Computers & Security (2004) 23, 167-173

www.elsevier.com/locate/cose

Efficient password authenticated key agreement using smart cards

Wen-Shenq Juang*
Department of Information Management, Shih Hsin University, No. 1, Lane 17, Sec. 1, Muja Rd., Wenshan Chiu, Taipei 116, Taiwan, ROC

Received 22 August 2003; revised 22 October 2003; accepted 26 November 2003

KEYWORDS: Password; Authentication; Session key; Smart card; Network security; Data security

Abstract

The smart-card based remote user authentication and key agreement scheme is a very practical solution to create a secure distributed computer environment. In this paper, we propose a novel user authentication and key agreement scheme with much less computational cost and more functionality. The main merits include: (1) the scheme needs no verification table; (2) users can freely choose their own passwords; (3) the communication and computation cost is very low; (4) users and servers can authenticate each other; and (5) it generates a session key agreed by the user and the server. Also, our proposed scheme is a nonce-based scheme which does not have a serious time-synchronization problem. © 2004 Elsevier Ltd. All rights reserved.

Introduction

In a distributed computer environment, when a user requests a server's service, he must pass an examination of user authentication. Through this user authentication process, the server can determine if some services can be provided to this user and also the exact access rights of this user. Ever since Lamport (1981) proposed his remote user authentication scheme to authenticate a remote user over an insecure channel, several schemes (Chang and Hwang, 1993; Chang and Wu, 1991; Chien et al., 2002; Hwang and Li, 2000; Juang et al., 1999; Sun, 2000; Tan and Zhu, 1999; Wang and Chang, 1996; Yang and Shieh, 1999) have been proposed to improve security, functionality and efficiency. Due to their portability and cryptographic capacity, smart cards have been widely used in many e-commerce applications. As mentioned in Chien et al. (2002), the following criteria are important for user authentication schemes using smart cards.

C1: No verification table: No password or verification table is required in a server.
C2: Freely chosen password: Users can freely choose their own passwords.
C3: Lower communication and computation cost: Due to the power constraints of smart cards, they may not provide a powerful computation capability and high bandwidth.
C4: Mutual authentication: Users and servers can authenticate each other.

* Tel.: +886-2-22368225x3352; fax: +886-2-22367114. E-mail address: [email protected].

0167-4048/$ - see front matter © 2004 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2003.11.005

Typically, if a user wants to log into a server, he must submit his identity and the corresponding password to the server. The server first computes the one-way hash value of the user's password and then compares the hashed password with the one in its stored verification file. However, this approach introduces the risk and cost of managing and protecting the table. To solve this problem, several authentication schemes without a verification table (Chang and Wu, 1991; Hwang and Li, 2000; Sun, 2000; Tan and Zhu, 1999; Yang and Shieh, 1999) have been proposed. Also, it is hard for a user to memorize a long key or a server-generated password, so several schemes (Tan and Zhu, 1999; Wang and Chang, 1996; Yang and Shieh, 1999) have provided methods to let users freely choose their passwords. Due to the power constraint of smart cards and the cost of implementation, the communication and computation cost must be low in a practical implementation (Chang and Wu, 1991; Hwang and Li, 2000; Juang et al., 1999; Sun, 2000; Tan and Zhu, 1999; Wang and Chang, 1996; Yang and Shieh, 1999). In Mcelroy and Turban (1998), several Internet frauds involving unilateral authentication (user authentication only) have been reported. Mutual authentication between the user and the server is needed to preserve the security of authentication. In Chien et al. (2002), a smart-card based authentication scheme satisfying these four criteria was proposed. The major drawback of this scheme is that it has a time-synchronization problem, namely that the user's time and the server's time must differ only within a small range. After a user passes the user authentication check of a server, the messages transmitted between the user and the server must be kept secret while the user uses a service of the server. They must agree on a session key to be used for protecting their subsequent communications. Also, Chien et al.'s (2002) scheme does not provide a session key agreement mechanism.

Juang et al. (1999) proposed a user authentication scheme for anonymous e-mail systems in wireless communications. This scheme provides the key agreement function and is a nonce-based scheme which does not have a time-synchronization problem.

In this paper, we propose an efficient remote user authentication and key agreement scheme using smart cards. The proposed scheme satisfies all the above four criteria. Our proposed scheme is a nonce-based scheme which does not have a time-synchronization problem. After running our scheme, the user and the server agree on a session key to be used for protecting their subsequent communications.

The remainder of this paper is organized as follows: in the next section, a brief review of related user authentication schemes is given. Then, in the following sections we present our scheme, examine its security, and present performance considerations and comparisons. Finally, a concluding remark is given.

Review

Chien et al.'s (2002) authentication scheme

Chien et al. (2002) proposed a remote authentication scheme based on smart cards and hash functions (NIST FIPS PUB 180, 1993; Rivest, 1992). The drawbacks of this scheme are that it has a time-synchronization problem and that it does not provide a key agreement mechanism. This scheme consists of three phases: (1) the registration phase, (2) the login phase, and (3) the verification phase. Let h be a public one-way hash function (NIST FIPS PUB 180, 1993; Rivest, 1992), ⊕ be the bitwise exclusive-or operator and x be the secret key kept secretly by the server.

The registration phase

Assume that user i submits his identity ID_i and his password PW_i to the server for registration. If the server accepts this request, it will perform the following steps:

Step 1: Compute user i's secret information R_i = h(ID_i ⊕ x) ⊕ PW_i.
Step 2: Store ID_i and R_i in the memory of a smart card and issue this smart card to user i.

The login phase

If user i wants to log into the server, he must attach his smart card to a card reader. He then inputs his identity ID_i and his password PW_i to this device. The smart card then performs the following steps:

Step 1: Compute C1 = R_i ⊕ PW_i.
Step 2: Get the current timestamp T, and compute C2 = h(C1 ⊕ T).
Step 3: Send the message (ID_i, T, C2) to the server.

The verification phase

On receiving the message (ID_i, T, C2), the server and the smart card execute the following steps to authenticate each other.

Step 1: The server verifies the validity of ID_i and checks if the time difference between T and T' is less than the maximum transmission latency, where T' is the time when the authentication message is received.
Step 2: The server computes C1 = h(ID_i ⊕ x) and verifies if C2 = h(C1 ⊕ T). If not, the server rejects the request. Otherwise, the server accepts user i's request.
Step 3: The server computes C3 = h(C1 ⊕ T''), where T'' is the current timestamp, and sends the message (T'', C3) back to user i.
Step 4: On receiving the message (T'', C3), user i verifies if the time difference between T'' and T''' is less than the maximum transmission latency, where T''' is the time when the authentication message is received, and if C3 = h(C1 ⊕ T''). If yes, user i believes that the responding party is the real server and the mutual authentication is done.

Juang et al.'s (1999) authentication scheme

Juang et al. (1999) proposed a user authentication scheme for anonymous e-mail systems in wireless communications. This scheme provides the key agreement function and is a nonce-based scheme which does not have a time-synchronization problem. This scheme uses a public key cryptosystem for the parties to authenticate each other, so the communication and computation cost of this scheme is higher than that of Chien et al.'s (2002) scheme. Also, the passwords of the users cannot be freely chosen and there needs to be a verification table in the server. A typical session of the scheme involves a user, the home service domain (HSD) with which the user registered and the visiting service domain (VSD) from which the user requests the service. The communication between the user and his VSD is via wireless. The VSD can communicate with the HSD via a high-speed wireline network. The scheme consists of three protocols: the ticket issuing protocol, the authentication protocol and the ticket renewal protocol. If a user wants to send an anonymous message, he first requests a blind ticket from his HSD using the ticket issuing protocol. Then he can use the ticket as a password in the authentication protocol. If the lifetime of the ticket expires, the user can revive the lifetime of the ticket via the ticket renewal protocol. For accounting purposes, the HSD keeps a ticket database to check if the requested ticket is out of money or has expired. A valid ticket can be regarded as a password in the user authentication scheme. For simplicity, we only review the authentication protocol in this section.

The user authentication protocol

Let U denote a user, V denote the current VSD of U, H denote the HSD of U and "X → Y : Z" denote that a sender X sends a message Z to a receiver Y. Also, let K_vh be the secret key shared by H and V, HID be H's identification number, {m}_{n_r} denote the ciphertext of m encrypted using Rabin's public key n_r (Rabin, 1979), and (m)_k denote the ciphertext of m encrypted using the secret key k of some secure symmetric cryptosystem (NIST FIPS PUB 197, 2001). Let h be a public one-way function (Merkle, 1989; NIST FIPS PUB 180, 1993; Rivest, 1992). H has the Rabin public key n_r and the corresponding secret keys p_r and q_r, where p_r and q_r are two large strong primes such that p_r ≡ q_r ≡ 3 (mod 4), and n_r = p_r × q_r. Without loss of generality, we assume that n_r is of 1024 bits. Let K_uh be the authentication ticket shared between the user and his HSD. The following protocol is the ith anonymous call with respect to this ticket.

Step 1: U → V : HID, N3, {K_uh, r_i}_{n_r}.
Step 2: V → H : {K_uh, r_i}_{n_r}, N4.
Step 3: H → V : (K_i, r_i, N4)_{K_vh}.
Step 4: V → U : N3, (I_i, r_i)_{K_i}.

In Step 1, U sends his HID, a nonce N3 and the encrypted message {K_uh, r_i}_{n_r} to V. The encrypted message includes the authentication ticket K_uh and the ith random challenge r_i. The challenge r_i is used for computing the ith session key K_i and for checking freshness. In Step 2, V sends the received message {K_uh, r_i}_{n_r} and a nonce N4 to H. On receiving the message in Step 2, H first decrypts the message, and then checks if K_uh is a valid ticket and r_i has not been presented before. H rejects the ticket if it is not valid. Otherwise, H computes the session key K_i = h(K_uh, r_i), and sends the message (K_i, r_i, N4)_{K_vh} back to V. On receiving the message in Step 3, V decrypts the message and checks if the nonce N4 is in it for freshness checking. If yes, V generates a pseudo identification number I_i for this call and encrypts I_i and the challenge r_i with the session key K_i. Then V sends the message N3, (I_i, r_i)_{K_i} back to U. The nonce N3 will be used as the indicator of this call response so that U can seize the message (I_i, r_i)_{K_i} from the wireless channel. After receiving the encrypted message, U then obtains I_i using the session key K_i, which can be computed as K_i = h(K_uh, r_i), and verifies the freshness of the message from the challenge r_i. Then he can use the pseudo identification number I_i and the session key K_i to send anonymous messages.


Our scheme

In this section, we propose an efficient password authenticated key agreement scheme using smart cards. Let S denote the server, U_i denote user i and "X → Y : Z" denote that a sender X sends a message Z to a receiver Y. Also, let x be the secret key kept secretly by the server S, E_k(m) denote the ciphertext of m encrypted using the secret key k of some secure symmetric cryptosystem (NIST FIPS PUB 197, 2001), D_k(c) denote the plaintext of c decrypted using the secret key k of the corresponding symmetric cryptosystem, ⊕ denote the bitwise exclusive-or operator, and ‖ denote the conventional string concatenation operator. Let h( ) be a secure one-way hashing function (Merkle, 1989; NIST FIPS PUB 180, 1993; Rivest, 1992). Let ID_i be a unique identification of U_i. The proposed scheme is given in the following sections.

Registration phase

Assume that U_i submits his identity ID_i and password PW_i to the server for registration. If the server accepts this request, it will perform the following steps:

Step 1: Compute U_i's secret information v_i = h(ID_i, x) and w_i = v_i ⊕ PW_i.
Step 2: Store ID_i and w_i in the memory of a smart card and issue this smart card to U_i.

Login and session key agreement phase

After getting the smart card from the server, U_i can use it when he logs into the server. If U_i wants to log into S, he must attach his smart card to a card reader. He then inputs his identity ID_i and his password PW_i to this device. The following protocol is the jth login with respect to this smart card.

Step 1: U_i → S : N1, ID_i, E_{v_i}(ru_j, h(ID_i ‖ N1)).
Step 2: S → U_i : E_{v_i}(rs_j, N1+1, N2).
Step 3: U_i → S : E_{k_j}(N2+1).

In Step 1, U_i's smart card first computes v_i = w_i ⊕ PW_i and sends his ID_i, a nonce N1 and the encrypted message E_{v_i}(ru_j, h(ID_i ‖ N1)) to S. The encrypted message includes the jth random value ru_j, which is used for generating the jth session key k_j, and the authentication tag h(ID_i ‖ N1), which is for verifying the identification of U_i. On receiving the message in Step 1, S first computes v_i = h(ID_i, x) and then decrypts the message by computing D_{v_i}(E_{v_i}(ru_j, h(ID_i ‖ N1))), and then checks to see if the message contains the authentication tag h(ID_i ‖ N1) and if the nonce N1 is fresh. S rejects this login if the tag is not valid. If it is valid and the nonce N1 is fresh, S sends the encrypted message E_{v_i}(rs_j, N1+1, N2) back to U_i. The encrypted message includes the random value rs_j chosen by S, which is used for generating the jth session key k_j, and the nonce N2, which is for freshness checking. On receiving the message in Step 2, U_i's smart card decrypts the message by computing D_{v_i}(E_{v_i}(rs_j, N1+1, N2)). It then checks if the nonce N1+1 is in it for freshness checking. If yes, U_i computes the jth session key k_j = h(rs_j, ru_j, v_i) and sends the encrypted message E_{k_j}(N2+1) back to S. After receiving the message in Step 3, S decrypts the message by computing D_{k_j}(E_{k_j}(N2+1)) and checks if the nonce N2+1 is in it for freshness checking. Then U_i and S can use the session key k_j for their subsequent secure communication.
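The registration and login phases above, as an added Python example that is not the paper's code: SHA-256 truncated to 128 bits stands in for h, and E_k/D_k are a constructed encrypt-then-MAC cipher (SHA-256 keystream plus HMAC-SHA256 tag) standing in for the symmetric cryptosystem the paper leaves abstract; nonces are 128-bit integers so that N1+1 and N2+1 are well defined, and the sample identity and password are constructed.

```python
import hashlib
import hmac
import secrets

BLK = 16  # 128-bit values: passwords, nonces, random values and hash output

def h(*parts: bytes) -> bytes:
    """h(a, b, ...) of the paper: SHA-256 over length-prefixed parts, 128-bit output."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()[:BLK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nb(n: int) -> bytes:
    return n.to_bytes(BLK, "big")  # nonce as a 128-bit big-endian integer, so N+1 is defined

def keystream(k: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(k + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(k: bytes, m: bytes) -> bytes:
    """Stand-in for E_k(m): random IV, keystream XOR, HMAC tag over IV and ciphertext."""
    iv = secrets.token_bytes(BLK)
    ct = xor(m, keystream(k, iv, len(m)))
    return iv + ct + hmac.new(k, iv + ct, hashlib.sha256).digest()

def D(k: bytes, c: bytes) -> bytes:
    """Stand-in for D_k(c): rejects any ciphertext whose tag does not verify under k."""
    iv, ct, tag = c[:BLK], c[BLK:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, iv + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected")
    return xor(ct, keystream(k, iv, len(ct)))

class Server:
    def __init__(self):
        self.x = secrets.token_bytes(32)  # long-term secret x; no verification table
        self.seen = set()                  # nonces N1 already accepted (freshness check)
        self.pending = {}                  # per-user state kept between Step 1 and Step 3

    def register(self, ID: bytes, PW: bytes) -> tuple:
        assert len(PW) == BLK              # 128-bit password, as the paper assumes
        v = h(ID, self.x)                  # v_i = h(ID_i, x)
        return ID, xor(v, PW)              # the card stores (ID_i, w_i = v_i xor PW_i)

    def step2(self, ID: bytes, N1: int, c1: bytes) -> bytes:
        v = h(ID, self.x)                  # recomputed from x, never stored
        pt = D(v, c1)                      # fails if the card derived a wrong v_i (wrong PW)
        ru, tag = pt[:BLK], pt[BLK:]
        if tag != h(ID + nb(N1)) or N1 in self.seen:
            raise ValueError("login rejected")
        self.seen.add(N1)
        rs, N2 = secrets.token_bytes(BLK), secrets.randbits(127)
        self.pending[ID] = (v, ru, rs, N2)
        return E(v, rs + nb(N1 + 1) + nb(N2))

    def step3(self, ID: bytes, c3: bytes) -> bytes:
        v, ru, rs, N2 = self.pending.pop(ID)
        k = h(rs, ru, v)                   # k_j = h(rs_j, ru_j, v_i)
        if D(k, c3) != nb(N2 + 1):
            raise ValueError("key confirmation failed")
        return k

class SmartCard:
    def __init__(self, ID: bytes, w: bytes):
        self.ID, self.w = ID, w

    def step1(self, PW: bytes) -> tuple:
        self.v = xor(self.w, PW)           # v_i = w_i xor PW_i; a wrong PW yields a wrong v_i
        self.ru, self.N1 = secrets.token_bytes(BLK), secrets.randbits(127)
        return self.ID, self.N1, E(self.v, self.ru + h(self.ID + nb(self.N1)))

    def step3(self, c2: bytes) -> bytes:
        pt = D(self.v, c2)
        rs, n1p, N2 = pt[:BLK], pt[BLK:2 * BLK], pt[2 * BLK:]
        if n1p != nb(self.N1 + 1):
            raise ValueError("stale response")
        self.k = h(rs, self.ru, self.v)    # the same k_j the server derives
        return E(self.k, nb(int.from_bytes(N2, "big") + 1))

def login(server: Server, card: SmartCard, PW: bytes) -> tuple:
    """Run Steps 1-3 of one login and return (card's key, server's key)."""
    ID, N1, c1 = card.step1(PW)
    c2 = server.step2(ID, N1, c1)
    c3 = card.step3(c2)
    return card.k, server.step3(ID, c3)

if __name__ == "__main__":
    srv = Server()
    card = SmartCard(*srv.register(b"alice", b"correct-horse-16"))  # constructed sample values
    ku, ks = login(srv, card, b"correct-horse-16")
    print("session keys agree:", ku == ks)
```

The server keeps no password table: v_i is recomputed from x at each login, a wrong password makes the Step 1 ciphertext fail to decrypt, and a replayed N1 is refused by the server's nonce set.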

Security analysis

In this section, we analyze the security of our scheme.

1. The secret w_i = v_i ⊕ PW_i is stored in U_i's smart card. Only the legal user U_i has his password PW_i, from which the secret v_i = h(ID_i, x) can be computed, and so only he can use his smart card. The server's secret x is protected by the secure one-way hash function h( ).

2. Replay attacks fail because the freshness of the messages transmitted in Steps 1 and 2 of the login and session key agreement phase is provided by the nonces N1 and N2. Apart from the user, only the server with the shared key v_i can embed the nonce N1 generated by the user in the encrypted message E_{v_i}(rs_j, N1+1, N2). Apart from the server, only the user with the session key k_j can embed the nonce N2 generated by the server in the encrypted message E_{k_j}(N2+1).

In consideration of the security of session key protection, the following criteria are important for session key agreement.

(1) Session key security: At the end of the key exchange, the session key is known to nobody but the user and the server.
(2) Forward secrecy: A compromised long-lived secret key cannot determine the session keys used before.
(3) Known-key security: Knowing a compromised session key alone cannot derive the other session keys.

We examine these criteria as follows:

1. The session key k_j = h(rs_j, ru_j, v_i) is known to nobody but the user and the server, since the random values rs_j and ru_j are encrypted under the secret key v_i. None of these three values is known to anybody but the user and the server.

2. A compromised long-lived secret key v_i or x cannot be used to derive the session keys k_l, 1 ≤ l ≤ j-1, that were used before, since without knowing the used random values rs_l and ru_l, 1 ≤ l ≤ j-1, nobody can compute these used session keys k_l = h(rs_l, ru_l, v_i). If a malicious person can get some used random values rs_l and ru_l together with the secret key v_i, he can compute the used session key k_l = h(rs_l, ru_l, v_i). To remedy this problem, the Diffie-Hellman key exchange algorithm (Diffie and Hellman, 1976) can be used for computing the session key. In this approach, we let rs_l = g^x and ru_l = g^y, where x and y are random numbers chosen by the user and the server separately, and k_l = h(rs_l^y, v_i) = h(ru_l^x, v_i).

3. Knowing a session key k_j and the random values rs_j and ru_j is of no use for computing the other session keys k_l = h(rs_l, ru_l, v_i), l ≠ j, since without knowing rs_l, ru_l and v_i it is infeasible to compute the session key k_l.

In our scheme, the goal of mutual authentication is to establish an agreed session key k_j between user i and the server for the jth login (Burrows et al., 1990; Juang et al., 1999). Let U_i denote user i and S denote the server. Let U <-K-> S denote that the player U shares a session key K with the player S. Thus mutual authentication is complete between user i and the server if there is a k_j such that U_i believes U_i <-k_j-> S, and S believes U_i <-k_j-> S for the jth login (Burrows et al., 1990; Juang et al., 1999). A strong mutual authentication may lead to the following statement: U_i believes S believes U_i <-k_j-> S, and S believes U_i believes U_i <-k_j-> S for the jth login.

In Step 1 of the login and session key agreement phase, after S receives the message N1, ID_i, E_{v_i}(ru_j, h(ID_i ‖ N1)) from U_i, S will check if the encrypted message contains the authentication tag h(ID_i ‖ N1). Since the authentication tag is encrypted by the secret key v_i shared between S and U_i, S will believe that the jth random value ru_j was sent by U_i. After S chooses the random value rs_j, S can compute the session key k_j = h(rs_j, ru_j, v_i) and will believe U_i <-k_j-> S. In Step 2, after U_i receives the message E_{v_i}(rs_j, N1+1, N2) from S, he will check if the encrypted message contains the nonce N1+1. Since the message is encrypted by the secret key v_i shared between S and U_i, U_i will believe the jth random value rs_j was sent by S. U_i can then compute the session key k_j = h(rs_j, ru_j, v_i) and will believe U_i <-k_j-> S. Since the nonce N1 is chosen by U_i, U_i believes that the nonce N1 is fresh. On receiving the encrypted message E_{v_i}(rs_j, N1+1, N2) from S, U_i believes S believes U_i <-k_j-> S. Since the nonce N2 is chosen by S, S believes that the nonce N2 is fresh. In Step 3, after S receives the message E_{k_j}(N2+1) from U_i, S believes U_i believes U_i <-k_j-> S. Step 3 of the login and session key agreement phase can be delayed to the subsequent private communications in which U_i transmits the message N2+1 encrypted by the session key k_j to S.
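The Diffie-Hellman remedy for forward secrecy described in item 2 above, as an added example that is not the paper's code: each side contributes g^x or g^y in place of rs_l and ru_l and derives k_l = h(g^{xy}, v_i), so a later compromise of v_i plus the transmitted values no longer yields the key. The modulus P and generator G are constructed toy values (not a standard group), and original_recipe is the base derivation k_l = h(rs_l, ru_l, v_i) given for contrast.

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime); real use needs a standard large group
G = 3            # toy generator for the demonstration

def h(*parts: bytes) -> bytes:
    """h of the paper: SHA-256 over length-prefixed parts, truncated to 128 bits."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()[:16]

def ib(n: int) -> bytes:
    return n.to_bytes(16, "big")   # group elements fit in 128 bits for this toy P

class Party:
    """One side of the l-th login holding its ephemeral exponent (the paper's x or y)."""
    def __init__(self, v: bytes):
        self.v = v                                  # shared long-lived secret v_i
        self.exp = secrets.randbelow(P - 2) + 1     # ephemeral exponent, discarded after use
        self.pub = pow(G, self.exp, P)              # rs_l = g^x (server) or ru_l = g^y (user)

    def session_key(self, peer_pub: int) -> bytes:
        if not 1 < peer_pub < P - 1:                # 0, 1 and P-1 would force a fixed shared value
            raise ValueError("bad public value")
        return h(ib(pow(peer_pub, self.exp, P)), self.v)   # k_l = h(g^{xy}, v_i)

def run_exchange(v: bytes) -> tuple:
    """Return (server key, user key, (rs_l, ru_l)); the exponents die with the Party objects."""
    server, user = Party(v), Party(v)
    return server.session_key(user.pub), user.session_key(server.pub), (server.pub, user.pub)

def original_recipe(rs: bytes, ru: bytes, v: bytes) -> bytes:
    """The base derivation k_l = h(rs_l, ru_l, v_i): anyone who later obtains v_i and the
    transmitted random values recomputes it, which is the forward-secrecy gap noted above."""
    return h(rs, ru, v)
```

With the exponents gone, the transcript (g^x, g^y) and a compromised v_i give an observer only the inputs to a Diffie-Hellman problem, not k_l.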

Performance considerations

Table 1  Efficiency comparison between other schemes and our proposed scheme

Scheme                  E1         E2             E3             E4
Our scheme              128 bits   2 × 128 bits   1 Hash         4 Sym + 3 Hash
Chien et al. (2002)     128 bits   2 × 128 bits   1 Hash         5 Hash
Sun (2000)              128 bits   1 × 128 bits   1 Hash         1 Hash
Hwang and Li (2000)     1024 bits  2 × 1024 bits  1 Exp          3 Exp + 1 Hash
Yang and Shieh (1999)   1024 bits  3 × 1024 bits  3 Exp          2 Exp + 1 Hash
Juang et al. (1999)     1024 bits  4 × 1024 bits  2 Exp + 1 Sym  1 Exp + 4 Sym

E1: password length; E2: communication cost of authentication for cryptographic parameters; E3: computation cost of registration; E4: computation cost of authentication; Hash: hashing operation; Exp: exponential operation; Sym: symmetric encryption or decryption.

We evaluate the efficiency of our scheme and the related schemes in Table 1. We assume that p in Hwang and Li's (2000) scheme and n in Yang and Shieh's (1999) and Juang et al.'s (1999) schemes are of 1024 bits in order to make the discrete logarithm and factoring problems infeasible. We assume that the block size of secure symmetric cryptosystems (NIST FIPS PUB 197, 2001) is 128 bits and the output size of secure one-way hashing functions (Merkle, 1989; NIST FIPS PUB 180, 1993; Rivest, 1992) is 128 bits. Since our scheme and the schemes in Chien et al. (2002) and Sun (2000) are based on secure one-way hashing functions (Merkle, 1989; NIST FIPS PUB 180, 1993; Rivest, 1992) and symmetric cryptosystems (NIST FIPS PUB 197, 2001), the password length in our scheme and the schemes in Chien et al. (2002) and Sun (2000) can be 128 bits. The schemes in Juang et al. (1999), Hwang and Li (2000) and Yang and Shieh (1999) are based on the intractability of the discrete logarithm and factoring problems and the password length in those is 1024 bits. The communication cost of our scheme for user authentication is 2 × 128 bits. Step 3 can be delayed to the subsequent private communications. The communication cost of Chien et al.'s (2002) scheme for user authentication is 2 × 128 bits, that of Sun's (2000) scheme is 128 bits, but it does not provide mutual authentication, and that of the schemes in Juang et al. (1999), Hwang and Li (2000) and Yang and Shieh (1999) is thousands of bits. In our scheme, only one hashing operation and one exclusive-or operation are required for a user to register and get his smart card. In the login and key agreement phase, only two symmetric key encryptions, two symmetric key decryptions, three hashing operations and one exclusive-or operation are required. The computation cost of Chien et al.'s (2002) scheme for a user to register is one hashing operation and one exclusive-or operation, and that of user authentication is five hashing operations and six exclusive-or operations. Sun's (2000) scheme requires only one hashing operation.
The computation cost of Hwang and Li's (2000) scheme for user registration is one exponential operation and that for user authentication is three exponential operations and one hashing operation. The computation cost of Yang and Shieh's (1999) scheme for user registration is three exponential operations and that for user authentication is two exponential operations and one hashing operation. In Juang et al.'s (1999) scheme, for achieving low-cost computation in mobile units, users encrypt their messages by modified RSA encryption schemes (Coppersmith et al., 1996; Hastad, 1985; Rabin, 1979; Williams, 1980). But the server also needs to decrypt the encrypted message. The computation cost of Juang et al.'s (1999) scheme for user authentication is two symmetric key encryptions, two symmetric key decryptions, one multiplication operation, and one exponential operation.

We summarize the functionality and complexity of related authentication and key distribution protocols in Table 2. In Juang et al. (1999), valid tickets can be regarded as user passwords. The server needs to keep a ticket database for verifying valid users. In the schemes of Hwang and Li (2000), Juang et al. (1999) and Sun (2000), the passwords are generated by the server so as to satisfy some equations. The users in these schemes cannot freely choose their passwords. As analyzed in Table 1, our scheme and the schemes in Chien et al. (2002) and Sun (2000) are based on secure one-way hashing functions (Merkle, 1989; NIST FIPS PUB 180, 1993; Rivest, 1992) and symmetric cryptosystems (NIST FIPS PUB 197, 2001). The computation cost of these schemes is extremely low compared to that of the schemes (Hwang and Li, 2000; Juang et al., 1999; Yang and Shieh, 1999) based on public key cryptosystems. If we only consider the client side in Juang et al.'s (1999) scheme, the computation cost of user authentication is one symmetric key decryption, one hashing operation, and one multiplication operation. This cost is lower than that of the schemes in Hwang and Li (2000) and Yang and Shieh (1999). The schemes in Hwang and Li (2000), Sun (2000) and Yang and Shieh (1999) provide only unilateral authentication (the user authentication), not mutual authentication. In the schemes of Chien et al. (2002), Hwang and Li (2000) and Sun (2000), a timestamp is used to prevent replay attacks, but it also incurs a serious time-synchronization problem in a distributed environment. In Yang and Shieh (1999), two authentication schemes were proposed; one is timestamp-based and the other is nonce-based. In the schemes of Chien et al. (2002), Hwang and Li (2000), Sun (2000) and Yang and Shieh (1999), the key agreement mechanism is not provided.

Table 2  Comparisons between other schemes and our proposed scheme

Scheme                  C1   C2   C3             C4   C5      C6
Our scheme              Yes  Yes  Extremely low  Yes  Yes     Yes
Chien et al. (2002)     Yes  Yes  Extremely low  Yes  No      No
Sun (2000)              Yes  No   Extremely low  No   No      No
Hwang and Li (2000)     Yes  No   Medium         No   No      No
Yang and Shieh (1999)   Yes  Yes  Medium         No   Yes/no  No
Juang et al. (1999)     No   No   Low            Yes  Yes     Yes

C1: no password table; C2: freely chosen password; C3: computation and communication cost; C4: mutual authentication; C5: no time synchronization; C6: session key agreement.

Conclusions

In this paper, we propose a novel user authentication and key agreement scheme with smart cards. Our proposed scheme uses only secure one-way hashing functions and symmetric cryptosystems on the smart card. This approach can significantly improve the efficiency and provide more functionality for user authentication and key agreement. Compared with Chien et al.'s (2002) scheme, our scheme generates a session key agreed by the user and the server. Also, our proposed scheme is a nonce-based scheme which does not have a serious time-synchronization problem.

Acknowledgements

This work was supported in part by the National Science Council of the Republic of China under contract NSC-92-2213-E-128-006. The authors would like to thank the anonymous referees for their valuable comments that helped improve the presentation of this paper.

References

Burrows M, Abadi M, Needham R. A logic of authentication. ACM Trans Comput Syst 1990;8(1):18-36.
Chang C, Hwang S. Using smart cards to authenticate remote passwords. Comput Math Appl 1993;26(7):19-27.
Chang C, Wu T. Remote password authentication with smart cards. IEE Proc Comput Digit Tech 1991;138(3):165-8.
Chien H, Jan J, Tseng Y. An efficient and practical solution to remote authentication: smart card. Comput Secur 2002;21(4):372-5.
Coppersmith D, Franklin M, Patarin J, Reiter M. Low-exponent RSA with related messages. Advances in cryptology: Proceedings of EuroCrypt'96, LNCS 1070. Springer-Verlag; 1996. p. 1-9.
Diffie W, Hellman M. New directions in cryptography. IEEE Trans Inf Theory 1976;IT-22(6):644-54.
Hastad J. On using RSA with low exponent in a public key network. Advances in cryptology: Proceedings of Crypto'85, LNCS 218. Springer-Verlag; 1985. p. 403-8.
Hwang M, Li L. A new remote user authentication scheme using smart cards. IEEE Trans Consumer Electron February 2000;46(1):28-30.
Juang W, Lei C, Chang C. Anonymous channel and authentication in wireless communications. Comput Commun 1999;22(15-16):1502-11.
Lamport L. Password authentication with insecure communication. Commun ACM 1981;24:770-2.
Mcelroy D, Turban E. Using smart cards in electronic commerce. Int J Inf Manag 1998;18(1):61-72.
Merkle R. One way hash functions and DES. In: Brassard G, editor. Advances in cryptology: Crypto'89. Lecture notes in computer science, vol. 435. New York: Springer; 1989. p. 428-46.
NIST FIPS PUB 180. Secure Hash Standard. National Institute of Standards and Technology, U.S. Department of Commerce, DRAFT; 1993.
NIST FIPS PUB 197. Announcing the Advanced Encryption Standard (AES). National Institute of Standards and Technology, U.S. Department of Commerce; November 2001.
Rabin M. Digitalized signatures and public key functions as intractable as factorization. MIT Lab. Computer Science, TR 212; January 1979.
Rivest R. The MD5 message-digest algorithm, RFC 1321. Internet Activities Board, Internet Privacy Task Force; 1992.
Sun H. An efficient remote user authentication scheme using smart cards. IEEE Trans Consumer Electron November 2000;46(4):958-61.
Tan K, Zhu H. Remote password authentication scheme with smart cards. Comput Commun 1999;18:390-3.
Wang S, Chang T. Smart card based secure password authentication scheme. Comput Secur 1996;15(3):231-7.
Williams H. A modification of RSA public-key encryption. IEEE Trans Inf Theory 1980;IT-26(6):726-9.
Yang W, Shieh S. Password authentication schemes with smart cards. Comput Secur 1999;18(8):727-33.

Wen-Shenq Juang ([email protected]) received his Master's degree in Computer Information Science from National Chiao Tung University in 1993, and his Ph.D. degree in electrical engineering from National Taiwan University in 1998. He joined the Department of Information Management, Shih Hsin University, Taipei, Taiwan, in 2000. His current research interests include cryptography, information security, and electronic commerce.