On the Secure Design of Hash-Based Authenticator in the Smartcard Authentication System

Abstract

Most practical authentication systems employ an hash-based authenticator for mutual authentication. Usually a hash-based authenticator consists of a cryptographic-secure hash function that takes input of a shared key and common exchanged values between participants. Recently, in IEEE transaction on industrial informatics, Tsai et al. have presented a novel anonymous hash-based authentication system with provable security. Very recently, however, it has been demonstrated that Tsai et al.’s protocol has not been secure in view of provable security due to an inappropriate design of input for hash-based authenticator. Its countermeasure has been briefly sketched but it hasn’t presented a definite protocol with provable security. In this paper, first of all, we redesign Tsai et al.’s authentication protocol to be secure against session key security and present a new anonymous and authentication protocol with provable security guaranteeing both for session key security and anonymity. It is more simple and efficient than the previous results.

Appendix

1.1 TLW Protocol is Not Secure

Theorem 1

[2]. Let\({\mathcal {A}}\) be an adversary against the TLW protocol with the polynomial timeT. \({\mathcal {A}}\) can query\(q_{s}\)Send, oneExecute, and oneCorrupt queries. Then the sk advantage is non-negligible.

Proof

\({\mathcal {A}}\) asks the permitted queries as many as \({\mathcal {A}}\) wants according to the definition, but for retaining the freshness of session, it must be kept that after Corrupt query is once asked, any Send queries should not be asked at all. No Reveal query should be asked either. Please note that \({\mathcal {A}}\) in the proof only uses Corrupt and Execute queries to gain the sk advantage, and the queries always guarantee the freshness.

• First, for an honest execution between instances \(U^i\) and \(S^j\), \({\mathcal {A}}\) asks Execute\((U^i, S^j)\) and takes an answer back \([(C_1, e), (C_2, C_3), C_4]\) where,

  $$\begin{aligned} \left[ \begin{array}{l}{C_1}=[ID_i||(h(ID_i||x) \oplus N_{c_2})]\oplus h_1(c),\\ C_2=N_sP, \\ C_3=h(h(ID_i||x)||N_{c_2}||C_2||e||sk),\\ C_4=h(h(ID_i||x)||sk||N_{c_2}||C_2||e), \\ e=N_{c_1}P \end{array}\right] \end{aligned}$$

• Second, \({\mathcal {A}}\) obtains x, the server’s secret, throughout Corrupt(2) query.

• Third, \({\mathcal {A}}\) with x makes \(c(=N_{c_1}P_s)\) by computing xe. \({\mathcal {A}}\) also obtains \(ID_i||(h(ID_i||x) \oplus N_{c_2})\) by computing \(C_1 \oplus h_1(c)\). By taking the fixed prefix, \({\mathcal {A}}\) recovers \(ID_i\) and computes \(h(ID_i||x)\) with x. Then finally \(N_{c_2}\) is recovered by \({\mathcal {A}}\) through computing \(h(ID_i||x) \oplus N_{c_2} \oplus h(ID_i||x)\).

• As Test query is asked, internally a random coin b is flipped. If \(b=1\) then a real session key is returned to \({\mathcal {A}}\), otherwise, a random key is returned to \({\mathcal {A}}\). Let’s suppose the returned key is \({\widetilde{sk}}\). \({\mathcal {A}}\) performs the following steps to determine the given \({\widetilde{sk}}\) is a real session key or a random session key.

  • Step 1\({\mathcal {A}}\) has already obtained \(h(ID_i||x)\) and \(N_{c_2}\) from \([(C_1, e), (C_2, C_3), C_4]\). And the values \(C_2\) and e are given out of answers for Execute query.

  • Step 2 Then \({\mathcal {A}}\) can compute \(\widetilde{C_3}=h(h(ID_i||x)||N_{c_2}||C_2||e||{\widetilde{sk}})\) and check if \(\widetilde{C_3}\) is equal to \(C_3\). If it is right, \({\mathcal {A}}\) outputs the given \({\widetilde{sk}}\) is a real session key with output \(b'=1\). Otherwise, \({\mathcal {A}}\) outputs \(b'=0\), which indicates that the given \({\widetilde{sk}}\) is a random key.

  It is clear that the probability \({\mathcal {A}}\) can correctly guess \(b=b'\) is 1 (Pr[\(b=b'\)]=1). Thus we have

  $$\begin{aligned} \textsf {Adv}_{sk}^{P}(T', k) = 2 \text {Pr}\left[ b=b'\right] - 1 =1, \end{aligned}$$

  where \(T' \le T + T_e + T_c + 2T_h\). The notions, \(T_e, T_c, T_h\) are running time for Execute, Corrupt, Hash queries, respectively. In the above steps, the value \(C_3\) is exploited by \({\mathcal {A}}\), however, \(C_4\) may be exploited with the known values, \(h(ID_i||x), N_{c_2}, C_2\), and e, in the same way.

\(\square\)