CRYPTANALYSIS AND ENHANCEMENT OF PASSWORD AUTHENTICATION SCHEME FOR SMART CARD

Password authentication with a smart card is one of the simplest and most efficient authentication mechanisms for securing communication over insecure networks. Recently, Tsai et al. proposed an improved password authentication scheme for smart cards, which is more secure than previous schemes. In this paper, we show that Tsai et al.'s scheme is vulnerable to an offline password guessing attack once the data stored in the smart card has been extracted, and that it carries a significant computational overhead. Furthermore, we propose an enhanced password authentication scheme that eliminates the vulnerability and reduces the overhead. Through a concrete analysis of security and performance, we show that the proposed scheme not only resists various well-known attacks but is also more efficient than related work, and is thus feasible for practical applications.


INTRODUCTION
More and more resources are being distributed over networks due to the rapid progress of information technology, and these resources are managed by servers in distributed systems [1]. Many systems that control remote access to computer networks rely on password-based authentication, and much research has addressed how to make such authentication secure [2][3][4]. However, passwords are easily exposed by guessing attacks [3], and challenges remain in both security and performance because of the stringent security requirements and the resource-constrained nature of the clients.
Since Chang et al. [5] introduced the first remote user authentication scheme using smart cards, many such schemes have been proposed [6][7][8][9]. One prominent issue in this type of scheme is security against offline guessing attacks. Traditionally, to prevent an adversary from launching an offline guessing attack, one must ensure that a protocol run leaks no information useful for recovering the client's password, even though the password is assumed to be weak and low-entropy. Based on this observation, many schemes assumed that the smart card is tamper-resistant, i.e., that the secret parameters stored in the card cannot be revealed. However, recent results have demonstrated that the secret data stored in a smart card can be extracted, for example by monitoring power consumption [10] or by analyzing leaked side-channel information [11]. Therefore, schemes [6][7][8] that rest on the tamper-resistance assumption are at least vulnerable to offline password guessing attacks once an adversary has obtained the secret data stored in a user's smart card [12][13][14]. Consequently, a stronger notion of security against offline guessing attacks has been developed, which requires

LOGIN PHASE
In this phase, U_i wants to log in to SV to obtain services. U_i first attaches his (or her) smart card to a card reader and inputs his (or her) identity ID_i and password PW_i. The login phase is executed as follows:
LP1) U_i sends the login request parameters, identity ID_i and password PW_i, to the smart card SC. SC computes W_i' = h(PW_i||r) and checks whether W_i' is equal to W_i. If it holds, SC executes the next steps. If the verification of ID_i and PW_i fails 3 times, SC is locked.
LP2) SC computes the login request message, where T_1 denotes the current timestamp of SC and a denotes a random number, and sends {ID_i, F_i, M_i, T_1} to SV.
Note that an adversary has only three attempts to guess the user's password in step LP1 of the login phase.
In the final step of the authentication phase, SV verifies the response R_i. If R_i' ≠ R_i, SV terminates the session. Otherwise, U_i is authenticated by SV, and the shared session key is set as sk' = h(ID_i||D_i'||V_i||Z_i). Finally, an agreed session key sk = sk' is established between U_i and SV.

ANALYSES OF TSAI ET AL.'S AUTHENTICATION SCHEME
In this section, we provide a security analysis and a computational overhead analysis. First, we show that Tsai et al.'s scheme [18] is weak against password guessing attack under two standard adversary assumptions. Furthermore, it incurs a large computational overhead due to the modular exponentiation operations in the authentication phase.

PASSWORD GUESSING ATTACK FEASIBILITY
For the security analysis, we follow the two assumptions on the adversary's capabilities that Xu et al. [19] make explicit for this kind of authentication scheme:
A1) The adversary has total control over the communication channel between the users and the remote server in the protocol run, which means the adversary can intercept, insert, delete, or modify any message transmitted in the channel.
A2) Adversary may either steal a user's smart card and then extract the information from it by the method introduced by Kocher et al. [20], or obtain a user's password, but not both.
They have been widely accepted as the standard threat model for cryptographic protocols [21].
By A2, an adversary A can obtain U_i's smart card and extract the data {A_i, p, q, h(.), r, W_i} stored in it. Subsequently, A can launch an offline password guessing attack as follows:
(1) A picks a password candidate PW_i′.
(2) A computes W_i* = h(PW_i′||r) using the extracted r.
(3) A checks whether W_i* equals the extracted W_i. If it does, PW_i′ is the correct password, which means that A can verify the validity of PW_i′ without any interaction with SV or SC. Otherwise, A repeats the above procedure with the next candidate until the correct password is found.
Because every candidate is checked locally, the three-attempt lockout of the login phase offers no protection against this attack; the cost to A is one hash evaluation per candidate.
In Tsai et al.'s scheme, the password is selected by the user, which means it is a value that is easy to remember and hence easy to guess, rather than a high-entropy random number. Therefore, Tsai et al.'s scheme remains weak against password guessing attacks.
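The attack above, run against a Tsai-style card and against an EPAS-style card, as an added example (this is not the paper's code). The page does not fix h or H, so both are taken to be SHA-256 here, and the dictionary, the value r and the fingerprint template are constructed for the example. The third case makes a practitioner's caveat explicit: the EPAS verifier resists the attack only while H(b) stays out of the adversary's hands (assumption A2 grants A the card or the password, never the biometric); an adversary who also holds the template is back to a plain dictionary attack.

```python
"""Offline password guessing against a card-stored verifier (added example).

Tsai et al.'s card stores r and W_i = h(PW_i || r); under assumption A2 the
adversary extracts both and tests candidates locally.  EPAS instead stores
W_i = h(PW_i || r || H(b)).  Assumptions not fixed by the page: h and H are
both SHA-256, '||' is byte concatenation, and the dictionary, r and the
fingerprint template below are constructed for this example.
"""
import hashlib
from typing import Iterable, Optional


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def H(template: bytes) -> bytes:
    """Digest H(.) of the fingerprint template b (assumed: same primitive as h)."""
    return hashlib.sha256(template).digest()


def tsai_card(password: str, r: bytes) -> dict:
    """Data an attacker recovers from a Tsai-style card: r and W_i = h(PW_i||r).
    (A_i, p and q are extracted too but play no part in the guessing attack.)"""
    return {"r": r, "W": h(password.encode(), r)}


def epas_card(password: str, r: bytes, template: bytes) -> dict:
    """EPAS registration step (3): W_i = h(PW_i || r || H(b)).  H(b) itself is
    never written to the card, so it is not part of the extracted data."""
    return {"r": r, "W": h(password.encode(), r, H(template))}


def offline_guess(extracted: dict, dictionary: Iterable[str],
                  template: Optional[bytes] = None) -> Optional[str]:
    """Adversary A holding the extracted card data {r, W_i}.

    Each candidate is checked with the same computation SC performs in login
    step LP1, but off the card, so the three-attempt lockout never fires.
    If A also holds the fingerprint template (`template`), the EPAS verifier
    is just as guessable; without it no candidate can match.
    """
    r, w = extracted["r"], extracted["W"]
    extra = (H(template),) if template is not None else ()
    for candidate in dictionary:
        if h(candidate.encode(), r, *extra) == w:
            return candidate
    return None


# Constructed inputs for the demonstration.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "summer2024"]
R_CONSTRUCTED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TEMPLATE_CONSTRUCTED = b"constructed-fingerprint-template"


def demo() -> tuple:
    """Returns (guess against Tsai card, guess against EPAS card without H(b),
    guess against EPAS card when A also holds the template)."""
    tsai = tsai_card("letmein", R_CONSTRUCTED)
    epas = epas_card("letmein", R_CONSTRUCTED, TEMPLATE_CONSTRUCTED)
    return (offline_guess(tsai, DICTIONARY),
            offline_guess(epas, DICTIONARY),
            offline_guess(epas, DICTIONARY, TEMPLATE_CONSTRUCTED))


if __name__ == "__main__":
    print(demo())  # ('letmein', None, 'letmein')
```

The comparison in offline_guess is deliberately the attacker's view, not the card's: timing of the comparison is irrelevant because A runs it on A's own hardware, and the only parameter that matters is the number of hash evaluations per candidate.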

COMPUTATIONAL OVERHEAD CONCERN
For the computational overhead analysis, we examine steps LP2, AP2 and AP3 of Tsai et al.'s scheme.
LP2) SC computes the login request message, where T_1 denotes the current timestamp of SC and a denotes a random number.
AP2) SV verifies the login request and computes its response.
AP3) After receiving the message, SC checks ID_i and compares T_S with T_S', where T_S' is the time at which the message is received. If the check fails, the session is terminated. Otherwise, SV is authenticated by U_i, the shared session key is set, and U_i generates a response message and then sends the response message containing ID_i and R_i to SV.
The scheme requires modular exponentiation operations to compute D_i, V_i and Z_i, which incur a much larger overhead than the other operations.

ENHANCED PASSWORD AUTHENTICATION SCHEME
In this section, we propose a new enhanced password authentication scheme (EPAS) with smart card, which solves the security and overhead problems described in the previous section. In particular, EPAS binds the card-side verifier to a biometric factor, so that the data extracted from the card alone no longer allows password guessing, and it removes the expensive modular exponentiation operations to be computationally efficient. EPAS has three phases, registration, login and authentication, together with a password change phase. Figure 1 shows the flow of EPAS.

REGISTRATION PHASE
When a user U_i wants to become a member of SV, this phase is performed as follows:
(1) U_i selects his (or her) identity ID_i and password PW_i and generates a random number r. U_i computes h(PW_i||r) and submits {ID_i, h(PW_i||r)} to SV as the registration request message via a secure channel.
(2) After receiving the message, SV checks whether ID_i is valid. If it is not, SV rejects the request. Otherwise, SV computes A_i and issues a smart card SC to U_i via a secure channel; SC stores {A_i, p, h(.), H(.)}.
(3) After receiving SC, U_i inputs PW_i and r, imprints his (or her) fingerprint b, computes W_i = h(PW_i||r||H(b)) and stores r and W_i in SC. Note that SV never learns PW_i or b: it receives only the salted hash h(PW_i||r), and H(b) enters only the card-local verifier W_i.

LOGIN PHASE
In this phase, U_i logs in to SV to obtain services. U_i first attaches his (or her) smart card to the smart card reader and inputs his (or her) identity ID_i, password PW_i and fingerprint b. The login phase is executed as follows:
(1) U_i inputs his (or her) identity ID_i, password PW_i and fingerprint b to SC. SC computes W_i′ = h(PW_i||r||H(b)) and checks whether W_i′ is equal to W_i. Only if it holds does SC execute the next steps. If the verification of ID_i, PW_i and b fails 3 times, SC is locked.
(2) SC computes B_i, D_i, F_i and M_i, where a denotes a random number and T_1 denotes the current timestamp of SC.
(3) SC sends the authentication request message {ID_i, F_i, M_i, T_1} to SV.
Note that the adversary has only three chances to guess the user's password in step (1) of the login phase, and that this limit applies only to guesses submitted to the card.
Figure 1. Enhanced password authentication scheme.

AUTHENTICATION PHASE
Upon receiving the authentication request message {ID_i, F_i, M_i, T_1} from U_i, SV executes the authentication phase as follows:
(1) SV checks whether the format of ID_i and the timestamp T_1 are valid. If both conditions hold, SV performs the following steps.
(2) SV recomputes M_i from the received values and checks whether the result is equal to M_i. If it does not hold, SV rejects the login request. Otherwise, SV computes V_i and M_S, where T_S is the current timestamp of SV. Finally, SV sends the message {ID_i, V_i, M_S, T_S} to U_i.
(3) After receiving the message, SC checks ID_i and compares T_S with T_S′, where T_S′ is the timestamp of SC when the message is received.
(4) If SV's verification of U_i's response fails, SV terminates the session. Otherwise, U_i is authenticated by SV, and SV believes that an agreed session key sk = sk′ is established between U_i and SV.

PASSWORD CHANGE PHASE
In this phase, U_i changes his (or her) password PW_i to PW_new after successful user authentication by SC. U_i first attaches his (or her) smart card to the smart card reader and inputs his (or her) identity ID_i, password PW_i and fingerprint b. The password change phase is executed as follows: (1) U_i sends the password change parameters, his (
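The card-side part of EPAS (registration step (3), login step (1) with the three-failure lock, and the password change phase with B_i = A_i ⊕ h(ID_i||h(PW_i||r)), W_new = h(PW_new||r||H(b)) and A_new = B_i ⊕ h(ID_i||h(PW_new||r))) as an added example; this is not the paper's code. The page does not fix h, H, the encoding of ||, what A_i is, or whether the failure counter resets on success, so all of those are assumptions stated in the block; the identity, A_i, r and fingerprint template are constructed values.

```python
"""Card-side logic of EPAS (added example, not the paper's code).

Assumptions the page does not fix: h and H are both SHA-256, '||' is byte
concatenation, XOR is over equal-length digests, the failure counter resets
on a successful check, and A_i is a constructed 32-byte value standing in
for whatever SV issued (its formula is not given on the page).
"""
import hashlib
import hmac
from typing import Optional


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def H(template: bytes) -> bytes:
    """Digest H(.) of the fingerprint template b (assumed SHA-256)."""
    return hashlib.sha256(template).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class SmartCard:
    """Holds {A_i, h(.), H(.)} from SV plus r and W_i written by the user."""
    MAX_FAILURES = 3

    def __init__(self, ident: bytes, A: bytes) -> None:
        self.ID = ident
        self.A = A
        self.r: Optional[bytes] = None
        self.W: Optional[bytes] = None
        self.failures = 0
        self.locked = False

    def personalize(self, pw: bytes, r: bytes, b: bytes) -> None:
        """Registration step (3): store r and W_i = h(PW_i || r || H(b))."""
        self.r, self.W = r, h(pw, r, H(b))

    def verify_user(self, ident: bytes, pw: bytes, b: bytes) -> bool:
        """Login step (1): recompute W_i' and compare in constant time.
        After three failed verifications the card locks itself."""
        if self.locked or self.r is None or self.W is None:
            return False
        ok = ident == self.ID and hmac.compare_digest(h(pw, self.r, H(b)), self.W)
        if ok:
            self.failures = 0          # reset on success (assumption)
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False

    def change_password(self, ident: bytes, pw: bytes, b: bytes, pw_new: bytes) -> bool:
        """Password change phase, steps (1) and (2).

        B_i = A_i ⊕ h(ID_i || h(PW_i || r)) strips the old password blinding;
        A_new = B_i ⊕ h(ID_i || h(PW_new || r)) re-blinds under the new one, so
        the server-issued value B_i is unchanged and SV is not involved.
        """
        if not self.verify_user(ident, pw, b):
            return False
        B = xor(self.A, h(self.ID, h(pw, self.r)))
        self.W = h(pw_new, self.r, H(b))                 # W_new
        self.A = xor(B, h(self.ID, h(pw_new, self.r)))   # A_new
        return True


def unblind(card: SmartCard, pw: bytes) -> bytes:
    """What a party knowing PW_i recovers from the card: B_i."""
    return xor(card.A, h(card.ID, h(pw, card.r)))


# Constructed values for the demonstration.
ID_CONSTRUCTED = b"alice"
A_CONSTRUCTED = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
R_CONSTRUCTED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
B_CONSTRUCTED = b"constructed-fingerprint-template"


def demo() -> tuple:
    """Personalize, change the password, and check that B_i is preserved
    and that only the new password (with the same fingerprint) verifies."""
    card = SmartCard(ID_CONSTRUCTED, A_CONSTRUCTED)
    card.personalize(b"letmein", R_CONSTRUCTED, B_CONSTRUCTED)
    b_before = unblind(card, b"letmein")
    changed = card.change_password(ID_CONSTRUCTED, b"letmein", B_CONSTRUCTED, b"correct horse")
    b_after = unblind(card, b"correct horse")
    old_ok = card.verify_user(ID_CONSTRUCTED, b"letmein", B_CONSTRUCTED)
    new_ok = card.verify_user(ID_CONSTRUCTED, b"correct horse", B_CONSTRUCTED)
    return changed, b_before == b_after, old_ok, new_ok
```

The invariant checked by demo (the same B_i is recovered before and after the change) is exactly what lets the password change phase run without SV: only the blinding under the user's password moves, the server-issued secret inside A_i does not.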

SECURITY ANALYSES
In this section, we provide a security analysis based on BAN logic and a formal security analysis. The security analysis of EPAS was conducted under the following assumptions:
1. An adversary A can be either a user or a server; U_i as well as SC can act as an adversary.
2. A can eavesdrop on every communication across public channels. He (or she) can capture any message exchanged between U_i and SV.
3. A has the ability to alter, delete or reroute the captured messages.
4. Information can be extracted from the smart card by examining the power consumption of the card.

PROOF USING BAN LOGIC
Formal security analysis of EPAS is verified with the help of Burrows, Abadi and Needham (BAN) logic [22]. The formal analysis of a network security protocol using BAN logic involves the following steps: (1) converting the original scheme statements to their idealized form; (2) determining the assumptions about the initial state of the system; (3) representing the state of the system after executing each statement as logical assertions, by attaching logical formulas to each statement; (4) applying the logical postulates to the assumptions and assertions.
The following notations are used in the formal security analysis using BAN logic:
• Q |≡ X: Principal Q believes the statement X.
• #(X): Formula X is fresh.
• Q |⟹ X: Principal Q has jurisdiction over the statement X.
• Q ⊲ X: Principal Q sees the statement X.
• Q |~ X: Principal Q once said the statement X.
• (X, Y): Formula X or Y is one part of the formula (X, Y).
• 〈P〉_Q: Formula P combined with the formula Q.
• Q ↔^sk R: Principals Q and R may use the shared session key sk to communicate with each other. The session key sk is good, in that it will never be discovered by any principal except Q and R.
In addition, the following BAN logic rules are used to prove that EPAS provides secure mutual authentication between U_i and SV: the message meaning rule, the freshness concatenation rule, the nonce verification rule, the jurisdiction rule and the belief rule. To show that EPAS provides secure mutual authentication between U_i and SV, we need to achieve the following four goals:
Goal 1. U_i |≡ (U_i ↔^sk SV)
Goal 2. SV |≡ (U_i ↔^sk SV)
Goal 3. U_i |≡ SV |≡ (U_i ↔^sk SV)
Goal 4. SV |≡ U_i |≡ (U_i ↔^sk SV)
Idealized form: The messages transmitted between U_i and SV in EPAS, arranged in idealized form, are as follows:
Assumptions: The initial assumptions of EPAS are as follows:

PROOF:
In the following, we prove the goals, showing secure authentication using the BAN logic rules and the assumptions.
Based on Message 1, we could derive:
Step 1.
According to assumption A4 and the message meaning rule, we could get:
Step 2.
According to assumption A1 and the freshness concatenation rule, we could get:
Step 3.
According to Step 2, Step 3 and the nonce verification rule, we could get:
Step 4.
According to Step 4, assumption A3 and the belief rule, we could get:
Step 5. SV |≡ U_i |≡ ( )
According to the jurisdiction rule, we could get:
Step 6. SV |≡ (SV )
According to the jurisdiction rule, we could get:
Step 12. U_i |≡ ( )
According to Steps 14 and 20, EPAS successfully achieves both Goals 1 and 2. Both U_i and SV believe that they share the common session key sk = h(ID_i||D_i||V_i||a||v).

FORMAL SECURITY ANALYSIS
This subsection presents the formal security analysis of EPAS and shows that it is secure. First, we define the one-way hash function [23].

Definition 1.
A secure one-way hash function h(.): X = {0, 1}* → Y = {0, 1}^n takes as input a binary string x ∈ {0, 1}* of arbitrary length and outputs a binary string h(x) ∈ {0, 1}^n, and satisfies the following requirements:
a. Given y ∈ Y, it is computationally infeasible to find an x ∈ X such that y = h(x).
b. Given x ∈ X, it is computationally infeasible to find another x′ ∈ X with x′ ≠ x such that h(x′) = h(x).
c. It is computationally infeasible to find a pair (x′, x) ∈ X × X with x′ ≠ x such that h(x′) = h(x).
Theorem 1. Under the assumption that the one-way hash function h(.) closely behaves like a random oracle, EPAS is provably secure against an adversary A with respect to the protection of U_i's identity ID_i, password PW_i and fingerprint b, and of SV's secret value x, which is selected by SV.
Proof. The formal security proof of EPAS follows those in [24][25][26]. Using the random oracle, we construct an adversary A who attempts to derive U_i's identity ID_i, password PW_i and fingerprint b, and SV's secret value x. A has access to the following oracle:
Reveal: Given a hash result y = h(x), A unconditionally outputs the input x.

PERFORMANCE ANALYSIS
In this section, we summarize the performance analysis of EPAS in terms of computational complexity and compare EPAS with the related schemes [17,18]. We present a comparison of the computational costs and measure the execution time. The computational analysis of an authentication scheme is generally conducted by focusing on the operations performed by each party within the scheme. Therefore, for the analysis of the computational costs, we concentrate on the operations conducted by the parties in the network, namely a user and a server. To facilitate the analysis, we define the following notation.
• T_h: the time to execute a one-way hash operation
• T_e: the time to compute a modular exponentiation operation
In addition, to obtain accurate measurements, we performed an experiment using the Crypto++ library [27] on a system with the 64-bit Windows 7 operating system, a 3.2 GHz processor, 4 GB of memory, Visual C++ 2013, the SHA-1 hash function, the AES symmetric encryption/decryption function and the ECC-160 function. According to our experiment, T_h is approximately 0.0002 seconds on average and T_e approximately 0.6 seconds on average.
Table 1. Performance comparisons among the related schemes.
Table 1 shows a comparative analysis of the computational cost among the related schemes. Moreover, although EPAS is computationally more efficient than the other schemes, it assures higher security and affords resistance to the most well-known attacks while providing the required functionality.
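A way to reproduce the T_h versus T_e measurement on one's own hardware, as an added example; it is not the paper's Crypto++ experiment. It uses SHA-1 as the page does, a constructed 2048-bit odd modulus (primality does not affect the cost of a modular exponentiation), CPython's built-in pow() in place of a crypto library, and a constructed message; the per-party cost function is the accounting used by Table 1 (number of hashes times T_h plus number of exponentiations times T_e). Absolute figures will differ from the page's, but the ratio between the two operations, which is what the overhead argument rests on, is what the block exposes.

```python
"""Rough timing of T_h (one hash) versus T_e (one modular exponentiation).
Added example; not the paper's measurement, which used Crypto++.

Assumptions: SHA-1 as on the page; a constructed 2048-bit odd modulus whose
primality is irrelevant to the cost of pow(); a full-size constructed
exponent; CPython's built-in pow() stands in for a library modexp.
"""
import hashlib
import time
from typing import Callable, Tuple


def average_seconds(op: Callable[[], object], repetitions: int) -> float:
    """Mean wall-clock time of one call to `op`."""
    start = time.perf_counter()
    for _ in range(repetitions):
        op()
    return (time.perf_counter() - start) / repetitions


def measure(modulus_bits: int = 2048, hash_reps: int = 20000,
            exp_reps: int = 10) -> Tuple[float, float]:
    """Returns (T_h, T_e) in seconds on the machine running this code."""
    message = b"ID_i||F_i||T_1 sample input"                     # constructed
    modulus = (1 << modulus_bits) - 0x10001                         # constructed, odd
    exponent = int.from_bytes(
        hashlib.sha256(b"a").digest() * (modulus_bits // 256), "big")  # full-size
    base = 2
    t_h = average_seconds(lambda: hashlib.sha1(message).digest(), hash_reps)
    t_e = average_seconds(lambda: pow(base, exponent, modulus), exp_reps)
    return t_h, t_e


def cost(n_hash: int, n_exp: int, t_h: float, t_e: float) -> float:
    """Time for a party performing n_hash hashes and n_exp exponentiations,
    the accounting Table 1 uses."""
    return n_hash * t_h + n_exp * t_e


if __name__ == "__main__":
    t_h, t_e = measure()
    print(f"T_h = {t_h:.2e} s, T_e = {t_e:.2e} s, ratio = {t_e / t_h:.0f}")
```

Run it once per target platform: the ratio, not the absolute numbers, is what decides whether removing a single exponentiation outweighs adding several hashes, which is the trade EPAS makes.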

CONCLUSION
This paper first examined Tsai et al.'s improved password authentication scheme for smart cards. Our cryptanalysis showed that the scheme is vulnerable to an offline password guessing attack once the private information stored in the smart card has been disclosed. In addition, we pointed out that Tsai et al.'s scheme has a computational overhead problem. Subsequently, to overcome these defects, we proposed an enhanced password authentication scheme for smart cards. Through a concrete security analysis, we demonstrated that our proposal is not only free from various well-known attacks but also more efficient than previous related work. Thus, our scheme is more feasible for practical applications.

PROOF USING BAN LOGIC (CONTINUED)
According to Step 8, Step 9, Step 10 and the nonce verification rule, we could get:
Step 13. U_i |≡ SV |≡ (U_i ↔^sk SV) (Goal 3)
According to assumption A5 and the jurisdiction rule, we could get:
Step 14. U_i |≡ (U_i ↔^sk SV) (Goal 1)
Based on Message 3, we could derive:
Step 15. SV ⊲ (ID_i, 〈R_i〉_sk, T_i^new)
According to assumption A4 and the message meaning rule, we could get:
Step 16. SV |≡ U_i |~ (ID_i, 〈R_i〉_sk, T_i^new)
According to assumption A1 and the freshness concatenation rule, we could get:
Step 17. SV |≡ #(ID_i, 〈R_i〉_sk, T_i^new)
According to Step 16, Step 17 and the nonce verification rule, we could get:
Step 18. SV |≡ U_i |≡ (ID_i, 〈R_i〉_sk, T_i^new)
According to Step 18, assumption A3 and the belief rule, we could get:
Step 19. SV |≡ U_i |≡ (U_i ↔^sk SV) (Goal 4)
According to assumption A6 and the jurisdiction rule, we could get:
Step 20. SV |≡ (U_i ↔^sk SV) (Goal 2)

AUTHENTICATION PHASE OF TSAI ET AL.'S SCHEME (CONTINUED FROM THE LOGIN PHASE)
Upon receiving the authentication request message {ID_i, F_i, M_i, T_1} from U_i, SV executes the authentication phase as follows:
AP1) SV checks whether the format of ID_i and the timestamp T_1 are valid. If both conditions hold, SV continues with the following steps.
AP2) SV checks whether M_i' = h(ID_i||F_i||T_1) ⊕ h(x||ID_i) is equal to M_i. If it does not hold, SV rejects the login request. Otherwise, SV computes its response values, where T_S is the current time of SV. Finally, SV sends the message {ID_i, V_i, M_S, T_S} to U_i.
AP3) After receiving the message, SC checks ID_i and compares T_S with T_S', where T_S' is the time at which the message is received. If ID_i is valid but the verification fails, the session is terminated. Otherwise, SV is authenticated by U_i, and the shared session key is set as sk = h(ID_i||D_i||V_i||Z_i'). Furthermore, U_i gets the current time T_i^new, generates a response message R_i = h(ID_i||D_i||V_i||Z_i'||T_i^new), and sends it to SV.

AUTHENTICATION PHASE OF EPAS (CONTINUED)
(3, continued) If ID_i is valid but the verification fails, SC terminates the session. Otherwise, SV is authenticated by U_i, and the shared session key is set as sk′. Furthermore, U_i gets the current time T_i^new, generates a response message R_i = h(ID_i||D_i||V_i||v′||sk′||T_i^new), and sends the message {ID_i, R_i, T_i^new} to SV.
(4) Upon receiving the response message, SV checks ID_i and T_i^new. If they are valid, SV computes the expected response and compares it with R_i.

PASSWORD CHANGE PHASE (CONTINUED)
(1, continued) ...or her) identity ID_i, password PW_i and fingerprint b to SC. SC computes W_i′ = h(PW_i||r||H(b)) and checks whether W_i′ is equal to W_i. If it holds, SC asks U_i to input a new password PW_new. Otherwise, SC rejects the request.
(2) SC computes B_i = A_i ⊕ h(ID_i||h(PW_i||r)), W_new = h(PW_new||r||H(b)) and A_new = B_i ⊕ h(ID_i||h(PW_new||r)), and updates W_i and A_i with W_new and A_new, respectively.

FORMAL SECURITY ANALYSIS (CONTINUED)
ID_i′, PW_i′, b′ and x′ as the correct ID_i, PW_i, b and x. As a result, there is no way for A to discover the complete connections between U_i and SV by deriving {ID_i, PW_i, b, x}, and hence EPAS is provably secure against the adversary A.