VIEWS: 15 PAGES: 5 CATEGORY: Internet / Online POSTED ON: 1/26/2011
Password Authentication Protocol (PAP), is the focus of a PPP link control protocol agreements, mainly through the use of 2 to provide a handshake on the other nodes to establish a simple method of authentication, which is determined based on the initial link basis.
ECE 679 PROJECT, SPRING 2004 1 Analysis of the Secure Password Authentication Protocol Minho Kim Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 E-mail: email@example.com Abstract— authentication scheme, the SAS protocol, which was in- In the Internet and Mobile communication environment, tended to be superior to several well-known scheme as authentication of the users is very important. Although at present password is extensively used for authentication, bare mentioned above. However, Lin et al. showed that the password transmission suﬀers from some inherent shortcom- SAS protocol is vulnerable to the replay attack and the ings. Several password-based authentication methods have denial of service attack, and then proposed a Optimal been proposed to eliminate such shortcomings. In 2000 Strong-Password Authentication scheme, the OSPA proto- and 2001, Lin et al. addressed two weaknesses of a new strong-password authentication scheme, the SAS protocol, col, which was asserted to be secure against stolen-veriﬁer and then proposed an improved one called the OSPA Pro- attacks, replay attacks, and the denial of service attacks. tocol. However, Chen et al. found that both the SAS and Also, Chen et al. found that the SAS and the OSPA pro- OSPA protocol are vulnerable to the stolenveriﬁer attack. Also, Tsuji et al. devise an impersonation attack on the tocol cannot eﬀectively resist the stolen-veriﬁer attack as OSPA method and discuss how to break down the OSPA the claimed. Even though, Chen et al.’s attack to the SAS method. Later, Lin et al. proposed an enhanced protocol and OSPA methods, this problem is solved if the server of OSPA and showed that the improved protocol can resist the guessing attack, the reply attack, the impersonation at- provides strong management. So, Tsuji et al. devise tack, and the stolen-veriﬁer attack. But, Ku et al. found an impersonation attack on the OSPA method without an that their protocol is still vulnerable to a reply attack and active attack on the server. a denial-of-service attack. Recently, Wei-Chi Ku propose a more secure hash-based strong-password authentication Later, Lin et al. proposed an enhanced protocol of scheme without using smart cards. However, we ﬁnd that OSPA and showed that the improved protocol can resist Ku’s proposed scheme is still vulnerable to a replay attack, the guessing attack, the reply attack, the impersonation at- stolen veriﬁer attack, and an impersonation attack. tack, and the stolen-veriﬁer attack. But, Ku et al. found that their protocol is still vulnerable to a reply attack and I. Introduction a denial-of-service attack. Also, these two simple attacks Password authentication is regard as one of the sim- can be easily performed without compromising the server in plest and the most convenient authentication mechanisms. advance. Recently, Wei-Chi Ku propose a more secure However, they are neither cost eﬀective nor suitable for hash-based strong-password authentication scheme with- distributed environments as like modern mobile applica- out using smart cards that can withstand the replay attack, tions. Usually the password is hashed and stored in the the password-ﬁle compromise attack, the denial-of-service computer to prevent stealing by others. Several such attack, the predictable n attack, and the insider attack. hash functions are available. Most famous are DES, FEAL, MISTY etc. In the Lamport one time pass- Stolen-veriﬁer problem. In most applications, the server word method, those problems are eliminated. But there stores veriﬁers of users’ passwords instead of the clear are two practical diﬃculties in Lamport method. One is text of passwords. The stolen-veriﬁer problem means the high hash overhead and the other is the necessity for that a thief who steals the password-veriﬁer from the password resetting. High hash overhead and password re- server can use it directly to masquerade as a legitimate setting are solved in CINON. But this method need two user in the authentication protocol. random numbers which was generated by the user and the Replay attack. A replay attack is an oﬀensive action in user is required to memorize them in some sort of mem- which an adversary impersonates or deceives an other ory. This random number memorizing problem is solved legitimate participant through the reuse of information in the PERM. In this method one random number (in obtained in a protocol. the form of an initial value incremented at each authenti- Denial of service attack. The denial of service attack cation) is stored in the host and sent to the user at each prevents or inhibits the normal use or management authentication. However, there is a possible security ﬂaw of communications facilities. This attack may act on in the system. It is a kind of man in the middle attack a speciﬁc user as like an adversary who may cause where an adversary would be able to login after tapping the server to reject all logins of a speciﬁc user until the communication line in two consecutive sessions. re-registration. Sandirigama et al. proposed a simple strong-password Impersonation attack. This attack deceives the identity 2 ECE 679 PROJECT, SPRING 2004 of one of the legitimate parties. An attacker inserts a A.1 Registration Phase message and claims it comes from a real sender. Step R1. U calculates h 2 (P 1). Step R2. U =⇒ S : U, h 2 (P 1). II. SAS Description Step R3. S stores U, h 2 (P 1), and T = 1. A. Notations A.2 Authentication Phase • U denotes the user. For U’s nth login: • S denotes the authentication server. Step A1. U −→ S : U, service request. • E denotes the adversary. Step A2. S −→ U : n. • P represents the strong password of U. Step A3. U −→ S : c1 , c2 , c3 , • T denotes a positive integer indicating the number of where times the authentication is being executed. c1 = h(P n) h 2 (P n), • Nn denotes a random number used for the nth authen- c2 = h 2 (P (n+1)) h(P n), tication. c3 = h 3 (P (n+1)). • h denotes a cryptographic hash function. h(m) means Step A4. S checks if c1 = c2 holds. If it does, m is hashed once, h 2 (m) means m is hashed twice. S uses the stored h 2 (P n) to compute • denotes the bitwise XOR operation. y1 = c 1 h 2 (P n), • denotes the concatenation. y2 = c 2 y1 , • The expression A −→ B : X represents that A sends If h(y1 ) equals the stored h 2 (P n) and X to B through a common channel. h(y2 ) = c3 holds, S replaces h 2 (P n) with • The expression A =⇒ B : X represents that A sends y2 (=h 2 (P (n+1))), and sets T = n+1 X to B through a secure channel. for U’s next login. B. SAS Protocol The protocol consists of two phases namely registration IV. Impersonation Attack on the OSPA phase and authentication phase. The registration is done When the server authenticates the user using the OSPA only once and authentication is done every time the user system, the server receives data consisting of two veriﬁers. logs in. Then the attacker impersonates a regular user with that au- thentication data. In an attack on the OSPA, the attacker B.1 Registration Phase replays and forges authentication data with communication Step R1. U choose an initial random number No , and then data from the previous authentication session. computes h 2 (P No ). Step R2. U =⇒ S : U, h 2 (P No ), No . A. Impersonation Attack with Two Previous Veriﬁers 2 Step R3. S stores U, h (P No ), and No . When the user tries to be authenticated by the server on the (n+1)th authentication session, it is assumed that B.2 Authentication Phase an attacker has intercepted transmission data from the (n– For U’s nth login: 1)th to the (n+1)th authentication sessions. Those data Step A1. U −→ S : U, service request. are as follows: Step A2. S −→ U : Nn . The (n–1)th authentication data are Step A3. U −→ S : c1 , c2 , c3 , c(n−1)1 = h(P (n-1)) h 2 (P (n-1)), where 2 2 c(n−1)2 = h (P n) h(P (n-1)), c1 = h(P Nn ) h (P Nn ), c(n−1)3 = h 3 (P n), c2 = h 2 (P Nn+1 ) h 2 (P Nn ), the nth authentication data are c3 = Nn+1 . c(n)1 = h(P n) h 2 (P n), Step A4. S uses the stored h 2 (P Nn ) to compute 2 2 c(n)2 = h (P (n+1)) h(P n), y 1 = c1 h (P Nn ), 2 c(n)3 = h 3 (P (n+1)), y 2 = c2 h (P Nn ), the (n+1)th authentication data are If h(y1 ) equals the stored h 2 (P Nn ), 2 c(n+1)1 = h(P (n+1) h 2 (P (n+1)), S replaces h (P Nn ) and Nn with 2 2 c(n+1)2 = h (P (n+2)) h(P (n+1)), y2 (=h (P Nn+1 )) and Nn+1 for A’s next login. c(n+1)3 = h 3 (P (n+2)). When the attacker impersonates the user, he ﬁrst com- III. OSPA Description putes h 2 (P n) h(P (n+1)) from c(n)1 c(n)2 A. OSPA Protocol c(n+1)1 and replaces c (n+1)3 with c(n−1)3 . Next the at- tacker sends the following data to the server for the (n+1)th The OSPA protocol also consists of two phases: the reg- authentication session. istration phase and the authentication phase. I describe these two phases as follows. c (n+1)1 = h(P (n+1)) h 2 (P (n+1)), KIM, MINHO 3 c (n+1)2 = h 2 (P n) h(P (n+1)), c (n+1)3 = h 3 (P s). c (n+1)3 = h 3 (P n). Therefore, the attacker can change the veriﬁer using pre- After receiving the authentication data, the server vious veriﬁers. ﬁrst checks whether c(n+1)1 = c (n+1)2 . The data is accepted because h 2 (P (n+1)) is diﬀerent from C. Impersonation Attack with Various Veriﬁers h 2 (P n). Next the server retrieves h(P (n+1)) from In above subsection A and B, the attacker can change c(n+1)1 h 2 (P (n+1)), and gets h 2 (P n) from the veriﬁer to one of the previous veriﬁers. Then it is as- c (n+1)2 h(P (n+1)). Then the server compares sumed that the attacker changes the veriﬁer used in the h(h(P (n+1))) with the stored veriﬁer h 2 (P (n+1)), sth authentication session. Next the attacker logs in to the and compares h(h 2 (P n)) with the received c (n+1)3 . system, and changes the veriﬁer. However, the new ver- There are the same so the user is authenticated. Then iﬁer is limited to h 2 (P t) (t is an integer, 1 < t < s the server stores h 2 (P n) and sets n=n+1 for the next or t = s + 1). This means that the attacker changes the authentication. veriﬁer to the next one h 2 (P (s+1)) if s is small. For In the future, if the attacker wants to login, he alter- example, an attacker could change veriﬁers as follows: nately sends the following two sets. The attacker uses the ﬁrst set in the (n+2k)th authentication session (k is a nat- · · ·, h 2 (P 7), h 2 (P 4), h 2 (P 2), h 2 (P 3), · · · ural number) c1 = h(P n) h 2 (P n), Then the attacker changes veriﬁers sequentially, like 2 c2 = h (P (n+1)) h(P n), h 2 (P 2), h 2 (P 3). In that case, the crime can easily c3 = h 3 (P (n+1)), be detected because the veriﬁers are changed sequentially. and the attacker uses the second set in the (n+2k+1)th Then the server memorizes only two sequential veriﬁers. authentication session This problem is solved then: the attacker doesn’t change c1 = h(P (n+1)) h 2 (P (n+1)), the veriﬁer sequentially. For example, when the attacker c2 = h 2 (P n) h(P (n+1)), changes the veriﬁer from h 2 (P s) to h 2 (P (s+2)), he c3 = h 3 (P n), generates the following transmission data. then the veriﬁer in the server is changed to h 2 (P (n+1)) The attacker uses the sth authentication data and h 2 (P n) in turns. In this way, the attacker can c(s)1 = h(P s) h 2 (P s), 2 impersonate the regular user. c(s)2 = h (P (s+1)) h(P s), c(s)3 = h 3 (P (s+1)), B. Impersonation Attack Using Many Previous Veriﬁers and the (s+1)th authentication data c(s+1)1 = h(P s) h 2 (P (s+1)), In an impersonation attack with two previous veriﬁers, 2 c(s+1)2 = h (P (s+2)) h(P (s+1)), the invasion can be detected if the server has stored two c(s+1)3 = h 3 (P (s+2)). veriﬁers. As a result, the attacker has to change the next veriﬁer intentionally. The attacker computes c2 from c(s)2 c(s+1)1 c(s+1)2 , As above mentioned, the attacker makes c(n+1)1 , c (n+1)2 , and replaces c3 and c(s+1)3 . Then he sends the following c (n+1)3 using transmission data from the (n–1)th to the data and changes the veriﬁer to h 2 (P (s+2)). (n+1)th authentication sessions. In the same manner, the c1 = h(P s) h 2 (P s), attacker can generate the following data using communica- c2 = h 2 (P (s+2)) h(P s), tion data from the (n–2)th to the (n+1)th authentication c3 = h 3 (P (s+2)). sessions, and changes the veriﬁer from h 2 (P (n+1)) to Similarly, the attacker computes c2 from c(s)2 c(s+1)1 h 2 (P (n–1)). Then the attacker computes c (n+1)2 from c(s+1)2 ··· c(u−1)1 c(u−1)2 , and replaces c3 c(n−1)1 c(n−1)2 c(n)1 c(n)2 c(n+1)1 , and replaces with c(u−1)3 . Then the attacker can change the veriﬁer to c (n+1)3 with c(n−2)3 . h 2 (P u) using the sth to (u-1)th authentication data (u c(n+1)1 = h(P (n+1)) h 2 (P (n+1)), is an integer, s < u < n + 2) as below: 2 c (n+1)2 = h (P (n–1)) h(P (n+1)), c1 = h(P s) h 2 (P s), 2 c (n+1)3 = h 3 (P (n–1)). c2 = h (P u) h(P s), c3 = h 3 (P u). The attacker can generate the following data in Therefore, the attacker can change the next veriﬁer using a similar manner, and the change the veriﬁer from various veriﬁers. h 2 (P (n+1)) to h 2 (P s) (s is an integer, 1 < s < n + 1). Then the attacker computes c (n+1)2 from D. Hybrid Impersonation Attack c(s)1 c(s)2 c(s+1)1 c(s+1)2 ··· c(n−1)1 c(n−1)2 The attacker can change the veriﬁer in various ways us- c(n)1 c(n)2 c(n+1)1 , and replaces c (n+1)3 with ing a combination of the three techniques explained above c(s−1)3 . section A, B, and C. c(n+1)1 = h(P (n+1)) h 2 (P (n+1)), However, the crime can be detected if the server has c (n+1)2 = h 2 (P s) h(P (n+1)), stored all veriﬁers, because the attacker changes to the ver- 4 ECE 679 PROJECT, SPRING 2004 iﬁer used before, but storing all the veriﬁers isn’t practical. A. Denial-of-Service Attack Further, the user can’t use the same veriﬁer if the server A denial-of-service attack is an oﬀensive action whereby stores and checks all veriﬁers. Such a mechanism can’t en- the adversary could use some method to work upon the sure security if the user has used the system for a long time. server so that the access requests issued by the legitimate user will be denied by the server. During Step A2 of Lin- V. Security Enhancement for Optimal Shen-hwang’s protocol, E can replace the transmitting c3 Strong-Password Authentication Protocol with an equal-sized random number, denoted by c3 while the transmitting U and c2 are left unchanged. After receiv- A. Lin-Shen-Hwang’s Protocol ing this modiﬁed message, S will compute This scheme propose a new scheme to withstand the c2 = h(X U) c2 = h(P N) stolen veriﬁer problem. Also, it is composed of two phases: the registration phase and the authentication phase. where c2 = h(X U) h(P N). Since h(c2 ) equals the stored veriﬁer h 2 (P N), S will grant U’s login request A.1 Registration Phase and compute Step R1. U calculates h 2 (P N), h 2 (X U) c3 where N is a nonce. Step R2. U =⇒ S : U, h 2 (P N). Then, S updates the veriﬁer h 2 (P N) with Step R3. S checks U and stores U, h 2 (P N). h 2 (X U) c3 for U’s next login. Although U can success- Step R4. S stores K and N into U’s SC and fully login S in this session, his succeeding login requests releases it to U, will be denied unless he re-registers to S again. That is, E where can easily lock the account of any user without using any SC is the smart card, cryptographic technique. Thus, Lin-Shen-hwang’s protocol K = h 2 (P N) h(X U), is vulerable to a denial-of-service attack. X is the secret key of the server. B. Replay Attack A.2 Authentication Phase Suppose that, before U’s nth login, the E has eaves- dropped U’s two previous authentication messages (U, For U’s login, U inserts U’s SC into a login device and (n−2) (n−2) (n−1) (n−1) keys in the password(U,P). The smart card perform the c2 , c3 ) and (U, c2 , c3 ). During U’s nth (n) following operations: login process, E can replace the transmitting (U, c2 , (n) (n) (n−2) (n) Step A1. U −→ S : U, c2 , and c3 as a login request. c3 ) with (U, c2 , c3 ), i.e., c3 is replaced with (n−2) where c3 (=h 2 (X U) h 2 (P N(n−1) )), N(n−2) = N(n−1) , c1 = K h 2 (P N) = h(X U). Here K is which was used in U’s (n–2)th authentication session. stored in the smart card. Next, S will compute c 2 = c1 h(P N), c2 (n) = h(X U) c2 (n) = h(P N(n) ) c3 = h(c1 ) h 2 (P N )). (n) where N is a new random nonce and where c2 = h(X U) h(P N(n) ). Since h(c2 (n) ) h 2 (P N ) is a new veriﬁer for the next login. equals the stored veriﬁer h 2 (P N(n) ), S will grant U’s login request and compute S performs the following operations to identify: the login (n−2) user h 2 (X U) c3 =h 2 (X U) h 2 (X U) h 2 (P N(n−1) ) Step A2. Check the format of U. =h (P2 N (n−1) ) Step A3. Check the identity of the login user by c2 . The server computes h(X U) and c2 , Next, S replaces the veriﬁer h 2 (P N(n) ) with where c2 = h(X U) c2 = h(P N) and 2 h (P N (n−1) ) for U’s next login. Before U’s next login, checks h(c2 ) with the stored veriﬁer h 2 (P N). E can impersonate as A to login S by sending (U, c2 (n−1) , If it passes, then the server accepts the login request (n−1) (n−1) c3 ) to S. Because h(h(X U) c2 ) equals the stored and permits the accessing power. veriﬁer h 2 (P N(n−1) ), S will grant E’s login request and Step A4. Calculate h 2 (P N ) and update h 2 (P N) 2 replace the veriﬁer h 2 (P N(n−1) ) with h 2 (P N(n) ). with h (P N ) for the next login. In addition, E can impersonate as A to login S by using h 2 (P N ) = h 2 (X U) c3 (n) (n−2) (U, c2 , c3 ) as his next authentication message. Simi- (n−1) (n−1) (n) larly, E can repeatedly use (U, c2 , c3 ) and (U, c2 , VI. Weaknesses of Lin-Shen-Hwang’s Protocol (n−2) (n) (n) c3 ) to impersonate as he can send (U, c2 , c3 ) with (n) (n−2) In this section, we are shown Lin-Shen-hwang’s proto- (U, c2 , c3 ) to S. If this replay attack is completed be- col is vulnerable to a denial-of-service attack and a replay fore U’s next login, it will not be detected easily by U. attack. KIM, MINHO 5 VII. A Hash-Based Strong-Password VIII. Stolen-Verifier Attack on the Ku’s Scheme Authentication Scheme without Using Assume that an adversary E has stolen the the password- Smart Cards veriﬁer, h 2 (S P n t) when U’s nth registration. Then, There are two protocol, the registration and the login during U’s nth login process, E blocks and copies the protocol, which can be described as in the following. message n, r, t in step L2, and c1 , c2 , and c3 in Step L3. E derives h(S P n t) by XORing the previous stolen A. Registration Protocol h 2 (S P n t) with the captured c1 , and derives h 2 (S P n+ 1 t) with h(S P n t). Then E sends c1 , c2 , and c3 to This protocol is invoked whenever U initially registers or server S. After receiving the authentication message, S ﬁrst re-registers to S. Let T denote the latest time U initially retrieves k(t) = h(S P n t) and the uses the computed k(t) A A registers or re-registers to S and N denotes a sequence num- to derive the veriﬁer h 2 (S P n t) from the stored sealed ber starting from 1 since U’s initial registration. veriﬁer sv (n) (=h 2 (S P n t) (t) kA ). Next, S computes u1 = c1 h 2 (S P n t) and u2 = c2 u1 . If h(u1 ) Step R1. U sends his registration request to S. equals the retrieved h 2 (S P n t) and h(u2 r)=c3 holds, S Step R2. S sets T to the value of his current timestamp. authenticates U. If it is U’s initial registration, S sets N to 1. After that E compute and change c1 , c2 , and c3 with Otherwise, S sets N=N+1. c1 , c2 , and c3 with new password P , n, r, and t what E U =⇒ S : N, T. received in the Step L2. Then E’ll always success to login. Step R3. U computes the veriﬁer h 2 (S P N T), and then ......... U =⇒ S : h 2 (S P N T). (T) Step R4. S computes the storage key kA : (T) kA =h(A h(k T )), References and then computes the sealed veriﬁer  NBS, “Data encryption standard,” FIPS-PUB-45, 1997. (T)  A.Shimizu and S.Miyaguchi, “Fast data encipherment algorithm sv (T ) =h 2 (S P N T) kA . Next, S stores feal,” IEICE Transactions, , no. 7, pp. 1413–1423, July 1987. (T ) sv , T, and N in his password ﬁle.  M.Matsui, “New block encryption algorithm misty,” Lecture where Note in Computer Science, FSE 1997, pp. 54–68, 1997.  L.Lamport, “Password authentication with insecure communica- k denotes S’s secret key commonly used for tion,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, generating a unique storage key for each user. 1981.  A.Shimizu, “A dynamic password authentication method by one-way function,” IEICE Transactions, , no. 7, pp. 630–636, B. Login Protocol July 1990.  A.Shimizu, T.Horioka, and H.Inagaki, “A password authentica- This protocol is invoked whenever U logins S. Suppose tion method for contents communication on the internet,” IE- that N=n and T=t. ICE Transactions on Communications, , no. 8, pp. 1666–1673, Aug. 1998.  Manjula Sandirigama, Akihiro Shimizu, and Matu-Tarow Noda, Step L1. U −→ S : login request. “Simple and secure password authentication protocol(sas),” IE- Step L2. S −→ U : n, r, t. ICE Transactions on Communications, , no. 6, pp. 1363–1365, June 2000. where r is a random nonce selected by S.  Chun-Li Lin, Hung-Min SUN, and Tzonelih Hwang, “At- Step L3. U −→ S : c1 , c2 , c3 , tacks and solutions on strong-password authentication,” IEICE where Transactions on Communications, , no. 9, pp. 2622–2627, Sept. 2001. c1 = h 2 (S P n t) h(S P n t),  Chien-Ming Chen and Wei-Chi Ku, “Stolen-veriﬁer attack on c2 = h(S P n t) h 2 (S P n + 1 t), two new strong-password authentication protocols,” IEICE c3 = h(h 2 (S P n + 1 t) r). Transactions on Communications, , no. 11, pp. 2519–2521, Nov. 2002. Step L4. S retrieves t from his password ﬁle and computes  T.Tsuji and A.Shimizu, “An implementation attack on one-time password authentication protocol ospa,” IEICE Transactions on (t) kA =h(A h(k t)), and then uses the computed Communications, , no. 7, pp. 2182–2185, July 2003. (t)  Chih-Wei Lin, Jau-Ji Shen, and Min-Shiang Hwang, “Security kA to derive the veriﬁer h 2 (S P n t) from the enhancement for optimal strong-password authentication proto- (t) col,” ACM Operating System Review, vol. 37, no. 2, pp. 7–12, stored sealed veriﬁer sv (n) (=h 2 (S P n t) kA ). Apr. 2003. Next, S computes  Wei-Chi Ku, Hao-Chuan Tsai, and Shuai-Min Chen, “Two sim- ple attacks on lin-shen-hwang’s strong-password authentication u1 = c1 h 2 (S P n t), protocol,” ACM Operating System Review, vol. 37, no. 4, pp. u2 = c2 u1 . 26–31, Oct. 2003.  Wei-Chi Ku, “A hash-based strong-password authentication If h(u1 ) equals the retrieved h 2 (S P n t) and scheme without using smart cards,” ACM Operating System h(u2 r)=c3 holds, S authenticates U. Otherwise, S rejects Review, vol. 38, no. 1, pp. 29–34, Jan. 2004. U’s login request and terminates this session. Then, S com- (t) (t) putes sv (n+1) = u2 kA (=h 2 (S P n + 1 t) kA ), (n) (n+1) replaces sv with sv , and sets N=n+1 for U’s next login protocol, the value of T is unchanged, i.e., T=t.
Pages to are hidden for
"Analysis of the Secure Password Authentication Protocol_1_"Please download to view full document