An Enhanced Remote User Authentication Scheme

Remote user authentication schemes are used to verify the legitimacy of remote users' login requests. Recently, several dynamic user authentication schemes have been proposed. It can be seen that these schemes have weaknesses because they use timestamps. The implementation of strict and safe time synchronization is very difficult and increases network overhead. In this paper, we propose a new dynamic user authentication scheme based on nonces. Mutual authentication is performed using a challenge-response handshake between user and server, which avoids the problems of synchronism between the smart card and the remote server. Besides, the scheme provides user anonymity and session key agreement. Finally, the security analysis and performance evaluation show that the scheme can resist several attacks, and that our proposal is feasible in terms of computation cost and communication cost.


Introduction
With the large-scale proliferation of the internet and network technologies, people are able to access any service from any place and at any time. Remote user authentication schemes are used to verify the legitimacy of a remote user's login request. Password-based authentication is one of the most convenient and efficient authentication mechanisms. However, password-based authentication schemes suffer from attacks due to low-entropy passwords, so designing a more secure and efficient authentication protocol is urgently needed. In 1981, Lamport proposed a remote user authentication scheme with a password table [1]. Afterwards, several schemes and improvements [2]-[4] have been proposed. However, most of them use a static identity (ID). Since the user's login ID is static in these verifier-free schemes, it may leak partial information about the user's login messages, which an adversary can use to forge the user's login messages by some subtle means.
One solution to this problem is to employ a dynamic ID in each login.
In 2004, Das et al. [5] proposed a dynamic ID-based remote user authentication scheme which can resist replay, masquerade, and insider attacks. However, Wang et al. in 2009 [6] pointed out that Das et al.'s scheme is susceptible to smart card attack and does not provide mutual authentication. Then, Wang et al. proposed a more efficient and secure dynamic ID-based remote user authentication scheme. Recently, Khan et al. in 2011 [7] pointed out that Wang et al.'s scheme is vulnerable to insider attack and does not provide user anonymity or session key agreement. Then, they proposed a dynamic ID-based remote user authentication scheme. We can see that these schemes have weaknesses because they use timestamps, which lead to serious clock synchronization problems. In this paper, we propose an enhanced dynamic ID-based remote user authentication scheme. In this scheme, mutual authentication is performed using a challenge-response handshake between user and server, which avoids the problems of synchronism. Furthermore, the scheme provides user anonymity and session key agreement.
The remainder of this paper is organized as follows. In Section 2, we present an enhanced remote user authentication scheme. In Section 3, we analyze this scheme. Finally, conclusions are presented in Section 4.

The Proposed Scheme
Not only is the implementation of strict and safe time synchronization very difficult and a source of extra network overhead, but most time synchronization schemes were also not designed with security in mind. In addition, if the allowed interval of transmission delay is set too short, legitimate users' logins will fail. However, if the interval is set too large, the scheme will suffer from replay attacks. Therefore, authentication protocols based on timestamps not only introduce more safety risk but are also impractical. In this section, we propose an enhanced remote user authentication scheme. To avoid the clock synchronization problem, we replace the timestamp design with a nonce-based mechanism. The improved scheme is divided into four phases: registration phase, login phase, authentication phase, and password change phase. Detailed steps of these phases are described as follows. The notations used throughout this paper are listed in Table 1.

Registration Phase
A user U i with identifier ID i must first carry out this phase once before he can use any of the services provided by the server S. In this phase, U i and S perform the following steps.
Step R1. User U i keys in his identity ID i and password PW i , and his smart card computes and submits ( ) ( ) , where x is the permanent secret key of S. Then, S sends to U i through a secure channel.

Login Phase
Whenever U i wants to log in to a server S, he must perform the following steps:
Step L1. After inserting his smart card into the card reader, U i inputs the identity ID i and password PW i . Then, the smart card computes ( )
Step L2. The smart card checks whether or not E i and C i are equal. If yes, U i passes the legitimacy verification and performs the following steps; otherwise, U i is rejected.
Step L3. The smart card randomly chooses a nonce R 1 , computes the login request message h(ID i ), F i , and sends it to the remote server S.

Authentication Phase
A user performs the remote authentication phase based on the login message whenever it visits the server. U i and S perform the following steps to achieve mutual authentication and to establish a session key.
Step A1. After receiving the login message Then, S chooses a nonce R 2 and computes
Step A2. The server S sends the mutual authentication message
Step A3. After receiving the mutual authentication message H i , h(R 1 ′) from the server S, the user U i checks whether or not h(R 1 ′) and h(R 1 ) are equal. If no, U i rejects this message and terminates the operation; otherwise, U i authenticates S successfully and computes h(R 2 ′), which it sends to S.
Step A4. When the server S receives h(R 2 ′), it checks whether or not h(R 2 ′) and h(R 2 ) are equal. If no, S sends a reject message to U i ; otherwise, S authenticates U i .
After finishing the mutual authentication phase, the user U i and the server S can each compute a common session key ( ) for the subsequent data transmission.

Password Change Phase
The user U i can change his password without the help of the server S; the details of the password change procedure are as follows. U i inserts the smart card and inputs his old password PW i and the identity ID i . Then, the smart card computes ( ) and checks whether or not C i ′ and C i are equal. If the verification succeeds, the smart card asks the cardholder to submit a new password PW i new , and then the smart card computes ( ) . At last, the smart card replaces the value of B i stored in its memory to finish the password change phase.
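The four phases above, as an added worked example that is not the paper's own code. Because the paper's formulas did not survive on this page, the concrete constructions of A i , B i , C i , F i , G i and H i (hash-and-XOR stand-ins), SHA-256 as h(), 32-byte nonces, and a server-side table from h(ID i ) to ID i are all assumptions; what the example reproduces is the message flow the text describes: the card's local check of C i before login, the anonymous dynamic login message h(ID i ), F i , the server's reply H i , h(R 1 ′), the user's answer h(R 2 ′), a session key derived from both nonces, and the password change performed entirely on the card. The last function shows why a replayed login cannot complete: the server picks a fresh R 2 each time, so the captured final message no longer matches.

```python
import hashlib
import hmac
import secrets

# Assumed stand-ins for the paper's values (not the paper's formulas):
#   A_i = h(ID_i || x)           bound to the server secret x
#   B_i = A_i xor h(ID_i || PW_i) stored on the card, hides A_i under ID and PW
#   C_i = h(A_i || PW_i)         local verifier stored on the card
#   F_i = R_1 xor A_i            dynamic login value, changes with R_1
#   G_i = h(A_i || R_1')         shared only by U_i and S
#   H_i = R_2 xor G_i            server challenge carrying R_2

def h(*parts: bytes) -> bytes:
    """One-way hash h() over the concatenation of its inputs (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """Remote server S holding the permanent secret key x."""
    def __init__(self) -> None:
        self.x = secrets.token_bytes(32)
        self.registry: dict = {}   # assumed table h(ID_i) -> ID_i for anonymous logins

    def register(self, identity: bytes, password: bytes) -> dict:
        """Registration phase: values S writes to U_i's smart card."""
        a_i = h(identity, self.x)
        self.registry[h(identity)] = identity
        return {"B": xor(a_i, h(identity, password)), "C": h(a_i, password)}

    def challenge(self, login_msg: tuple) -> tuple:
        """Steps A1-A2: recover R_1', pick a fresh R_2, send {H_i, h(R_1')}."""
        hid, f_i = login_msg
        a_i = h(self.registry[hid], self.x)
        r1_prime = xor(f_i, a_i)
        r2 = secrets.token_bytes(32)
        h_i = xor(r2, h(a_i, r1_prime))
        return (h_i, h(r1_prime)), {"a": a_i, "r1": r1_prime, "r2": r2}

    def verify(self, state: dict, h_r2_prime: bytes):
        """Step A4: accept U_i only if it answered this session's R_2; return SK."""
        if not hmac.compare_digest(h_r2_prime, h(state["r2"])):
            return None
        return h(state["a"], state["r1"], state["r2"])

class SmartCard:
    """U_i's smart card holding B_i and C_i."""
    def __init__(self, values: dict) -> None:
        self.B, self.C = values["B"], values["C"]
        self.pending, self.session_key = None, None

    def _unlock(self, identity: bytes, password: bytes):
        """Local check: recompute E_i from ID_i, PW_i and compare with stored C_i."""
        a_i = xor(self.B, h(identity, password))
        return a_i if hmac.compare_digest(h(a_i, password), self.C) else None

    def login(self, identity: bytes, password: bytes) -> tuple:
        """Steps L1-L3: verify locally, then build the dynamic login message."""
        a_i = self._unlock(identity, password)
        if a_i is None:
            raise ValueError("identity/password rejected by the card")
        r1 = secrets.token_bytes(32)
        self.pending = {"a": a_i, "r1": r1}
        return (h(identity), xor(r1, a_i))     # {h(ID_i), F_i}: ID_i never sent in clear

    def respond(self, auth_msg: tuple):
        """Step A3: authenticate S via h(R_1'), then answer its challenge with h(R_2')."""
        h_i, h_r1_prime = auth_msg
        p = self.pending
        if not hmac.compare_digest(h_r1_prime, h(p["r1"])):
            return None
        r2_prime = xor(h_i, h(p["a"], p["r1"]))
        self.session_key = h(p["a"], p["r1"], r2_prime)
        return h(r2_prime)

    def change_password(self, identity: bytes, old_pw: bytes, new_pw: bytes) -> bool:
        """Password change phase, done on the card without contacting S."""
        a_i = self._unlock(identity, old_pw)
        if a_i is None:
            return False
        self.B, self.C = xor(a_i, h(identity, new_pw)), h(a_i, new_pw)
        return True

def run_session(server, card, identity, password):
    """Full handshake; returns (login message, final message, card SK, server SK)."""
    login_msg = card.login(identity, password)
    auth_msg, state = server.challenge(login_msg)
    final_msg = card.respond(auth_msg)
    return login_msg, final_msg, card.session_key, server.verify(state, final_msg)

def replay_login(server, login_msg, final_msg):
    """Replaying a captured login and final message: S issues a fresh R_2, so the
    old h(R_2') no longer matches and verify() returns None."""
    _, state = server.challenge(login_msg)
    return server.verify(state, final_msg)
```

Both sides end with the same key only when the user answered the fresh R 2 , which is the property the nonce design buys over a timestamp window; the wrong-password path never reaches the network because the card's C i check fails first.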

Security Analysis
In this subsection, we present the security analysis of our scheme and show that the proposed scheme can resist many kinds of attack. To analyze the security of our scheme, we assume that an attacker can obtain the secret values stored in the smart card by monitoring the power consumption [8] [9] and can intercept the messages exchanged between the user and the server.

User Anonymity
The proposed scheme protects user anonymity. In the login phase, the user U i sends the login request message h(ID i ), F i to the server S. Thus, the attacker might intercept and analyze the login message. It is infeasible to derive the user identity ID i from h(ID i ). Furthermore, the login message is dynamic in each login. Among the parameters of the login message, F i is associated with the nonce R 1 and changes dynamically. Consequently, the attacker cannot identify the person who is trying to log in.

Replay Attack
The proposed scheme can resist replay attack because the login request message and the mutual authentication message both contain a nonce instead of a timestamp. Suppose that the attacker has intercepted a previous login request message. The attacker can resend the same message to S, but he can't continue, R′. For the same reason, the attacker still cannot successfully impersonate the server S to cheat the users by replaying the server's previous mutual authentication message H i , h(R 1 ′).

Impersonation Attack
The proposed scheme can withstand impersonation attack. Assume the attacker intercepts h(ID i ), F i , H i ; this information is of no use to him. He can't derive the secret parameter x or the password PW i . Without R 1 , R 2 , x and PW i , the attacker can't compute H i , so the impersonation can't continue. What's more, the attacker can't impersonate S, because he can't compute R 1 ′ without knowing the secret key x.

Denial-of-Service Attack
In our proposed scheme, the smart card of user U i checks the validity of the user identity ID i and password PW i before the update procedure. The attacker has to insert the smart card of user U i into the smart card reader and has to guess the identity ID i and password PW i correctly. The smart card computes ( ) and compares the computed value C i ′ with the value C i stored in its memory to verify the legitimacy of U i before it accepts the password update request. It is not possible to guess the identity ID i and password PW i correctly at the same time in polynomial time, even after obtaining the smart card of user U i . Therefore, the proposed protocol is secure against DoS attacks.

Insider Attack
If an attacker obtains B i and C i from U i 's smart card, he can't extract sensitive information such as ID i , PW i or x, because it is computationally infeasible to invert the one-way hash function h(). Moreover, he can't extract A i from B i without knowledge of ID i and PW i . Furthermore, even if the attacker is a legal user U i , he can't obtain x from his smart card. Thus, the insider attack is resisted.

Password Guessing Attack
In our scheme, U i 's password is only involved in ( ) H i , h(R 1 ′), so it is more difficult for an attacker to compute a valid authentication request message without knowing the server's secret value x. Therefore, we believe that on-line password guessing attacks can be prevented more efficiently. On the other hand, in our scheme U i 's login message, i.e. h(ID i ), F i , is well protected and does not involve U i 's password. This design eliminates the correlation between U i 's password and the transmitted messages, i.e. h(ID i ), F i , H i , so an attacker has no way to test a guessed password against a previously captured legitimate request or reply message in an off-line mode. Hence, our scheme is secure against the off-line password guessing attack.

Stolen Smart Card Attack
Our scheme can prevent stolen smart card attack. If the smart card is stolen or lost, the attacker can extract the secret information B i and C i from the smart card. With these parameters, the attacker tries to impersonate the user and log in to the server S. However, he must produce a valid login request message, and it is impossible to compute A i and F i from the given parameters without knowing x, ID i and PW i , so the attacker can't generate a valid login message.

Parallel Session Attack
Assume the attacker can masquerade as the legitimate user U i by replaying a login request message However, he can't compute the agreed session key ( ) between user U i and server S because he does not know the values of x, R 1 and R 2 . Therefore, the proposed scheme is secure against parallel session attack.

Mutual Authentication
Our scheme provides mutual authentication of U i and S. In our scheme, S sends the mutual authentication message H i , h(R 1 ′) to U i so that U i can validate its authenticity. The value of H i is calculated from G i , which is known only to U i and S, so this message is infeasible for a fake server to forge in order to impersonate S.

Session Key Agreement
The proposed scheme provides session key agreement during the authentication phase. Suppose the attacker obtains the secret values in the legal user's smart card and intercepts the messages exchanged between the user and the server; he may then attempt to compute the session key SK. However, he can't proceed without knowing R 1 and R 2 .

Performance Comparison
In this section, we summarize some performance issues of the proposed scheme. We compare the proposed scheme with related schemes in terms of cost and security requirements.

Cost Analysis
An efficient authentication scheme must take computation and communication cost into consideration during user authentication. The computation cost of each phase is defined as the total time of the various operations executed in that phase. The communication cost of authentication includes the cost of transmitting the messages involved in the authentication scheme. We mainly focus on the computations of the registration, login and authentication phases, since these phases are the main body of the proposed scheme.
In order to carry out the computation cost evaluation, we use the following notations: T h and T s are defined as the execution time of a one-way hash function and of a symmetric-key operation, respectively. Because the exclusive-or and concatenation operations require very little execution time, their computational cost is usually neglected. The time complexity of the different operations can be ordered as T ⊕ ≪ T h < T s . The comparative results are shown in Table 2.
From the table, it can be seen that our scheme requires nearly the same computation as the other related schemes, while providing more security.
In addition, we compare the communication cost of our scheme with that of the related schemes. The comparative results are shown in Table 3. We assume that the output size of the secure one-way hash function is 128 bits. For comparison, we also assume that the lengths of ID i , PW i , x and y are 128 bits, and that the sizes of timestamps and random numbers are 64 bits.
From the table, it can be seen that the communication cost of Das et al.'s scheme is the least, at 448 bits, because it does not support mutual authentication. Apart from that scheme, ours needs fewer bits than the others.

Security Requirements Analysis
In this section, we summarize the security features of our proposed scheme and compare its security robustness with related schemes. The comparative results are shown in Table 4.
From the table, it can be seen that our scheme is more secure and robust than the other schemes and achieves more security requirements, which were not considered in those schemes but are essential for a practical and universal remote user authentication scheme using smart cards.

Conclusions
In this paper, we have seen that several dynamic user authentication schemes have weaknesses because they use timestamps. Besides, the implementation of strict and safe time synchronization is very difficult and increases network overhead. To eliminate these weaknesses, we propose a new dynamic user authentication scheme based on nonces instead of timestamps. Mutual authentication is performed using a challenge-response handshake between the user and the remote server. Moreover, our scheme uses hash functions to implement user anonymity and session key agreement. The other merits include: 1) our scheme provides a secure password change method that prevents an adversary from updating the password freely; 2) our scheme can resist various attacks, including forward secrecy; 3) our scheme requires less computation and communication traffic; 4) it is a nonce-based scheme and so avoids the time-synchronization problem. Therefore, this scheme is well suited to network-based application systems. In our future work, we would carry out experiments if the conditions are met.