IEICE TRANS. COMMUN., VOL.E83–B, NO.6 JUNE 2000 1363

LETTER

Simple and Secure Password Authentication Protocol (SAS)

Manjula SANDIRIGAMA†, Student Member, Akihiro SHIMIZU††, Regular Member, and Matu-Tarow NODA†, Nonmember

Manuscript received September 13, 1999.
† The authors are with the Department of Computer Science Engineering, Ehime University, Matsuyama-shi, 790-8577 Japan.
†† The author is with the Department of Information Systems Engineering, Kochi University of Technology, Kochi-ken, 782-8502 Japan.

SUMMARY In the Internet and Mobile communication environment, authentication of the users is very important. Although at present password is extensively used for authentication, bare password transmission suffers from some inherent shortcomings. Several password-based authentication methods have been proposed to eliminate such shortcomings. Those proposed methods have relative demerits as well as merits. In this letter we propose a method where those demerits are eliminated. The prominent feature is security improvement apart from low processing, storage and transmission overheads compared to previous methods. This method can be used in several applications like remote login, encrypted and authenticated communication and electronic payment etc.

key words: cryptography, hash functions, password authentication, security, one time password

1. Introduction

As the Internet and Mobile applications have been increasing in the recent past, the need for authentication over remote servers and telephones has become very important. Several authentication methods based on passwords have been proposed.

Usually the password is hashed and stored in the computer to prevent stealing by others. Several such hash functions are available. Most famous are DES, FEAL, MISTY etc.

Though the hashing prevents stealing, there are still two shortcomings. The first is that the user is required to submit the bare password at each authentication. The second is that in case of a network (which is usually the case) the transmitted password could be stolen by wire tap.

In the Lamport one time password method, those problems are eliminated. But there are two practical difficulties in the Lamport method. The first is the high hash overhead. The other is the necessity for password resetting.

High hash overhead and password resetting are solved in the CINON method. One time characteristics are gained by using two variable random numbers which are changed at each authentication. These two random numbers are generated by the user and the user is required to memorize them in some sort of memory. In the Internet environment users may be accessing their hosts from many parts of the world and hence the user has to carry a memory device (like an IC card) wherever he goes. This is an unnecessary burden apart from the fact that all the computers may not have such IC reading facilities. Providing such dedicated facilities is an extra hardware expense.

The above random number memorizing problem is solved in the PERM method. In this method one random number (in the form of an initial value incremented at each authentication) is stored in the host and sent to the user at each authentication. It is sent back to the user upon a service request for necessary calculations. The other random number is derived from this number by pre-determined increments.

Though the PERM method solves the random number memorizing problem, the authors point out a possible security flaw in the system. It is a kind of 'Man in the Middle' attack where an eavesdropper would be able to login after tapping the communication line in two consecutive sessions.

In this letter a developed method called 'Simple And Secure (SAS) Password Authentication' is proposed which eliminates the above mentioned security flaw. Apart from eliminating the security flaw, storage, processing and transmission overheads are lower in the new method.

2. SAS Description

2.1 Definitions and Notations

The following Definitions and Notations are used in this letter.

1. User is a user of a computer who uses the protocol for authentication.
2. Host is the server that authenticates users.
3. $A$ is user identity. $S$ is user password.
4. $E$ is a cryptographic hash function. $E(X)$ means $X$ is hashed once. $E^2(X)$ means $X$ is hashed twice.
5. $n$ is an integer greater than or equal to 0 which represents the number of authentication sessions.
6. $N_n$ represents a random number corresponding to the $n$th authentication.
7. $\oplus$ represents the bitwise XOR operation.
8. $//$ represents concatenation.
9. Service Request means a request by the user to the host to allow login.
10. User/Host: XYZ –> Host/User means User/Host sends XYZ to Host/User.

2.2 SAS Protocol

The protocol consists of two phases, namely the registration phase and the authentication phase. The registration is done only once and authentication is done every time the user logs in.

2.2.1 Registration Phase (see Fig. 1)

1. User: Calculate $E^2(S//N_0)$.
2. User: $A$, $E^2(S//N_0)$, $N_0$ –> Host. (through a secure channel)
3. Host: Stores $A$, $E^2(S//N_0)$, $N_0$.

Fig. 1 Registration.

2.2.2 Authentication Phase

When the user wants to login subsequently he executes the following protocol (see Fig. 2).

1. User: Service Request –> Host.
2. Host: $N_0$ –> User.
3. User: Calculates the following data and sends it to the host.
   $E(S//N_0) \oplus E^2(S//N_0)$ –> Host.
   $E^2(S//N_1) \oplus E^2(S//N_0)$ –> Host.
   $N_1$ –> Host.
   Note: $E(S//N_0) \oplus E^2(S//N_0)$ is for the current authentication session. $E^2(S//N_1) \oplus E^2(S//N_0)$ is for the next authentication session.
4. Host: XOR the data with the stored $E^2(S//N_0)$ and obtain the following.
   $E(S//N_0)$
   $E^2(S//N_1)$
5. Host: Applies the hash function to $E(S//N_0)$.
   $E \cdot E(S//N_0) = E^2(S//N_0)$
   Compare with the stored $E^2(S//N_0)$. If they match the user is authenticated. If they don't match the user is rejected. Updates $E^2(S//N_0)$ and $N_0$ with $E^2(S//N_1)$ and $N_1$ for the next authentication session.

Fig. 2 Authentication.

2.3 Evaluations

In this subsection we evaluate the security and performance of the new method.

2.3.1 Security

In the PERM method the authors indicate a possible security flaw. If an attacker is able to receive two sets of data from two consecutive sessions he is able to insert his own password and do the necessary calculations and send to the host. From the next authentication session onwards the attacker can freely login impersonating the real user.

In SAS this security flaw is eliminated. Suppose an attacker obtains the following two consecutive sets of data.

$E(S//N_0) \oplus E^2(S//N_0)$, $E^2(S//N_1) \oplus E^2(S//N_0)$
$E(S//N_1) \oplus E^2(S//N_1)$, $E^2(S//N_2) \oplus E^2(S//N_1)$

From these data the attacker cannot calculate $E(S//N_0)$ or $E(S//N_1)$ or $E(S//N_2)$ since he does not know $E^2(S//N_0)$ or $E^2(S//N_1)$ or $E^2(S//N_2)$. Therefore he cannot insert his own password that will enable him to login impersonating the real user. Therefore it is seen that SAS has better security features than PERM or CINON.

2.3.2 Performance

Table 1 summarizes the performance of Lamport, CINON, PERM and SAS.

Table 1 Performance evaluations of Lamport, CINON, PERM and SAS.

3. Conclusion

From the above evaluations it is seen that the new protocol SAS has improved features compared to the previous methods. The most important feature is extra security which is not available in previous methods. Also it needs lower hash overhead and data storage. Data transmission is also low. SAS does not need password resetting or random numbers. Moreover the same protocol contains a facility to create a session key to facilitate session encryption.

References

A. Evance, W. Kantrowitz, and E. Weiss, "A user authentication scheme not requiring secrecy in the computer," Commun. ACM, vol.17, no.8, pp.437–442, 1974.
G.B. Purdy, "A high-security log-in procedure," Commun. ACM, vol.17, no.8, pp.442–445, 1974.
A. Morris and K. Thompsan, "Password security: A case history," UNIX Programmer's Manual, Seventh Edition, 2B, 1979.
NBS, "Data Encryption Standard," FIPS-PUB-45, 1977.
A. Shimizu and S. Miyaguchi, "Fast data encipherment algorithm FEAL," IEICE Trans., vol.J70-D, no.7, pp.1413–1423, July 1987.
M. Matsui, "New block encryption algorithm MISTY," Lecture Notes in Computer Science, FSE 1997, pp.54–68, 1997.
L. Lamport, "Password authentication with insecure communication," Commun. ACM, vol.24, no.11, pp.770–772, 1981.
N. Haller, "The S/KEY (TM) one-time password system," Proc. Internet Society Symposium on Network and Distributed System Security, pp.151–158, 1994.
A. Shimizu, "A dynamic password authentication method by one-way function," IEICE Trans., vol.J73-D-I, no.7, pp.630–636, July 1990.
A. Shimizu, "A dynamic password authentication method by one-way function," System and Computers in Japan, vol.22, no.7, 1991.
T. Arakawa and T. Kamada, "The Internet home electronics and the information network revolution," IEICE Technical Report, OFS96-1, 1996.
A. Shimizu, "Public E-mail messages forwarding services," IEICE Technical Report, OFS96-39, 1996.
T. Horioka, M. Toda, and A. Shimizu, "E-mail messages forwarding services," IEICE Technical Report, OFS97-39, 1997.
A. Simizu, T. Horioka, and H. Inagaki, "A password authentication method for contents communication on the internet," IEICE Trans. Commun., vol.E81-B, no.8, pp.1666–1673, Aug. 1998.
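
The registration and authentication phases of Sect. 2.2, both sides with the host's check and update, as an added example that is not code from the letter. SHA-256 as E, 16-byte random values for N, byte concatenation for //, and all class and function names are assumptions of this example.

```python
import hashlib, hmac, secrets

def E(x: bytes) -> bytes:
    # Hash E; SHA-256 is this example's assumption, not the letter's choice.
    return hashlib.sha256(x).digest()

def E2(x: bytes) -> bytes:
    return E(E(x))  # E^2(X): X hashed twice

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

class Host:
    def __init__(self):
        self.db = {}  # A -> (E^2(S//N0), N0)
    def register(self, A, verifier, N0):  # registration step 3
        self.db[A] = (verifier, N0)
    def challenge(self, A):  # authentication step 2: send N0
        return self.db[A][1]
    def authenticate(self, A, alpha, beta, N1):  # authentication steps 4 and 5
        stored, _ = self.db[A]
        candidate = xor(alpha, stored)      # E(S//N0) if the user is genuine
        next_verifier = xor(beta, stored)   # E^2(S//N1) if the user is genuine
        if not hmac.compare_digest(E(candidate), stored):
            return False                    # reject and keep the stored state
        self.db[A] = (next_verifier, N1)    # update for the next session
        return True

class User:
    def __init__(self, A: str, S: bytes):
        self.A, self.S = A, S
    def registration_data(self):  # registration steps 1 and 2
        N0 = secrets.token_bytes(16)
        return self.A, E2(self.S + N0), N0
    def response(self, N0):  # authentication step 3
        N1 = secrets.token_bytes(16)
        v0 = E2(self.S + N0)
        return xor(E(self.S + N0), v0), xor(E2(self.S + N1), v0), N1

def demo():
    # Constructed identity and passwords, for illustration only.
    host, user = Host(), User("alice", b"constructed-password")
    host.register(*user.registration_data())
    first = user.response(host.challenge("alice"))
    ok1 = host.authenticate("alice", *first)
    stale = host.authenticate("alice", *first)  # same messages after the update
    ok2 = host.authenticate("alice", *user.response(host.challenge("alice")))
    guess = User("alice", b"wrong-password").response(host.challenge("alice"))
    return ok1, stale, ok2, host.authenticate("alice", *guess)
```

`demo()` runs two genuine sessions around a resubmission of the first session's messages and a response built from a wrong password; the host accepts only the two genuine sessions.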