With the advancement in telecommunications technologies and communications networks, a user can access various resources remotely via a communications network. For example, a user who works in a remote branch office can access the documents in the central office or access the services provided by the service provider. Security and accessibility are two of the key requirements for the design of a communications network.
Authentication is the process of attempting to verify the digital identity of a user who wants to access protected resources on the network. The goal of the authentication process is two-fold: to allow a legitimate user to access available resources and to prevent an intruder from impersonating a legitimate user. In other words, the authentication process protects a user's information from being obtained by another person and denies unauthorized use of network resources. The most commonly used authentication method is to use a password to secure the resources. It has been shown that the traditional authentication method that is based solely on a user ID and a fixed password is inadequate for applications that require a high level of security protection.
A portable smart card with embedded computation capabilities has been widely adopted in two factor authentication methods. An authentication process involving a smart card and a password has been recognized as a more secure authentication method.
An authentication system may issue each user a smart card with embedded information pertinent to the user. When the user wants to access the system resources from a remote location, the authentication process is required. The user enters his or her user ID and password after inserting the smart card into a smart card reader coupled to a remote terminal (e.g., a USB device that integrates the smart card and a smart card reader into a remote terminal). The smart card generates a login request message using the user ID and the password. If the remote authentication server confirms the identity of the user, it grants access to the system resources.
A password based remote authentication method was first proposed in 1981. In this method, a remote authentication server maintains a table of passwords for all registered users. The remote authentication server verifies the identity of a user by comparing the password entered by the user with the one in the table. This method is simple but not scalable, and the system employing this method is an easy target for dictionary attacks. In addition, the cost of maintaining and protecting user passwords by an authentication server increases drastically with an increase in the number of users.
A new authentication method was proposed in 2000. In this method, a remote authentication server maintains a security key x_s. Based on the security key x_s and the user ID, the authentication server creates a strong password, a 1024-bit security key, for a user. The method only requires an authentication server to maintain a security key, not a table of passwords. However, it does not allow users to change their passwords. This restriction limits the practicability of the method.
In 1999, a different remote password authentication method based on time-stamps was proposed. The method does not need to maintain a table of passwords and it allows users to select their own passwords. A few more time-stamp based authentication methods were proposed in 2002 and 2003.
The commonalities of the time-stamp based authentication methods are as follows: First, a user can select his/her own password. Second, a remote authentication server does not need to maintain a table of passwords. Third, the authentication process is non-interactive, i.e., a user sends a one-way message to the remote authentication server, which validates the identity of the user.
The shortcoming of the time-stamp based authentication methods results from the fact that users tend to choose short and easy-to-remember passwords, usually 6 to 10 alphanumeric characters. This type of password is very easy to break by a dictionary attack.
A dictionary attack can be either an online attack or an offline attack. In the case of an online attack, a hacker tries to be authenticated by a remote authentication server by exhausting all possible passwords. There are two ways to defend against an online dictionary attack. The first method is to delay responses. The authentication server delays sending a login response to the remote terminal to prevent the hacker from exhausting all possible passwords in a finite amount of time. The second method is to lock the user account after several failed attempts to be authenticated by the authentication server. In other words, the authentication server temporarily deactivates the user account, which prevents the hacker from getting the correct password by exhausting all possible passwords in a finite amount of time.
An offline dictionary attack is a stronger attack technique. The hacker first intercepts the login information of a user and illegally obtains the user information stored in the smart card. The hacker then tries to guess the user password by calculating user information and exhausting all possible passwords. Because an offline dictionary attack has no interaction with the remote authentication server, it is more effective.
Smart card based authentication methods are susceptible to offline dictionary attacks due to the following two reasons. First, users tend to select weak passwords that are easier to remember. Second, the portability of a smart card brings convenience to users but the card could be lost or stolen.
Theoretically, a smart card must be tamper-proof, but in reality, multiple types of probe attacks exist. The information stored in a smart card can be obtained illegally. In some cases, user information is simply stored in the smart card without any protection. The hacker can use a dictionary attack to obtain the user password and impersonate the user to have unauthorized access to the system resources.
In one of the time-stamp based authentication methods, the parameters maintained by the system include n, e, d, and g; n and g are public information while e is a public key and d is a private key. The integer n is the product of two large prime numbers p and q, i.e., n=pq while the integer g is a predetermined system parameter (a primitive element) in GF(q) and GF(p). The selection of a public key e and a private key d must satisfy the following condition: ed≡1 mod φ(n).
In the registration phase, a user U submits his/her identity ID and password PW to a remote authentication server. Upon receiving a registration request from the user, the authentication server authenticates the identity ID of the user. If the identity of the user is confirmed, the authentication server generates a smart card identifier CID and calculates the security information S of the user according to the following equation: S = ID^d mod n. The authentication server also generates a value h according to the following equation: h = g^(PW·d) mod n. The set of information (n, e, g, CID, S, and h) is written into the memory of the smart card and the card is issued to the user U.
In the login phase, the user U must be authenticated by a remote authentication server. The user inserts the smart card into the smart card reader coupled to the remote terminal and enters the user identity ID and password PW. The smart card calculates two integers X and Y according to the following two equations: X = g^(r·PW) mod n and Y = S·h^(r·f(CID, T)) mod n, where r is a random number; T is the current time at the login terminal and used as a time-stamp; f( . . . ) is a one-way function. The smart card sends a login request message, M=(ID, CID, X, Y, n, e, g, T), to the remote authentication server.
In the authentication phase, the remote authentication server receives the login request and tries to authenticate the user identity ID and time-stamp T. If both pieces of information are valid, the remote authentication server checks whether Y^e equals ID·X^(f(CID, T)) mod n. If Y^e and ID·X^(f(CID, T)) mod n are equal, the login request is accepted, or else it is denied.
This authentication method is vulnerable to dictionary attacks. If the hacker gets hold of the user's smart card and retrieves the value h = g^(PW·d) mod n from the smart card, the hacker can exhaust all possible passwords and find a password PW*. If g^(PW*) is equal to h^e mod n, then PW* is the password of the user.
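The three phases of this scheme, and the reason the stored value h is a liability, can be traced in a short added example (not part of the original text). The toy primes, the integer encoding of ID and PW, the SHA-256 based f, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (a real n would be >= 1024 bits).
P, Q = 2**61 - 1, 2**31 - 1            # two primes; n = pq
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537                               # public key e
D = pow(E, -1, PHI)                     # private key d, ed ≡ 1 mod φ(n)
G = 7                                   # system parameter g (assumed value)

def f(cid, t):
    """One-way function f(CID, T); SHA-256 is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(f"{cid}|{t}".encode()).digest(), "big")

def register(user_id, pw, cid):
    """Registration: the server computes S and h and writes the card."""
    return {"n": N, "e": E, "g": G, "cid": cid,
            "S": pow(user_id, D, N),        # S = ID^d mod n
            "h": pow(G, pw * D, N)}         # h = g^(PW·d) mod n

def login(card, user_id, pw, t):
    """Login: the card builds (ID, CID, X, Y, T) from the entered password."""
    n = card["n"]
    r = secrets.randbelow(2**32) + 1        # fresh random r per login
    x = pow(card["g"], r * pw, n)                              # X = g^(r·PW)
    y = card["S"] * pow(card["h"], r * f(card["cid"], t), n) % n
    return (user_id, card["cid"], x, y, t)

def verify(msg):
    """Authentication: accept iff Y^e == ID·X^f(CID,T) mod n."""
    user_id, cid, x, y, t = msg
    return pow(y, E, N) == user_id * pow(x, f(cid, t), N) % N

def card_confirms_guess(card, guess):
    """The weakness: g^guess == h^e mod n needs only public values and h,
    so the card contents alone confirm or reject a password guess offline."""
    return pow(card["g"], guess, card["n"]) == pow(card["h"], card["e"], card["n"])
```

The check in `card_confirms_guess` never contacts the server, so the response delays and account lockouts described earlier do not apply to it.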
In another method, a remote authentication server only maintains a system security key x and a public hash function. In the registration phase, a user U submits his/her identity ID and password PW to the authentication server. Upon receiving the registration request from the user, the authentication server authenticates the identity ID of the user. If the identity of the user is confirmed, the authentication server generates a value R according to the following equation: R=h(ID⊕x)⊕PW. The set of information (R and h) is written into the memory of the smart card and the card is issued to the user U.
In the login phase, the user U must be authenticated by the remote authentication server. The user inserts the smart card into the smart card reader coupled to a remote terminal and enters the user identity ID and password PW. The smart card calculates two parameters k and C according to the following equations: k=R⊕PW and C=h(k⊕T), where T is the current time at the login terminal and used as a time-stamp. The smart card sends a login request message, M=(ID, T, C), to the remote authentication server.
In the authentication phase, the remote authentication server receives the login request and tries to authenticate the user identity ID and time-stamp T. If both pieces of information are valid, the remote authentication server checks whether C equals h(h(ID⊕x)⊕T). If C and h(h(ID⊕x)⊕T) are equal, the login request is accepted; otherwise, it is denied.
This authentication method is also vulnerable to dictionary attacks. If the hacker gets a hold of the user's smart card, retrieves the value R from the smart card, and intercepts the login information, M=(ID, T, C), the hacker can exhaust all possible passwords and find a password PW*. If C is equal to h(R⊕PW*⊕T), then PW* is the password of the user.
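The hash-based scheme can be followed the same way in this added example (not part of the original text). SHA-256 as h, zero-padding every value to 32 bytes before XOR, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def pad(value: bytes) -> bytes:
    """Fit a value to the 32-byte hash width so XOR is well defined (assumption)."""
    return value.ljust(32, b"\0")[:32]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(pad(a), pad(b)))

def h(data: bytes) -> bytes:
    """Public hash function h; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()

def register(user_id: bytes, pw: bytes, server_key: bytes) -> bytes:
    """Registration: R = h(ID ⊕ x) ⊕ PW is written to the card."""
    return xor(h(xor(user_id, server_key)), pw)

def login(card_r: bytes, pw: bytes, t: bytes) -> bytes:
    """Login: k = R ⊕ PW, C = h(k ⊕ T); the card sends (ID, T, C)."""
    k = xor(card_r, pw)
    return h(xor(k, t))

def server_verify(user_id: bytes, t: bytes, c: bytes, server_key: bytes) -> bool:
    """Authentication: accept iff C == h(h(ID ⊕ x) ⊕ T)."""
    expected = h(xor(h(xor(user_id, server_key)), t))
    return hmac.compare_digest(c, expected)

def capture_confirms_guess(card_r: bytes, t: bytes, c: bytes, guess: bytes) -> bool:
    """The weakness: R from the card plus one captured (T, C) pair is enough
    to test a password guess, with no use of the server key x."""
    return hmac.compare_digest(c, h(xor(xor(card_r, guess), t)))
```

Because R masks h(ID⊕x) with nothing but the password, the protection of the card value is only as strong as the password itself.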
As such, what is desired is a method and system to further improve the smart card based remote authentication system.