1. An Improved Smart Card Based Password Authentication Scheme with Provable Security Source:Computer Standards & Interfaces, Vol. 31, No. 4, pp. 723-728, Jun. 2009 Author: Jing Xu, Wen-Tao Zhu and Deng-Guo Feng Speaker:Li-Tzu Chang

2. 2 Outline Review of Lee-Chiu’s scheme Forgery attack on Lee-Chiu’s scheme Review of Lee et al.’s scheme Offline password guessing attack on Lee et al.’s scheme Proposed scheme Conclusions

3. 3 h(. ): a one-way hash function p: a large prime number g: a primitive root in GF(p) q: a large prime such that p = 2q+1 ID: user’s identification PW: user’s password Notations

4. 4 Login and Authentication Computes A = h(ID||x) B = g A ． h(PW) mod p {ID, A, B, h(. ), p, g} Smart card Verifies ID, T Computes A * = h(ID||x) Verifies C 1 ?= h(T ⊕ (Z / A * mod p)) Review of Lee-Chiu’s scheme User Server Inputs ID, PW * Selects ID, PW {ID, PW} Smart card Verifies B ?= g A ． h(PW * ) mod p Computes Z = (B. A) mod p C 1 = h(T ⊕ B) {ID, Z, C 1, T} Registration No mutual authentication Server’s secret key

5. 5 Forgery attack on Lee-Chiu’s scheme Login and Authentication Verifies ID, T’ Computes A * = h(ID||x) Verifies C 1 ’ ?= h(T ⊕ (Z’ / A * mod p)) Adversary Server Steals a smart card and extracts the stored values someway Computes Z’ = (B. A) mod p C 1 ’ = h(T’ ⊕ B) {ID, Z’, C 1 ’, T’}

6. 6 Computes R = h(ID ⊕ x) ⊕ PW {ID, R, h(. )} Smart card Verifies ID, T 1 C 2 ?= h( h(ID ⊕ x) ⊕ T 1 ) Computes C 3 = h(h(ID ⊕ x) ⊕ T 3 ) Review of Lee et al.’s scheme User Server Inputs ID, PW * Selects ID, PW {ID, PW} Smart card Computes C 1 = R ⊕ PW * C 2 = h(C 1 ⊕ T 1 ) {ID, T 1, C 2 } {T 3, C 3 } Verifies T 3 C 3 ?= h(C 1 ⊕ T 3 ) Login and Authentication Registration Server’s secret key

7. 7 Offline password guessing attack on Lee et al.’s scheme Adversary Records T 1 and C 2 from a successful login of a certain user Steals the smart card and reveals R from it Selects a password S Computes C’ = R ⊕ S Checks h(C’ ⊕ T 1 ) ?= C 2 Repeats procedure offline until the correct password is yielded

8. 8 Computes B = (h(ID) x + h(PW)) mod p {ID, B, h(. ), p, g} Smart card Proposed scheme (1/2) User Server Selects ID, PW {ID, PW} Smart card Registration Server’s secret key (x ∈ Z q * )

9. 9 Login and Authentication Verifies ID, T Computes B” = W x mod p Verifies C ?= h(T||B”||W||ID) Selects m ∈ R Z q * Computes M = h(ID) m mod p C’ = h(M||B”||T’||ID) Proposed scheme (2/2) User Server Inputs ID, PW * Selects w ∈ R Z q * Computes B’ = (B – h(PW * )) w mod p W = h(ID) w mod p C = h(T||B’||W||ID) {ID, C, W, T} {ID, C’, M, T’} Verifies T’ C’ ?= h(M||B’||T’||ID) Key agreement sk = h(ID||M||W||M w ) sk = h(ID||M||W||W m )

10. 10 Conclusions Proposes an improved smart card based password authentication scheme with formal security proof Provides key agreement