Cryptanalysis of Three Password-Based Remote User Authentication Schemes with Non-Tamper-Resistant Smart Card
Chenyu Wang and

Remote user authentication is the first step in guaranteeing the security of online services. As online services grow rapidly, numerous remote user authentication schemes have been proposed with high capability and efficiency. Recently, three new improved remote user authentication schemes were published which claim to be resistant to various attacks. Unfortunately, according to our analysis, these schemes all fail to achieve some critical security goals. This paper demonstrates that they all suffer from offline dictionary attack or fail to achieve forward secrecy and user anonymity. It is worth mentioning that we divide offline dictionary attacks into two categories: (1) the ones using the verification from smart cards and (2) the ones using the verification from the open channel. The second is more complicated and intractable than the first type. Such a distinction benefits the exploration of better design principles. We also discuss some practical solutions to the two kinds of attacks, respectively. Furthermore, we propose a reference model to deal with the first kind of attack and prove its effectiveness by taking one of the cryptanalyzed schemes as an example.


Introduction
These days an increasing number of online services (E-Health, E-Banking, and E-Shopping) are provided for people's daily life thanks to the rapid development of the Internet. Moreover, modern terminal equipment, like smartphones, smartwatches, and Google's Project Glass glasses, has become widespread. The growth of online services and terminal equipment makes the authentication process both more important and more difficult. Remote authentication is an essential part of guaranteeing that both the claimed user and the server are legitimate. In other words, authentication ensures that only legitimate users can access the resources on the target server. Authentication protocols have been widely used in various fields, including cloud computing, E-Health, and wireless sensor networks [1-4].
In 1981, Lamport [5] designed the first password-based authentication scheme, but it was soon shown to have two drawbacks: (1) the server has to maintain a password table and (2) the hash overhead is high. Therefore, many advanced schemes [6-8] were proposed with a lower hash-function overhead to improve the computing performance of Lamport's scheme, while most of them still require a verification table.
To tackle this problem, in 1990 Hwang et al. [9] developed a noninteractive password authentication scheme which discards the verification table and uses a smart card instead. Its main drawback lies in the hardship of changing the password: because the password is tied to the ID, for the sake of security the ID has to be changed whenever the password is changed, and changing the ID is not easy. In 1991, Chang and Wu [10] also developed a scheme using a smart card to store sensitive information that helps the authentication. Since then, smart cards have been widely applied to user authentication schemes, and some notable ones include [11-14]. Furthermore, in recent years many schemes have used biometric characteristics as an additional factor for authentication [15-17].
From 1990 to 2004, numerous remote user authentication schemes with smart cards were designed, while almost all were proved to be flawed. However, after these years of research, remote user authentication has made great progress: on the one hand, the problem of maintaining the verification table was almost settled, and smart cards got widely used; on (2) Smart card loss attack and offline dictionary attack draw more and more attention: (i) Ma et al. [36] showed that a public key algorithm is required to resist offline dictionary attack (also called offline password guessing attack). It is worth mentioning that we will show the following in a later section: this requirement applies specifically to the offline dictionary attack using the verification from the open channel, while it does not apply to the offline dictionary attack using the verification from the smart card; (ii) Wang et al. [29] demonstrated that there is an unavoidable trade-off between changing the password locally and resisting smart card loss attack (including offline password attack). As shown in [37], here the offline dictionary attack should be specific to the offline dictionary attack using the verification from the smart card, but not to the offline dictionary attack using the verification from the open channel; (iii) in [38], Wang gave an analysis of offline dictionary attack and proposed several security models.
(3) User anonymity and forward secrecy attract many discussions: Ma et al. [36] proved that a public key algorithm is necessary to protect user anonymity; to achieve forward secrecy, the server side needs to conduct at least two exponentiation operations [36].
Although numerous remote user authentication schemes have been proposed, people are still confused about how to assess which scheme is better or whether a scheme is secure enough. Thus Madhusudhan and Mittal [39] tried to answer the question by giving nine security requirements and ten desirable attributes of a sound smart card-based authentication scheme, which we think is another landmark in the history of remote user authentication. Those security requirements and desirable attributes are shown in Tables 1 and 2. They have become an important criterion for an ideal remote authentication scheme. Most remote user authentication schemes [4, 40-42] are designed and evaluated according to them, while none of the schemes could actually satisfy them all simultaneously. Therefore, many researchers have begun to pay more attention to exploring the design principles and assessment criteria of authentication schemes. The most recent work is from Wang et al. [29, 37]. These two papers explored the relationship between the security requirements and desirable attributes and gave two significant tables to show the relationships. However, how to assess an authentication scheme is still an unsettled issue. Furthermore, in [11], D. Wang and P. Wang for the first time integrated "honeywords" and "fuzzy-verifiers" to settle a long-standing security-usability conflict (i.e., the trade-off between changing the password locally and resisting smart card loss attack). It is a remarkable breakthrough in this area, and we will give more details in a later section.
Throughout the history of two-factor authentication, it is easy to find the following: although dozens of works have endeavored to construct practical remote user authentication schemes, none has succeeded in withstanding the various attacks or satisfying the various desirable attributes. The main reason is the confusion surrounding some essential issues, for example, a sound assessment criterion and a reasonable classification and definition of attacks on smart card-based schemes. Our work tries to give some inspiration for exploring better proposals.
1.1. Our Contributions. Most recently, Yeh [43] proved that Chang et al.'s scheme [20] is vulnerable to replay attack, user impersonation attack, and so on, and therefore proposed a new authentication scheme with user untraceability. In 2016, Kang et al. [44] showed that Djellali et al.'s scheme [45] suffers from offline dictionary attack, impersonation attack, and replay attack and then developed an enhanced scheme that achieves user anonymity with a Markov chain; and Kaul et al. [46] also designed an improved authentication scheme based on Kumari et al.'s scheme [34]. These schemes all claim to be resistant to various attacks, such as offline dictionary attack and impersonation attack. Unfortunately, according to our analysis, they fail to withstand those attacks as claimed. We summarize our contributions as follows: (1) This paper demonstrates that the three schemes all suffer from offline dictionary attack, man-in-the-middle attack, and impersonation attack, as well as failing to preserve user anonymity or forward secrecy. (2) Furthermore, we for the first time divide offline dictionary attacks into two categories: (1) the ones using the verification from smart cards and (2) the ones using the verification from the open channel.
The second is more complicated and intractable than the first type. We show that treating them as the same causes confusion and misleads the related research. Such a distinction, which benefits the exploration of better design principles, is requisite and significant. (3) Remarkably, we explore the solutions to these two kinds of attacks and propose a reference model to settle the offline dictionary attack using the verification from the open channel, and then use Yeh's scheme to check the effectiveness of our reference model; the result shows that our reference model actually works.
The remainder of this paper is organized as follows: in Section 2, the system architecture and the capacities of the adversary are explained. In Section 3, we give a cryptanalysis of Yeh's scheme. We review Kang et al.'s scheme in Section 4 and Kaul et al.'s scheme in Section 5. Section 6 analyzes the two kinds of offline password guessing attacks. Section 7 gives a conclusion.

System Architecture and the Capacities of Adversary
In this section, we first list the notations used in the three schemes and then briefly introduce the system architecture and the capacities of the adversary in the schemes.

Notations and Abbreviations.
The notations in the three schemes are shown in Notations and Abbreviations at the end of the paper.

System Architecture.
Like many other smart card-based authentication methods, the three schemes involve a set of users and a single server. Users access the resources through mutual authentication with the server. The authentication usually includes four basic phases: registration, login, authentication, and password change. Firstly, a user submits personal information to the server to register. Then the server issues the user a smart card with security parameters. The registration phase is only performed once unless the user reregisters for special reasons. After that, in the login phase, the user sends an access request. Then the server and the user authenticate each other in the verification phase to finish the authentication. The login and verification phases are usually carried out many times. A sound two-factor authentication scheme should ensure that only the user who owns the smart card and submits the corresponding password can access the server successfully. As a realistic problem, the password change phase, where the user can change his/her password locally or remotely, has attracted more and more attention in recent years.

The Capacities of Adversary.
In the cryptanalysis of the two-factor authentication schemes, the adversary A is also supposed to have the following capacities [29, 47-49]: (1) [...] (2) A can enumerate all the items in D_pw × D_id in polynomial time, where D_pw and D_id denote the password space and the identity space, respectively. (3) A can acquire the password of a legitimate user via a malicious card reader or get the parameters in the smart card, but cannot achieve both. (4) When evaluating forward secrecy, A can get the server's secret key.

Cryptanalysis of Yeh's Scheme
3.1. Review of Yeh's Scheme. This section gives a brief review of Yeh's [43] scheme with user untraceability (shown in Figure 1).

Password Change Phase.
If the user wants to change the password, he/she inserts the smart card into the card reader and inputs ID, PW, and a new password PW_new. Then the smart card computes the new values and replaces the stored parameters with their new versions.

Cryptanalysis of Yeh's Scheme.
In this section we show that Yeh's scheme cannot resist various attacks, such as password guessing attack, impersonation attack, and desynchronization attack.

Offline Dictionary Attack via Verification Value in Channel.
Suppose the adversary A stole the user's smart card and then got the security parameters from the smart card; A also has the login message {  , CID  ,    , } through eavesdropping on the open channel between the user and the server. Then A can perform the attack by the following steps: (1) Guess the value of PW to be PW* from the password dictionary space D_pw.
Remark 1. The offline dictionary attack here uses the verification from the open channel. The inherent reason for this attack is that (1) the adversary can find a verification value to check whether the guessed value is correct; (2) the password is the only value unknown to the adversary; that is, the adversary can get every other parameter that makes up the verification value, except the password or the identity. Against such an attack, a lightweight public key algorithm is the necessary condition, as explained in [36].

User Anonymity.
Once the adversary A gets the password through the "offline dictionary attack," he can get the user's ID by the following steps: (1) Compute  =   ⊕ h(PW* ‖  1 ) = h( ‖  2 );   and  1 are from the smart card. (2) [...] In computing ID, the only thing the server knows beyond the adversary is h(h( ‖  2 )); after getting PW, the adversary can get h(h( ‖  2 )) as   ⊕ h(PW* ‖  1 ), so in fact the adversary A has the same capacity as the server; thus A can get ID the same way the server does.
As for the server, it computes 3 ) and then checks (1) whether  * =?   ; (2) the freshness of  3 ; and (3) whether {  , CID  ,    ,   } has ever been received before. All of them are satisfied, so A is authenticated by the server successfully.
With PW, ID, and the smart card, the adversary A has the same capacity as the legitimate user; that is, A can impersonate the user to the server successfully. The root cause of this attack is the offline dictionary attack.
In most cases, the capacity of the legitimate user and of the remote server is the same; to be more precise, what the legitimate user knows can be transformed into what the remote server knows. So if the user impersonation attack can be performed, the server impersonation attack can be performed too.

Man-in-the-Middle Attack.
With PW* and ID* that have been obtained from the "password guessing attack" and "user anonymity" sections, respectively, A can execute a man-in-the-middle attack as follows: (1) Intercept the message {, CID  ,    , } that the user sends to the server. (2) Compute {  , CID  ,    ,   } as in the "user impersonation attack," and send them to the server. (4) Compute {  ,   4 } as in the "server impersonation attack," and send them to the user.
Through the above attack procedure, the adversary A can execute a man-in-the-middle attack without being noticed by the user or the server.
In fact, a man-in-the-middle attack is usually a result of the "server impersonation attack" and the "user impersonation attack," while the offline dictionary attack is the root cause of all three attacks.

Desynchronization Attack.
As there is no verification in the password change phase, an adversary A can execute a desynchronization attack easily: steal the user's smart card and input a random ID, PW, and a new password PW_new. According to the scheme,   and   will be replaced by   new and   new , respectively, where   new =   ⊕ h(PW ‖  1 ) ⊕ h(PW_new ‖  1 ) and   new =   ⊕ h(PW ‖  1 ) ⊕ h(PW_new ‖  1 ). As a result, even the legitimate user cannot log in successfully.
Desynchronization attacks often happen in a password change phase where the user can change the password successfully without inputting the correct PW and ID. This results in the legitimate user, with the correct old password, being unable to log in. So if a user wants to change the password, he should be authenticated first, and there are usually two ways: interacting with the remote server as in the authentication phase, or interacting with the smart card. The second way requires a verification value on the smart card; thus such a scheme is vulnerable to offline dictionary attack, but it helps detect wrong password input, which saves the user's time. The first way costs more time both to change the password and to detect wrong password input.

Insider Attack.
In this scheme, the user submits the pair PW and ID to the server without any transformation or protection; thus the server can obtain PW and ID and carry out an insider attack to impersonate the user.
An insider attack is quite easy to deal with: apply some transformation to PW and ID, such as h(PW ‖ ) and h(ID ‖ ) ( is a random number).

Registration Phase
Step 1 (  ⇒ ). The user chooses ID, PW, and a random number  and computes RPW = h(PW ‖ ) and then sends {ID, RPW} to the server via a secure channel.
Step 3. The user first checks the freshness of  2 and then computes )), so the above attack is quite efficient. Once A has PW, he/she can also carry out user impersonation attack, server impersonation attack, and man-in-the-middle attack. As the methods for those attacks are similar to the methods against Yeh's scheme, it is unnecessary to go into details here.

Offline Dictionary Attack via Verification Value in Smart Card.
Suppose an adversary A got the user's smart card and then acquired the security parameters TPW,   , , and   from the smart card. Then A can perform the attack as follows: (1) Guess the value of PW to be PW* from the password dictionary space D_pw and ID to be ID* from the identity dictionary space D_id. (2) [...] [29] demonstrated the trade-off between changing the password locally and resisting offline password attack. Luckily, in [11], D. Wang and P. Wang for the first time integrated "honeywords" and "fuzzy-verifiers" to settle this long-standing security-usability conflict. So, following [11], we simply give an improved way to avoid such a conflict. Let the verification value be TPW = h((h(PW ‖ ) ‖ ID) mod  0 ), where 2^4 ≤  0 ≤ 2^8 and  0 determines the size of the pool of (ID, PW) candidates. There are then |D_pw| * |D_id| /  0 ≈ 2^32 candidate (ID, PW) pairs for the adversary to guess when  0 = 2^8 and |D_pw| = |D_id| = 2^6. Among these candidates, the adversary can only find the right one by online guessing, while "honeywords" offer a way to counter such online dictionary guessing as well: "honeywords" are in fact a list of decoy values that allows timely detection of whether the smart card's contents have been extracted.
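The following is an added example (not code from the paper or from [11]) showing why the fuzzy verifier above limits Attack I. It builds two card-stored verifiers for the same user: a conventional one of the form h(h(PW‖b)‖ID), and the fuzzy one TPW = h((h(PW‖b)‖ID) mod n0), then runs the adversary's offline enumeration over constructed toy dictionaries D_pw and D_id. SHA-256 stands in for the scheme's hash h(·), the concatenation is read as a big integer before the reduction, and n0 = 251 is one choice inside the 2^4 ≤ n0 ≤ 2^8 range stated in the text; the dictionary sizes, the random value b, and all names are this example's own.

```python
import hashlib
from typing import Callable, List, Tuple

# Constructed toy search spaces (far smaller than real ones). What matters for the
# argument in the text is the ratio |D_pw| * |D_id| / n0, not the absolute sizes.
D_PW = [f"pw{i:04d}" for i in range(128)]
D_ID = [f"uid{i:04d}" for i in range(128)]

# n0 must lie in [2^4, 2^8]; 251 is a prime in that range. A modulus that is not a
# power of two makes every byte of the concatenation influence the residue.
N0 = 251


def h(data: bytes) -> bytes:
    """SHA-256 plays the role of the scheme's one-way hash h(.) (assumption)."""
    return hashlib.sha256(data).digest()


def plain_verifier(pw: str, ident: str, b: bytes) -> bytes:
    """Conventional card-stored verifier h(h(PW||b)||ID): unique per (ID, PW) pair."""
    return h(h(pw.encode() + b) + ident.encode())


def fuzzy_verifier(pw: str, ident: str, b: bytes, n0: int = N0) -> bytes:
    """Fuzzy verifier TPW = h((h(PW||b)||ID) mod n0) as described in the text.

    The concatenation is interpreted as a big-endian integer and reduced mod n0
    before the outer hash, so roughly |D_pw|*|D_id|/n0 distinct (ID, PW) pairs
    share the same TPW and the card contents alone cannot single one out.
    """
    inner = int.from_bytes(h(pw.encode() + b) + ident.encode(), "big") % n0
    return h(inner.to_bytes(2, "big"))


def attack_i_candidates(stored: bytes, b: bytes,
                        verifier: Callable[..., bytes]) -> List[Tuple[str, str]]:
    """Attack I: with the card contents (stored verifier and b) the adversary tests
    every (ID, PW) pair offline and keeps those that reproduce the stored value."""
    return [(ident, pw) for ident in D_ID for pw in D_PW
            if verifier(pw, ident, b) == stored]


def compare_verifiers(true_id: str = "uid0042", true_pw: str = "pw0007",
                      b: bytes = bytes.fromhex("5e1fc0de5e1fc0de5e1fc0de5e1fc0de")):
    """Return (candidates left by the plain verifier, candidates left by the fuzzy one).

    true_id, true_pw and b are constructed sample values for the demo.
    """
    plain = attack_i_candidates(plain_verifier(true_pw, true_id, b), b, plain_verifier)
    fuzzy = attack_i_candidates(fuzzy_verifier(true_pw, true_id, b), b, fuzzy_verifier)
    # The genuine pair is always among the survivors of either search.
    assert (true_id, true_pw) in plain and (true_id, true_pw) in fuzzy
    return len(plain), len(fuzzy)


if __name__ == "__main__":
    n_plain, n_fuzzy = compare_verifiers()
    expected = len(D_PW) * len(D_ID) / N0
    print(f"plain verifier leaves {n_plain} candidate(s); fuzzy verifier leaves "
          f"{n_fuzzy} (about {expected:.0f} expected), which can only be resolved "
          "by online guessing against the server.")
```

The plain verifier collapses the search to a single pair, which is exactly Attack I; the fuzzy verifier leaves on the order of |D_pw|·|D_id|/n0 indistinguishable pairs, so the adversary is pushed to online guessing, where rate limiting and honeywords can detect the attempt.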

Forward Secrecy.
Suppose A knew the server's secret key; then he can calculate the session key SK as follows: (1) Intercept {TI  ,   ,   , Compute In this scheme, the session key consists of a random number  from the user, a random number  from the server, and two open time stamps  1 and  2 . The key parameters are the two random numbers. Compared to the adversary, the only thing the server knows more is the secret key, so once the adversary knows the secret key, he can compute the random number chosen by the user the same way the server does. On the other hand, in computing SK, the only thing the user knows more than the adversary is the random number . Since the adversary now knows , the adversary can also compute the random number chosen by the server as the user does. With  and , the adversary gets . This confirms that "more than two exponentiation operations conducted on the server side are necessary to achieve forward secrecy" [36].

Review of Kaul et al.'s Scheme.
This section gives a brief review of Kaul et al.'s scheme [46] (Figure 3); the password change phase is again omitted.
Step 3.   enters   to the smart card.
Security and Communication Networks 9

User Anonymity.
User anonymity prevents an adversary from acquiring a user's private information, including lifestyle, habits, and hobbies, by analyzing the login history, communications, and service requests. In the era of big data, user anonymity has a profound significance. A well-designed protocol needs to keep the identity not only unexposed but also untraceable. The former requires that even if an adversary eavesdrops on the messages in the open channel, he still cannot know whose communication it is; the latter requires that the adversary cannot tell whether two eavesdropped messages come from the same user. In fact, the latter is more restrictive than the former. However, in this scheme the user identity ID is exposed in the open channel; the adversary just needs to eavesdrop on the open channel to get ID. With ID, the adversary can tell every time the user logs in. So the privacy of the user is revealed.

Offline Dictionary Attack via Verification Value in Channel.
An adversary A who extracts   ,   from the smart card and obtains {ID,   ,   , } from the channel can perform an offline dictionary attack as follows: (1) Guess the value of PW to be PW* from the password dictionary space D_pw.
(2) [...] The time complexity is O(|D_pw| * (6  + 9  )), so the above attack is quite efficient. With ID and PW, A can conduct further attacks such as impersonation attack, man-in-the-middle attack, and obtaining the session key by the methods described in Sections 3.2.3, 3.2.4, 3.2.5, and 4.3.3. Thus, the whole security of the system is compromised.

Offline Dictionary Attack via Verification Value in Smart Card.
An adversary A who gets the smart card from the user extracts the security parameters   , ,   ,   . Furthermore, as shown in the previous paragraph, A can also easily get ID. So now the adversary A can perform an offline dictionary attack by the following steps: (1) Guess the value of PW to be PW* from the password dictionary space D_pw. (

A Deep Exploration to Offline Dictionary Attack
The schemes of Yeh, Kang et al., and Kaul et al. cannot resist offline password guessing attacks, and this is exactly what most two-factor remote authentication schemes actually suffer from. As we mentioned before, such an attack is also one of the root causes of other attacks. In this section, we try to explain why it is so hard to avoid offline dictionary attack. Furthermore, we for the first time recommend distinguishing offline dictionary attack via verification value in smart card (hereafter called Attack I) from offline dictionary attack via verification value in channel (hereafter called Attack II). When talking about offline dictionary attack, most papers [36, 51, 52] ignore the difference between them and collectively call them offline dictionary attack (offline password guessing attack). The basic principle of the two attacks is indeed the same: the key parameters transmitted in the insecure channel or stored in the smart card are not "camouflaged" by random numbers or other special parameters owned only by the user or the server, so the adversary can obtain a verification value (usually the key parameter that the server or the user uses to verify the validity of the other party) to perform a dictionary attack.
Where the verification values come from is different: Attack I uses the verification from the smart card and Attack II the verification from the channel. Do not overlook this little difference; it results in a slight but real difference in the corresponding solutions.
Distinguishing them contributes to an in-depth analysis of design principles. In this section, we analyze these two attacks thoroughly.

Solutions to Offline Dictionary Attack via Verification Value in Smart Card.
In the schemes of Kang et al. and Kaul et al., to achieve better user-friendliness, that is, changing the password locally and detecting wrong password input in a timely way, a verification value for the smart card to authenticate the user is stored in the smart card. This lets A obtain the key parameters   and TPW from the smart card, which leads to Attack I. What if there were no such verification parameter? Then the password change phase may be affected, as in Yeh's scheme, which changes the password remotely and fails to detect wrong password input in time. In fact, [29] points out that "there is an unavoidable trade-off when achieving the password change locally and resisting offline dictionary attack." More specifically and accurately, the offline dictionary attack here should be specific to Attack I; it can usually be avoided in two ways: (i) A new approach called "a fuzzy verifier" and "honeywords" [11], which is a new solution to this problem. This approach can greatly increase the cost of guessing the password for A. We have given a simple application case in Section 4.3.2.
(ii) Sacrificing certain performance (e.g., not providing the attribute of changing the password locally). In other  where the _ refers to the parameters deploying a public key algorithm. For the user, with the knowledge of the random number , _ = _(, ), where  is the public key and _(, ) refers to a series of public key operations; for the server, with the knowledge of the private key , _ = _(, _), where _ = _(). All in all, to resist Attack II, the _ should satisfy _ = (_, _); the _, PW, ID, , and _ cannot be exposed to the open channel; furthermore, _ should be transmitted to the server. When the user authenticates the server, if only resistance to Attack II is considered, the server only needs to prove that it knows _ and _. Furthermore, the parameters transmitted in the open channel follow the same principles as above. Now, we take Yeh's scheme as an example to check the effectiveness of our reference model, and we select the Computational Diffie-Hellman problem to construct the public key algorithm. In Yeh's scheme, the _ has been designed well, so we only need to apply the Computational Diffie-Hellman problem to this scheme. The definition of the Computational Diffie-Hellman problem is as follows.
is a generator of the cyclic group  *  ; then, given   and   where ,  ∈  *  , it is hard to compute  within polynomial time.
According to this, we can design a lightweight public key algorithm for the user and the server: the server selects a large prime , a generator  of the cyclic group  *  , and a secret key  and computes the public key  =   mod . Then, if the user selects a random number  1 , it computes  1 =   1 mod  and  2 =   1 mod  and sends  1 to the server. The server can compute  2 as   1 mod . Here,  1 = _ and  2 = _; even if the adversary intercepts  1 , he/she still cannot compute  2 . So the server only needs to prove that it knows  2 . Furthermore, for the user,  1 = _() and  2 = _(, ); for the server,  2 = _(, _); this also follows the principles mentioned above. In short, we improve Yeh's scheme as shown in Figure 5.
In the improved scheme, _ =  = (_, _); even if the adversary guesses PW and ID to be PW* and ID*, without _ he/she cannot find a verification value to check the correctness of the guessed values and thus fails to perform Attack II. It should be noted that we only improve Yeh's scheme to be secure against Attack II, and the reference model can only be applied to resisting Attack II.
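The following is an added example (not the paper's code, nor Yeh's scheme) that exercises the reference model just described in the Computational Diffie-Hellman instantiation: the server publishes y = g^x mod p, the user sends M1 = g^r1 mod p and keeps M2 = y^r1 mod p, and the server recovers M2 as M1^x mod p. The login tag is then built twice, once from values an eavesdropper can see (the Attack II-prone form) and once bound to M2 (the improved form), and the same offline guess is run against both. SHA-256 stands in for h(·), the toy prime 2^61 − 1 and generator 5 are far too small for real use and chosen only so the code runs instantly, and all function names, the password dictionary and the timestamp are constructed for this example.

```python
import hashlib
import secrets
from typing import Optional, Sequence, Tuple

# Toy group parameters (constructed for the demo). 2^61 - 1 is prime, but a 61-bit
# modulus is not secure; a real deployment would use a standard large group.
P = (1 << 61) - 1
G = 5


def h(*parts: bytes) -> bytes:
    """SHA-256 stands in for the scheme's hash h(.); '||' is modelled as joining parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def server_keygen() -> Tuple[int, int]:
    """Server S picks private key x and publishes y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def user_ephemeral(y: int) -> Tuple[int, int]:
    """User U picks r1, sends M1 = g^r1 mod p and keeps M2 = y^r1 mod p (the secret part)."""
    r1 = secrets.randbelow(P - 2) + 1
    return pow(G, r1, P), pow(y, r1, P)


def server_derive(x: int, m1: int) -> int:
    """S recovers M2 from M1 with its private key: M1^x = g^(r1*x) mod p."""
    return pow(m1, x, P)


def login_tag(ident: str, pw: str, m1: int, m2: Optional[int], ts: int) -> bytes:
    """Verification value sent by U.

    Weak form (m2 is None): h(ID||PW||M1||T), every input except PW is public.
    Improved form:          h(ID||PW||M2||T), M2 is known only to U and S.
    """
    secret_part = i2b(m2) if m2 is not None else i2b(m1)
    return h(ident.encode(), pw.encode(), secret_part, i2b(ts))


def attack_ii(ident: str, m1: int, ts: int, tag: bytes,
              dictionary: Sequence[str]) -> Optional[str]:
    """Attack II: the eavesdropper knows ID and {M1, T, tag} from the channel and tests
    each guess against the tag. It never holds M2 (that needs x or r1), so the only
    value it can form is h(ID||PW*||M1||T); a tag bound to M2 gives it nothing to match."""
    for guess in dictionary:
        if h(ident.encode(), guess.encode(), i2b(m1), i2b(ts)) == tag:
            return guess
    return None


def run_demo(dictionary: Sequence[str] = ("123456", "password", "qwerty", "s3cr3t-pw", "letmein"),
             true_pw: str = "s3cr3t-pw", ident: str = "alice"):
    """Return (U and S agree on M2, weak-form guess result, improved-form guess result)."""
    x, y = server_keygen()
    m1, m2_user = user_ephemeral(y)
    m2_server = server_derive(x, m1)
    ts = 1700000000  # constructed timestamp
    weak_tag = login_tag(ident, true_pw, m1, None, ts)
    strong_tag = login_tag(ident, true_pw, m1, m2_user, ts)
    return (m2_user == m2_server,
            attack_ii(ident, m1, ts, weak_tag, dictionary),
            attack_ii(ident, m1, ts, strong_tag, dictionary))


if __name__ == "__main__":
    agree, weak_result, strong_result = run_demo()
    print(f"shared M2 consistent: {agree}; weak tag recovers password: {weak_result!r}; "
          f"M2-bound tag recovers password: {strong_result!r}")
```

The point the demo isolates is the one Remark 1 makes: Attack II needs a verification value whose every input except the password is available to the eavesdropper. Binding the tag to M2, which the channel never carries and which only the private key or the ephemeral r1 can produce, removes that verification value; it does nothing for Attack I, which is why the text restricts the reference model to Attack II.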
It is generally accepted that a public key algorithm is necessary for resisting offline dictionary attack, while, according to our analysis, the offline dictionary attack here should be specific to Attack II, and Attack I is not included: a public key algorithm consists of a private key and a public key. In Attack II, the vulnerability lies in the authentication between the server and the smart card, so the public key algorithm acts between the server and the smart card, and usually the server takes the responsibility of keeping the private key. In Attack I, by contrast, the vulnerability lies in the authentication between the user and the smart card, and it makes no sense for either of them to hold such a private key, for at least two reasons: (i) The user always uses the password as the unique parameter to get authenticated, and the private key would play the same role as the password; moreover, the private key is too long for the user to remember or preserve.
(ii) The smart card: as we have stated before, the parameters in the smart card can be easily obtained by an adversary.

Conclusion
In this paper, we demonstrated that the schemes of Yeh, Kang et al., and Kaul et al. all suffer from various attacks, such as offline dictionary attack and impersonation attack. Furthermore, we showed that offline dictionary attack is the root cause of many other attacks. Remarkably, we divide offline dictionary attacks into two categories: (1) the ones using the verification from smart cards and (2) the ones using the verification from the open channel. The solution to the first type involves a trade-off between security and effectiveness, or "a fuzzy verifier" + "honeywords" as suggested in [11]. While the solution to the second is using a public key algorithm as advised by Ma et al. [36], this solution is not applicable to the first type. Furthermore, many schemes that use a public key algorithm still suffer from Attack II; the root cause is incorrect deployment of the public key algorithm. Thus, we proposed a reference model to guide protocol designers in deploying public key algorithms correctly. Our reference model is not the only way to deal with this problem, but it really is one of them. We hope that this work provides new insights for future research.

Notations and Abbreviations (fragment)
: the string concatenation operation
→: an insecure channel
⇒: a secure channel

Figure 1: The scheme of Yeh et al.

Figure 2: The scheme of Kang et al.

4.1. Review of Kang et al.'s Scheme. This section gives a brief review of Kang et al.'s scheme [44] (Figure 2). As the password change phase has little relevance here, we omit it.

Figure 3: The scheme of Kaul et al.
and   ,   are from the smart card and {ID,   , } is from the open channel. (3) Verify the correctness of PW* by checking whether  *  ?=   , where   is from the smart card. (4) Repeat Steps (1), (2), and (3) until the correct PW* is found.

Figure 4: The reference model to employ a public key algorithm securely.
and    = h(SK  ‖    ) and verifies the server by comparing    with   . If the two values are the same, the user authenticates the server and accepts SK as the session key. Otherwise, the session ends. Suppose the adversary A got the user's smart card and then acquired the security parameters TPW,   , , and   from the smart card; A also has {TI  ,   ,   ,  1 ,     } through eavesdropping on the open channel between the user and the server; then A The time complexity is O(|D_pw| * 4(  + *  ; TPW,   , ,   are extracted from the smart card. (3) Compute   = TI  ⊕  *  and  *  = h(  ‖  *  ‖  1 ), where {TI  ,   ,  1 ,     } is from the channel. (4) Verify the correctness of PW* and ID* by checking  *  =?   ;   is from the channel.
Figure 4 (notes): The related auxiliary parameters are stored in the verifier table; thus, with the verifier table and the transmitted parameters, the server computes Mid_Vau as f(x). Note: x is the private key of the public key algorithm, and y is its public key. This model can only guarantee resistance against Attack II. This model is not the only way to apply the public key algorithm, but it actually works.