Security Analysis and Improvements of a Biometrics-based User Authentication Scheme Using Smart Cards

  • An, Young-Hwa (Division of Computer and Media Information Engineering, Kangnam University)
  • Received : 2011.12.21
  • Accepted : 2012.01.28
  • Published : 2012.02.29

Abstract

Many biometrics-based user authentication schemes using smart cards have been proposed to remedy the security weaknesses of user authentication systems. In 2010, Chang et al. proposed an improved biometrics-based user authentication scheme without a concurrency system, claimed to withstand the forgery attack, the off-line password guessing attack, the replay attack, and others. In this paper we analyze the security of Chang et al.'s scheme and show that it is still vulnerable to the man-in-the-middle attack and the off-line biometrics guessing attack, and that it does not provide mutual authentication between the user and the server. We then propose an improved scheme that overcomes these weaknesses even when the secret information stored in the smart card is revealed. Security analysis shows that the proposed scheme resists the user impersonation attack, the server masquerading attack, the man-in-the-middle attack, and the off-line biometrics guessing attack, and that it provides mutual authentication between the user and the remote server. In terms of computational complexity, the proposed scheme is also more efficient than Chang et al.'s scheme.

References

  1. J.J. Shen, C.W. Lin and M.S. Hwang, "Security Enhancement for the Timestamp-based Password Authentication Scheme Using Smart Cards," Computers and Security, Vol. 22, No. 7, pp. 591-595, 2003. https://doi.org/10.1016/S0167-4048(03)00709-0
  2. E.J. Yoon, E.K. Ryu and K.Y. Yoo, "Further Improvements of an Efficient Password-based Remote User Authentication Scheme Using Smart Cards," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 612-614, 2004. https://doi.org/10.1109/TCE.2004.1309437
  3. M.L. Das, A. Saxena and V.P. Gulati, "A Dynamic ID-based Remote User Authentication Scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  4. C.S. Bindu, P.C.S. Reddy and B. Satyanarayana, "Improved Remote User Authentication Scheme Preserving User Anonymity," International Journal of Computer Science and Network Security, Vol. 8, No. 3, pp. 62-66, 2008.
  5. Y. Lee and D. Won, "Cryptanalysis and Enhancement of a Remote User Authentication Scheme Using Smart Cards," Journal of The Korea Society of Computer and Information, Vol. 15, No. 1, pp. 139-147, 2010. https://doi.org/10.9708/jksci.2010.15.1.139
  6. S.M. Seo and Y.H. An, "Security Improvements on the Remote User Authentication Scheme Using Smart Cards," Journal of The Korea Society of Computer and Information, Vol. 15, No. 3, pp. 91-97, 2010. https://doi.org/10.9708/jksci.2010.15.3.091
  7. A.T.B. Jin, D.N.C. Ling and A. Goh, "Biohashing: Two Factor Authentication Featuring Fingerprint Data and Tokenized Random Number," Pattern Recognition, Vol. 37, pp. 2245-2255, 2004. https://doi.org/10.1016/j.patcog.2004.04.011
  8. M.K. Khan and J. Zhang, "Improving the Security of a Flexible Biometrics Remote User Authentication Scheme," Computer Standards and Interfaces, Vol. 29, No. 1, pp. 82-85, 2007. https://doi.org/10.1016/j.csi.2006.01.002
  9. C.T. Li and M.S. Hwang, "An Efficient Biometrics-based Remote User Authentication Scheme Using Smart Cards," Journal of Network and Computer Applications, Vol. 33, pp. 1-5, 2010. https://doi.org/10.1016/j.jnca.2009.08.001
  10. C.C. Chang, S.C. Chang and Y.W. Lai, "An Improved Biometrics-based User Authentication Scheme without Concurrency System," International Journal of Intelligent Information Processing, Vol. 1, No. 1, pp. 41-49, 2010. https://doi.org/10.4156/ijiip.vol1.issue1.5
  11. P. Kocher, J. Jaffe and B. Jun, "Differential Power Analysis," Advances in Cryptology (CRYPTO '99), pp. 388-397, 1999.
  12. T.S. Messerges, E.A. Dabbish and R.H. Sloan, "Examining Smart-Card Security under the Threat of Power Analysis Attacks," IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593

Cited by

  1. Content Errors and Security Analysis of "Analysis and Improvements of a Biometrics-based User Authentication Scheme Using Smart Cards", Journal of The Korea Society of Computer and Information, Vol. 19, No. 10, 2014. https://doi.org/10.9708/jksci.2014.19.10.099