Weaknesses Cryptanalysis of Khan's Scheme and Improved Authentication Scheme preserving User Anonymity

Analysis of the Weaknesses of Khan's Authentication Scheme and an Improved Authentication Scheme Providing User Anonymity

  • Park, Mi-Og (Division of Computer Science Engineering, Sungkyul University)
  • Received : 2012.11.13
  • Accepted : 2013.01.09
  • Published : 2013.02.28

Abstract

In this paper, we analyse the weaknesses of the authentication scheme preserving user anonymity proposed by Khan et al. [7] in 2011, and we propose a new authentication scheme preserving user anonymity that remedies these weaknesses. Khan et al.'s authentication scheme is vulnerable to the insider attack and does not provide user anonymity against the server. In addition, although it proposes a password change phase, it still has a weakness when a wrong password is entered by mistake. We show that Khan et al.'s scheme is also vulnerable to the stolen smart card attack and to the strong server/user masquerade attack. The proposed authentication scheme offers improved user anonymity, which gives users more secure privacy by remedying these weaknesses.

References

  1. L. Lamport, "Password Authentication with Insecure Communication," Communications of the ACM, Vol.24, pp.770-772, November 1981. https://doi.org/10.1145/358790.358797
  2. C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEEE Proceedings-Computers and Digital Techniques, Vol.38, No.3, pp.165-168, May 1991.
  3. H. S. Kim, S. W. Lee, and K. Y. Yoo, "ID-based Password Authentication Scheme using Smart Cards and Fingerprints," ACM Operating Systems Review, Vol.37, No.4, pp.32-41, October 2003. https://doi.org/10.1145/958965.958969
  4. C. L. Hsu, "Security of Chien et al's remote user authentication scheme using smart cards," Computer Standards and Interfaces 26, pp.167-169, May 2004. https://doi.org/10.1016/S0920-5489(03)00094-1
  5. E. J. Yoon, E. K. Ryu, and K. Y. Yoo, "Efficient Remote User Authentication Scheme based on Generalized ElGamal Signature Scheme," IEEE Transactions on Consumer Electronics, Vol.50, No.2, pp.568-570, May 2004. https://doi.org/10.1109/TCE.2004.1309425
  6. K. L. Das, A. Saxena, and V. P. Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, Vol.50, No.2, pp.629-631, May 2004. https://doi.org/10.1109/TCE.2004.1309441
  7. M. K. Khan, S. K. Kim, and K. Alghathbar, "Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme'," Computer Communications, Vol.34, Issue.3, pp.305-309, March 2011. https://doi.org/10.1016/j.comcom.2010.02.011
  8. Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications 32, pp.583-585, March 2009. https://doi.org/10.1016/j.comcom.2008.11.008
  9. R. Madhusudhan and R. C. Mittal, "Dynamic ID-based remote user password authentication schemes using smart cards : A review," Journal of Network and Computer Applications 35, pp.1235-1248, July 2012. https://doi.org/10.1016/j.jnca.2012.01.007
  10. C. S. Bindu, P. C. S. Reddy, and B. Satyanarayana, "Improved Remote User Authentication Scheme Preserving User Anonymity," IJCSNS International Journal of Computer Science and Network Security, Vol.8 No.3, pp.62-66, March 2008.
  11. H. C. Hsiang and W. K. Shih, "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standard and Interfaces 31, pp.1118-1123, November 2009. https://doi.org/10.1016/j.csi.2008.11.002