
An Efficient 3-Factor Authentication for Secure Communication using Improved Smart Cards Authentication


Academic year: 2020


International Journal of Computer Systems (ISSN: 2394-1065), Volume 04– Issue 07, July, 2017 Available at http://www.ijcsonline.com/


Salil Jain, Deepak Sain

Department of Computer Science & Engineering S.A.T.I, Vidisha (M.P), India

Abstract

Computer security is the protection of information from unauthorized or accidental disclosure, both while the information is in transmission and while it is in storage. Authentication protocols allow two entities to ensure that the counterparty is the intended one with whom each attempts to communicate over an insecure network. These protocols can be considered along three dimensions: type, efficiency and security. The existing methodology for secure communication using smart cards provides efficient security against various attacks, but incurs high computation and communication cost. Hence a new and efficient technique is implemented, based on the concept of 3-factor authentication. In the first factor, a secure password is generated for the valid user; then image-based authentication is generated; and finally smart-card-based authentication is provided. The proposed methodology provides secure communication against various attacks with low communication and computation cost.

Keywords: Authentication, Group Key Transfer, OTPK, Image Authentication, Smart Cards, Attacks.

I. INTRODUCTION

Authenticating humans to computers remains the main challenge where security is concerned and where data is sent from sender to receiver. The vast amount of personal information available on the Web has led to growing concerns about the privacy of its users. Today's global networked infrastructure requires the ability for parties to communicate in a secure environment while at the same time preserving their privacy. Support for digital identities and the definition of privacy-enhanced protocols and techniques for their management and exchange therefore become fundamental requirements. A number of useful privacy enhancing technologies (PETs) have been developed for dealing with privacy issues, and previous work on privacy protection has focused on a wide variety of topics. Among them, to help users maintain control over their personal information, access control solutions have been enriched with the ability to support privacy requirements by regulating access to and release of users' personal information. If privacy considerations are taken into account in the design of computer systems, they constrain the possible design space for such systems: solutions that violate privacy constraints can no longer be considered. Privacy constraints for computer systems stem primarily from two sources, namely privacy laws and regulations and the personal privacy expectations of computer users. Figure 1 shows the hierarchy of these constraints with a focus on privacy laws and regulations [1].

User authentication is a fundamental security requirement in the computing world. With the widespread use of distributed computer networks, remote user authentication has been introduced to identify a user remotely, and has been widely studied [2], [3], [4]. In general, authentication services may require three factors, i.e., password, smart card and biometric characteristics.

Figure 1. The Hierarchy of Potential Privacy Constraints [1].


user authentication mechanism through the Internet is based on password. Several authentication protocols have been proposed to integrate biometric authentication with password authentication and/or smart-card authentication. Lee et al. [5] designed an authentication system which does not need a password table to authenticate registered users. Instead, a smart card and a fingerprint are required for authentication. However, according to the analysis given in [6], Lee et al.’s scheme is insecure under a conspiring attack.

II. RELATED WORK

Starting with the work of Ford and Kaliski, various zero-knowledge multiple-server password protocols have been proposed. Multi-server protocols should provide basic username-password authentication to the collection of servers, without using special hardware or long-term client-side key storage. Even for low-entropy passwords, an attacker should not be able to improve upon the naive guessing strategy without corrupting a threshold number of servers. On the other hand, these protocols do not pursue unrealistic goals such as preventing denial of service or protecting user passwords in the case of client compromise. Since the first remote user authentication scheme using smart cards was introduced, many such schemes have been proposed [7, 8, 9, 10, 11]. One prominent issue in this type of scheme is security against the offline guessing attack, which is the severest threat that a sound and practical scheme must be able to thwart. Traditionally, to prevent an adversary from launching an offline guessing attack, one needs to make sure that the scheme does not leak any useful information about the client’s password to the adversary during the protocol run, even though the password is considered to be weak and of low entropy. Observing this, many schemes employed techniques similar to Bellovin and Merritt’s Encrypted Key Exchange protocol.

In 2010, Pu [12] pointed out that Yang et al.’s scheme is vulnerable to a key compromise attack. Surprisingly, we found that Yang et al.’s scheme still cannot achieve its claimed main security goal, by demonstrating an offline password guessing attack in Appendix A. Through the security analysis of Yang et al.’s scheme, some subtleties and challenges in designing this type of scheme, different from traditional password-based authentication, are uncovered.

Following Yang et al.’s seminal work, many enhanced schemes [13] have been proposed to address the smart card security breach problem. However, most of them were shortly found to have various overlooked security weaknesses [14, 15], remarkably even those that had been provided with a formal proof. The past thirty years of research in the area of password-authenticated key exchange (PAKE) have shown that it is incredibly difficult to get even a single-factor authentication scheme right.

In SEC’12, Wang [14] observed that the previous papers in this area present attacks on protocols in previous papers and propose new protocols without proper security justification (or even a security model to fully identify the practical threats), which contributes to the main cause of the above failure.

III. PROPOSED METHODOLOGY

Figure 2 shows the proposed architecture using OTPK. In this technique the authentication material, i.e. the digital signature that is generated, is used one time only, and as soon as the transmission is successful the key is destroyed. The proposed work operates in two stages.

Stage 1: Registration

In this stage the user is first issued a One Time Password (OTP) based token and, if further required, verification using OTP tokens also takes place. This OTP token allows the user to authenticate to the CA, i.e. the Certified Authority.

Stage 2: Signing

In the signing stage each user is required to construct digital signatures for confirmation. At the outset the user generates a public/private key pair. For authentication, each user presents the OTP token to the CA so that the CA can verify the genuineness of the user, and once authentication succeeds the key pair is destroyed.

Figure 2. architecture working of contract signing using OTPK

Pre-assumption:

1) Both parties agree to communicate through the online TTP.

2) Both parties and the TTP agree to use the same one-way hash function.


4) Both parties agree to communicate at the same time.

5) The OTP is sent with a time stamp (2 min).

6) The parties send their information (email address, mobile no. and password) to the server at the time of registration.

Because we do not use a PKI (public key infrastructure), strong authentication of both parties to the server is needed, so we use the concept of OTPK.

NOTATIONS USED

Table 1. Different notations used in algorithm

P1 – Party 1
P2 – Party 2
IDp1 – Identity of p1
IDp2 – Identity of p2
K – Common shared key of p1 & p2
Pw1 – Password of party p1
Pw2 – Password of party p2
Ek(M) – Encryption of message m using shared key k
Dk(M) – Decryption of message m using shared key k
R – Random number generated by TTP
Si – Secret key generated by TTP using TRNG
H(r) – One way hash function
Mkey – Master key which is generated by hash

Proposed Protocol:

1. Party p1 logs in using its password pw1; the TTP verifies the password.

2. Party p1 sends IDp1 and IDp2 to the TTP.

3. Party p2 logs in using its password pw2; the TTP verifies the password.

4. The TTP generates a one-time random number r with a time stamp for both parties.

5. The TTP sends the random number (r) to both parties via other secure media.

6. The parties enter the random number r, generate the master key with Pw1, and send it to the TTP.

7. The TTP matches these master keys against its own master key; at this point 2FA (two factor authentication) is done.

8. The TTP again generates a secret key (using the concept of TRNG) and makes its master key.

9. That master key is sent to both parties.

10. Using that master key and the random number, the parties make their common session key.

11. K = r + H(Si).

12. Party P1 encrypts the message (M) using the common session key K.

13. Party P2 decrypts the message (M) using the common session key K.

14. The TTP again generates a secret key (using the concept of TRNG) and makes its master key.

15. That master key is sent to both parties.

16. Using that master key and the random number, the parties make their common session key.

17. K = r + H(Si).

18. Party P1 encrypts the message (M) using the common session key K.

19. Party P2 decrypts the message (M) using the common session key K.

Figure 3. Outline of the proposed technique

The figure below shows the architecture of the proposed work. Here we implement the concept of a contract signing protocol using OTPK. First, to establish and generate signatures, both parties request the TTP to generate digital signatures. As soon as the signatures are generated, the parties exchange their signatures through the TTP, and if the signatures match, the contract is exchanged between the two parties. The TTP is used for fairness between the two parties, and multiple TTPs are used for better security.

We present a secure and efficient ID-based remote user authentication protocol with smart card. The proposed scheme uses a one-way hash function and the bitwise XOR operation, whose execution time is very low compared to modular exponentiation. The proposed scheme does not use any common key for the encryption and decryption algorithm. With a one-way hash function, it is computationally infeasible to invert the operation. This scheme has four phases.

1-Registration phase
2-Login phase


INITIAL PHASE
Server Si: select P, Q, X; keep P, X secretly

REGISTRATION PHASE
User Ui: select IDi & PWi
Server Si: A = h(ID mod p) + h(PWi); store (ID, A, h(.), E(.)) into smart card

LOGIN & AUTHENTICATION PHASE
User Ui: input IDi & PWi; select R; K = A + h(PWi); W = Ek(R + TU); CU = h(TU || R || W || Rdi)
User Ui to Server Si: (IDi, CU, W, TU)
Server Si: verify IDi & TU; K = h(ID mod p); R' = DK(W) + TU; CU' = h(TU || R || W || ID); verify CU' = CU; CS = h(IDi || R' || TS)
Server Si to User Ui: (ID, CS, TS)
User Ui: verify ID & TS; CS' = h(IDi || R || TS); verify CS' = CS

COMPUTE COMMON SECRET KEY
User Ui: Sk = h(IDi || TS || TU || R)
Server Si: Sk = h(IDi || TS || TU || R')

Figure 4. Cycle process of Smart Card Authentication

The notations used in the proposed scheme and its phases are described below.

The Notations

U – Remote User
ID – Identity of User
PW – Password chosen by User
S – Remote authentication Server
X – Permanent secret key of S
H (·) – One-way hash function
xor – Bitwise XOR operation
|| – Concatenation

Registration Phase- In the registration phase, User Ui wants to register himself/herself with the remote server S. First the User chooses his/her ID and PW. Before registration on the server, the registration authority computes h (ID) and h (ID || PW) and sends them to the remote server S over a secure channel. Upon receiving the registration request from User Ui, Server S computes the parameters related to User Ui. S computes

Ai = h (ID) xor h (X || h (ID))
Bi = Ai xor h (ID || PW)
Ci = h (Ai)
Di = h (ID || PW) xor h (X)

It stores some of them in the smart card memory and issues this smart card to User Ui. The smart card is delivered to User Ui through a secure channel.

Login Phase- This phase provides a secure login facility to the user. When the User wants to access services on the remote server S, it must first gain the access right on the remote server S. User Ui inserts the smart card into the card reader and keys in ID* and PW*. The card reader computes

Ai* = Bi xor h (ID* || PW*)

and Ci* = h (Ai*), and checks whether Ci (stored in the smart card memory) and Ci* are equal. If not, the session is terminated and the login process starts again. Otherwise, User Ui is the legitimate bearer of the smart card. Then the card reader generates a random nonce Ri and computes

Ei = Ai* xor Ri
Cid = h (ID || PW) xor Ri
Fi = h (Ai || Di || Ri || Tu)

where Tu is the current time at which the login request proceeds. It sends the login request message {Fi, Ei, Cid, Tu, h (ID)} to the remote server S.

Verification Phase- Upon receiving the login request message {Fi, Ei, Cid, Tu, h (ID)}, the server verifies the validity of the time delay between Tu' and Tu, where Tu' is the travel time of the message: Tu' - Tu ≤ ΔT, where ΔT denotes the expected valid time interval for transmission delay. If the check holds, the server accepts the login request and goes to the next step; otherwise the server rejects the login request.

Server computes

Ai* = h (ID) xor h (X || h (ID))
Ri* = Ai* xor Ci
G = h (ID || PW)* = Cid xor Ri
Di* = h (ID || PW)* xor h (X)

and computes F* = h (Ai* || Di* || Ri* || Tu),

and checks whether F and F* are equal. If they are not, it rejects the login request. If they are equal, server S computes

Fs = h (h (ID) || Di || Ri || Ts)

where Ts is the remote server's current time, and sends the acknowledge message {Fs, G, Ts} to user Ui. Upon receiving the acknowledge message, the smart card computes

G* = h (ID || PW)
Fs* = h (h (ID) || Di || Ri || Ts)

and checks whether G = G* and Fs = Fs* hold. This is the mutual authentication process, in which Server and User verify each other. If both hold, the card reader makes the session key (Sk), which Server and User share:

Sk = h (h (ID) || Ts || Tu || Ai)

Otherwise the session is terminated and the login process starts again.
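The registration, login and verification phases above can be traced end to end with the following sketch, an added example that is not code from the paper. It assumes SHA-256 for h(.), a 60-second ΔT, that the card stores Bi, Ci and Di, and that the server recovers the nonce as Ai* xor Ei (the inverse of the card's Ei = Ai* xor Ri; the text writes Ci at that step); all function names and sample values are constructed for illustration.

```python
import hashlib, hmac, os

DELTA_T = 60  # assumed acceptance window for Tu, in seconds (the page leaves the value open)

def h(*parts: bytes) -> bytes:
    # h(a || b || ...): SHA-256 is an assumption; length prefixes keep "||" unambiguous
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def t8(t: int) -> bytes:
    return t.to_bytes(8, "big")  # fixed-width encoding of a timestamp

def register(ID: bytes, PW: bytes, X: bytes) -> dict:
    """Server S: compute Ai and return the card contents Bi, Ci, Di (assumed stored set)."""
    A = xor(h(ID), h(X, h(ID)))
    return {"B": xor(A, h(ID, PW)), "C": h(A), "D": xor(h(ID, PW), h(X))}

def card_login(card: dict, ID: bytes, PW: bytes, Tu: int):
    """Card reader: check Ci* == Ci locally, then build {Fi, Ei, Cid, Tu, h(ID)}."""
    A = xor(card["B"], h(ID, PW))
    if not hmac.compare_digest(h(A), card["C"]):
        return None  # wrong ID/PW is rejected on the card; nothing is sent
    R = os.urandom(32)  # random nonce Ri
    msg = {"F": h(A, card["D"], R, t8(Tu)), "E": xor(A, R),
           "Cid": xor(h(ID, PW), R), "Tu": Tu, "hID": h(ID)}
    return msg, {"A": A, "R": R}

def server_verify(msg: dict, X: bytes, now: int, Ts: int):
    """Server S: freshness check, recompute F*, reply {Fs, G, Ts} and derive Sk."""
    if not 0 <= now - msg["Tu"] <= DELTA_T:  # lower bound (future Tu) is an addition
        return None
    A = xor(msg["hID"], h(X, msg["hID"]))
    R = xor(A, msg["E"])    # assumption: inverse of Ei = Ai* xor Ri
    G = xor(msg["Cid"], R)  # G = h(ID || PW)*
    D = xor(G, h(X))
    if not hmac.compare_digest(h(A, D, R, t8(msg["Tu"])), msg["F"]):
        return None
    ack = {"Fs": h(msg["hID"], D, R, t8(Ts)), "G": G, "Ts": Ts}
    return ack, h(msg["hID"], t8(Ts), t8(msg["Tu"]), A)

def card_finish(card: dict, state: dict, ID: bytes, PW: bytes, Tu: int, ack: dict):
    """Card reader: check G = G* and Fs = Fs*, then derive Sk."""
    ok = hmac.compare_digest(ack["G"], h(ID, PW)) and hmac.compare_digest(
        ack["Fs"], h(h(ID), card["D"], state["R"], t8(ack["Ts"])))
    return h(h(ID), t8(ack["Ts"]), t8(Tu), state["A"]) if ok else None

def demo() -> dict:
    # Constructed sample values, not taken from the paper
    ID, PW, X = b"alice", b"correct horse", b"server-long-term-secret"
    card = register(ID, PW, X)
    msg, state = card_login(card, ID, PW, Tu=1000)
    ack, sk_server = server_verify(msg, X, now=1002, Ts=1002)
    sk_card = card_finish(card, state, ID, PW, 1000, ack)
    return {"keys_match": sk_card == sk_server,
            "wrong_pw": card_login(card, ID, b"guess", 1000),
            "replayed_late": server_verify(msg, X, now=1000 + DELTA_T + 1, Ts=0),
            "tampered_Tu": server_verify(dict(msg, Tu=1001), X, now=1002, Ts=1002)}

if __name__ == "__main__":
    print(demo())
```

The last two entries show the two server-side rejections the verification phase relies on: a request outside ΔT fails the freshness check, and a request whose Tu was altered in transit fails the F = F* comparison.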

Password change Phase- This phase is invoked whenever User U wants to change the password PW to a new password PWnew. User U inserts the smart card into the card reader/client machine, keys in ID* and PW*, and requests a password change. The card reader checks whether C = C* holds. If it does, User U is the legitimate bearer of the smart card. Then the card reader asks User Ui to input the new password PWnew. After the new password is entered, the card reader calculates

Dnew = h (ID || PWnew) xor h (ID || PW) xor Di

and replaces B with Bnew and D with Dnew in the smart card memory.

IV. RESULT ANALYSIS

The table below compares the communication cost in bits of the existing technique and the proposed work. The communication cost is computed on the basis of the Server Registration Phase, the User Registration Phase, and the Login and Authentication Phase.

Table 2. Analysis of Communication Cost

Communication Cost | Existing Work | Proposed Work
Server Registration Phase | 352 bits | 324 bits
User Registration Phase | 512 bits | 256 bits
Login and authentication Phase | 2944 bits | 2800 bits

Table 3 shows the analysis of first factor authentication. Here the number of bits generated in the secret value depends on the number of bits taken in the token.

Table 3. Analysis of Storage of Smart Card based Authentications

Storage / scheme | Our scheme | R. Song et al.
Smart card | 480 bits | 320 bits
Server | 160 bits | 480 bits

V. CONCLUSION

The work presented here is a 3-factor authentication in which password authentication is first done through token-based generation, and then the concept of smart cards is used for authentication between sender and receiver. We proposed an efficient two factor authentication using the concept of token-based key generation and smart card authentication. The proposed technique protects against various types of attacks such as the replay attack and the identity disclosure attack or outsider attack. The two factor authentication that we proposed has a lower storage cost and lower time complexity. The two factor authentication implemented here may have some limitations, such as the storage cost or the fraudulent use of smart cards. Hence a new protocol has been implemented, namely authentication using a one time private key.

REFERENCES

[1] Wang, Y. and Kobsa, A. (2009). Privacy-enhancing technologies. In Gupta, M. and Sharman, R., editors, Social and Organizational Liabilities in Information Security, pages 203–227.

[2] A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: a tool for information security,” IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125–143, 2006.

[3] J. Yu, G. Wang, and Y. Mu, “Provably secure single sign-on scheme in distributed systems and networks,” in TrustCom, 2012, pp. 271–278.

[4] G. Wang, J. Yu, and Q. Xie, “Security analysis of a single sign-on mechanism for distributed computer networks,” IEEE Trans. Industrial Informatics, vol. 9, no. 1, pp. 294–302, 2013.

[5] J. K. Lee, S.R. Ryu, and K.Y. Yoo, “Fingerprint-Based Remote User Authentication Scheme Using Smart Cards,” Electronics Letters, vol. 38, no. 12, pp. 554-555, June 2002.

[6] C.C. Chang and I.C. Lin, “Remarks on Fingerprint-Based Remote User Authentication Scheme Using Smart Cards,” ACM SIGOPS Operating Systems Rev., vol. 38, no. 4, pp. 91-96, Oct. 2004.

[7] Khan, M., Kim, S., Alghathbar, K.: “Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme”. Computer Communications 34(3), 305–309, 2011.

[8] Li, C.T., Lee, C.C.: “A robust remote user authentication scheme using smart card”. Information Technology And Control 40(3), 236–245, 2011.

[9] Ma, C.G., Wang, D., Zhang, Q.M.: “Cryptanalysis and improvement of sood et al.s dynamic id-based authentication scheme”. In: Ramanujam, R., Ramaswamy, S. (eds.) ICDCIT’12, LNCS, vol. 7154, pp. 141–152. Springer-Verlag, 2012.

[10] Kasper, T., Oswald, D., Paar, C.: “Side-channel analysis of cryptographic rfids with analog demodulation”. In: Juels, A., Paar, C. (eds.) RFIDSec’12, LNCS, vol. 7055, pp. 61–77. Springer Berlin / Heidelberg, 2012.

[11] Pu, Q.: “An improved two-factor authentication protocol”. In: 2010 International Conference on Multimedia and Information Technology (MMIT), vol. 2, pp. 223–226. IEEE, 2010.

[12] Shim, K.: “Security flaws in three password-based remote user authentication schemes with smart cards”. Cryptologia 36(1), 62–69, 2012.

[13] Wang, Y.G.: “Password protected smart card and memory stick authentication against off-line dictionary attacks”. In: Gritzalis, D., Furnell, S., M., T. (eds.) SEC 2012, IFIP AICT, vol. 376, pp. 489–500. Springer Boston, available at http://coitweb.uncc.edu/ yonwang/papers/smartcard.pdf, 2012.
