comparison of the Related Scheme and the Enhanced Scheme

The security analysis of the related scheme and the enhanced scheme is summarized in Table 2. The enhanced scheme is relatively more secure than Li-Hwang's and Das's scheme. In addition, the enhanced scheme provides mutual authentication between the user and the server.

Table 2. Security comparison of the related scheme and the enhanced scheme.

Security features            Li-Hwang's scheme [12]   Das's scheme [13]   Enhanced scheme
User impersonation attack    Possible                 Possible            Impossible
Server masquerading attack   Possible                 Possible            Impossible
Password guessing attack     Possible                 Possible            Impossible
Insider attack               Possible                 Possible            Impossible
Mutual authentication        Not provided             Not provided        Provided

6. Conclusions

In this paper, we analyzed the security of Das's scheme and showed that it is not secure against various attacks and fails to provide mutual authentication between the user and the server. We also proposed an enhanced scheme to overcome these security weaknesses, while preserving all their merits, even if the secret information stored in the smart card is revealed. As a result of the security analysis, the enhanced scheme is secure against the user impersonation attack, the server masquerading attack, the password guessing attack, and the insider attack, and provides mutual authentication between the user and the server.