APPLICATION OF SMART CARD TECHNOLOGY FOR AUTHENTICATION

EMIR HABUL
0613713

DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
KULLIYYAH OF ENGINEERING
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

OCTOBER 2009

APPLICATION OF SMART CARD TECHNOLOGY FOR AUTHENTICATION

EMIR HABUL
0613713

SUPERVISOR:
ASSOC. PROF. DR. SHEROZ KHAN

A REPORT SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR A DEGREE OF BACHELOR OF ENGINEERING (B.ENG) COMMUNICATION ENGINEERING
Disclaimer

This report entitled ‘Application of Smart Card technology for Authentication’ was written with a purpose of completing the final year project by:

Emir Habul (Matric No.: 0613713)

Therefore, all the information in this report is based on my understanding and discussion with my supervisor. With this, I ensure that the Kulliyyah of Engineering is not responsible for any incorrect information in the report.


Acknowledgement

Let us humbly express our praise and gratitude to Allah our Merciful Creator, who sent His Messenger, our beloved Prophet Muhammad, peace be upon him.

Here I would like to convey sincere thanks to my supervisor, Assoc. Prof. Dr. Sheroz Khan, for continuous professional advice, support and encouragement to proceed with this project. This report could not be done without his unbounded assistance and knowledge. My thanks also go to Prof. Ahmed Patel for his idea and support to do this topic.

Last but not least, I would like to thank all my colleagues and technical staff for sincere help and support in offering their priceless technical expertise. May Allah bless them all.





Abstract

In this project, I discuss the importance of authentication and the influence of cryptography on authentication using smart cards. Various existing schemes are examined for their reliability and resistance to attacks and tampering. A simple authentication protocol is proposed and analyzed to demonstrate correct methodological procedures and to explore the development and testing environment for Java Card 3. Preliminary results include a working program implementing the Simple Protocol and an analysis of the Simple Protocol for resistance to various types of attacks. Implementation and simulation of more sophisticated protocols is planned for the Final Year Project II.


Table of Contents

Disclaimer ..... i
Acknowledgement ..... ii
Abstract ..... iii
List of Figures ..... v
1 Introduction ..... 1
1.1 Background to the Research ..... 1
1.2 Problem Statement and Motivation ..... 1
1.3 Aims and Objectives ..... 2
1.4 Research Methodology ..... 2
2 Theoretical background and literature review ..... 3
2.1 Authentication ..... 3
2.2 Smart card standards ..... 4
2.2.1 Standards ..... 5
2.2.2 Java card ..... 7
2.3 Literature review ..... 8
2.3.1 Geometric approach ..... 8
2.3.2 Password table ..... 10
2.3.3 OSPA Protocol ..... 12
2.3.4 Timestamp based ..... 13
2.3.5 Zero knowledge proof ..... 14
3 Preliminary methodological work ..... 17
3.1 A Simple protocol ..... 17
3.1.1 Implementation of a Simple Protocol ..... 18
4 Discussion and Planning for FYP II ..... 19
4.1 Analysis of a simple protocol ..... 19
4.2 Plan for FYP II ..... 21
References ..... 22




List of Figures

Figure 2.1 Physical appearance of smart cards ..... 7



1 Introduction

1.1 Background to the Research

The term smart card was coined by French publicist Roy Bright in 1980 [1], and the card itself was invented by two German engineers. Smart cards have been used throughout the world in a variety of applications. Their use to convey subscription and identification information for GSM cellular telephones is widespread, as is their use to convey account information for credit, debit, and cash services. The use of smart cards in the IT environment is still a relatively small market segment. In examining the potential IT use of smart cards, four applications arise as being particularly suited to exploiting the characteristics of smart cards:

- ID badge
- Token for building and office door access
- Token for computer and network access
- Token for small financial transactions [1]

1.2 Problem Statement and Motivation

With the widespread use of smart cards, people are generally not aware of the details of operation of these tiny computers called smart cards, whereas many types of attacks can be performed against smart cards, potentially harming unsuspecting users. With analysis and simulation of the authentication schemes we can learn their inner workings and test for various vulnerabilities.



1.3 Aims and Objectives

In this project I plan to perform a comprehensive study of authentication protocols for smart cards, in order to determine their strengths and weaknesses.

Goals of this project are:

- explain the theory behind the authentication protocols;
- develop and simulate applications implementing those protocols, and explore their strengths and weaknesses;
- implement a reliable and efficient protocol that can be supported with current smart card technology and will be useful in practice.

1.4 Research Methodology

The research methodology involves two parts. The first is the discussion of the theoretical background and the mathematical proof of the validity of an authentication scheme. The second part is the implementation of those protocols using Java Card and their simulation with the simulator that is included in the Java Card Developers Kit.





2 Theoretical background and literature review

2.1 Authentication

User authentication is essential in many networked applications. It is a process by which a user proves his or her identity to the system, thus proving his or her rights to use particular information and services. The essence of authentication is the demonstration of either the knowledge of some secret, the possession of some physical object, or the authenticity of a certain human body characteristic.

The most popular mechanism of user authentication is the use of passwords. It’s cheap to deploy and easy to use. While suitable for many applications, password authentication lacks many features necessary for security-critical applications. Badly chosen passwords are easy to guess, and passwords can be intercepted in transmission and re-used later for impersonating legitimate users. Passwords cannot be used directly to sign digital documents.

Cryptography offers better methods of authentication, but their use involves manipulating secret cryptographic keys, which are hard to remember. For sensible use, cryptographic keys need to be stored in some well-protected computing device. For people on the go, such a device has to be small enough to fit into a pocket. Smart cards are probably the most widespread device of this sort.

A smart card is a credit card sized plastic card with an embedded single-chip microcomputer. The use of special manufacturing technology makes physical tampering or probing of the microcomputer circuitry difficult, although not completely impossible. Smart card microcomputers are characterised by low clock frequencies (around 1 MHz) and small memory capacity (1-16 Kb of ROM and less than 1 kb of RAM) [2].

The limitations of smart cards severely impact the choice of cryptographic techniques available for use in smart card applications. Currently, only techniques based on symmetric cryptography are in wide use. Although asymmetric (public key) cryptography offers a richer range of functionality, it requires more memory space and processing power than is available in the majority of currently available smart cards.

2.2 Smart card standards

A smart card looks like a normal credit card with a chip embedded in it. Smart cards can be divided into three main categories according to the capabilities of the chip [3]:

- Memory cards, which can just store data and have no data processing capabilities.
- Wired Logic Intelligent Memory cards, which also contain some built-in logic, usually used to control the access to the memory of the card.
- Processor cards, which contain memory and a processor and have data processing capabilities.

Smart cards communicate with some other device to gain access to a network. To do so, cards can be plugged into a reader, commonly referred to as a card terminal, or they can operate using RF (radio frequencies). In the former type of card the connection is made when the reader contacts a small golden chip on the front of the card, whilst the latter (contactless card) can communicate via an antenna, eliminating the need to insert and remove the card by hand. All that is necessary to start the interaction is to get close enough to a receiver. Contactless cards are practical in applications in which speed is important or in which card insertion/removal may be impractical (an example could be mobile phones). Some manufacturers are making cards that function in both contact and contactless mode.

All smart cards contain three types of memory: persistent non-mutable memory, persistent mutable memory and non-persistent mutable memory. ROM, EEPROM and RAM are the most widely used memories for the three respective types in current smart cards.

A typical processor card with contacts has 16KB ROM, 512 bytes of RAM and an eight-bit processor, although the technology is moving towards 16 or 32-bit CPUs [2].

Although smart cards are more expensive than ordinary magnetic stripe cards, their use is increasing for several reasons. First, smart cards are more secure than magnetic stripe cards. In fact, it is easy today to purchase the tools needed to hack into confidential data on a magnetic stripe card, whilst smart cards are considered tamper resistant. Unfortunately, smart cards are not as tamper resistant as is believed. The technology to read protected memory or reverse-engineer a smart card’s CPU is surprisingly good [4] and, at the present state of the art, they could not resist well-planned invasive tampering [5].

Second, processor cards, with their processing capabilities and increased memory capacity, can perform more activities than magnetic stripe cards, which require a host system to store and process all data.

2.2.1 Standards

The ISO7816 standard, defined by the International Standards Organisation, covers various aspects of Integrated Circuit Cards with Electrical Contacts. ISO7816 consists of the following parts [6]:

- Physical characteristics: defines the physical dimensions of contact smart cards and their resistance to static electricity, electromagnetic radiation and mechanical stress. It also prescribes the physical location of an embossing area.
- Dimension and location of the contacts: defines the location, purpose and electrical characteristics of the card's metallic contacts.
- Electronic signals and transmission protocols: defines the voltage and current requirements for the electrical contacts and the asynchronous half-duplex character transmission protocol.
- Inter-industry commands for interchange: establishes a set of commands to provide access, security and transmission of card data. Within this basic kernel, for example, are commands to read, write and update records.
- Application identifiers: establishes standards for Application Identifiers (AIDs).
- Inter-industry data elements: describes encoding rules for data needed in many applications, e.g. name and photograph of the owner, his preference of languages, etc.
- Inter-industry commands for SQL: describes how to use the database paradigm in cards through the concept of views and the standard SQL commands.

Figure 2.1 shows the physical appearance of a smart card as defined in ISO7816.

[Figure 2.1: Physical appearance of smart cards. Labelled parts: Contacts, Embossing Area.]

Normally, a smart card does not contain a power supply, a display, or a keyboard. It interacts with the outside world using the serial communication interface via its eight contact points.

The embossing area is reserved to personalise the card, embossing or laser engraving the name of the owner, the card number or other personal details relevant to the application in which the card is involved.

Among other things, ISO7816 also defines a standard data format for interaction between the card and the outside world called the APDU (Application Protocol Data Unit). If we consider the communication protocol in terms of the master/slave paradigm, the card always has a passive role, waiting for a command APDU from the terminal in which it is inserted. In reply to the command, the card sends a response APDU.

2.2.2 Java card

There is no standard smart card programming language today. Smart card companies use different languages to develop smart card software; code is compiled into machine language and embedded into the chip [7]. The major problem is the non-portability of smart card software and the small universe of knowledgeable programmers [8] [9].

How to overcome these problems that slow down the adoption of smart cards in many applications? The Java programming language offers a possible solution. Java is an object-oriented programming language that compiles into platform-independent byte code that can be run on any platform providing a Java byte code interpreter. The idea of giving smart card developers the ability to write applications once and have them run on all platforms led, in November 1996, to the release of the Java Card API Specification. One year later, with the release of Java Card API 2.0, every major vendor of smart cards in the world had licensed the technology [8].

For these reasons, Java Card was chosen as the target platform for this project.

The Java Card API is a part of the smallest virtual machine specification for Java. It’s designed to allow Java to run on an 8-bit microprocessor, with 8 kilobytes of electrically erasable and programmable read only memory (EEPROM), 16 kilobytes of read only memory (ROM), and 256 bytes of random access memory (RAM) [10].

Java Card programs, called applets, are small enough so that several can fit into the small amounts of memory available on smart cards. Applets can be easily updated, and Java Card functionality can therefore be continually updated as new applications or updates become available.

2.3 Literature review

2.3.1 Geometric approach

Based on simple geometric properties of the Euclidean plane, Wu [11] proposed an efficient smart card oriented remote login authentication scheme. Like other smart card oriented schemes, there is no verification table for authentication in Wu’s scheme. Furthermore, the scheme allows a user to freely choose his password and requires much less computation overhead than other schemes.

The proposed scheme can be divided into three phases: registration, login and authentication. In the registration phase, the user chooses a password known only to himself, and the central authority (CA) delivers a smart card to the registered user. The smart card contains the user’s identity and some necessary public parameters used in the login and authentication phases. In realistic applications, the password consists of a string of characters. However, any string of characters can be expressed as an integer. To simplify the description of the proposed scheme, Wu [11] assumed that the user’s chosen password is an integer. When logging in, the user first inserts his smart card into a terminal and keys in his password. The smart card then generates an authentic message and transmits it to the system. Having received the user’s login request (i.e. the authentic message sent from the smart card), the system can easily validate the login request by applying simple geometric properties of straight lines in the Euclidean plane.

Wu’s scheme is very efficient because it cleverly exploits this simple geometric property; however, it also implicitly leaves a clue in the transmitted messages. From the eavesdropped messages, Hwang [12] found that an illegal user can easily forge a valid message, and the scheme was shown to be insecure. To show the insecurity, Hwang demonstrated how an attacker can easily derive the secret point from the eavesdropped messages.

In addition to Hwang’s attacks, Hung Chien et al. [13] demonstrated a different approach to breaking Wu’s [11] scheme. They showed that if the attacker can derive any geometric clue then he can break the system easily. Hwang [12] did not show this key point, and did not propose an improvement. By adding a simple hashing step, they proposed a modified scheme that can withstand all possible attacks while remaining highly simple and efficient.

Hung Chien proposed a modification to the original protocol; this modification was able to withstand the attacks by Hwang as well. The analysis in [13] shows that their modified scheme can withstand all possible attacks while keeping its efficiency. However, they did not go to the lengths of proving their new scheme secure.

As a result, Chang in 2005 [14] showed that Chien, Jan and Tseng’s modified scheme is still not secure. In this article, Chang showed how an attacker can learn the directed distances in Chien-Jan-Tseng’s modified remote login authentication scheme. Therefore, an attacker can derive the secret point of a legal user from some eavesdropped login requests, and then has the ability to forge the login request. Although the system modified by Chien, Jan and Tseng is not secure, the conclusion of this author [14] is that it has opened a brand new research area for remote login authentication schemes based on a geometric approach. Chang did not try to fix the problems of the previous modification, but only demonstrated the vulnerability without providing any insight as to the direction in which improvement should be directed.

2.3.2 Password table

Lamport in 1981 [15] proposed a remote password authentication scheme using a password table to achieve user authentication. In this method a user password authentication is described which is secure even if an intruder can read the system's data, and can tamper with or eavesdrop on the communication between the user and the system. The method assumes a secure one-way encryption function and can be implemented with a microcomputer in the user's terminal.

However, Hwang and Li [16] pointed out that Lamport’s scheme [15] suffers from the risk of a modified password table and the cost of protecting and maintaining the password table. They further proposed a new remote user authentication scheme using smart cards to get rid of the risk and the cost. This new scheme cannot withstand replay attacks, and also cannot authenticate remote users without maintaining a password table. Also, this scheme [16] is not efficient, as Sun [17] proposed an efficient smart card-based remote user authentication scheme to improve the efficiency of Hwang and Li’s scheme.

Recently, Chien et al. [18] pointed out that Sun’s scheme only achieves unilateral user authentication: only the authentication server (AS) can authenticate the legitimacy of the remote user, while the user cannot authenticate that of the AS. Chien et al. [18] further proposed a remote user authentication scheme using a smart card to achieve mutual authentication, in which both the AS and the remote user can verify the legitimacy of the other.

Another paper, by Hsu [19], demonstrates that the previous protocol is vulnerable to the parallel session attack, in which an intruder, without knowing the user’s password, can masquerade as the legal user by creating a valid login message from the eavesdropped communication between the AS and the user. Hsu managed to prove the previous scheme insecure; however, he did not give any insight as to which improvement should be applied to remedy these problems.

In addition, Lee, Hwang and Yang [20] described an improvement to Sun’s [17] and Hwang and Li’s [16] schemes which allows users to freely choose and change their password without significantly increasing computational cost. These two schemes had been shown to be vulnerable before [18] [19], and the authors did not prove that these attacks do not apply to their scheme as well.

Indeed, it was shown to be insecure by Ku and Chen [21]. Lee, Hwang and Yang’s scheme [20] is efficient because it mainly uses cryptographic hash functions. However, Ku and Chen found that this scheme is not reparable once the user's permanent secret is compromised and is vulnerable to a privileged insider's attack. Furthermore, it lacks a user eviction mechanism. In their paper [21], they have shown the weaknesses of Lee-Hwang-Yang's scheme, and then compared Lee-Hwang-Yang's scheme with three similar schemes. At the end they propose that further investigation must be done to solve these problems, and the authors don’t provide any insight as to what can be done to improve this scheme.

2.3.3 OSPA Protocol

OSPA stands for Optimal Strong-Password Authentication Protocol. It was proposed by Lin, Sun and Hwang [22], who asserted it to be secure against the stolen-verifier attack, the replay attack, and the denial-of-service attack. This protocol was an improvement of the previous SAS protocol proposed by Sandirigama and Shimizu [23].

Unfortunately, Chen and Ku [24] showed that OSPA and SAS cannot effectively withstand a stolen-verifier attack. Furthermore, Tsuji and Shimizu [25] showed that OSPA suffers from an easier attack, the man-in-the-middle attack.

Recently, Lin, Shen, and Hwang [26] proposed an improved version of OSPA, denoted by Lin-Shen-Hwang's protocol for short, and showed that it can resist the guessing attack, the replay attack, the impersonation attack, and the stolen-verifier attack. However, Ku, Tsai and Chen [27] found that Lin-Shen-Hwang's protocol is still vulnerable to a denial-of-service attack and a replay attack, and showed the ways to mount these two simple attacks on Lin-Shen-Hwang's protocol.

The authors Ku and Chen have not considered or proposed any improvement to circumvent these problems.

2.3.4 Timestamp based

In 1999, Yang and Shieh [28] proposed a timestamp-based password authentication scheme using a smart card to achieve user authentication and arbitrarily change a password. In addition, the remote server does not need to store the passwords or verification tables for authenticating the users. Subsequently, Chan and Cheng [29] pointed out that Yang and Shieh’s scheme was vulnerable to a forged login attack, in which an intruder could impersonate legitimate users to log in and access the remote server. In 2002, Fan et al. [30] also showed that the Yang-Shieh scheme could not withstand the forged login attack and proposed a slight modification to eliminate the security flaws. Thereafter, in 2003, Shen et al. [31] pointed out that Fan et al.’s solution is inefficient and impractical because it limits the user identity to a strict form, and proposed an improved scheme that could withstand the forged login attack and also provide mutual authentication to withstand the forged server attack.

Yet, Shen et al.’s improved scheme is still susceptible to the forged login attacks developed by Sun et al. in [32] and Chen in [33], respectively. In a research paper by Yoon et al. [34], they demonstrated how the forged login attack can be worked out on their scheme.

These papers mostly don’t consider the physical limitations of smart card technology, and when proposing new attacks on existing schemes it is usually difficult to adjust the existing protocols to withstand these attacks.



2.3.5 Zero knowledge proof

In the domain of authentication protocols, an alternative to both symmetric and asymmetric cryptography is the use of zero-knowledge proof techniques. Zero-knowledge authentication protocols offer the same level of convenience as authentication protocols based on asymmetric cryptography, but require less memory space and processing power.

Zero-knowledge protocols, as their name says, are cryptographic protocols in which one party (the prover) can demonstrate the knowledge of some secret to another party (the verifier) without revealing the secret. This way, an eavesdropper, as well as the verifier, can gain no information about the secret and cannot convince a third party that they know the secret. More precisely, the properties of a zero-knowledge protocol are as follows:

- the prover cannot cheat the verifier unless the prover is extremely lucky: by reiterating the protocol, the odds of an impostor passing as a legitimate user can be made as low as necessary;
- the verifier cannot pretend to be the prover to any third party, because during the protocol execution the verifier gains no knowledge of the secret;
- the verifier cannot convince a third party of the validity of the authentication proof.

2.3.5.1 Basic Zero-Knowledge Protocol

Let's consider the basic operation of a zero-knowledge protocol on the following example taken from [35].

Assume that the prover knows some information, and furthermore that the information is the solution to a hard problem. The basic protocol consists of several rounds: what is explained below is repeated n times.

The prover uses the information she knows and a random number to transform the hard problem into another hard problem, one that is isomorphic to the original one. Not all problems and transformations, of course, are suitable for this purpose; the prover must be sure that the verifier cannot deduce any knowledge from the execution of the protocol, even after many iterations of it.

Then, the prover uses the information she knows and the random number to solve the new instance of the hard problem, then commits to the solution using a bit-commitment scheme. This kind of scheme is used when someone wants to commit to a result but doesn’t want to reveal it until some time later and, meanwhile, the counterpart wants to make sure that the result is not going to be changed after the commitment.

The prover reveals the new problem instance to the verifier, but the verifier cannot use this problem to get any information about the original instance or its solution. At this stage, the verifier asks the prover either to prove that the old and the new instances are isomorphic (i.e. two different solutions to two related problems) or to open the solution to which the prover committed before and show that it’s a solution to the new instance. The prover complies.

In this protocol the verifier doesn’t get any knowledge of the secret information, and the prover cannot cheat. Also, the verifier cannot use a transcript of the exchange to convince a third party that the prover knows the secret, because the verifier cannot demonstrate that she did not collude with the prover to build a simulator that fakes the prover's knowledge.

2.3.5.2 Which problems can be used in Zero-Knowledge Protocols?

The notion of Zero-Knowledge proof was set forward by Goldwasser, Micali and Rackoff [36] in 1985. One year later Goldwasser, Micali and Wigderson [37] proved that any problem in the NP class has a zero-knowledge proof, assuming the existence of one-way functions.

Unfortunately, not all problems in the NP class are suitable for a realistic implementation. As in other cryptographic protocols, the problems most widely used in actual zero-knowledge protocols are the following [38]:

- the problem of finding discrete logarithms for large natural numbers;
- the problem of checking that y is (x^2 mod n) for some natural number x, if the factors of n are unknown;
- the problem of factoring a large natural number which is a product of two or more large primes.

2.3.5.3 Real zero knowledge authentication protocols

In 1986, Amos Fiat and Adi Shamir showed in [39] how to utilise zero-knowledge proofs for authentication and generating digital signatures. Their protocol, called Fiat-Shamir, was the first realistic zero-knowledge protocol; a number of other protocols have been developed after this one. These include the Feige-Fiat-Shamir [40], Guillou-Quisquater [41], Ohta-Okamoto [42], Beth [7], Schnorr [43], and Burmester-Desmedt-Beth [44] protocols.
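As an added illustration of the round structure described in 2.3.5.1 and of the quadratic-residue problem from 2.3.5.2, here is the Fiat-Shamir identification protocol in Python (example code written for this review, not taken from the report or from [39]). The modulus N is an assumed toy value chosen for readability; the CheatingProver shows why an impostor who does not know s passes a round with probability only 1/2.

```python
import secrets
from math import gcd

# Constructed toy modulus n = p*q for readability only (an assumption of
# this example; a real modulus has hundreds of digits and secret factors).
N = 1000003 * 1000033


class HonestProver:
    """Knows the secret s and publishes v = s^2 mod n as its public key."""

    def __init__(self, n, s):
        if not (1 < s < n) or gcd(s, n) != 1:
            raise ValueError("secret must lie in (1, n) and be coprime to n")
        self.n, self.s = n, s
        self.v = pow(s, 2, n)
        self._r = None

    def commit(self):
        # Fresh random r every round; the commitment x = r^2 mod n is the
        # "new problem instance" and reveals nothing about s.
        self._r = secrets.randbelow(self.n - 2) + 2
        return pow(self._r, 2, self.n)

    def respond(self, e):
        # Challenge e is one bit: answer y = r * s^e mod n
        # (e = 0 shows the isomorphism, e = 1 opens the committed solution).
        return (self._r * pow(self.s, e, self.n)) % self.n


class CheatingProver:
    """Does not know s.  It guesses the challenge bit before committing and
    can answer only that bit, so each round passes with probability 1/2."""

    def __init__(self, n, v, guess):
        self.n, self.v, self.guess = n, v, guess
        self._r = None

    def commit(self):
        self._r = secrets.randbelow(self.n - 2) + 2
        x = pow(self._r, 2, self.n)
        if self.guess == 1:
            # Pre-divide by v so that r^2 == x * v (mod n) holds when e = 1.
            x = (x * pow(self.v, -1, self.n)) % self.n
        return x

    def respond(self, e):
        return self._r          # correct only when e == self.guess


def verify_round(n, v, x, e, y):
    """Verifier's check for one round: y^2 == x * v^e (mod n), x, y != 0."""
    if not (0 < x < n and 0 < y < n):
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def identify(prover, n, v, rounds, challenge=None):
    """Run the protocol for `rounds` rounds and return (accepted, transcript).
    `challenge(i)` lets a test fix the challenge bits; default is random."""
    transcript = []
    for i in range(rounds):
        x = prover.commit()
        e = secrets.randbelow(2) if challenge is None else challenge(i)
        y = prover.respond(e)
        ok = verify_round(n, v, x, e, y)
        transcript.append((x, e, y, ok))
        if not ok:
            return False, transcript
    return True, transcript


def impostor_pass_probability(rounds):
    """Odds that a prover ignorant of s passes every round by luck."""
    return 2.0 ** -rounds
```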






3 Preliminary methodological work

To implement authentication protocols by the end of FYP II, I plan to use Java Card 3 technology and NetBeans as an Integrated Development Editor. The reason for choosing Java is that Java Card technology provides a secure environment for applications that run on smart cards and other devices with very limited memory and processing capabilities. Multiple applications can be deployed on a single card, and new ones can be added to it even after it has been issued to the end user. Applications written in the Java programming language can be executed securely on cards from different vendors.

The Java Card development kit provides a compiler and a simulator for Java Cards.

In order to show the effectiveness of Java Card and NetBeans, I decided to implement a simple protocol described in the next section.

3.1

A
Simple protocol

Authentication is between two parties. The first is a user with a smart card, which we are going to call the client; the second is a verifier (the server) that is going to verify the user with the smart card. The assumption is that both share a secret password, which I will denote as P. This simple protocol is described in the following steps:

1. The server detects an inserted smart card and establishes communication with the client.

2. The server generates a random string of bits, which I am going to call a SALT and denote as S.

3. The server calculates W according to equation (3.1):

    W = f(S · P)                                        (3.1)

In equation (3.1) the dot (·) denotes concatenation of two binary strings, and f() is a one-way hash function, for example SHA1 or the less secure MD5.

4. The server sends S to the client and starts two timers, one with a shorter duration and one with a longer. The shorter one is the time the server waits for a reply; the second (longer) one is a deliberately inserted delay before the server gives its response.

5. After the first timer (with the shorter duration) signals, the server checks whether it has received a reply from the client or not. If the server did not receive a reply from the client, the session is destroyed and the server waits until the second timer expires; after that it returns to the first step, that is, waiting for a new smart card.

6. If the server does receive a reply R, it compares it with the computed W. In case they are equal, authorization is complete; otherwise the user is rejected. The server waits until the second timer expires, takes the appropriate action for an accepted or rejected card, and after that returns to step 1.

As for the client, the algorithm is simple. Whenever it receives a request from the server in the form of a salt S, it replies with R according to equation (3.2). The value P_stored is the password stored on the client smart card.

    R = f(S · P_stored)                                 (3.2)
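The protocol of section 3.1, as an added example in Python; it is not the report's Java Card applet. The two timers are modelled by passing elapsed seconds into the server rather than by real waiting, the timer values and the password are constructed sample values, and the constant-time comparison (hmac.compare_digest) in step 6 is my own choice rather than something the text prescribes. The last function shows that an R captured in one session is rejected in the next one, because the server draws a fresh S each time.

```python
"""Prototype of the simple protocol in section 3.1, added example (not the
report's Java Card/NetBeans implementation). Time is passed in as seconds,
not measured, so the timer logic runs without real delays. The password and
the timer values are constructed sample values."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SHORT_TIMER = 0.5   # seconds the server waits for a reply R (assumed value)
LONG_TIMER = 5.0    # delay before the server reacts at all (assumed value)


def f(salt: bytes, password: bytes) -> bytes:
    """One-way hash over the concatenation S · P (equation 3.1); SHA-1 as the
    report suggests, MD5 being the less secure alternative it mentions."""
    return hashlib.sha1(salt + password).digest()


class Client:
    """The smart card side: answers each salt S with R = f(S · P_stored) (equation 3.2)."""

    def __init__(self, p_stored: bytes):
        self._p_stored = p_stored

    def respond(self, salt: bytes) -> bytes:
        return f(salt, self._p_stored)


class Server:
    """The verifier side, steps 1-6 of the protocol."""

    def __init__(self, password: bytes):
        self._p = password
        self._expected = None   # W for the current session, None when idle

    def begin_session(self) -> bytes:
        """Steps 2-4: fresh random SALT S, precompute W = f(S · P), hand S out."""
        salt = secrets.token_bytes(16)
        self._expected = f(salt, self._p)
        return salt

    def finish_session(self, reply: Optional[bytes], reply_delay: float) -> Tuple[str, float]:
        """Steps 5-6. `reply` is the R that arrived (None if nothing did) and
        `reply_delay` is how long after S it arrived. Returns the verdict and
        the moment the server reacts, which is always LONG_TIMER so that a
        failed attempt costs the same wait as a successful one."""
        expected, self._expected = self._expected, None   # session ends either way
        if expected is None:
            raise RuntimeError("no session in progress")
        if reply is None or reply_delay > SHORT_TIMER:
            return "timeout", LONG_TIMER           # step 5: nothing before the first timer
        if hmac.compare_digest(reply, expected):   # step 6: constant-time comparison
            return "accepted", LONG_TIMER
        return "rejected", LONG_TIMER


def authenticate(server: Server, client: Client, link_delay: float) -> Tuple[str, float]:
    """One complete run: server issues S, client answers R, server judges it."""
    salt = server.begin_session()
    reply = client.respond(salt)
    return server.finish_session(reply, link_delay)


def replay_is_rejected(server: Server, client: Client) -> bool:
    """A captured R from one session is useless in the next one because the
    server draws a fresh S (the replay resistance argued in section 4.1)."""
    old_salt = server.begin_session()
    old_reply = client.respond(old_salt)
    server.finish_session(old_reply, 0.1)        # genuine session completes
    server.begin_session()                        # new S, never seen by the replayer
    verdict, _ = server.finish_session(old_reply, 0.1)
    return verdict == "rejected"
```

The server forgets S and W at the end of every session, whatever the verdict, so a late or wrong reply cannot be retried against the same salt; the second timer is returned as the reaction time to make visible that a rejected guess is answered no faster than an accepted card.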




3.1.1 Implementation of a Simple Protocol

Using the aforementioned Java Card and NetBeans, the client side of the protocol was implemented to show that this protocol is viable, and to demonstrate that NetBeans with the Java Card simulator is working properly. Any further analysis of this program and the implementation of more sophisticated protocols is planned for FYP II.




4 Discussion and Planning for FYP II

What I have shown in the Literature review section is that even the most sophisticated protocols are found to be susceptible to certain types of attacks. One reason for this is the existence of many types of attacks, as can be seen in the Literature review of the most famous authentication protocols for smart cards. In this section I will analyse the preliminary work that I have done and implemented, and test it for resistance to various types of attacks.

4.1 Analysis of a simple protocol

I am going to call an eavesdropper by the name of Eve. In the case of an eavesdropper, she can't learn the password by listening to the communication link, since only the hash R and the random string S are transmitted, and not the password. Assuming that f() is not easily invertible, we can conclude that indeed the password cannot be retrieved by solely listening to the communication channel.

Eve cannot learn the password by pretending to be a server, since the only reply she receives back from a client is a hash, without the possibility of reversing it, again assuming that the hashing function is not invertible.

Brute force attacks are made difficult as well, because the server will wait for the second timer before taking any action, thus making it time consuming to try to guess the password. With a large space of possible passwords multiplied by the time of the second timer, thousands of years must pass before guessing the password becomes likely.



Eve cannot do a replay attack, since the server will send a different salt each time authentication is attempted; thus knowledge of a previous R is not helpful with a new authentication.

However, this scheme is susceptible to a man-in-the-middle attack, if Eve can set up a fake server and pretend to the client that it is the actual server. Then the SALT that she receives from the real server can be forwarded to the real client, and the reply from the real client can be forwarded to the real server. This way Eve can achieve unauthorized access to the facility. But Eve does not learn anything about the password from this attack.

A possible argument here is that this attack can be made difficult by restricting the value of the first timer in the server. The value of the first timer is the time the server will wait for a reply from the client. This value must be reasonable for a normal smart card to be able to complete a successful authentication. Eve has to spend additional time reading values, processing them and forwarding them between client and server. To keep the user of the smart card unaware that it is being attacked, the attack usually must happen at a distance from the actual server; thus the propagation time of a signal between client and server must be considered.

This time would be greater than the additional time to authenticate that is left over from normal client operation, so the server would time out before Eve can finish her attack. Using more sophisticated technology Eve can improve her chance of success: by using faster transmission lines Eve can reduce her delay. This can be countered by the server by placing more restrictions on the time of the reply (the value of the first timer), thus making Eve's attack very difficult with current technology.
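A small timing model for the argument above, added here and not taken from the report: it puts numbers on the slack in the first timer versus the delay a relay through Eve must add, and on the guessing cost imposed by the second timer. The propagation speed, the processing times, the jitter allowance and the password space are all assumed sample values, not measurements from the prototype.

```python
"""Timing model for the analysis in section 4.1, added example (not from the
report). The first (short) timer bounds how much extra delay a relay can hide
behind; the second (long) timer bounds the rate of online guessing.
All numbers are constructed assumptions."""

SIGNAL_SPEED_M_PER_S = 2.0e8   # assumed propagation speed in copper/fibre (about 2/3 c)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def honest_reply_time(card_compute_s: float, reader_link_rtt_s: float) -> float:
    """Time the server sees between sending S and receiving R from a genuine
    card sitting in the reader: hashing time plus the reader link round trip."""
    return card_compute_s + reader_link_rtt_s


def relay_extra_delay(distance_m: float, eve_processing_s: float) -> float:
    """Minimum additional delay a relay introduces: the signal must travel to
    the remote card and back (2 * distance) plus Eve's own read/forward work."""
    return 2.0 * distance_m / SIGNAL_SPEED_M_PER_S + eve_processing_s


def short_timer_for(honest_s: float, jitter_s: float) -> float:
    """Tightest first-timer value that still accepts every genuine card:
    the honest reply time plus the worst-case jitter the deployment tolerates."""
    return honest_s + jitter_s


def relay_times_out(short_timer_s: float, honest_s: float, extra_delay_s: float) -> bool:
    """True when a relayed reply (honest time plus relay delay) misses the
    first timer, i.e. the server destroys the session before Eve's reply lands."""
    return honest_s + extra_delay_s > short_timer_s


def online_guess_years(password_space: int, long_timer_s: float) -> float:
    """Expected time to guess when every attempt sent to the server costs a
    full long-timer wait: on average half the space must be tried. This bounds
    only guesses submitted to the server."""
    return (password_space / 2) * long_timer_s / SECONDS_PER_YEAR
```

With a 1 km relay and 15 ms of processing on Eve's side, a first timer of 35 ms (25 ms honest reply plus 10 ms jitter allowance) catches the relay; with 5 ms of processing the relayed reply fits under that timer and is only caught once the jitter allowance is tightened to 4 ms. That is the trade-off the text describes: the tighter the first timer, the harder the relay, but the less tolerance there is for slow genuine cards.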





4.2 Plan for FYP II

In this part of the Final Year Project I have explored popular authentication schemes and familiarized myself with the development environment by building a working prototype of the Simple Protocol.

In the second part of the Final Year Project I plan to explore more sophisticated schemes for authentication and test their resistance to different types of attacks.

The sensitivity of this subject lies in the fact that an attacker can be at many places (server, client, channel) and has the opportunity to tamper with the standard protocol, thus giving rise to various attack methods and vulnerabilities in protocols.

One step towards the goal, after developing interesting protocols, is to simulate them with a tested and proven simulator, and test them for resistance to numerous potential vulnerabilities.

Ultimately, the goal is to have a reliable and efficient protocol that can be implemented with current smart card technology and will be useful in practice.





References


[1] T. M. Jurgensen and S. B. Guthery, Smart Cards - The Developer's Toolkit. Upper Saddle River, NJ 07458: Prentice Hall PTR, 2002.

[2] D. N. Sun. (2004, 10 September). Smart Card Overview. Available: http://java.sun.com/products/javacard/smartcards.html

[3] (2005, 4 October). A Frequently Asked Questions list (FAQ) for alt.technology.smartcards. Available: http://www.ioc.ee/atsc/faq.html

[4] R. Anderson and M. Kuhn. (1996, 13 August). Tamper Resistance - a Cautionary Note. Available: http://www.cl.cam.ac.uk/users/rja14/tamper.htm

[5] P. Kocher, J. Jaffe and B. Jun. (1998, 13 August). Introduction to Differential Power Analysis and Related Attacks. Available: http://www.cryptography.com/dpa/technical

[6] K. M. Shelfer and J. D. Procaccino, "Smart card evolution," Commun. ACM, vol. 45, pp. 83-88, 2002.

[7] T. Beth, "Efficient zero-knowledged identification scheme for smart cards," presented at the Lecture Notes in Computer Science on Advances in Cryptology - EUROCRYPT'88, Davos, Switzerland, 1988.

[8] A. Coleman. (1998, 20 October). Giving currency to the Java Card API. Available: http://www.javaworld.com/javaworld/jw-02-1998/jw-02-javacard.html

[9] P. Peyret. (1995, 5 September). Which Smart Card technologies will you need to ride the Information Highway safely? Available: http://www.dice.ucl.ac.be/crypto/cascade/scard95.html

[10] Z. Chen and R. Di Giorgio. (1998, 20 October). Understanding Java Card 2.0. Available: http://www.javaworld.com/javaworld/jw-03-1998/jw-03-javadev.html

[11] T.-C. Wu, "Remote login authentication scheme based on a geometric approach," Computer Communications, vol. 18, pp. 959-963, 1995.

[12] M. Hwang, "Cryptanalysis of a remote login authentication scheme," Computer Communications, vol. 22, pp. 742-744, 1999.

[13] H.-Y. Chien, et al., "A modified remote login authentication scheme based on geometric approach," Journal of Systems and Software, vol. 55, pp. 287-290, 2001.

[14] C. Chang and L. Iuon-Chang, "Cryptanalysis of the Modified Remote Login Authentication Scheme Based on a Geometric Approach," Informatica, vol. 16, pp. 37-44, 2005.

[15] L. Lamport, "Password authentication with insecure communication," 1981.

[16] M. Hwang and L. Li, "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 46, pp. 28-30, 2000.

[17] H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 46, pp. 958-961, Nov. 2000.

[18] H.-Y. Chien, et al., "An Efficient and Practical Solution to Remote Authentication: Smart Card," Computers & Security, vol. 21, pp. 372-375, 2002.

[19] C.-L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards," Computer Standards & Interfaces, vol. 26, pp. 167-169, 2004.

[20] C.-C. Lee, et al., "A flexible remote user authentication scheme using smart cards," SIGOPS Oper. Syst. Rev., vol. 36, pp. 46-52, 2002.

[21] W.-C. Ku and S.-M. Chen, "Cryptanalysis of a flexible remote user authentication scheme using smart cards," SIGOPS Oper. Syst. Rev., vol. 39, pp. 90-96, 2005.

[22] C. Lin, et al., "Attacks and solutions on strong-password authentication," IEICE Transactions on Communications, vol. 84, pp. 2622-2627, 2001.

[23] M. Sandirigama, et al., "Simple and secure password authentication protocol (SAS)," IEICE Transactions on Communications, vol. 83, pp. 1363-1365, 2000.

[24] C. Chen and W. Ku, "Stolen-verifier attack on two new strong-password authentication protocols," IEICE Transactions on Communications, vol. 85, pp. 2519-2521, 2002.

[25] T. Tsuji and A. Shimizu, "An impersonation attack on one-time password authentication protocol OSPA," IEICE Transactions on Communications, vol. 86, pp. 2182-2185, 2003.

[26] C.-W. Lin, et al., "Security enhancement for Optimal Strong-Password Authentication protocol," SIGOPS Oper. Syst. Rev., vol. 37, pp. 7-12, 2003.

[27] W.-C. Ku, et al., "Two simple attacks on Lin-Shen-Hwang's strong-password authentication protocol," SIGOPS Oper. Syst. Rev., vol. 37, pp. 26-31, 2003.

[28] W. Yang and S. Shieh, "Password authentication schemes with smart cards," Computers & Security, vol. 18, pp. 727-733, 1999.

[29] C. Chan and L. Cheng, "Cryptanalysis of a timestamp-based password authentication scheme," Computers & Security, vol. 21, pp. 74-76, 2001.

[30] L. Fan, et al., "An enhancement of timestamp-based password authentication scheme," Computers & Security, vol. 21, pp. 665-667, 2002.

[31] J. Shen, et al., "Security enhancement for the timestamp-based password authentication scheme using smart cards," Computers and Security, vol. 22, pp. 591-595, 2003.

[32] H. Sun and H. Yeh, "Further cryptanalysis of a password authentication scheme with smart cards," IEICE Transactions on Communications, vol. 86, pp. 1412-1415, 2003.

[33] K. Chen and S. Zhong, "Attacks on the (enhanced) Yang-Shieh authentication," Computers & Security, vol. 22, pp. 725-727, 2003.

[34] E. Yoon, et al., "Attacks on the Shen et al.'s timestamp-based password authentication scheme using smart cards," IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, pp. 319-321, 2005.

[35] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition. Wiley, 1996.

[36] S. Goldwasser, et al., "The knowledge complexity of interactive proof-systems," 1985, p. 304.

[37] O. Goldreich, et al., "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design," 27th FOCS, IEEE Computer Society, pp. 174-187, 1986.

[38] H. A. Aronsson. (1996, 10 October). Zero Knowledge Protocols and Small Systems. Available: http://www.tcm.hut.fi/Opinnot/Tik-110.501/1995/zeroknowledge.html

[39] A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," 1986, pp. 186-194.

[40] S. Micali and A. Shamir, "An improvement of the Fiat-Shamir identification and signature scheme," 1988, p. 247.

[41] L. Guillou and J. Quisquater, "A “paradoxical” identity-based signature scheme resulting from zero-knowledge," 1988, pp. 216-231.

[42] K. Ohta and T. Okamoto, "A modification of Fiat-Shamir scheme," Crypto'88, Lecture Notes in Computer Science, Springer Verlag, pp. 232-243, 1988.

[43] C. Schnorr, "Efficient identification and signatures for smart cards," 1989, pp. 239-252.

[44] M. Burmester, et al., "Efficient zero-knowledge identification schemes for smart cards," The Computer Journal, vol. 35, p. 21, 1992.