In 2005, Manik et al. propose a novel remote user authentication scheme using bilinear pairings which allows a valid user to login to the remote system but prohibits too many users to login with the same login-ID. It also provides a flexible password change
function. In this paper, we will show that this remote user authentication scheme is not secure, an adversary can always pass the authentication

Jue-Sam Chou

Jyun-Yu Lin

Yalin Chen

Cryptology ePrint Archive

1Improvement ofManik et al.’sremote user authentication schemeJue-Sam Chou, a ,Yalin Chen b Jyun-Yu Lin ca Department of Information Management, Nanhua University Chiayi, 622, Taiwanjschou@mail.nhu.edu.twTel: 886+(0)5-2721001ext.56226b Institute of information systems and applications, National Tsing Hua Universityd949702@oz.nthu.edu.twTel: 886+(0)3-5738997c Department of Information Management, Nanhua University Chiayi, 622, Taiwanasurejoker@gmail.comTel: 886+(0)5-2721001 ext.2017AbstractIn 2005, Manik et al. propose a novel remote user authentication scheme usingbilinear pairings which allows a valid user to login to the remote system but prohibits toomany users to login with the same login-ID. It also provides a flexible password changefunction. In this paper, we will show that this remote user authentication scheme is notsecure, an adversary can always pass the authentication.Keywords: bilinear pairings, security, Key-Compromise Impersonation, authentication, smart card1. IntroductionIn 1976, Diffie and Hellman first propose a public key cryptosystem based on thecomplex discrete logarithm problem [3] and opened the modern cryptography era. Afterthat, several developed cryptosystems such as RSA [4], Digital signature [5] based on thePublic-Key Infrastructure are proposed. Because these systems have a superior securitylevel, many researches work in this area attempting to improve and extend some existedapplications. Under this scenario, the idea of ID-Based public-key cryptosystem was firstintroduced in 1984 by Shamir which [6] allows a user to use his ID as his public key.Recently, in 2001, bilinear pairings such as Weil pairing and Tate pairing defined onelliptic curves were proved and can be applied to cryptography. The bilinear pairings arean effective method to reduce the complexity of the discrete log problem in a finite field[1] [2]. Pairing provides a good setting for the bilinear Diffie–Hellman problem and hasbeen used to design several cryptosystems. The benefit of a bilinear pairing cryptosystemis that it remains the same security level but reduces the computation cost. Manyprotocols are designed based on the Weil pairing. For example, one-round tripartite keyagreement[7], the ID-based public-key encryption scheme based on bilinearDiffie–Hellman problem[8], ID-based authentication key agreement protocol based onpairing[9] and ID-based signature schemes[10], etc.In 2005, Manik et al. propose a novel remote user authentication scheme usingbilinear pairings [12] to prevent an adversary from launching a forgery attack in a loginsession. In this paper, we propose an impersonation attack on their remote user2authentication scheme by showing that any malicious users can impersonate an entity todeceive the remote server. So, their scheme cannot provide the security as claimed.The organization of this article is as follows: in Section 2, we present thepreliminaries of bilinear pairings and the four secure attributes [11] in a key agreementprotocols. In Section 3, we review the Manik et al.’sremote user authentication scheme.In section 4, we describe how their scheme is easy to suffer from the impersonationattack. Finally, a conclusion is given in Section 5.2. Bilinear pairingsIn this section, we will first introduce the concepts of bilinear pairings map under theassumption that G 1 is an additive cyclic group generated by P, whose order is a prime q,and G 2 is a multiplicative cyclic group of the same order. After that, the four secureattributes [11] in a sound authenticated key agreement protocol are described.2.1 Bilinear pairings mapA map e: G 1 ×G 1  G 2 is called a bilinear map if it satisfies the followingproperties:1. Bilinear: e(aP, bQ) =e(P ,Q) ab for all P, Q G 1 and a, bZ*q .2. Non-degenerate: there exist P, Q G 1 such that e(P,Q)1.3. Computable: there is an efficient algorithm to compute e(P; Q) for all P, Q G 1 .2.2 Security attributesIn order to reach a higher security level, Wilson and Menezes [11] defined severalsecurity attributes. We show these attributes in the following. Here, we assume A and Bare two honest entities.1. Known-Key SecurityIn each round of key agreement protocol, A and B should generate a unique session key.Each session key generated in one protocol round is independent and should not beexposed if other session keys are compromised.2. Forward SecrecyThe forward secrecy property is that if A and B’scurrent session key are compromised,the session keys used in the past should not be recovered.3. Key-Compromise Impersonation (KCI) attackA protocol which is secure against the KCI atack means that if A’s long-term secretkey is compromised, the adversary who knows the value can not impersonate others toA.4. Unknown Key-Share attackAfter the protocol, A believes he shares a key with B, but B mistakenly believes thatthe key is instead shared with an adversary. Therefore, a sound authenticated keyagreement protocol should prevent the unknown key-share situation.33. Review of Manik et al.’sremote user authentication schemeManik et al.’sscheme has three mainly phases, the setup phase, the registration phase,and the authentication phase.3.1 Setup phaseLet G 1 be an additive cyclic group of a prime order q, G 2 be a multiplicative cyclicgroup of the same order, and P be a generator of G1. Define e :( G 1 ×G 1 G 2 ) to be abilinear mapping and H: {0,1} *  G 1 be a cryptographic hash function. Suppose theremote system (RS) selects a secret key s and computes his public key as Pub RS =sP.Then, the RS publishes the system parameters (G 1 , G 2 , e, q, P, Pub RS , H) and keeps ssecret.3.2 Registration phaseThis phase is executed by the following steps when a new user U i wants to registerwith the RS.Step1. U i submits his identity ID i and password PW i to the RS.Step2. On receiving the registration request, the RS computesRegiID= sH(ID i ) + H(PW i ).Step3. The RS personalizes a smart card with the parameters ID i , Reg iID , H( ) andsends the smart card to U i over a secure channel.3.3 Authentication phaseThis phase will be executed whenever a user wants to log into the RS. We describe itas follows and also delineate it in figure 1.a. loginSuppose the ID i of user U i is stored in the smartcard and U i wants to login tothe remote system, then the smart card will process the login operation after U i hasinserted the smart card and inputted the ID i and PW i to the terminal. For example,the smart card will compute DID i = TReg iID and V i = TH (PW i ), where T is theuser system’s timestamp. After that, terminal will send the login request <ID i , DID i ,V i , T> to the RS over the public channel.b. verificationAfter receiving the login message <ID i , DID i , V i , T>, RS will perform the4following operations to verify it.Step1. Verify the validity of the time interval between T * and T. If (T * - T) T, thenRS goes to step2 else rejects. HereT denotes the time delay which is in thetolerable range by both the user and RS.Step2. Checks to see whether e(DID i -V i , P) = e(H(ID i ),Pub RS ) T holds, if it holds, RSaccepts the login request; otherwise, it rejects. The deduction process is asfollows:e (DID i -V i , P) = e(TReg iID －V i , P)= e((T(sH(ID i)+H(PW i )－TH (PW i ), P)= e(sH(ID i ), P)T = e(H(ID i ), Pub RS )TThe protocol is also shown below in Figure1:Registration phaseuser RS).) + H(PW= sH(IDReg iiID iAuthentication phase1.loginuser RS TVDIDID iii ,,,ii PWID、、H()、RegIDiIDi)(and, iiIDi PWHTVRegTDID i where2.verification RSTRSiii PubIDHePVDIDe )),((),( Checks hold or nota.b.1.2.3.4 Password change phaseThis phase allows U i to change his password freely. He can easily change hispassword without taking any assistance from the RS. This phase can be described asfollows:Step1. U i first inputs his correct ID i and PW i , and then he submit a newly selectedpassword PW *i to the smart card.Step2. The smart card then does the computation as follows:Reg *iID= RegiID－H(PW i ) + H(PW*i ) = sH(ID i ) + H(PW*i ).Thus, the password can be changed to PW *i and the smart card will replace theFigure1. Both of the registration and authentication phase inManik et al.’sscheme5previously stored RegiIDby Reg *iID.4. Our attackIn this section we will analyze the protocol proposed by Manik et al. under theassumption that an adversary X wants to impersonate a legal registered user U i to RS.After analyzing, we find that the protocol is not secure as they claimed. We describe ourcryptanalysis as follows.Step1. X can record any login message < ID i , DID i , V i , T >, sent by U i who had everlogged into RS. And then computes as follows:DID i -V i ＝ TReg iID －TH (PW i ).＝ T[sH(ID i )+H(PW i )]－TH(PW i )＝ TsH(ID i )Step2. X can pick a random timestamp T’and computes T’H(PW j ), where PW j isX’s randomly selected password not confirmed by RS.Step3. X computes his DID j and V j as follows.DID j ＝ T’( DID i -V i ) +T’TH(PW j )＝ T’TsH(ID i) + T’TH(PW j ), andV j ＝ T’TH(PW j ), respectively.Then X computes:( Let TT’ ＝ T”.)DID j -V j ＝ T”Reg iID －T”H (PW i )＝ {T”[sH(ID i ) + H(PW i )]}－T”H (PW i )＝ T”sH(ID i ).Step4. At a later time T”, when X wants to launch an attack, he can use this forgedmessage <ID i , DID j , V j, T”>to masquerade as U i to RS.Because RS doesn’t store the ID and PW of a specific user. And it’s verificationdepends only on checking whether e(DID j -V j , P) = e(H(ID i ), Pub RS )"T holds. If thisequation holds, RS will accept the forged login message. Clearly, it can be seem that thisverification equation holds. Since we already deduce (DID j -V j ) to be T”sH(ID i ) inStep3. As a result, X can easily impersonate any valid user, for example ID i , he wants byour method. We show our attack in figuare2.6valid user RS TVDIDID iii ,,,Recorded by XX RS ",,, TVDIDID jjiT'TT")H(PWT"V)H(PWT")H(IDST"DIDjjjijwhere5. Our improvementThe main problem in their scheme can be easily seen. It is that the value of V i can becancelled out from DID i and TsH(ID i ) remains after this cancellation. Thus, wemust prevent this situation to occur. To remedy this problem, the verification equationshould be modified to e(DID i , P) = e(TsH(ID i )+ V i , P).6. ConclusionsIn this paper, we have shown that Manik et al.’sscheme is vulnerable to theimpersonate attack. We have also proposed the resolvable solution in Section 5.References[1]G.Frey, H. Ruck, A remark concerning m-divisibility and the discrete logarithm in the divisor classgroup of curves, Mathematics of Computation 62 (1994) 865–874.[2] A.Menezes, T.Okamoto , S.Vanston, Reducing elliptic curve logarithms to logarithms in a finite field,IEEE Transaction on Information Theory 39 (1993) 1639–1646.[3] Diffie, W., Hellman, M., 1976. New directions in cryptography. IEEETransactions on Information Theory 22 (6), 644–654.[4] R.L. Rivest, A. Shamir, L. Adelman, A method for obtaining digital signature and public keycryptosystem, Comm. ACM 21 (2) (1978) 120–126[5] A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems,in: A.M. Odlyzko (Ed.), Advances in Cryptology, Proceedings of CRYPTO_86, 1986, Santa Barbara,CA, USA, Lecture Notes in Computer Science, vol. 263, Springer, New York, 1987.[6] Shamir, Identity based cryptosystems & signature schemes, Advances in Cryptology, CRYPTO’84, Lecture Notes-Computer Science, 1984, pp. 47–53.[7] A. Joux, A one round protocol for tripartite Diffie–Hellman, in: Proceedings of Algorithmic NumberTheory Symposium Lecture Notes in Computer Science, vol. 1838, Springer-Verlag, Berlin, 2000, pp.385–394.[8] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances inCryptology—Crypto_01, LNCS 2139, Springer-Verlag, 2001, pp. 213–229.[9] N.P. Smart, An identity based authentication key agreement protocol based on pairing, Electron. Lett.38 (2002) 630–632.[10] K.G. Paterson, ID-based signature from pairings on elliptic curves, Electron. Lett. 38 (18)(2002),1025–1026.Figuare2. Our attack7[11] S. B. Wilson, and A. Menezes, ”Authenticated Difie-Hellman key agreement protocols”, Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography (SAC ’98), Lecture Notes in Computer Science, pp. 339-361, 1999.[12] M. L. Das , and A. Saxena , “A novel remote user authentication scheme using bilinear pairings”Computers & Security, 2005

Improvement of Manik et al.¡¦s remote user authentication scheme

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive