
Research On Password-based Remote Authentication With Key Agreement Protocol

Posted on: 2013-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: X L Li
GTID: 2248330395965509
Subject: Applied Mathematics

Abstract/Summary:
The technology of password-based remote user authentication has become the dominant authentication method, which not only plays an important role in the fields of commerce, government and military, but has also been applied universally in our daily life. With the development of mobile intelligent devices, wireless networks and cloud computing technologies, remote authentication technology, as the principal line of defense in secure network communication systems, is changing greatly; in the meantime, key agreement technology is also developing and innovating in order to meet the higher requirements of secure communication systems.

In this paper, we research password-based remote authentication with key agreement protocols under three different types of communication models and point out several problems and security flaws. We also design a series of new schemes, which provide mutual authentication, key agreement, password change, user revocation and key update functionalities, using elliptic curve cryptosystem, hash function and random number. Analyses of the security, functionality and performance of the new schemes are provided in this paper.

(1) We research Wang et al.'s dynamic ID-based remote user authentication scheme and point out that their scheme is not secure against impersonation attacks launched by any adversary at any time and could leak some key information to legal users, who can launch an off-line guessing attack. If the adversary could somehow get the secret information stored in the smart cards, their scheme will be completely broken. In addition, their scheme does not provide anonymity for the users, and lacks the functionalities of revocation, key exchange and secret renewal for users and servers. Furthermore, we propose a more secure and robust scheme, which not only remedies all the above security flaws and weaknesses, but also provides more functionalities.

(2) We cryptanalyze Rhee et al.'s remote user authentication scheme without using smart cards and point out that their scheme is not completely secure against user impersonation attack. Then an improved scheme is proposed, which is more secure, efficient, practical and convenient. Firstly, we introduce elliptic curve cryptosystem in order to remedy the security flaw and increase the efficiency. Secondly, password-based authentication schemes using portable devices are much more easily implemented in our daily life, compared with the schemes based on smart cards, biometrics or public key cryptosystems, and are not restricted by the additional cost of hardware or software. Furthermore, a synchronized clock or traditional password table is not required in our client-server authentication scheme. Finally, the proposed scheme not only achieves mutual authentication with key agreement, but also provides the procedures of secret update for users and servers. Thus our improved scheme is more secure, efficient, practical and flexible.

(3) We research cross-realm client-to-client password-based remote authentication with key agreement protocol. In this paper, a new protocol is presented for mobile devices based on elliptic curve cryptosystem. Elliptic curve cryptosystem is introduced to address the security flaws and increase the efficiency of computation with shorter key size. The new protocol is designed for mobile devices, which are prevalent and convenient in our daily life, and the security of the protocol is based on the elliptic curve discrete logarithm problem. In addition, risky password tables or expensive auxiliary equipment are not required in our protocol. Moreover, two additional functions, a secrets update phase and a revocation phase, are provided for security and flexibility. Finally, the security analysis shows that the protocol is secure against known common attacks, including password compromise impersonation attack.

(4) We cryptanalyze a series of authentication schemes with anonymity for wireless communications under the communication model of a roaming client between the foreign agent and home agent, and point out the common security weakness in the schemes. The security analysis proves that a malicious attacker could launch an off-line password guessing attack if the secret information stored in the smart card is compromised or the information transmitted online is intercepted by the attacker.
Keywords/Search Tags:password authentication, key agreement, elliptic curve, intelligent devices, wireless communication