Cryptanalysis of the Modified Remote Login Authentication Scheme Based on a Geometric Approach

In 1995, Wu proposed a remote login authentication scheme based on geometric approach. However, Chien, Jan and Tseng presented a cryptanalysis of Wu's scheme to show that it is not secure. Moreover, they proposed a modified version of Wu's scheme. This paper presents there is a serious weakness in this modified remote login authentication scheme. We show that an illegal user can easily forge a valid login request in the modified version proposed previously.


Introduction
In 1995, Wu (Wu, 1995) proposed a remote password authentication scheme based on geometric approach.The advantages of this scheme are that (1) modular exponential operations are not required by the system and users, (2) the system does not need to maintain password table and/or verification table, (3) the user can choose his own password freely, and (4) the scheme can withstand the replaying attack.
However, Wu's scheme is not secure.In 1999, Hwang (Hwang, 1999) proposed a cryptanalysis to show that an illegal user can forge a valid login request from the eavesdropped login requests.Recently, Chien, Jan and Tseng (Chien et al., 2001) also proposed a different approach to break Wu's system.An attacker can easily derive a secret point for a legal user from two eavesdropped login requests, and then the attacker has the ability to impersonate the legal user and issue a valid login request.Furthermore, they also proposed a modified version of Wu's scheme, which not only can withstand the attacks of theirs and Hwang's, but also keep the efficiency.
In this paper, we show that Chien, Jan and Tseng's modified scheme is still not secure.The rest of this paper is organized as follows.In Section 2, we shall briefly review Wu's scheme and Chien, Jan and Tseng's attack and their improved scheme.In Section 3, we shall present an approach to break their improved scheme.Finally, some conclusions are made in the last section.

Previous Works
Remote login authentication scheme is a critical issue in the computer and network systems.Many efficient methods (Chang and Wu, 1991;Chang et al., 1995;Liaw, 1995) have been developed to verify the legitimacy of each login user.Recently, Chien, Jan and Tseng (Chien et al., 2001) pointed out that Wu's remote login authentication scheme is not secure and they proposed an improved version of Wu's scheme.In this section, we briefly introduce the remote password authentication scheme proposed by Wu (Wu, 1995) firstly.Then, the attack and the improved scheme proposed by Chien, Jan and Tseng will also be reviewed.
In Wu's scheme, it is divided into three phases: (1) the registration phase, (2) the login phase, and (3) the authentication phase.In the registration phase, a new user has to register with central authority (CA) to become a legal user.In the login phase, when a user wants to login to the computer system remotely, he/she delivers the login request to the system.The system will authenticate the legitimacy of the login user in the authentication phase.In the following, we describe the processes of each phase.Initially, the central authority (CA) chooses a large prime p, a one-way hash function f , and a secret point (x 0 , y 0 ) on the Euclidean plane.

The registration phase
A new user U i freely chooses his password P W i , and then presents f (P W i ) to CA.Then the CA performs the registration steps as follows.
1.The CA chooses the identity ID i for the user U i .2. The CA chooses two points r iw and r io , where and Then CA computes the middle point A i between r iw and r io on the Euclidean plane.Thus, A i can be expressed as 3. The CA stores four parameters {ID i , f, p, and A i } in a smart card and delivers the smart card to the user U i .

The login phase
When U i wants to login the system, U i inserts his/her own smart card to a remote terminal and keys in the password P W i .Then the smart card performs the following steps.
1.The smart card gets a timing sequence T from the system.2. With the password P W i , the smart card can compute r iw = (0, f(P W i )).
3. Since the point A i is stored in the smart card, so the line L i can be constructed by passing through the two points r iw and A i .4. Let B i be the middle point of r iw and A i , thus 5. The smart card computes a point r iT = (0, f(P W i ) + f (T )) on the y-axis.Therefore, a new line L W T can be constructed by passing through r iT and B i .6. Choose a random point C i from the line L W T .Then the smart card sends the login request [ID i , A i , C i , T] to the system.
Fig. 1 illustrates the concept of the login phase.

The authentication phase
After receiving the login request [ID i , A i , C i , T ], the system performs the following tasks to authenticate the legitimacy of the login user. 1.The system checks the correctness of the identification number ID i and the timing sequence T .2. Next, the system computes the point r io = (f (ID i • x 0 ), f(ID i • y 0 )).Therefore, the line L i can be reconstructed by passing through the two points r io and A i .3. According to the line L i and y-axis, the intercept point r iw can be computed and let r iw =(0, E i ). 4. The system computes the point r iT = (0, E i + f (T )), and then reconstructs the line L W T which is passing through r iT and C i . 5. Compute the intercept point D i of the lines L i and L W T .The system checks whether D i is the middle point of A i and r iw or not.If so, then the system accepts the login request; otherwise rejects login request.
Unfortunately, Wu's scheme was broken by Chien, Jan and Tseng (Chien et al., 2001).The attack is illustrated as follows.
An attacker eavesdrops two login requests for U i at time T and T , respectively.Since f , T , and T are known, the values f (T ) and f (T ) can be computed by the attacker.Suppose that r iw = (0, k), where k = f (P W i ), hence the points r iT and r iT become (0, k+f (T )) and (0, k+f (T )).According to the points (r iw , A i ), (r iT , C i ), and (r iT , C i ), the attacker can reconstruct three equations from the lines L i , L W T and L W T , respectively.Since the three equations intercept at the same point B i and only contains three variables k, x, and y, the attacker can easily derive the variable k.Therefore, the attacker can reconstruct the secret line L i .Thus, the system is not secure.Fig. 2 illustrates the graphical result of Chien, Jan and Tseng's attack.
On the other hand, Chien, Jan and Tseng also presented an improved scheme.They modified r iT = (0, f( Step 5 of the login phase and the system computes r iT = (0, E i ⊕ f (T )) in Step 4 of the authentication phase, where ⊕ is the bit-wise exclusive OR operation.The other steps are kept the same as in Wu's scheme.The modified scheme is claimed that it is secure against Hwang's and Chien-Jan-Tseng's attack.

The Weakness of Chien, Jan and Tseng's Modified Remote Login Authentication Scheme
In Chien, Jan and Tseng's attack, an attacker can easily derive the secret point r iw from the eavesdropped login requests.If we denote r iw as (0, k), then the points r iT and r iT can be expressed as (0, k + f (T )) and (0, k + f (T )), respectively.Since the values of f (T ) and f (T ) can be computed, the attacker can reconstruct three equations from the lines L i , L W T , and L W T , which contain only three variables k, x, and y.So the attacker can compute the value of k.The idea of this attack is to find the directed distances To remedy this weakness, Chien, Jan and Tseng replaced the addition operation with the bit-wise exclusive OR operation to compute the secret points r iT and r iT .They claimed that the attacker can not know the directed distances of − −−− → r iw r iT and − −−− → r iw r iT from the values of f (T ) and f (T ) in their improved scheme.Therefore, the attacker has no ability to impersonate a legal user and this improved scheme can withstand all possible attacks.However, the modification is not secure.We still can derive the directed distances from the values of f (T ) and f (T ).In the following, we present an approach to break Chien, Jan and Tseng's scheme.
Different from Chien, Jan and Tseng's attack, an attacker has to eavesdrop at least three login requests such as for U i at time T , T and T , respectively.Then, the attacker performs the follows steps.3. Let r iT = (0, z) be a point on y-axis, where z = f (P W i ) ⊕ f (T ).And r iT and r iT denoted as (0, z + u) and (0, z + v) be two points on y-axis, where u = (f (P ). 4. The attacker does not know the value f (P W i ), so he/she can not compute the difference between u and v. But, the attacker has the ability to obtain some possible values of u from computing the different bits between f (T ) and f (T ).Let P V u be the set of possible values of u, which can be expressed as Furthermore, the attacker can obtain some possible values of v from computing the different bits between f (T ) and f (T ).Let P V v be the set of possible values of v, which can be expressed as Therefore, the numbers of possible values of u and v are 2 n and 2 m , respectively.The set of possible pairs of (u, v)'s are 5. Pick out one possible pair (u, v) from P P , the line L W T can be reconstructed by passing through the two points C i and r iT ; similarly the line L W T can be reconstructed by passing through the two points C i and r iT ; the line L W T can be reconstructed by passing through the two points C i and r iT .Therefore, the attacker can build three equations from the reconstructed lines L W T , L W T , and L W T , which only contain three variables z, x, and y.Obviously, the variable z and the point B i = (x, y) can be easily derived by solving the three equations.6.After the values of z and f (T ) are computed, the attacker can easily compute f (P W i ) = z ⊕ f (T ) and obtain the secret point r iw = (0, f(P W i )). 7. To validate the secret point r iw , the attacker checks whether the derived point B i is the middle point between r iW and A i .If so, the attacker confirms that the derived secret point r iW is correct.Then the attacker can impersonate the legal user to forge a valid login request.Therefore, the system is not secure.
The concept of this attack is explained in Fig. 3.
In the following, we give a simple example to illustrate the weakness of Chien, Jan and Tseng's scheme.

Example
Assume that p = 23 and an attacker has eavesdropped three login requests (2,12), and C i = (−4, 19).Then the attacker performs the following steps.
5. Since the three lines intercept at the same point B i , and only contain three variables z, x, and y, so the attacker can solve these equations to obtain z = f (P W i )⊕f (T )= 3 and the point B i = (x, y) = (4, 5).Moreover, the attacker derives f (P W i ) = z⊕f (T )=7 to get the feasible secret point r iw =(0, f(P W i )) = (0, 7).6.Since the equation B i = (4, 5) = ( 0+82 , 7+3 2 ) holds, so B i is the middle point between r iW and A i .Therefore, the attacker confirms that the point r iw is correct.Then the attacker can impersonate U i to forge a valid login request.Furthermore, in order to reduce the number of possible pairs in set P P , the attacker can eavesdrop more than three login requests, and then select three of these login requests such that n + m is smallest.

Conclusions
In this article, we have shown how an attacker can know the directed distances of − −−− → r iw r iT and − −−− → r iw r iT from the values of f (T ) and f (T ) in Chien-Jan-Tseng's modified remote login authentication scheme.Therefore, an attacker can derive the secret point for a legal user from some eavesdropped login requests, and then the attacker has the ability to forge the login request.Although the system modified by Chien, Jan and Tseng is not secure, it has opened a brand new research area for remote login authentication scheme on a geometric approach.

1 .
Since f () is public and T , T , and T are known, the attacker computes the values of f (T ), f (T ), and f (T ). 2. Let the bit positions of a binary expression from right to left be 0, 1, 2, • • • , l.The attacker computes the different bit positions between f (T ) and f (T ).Meanwhile, the attacker computes the different bit positions between f (T ) and f (T ).Then, the attacker obtains a set S T T , which is {a 1 , a 2 , • • • , a n }, where a 1 , a 2 , • • • , a n are the different bit positions between f (T ) and f (T ).And the attacker obtains another set S T T , which is {b 1 , b 2 , • • • , b m }, where b 1 , b 2 , • • • , b m are the different bit positions between f (T ) and f (T ).
Ch.-Ch.Chang received his BS degree in applied mathematics in 1977 and the MS degree in computer and decision sciences in 1979, both from the National Tsing Hua University, Hsinchu, Taiwan.He received his PhD in computer engineering in 1982 from the National Chiao Tung University, Hsinchu, Taiwan.During the academic years of 1980-1983, he was on the faculty of the Department of Computer Engineering at the National Chiao Tung University.From 1983-1989, he was on the faculty of the Institute of Applied Mathematics, National Chung Hsing University, Taichung, Taiwan.From August 1989 to July 1992, he was the head of, and a professor in, the Institute of Computer Science and Information Engineering at the National Chung Cheng University, Chiayi, Taiwan.From August 1992 to July 1995, he was a dean of the College of Engineering at the same university.From August 1995 to October 1997, he was the provost at the National Chung Cheng University.From September 1996 to October 1997, Dr. Chang was the acting president at the National Chung Cheng University.From July 1998 to June 2000, he was a director of the Ministry of Education of the R.O.C.. Since 2002, he has been a chair professor of National Chung Cheng University.Dr. Chang is a fellow of the IEEE, a fellow of IEE, a research fellow of National Science Council of R.O.C., and a member of the Chinese Language Computer Society, the Chinese Institute of Engineers of the Republic of China, the International Association for Cryptologic Research, the Computer Society of the Republic of China, and the Phi Tau Phi Honorary Society of the Republic of China.His current research interests include database design, computer cryptography, image compression, and data structures.I.-Ch.Lin received the BS in computer and information sciences from Tung Hai University, Taichung, Taiwan, Republic of China, in 1998; the MS in information management from Chaoyang University of Technology, Taiwan, in 2000.He received his PhD in computer science and information engineering in March 2004 from National Chung Cheng University, Chiayi, Taiwan.He is currently an assistant professor of the Department of Management Information System, National Chung Hsing University, Taiwan, ROC.His current research interests include electronic commerce, information security, cryptography, and mobile communications.