Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography

Recently, a password authentication and update scheme was presented by Islam and Biswas to remove the security weaknesses in Lin and Huang's scheme. Unfortunately, He et al., Wang et al., and Li have found that Islam and Biswas' improvement is vulnerable to offline password guessing attack, stolen verifier attack, privileged insider attack, and denial of service attack. In this paper, we further analyze Islam and Biswas' scheme and demonstrate that it cannot resist password compromise impersonation attack. To remedy the weaknesses mentioned above, we propose an improved anonymous remote authentication scheme using a smart card and without bilinear pairing computation. In addition, verifier tables are no longer needed, so the privacy of users is better protected. Furthermore, our proposal not only inherits the advantages of Islam and Biswas' scheme, but also provides more features, including preserving user anonymity and supporting offline password change, revocation, reregistration with the same identifier, and system update. Finally, we compare our enhancement with related works to show that the improvement is more secure and robust while maintaining low performance cost.


Introduction
With the fast development of communication terminals and networks, users can obtain many services distributed over the world, whenever and wherever they are. Nevertheless, more and more security issues prevent the advanced technologies from moving forward, and more and more people are concerned about the security of their information and communication applications. In particular, how to access a remote server securely is a key issue for all users. Generally speaking, the first line of defense for remote communication systems is authentication, which permits legal users to obtain their desired services securely while rejecting illegal users' access to the servers. After that, to guarantee private communication over insecure public networks, key agreement provides the session keys that are used to encrypt and decrypt the subsequent information transmitted over public channels (e.g., the Internet and radio). In other words, authentication and key agreement play important roles in guaranteeing the security of information and communication systems. In this paper, we focus on remote authentication and private communication.
Due to the property of being easy to memorize, the password has become the most popular and widely adopted method for authentication since Lamport's [1] contribution on remote authentication using a hash function in 1981. However, this convenient property leads to the weakness of low entropy, which can be the target of adversaries, for example, through password guessing (online or offline) attacks [2] and verifier stolen attacks. In addition, password-verifier tables are a heavy burden for servers to store and manage. Furthermore, password-verifier tables are threatened by attackers, who can compromise these tables and reveal (guess) the user's password or masquerade as the legal user. In 2000, Peyravian and Zunic [3] presented a method for protecting and changing passwords in authentication schemes while they are transmitted over untrusted networks [4]. Their scheme did not use any symmetric-key or public-key cryptosystem but only employed a collision-resistant hash function. In 2002, Hwang and Yeh [5] pointed out that the scheme in [3] was vulnerable to guessing attack, server spoofing, and data
RG2: Session Key Distribution. The legal participants in the scheme should generate a secure session key. In addition, the session key should be shared only between the participants, and no one else should be able to reveal it. Furthermore, the session key should be generated fresh with key privacy, forward secrecy, and no key control.
RG3: Password Change. Users can change their passwords securely and freely without interacting with the remote server; that is, users can securely change their passwords offline.
RG4: Revocation and Reregistration. Users can revoke their credentials for security concerns and reregister without changing their identifiers on the same server.
RG5: System Update. The master key of the server should be changed periodically for security or system update.
RG6: Credentials Leakage Resistant. For users, the password should be protected securely to resist various kinds of guessing attacks launched by insider users, servers, or adversaries. For servers, no verifier tables are stored in the database, so verifier-stolen attack and insider server attack are resisted.
RG7: Denial of Service Resistance. The server should provide mechanisms to resist denial of service (DoS) attacks caused by exhausted resources (computation, memory, or connection) and malicious password change.
RG8: Preserving User Anonymity. The user's identifier should be protected from being hijacked or stolen, because the user's privacy is a concern in most applications, and no one except the legal participants can obtain the user's identifier.
In the rest of the paper, we briefly review Hafizul Islam and Biswas' scheme [10] in Section 2. The analysis of and comments on their scheme are presented in Section 3. An improved scheme is proposed in Section 4. The analysis, comparison, and comments on our proposal are given in Section 5. The paper is concluded in Section 6. Finally, the notations used in this paper are listed in the Notations section.

Review
In this section, the scheme of Hafizul Islam and Biswas [10] is reviewed in brief. There are four phases in Hafizul Islam and Biswas' [10] scheme: registration phase, password authentication phase, password change phase, and session key distribution phase. The details of their scheme are described as follows.

Registration Phase.
The client  registers to the server  with identity ID  and password verifier   = pw  ⋅  and collects the server's public key   =   ⋅ . Then,  stores each legal client's identity ID  , password verifier   , and a status-bit in a write-protected file, where the status-bit indicates the status of the client in the server (logged-in or logged-off).

Password Authentication Phase
Step A1.  keys ID  and pw  into the terminal.  selects a random number   ∈ [1,  − 1], computing where the symmetric key   is the -coordinate of  = pw  ⋅   = pw  ⋅  ⋅  = (  ,   ). Finally,  sends the login request message, to the remote server.
Step A2.  checks the validity of ID  and computes its corresponding decryption key   by calculating After decrypting,  compares the received ID  with the decrypted ID  and ê(  ,   ) with ê(  ,   ). If all the conditions are satisfied,  selects a random number   and computes At last,  sends its response message, to the client.
Step A3.  retrieves   by subtracting   from   +   . If the hash value of the retrieved   is equal to the received (  ),  computes and sends it to the remote server.
Step A4.  computes with its own copies of   and   and compares the results with the received (  ,   ). If they are equal,  accepts the client's login request; otherwise it rejects.
Step D4.  → : key distribution granted/denied. In this protocol, two random numbers   ,   ∈ [1,  − 1] are chosen by the client and the server, respectively.  computes the final session key as and  computes

Analysis
In this section, we demonstrate that Hafizul Islam and Biswas' [10] scheme is vulnerable to password compromise impersonation attack. In addition, the comments on the scheme show the security weaknesses caused by the low-entropy password, the weak password-verifier table, and the improper challenge-response mechanism.

Password Compromise Impersonation Attack.
The password, as the unique secret information of the client, plays the key role in password-based remote authentication schemes. Intuitively, an adversary who has compromised the client's password could impersonate the client to cheat the remote server; this is the trivial attack. However, password compromise impersonation (PCI) [14][15][16], as a special attack, means that the adversary could impersonate the remote server to cheat the client himself/herself using his/her compromised password. A PCI attack is defined as follows: in a password-based client-server remote authentication (or authenticated key distribution) scheme, the adversary is considered successful in a PCI attack if it can impersonate the uncorrupted remote server  to communicate with the corrupted client , who has compromised his/her password to the adversary. In other words, the goal of the adversary launching a PCI attack is to impersonate the remote server to cheat the client himself/herself without being detected. More detailed introductions to PCI attack can be found in the literature [14][15][16].
PCI Attack. Assume that the adversary not only can control the communication between the client and the server, that is, it can eavesdrop, record, intercept, modify, delete, insert messages, or even inject new messages during the protocol execution, but also can obtain the password pw  of client . Then the PCI attack can be performed by the following steps, as illustrated in Figure 1.
Step 1. The adversary intercepts the login request message, sent from  to , when  initializes a new password authentication session with  in Step A1.
Step 2. The adversary computes and decrypts with   to obtain   . Then the adversary generates a random number  *  and computes where  *  =  *  ⋅   . Finally, the adversary sends the reply, to . Note that the verification procedures executed by the adversary could be ignored for simplicity, since its purpose is to impersonate the remote server.
Step 3. After receiving the reply from the adversary,  retrieves  *  from   +  *  , verifies the hash value of the retrieved  *  with the received ( *  ), and sends to the adversary.
Step 4. According to the description of the original protocol, the adversary computes (  ,  *  ) with its own copies of   and  *  and compares the results with the received (  ,  *  ). If they are equal, the adversary accepts the client's login request; otherwise it rejects.
The password change and session key distribution phases are vulnerable to PCI attack with the same procedures for different targets. First, the adversary could get the new password verifier by retrieving    from   +    using the decrypted   in    (ID  ,   ,   ) obtained from the compromised password pw  . Then the adversary could further launch offline password guessing attack to obtain the new password pw   of the client. Secondly, the adversary can compute and share the session key where SK * = pw  ⋅   ⋅  *  =   ⋅  *  ⋅ pw  ⋅   ⋅  is computed by . Consequently, the adversary could also launch man-in-the-middle attack and modify the communications between  and  arbitrarily.

Comments. The first and most important weakness in Hafizul Islam and Biswas' [10] scheme is the low-entropy password, which is usually vulnerable to guessing (online or offline) attacks. The reason for the guessing attack is that the password is selected from a small space/set, called a dictionary  of size ||, so that the password is easy to remember. However, the small space of the dictionary is a double-edged sword: it provides convenience for users but can be used by the adversary to guess the correct password by analyzing the security flaws in the algorithms. He [11], Wang et al. [12], and Li [13] have demonstrated that the adversary could launch various offline password guessing attacks, for example, tracing the password in the execution of the scheme to match redundant information, using the verifier tables to confirm the guessed password, and obtaining the verifier table to guess the client's password as the malicious system manager or privileged insider. Furthermore, once the password of the client is compromised, the adversary not only can impersonate the client to cheat the remote server, but also can impersonate the remote server to cheat the client himself/herself. Finally, the serious security weaknesses caused by the unique low-entropy factor (password) show that a single factor cannot sufficiently resist common attacks, and a second factor (smart card) should be introduced to overcome the security flaws while keeping the improved scheme efficient and practical.
Moreover, the threats to weak password-verifier tables have been shown in [11,12], for example, offline password guessing attack and privileged insider attack. Weak password-verifier tables have been the crucial targets for most adversaries, who can use these tables for further attacks. Generally speaking, offline password guessing attack always depends on the verifier tables, which provide the matching information. Moreover, various application servers may handle the password-verifier tables carelessly, because the secret key  is crucial information for them, but the password-verifier tables are not. In addition, password-verifier tables are usually treated the same as other tables, and leakage of password-verifier tables occasionally happens in real applications. Consequently, weak password-verifier tables should be avoided in future designs.
The challenge-response mechanism should be used to resist replay attack and to contribute to the fresh session key. However, an improper challenge-response mechanism may be used by the adversary to launch DoS attack. In addition, the denial of service attack pointed out by Wang et al. [12] is caused by the improper challenge-response mechanism, because the adversary could replay all the expired legal login request messages and exhaust the resources of the server, for example, computation, memory, and connection. Another reason for the denial of service attack is the expensive cost of the bilinear pairing operations. Thus, an improper challenge-response mechanism may cause serious security issues or break down the system. Consequently, how to take maximum advantage of the challenge-response mechanism in the scheme is quite helpful for future design.

[Figure 1: PCI attack between the adversary and the client A. Panel titles: "Password authentication phase (public channel)" and "Key distribution"; both the adversary and the client compute the session key. Notes in the figure: "Step 1 and Step 2 are the same as password authentication phase" and "Step 1-Step 4 are the same as password authentication phase".]

Enhancement
There are two participants in the protocol: the user as the client  and the remote server . The proposed scheme is composed of five phases, namely, registration phase, authentication with key agreement phase, password change phase, revocation/reregistration phase, and key update phase.
The details of the enhanced scheme are described as follows and illustrated in Figure 2.

Registration Phase.
When the client  wants to register in the remote server  as a legal client to obtain the services, the following steps should be performed.
Step R1. The client  chooses the identity ID  with the password pw  , generates a random number , and sends the registration request, to  over the secure channel.
Step R2.  checks the validity of ID  after receiving the registration request and computes the client's authentication information where   =  ⊕   ,  is the secret key of , and   is the unique identifier (or random number) generated by  for the smart card. Then the smart card is initialized with the parameters where  is the generator of the elliptic curve cryptosystem. Next,  sends the smart card to  over the secure channel and maintains the client table as where Status ∈ {0, 1} indicates the log-in (1) or log-off (0) status and Update ∈ {0, 1} indicates whether the client has updated the latest authentication information AI  .
Step R3. The client  initializes the smart card with the parameters ,   , where   = (ID  ⊕ ( ⊕ pw  )). All the parameters in the smart card are and ID  with pw  are kept by the client as his/her own knowledge. Finally, the registration phase is finished and  shares the secret, with  to authenticate each other and establish the session key.

Authentication with Key Agreement Phase.
When  wants to access the remote server and obtains the desired services, the following operations should be executed.
Step A1. The client  inputs ID *  with pw *  into his/her smart card. The smart card computes and checks If the equation holds, the smart card confirms the legal holder and sends the login request {Hello} to . Note that once the smart card confirms its legal holder, the equations ID *  = ID  and pw *  = pw  hold.
Step A2. After receiving the login request,  sends the precomputed challenge, to , where   is a random number generated by . Note that the challenge could be seen as a client puzzle [17] and sent by the technology of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [18].
Step A3. The client  solves and inputs the challenge  *  , and the smart card generates its own challenge where   is a random number generated by the smart card.
Then the smart card sends the response and its challenge, to .
Step A4. After confirming the validity of the response  *  ,  computes where   =  ⊕   . After that,  checks whether the computed value If it is,  authenticates  and computes the session key Then  computes the response and sends it to . In addition,  sets Status = 1 before replying with the acceptance.
Step A5. The smart card computes the session key After receiving the response, the smart card decrypts and checks the validity of both   and   . If they are valid,  authenticates  and establishes the session key SK. Finally, the mutual authentication and key agreement phase is finished successfully.
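As an added illustration of the challenge of Steps A2-A4 and of the DoS resistance it is meant to provide (this is example code, not the paper's; the paper cites client puzzles [17] without fixing a construction), the following Python models a hash-based client puzzle: the server binds a fresh random number r_S to a short-lived secret with an HMAC so that it keeps no per-request state, the client searches for a solution whose hash has a required number of leading zero bits, and the server verifies the response with two hash computations while rejecting expired or altered challenges. The class and function names and the puzzle construction itself are assumptions.

```python
"""Hash-based client puzzle modelling the challenge of Steps A2-A4.

Added example, not the paper's code. The construction (HMAC-bound challenge,
leading-zero-bit solution) is an assumption; the paper only cites client
puzzles [17]. Names (PuzzleServer, solve_puzzle, ...) are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


class PuzzleServer:
    """Server side: issues challenges statelessly and verifies solutions cheaply."""

    def __init__(self, difficulty: int = 16, ttl_seconds: int = 60) -> None:
        self.difficulty = difficulty   # expected client work is about 2**difficulty hashes
        self.ttl = ttl_seconds         # challenges older than this are rejected (replay)
        # Short-lived server secret: rotating it invalidates every outstanding puzzle
        # without per-client bookkeeping, so pending requests cost the server no memory.
        self._secret = secrets.token_bytes(32)

    def _tag(self, r_s: bytes, issued: int, difficulty: int) -> bytes:
        """HMAC binding the challenge parameters to the server secret."""
        msg = r_s + issued.to_bytes(8, "big") + bytes([difficulty])
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def make_challenge(self, now: Optional[float] = None) -> dict:
        """Step A2: the challenge R_S sent in reply to {Hello}; r_S is a fresh random number."""
        issued = int(time.time() if now is None else now)
        r_s = secrets.token_bytes(16)
        return {"r_s": r_s, "issued": issued, "difficulty": self.difficulty,
                "tag": self._tag(r_s, issued, self.difficulty)}

    def verify(self, challenge: dict, solution: bytes, now: Optional[float] = None) -> bool:
        """Step A4 precondition: accept R*_S only if it is fresh, unaltered and solved."""
        current = int(time.time() if now is None else now)
        if current - challenge["issued"] > self.ttl:
            return False               # expired or replayed challenge
        expected = self._tag(challenge["r_s"], challenge["issued"], challenge["difficulty"])
        if not hmac.compare_digest(expected, challenge["tag"]):
            return False               # client altered difficulty, r_S or timestamp
        digest = hashlib.sha256(challenge["r_s"] + solution).digest()
        return leading_zero_bits(digest) >= challenge["difficulty"]


def solve_puzzle(challenge: dict) -> bytes:
    """Step A3: the client searches for a solution; its cost grows with the difficulty."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        digest = hashlib.sha256(challenge["r_s"] + candidate).digest()
        if leading_zero_bits(digest) >= challenge["difficulty"]:
            return candidate
        counter += 1


def run_exchange(difficulty: int = 12) -> bool:
    """One honest Hello -> challenge -> response round; returns the server's verdict."""
    server = PuzzleServer(difficulty=difficulty)
    challenge = server.make_challenge()
    return server.verify(challenge, solve_puzzle(challenge))


if __name__ == "__main__":
    print("honest client accepted:", run_exchange())
```

The difficulty is the knob that trades client work against server protection: an attacker replaying old login messages fails the TTL check, and one that forges cheaper puzzles fails the HMAC check, so the server only spends work on responses it can verify in constant time.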

Password Change Phase.
When the client wants to change the old password pw  to a new one pw new  , the following offline steps should be performed after the smart card confirms its legal holder in Step A1.
Step P1. Once the verification in Step A1 succeeds,  selects the password change option and inputs the new password pw new  .
Step P2. The smart card computes Finally,  replaces   , AI  with  new  , AI new  , and the password change phase is finished.

Revocation/Reregistration Phase.
When  wants to revoke his/her registration for security concerns or reregister without changing his/her identity ID  ,  should delete the random number   for revocation or choose a new random number  new  and execute the registration phase again for reregistration. After the revocation phase,  cannot authenticate  or reply with the correct response to  without   . Similarly, the reregistration phase makes the old smart card expire, because  new  ≠   . Consequently, the revocation/reregistration phase is successfully finished.

System Update Phase.
When the remote server needs to update the system or change its secret key regularly, the key update phase should be performed between  and .  selects a new key  new and establishes a new table containing where  new  =  new ⊕ ( ⊕   ). If  updates the secret key, then it initializes all the clients' Update = 0; that is, all the clients should update their authentication information. Note that the clients can update their secret authentication information over a secure channel established by the session key SK. In other words,  must maintain the original secret key and client tables for those users who have not yet updated their authentication information. Upon receiving SAI new  ,  stores replacing AI  , and  deletes the old entry from the original tables of  while marking Update = 1. Finally, the system update phase is finished successfully.

Analysis and Comments
In this section, the security analysis demonstrates that the improved scheme not only remedies the weaknesses mentioned above, but also resists all known common attacks. Furthermore, the comparisons of security attributes, performance cost, and functionality illustrate that the improved scheme is more secure, efficient, and practical than the scheme in [10].

Security Analysis.
The security of the scheme is based on secure cryptographic primitives, including a one-way hash function, a pseudorandom generator, and a symmetric cryptosystem. Furthermore, the discrete logarithm problem (DLP) and the computational and decisional Diffie-Hellman problems (CDHP and DDHP) on the elliptic curve are assumed to be hard to solve by polynomial time algorithms [19,20].

5.1.1. Impersonation Attack. The enhanced scheme can resist the following common attacks for the purpose of impersonation, including replay attack, reflection attack, parallel session attack, man-in-the-middle attack, known session key attack, forgery attack, and password compromise impersonation attack. (1) The technologies of client puzzle   and challenge-response mechanism   are introduced to resist replay attack, reflection attack, and parallel session attack.   and   can also contribute to the computation of the fresh session key SK = (SAI  ‖   ⋅  ) = (AI  ‖   ⋅  ), which can resist known session key attack. (2) The design of mutual authentication with key agreement helps to resist man-in-the-middle attack in our scheme; that is, the key agreement protocol is authenticated, and the adversary cannot launch man-in-the-middle attack without authentication. In other words, the authenticated Diffie-Hellman mechanism helps to resist man-in-the-middle attack. (3) No adversary can impersonate the legal participants (client or remote server) to share the session key with the intended partner, because the adversary cannot forge the messages  TK [ID  , (  ‖ *  ‖SAI  )] or  SK [  ,   ] without knowing the temporary key TK or the session key . The security of the temporary key TK is based on the assumptions of DLP and CDHP. If the adversary could get TK, that is, the adversary could compute TK = (  ⋅   ⋅ ) without   or   , which is infeasible under the assumptions. The same holds for the session key: the adversary cannot compute SK without solving DLP or CDHP. Furthermore, the secret authentication information SAI  also helps to resist impersonation attack. SAI  is important for the adversary to forge the messages for authentication, because (  ‖ *  ‖SAI  ) and SK = (SAI  ‖   ⋅   ⋅ ) are composed of SAI  . However, SAI  = (ID  ‖   ) can be computed only by the legal client with the correct ID  , pw  , and the smart card, or by the remote server with  and   . (4) The two-factor authentication with key agreement can resist the password compromise impersonation attack in the enhanced scheme. If the client's password pw  is compromised, the adversary cannot forge the correct authentication message without knowing ID  and obtaining the smart card. Furthermore, the secret information cannot be computed by the adversary with pw  only, because the security of SAI  depends on ID  , pw  , AI  for the user or ,   for the server.

5.1.2. Password Guessing Attack. In password-based schemes, the adversary can guess the password in a dictionary , which is defined in a finite space of size ||. The adversary can guess the correct password with success probability 1/||. However, the enhanced scheme with two factors can resist such an attack due to the first defense of the smart card, which helps to protect the information stored in its memory. Furthermore, the anonymity in the enhanced scheme can also resist password guessing attack at a higher level, because the adversary must guess ID  and pw  at the same time. In other words, the success probability of guessing the correct password is Minimum{1/|||  |, 1/|  |||}, where |  | is the size of the identity dictionary. In addition, online password guessing attack is out of our consideration, because the technologies of client puzzle and CAPTCHA and additional network equipment (e.g., IDS and firewall) can help the remote server to limit failed login attempts.

5.1.3. Secrecy of the Session Key. The secrecy of the fresh session key SK = (SAI  ‖   ⋅   ⋅ ) includes key privacy, forward secrecy, and key control. First, the challenge-response mechanism   and   contributes to the freshness of the session key and keeps the generation of the session key out of either party's control. Secondly, the secure authentication information SAI  , which can be computed only by  and , ensures that no one can break the key privacy without knowing SAI  . Furthermore, under the assumptions of DLP, CDHP, and DDHP, the forward secrecy of the session key is protected even if the long-term keys SAI  or  are compromised. Finally, the authenticated Diffie-Hellman key exchange enhances the security of the scheme, because the compromise of the temporary random numbers cannot threaten the security of the final session key SK = (SAI  ‖   ⋅   ⋅ ) without knowing SAI  .

5.1.4. Credentials Leakage Resistant. The credentials mentioned in the enhancement are ID  , pw  , SAI  , , the smart card, and the client tables. Credentials leakage means that the adversary could get some of the credentials. In detail, the anonymous login request protects ID  from leakage and meanwhile protects pw  from guessing attack. Specifically, if the adversary could forge a server to phish the user's identity ID  , user anonymity cannot be preserved as usual. An additional mechanism should be provided to avoid this attack, while the other credentials are still protected as normal. Furthermore, the secure one-way hash function helps to avoid the compromise of SAI  from (  ‖ *  ‖SAI  ) and (SAI  ‖   ⋅   ⋅ ), and protects  from being extracted from (ID  ‖   ) by insider clients.

Denial of Service Resistance.
The technologies of client puzzle and CAPTCHA are introduced to protect the system from DoS attacks. In addition, other network equipment (e.g., IDS and firewall) can be used in the system to avoid such attacks.

Comparisons and Comments.
The comparisons and comments with related works [6,10,13] on security and functionality show that our enhancement is more secure and robust. The comparisons of security features in Table 1 show that our enhancement satisfies more  2 show that our enhancement provides more of the functionalities mentioned in Section 1 to support user-friendly properties and system flexibility. In addition, our enhancement can be implemented in a symmetric cryptosystem environment; that is, it is more practical because no public key infrastructure (PKI) is required. Finally, our enhancement, a two-factor authentication with key agreement scheme using a smart card, is suitable for mobile wireless communication systems while keeping the computation cost low on the elliptic curve cryptosystem, without expensive computations such as modular exponentiation or bilinear pairings. For the computational comparison, we only consider the latest schemes, for example, [10,13], and our proposal. Table 3 shows the computation cost of the login and authentication phase, which is the main procedure of the scheme. It illustrates that our proposal costs 3 (4) more hash function operations and one more symmetric decryption (encryption) operation for the user (server), but saves more time-consuming operations, such as point multiplication on the elliptic curve, point multiplication on the finite field, addition, and bilinear pairing computation on the elliptic curve.

Conclusion
In this paper, the scheme of Hafizul Islam and Biswas is cryptanalyzed and improved. A password compromise impersonation attack is demonstrated and some security weaknesses of their scheme are discussed. Furthermore, an enhanced scheme in the symmetric key environment is presented to overcome the existing weaknesses and provide more functionalities. In detail, the technologies of client puzzle and CAPTCHA are introduced to resist the known common attacks with a proper challenge-response mechanism. The public key infrastructure is replaced by the second factor (smart card) to enhance the security and robustness of the scheme. In addition, the enhanced scheme can also be used in global mobility networks to provide secure authentication and private communication. Finally, the analysis and comments show that our improved scheme is more secure, practical, efficient, and suitable for smart cards while providing more user-friendly properties and system flexibility.

[Figure 1 residue, client Step 3: retrieves W*_S ← W_A + W*_S, computes and verifies H(W*_S), computes H(W_A, W*_S).]
[Figure 2 residue (enhanced scheme between the client A, holding ID_A, pw_A, and the smart card, and the server S, holding x and the client tables, over a public channel): S generates a unique random N_A and computes M_A = x ⊕ N_A; R3: A writes b into the smart card, which is initialized with [b, V_A, N_A, AI_A, G, H(•)]; A1: {Hello!}; A2: S generates random r_S; A3: A inputs R*_S and generates r_A; S checks R_A =? valid; SK = ...]
,   ) is authenticated, then  subtracts   from   +    to extract the new password verifier    . Finally,  replaces   with    to finish the password change phase if and only if the hash value of (  ,    ) is equal to the received (  ,    ).
. If  finds ID  in the client tables, then it checks the Status of . If  has logged in (Status = 1),  terminates the session. Otherwise,  extracts   from the client table and computes