(IJCNS) INTERNATIONAL JOURNAL OF COMPUTER AND NETWORK SECURITY, VOL. 1, NO. 1, JANUARY 2009


An Improved Biometric Remote User Authentication Scheme Based on Nonce

Keerti Srivastava, Amit K Awasthi, R.C. Mittal

Abstract—Today, in online transactions (e-banking, mobile banking, etc.), remote user authentication is the tool used to authenticate remote users, and various authentication schemes have been proposed so far. In 2006, Khan et al. contributed a significant and novel idea to further strengthen secure communication networks: a chaotic hash-based fingerprint biometric remote user authentication scheme. Even this scheme, however, is vulnerable to a few serious attacks. The present paper identifies these weaknesses and proposes a new, improved scheme.

Keywords: Authentication, spoofing attack, smart card, security improvement

I. INTRODUCTION

In 1981, Lamport [9] proposed an authentication scheme using cryptographic hash functions. However, high hash overhead and the necessity for password resetting decrease its suitability for practical use. Since then, many improved password authentication schemes, e.g. [15] [13] [2] [18], have been proposed. One common feature of these schemes is that the server has to securely store a verification table; if the verification table is stolen by the adversary, the system may be broken. To resist such a stolen-verifier attack, in 1990 Hwang et al. [19] proposed a non-interactive password authentication scheme and an enhanced version of it which additionally uses smart cards. In Hwang et al.'s schemes, the server does not require any verification table. In 2000, Hwang and Li [14] proposed a verification-free password authentication scheme using smart cards based on ElGamal's public-key technique [17]. However, Hwang-Li's scheme does not allow users to freely choose and change their passwords. Furthermore, Hwang-Li's scheme was found to be vulnerable to various impersonation attacks [4], [3], [8]. To improve efficiency, H. M. Sun proposed a light-weight, verification-table-free password authentication scheme [7] using smart cards based on cryptographic hash functions. The major drawbacks of Sun's scheme are that the password is not easily memorizable and the user cannot freely choose or change his/her password. The various password protection mechanisms in use carry the risk of theft and of willing or unwilling key disclosure to an unauthorized user. Dovetailing biometrics with a typical remote user authentication scheme has made it infallible, as biometrics work on physical characteristics: fingerprints, voice recognition, etc.

Affiliations: Group for Cryptology Research, Department of Applied Science, Pranveer Singh Institute of Technology, Kanpur, U.P., India; Department of Mathematics, Indian Institute of Technology, Roorkee, U.A., India.
Manuscript received on November 5, 2008; Revised and online on November 20, 2008.

In 2006, Khan et al. [12] formulated a biometric remote user authentication scheme using chaos in its deterministic form, drawing on the omnipresence of chaos in the real world, for a more secure design of communication protocol [23] [11]. Chaotic cryptography, with its random-like behavior, constitutes a potential protection asset in modern cryptography. Khan et al.'s scheme, based on a new family of one-way collision-free chaotic hash functions [1], showed its supremacy over modular exponentiation-based authentication schemes, e.g. Diffie-Hellman [1], ElGamal [17] and RSA-based encryption algorithms [7]. Khan's scheme, however, is exposed to privileged insider attacks on the remote system [22] and is also exposed to an impersonation attack, as an adversary can be authenticated even without the valid password [6]. As a remedy to these pitfalls, this paper presents an efficient improvement with more security; as a result, the proposed scheme can withstand the previously proposed attacks.

II. CHAOTIC HASH FUNCTION

This section briefly reviews the chaotic hash function [12] [11]. This is a one-way function/transformation, which makes it an ideal candidate for a collision-free one-way hash function. After applying this function, an arbitrary input becomes a fixed-size string, called the hash value [10]. In 2005, Wang et al. [21] created a chaotic hash algorithm based on an n-D nonlinear autoregressive filter. The chaotic hash function is an iterative hash function. It can be represented by

(Hi, φi) = F(φi, Hi−1 ⊕ Mi), i = 1, 2, …, s,
H(M) = Hs,

where F(.) is a round function, φi is the input value of F(.), Mi is the i-th message sub-block, Hi is the i-th intermediate hash value and H(M) is the final hash value.

III. REVIEW OF KHAN ET AL.'S SCHEME

This section briefly reviews Khan et al.'s scheme, which is composed of four phases: registration, login, authentication, and password change.

Information held by the remote system: x, hc(.)
Shared information: hc(.)
Information held by user Ui: IDi, pwi
Mobile device: IDi, Ai, Vi, Si, hc(.)
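The iterated structure of Section II, as an added example that is not code from the paper or from Wang et al.: a generic driver that pads the message, splits it into sub-blocks M1, …, Ms and chains the state (Hi, φi) through a round function F, returning H(M) = Hs. Assumptions: the real chaotic round function is not given on the page, so F here is a constructed stand-in built from SHA-256 that reproduces only the chaining structure, not a chaotic map; the 16-byte sub-block size and the length-then-zero padding are constructed conventions; and since the printed formula has φi on both sides, the code carries the φ produced by round i−1 into round i.

```python
import hashlib

BLOCK = 16  # sub-block size in bytes (constructed convention, not from the paper)


def round_function(phi: bytes, block: bytes) -> tuple:
    """Constructed stand-in for the round function F: (φ, H_{i-1} ⊕ M_i) -> (H_i, φ_i).
    Built from SHA-256 for this example; the paper's chaotic F is not reproduced."""
    out = hashlib.sha256(b"F" + phi + block).digest()
    return out[:BLOCK], out[BLOCK:]          # first half is H_i, second half is the next φ


def split_blocks(message: bytes) -> list:
    """Append the message length, zero-pad to a multiple of BLOCK, split into M_1..M_s."""
    padded = message + len(message).to_bytes(8, "big")
    padded += b"\0" * (-len(padded) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def iterated_hash(message: bytes, h0: bytes = bytes(BLOCK), phi0: bytes = bytes(BLOCK)) -> bytes:
    """(H_i, φ_i) = F(φ, H_{i-1} ⊕ M_i) for i = 1..s; returns H(M) = H_s (fixed size)."""
    h, phi = h0, phi0
    for m_i in split_blocks(message):
        h, phi = round_function(phi, bytes(a ^ b for a, b in zip(h, m_i)))
    return h


if __name__ == "__main__":
    print(iterated_hash(b"constructed sample message").hex())
```

The length suffix in split_blocks is what keeps two messages that differ only by trailing zero bytes from colliding after padding; the paper's own padding rule is not stated, so this is the usual strengthening and not a claim about the chaotic construction.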

A. Registration Phase

Fig. 1 shows the registration phase of Khan et al.'s scheme. In the registration phase, user Ui chooses his/her identity IDi and password pwi, and interactively submits these to the registration center. Ui also imprints his/her fingerprint impression at the sensor, and then the registration system performs the following operations.

1) Computes Ai = hc(IDi ⊕ x), where x is the private key of the remote system, ⊕ is the bit-wise exclusive-OR operation and hc(.) is a collision-free one-way chaotic hash function.
2) Computes Vi = Ai ⊕ hc(pwi ⊕ Si), where Si is the extracted fingerprint template of the user.
3) The remote system personalizes the secure information IDi, Ai, Vi, Si, hc(.) and saves it into the mobile device of Ui.

Fig. 1. REGISTRATION PHASE
  User: choose identity IDi; choose password pwi; input fingerprint impression Si
  User → Remote system (secure channel): IDi, pwi, Si
  Remote system: Ai = hc(IDi ⊕ x); Vi = Ai ⊕ hc(pwi ⊕ Si); store IDi, Ai, Vi, Si, hc(.) in the mobile device
  Remote system → User (secure channel): mobile device

Fig. 2. LOGIN PHASE
  User Ui: input IDi, pwi*, Si; imprint fingerprint; verify fingerprint; Bi = Vi ⊕ hc(pwi* ⊕ Si); verify Bi = Ai; pick up Tu; C1 = hc(Bi ⊕ Tu)
  User → Remote system: (IDi, C1, Tu)
  Remote system: check IDi; check Ts − Tu < ∆T; C1* = hc(hc(IDi ⊕ x) ⊕ Tu); verify C1* = C1; pick up Ts; C2 = hc(hc(IDi ⊕ x) ⊕ Ts)
  Remote system → User: (C2, Ts)
  User: check Ts = Tu; C2* = hc(Bi ⊕ Ts); check C2* = C2

B. Login Phase

Fig. 2 shows the login phase of Khan et al.'s scheme. If Ui wants to log in to the remote system, he or she opens the login application software, enters identity IDi and password pwi* and imprints a fingerprint biometric at the sensor. If Ui is successfully verified by his/her fingerprint biometric, the mobile device performs the following operations:

1) Computes Bi = Vi ⊕ hc(pwi* ⊕ Si), and verifies whether Bi is equal to the stored Ai or not. If not equal, the device terminates the operation; otherwise it performs further operations.
2) Computes C1 = hc(Bi ⊕ Tu), where Tu is the current timestamp of the device.
3) At the end of the login phase, Ui sends the login message m = (IDi, C1, Tu) to the remote system over an insecure network.

C. Authentication Phase

When the remote system receives the message m = (IDi, C1, Tu) from the user, the remote system and the user perform the following operations:

1) The remote system checks whether the format of IDi is invalid or Ts = Tu, where Ts is the current timestamp of the remote system; if so, it rejects the login request.
2) If (Ts − Tu) ≥ ∆T, where ∆T denotes the expected valid time interval for transmission delay, then the remote system rejects the login request.
3) The remote system computes C1* = hc(hc(IDi ⊕ x) ⊕ Tu). If C1* is equal to the received C1, the user is authentic; the remote system accepts the login request and performs the next step, otherwise the request is rejected.
4) For mutual authentication, the remote system computes C2 = hc(hc(IDi ⊕ x) ⊕ Ts) and then sends the mutual authentication message (C2, Ts) to Ui.
5) Upon receiving the message (C2, Ts), the user checks whether Ts is invalid or Ts = Tu; if so, the user Ui terminates this session, otherwise performs the next step.


6) Ui computes C2* = hc(Bi ⊕ Ts) and compares C2* with C2. If they are equal, the user believes that the remote party is authentic and mutual authentication is complete.

D. Password Change Phase

Whenever Ui wants to change or update his/her old password pwi to a new one pwi′, he/she opens the login application on his/her mobile device and enters his/her IDi, old password pwi*, new password pwi′, and also imprints a fingerprint at the sensor. If Ui is successfully verified by his/her fingerprint, the device performs the following operations.

1) Computes Bi = Vi ⊕ hc(pwi* ⊕ Si) = hc(IDi ⊕ x).
2) Verifies whether Bi = Ai or not. If the two are equal, the mobile device performs further operations; otherwise it terminates the operation.
3) Computes Vi′ = Bi ⊕ hc(pwi′ ⊕ Si).
4) Stores Vi′ on the user's mobile device, replacing the old value Vi. The new password pwi′ is now successfully updated and the phase terminates.
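As an added example (not code from the paper or from Khan et al.), the following Python models the four phases reviewed above end to end, and also the change proposed in Section V below (the device stores Xi = hc(Ai) instead of Ai and checks hc(Bi) = Xi, and the server derives pwi ⊕ Si as α ⊕ γ rather than receiving pwi itself), so the two can be compared with one set of functions. Assumptions: SHA-256 stands in for the chaotic hash hc(.); every operand is fixed to 32 bytes so the bit-wise XORs are well defined; timestamps are integers; fingerprint verification is modelled as template equality; and the public-key transport Epu of α is outside the example. The identity, passwords and fingerprint template are constructed values.

```python
import hashlib
import os

BLOCK = 32  # every operand is fixed to 32 bytes so bit-wise XOR is well defined (assumption)


def hc(data: bytes) -> bytes:
    """Stand-in for the chaotic hash hc(.); SHA-256 is an assumption, not the paper's function."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(p ^ q for p, q in zip(a, b))


def pad(s: bytes) -> bytes:
    return s.ljust(BLOCK, b"\0")[:BLOCK]


def ts(t: int) -> bytes:
    """Encode an integer timestamp as a 32-byte XOR operand."""
    return t.to_bytes(BLOCK, "big")


class RemoteSystem:
    def __init__(self, x: bytes, delta_t: int = 5):
        self.x = x              # private key x of the remote system
        self.delta_t = delta_t  # expected valid interval for transmission delay
        self.ids = set()

    def register(self, id_i: bytes, pw_xor_s: bytes, s_i: bytes, proposed: bool) -> dict:
        """Registration phase. Reviewed scheme: the device stores A_i.
        Proposed scheme: it stores X_i = hc(A_i). pw_xor_s is pw_i ⊕ S_i,
        which the proposed server derives as α ⊕ γ without seeing pw_i."""
        a_i = hc(xor(pad(id_i), self.x))
        v_i = xor(a_i, hc(pw_xor_s))
        self.ids.add(id_i)
        return {"ID": id_i, "check": hc(a_i) if proposed else a_i,
                "V": v_i, "S": s_i, "proposed": proposed}

    def authenticate(self, msg: tuple, t_s: int):
        """Authentication phase steps 1-4; returns (C_2, T_s) or None on rejection."""
        id_i, c1, t_u = msg
        if id_i not in self.ids or t_s == t_u:      # step 1
            return None
        if t_s - t_u >= self.delta_t:               # step 2
            return None
        a_i = hc(xor(pad(id_i), self.x))
        if hc(xor(a_i, ts(t_u))) != c1:             # step 3: C_1* = hc(hc(ID_i ⊕ x) ⊕ T_u)
            return None
        return hc(xor(a_i, ts(t_s))), t_s           # step 4: C_2 = hc(hc(ID_i ⊕ x) ⊕ T_s)


def device_unlock(card: dict, pw: bytes, s_star: bytes):
    """Local check on the device: recover B_i and compare it with the stored value."""
    if s_star != card["S"]:                         # fingerprint verification (template equality)
        return None
    b_i = xor(card["V"], hc(xor(pad(pw), card["S"])))
    local = hc(b_i) if card["proposed"] else b_i    # hc(B_i) = X_i, or B_i = A_i
    return b_i if local == card["check"] else None


def device_login(card: dict, pw: bytes, s_star: bytes, t_u: int):
    """Login phase; returns (m = (ID_i, C_1, T_u), B_i) or None."""
    b_i = device_unlock(card, pw, s_star)
    if b_i is None:
        return None
    return (card["ID"], hc(xor(b_i, ts(t_u))), t_u), b_i


def device_verify_server(b_i: bytes, reply: tuple, t_u: int) -> bool:
    """Authentication phase steps 5-6 on the device."""
    c2, t_s = reply
    return t_s != t_u and hc(xor(b_i, ts(t_s))) == c2


def device_change_password(card: dict, pw_old: bytes, s_star: bytes, pw_new: bytes) -> bool:
    """Password change phase: V_i' = B_i ⊕ hc(pw_i' ⊕ S_i) replaces V_i."""
    b_i = device_unlock(card, pw_old, s_star)
    if b_i is None:
        return False
    card["V"] = xor(b_i, hc(xor(pad(pw_new), card["S"])))
    return True


def run(proposed: bool) -> dict:
    """All four phases for one constructed user; returns the observations of interest."""
    server = RemoteSystem(os.urandom(BLOCK))
    id_i, pw_i, s_i = pad(b"alice"), pad(b"correct horse"), os.urandom(BLOCK)  # constructed
    if proposed:
        n = os.urandom(BLOCK)                       # user's random nonce
        alpha, gamma = xor(pw_i, n), xor(s_i, n)    # α = pw_i ⊕ n, γ = S_i ⊕ n (E_pu(α) not modelled)
        pw_xor_s = xor(alpha, gamma)                # server recovers pw_i ⊕ S_i, never pw_i
    else:
        pw_xor_s = xor(pw_i, s_i)                   # reviewed scheme: server receives pw_i itself
    card = server.register(id_i, pw_xor_s, s_i, proposed)
    msg, b_i = device_login(card, pw_i, s_i, 1000)
    reply = server.authenticate(msg, 1002)
    out = {
        "mutual_auth": reply is not None and device_verify_server(b_i, reply, 1000),
        "wrong_password_rejected": device_login(card, pad(b"wrong"), s_i, 1000) is None,
        "stale_login_rejected": server.authenticate(msg, 1000 + server.delta_t) is None,
        "card_check_equals_login_secret": card["check"] == b_i,
    }
    new_pw = pad(b"new passphrase")
    out["password_changed"] = device_change_password(card, pw_i, s_i, new_pw)
    msg2, _ = device_login(card, new_pw, s_i, 2000)
    out["login_after_change"] = server.authenticate(msg2, 2001) is not None
    return out


if __name__ == "__main__":
    print("reviewed:", run(False))
    print("proposed:", run(True))
```

run(False) models the reviewed scheme and reports that the value the device stores for its local check equals the login secret Bi, which is the observation Section IV builds on; run(True) models the proposed storage and reports that it does not, while mutual authentication, the stale-timestamp rejection and the password change all still succeed. The server-side code is identical in both runs, which is why the proposed change is confined to registration and to the device.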


IV. WEAKNESSES AND DRAWBACKS OF KHAN ET AL.'S SCHEME

In this section, we demonstrate that Khan et al.'s scheme is vulnerable to an impersonation attack and an insider attack.

A. Privileged Insider Attack

Khan et al.'s scheme is vulnerable to privileged insider attacks [22]. In the registration phase of Khan et al.'s scheme, the user Ui's password pwi is revealed to the remote system because it is transmitted to the remote system directly. In practice, users offer the same password pwi to access several remote servers for their convenience. Thus a privileged insider of the remote system may try to use Ui's password pwi to impersonate the legal Ui and log in to the other remote systems that Ui has registered with outside this system. If the targeted outside remote system adopts a normal password authentication scheme, it is possible that the privileged insider of the remote system could successfully impersonate Ui and log in to it by using pwi. Although it is also possible that all the privileged insiders of the remote system can be trusted and that Ui does not use the same password to access several systems, the implementers and the users of the scheme should be aware of such a potential weakness.

B. Spoofing Attack by using Lost or Stolen Mobile Device

Khan et al.'s scheme is vulnerable to a spoofing attack using a lost or stolen mobile device (smart card) whose contents are recovered by monitoring power consumption [5], [16]. An adversary can intercept the mutual authentication message (C2, Ts) and re-send a forged message, i.e. (C2′, Ts), to the user, and this cannot be verified by step (6) of the authentication phase of Khan et al.'s scheme, because Bi = Ai is held in the open on the mobile device. Precisely, if an attacker gets a user's mobile device and extracts the secure value Ai = hc(IDi ⊕ x) from it, then the attacker can simply be authenticated by using Ai without knowing the valid password.

C. Impersonation Attack

Khan et al.'s scheme is vulnerable to impersonation attacks using lost or stolen mobile devices. Namely, a user can be authenticated to a remote system even if he or she does not have the valid password pwi. Precisely, if an attacker gets a user's mobile device and extracts the secure value Ai from the mobile device, then he or she can simply be authenticated by using Ai without the user's password.

V. PROPOSED BIOMETRIC AUTHENTICATION NONCE BASED SCHEME

This section proposes an improvement of Khan et al.'s scheme that removes the above security flaws. The proposed scheme is also composed of four phases: registration, login, authentication, and password change.

Information held by the remote system: x, hc(.)
Shared information: hc(.)
Information held by user Ui: IDi, pwi
Mobile device: IDi, Xi, Vi, Si, hc(.)

A. Registration Phase

Fig. 3 shows the registration phase of the proposed scheme. In the registration phase, user Ui chooses his/her identity IDi, password pwi and a random nonce n, and interactively submits IDi and Epu(pwi ⊕ n), encrypted with the server's public key pu, to the registration center. Ui also imprints his/her fingerprint impression at the sensor, which yields γ = (Si ⊕ n), and then the registration system performs the following operations:

1) Decrypts the encrypted message with the server private key pr and gets α = (pwi ⊕ n).
2) Computes (pwi ⊕ Si) from α = (pwi ⊕ n) and γ = (Si ⊕ n).
3) Computes Ai = hc(IDi ⊕ x) and Xi = hc(Ai), where x is the private key of the remote system, ⊕ is the bit-wise exclusive-OR operation and hc(.) is a collision-free one-way chaotic hash function.
4) Computes Vi = Ai ⊕ hc(β) = Ai ⊕ hc(pwi ⊕ Si), where Si is the extracted fingerprint template of the user.
5) The remote system personalizes the secure information IDi, Xi, Vi, Si, hc(.) and saves it into the mobile device of Ui.

B. Login Phase

Fig. 4 shows the login phase of the proposed scheme. If Ui wants to log in to the remote system, he or she opens the login application software, enters identity IDi and password pwi* and imprints a fingerprint biometric at the sensor. If Ui is successfully verified by his/her fingerprint biometric, the mobile device performs the following operations:

1) Computes Bi = Vi ⊕ hc(pwi* ⊕ Si), and verifies whether hc(Bi) = Xi or not. If equal, the user's device performs further operations; otherwise it terminates the operation.
2) Computes D1 = hc(Bi ⊕ Tu), where Tu is the current timestamp of the device.

Fig. 3. REGISTRATION PHASE
  User Ui: choose identity IDi; choose password pwi; imprint nonce n; imprint fingerprint impression Si; compute α = (pwi ⊕ n); compute β = Epu(α), where Epu is encryption with the server's public key; γ = Si ⊕ n
  User → Remote system S: IDi, β, γ
  Remote system S: Dpr(β) = α = (pwi ⊕ n); α ⊕ γ = (pwi ⊕ Si); compute Ai = hc(IDi ⊕ x), where x is the private key of the server; Xi = hc(Ai); Vi = Ai ⊕ hc(pwi ⊕ Si)
  Remote system S → User (mobile device): IDi, Xi, Vi, Si, hc(.)

Fig. 4. LOGIN PHASE
  User Ui: input IDi, pwi; imprint fingerprint; verify fingerprint; Bi = Vi ⊕ hc(pwi ⊕ Si); verify hc(Bi) = Xi; pick up Tu; D1 = hc(Bi ⊕ Tu)
  User → Remote system S: IDi, D1, Tu
  Remote system S: check IDi; check Ts − Tu < ∆T; D1* = hc(hc(IDi ⊕ x) ⊕ Tu); verify D1* = D1; D2 = hc(hc(IDi ⊕ x) ⊕ D1)
  Remote system S → User: D2
  User: D2* = hc(Bi ⊕ D1); check D2* = D2

3) At the end of the login phase, Ui sends the login message m = (IDi, D1, Tu) to the remote system over an insecure network.

C. Authentication Phase

In the authentication phase, when the remote system receives the message m = (IDi, D1, Tu) from the user, the remote system and the user perform the following operations.

1) The remote system checks whether the format of IDi is invalid or Ts = Tu, where Ts is the current timestamp of the remote system; if so, it rejects the login request.
2) If (Ts − Tu) ≥ ∆T, where ∆T denotes the expected valid time interval for transmission delay, then the remote system rejects the login request.
3) The remote system computes D1* = hc(hc(IDi ⊕ x) ⊕ Tu). If D1* is equal to the received D1, the user is authentic; the remote system accepts the login request and performs the next step, otherwise the login request is rejected.
4) For mutual authentication, the remote system computes D2 = hc(hc(IDi ⊕ x) ⊕ Ts) and then sends the mutual authentication message (D2, Ts) to Ui.
5) Upon receiving the message (D2, Ts), the user checks whether Ts is invalid or Ts = Tu; if so, the user Ui terminates this session, otherwise performs the next step.
6) Ui computes D2* = hc(Bi ⊕ Ts) and compares D2* with D2. If they are equal, the user believes that the remote party is authentic, and mutual authentication between them holds.

VI. SECURITY ANALYSIS

This section shows that the improved scheme is secure against the impersonation attack, the privileged insider attack and the stolen verifier attack, and analyses the enhanced security features of our improved scheme.

A. Resistance to guessing attack

In a guessing attack an adversary tries to obtain long-term private keys (the user's password, or the server's secret and private key). However, because a non-invertible chaotic hash function is used, for

any attacker it becomes difficult to extract Ai by knowing Xi = hc(Ai). Although the adversary can obtain the secret information stored in the stolen smart card by analyzing the leaked information [20], the adversary is still not able to extract Ai.

B. Resistance to parallel session and reflection attacks

In a parallel session attack, without knowing the correct password of the user, an attacker masquerades as the legal user by creating a valid login message out of some eavesdropped communication between the user and the server. Our proposed scheme is free from the parallel session attack.

C. Resistance to insider attack

If an insider of S has obtained Ui's password pwi, he can try to impersonate Ui to access other servers. In the registration phase of the improved scheme, Ui sends the password encrypted together with an appropriate nonce, i.e. Epu(pwi ⊕ n); thus pwi is not revealed to S without knowledge of the remote system's private key. Since the insider cannot obtain pwi, the improved scheme can withstand the insider attack.

D. Resistance to server spoofing attack

The spoofing attack is completely solved by providing mutual authentication between user and server, since the remote system S sends the mutual authentication message [D2] to the user in the login phase. If an attacker intercepts it and re-sends a forged message, i.e. [D2′], to user U, it will not be verified in the authentication phase, since D2* = hc(Bi ⊕ Ts) ≠ D2′. Therefore the proposed scheme can withstand the spoofing attack.

VII. CONCLUSION

Herein, this paper has demonstrated that Khan et al.'s [12] remote user authentication scheme is vulnerable to an impersonation attack and an insider attack, and has pointed out the drawbacks of Khan et al.'s scheme for practical use. Finally, this paper proposes a more secure remote user authentication scheme with better resistance to the impersonation attack, the stolen smart card attack and the privileged insider attack.

REFERENCES

[1] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[2] A. Shimizu. A dynamic password authentication method by one-way function. IEICE Transactions, J73-D-I(7):1–15, 1990.
[3] C. C. Chang and K. F. Hwang. Some forgery attacks on a remote user authentication scheme using smart cards. Informatica, 14(3):289–294, 2003.
[4] C. K. Chan and L. M. Cheng. Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4):992–993, 2000.
[5] E. J. Yoon, E. K. Ryu, and K. Y. Yoo. Attacks on the Shen et al.'s timestamp-based password authentication scheme using smart cards. IEICE Transactions on Fundamentals, E88-A(1):319–321, 2005.
[6] E. J. Yoon, E. K. Ryu, and K. Y. Yoo. An improvement of Hwang-Lee-Tang's simple remote user authentication scheme. Computers & Security, 24:50–56, 2005.
[7] H. M. Sun. An efficient remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4):958–961, 2000.


[8] H. T. Yeh, H. M. Sun, and B. T. Hsieh. Security of a remote user authentication scheme using smart cards. IEICE Transactions on Communications, E87-B(1):192–194, 2004.
[9] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24:770–772, 1981.
[10] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. Advances in Cryptology – CRYPTO '96, LNCS 1109:1–15, 1996.
[11] M. K. Khan, Z. Jiashu, and T. Lei. Chaotic secure content-based hidden transmission of biometric templates. Chaos, Solitons and Fractals, 32(5):1749–1759, 2007.
[12] M. K. Khan, Z. Jiashu, and X. M. Wang. Chaotic hash based fingerprint biometric remote user authentication scheme on mobile devices. Chaos, Solitons and Fractals, 35(3):519–524, 2006.
[13] M. Sandirigama, A. Shimizu, and M. T. Noda. Simple and secure password authentication protocol (SAS). IEICE Transactions on Communications, E83-B(6):1363–1365, 2000.
[14] M. S. Hwang and L. H. Li. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(1):28–30, 2000.
[15] N. M. Haller. The S/KEY(TM) one-time password system. Proc. Internet Society Symposium on Network and Distributed System Security, pages 151–158, 1994.
[16] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. Advances in Cryptology – CRYPTO '99, pages 388–397, 1999.
[17] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.
[18] T. H. Chen and W. B. Lee. A new method for using hash functions to solve remote user authentication. Computers and Electrical Engineering, 34:53–62, 2008.
[19] T. Hwang, Y. Chen, and C. S. Laih. Non-interactive password authentication without password tables. IEEE Region 10 Conference on Computer and Communication Systems, Hong Kong, pages 429–431, 1990.
[20] T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5):541–552, 2002.
[21] M. Wang, J. Z. Lu, and X. F. Li. Remote password authentication scheme based on smartcards. Computer Applications, 25(10):2289–2290, 2005.
[22] W. C. Ku, H. M. Chuang, and M. J. Tsaur. Vulnerabilities of Wu-Chieu's improved password authentication scheme using smart cards. IEICE Transactions on Fundamentals, E88-A(11):3241–3243, 2005.
[23] X. M. Wang, Z. Jiashu, and Z. Wenfang. Keyed hash function based on composite nonlinear autoregressive filter. Acta Physica Sinica, 54:5566–5573, 2005.