A Practical and Secure Hash Function-Based Password Authentication Scheme

In this study, we propose a practical and secure hash function-based password authentication scheme using smart cards. The proposed scheme offers several advantages. Firstly, it requires no verification table and is secure against replay attacks, a weakness from which many existing schemes suffer. Secondly, any user of the scheme may change his or her account password efficiently. Thirdly, the time complexity of each algorithm in the proposed scheme is low compared with several well-known existing password authentication schemes.


Introduction
Today's global network conveniently provides access to many kinds of online service through remote systems: an open environment in which users from all over the world can communicate. However, that openness is also a source of security risks and threats, including data disclosure, data modification and, worse, identity impersonation. A password authentication scheme provides protection against these three main risks: it allows a server to verify the legitimacy of a user over an insecure channel before granting access to network databases and services. Conventional password authentication schemes ask users to submit a private username or user ID together with a password, and the system matches the submitted data against a verification table held on the server. Many existing schemes rely on such a table to identify and validate users, but the table must be stored, maintained and administered, and it is usually assumed to be protected by the server against every form of attack. Some earlier verification-table-based schemes were not designed to withstand replay attacks, in which an intruder observes a network communication, intercepts a message and later fraudulently delays or resends it to make the receiver do what the intruder wants. In other words, the intruder can impersonate the user by intercepting a message from the network and later logging in and communicating with the server as a "legitimate" user.
Such attacks commonly stem from an improper selection of the keys and parameters in the algorithms and in the design of the equations that involve them. In short, a verification table gives intruders a target to modify, which indirectly results in an uncontrollable cost of managing and protecting the table. Evans et al. (1974) proposed a method for protecting the verification table by preventing passwords from being disclosed; however, the technique failed because users could still be impersonated. Lennon et al. (1981) then proposed a scheme that used a test pattern and several secret keys to construct a relationship between the user ID and the password. However, Hwang (1983) and later Harn et al. (1989) showed that the scheme has a major drawback: all users' passwords could be retrieved by an intruder when the secret keys are changed. Lamport (1981) proposed a password authentication scheme and claimed that it is secure against replay attacks, but Chang and Wu (1991) later noted that intruders could modify the users' passwords stored in the system's password table. A few years later, several password authentication schemes using smart cards were proposed (Chang and Liao, 1994; Chien et al., 2001; Sun, 2000; Liao et al., 2006; Hwang, 1999; Wang and Chang, 1996; Wu, 1995; Lee et al., 2002; Kumar, 2010; Sood, 2012; Thandra et al., 2016). However, a common drawback of many of these schemes is that users cannot change their passwords, because no mechanism for doing so is provided, for example in Sun (2000), Chien et al. (2002), Xu et al. (2009) and Rajaram and Amutha (2012). Practical solutions to this problem have been demonstrated by several researchers, such as Hwang et al. (2002) and Chang and Lee (2006). Wang and Chang (1996) applied the concept of a timestamp to an improved authentication scheme based on the ElGamal (1985) signature.
The authors showed that a remote system can determine the validity of the authentication message, but cannot validate the identity of the user. Hwang et al. (2002), Lee et al. (2002), Kumar (2010), Sood (2012), Rajaram and Amutha (2012), Lee (2013), Thandra et al. (2016), Pooja and Pramav (2016) and Liu et al. (2017) enhanced smart-card authentication schemes by allowing users to choose and change their passwords without revealing them to the server. Sun (2000) proposed an efficient and practical remote user authentication scheme; no password table needs to be kept by the system, so communication and computation costs are reduced. Hwang et al. (2002), Chien et al. (2002) and Lee et al. (2002) each proposed simple remote user authentication schemes that, their authors claimed, achieve the following goals: no verification table on the server side, low communication and computation costs, a complete solution to the replay attack problem, and freedom for users to choose their own passwords. Yoon et al. (2005) next improved upon Hwang et al.'s simple remote user authentication scheme using smart cards. Xu et al. (2009) proposed an exponentiation-based smart-card authentication scheme and claimed that it resists various feasible attacks. Kumar (2010) proposed a scheme in which the server and the user authenticate one another and then generate a secret session key for secure communication; the remote user is free to change his or her password without connecting to the server. Rajaram and Amutha (2012) then proposed an efficient password authentication scheme for smart cards based on the RSA algorithm with low computational cost. Sood (2012) proposed a protocol that allows users to choose and change their passwords and provides mutual authentication between the user and the server to protect against forgery attacks.
Lee (2013) proposed an improved scheme claimed to provide dynamic identity and user anonymity, forward and backward secrecy and mutual authentication, and to withstand replay, insider and impersonation attacks. Pooja and Pramav (2016) proposed a biometric authentication scheme using smart cards based on a geometric approach, combining passwords, a smart card and biometrics to construct a three-factor authentication scheme. Thandra et al. (2016) cryptanalysed and improved Rajaram and Amutha's scheme and achieved mutual authentication during the login phase. Liu et al. (2017) proposed a smart card-based password authentication scheme to overcome the weaknesses of the scheme of Li et al. (2013) and claimed that it resists various types of attack with better computational efficiency.
In this study, we propose a new practical and secure password authentication scheme using smart cards based on hash functions. The new scheme is designed to resist replay, guessing and impersonation attacks, and it allows users to change their passwords freely. If a smart card is lost, the system also allows a secure transfer to a new card without creating a new ID. One advantage of the scheme is that no password verification table needs to be maintained in order to verify the legitimacy of a user. The time complexity, communication cost and computational cost of the proposed scheme are low compared with several existing schemes.

The Design of Password Authentication Scheme
A conventional password authentication scheme consists of four phases: initialization, registration, login and authentication. Our design makes use of cryptographic hash functions; see Paar and Pelzl (2010) for the definitions and properties of hash functions. For security we require the hash function to be collision-resistant, that is, it must be hard to find two different inputs that map to the same output. In other words, we require that no polynomial-time algorithm can find a collision of the hash function. The security analysis below also relies on the hash functions being one-way (preimage-resistant), since the password PWD_i is protected only by the difficulty of inverting H.
The scheme also makes use of a secure channel, over which it is assumed that no attacker can steal or modify the smart card. This is not impossible to achieve in practice; many forms of secure channel are in practical and secure use. The proposed scheme also allows users to change their passwords freely when necessary. The scheme requires an SRC, a server assumed to be honest, to communicate with the users and complete the required transactions. We now examine the phases of the password authentication scheme.

Phase 1: Initialization Phase
The scheme uses two hash functions, h(·, ·) and H(·), which take two inputs and a single input respectively and each output a single value. The secret key x is kept private by the SRC; only the legitimate user knows his password PWD_i, whereas his identity ID_i is publicly known.

Phase 2: Registration Phase
In this phase, a smart card is issued by the SRC to each registered user U_i:
1. User U_i submits his identity ID_i and password PWD_i to the SRC for registration.
2. The SRC computes the user's secret information w.
3. The SRC computes b = w ⊕ H(PWD_i), where ⊕ is the standard XOR operation.
4. The SRC embeds the two computed secret values w and b into the smart card.
5. The SRC issues the smart card to the user U_i via a secure channel.
The smart card now contains the values w and b, which correspond uniquely to the authorized user. The card must be kept safe by the user.

Phase 3: Login Phase
If a user wishes to log into the system, he must first insert the smart card into the terminal and enter his identity ID_i and password PWD_i. Suppose that T is the current time at which the user enters his identity and password into the smart card. The smart card then performs the following operations:

Phase 4: Authentication Phase
Upon receiving the message E, the system authenticates the login user as follows. Suppose that the system receives the message E at time T′. The system then performs the following steps, of which step 2 checks the validity of the time interval between T and T′, and access is granted only if step 4 holds true:

Proposition 1
If the above system (Phases 1 to 4) runs smoothly and the message E = (ID_i, C, T, t) is properly generated, then the login request via C = h(w, t) will always be successful. If a login request is rejected three times, the user's account is automatically locked and the user must contact the SRC to unlock it.
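The registration, login and authentication phases above, modelled end to end as an added example (this is not the paper's own code). Only what the page states is taken as given: the SRC holds a secret key x, the card holds w and b = w ⊕ H(PWD_i), the card sends E = (ID_i, C, T, t) with C = h(w, t), the SRC checks the time interval against ΔT, and an account is locked after three rejected requests. Everything else is an assumption made so that the model runs: SHA-256 for H and h, w derived as h(x, ID_i) so that the SRC needs no table, t as a random nonce with the timestamp T appended to it inside the hash (the extracted text does not say how T is bound into C, and without such binding a re-stamped replay would pass), an additional rejection of a repeated (T, t) inside the window, and a password change carried out on the card alone.

```python
"""Toy model of the hash-based smart-card login scheme (added example).

Assumptions not given in the extracted text:
  * H(.) is SHA-256; h(a, b) is SHA-256 over length-prefixed a || b.
  * The SRC derives w = h(x, ID_i): no verification table is stored.
  * t is a fresh random nonce and T is appended to t inside the hash,
    C = h(w, t || T), so re-stamping a replayed E breaks C.
  * The SRC remembers (T, t) pairs accepted inside the window, so an exact
    replay inside delta_T is rejected as well as a stale one.
  * Password change re-masks w on the card without contacting the SRC.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Message = Tuple[bytes, bytes, int, bytes]  # E = (ID_i, C, T, t)


def H(data: bytes) -> bytes:
    """Single-input hash H(.)."""
    return hashlib.sha256(data).digest()


def h(a: bytes, b: bytes) -> bytes:
    """Two-input hash h(., .); the length prefix keeps a || b unambiguous."""
    return hashlib.sha256(len(a).to_bytes(4, "big") + a + b).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def bind(t: bytes, T: int) -> bytes:
    """Second input to h: nonce t with timestamp T appended (assumption)."""
    return t + T.to_bytes(8, "big")


@dataclass
class SmartCard:
    w: bytes
    b: bytes

    def login(self, uid: bytes, pwd: bytes, T: int, t: Optional[bytes] = None) -> Message:
        """Login phase: check the typed password locally, then build E."""
        # b XOR H(PWD) must recover w; otherwise the password is wrong.
        if not hmac.compare_digest(xor(self.b, H(pwd)), self.w):
            raise ValueError("wrong password")
        t = t if t is not None else os.urandom(16)
        return (uid, h(self.w, bind(t, T)), T, t)

    def change_password(self, old: bytes, new: bytes) -> None:
        """Password change modelled on the card only (assumption)."""
        if not hmac.compare_digest(xor(self.b, H(old)), self.w):
            raise ValueError("wrong password")
        self.b = xor(self.w, H(new))


@dataclass
class SRC:
    x: bytes                       # server secret key, never leaves the SRC
    delta_T: int = 60              # freshness window in seconds
    max_failures: int = 3          # lock the account after this many rejections
    failures: Dict[bytes, int] = field(default_factory=dict)
    locked: Set[bytes] = field(default_factory=set)
    seen: Dict[bytes, Set[Tuple[int, bytes]]] = field(default_factory=dict)

    def _w(self, uid: bytes) -> bytes:
        # Recomputed from x and the public ID_i, so no table of w values exists.
        return h(self.x, uid)

    def register(self, uid: bytes, pwd: bytes) -> SmartCard:
        """Registration phase: compute w and b and embed both in the card."""
        w = self._w(uid)
        return SmartCard(w=w, b=xor(w, H(pwd)))

    def authenticate(self, E: Message, T_prime: int) -> bool:
        """Authentication phase for a message E received at server time T_prime."""
        uid, C, T, t = E
        if uid in self.locked:
            return False
        window = self.seen.setdefault(uid, set())
        # Forget remembered (T, t) pairs that have aged out of the window.
        window -= {(T0, t0) for (T0, t0) in window if T_prime - T0 >= self.delta_T}
        fresh = 0 <= T_prime - T < self.delta_T and (T, t) not in window
        ok = fresh and hmac.compare_digest(C, h(self._w(uid), bind(t, T)))
        if ok:
            window.add((T, t))
            self.failures[uid] = 0
        else:
            self.failures[uid] = self.failures.get(uid, 0) + 1
            if self.failures[uid] >= self.max_failures:
                self.locked.add(uid)
        return ok
```

A stale replay fails the window check, an exact replay inside the window fails the remembered-pair check, and a replay with a freshly chosen T fails because T is inside the hash input of C; three such rejections lock the account, which is why the lockout should be combined with rate limiting in a real deployment.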

Password-Changing Mechanism
If a user wants to change his password from PWD_i to PWD′_i, the following procedure is performed:

Security and Performance Analysis
In this section, we first define the security requirements that an ideal password authentication scheme should satisfy. The definitions are taken from Tsai et al. (2006):

Forgery Attacks (Impersonation Attacks)
An attacker attempts to modify intercepted communications in order to masquerade as a legal user and log in to the system.

Forward Secrecy
Ensures that previously generated passwords in the system remain secure even if the system's secret key is accidentally revealed or stolen.

Password Guessing Attacks
Most passwords have such low entropy that they are vulnerable to password guessing attacks, in which an attacker intercepts authentication messages, stores them locally and then uses them to check whether a guessed password is correct.

Replay Attacks
An attacker eavesdrops on a network communication, intercepts a message and then maliciously or fraudulently delays or resends it to misdirect the receiver into doing what the attacker wants.

Smart Card Loss Attacks
When a smart card is lost or stolen, an unauthorized user may be able to change the card's password, guess the user's password by a password guessing attack, or impersonate the user to log in to the system.

Denial of Service Attacks
An attacker updates false verification information for a legal user before the next login phase, after which the legal user can no longer log in successfully.

Parallel Session Attacks
Without knowing a user's password, an attacker masquerades as the legal user by constructing a valid login message from eavesdropped communication between the user and the server.
We now show that the proposed password authentication scheme is secure against the following attacks. A good password authentication scheme provides protection from each of them; an adversary might attempt them as follows.

Resistance to Impersonation Attack
We show that our scheme resists impersonation attacks. In this case, the adversary first chooses w′ and tries to solve

Resistance to Guessing Attacks
Guessing attacks can be classified as off-line and on-line. In our scheme, if an adversary intercepts E = (ID_i, C, T, t), he cannot recover PWD_i by an off-line guessing attack, since PWD_i is protected by the hardness of inverting the one-way hash functions h and H used in C. Now, assuming the adversary passes the login phase, the device then sends a value whose equality check holds only if PWD_A = PWD_i, which occurs only with negligible probability. Therefore, the system rejects the adversary's login request. On-line guessing attacks, on the other hand, can be prevented by limiting the number of failed logins; for example, if a login request is rejected three times, the user's account is automatically locked by the system.

Resistance to Replay Attack
Replay attacks do not work against the proposed scheme because of the timestamp: the SRC can identify an intruder who replays a message. Suppose that an intruder eavesdrops on the login message E = (ID_i, C, T, t) and later replays E to the SRC. He fails at step 2 of the authentication phase, the check on the validity of the time interval, because a message is rejected when T′ − T ≥ ΔT. To pass the authentication phase the intruder would have to change T so that this check is satisfied; however, once T is changed, the authentication phase fails. Note that within the window ΔT itself the timestamp check cannot distinguish a replay from the original message, so a deployment should additionally reject a repeated (ID_i, T, t) received inside the window.

Resistance to Man-In-The Middle Attack
In this type of attack, the attacker intercepts the messages sent between the user and the SRC and then replays them within the valid time frame. In our scheme, the attacker can intercept the login request message E = (ID_i, C, T, t) sent from the user to the server and start a new session with the SRC by replaying E within the valid time frame. The attacker may thus present a syntactically valid request to the SRC, but cannot compute a new session value C = h(w, t) of his own, because he does not know the values of w, b and m. Therefore, the proposed scheme is secure against man-in-the-middle attacks.

Resistance to Insider Attack
In this attack, a privileged insider at the server steals a user's identity in order to access other servers. In the proposed scheme, however, it is computationally infeasible for the insider to derive the password PWD_i from b = w ⊕ H(PWD_i), because PWD_i is protected by the one-way function H. Therefore the proposed scheme resists insider attacks.

Resistance to Denial of Service Attack
A denial-of-service attack may result from computational consumption: if ID_i is a legal user identity and T is a legitimate timestamp, the server performs the authentication computation, so an attacker can send forged login request messages to the server, and the more of them are sent, the greater the computational load on the server. In the proposed scheme, if a login request is rejected three times the user's account is automatically locked and the user has to contact the SRC to unlock it. Since ID_i is public, this lockout rule also allows an attacker to lock a legitimate user out by sending three bad requests under that ID_i, so in a deployment the lock should be temporary or combined with rate limiting.

Resistance to Stolen Smart Card Attack
The same reasoning applies if a user loses his smart card. An adversary holding the card still has to supply the actual password before the system grants access, which he cannot do without knowing PWD_i. Likewise, if the adversary tries to update the password, he still has to supply the actual password to the SRC before the password-change mechanism completes.
For the performance comparison, we compare our scheme with twelve other schemes in terms of the operations used. We chose these twelve schemes because they are hash function-based and have no known attacks to date. Table 1 compares the time complexity, communication cost and computational cost of the schemes for the various phases. We define the three operations counted as follows: T_hash is the time to perform one hash function operation, T_mul the time to perform one multiplication, and T_⊕ the time to perform one exclusive-OR (XOR) operation.

Conclusion
In this study, we designed a new password authentication scheme based on the hardness of inverting a one-way hash function. The proposed scheme requires no verification table to authenticate users. The scheme uses a synchronised system clock (timestamp) that blocks intruders from passing the verification phase, since a change of the timestamp by an intruder fails the authentication step. Furthermore, the analysis showed that the scheme withstands common cryptographic attacks, including impersonation attacks, and it allows users to change their passwords freely. Finally, we demonstrated lower time complexity, communication and computation costs in each phase of the proposed scheme compared with the schemes chosen for comparison in Table 1.