A Novel Smart Card-based Remote User Authentication Mechanism

The past few years have seen rapid progress in multi-user computing environments. Numerous security mechanisms have therefore been employed to ensure that sensitive information in computer systems is not destroyed, copied or altered by unauthorized users. Remote users attempting to log in to a particular system therefore have to authenticate themselves to the server and vice versa. This paper proposes a novel remote user authentication scheme using smart cards. Our scheme endeavors to be efficient yet secure, hence we chose to use only one-way hash functions and XOR operations, in order to avoid computationally complex operations. We also conducted a security analysis on our scheme to ensure that it is secure against possible known attacks.


Introduction
User authentication schemes are necessary because a server needs to be able to remotely verify the legitimacy of a user trying to log in, and to ensure that this user is indeed genuine and trustworthy. The user, on the other hand, also needs to ensure that the server is truly genuine; hence both need to authenticate each other, i.e. mutual authentication.
In the past decade, there has been an influx of various remote user authentication schemes that use biometrics, passwords and smart cards. Many of these schemes, however, have limitations that render them inadequate as authentication schemes. Cryptanalysis shows that many of them are at risk of attacks and security breaches.
A remote user authentication scheme is well suited to handling private data that is transmitted over insecure channels. Since security and privacy have proven to be among the most important factors in today's real-time applications, users are required to have the proper access rights in order to access resources at a remote system in the widely used client/server-based service architecture. In this type of architecture, a single computer can handle a huge number of clients who are dispersed all over the world. In daily routines, there are also many real-time applications that require user authentication, such as e-banking, e-commerce, and physical access control to computer resources.
Based on various comprehensive surveys of password-based remote user authentication schemes, we see that most password-based remote user authentication schemes are impractical because they are either very expensive in terms of computation or susceptible to different security attacks. In [1], Das et al. propose a dynamic ID and password-based remote user authentication scheme that uses smart cards and incorporates hash functions and XOR operations. Since then, numerous researchers have proposed improved authentication protocols in order to eliminate the weaknesses in previous authentication protocols such as [2], [3], and [4]. These weaknesses are dealt with in the following studies. In [5], a dynamic ID-based authentication scheme with key agreement using symmetric cryptology is presented. This scheme endeavors to deal with the security flaws and weaknesses of [2]; it incorporates a session key in order to create a more secure channel for communication. In [6], Li et al. assert that their scheme resists masquerading attacks and avoids the leaking of information. However, [7] pointed out that [6] was not entirely secure, since it leaked partial information about the communication party's secret parameters, and any attacker would be able to use the leaked information to deduce session keys. In [8], a secure password-based remote user authentication scheme was proposed. However, that scheme uses elliptic curve cryptography and hash functions; due to this, it is too costly and thus not feasible.
In this paper, we propose a novel smart card-based remote user authentication scheme using XOR operations and hash functions. The rest of this paper is organized as follows. In Section 2, we propose our new and secure smart card-based remote user authentication scheme. In Section 3, we perform a security analysis of our proposed scheme. Section 4 concludes the paper.


Our Proposed Scheme
In this part, we introduce our Remote User Authentication scheme that is based on Smart Cards.

Proposed Scheme's Phases
In this scheme, we have three phases: (i) the registration phase, (ii) the login phase, and (iii) the authentication phase.
The registration phase is the phase where the user first registers with the server in order to gain access to services from the remote server. After registration, the server issues a smart card that contains detailed parameters stored in the smart card's memory.
The login phase is the phase where, whenever the user needs to gain access to services from the server, the user is required to input his/her identity and password in order to log in to the server, while also using the smart card issued by the registration server.
The authentication phase is the phase where mutual authentication occurs between the server and the user; the server authenticates the user and the user also authenticates the server. After mutual authentication between $U_i$ and $S_j$, both $U_i$ and $S_j$ establish a secret session key shared between them so that they can communicate securely using that key in future.

Registration Phase.
These are the steps found in this phase.
Step 1. First, the user selects his/her own secret identity and then chooses a strong password.
Step 2. The user then generates a secret number 'K' randomly, and keeps it secret from everyone else.
Step 3. The user then uses the generated secret number 'K' to mask the password as = h( ‖ ), stores 'K' in the memory of the smart card, and then sends the registration request message ⟨ , ⟩ to the registration remote server S via a secure channel.
Step 4. After the server $S_j$ receives the registration request message from the user $U_i$, the server generates a secret number $X_s$ randomly, which is kept secret to the server only.
Step 5. The server then computes Z 1 = h( ‖ ) and Z 2 = h( ‖ ) ⊕ Z 1 . Furthermore, $S_j$ computes AID = ID i ⊕h( i ‖Z 2 ‖T s ). Here the AID is incorporated in order to achieve user anonymity; it is a temporary identity for the user, which is used rather than the permanent identity.
Step 6. In the final step, the server issues the smart card SC, which contains the information $\langle AID, h(\cdot), Z_1 \rangle$, and sends it to the user via a secure channel.

Login Phase
The following steps are executed in this phase.
Step 1. The user first inserts his/her smart card SC into a card reader, then inputs his/her identity $ID_i'$ and password $PW_i'$.
Step 2. The smart card SC then computes the masked password $RPW_i'$ as RPW' i = h ( ‖ ' i ) using the secret number 'K' stored in the memory of the smart card. SC then computes Z 1 ' = h( i '‖ ' i ) and checks whether the condition $Z_1' = Z_1$ holds. If this condition holds, the user passes the password verification step and the next step is executed. Otherwise, this phase is terminated immediately.
Step 3. The smart card SC computes $J_1 = Z_1 \oplus Z_2$, where these parameters are embedded within the smart card. The smart card then generates a random nonce $R_{SC}$ and proceeds to compute J 2 = (Z 1⊕ Z 2 ) Rsc ‖Tsc and $J_3 = h(ID_i \oplus R_{SC} \oplus T_{SC})$, where $T_{SC}$ is the current system timestamp. Finally, SC sends the login request message $\langle J_1, J_3, T_{SC} \rangle$ to the server using a public channel.

Authentication Phase
These are the steps found in this phase.
Step 1. The server checks the validity of the timestamp $T_{SC}$ in the received message by the condition $|T_{SC} - T_{SC}'| < \Delta T$, where $T_{SC}'$ is the current system timestamp of the server. If this condition is satisfied, the server computes $J_4$, where $X_s$ is the secret number of the server. $S_j$ then verifies whether $J_4 = J_1$. If it does not hold, the server $S_j$ rejects the login request message and this phase terminates immediately. After that $S_j$ computes
Step 2. Then the server $S_j$ generates a random nonce $R_S$ and computes $J_6 = J_4 \oplus R_S \oplus T_S$, where $T_S$ is the current system timestamp of the server $S_j$, and $J_7 = h(R_S \| T_S \| J_5 \| T_{SC}) \oplus AID'_{new}$, where $AID'_{new}$ is a random and temporary identity generated by the server $S_j$. The server $S_j$ then sends the authentication request message $\langle J_7, J_6, T_S, AID_{new} \rangle$ to the user $U_i$ via a public channel.
Step 3. After receiving the authentication request message, the smart card SC checks the validity of the timestamp $T_S$ in the received message with the condition $(T_S - T_S') < \Delta T$, where $T_S'$ is the current system timestamp of SC. If this condition does not hold, the phase terminates immediately. Otherwise, SC computes $J_8 = J_6 \oplus J_1 \oplus T_S = (Z_1 \oplus Z_2 \oplus R_S \oplus T_S) \oplus (Z_1 \oplus Z_2) \oplus T_S$, thus $J_8 = R_S$. Then the smart card SC further computes $J_9 = h(J_8 \| T_S \| R_{SC} \| T_{SC})$.
Step 4. SC then computes $J_{10} = J_9 \oplus AID'$ and verifies that $J_{10} = J_7$ holds; if not, the procedure is terminated. Otherwise the smart card computes a secret session key shared between $U_i$ and $S_j$: $SK = h(R_S \| T_S \| R_{SC} \| T_{SC} \| AID'_{new})$. Thus, after successful authentication, both $U_i$ and $S_j$ can communicate securely using the established secret session key.
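
The authentication-phase exchange above, written out as an added example (not the authors' code) showing both sides, the freshness checks, the XOR recovery of the server nonce and the resulting key agreement. It assumes SHA-256 for h, 32-byte values and a 5-second ΔT; the server's J4 and J5, whose formulas are missing from this copy of the paper, are passed in as parameters, with J5 taken equal to the card's nonce Rsc as the J10 = J7 check requires, and Z1, Z2 are random stand-ins.

```python
import hashlib, hmac, secrets

N = 32        # value width in bytes; h is SHA-256 here (assumption)
DELTA_T = 5   # assumed freshness window ΔT, in seconds

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # h(a‖b‖...), fixed-width parts

def xor(*vals: bytes) -> bytes:
    out = bytes(N)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def enc(t: int) -> bytes:
    return t.to_bytes(N, "big")   # timestamp as an N-byte string for XOR and hashing

def fresh(t_msg: int, t_now: int) -> bool:
    return abs(t_now - t_msg) < DELTA_T

def server_respond(j1, j4, j5, t_sc, now):
    """Server Steps 1-2 (j4, j5 supplied by caller: assumption). -> (msg, SK) or (None, None)."""
    if not fresh(t_sc, now) or not hmac.compare_digest(j4, j1):
        return None, None
    r_s, aid_new, t_s = secrets.token_bytes(N), secrets.token_bytes(N), now
    j6 = xor(j4, r_s, enc(t_s))
    j7 = xor(h(r_s, enc(t_s), j5, enc(t_sc)), aid_new)
    return (j7, j6, t_s, aid_new), h(r_s, enc(t_s), j5, enc(t_sc), aid_new)

def card_verify(msg, j1, r_sc, t_sc, now):
    """Card Steps 3-4. Returns the session key SK, or None if a check fails."""
    j7, j6, t_s, aid_new = msg
    if not fresh(t_s, now):
        return None
    j8 = xor(j6, j1, enc(t_s))                          # J8 = J6 ⊕ J1 ⊕ Ts = Rs
    j9 = h(j8, enc(t_s), r_sc, enc(t_sc))
    if not hmac.compare_digest(xor(j9, aid_new), j7):   # J10 = J9 ⊕ AID' against J7
        return None
    return h(j8, enc(t_s), r_sc, enc(t_sc), aid_new)

def demo(now: int = 1_700_000_000):
    # Constructed sample values: Z1, Z2 and Rsc are random stand-ins.
    z1, z2, r_sc = (secrets.token_bytes(N) for _ in range(3))
    j1 = xor(z1, z2)
    msg, sk_server = server_respond(j1, j4=j1, j5=r_sc, t_sc=now, now=now + 1)
    sk_card = card_verify(msg, j1, r_sc, now, now + 2)
    tampered = card_verify((msg[0], xor(msg[1], enc(1)), msg[2], msg[3]), j1, r_sc, now, now + 2)
    stale = card_verify(msg, j1, r_sc, now, now + 60)
    return sk_server, sk_card, tampered, stale
```

`demo()` returns the server's key, the card's key, and the card's result for a message with a modified J6 and for a reply that arrives outside the ΔT window.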

Security Analysis of the Proposed Scheme
In this section, we first show that our scheme is secure against various known attacks.

Impersonation Attack
In this kind of attack, an adversary attempts to impersonate the remote server or a legal user. If an attacker intercepts the login request message $\langle J_1, J_3, T_{SC} \rangle$ during the login phase and wants to start a new session, the attacker has to modify both $J_1$ and $J_3$. However, in order to change $J_3$ the attacker has to know both $ID_i$ and $R_{SC}$, which are unknown to the attacker.

Stolen Smart Card Attack
In this kind of attack, we assume that the card SC is lost or stolen by an attacker. The attacker can then extract all the information $\langle AID, h(\cdot), Z_1, Z_2 \rangle$ contained in the smart card SC of the user by means of a power analysis attack. However, the attacker still has no way to find out the secret information $X_s$ of the server; therefore, since Z 2 =h ( ‖ ) ⊕Z 1 and AID = ID ⊕h( i ‖Z 2 ‖T s ), this is not helpful to the attacker.

Password Guessing Attack
In this attack, we consider that the smart card SC of a legal user is lost or stolen by an attacker. All the secret information $\langle AID, h(\cdot), Z_1, Z_2 \rangle$ stored in the memory of the smart card SC is known to the attacker. Even then, the attacker is not able to correctly guess the password of the user. In addition, suppose the attacker intercepts all the transmitted messages $\langle J_1, J_3, T_{SC} \rangle$ during the login phase and $\langle J_7, J_6, T_S, AID_{new} \rangle$ during the authentication phase.
None of these messages involves the password of the user; therefore the attacker is still unable to carry out the password guessing attack.

Conclusions
We have analyzed existing schemes for remote user authentication and identified that they either are vulnerable to various known attacks or have a large computational cost. This paper therefore proposes a novel password-based remote user authentication scheme using smart cards. Our scheme ensures efficiency and security, while upholding simplicity with the use of only one-way hash functions and XOR operations. This enables us to avoid costly, computationally complex operations. We have also conducted a security analysis on our scheme to ensure that it is secure against possible known attacks. Hence, we propose that our new scheme is both feasible and secure, making it an ideal remote user authentication scheme.