An exquisite mutual authentication scheme with key agreement using smart card.
1 Introduction
In recent years, people communicate via networks much more frequently than before. The frequency that network users transmit information and share the computing resources increases very quickly. Moreover, with ecommerce being prosperous, people use computers daily to link with server to ask for service. In these situations, the remote authentication (1) Verifying the integrity of a transmitted message. See message integrity, email authentication and MAC. (2) Verifying the identity of a user logging into a network. and network security become inevitable and very important. The authentication scheme is an essential part to assure legitimate, secure and efficient access to a network system. Among authentication schemes, passwordbased authentication is widely used. But passwordbased authentication is vulnerable to the dictionary attacks [1,2,3,4], i.e. the password guessing attacks, because people are inclined to choose easytoremember identities or meaningful phrases. As a result, a number of protocols have been proposed to overcome the guessing attacks [1,57]. Some of the improved protocols [1,812] use public key encryption See public key cryptography. in authentication. The others [6,11,12,14] use nonces and oneway hash functions This is a list of hash functions, including cyclic redundancy checks, checksum functions, and cryptographic hash functions. Cyclic redundancy checks
Name Length Type Adler32 32 bits sum . The noncebased protocol is more secure because the nonce is randomly generated. As for oneway hash functions, it is irreversible irreversible (ir´ēvur´sebl), adj incapable of being reversed or returned to the original state. . Thus, the protocol using hash functions and nonces is safe and secure. Recently, some authentication protocols using smart card have been proposed [6,11,12,14]. Using smart card has many merits. Not only can it implement computations and store a wealth of useful information, like identification number, password and basic personal data, but also it is portable. Although the protocol using public key encryption is much more secure, it may incur a burdensome computation load. Therefore, we propose an authentication protocol using DiffieHellman scheme [15] to enhance the security level and efficiency but to reduce the computation load for a smart card. In our method, the smart card is responsible for simple computations and the server is responsible for complicated ones. The proposed scheme also uses the oneway hash function An algorithm that turns a variablesized amount of text into a fixedsized output (hash value). Hash functions are used in creating digital signatures, hash tables and short condensations of text for analysis purposes (see hash buster). and the exclusiveor operation to maintain security and convenience. To prevent the replay attacks and the synchronization (1) See synchronous and synchronous transmission. (2) Ensuring that two sets of data are always the same. See data synchronization. (3) Keeping timeofday clocks in two devices set to the same time. See NTP. problem, we adopt the nonces in our scheme instead of using timestamp. Furthermore, we introduce the design of transformed identity [16] in our scheme to avoid the duplication of identities. The rest of this paper is organized as follows: Some related schemes are reviewed in Section 2. The proposed authentication scheme is described in Section 3. The security analysis of our scheme is discussed in Section 4. The efficiency and specialities of the proposed scheme are discussed in Section 5. The functionality and performance of the proposed scheme are compared with related schemes and the result is listed in Table 1. Finally, the conclusions are given in Section 6. 2 Reviews of related schemes In this section, we review some related schemes briefly and closely. 2.1 Chien and Jan's scheme (ROSI ROSI Return on Security Investment ROSI Repository of Student Information ROSI Rollergirls of Southern Indiana (Evansville, IN) ROSI Raytheon Optical Systems Incorporated ROSI Romanian Open Source and Free Software Initiative scheme) Chien and Jan proposed a noncebased authentication scheme using smart card: Robust and Simple authentication protocol (ROSI) [6], in 2003. The ROSI scheme consists of two phases: "The registration phase" and "The authentication phase". In the scheme, a prospective user, u, selects his identity, [ID.sub.u] password, [PW.sub.u], and an initial nonce, [N.sub.1]. Then, the user transmits these values to the server, S, in registration phase. After accepting the application, the server stores [ID.sub.u] and [h.sup.2]([PW.sub.u][parallel][N.sub.1]) in its database, where the symbol "[parallel]" is the string concatenation. The server also uses its secret key to calculate some parameters and stores them in a smart card. Then, the server issues the smart card to the applicant, u. After the authentication phase, the user and the server can mutually authenticate (1) To verify (guarantee) the identity of a person or company. To ensure that the individual or organization is really who it says it is. See authentication and digital certificate. (2) To verify (guarantee) that data has not been altered. each other. However, in this scheme, it is necessary to set up a verification table and a legitimate user cannot update his password conveniently and freely when the security faces potential threats. 2.2 Juang's password authenticated au·then·ti·cate tr.v. au·then·ti·cat·ed, au·then·ti·cat·ing, au·then·ti·cates To establish the authenticity of; prove genuine: a specialist who authenticated the antique samovar. key agreement scheme In Juang's authenticated key agreement scheme using smart card [12], two phases are included: "The registration phase" and "The login Signing in and gaining access to a network server, Web server or other computer system. The process (the noun) is a "login" or "logon," while the act of doing it (the verb) is to "log in" or to "log on. and session key agreement phase". A prospective user submits his identity and password to the server for registration. After getting a smart card, the user can use it to access the server. The user applies his smart card to compute To perform mathematical operations or general computer processing. For an explanation of "The 3 C's," or how the computer processes data, see computer. a secret key and uses the key to encrypt See encryption. a message, which includes a random value and an authentication tag. After receiving the message, the server computes the secret key and decrypts the received message to extract the embedded Inserted into. See embedded system. authentication tag. Then, the server verifies the validity of this tag. In order to attain the shared session key, the user's smart card has to encrypt a forwarding message and decrypt To convert secretly coded data (encrypted data) back into its original form. Contrast with encrypt. See plaintext and cryptography. the received message from server to perform a noncechecking. In this scheme, we found that the smart card should encrypt and decrypt several messages by using the cryptographic cryp·tog·ra·phy n. 1. The process or skill of communicating in or deciphering secret writings or ciphers. 2. Secret writing. cryp scheme. In this situation, the smart card has to compute the modular exponential 1. (mathematics) exponential  A function which raises some given constant (the "base") to the power of its argument. I.e. f x = b^x If no base is specified, e, the base of natural logarthims, is assumed. 2. operations, which require a large amount of computations. These computations may overload See information overload and overloading. the capability of the smart card. 2.3 Hwang et al's remote user authentication See authentication. scheme The scheme [14] is comprised of three main phases and an additional one. The main phases are "The registration phase", "The log in phase" and "The authentication phase". The additional phase is "The password changing phase" within the user's discretion. When a prospective user, u, wants to register with a server, S, he submits his identity, [ID.sub.u], and a hash value The fixedlength result of a oneway hash function. See hash function and hash total. of password, h([PW.sub.u]) to the registration center of S. Then, the center uses the server's secret key, [x.sub.s], and the hash value of password to compute a shifted password, [PW.sub.1u] = h([ID.sub.u] [direct sum] [x.sub.s]) [direct sum] h([PW.sub.u]) and stores it with the hash function, h(*), into a smart card, where" [direct sum] "is the exclusiveor operation. Then, the smart card is issued to the user. To access the server, the user connects his smart card to a card reader and keys in his identity and password at the user's terminal. The smart card executes the exclusiveor operation on the shifted password and h([PW.sub.u]) to attain a crucial parameter, h([ID.sub.u], [direct sum] [x.sub.s]). The smart card then combines this parameter with a timestamp to compute an authenticating value. Next, the user transmits these values to the server for authentication. On receiving the messages, the server executes the verification procedures and performs the authentication. However, although the scheme can verify a legitimate user, the user and the server cannot achieve the mutual authentication Mutual authentication or twoway authentication refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both and the session key agreement. The scheme cannot avoid the time synchronization See real time clock, UTC and NTP. problem, either. 2.4 Behind the reviews In reviewing the related schemes, we are motivated to propose an improved scheme. Not only do we supplement the deficiencies, but we also enhance the efficiency and the functionality. In our scheme, the verification table is not required and the mutual authentication can be achieved. Furthermore, a user is allowed to select and update his password freely. Finally, the computation cost is reduced in the proposed scheme. 3 The proposed authentication scheme Our authentication scheme consists of four phases: the registration phase, the login and authentication phase, the key agreement phase and the password update phase. As mentioned before, for the sake of security, we prefer to adopt modular exponentiation Modular exponentiation is a type of exponentiation performed over a modulus. It is particularly useful in computer science, especially in the field of cryptology. Doing a "modular exponentiation" means calculating the remainder when dividing by a positive integer m (called in registration phase. But, it is performed only at the remote server to reduce the computation load for smart card. The login phase is executed at the user's terminal and the authentication is verified mutually between the user and the server. The key agreement is achieved by the user and the server respectively, and is kept temporarily for mutual communication in the session. As for the password update phase, it is completed only at the user's terminal. To describe our proposed scheme with ease, we use the following symbols and operations: 1. The operator "[direct sum]" is the bitwise exclusiveor operation. 2. The symbol "[parallel]" is the string concatenation. 3. The function "h" is a oneway hash function. 4. For the sake of convenience, let the expression "X [right arrow] Y : M" mean a sender X transmits a message M to a recipient Y. 3.1 The registration phase The registration phase is performed with the remote server. When a person, u, wants to be a legitimate user to a server, S, he offers an account application to S. The procedure is as follows: Step 1: u [right arrow] S : [ID.sub.u], [PW.sub.u]. Responding the challenge from the server, the applicant submits his identity, [ID.sub.u], and password, [PW.sub.u], to the server for registration via a secure communication channel. Both [ID.sub.u] and [PW.sub.u] are selected by himself freely. Step 2: After receiving the response, the server confirms the formats of the submitted identity and password first. Then, the server takes note of the registration time, [TS.sub.u] and archives the user's [ID.sub.u], and related [TS.sub.u] for later authenticating use. Then the server performs the following four processes: (1) Compute the transformed identity [16], [TID tid 3 times a day .sub.u] = [TS.sub.u][parallel][ID.sub.u], automatically by itself. The transformed identity, [TID.sub.u], can ensure the uniqueness of the identity. At this stage, the applicant only needs to remember his selected identity, [ID.sub.u], and password, [PW.sub.u]. (2) Compute [A.sub.u],  h([TID.sub.u] [direct sum] x), where the parameter x is the secret key of S and is kept confidentially. (3) Compute By = ([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII ASCII or American Standard Code for Information Interchange, a set of codes used to represent letters, numbers, a few symbols, and control characters. Originally designed for teletype operations, it has found wide application in computers. ]) [direct sum] [PW.sub.u] where p is a large prime positive integer integer: see number; number theory and 9 is a primitive element In mathematics, the term primitive element can mean:
(4) Store the values, [TS.sub.u] [B.sub.u] and h(*), in a smart card and issue the smart card to the applicant. 3.2 The login and authentication phase When a legitimate user, u, intends to login the server, S, the user's terminal and the server need to mutually authenticate each other. Step 1: u [right arrow] S: [M.sub.1] {[ID.sub.u], [NTID NTID National Technical Institute for the Deaf (Rochester, NY) .sub.u], [C.sub.u]). The user, u, connects his smart card to a reader. The smart card challenges the user for his identity, [ID.sub.a], and password, [PW.sub.u], which are selected at his application. The smart card automatically performs the following processes: (1) Generate a nonce, [n.sub.u]. Store the value, [n.sub.u], temporarily until the end of the session. (2) Retrieve the stored registration time to generate the transformed identity, [TID.sub.u] = [TS.sub.u][parallel][ID.sub.u]. (3) Compute [NTID.sub.u] = [TID.sub.u] [direct sum] [n.sub.u]. (4) Compute the value [C.sub.u] h([B.sub.u] [direct sum] [PW.sub.u]) [direct sum] [n.sub.u]. (5) Send the message [M.sub.1] {[ID.sub.u], [NTID.sub.u], [C.sub.u]} to the server, S. Step 2: S [right arrow] u: [M.sub.2] = {[D.sub.u], [NTID.sub.u]}. After receiving the message [M.sub.1], S does the following processes: (1) Retrieve from the database the registration time, [TS.sub.u], which is corresponding with the identity, [ID.sub.u], of the connecting user. If no such corresponding user matches, the server terminates the connection. Otherwise, it goes on to the next processes. (2) Compute [TID.sub.u], = [TS.sub.u][parallel][ID.sub.u], and [n'.sub.u]. [NTID.sub.u] [direct sum] [TID.sub.u]. (3) Compute [A.sub.u]. = h([TID.sub.u], [direct sum] x) and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] mod p, then h([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]). (4) Compute [n".sub.u][C.sub.u] [direct sum] h([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]). If [n'.sub.u] [n".sub.u] the received [NTID.sub.u] is truly sent from u and the parameters [n'.sub.u] and [n".sub.u] should be the same as [n.sub.u], which is generated by the smart card at the user's terminal. Hence, the legitimacy of the connecting user is authenticated. See Theorem theorem, in mathematics and logic, statement in words or symbols that can be established by means of deductive logic; it differs from an axiom in that a proof is required for its acceptance. 1. So, the communication will carry on. On the server terminates the other hand, if [n'.sub.u] [not equal to] [n".sub.u] connection. Furthermore, the server stores [n.sub.u] in memory temporarily for later use. (5) Create a nonce, [n.sub.s], randomly. Compute [D.sub.u] = [C.sub.u], [direct sum] [n.sub.u] [direct sum] [n.sub.s] and [NTID.sub.s] = [TID.sub.u] [direct sum] [n.sub.s]. Then the server sends the message, [M.sub.2] = {[D.sub.u], [NTID.sub.s]}, to the connecting user, u. Theorem 1: If [n'.sub.u] = [n".sub.u], the user, u, is authenticated. Proof Since [NTID.sub.u] [TID.sub.u] [direct sum] [n.sub.u], thus, [n'.sub.u] = [NTID.sub.u] [direct sum] [TID.sub.u] = [n.sub.u]. Also, given [B.sub.u]= ([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) [direct sum] [PW.sub.u] we have [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] It follows that [n'.sub.u] = [n".sub.u] = [n.sub.u]. The nonce, [n.sub.u], is generated at the user terminal when the user, u, inserts his smart card into a card reader. So it is fresh and unique. It is also embedded in [NTID.sub.u] and never exposed. No one can impersonate im·per·son·ate tr.v. im·per·son·at·ed, im·per·son·at·ing, im·per·son·ates 1. To assume the character or appearance of, especially fraudulently: impersonate a police officer. 2. it or pry about it. Both [TID.sub.u] and [NTID.sub.u] are unique, and [NTID.sub.u] can be computed by u only. Once [n'.sub.u], = [n".sub.u] is proven, we verify [NTID.sub.u] is really transmitted by u. Hence, the genuineness of the user, u, is authenticated. [] Step 3: u [right arrow] S : [M.sub.3] = {[E.sub.u]}. When u receives the message [M.sub.2], he executes the following processes: (1) Compute [n'.sub.s] = [NTID.sub.s] [direct sum] [TID.sub.u] and [n".sub.s]. [C.sub.u] [direct sum] [n.sub.u] [direct sum] [D.sub.u]. If [n'.sub.s] = [n".sub.s], the communication goes on. In this situation, both [n'.sub.s] and [n".sub.s] are equal to [n.sub.s] which is generated by the server. Thus, the server is authenticated. See Theorem 2. On the other hand, if [n'.sub.s][not equal to][n".sub.s], u ceases the communication. Furthermore, u keeps [n.sub.s] temporarily at the user terminal for later use. (2) Compute [E.sub.u] ([C.sub.u][direct sum][n.sub.u])[parallel]([n.sub.s] + 1). Then u sends the message [M.sub.3] = {[E.sub.u]} to S. The parameter [n.sub.s] + 1 is the response to the server. Theorem 2: The server, S, is authenticated if [n'.sub.s] = [n".sub.s] Proof Since [NTID.sub.s] = [TID.sub.u] [direct sum] [n.sub.s], [n'.sub.s] = [NTID.sub.s] [direct sum] [TID.sub.u], = [n.sub.s]. Also, since [D.sub.u] = [C.sub.u] [direct sum] [n.sub.u] [direct sum] [n.sub.s], [n".sub.s] = [C.sub.u] [direct sum] [n.sub.u] [direct sum] [D.sub.u] = [n.sub.s]. Then, we have [n'.sub.s] = [n".sub.s] = [n.sub.s]. The nonce, [n.sub.s], is immediately generated by S, when S verifies the genuineness of the user, u. So [n.sub.s] is fresh and unique. The transformed identity, [TID.sub.u] is also unique. Thus, [NTID.sub.s] is unique and it can be computed by the server only. Furthermore, [D.sub.u] is computed with [C.sub.u] [n.sub.u] and [n.sub.s]. A false server can not forge all of them. Once [n'.sub.s] = [n".sub.s] is proven, the integrity of S is authenticated. [] Step 4: After receiving the message, [M.sub.3], the server finds [E.sub.u] in it. Since [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Thus, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] So, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], and it is really the string concatenation of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. The server can easily extract [n.sub.s] + 1 from [E.sub.u] and find [n.sub.s] in there. At this time, the server ensures that the authenticating user does have the nonce, [n.sub.s]. Now, both the user and the server can try for a session key agreement. 3.3 The key agreement phase After receiving the nonce, [n.sub.s], sent from the server, the user creates a session key [SK.sub.u] = h(([B.sub.u][direct sum][PW.sub.u])[parallel][n.sub.s][parallel][n.sub.u]). Once the server ensures that u has the nonce, [n.sub.s], it generates a session key [SK.sub.s] = [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Since [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], is computed in the registration phase, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] Thus, [SK.sub.u] = [SK.sub.s]. Therefore, the key agreement is achieved and the session key for the session communication is [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] 3.4 The password update phase When a user wants to change his password for personal reasons or for the sake of security. He can do so at the user's terminal by performing the following: Step 1: Insert the smart card into a reader and announce a password update request at the user's terminal. Step 2: Key in the original password, [PW.sub.u]. The smart card calculates [B.sub.u] [direct sum] [PW.sub.u]. Step 3: Responding to the challenge of the smart card, the user gives a new password [PW.sup.*.sub.u]. The smart card calculates [B.sup.*.sub.u] ([B.sub.u])[direct sum][PW.sup.*.sub.u]) [direct sum] [PW.sup.*.sub.u] and then replaces [B.sub.u] with this new [B.sup.*.sub.u]. At this time, the password update phase is completed. 4 Security analysis Not only do we concern with the efficiency and the specialties of our scheme, but also we ask for security and the computational complexity computational complexity Inherent cost of solving a problem in largescale scientific computation, measured by the number of operations required as well as the amount of memory used and the order in which it is used. in our proposed scheme. In this section, we will display the strength of our scheme first, and later we discuss the computational complexity. The security analysis is listed as follows: (1) Our scheme can overcome the guess attacks: The user is allowed to select his own identity and password freely in our scheme, so he is apt to choose easytoremember or meaningful identity and password. In this situation, it seems easy to guess the identity and the password of a legitimate user. However, the construction of transformed identity in our proposed scheme makes the transformed identity be an independent unity. The uniqueness can prevent the transformed identity from being duplicate and resist the guess attacks. An intruder An attacker that gains, or tries to gain, unauthorized access to a system. See attacker, intrusion and IDS. guesses a legitimate user's identity. The guessed identity can not be converted into a valid transformed identity without the exact registration time, which is stored in the user's smart card. As a result, a intruder's intent to access a remote server should be rejected without a valid transformed identity. (2) Our scheme is capable of resisting the maninthemiddle attacks: A malicious intruder may intercept or eavesdrop eaves·drop intr.v. eaves·dropped, eaves·drop·ping, eaves·drops To listen secretly to the private conversation of others. on the communication between a legitimate user, u, and the server, S. After intercepting the message [M.sub.1] sent by u, he may impersonate u and replay the message to S. Then, he waits for a response message from S. The intruder can not compute the efficient [TID.sub.u] from the intercepted [NTID.sub.u] without the nonce, [n.sub.u], which is generated randomly by the smart card and is never exposed on the communication. Even though the intruder has the response message, [M.sub.2], from S, he can not extract the nonce, [n.sub.s], from [NTID.sub.s], which is included in [M.sub.2], because he has no [TID.sub.u] at hand. The nonce, [n.sub.s], is generated by S and is needed to authenticate the server in Step 3(l) in the login and authentication phase. This nonce is also required to achieve the session key agreement. Furthermore, the intruder must respond the server with [n.sub.s] + 1. Because the nonce, [n.sub.s], is unavailable, this response can't be completed, either. Eventually, an illegitimate ILLEGITIMATE. That which is contrary to law; it is usually applied to children born out of lawful wedlock. A bastard is sometimes called an illegitimate child. user should be rejected and the connection is terminated. On the other hand, when a malicious person intercepts the message [M.sub.1], he may pretend to be the server that u is connecting to. Furthermore, he has no [TID.sub.u] and he can't compute it because he has no [TS.sub.u] at hand. The intruder has no nonce, [n.sub.u], either. Thus, he can not send an available parameters to the user u for authenticating the integrity of the server. The communication terminates when the authentication fails. (3) An intruder can not achieve session key agreement: The user's password is never exposed in the transmission. An intruder can not intercept the password or any information about it. Meanwhile, the parameter [B.sub.u] is stored in the user's smart card, no one can access it. So, the parameter [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] can not be computed from [B.sub.u] [direct sum] [PW.sub.u]. On the other hand, if an intruder intends to compute [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] directly. He needs to compute [A.sub.u] = h([TID.sub.u] [direct sum] x) first. But, the secret key z of the server is kept confidentially. No one can have it. Hence, it is impossible to compute [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] directly. Therefore, no session key agreement can be achieved without all of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], [n.sub.u] and [n.sub.s] at hand. (4) An intruder will be confronted with the complexity of the discrete logarithm In mathematics, specifically in abstract algebra and its applications, discrete logarithms are grouptheoretic analogues of ordinary logarithms. The problem of computing discrete logarithms is a sort of sibling to the problem of integer factorization, in that both problems are : The secret key x of the server is protected by the oneway hash function. It is not possible to derive it from [A.sub.u] = h(TID [direct sum] x). Trying to solve out [A.sub.u] from [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is also impossible, because the adversary adversary traditional appellation of Satan [O.T.: Job 1:6; N.T.: I Peter 5:8] See : Devil will be confronted with the difficulty and the complexity of the discrete logarithm problem. Without secret key z, an adversary can not pretend to be the server, S, in the communication. The parameter, [B.sub.u], can't be derived without [A.sub.u]. Thus, an adversary can not pretend to be the connecting user, u, either. 5 The efficiency and specialties of our scheme From the procedures of the construction, we point out some merits in our scheme. We concern not only efficiency but also special properties. (1) No verification table is needed: Once a prospective user, u, offers his identity, [ID.sub.u], and password, [PW.sub.u], in registration phase. The server, S, takes note of the registration time, [TS.sub.u], to derive the transformed identity, [TID.sub.u]. Then, S calculates the parameter, [B.sub.u], and stores it in a smart card. When the legitimate user wants to access the system, he only gives his selected identity to compute the transformed identity and then transmits it to the remote server. The smart card also generates automatically a nonce, [n.sub.u], to compute the authenticating values, [C.sub.u] and [NTID.sub.u]. Then the values are transmitted to the server. It is not necessary for the remote server to set up any verification table of passwords or other personal information. (2) The transformed identity is unique: The construction of transformed identity makes the identity unique. A few users could select the same identities, but the transformed identities should eventually be different since our scheme takes the registration time into account. It prevents the duplication from happening. (3) The user's identity and password can be selected freely: Since our proposed scheme uses the transformed identity to discriminate different users, the original identity is allowed to be selected according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. the user's preference. Taking into account the registration time, the proposed scheme converts the selected identity into transformed identity. The transformed identities should be different from one another even if the selected identities might be the same. Thus, a user's identity can be selected freely. The transformed identity is used to compute the parameter [A.sub.u]. Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is computed. The parameter [B.sub.u] is generated by performing exclusiveor operation on [PW.sub.u] and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Because [B.sub.u] is stored in the user's smart card, no one can pry about it. Therefore, the password can also be selected freely. (4) DiffieHellman scheme is used: In registration phase, the server calculates the parameter [B.sub.u] through DiffieHellman scheme to enhance security. Because the computation of modular exponentiation is burdensome for a smart card, the proposed scheme makes the server execute the operation in order to lessen less·en v. less·ened, less·en·ing, less·ens v.tr. 1. To make less; reduce. 2. Archaic To make little of; belittle. v.intr. To become less; decrease. the troublesome implementation for smart card and to speed up the computation. (5) The computations proceed very quickly and the load is low: The modular exponentiation is the only burdensome and timeconsuming computation. It is used on the DiffieHellman scheme and is performed only once at the remote server. The other computations at both the user's terminal and the remote server are just the oneway hash functions, string concatenations and the exclusiveor operations. The computations proceed very quickly, and the load is extremely low for either of them. The Table 1 demonstrates the computational complexity is simple. (6) The password can be conveniently updated at the user's terminal: The server needs no passwordverification table to check the a user's genuineness. The proposed scheme allows a user to update his password at his terminal. It is convenient and efficient for users. (7) The mutual authentication is executed: The scheme can mutually authenticate each other between the user and the server. From the Theorem 1 and 2, the correct methods of the mutually authentication between the user and the remote server are proven. At the end of this section, we compare our proposed scheme with some other schemes on the computational complexity and the performances. The comparison on computational complexity is also listed in Table 1. From an objective point of view about the performance, we include some criteria in the following items: Item 1. No verification table needed: At the remote server, a passwordverification table is not needed to authenticate the users. Item 2. Using unique transformed identity: Describe whether a user can choose his identity according to his preference and prevent it from duplication. Item 3. Choosing a password freely: Display whether a scheme allows a user to choose his password freely or not. Item 4. Mutual authentication: Demonstrate whether a legitimate user and the remote server can mutually authenticate each other or not. Item 5. Password update conveniently: Discuss whether a user can conveniently update his password at the user's terminal or not. Item 6. Session key agreement: Show whether a scheme can achieve the session key agreement or not. Item 7. Avoiding time synchronization problem: Exhibit whether a scheme can avoid the time synchronization problem or not. The result of the comparisons on the performances is listed in Table 2. 6 The conclusions We have proposed an exquisite mutual authentication scheme without verification table of passwords and other users' personal information. The proposed scheme includes session key agreement and convenient password update. Our scheme uses the registration time to create the unique transformed identity in order to discriminate a user from the others efficiently, even if they may choose the same value for their identities. Through the storage of important information in the smart card, the proposed scheme can generate necessary parameters without exposing the password in transmission. Our scheme can withstand the replay attacks and resist the maninthemiddle attacks. Moreover, the security of our scheme relies on the intractability in·trac·ta·ble adj. 1. Difficult to manage or govern; stubborn. See Synonyms at unruly. 2. Difficult to mold or manipulate: intractable materials. 3. of discrete logarithm because the DiffieHellman scheme is used. Received: June 25, 2008 References [1] S.M. Bellovin, M. Merritt, (1993) Augmented encrypted key exchange Encrypted Key Exchange (also known as EKE) is a family of passwordauthenticated key agreement methods described by Steven M. Bellovin and Michael Merritt ^{[1]}. : A passwordbased protocols secure against dictionary attacks and password file compromise, Proceedings of First ACM (Association for Computing Machinery, New York, www.acm.org) A membership organization founded in 1947 dedicated to advancing the arts and sciences of information processing. In addition to awards and publications, ACM also maintains special interest groups (SIGs) in the computer field. Conference on Computer & Communications Security See COMSEC. , pp.244250. [2] Y. Ding, E Horster, (1995) Undetectable online password guessing attacks, ACM Operating Syst. Rev., pp.7786. [3] DV. Klein, (1990) Foiling the cracker (1) A person who breaks into a computer system without authorization, whose purpose is to do damage (destroy files, steal credit card numbers, plant viruses, etc.). Because a cracker uses lowlevel hacker skills to do cracking, the terms "cracker" and "hacker" have become : a survey of, and improvements to password security, Proceedings of the second USENIX UNIX security Unix security, maintaining a secure environment on Unix and Unixlike operating systems is dependent on design concepts of these operating systems, but vigilance through user and administrative techniques is important to maintain security also. workshop, pp.514. [4] R. Morris, K. Thompson, (1979) Password security: a case history. Communications of the ACM (publication) Communications of the ACM  (CACM) A monthly publication by the Association for Computing Machinery sent to all members. CACM is an influential publication that keeps computer science professionals up to date on developments. , 22(11), pp.594597. [5] V. Goyal, V. Kumar, M. Singh, A. Abraham, and S. Sanyal, (2006) A new protocol to counter online dictionary attacks, Computers & Security, 25, pp.114120. [6] H.Y. Chien, J.K. Jan, (2003) Robust and simple authentication protocol, Computer Journal, 46, pp. 193201. [7] C.L. Lin, H.M. Sun, T. Hwang, (2001) Attacks and solutions on strongpassword authentication, IEICE IEICE Institute of Electronics, Information and Communication Engineers (Japan) IEICE Institute of Electronics Information and Communication Engineers Trans. Commun. E84B, No. 9, pp.26222627. [8] S. Halevi, H. Krawczyk, (1998) Publickey cryptography and password protocols, Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco San Francisco (săn frănsĭs`kō), city (1990 pop. 723,959), coextensive with San Francisco co., W Calif., on the tip of a peninsula between the Pacific Ocean and San Francisco Bay, which are connected by the strait known as the Golden , CA, pp. 122131. [9] C.C. Chang, W.Y. Liao, (1994) A Remote Password Authentication Scheme Based upon E1Gamal's Signature Scheme, Computer & Security, Vol. 13, pp.137144. [10] C.C. Chang, L.H. Wu, (1990) A Password Authentication Scheme Based upon Rabin's PublicKey Cryptosystem, Proceedings of lnternational Conference on Systems Management '90, Hong Kong Hong Kong (hŏng kŏng), Mandarin Xianggang, special administrative region of China, formerly a British crown colony (2005 est. pop. 6,899,000), land area 422 sq mi (1,092 sq km), adjacent to Guangdong prov. , pp.425429. [11] M.S. Hwang, L.H. Li, (2000) A new remote user authentication scheme using smart card, IEEE (Institute of Electrical and Electronics Engineers, New York, www.ieee.org) A membership organization that includes engineers, scientists and students in electronics and allied fields. Transactions on Consumer Electronics, 46(1), pp.2830. [12] W. S. Juang, (2004) Efficient password authenticated key agreement using smart card, Computer & Security, 23, pp. 167173. [13] Y.C. Chen, L.Y. Yeh, (2005) An efficient noncebased authentication scheme with key agreement, Applied Mathematics and Computation, 169, pp.982994. [14] M.S. Hwang, C.C. Lee, Y.L. Tang tang, in zoology tang: see butterfly fish. , (2002) A simple remote user authentication scheme, Mathematical and Computer Modelling,36, pp. 103107. [15] W. Diffie, M. Hellman, (1976) New directions in cryptography, IEEE Trans. Inform. Theory, 22, pp.476492. [16] C.T. Wang, C.C. Chang, C.H. Lin, (2004) Using IC Cards to Remotely Login Passwords without Verification Tables, Proceedings of the 18th International Conference on Advanced Information Networking and Application(AINA), Fukoka, Japan, pp.321326. ChiuHsiung Liao General Education Center National ChinYi University of Technology Taichung, Taiwan 411, R.O.C. Email: cliao@ncut.edu.tw HonChan Chen and ChingTe Wang Department of Information Management National ChinYi University of Technology Taichung, Taiwan 411, R.O.C. Email: {chenhc, ctwang}@ncut.edu.tw Table 1: Comparison on Computational Complexity Login and Key Password Phase Registration Authentication Agreement Update Our scheme ICo 3Co 1Ha 2Ha Yes Yes 2[direct sum] 9[direct sum] 1ME 1ME Chien et al [6] 2Co SCo 3Ha 17Ha No No 1[direct sum] l0[direct sum] Hwang and 1ME 2Ha Li [11] 2[direct sum] No No SME 2MM Juang's [12] 1Ha 1Co 1[direct sum] 4Ha 1[direct sum] Yes No 3En 3De Hwang et 2Ha 1Ha No Yes al [14] 2[direct sum] 2[direct sum] Co: concatenation; Ha: oneway hash function; [direct sum]: exclusiveor; ME: modular exponentiation; MM: modular multiplication; En: encryption; De: decryption Table 2: The result of the comparisons on performancesamong schemes No Using Choosing verification transformed PW Criterion item table ID freely Our scheme Yes Yes Yes Chien et al's [6] No No Yes Hwang and Li's [11] Yes No No Juang's [12] Yes No Yes Hwang et al's [14] Yes No Yes Mutual PW Criterion item authentication update Our scheme Yes Yes Chien et al's [6] Yes No Hwang and Li's [11] No No Juang's [12] Yes No Hwang et al's [14] No Yes Session key Avoiding Criterion item agreement synchronization Our scheme Yes Yes Chien et al's [6] No Yes Hwang and Li's [11] No No Juang's [12] Yes Yes Hwang et al's [14] No No 

Reader Opinion