Multiservice Smart Cards

Submitted By lipisingal
1. Introduction

The idea of a single smart card to be used for multiple services has been around for years.
Instead of using separate access devices for different services, a user can access multiple services from different service providers with a single smart card. For example, a user can use the same smart card to log on to a remote server system, enter a secure building, and perform a financial transaction.
This kind of design frees people from carrying many cards, bringing users great convenience while saving resources and costs, since fewer cards have to be manufactured and managed. Therefore, multi-service smart card systems exhibit a high potential for economic and social benefits. Such a system is even more convenient if only one password is used for each card so that users do not need to remember and cope with many passwords.

1.1 MULTISERVICE SMARTCARDS

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. With a single card and a single administration tool, organizations from government to industry to academic institutions can deliver an array of personalized credit and loyalty-based services to their users, while generating comprehensive reports and maintaining strict controls on usage. These cards can offer multiple applications such as:

* Credit cards: These are the best known payment cards (classic plastic card).
* Financial: Smart cards serve as credit or ATM cards, fuel cards, mobile phone SIMs, authorization cards for pay television, household utility pre-payment cards, high-security identification and access-control cards, and public transport and public phone payment cards.
* Health care (medical): Smart health cards can improve the security and privacy of patient information and provide a secure carrier for patient identity.
* Identification: A quickly growing application is in digital identification. In this application, the cards authenticate identity. The card stores an encrypted digital certificate along with other relevant information. Combined with biometrics, cards can provide two- or three-factor authentication.
* Schools: Smart cards are being provided to students at schools and colleges. Usage includes:
  * Tracking student attendance
  * As an electronic purse, to pay for items at canteens, vending machines etc.

1.2 DYNAMIC AUTHENTICATION

In an authentication process, the originator of the communication and the respondent exchange identification codes before the message transaction starts. Several methods have been proposed for the authentication process over time. A dynamic authentication scheme involves a number of factors; among them, the password, password index, and date of modification are the important factors that determine its dynamicity.

Static authentication schemes are vulnerable to different types of attacks. To overcome the threats to the existing approaches, the dynamic authentication scheme is introduced. This scheme ensures authentication, confidentiality, reliability, integrity and security. A remote authentication scheme permits both the user and the server to identify the genuine transacting partners over an existing communication channel.

2. PROBLEM STATEMENT

With multiservice smart card systems, each user normally shows the same identity (ID) to different service systems. Hence, their access behaviour across different services can be easily traced, linked and abused by adversaries.
The multi-service smart card system becomes further complicated when a single password is used for different services. With this one-password scheme, passwords run a high risk of being stolen and tampered with, since they are exposed to more parties.

To address these problems, the author has developed a sophisticated system model. The model fully realizes one-card/one-password access for multiple services (over an open network) while maintaining high levels of security and service performance.
The contributions are summarized as follows:

1) An indirect password authentication scheme, where password authentication is mingled with service authentication. No passwords need to be sent separately over the network, making password leaks over the network impossible. Moreover, with this scheme, passwords are stored neither in any server system nor on any smart card, providing little opportunity for offline password attacks.

2) Based on the separate user-service ID approach, they propose a robust design for user service ID generation, storage, and management. In comparison to the existing approach, the design only stores a user service ID on the related service system, not on the smart card. The service ID that a user has to present each time to access a service is dynamically calculated based on the user password.

3) A mutual authentication protocol that can resist many attacks from both internal users and external hackers while keeping computation and communication costs low.

4) To ensure communication confidentiality and efficiency, a key agreement scheme that uses session keys for service transactions, so that maintaining a large and growing table of keys is avoided, thus saving memory space and improving performance.

3. Evolution of Multi-Service Systems: Various Approaches

Many approaches to improve the system security have been proposed. They can be classified into two groups:

* Identity authentication (to counter impersonation attacks) and
* Communication protection (to counter network related attacks such as man-in-the-middle and replay attacks).

Various Approaches:

1) One-way hashed value:
Passwords are commonly utilized for user authentication, where users identify themselves by sending the system their IDs and passwords. User passwords are usually concealed in the system in an encrypted format, such as a one-way hashed value. On receiving a password, the system calculates its hashed value and searches for a match in the password table. When a match is found, the user's authenticity is verified.
Problem: However, the approach is not safe if the password is transferred over an insecure network.

2) A scheme for remote password authentication with insecure communication. In this scheme, not only are user passwords stored in the hashed format, they are also hashed during transmission to prevent password eavesdropping. To realize such a design, the approach uses a sequence of passwords, each of which is formed by repeatedly hashing a given secret value. For each round of authentication, a different password from the sequence is used.
Problem:
A. It requires the remote system to maintain a password table, which may incur significant performance and memory overheads if the number of users becomes large, and
B. It risks attacks if the password table can be modified by intruders.

3) Another multi-server password authentication scheme using smart cards. The scheme is based on the Chinese Remainder Theorem and a modulus table.
Problem: The size of the modulus table increases as the number of servers increases.

4) A security solution for the multi-functional smart card system using public key cryptography. Instead of using an ID for each user, separate private and public key pairs are used for different functions to ensure authenticity and integrity of application processes and maximally protect user privacy.
Problem: However, these designs are complicated and entail a large amount of effort for system maintenance.

In this paper, they have presented a design model that combines a set of security design techniques to achieve a high system security for the multi-service smart card system with low design costs.

4. Design Overview

The structure of the multi-service smart card system is given in Fig.1. There are three entities:

* the Trusted Management Centre (TMC),
* the User Group, and
* the Service Group.

The TMC is a trusted third party between users and service providers. It handles user and service registrations. Users are the smart card holders who access services available in the system. Unlike most existing systems, where user service portfolios are generated by the management centre, users in this system can customize and dynamically change their service wish list. There are multiple services; each service must be registered by its provider before it is available to users.

4.1 SET OF DESIGN TECHNIQUES

They have employed a set of design techniques to best ensure system security, optimize performance and at the same time extensively reduce costs. They are summarized as follows.

* Hash functions are used whenever possible to lower computation costs. A hash function is computationally simple and can easily compress a message of varying size to a fixed-length string. It is computationally infeasible to compute original inputs from hash values, or to replace them with modified data that gives the same outputs, within a limited time frame. Hence hash functions have high resistance to online decipher attacks. Hash functions are used to encrypt messages, and the hashed value is mingled with other messages during authentication so that when transferred over networks, the messages are effectively immune to online attacks.
* To protect the smart card from being abused by unauthorized people, a card validation scheme is introduced. A key (PIN) is assigned to a smart card. Each time a card is used, it is first validated against the key. Only after the card is validated can the user use the card together with a correct password to perform service operations. The scheme also effectively enables users to safely change their passwords any time after registration.
* Since the user identities are of paramount importance to the overall system security, the permanent storage of identities is minimized to limit offline attacks. To protect user privacy, the user ID that can reveal user personal information is stored only in the TMC, and a separate ID, called the User Registration ID (UID), is used for anonymous service access. To achieve service unlinkability, a different User-Service binding ID (USID) is used.

4.2 SIGNCRYPTION

The authors have employed Signcryption for communication between the user and the TMC.

Signcryption is a public key cryptography (asymmetric) scheme that simultaneously fulfils both digital signature and public key encryption. It is much more secure and has lower computational costs than traditional asymmetric approaches.
Symmetric-key encryption techniques can achieve the same level of security as asymmetric encryption methods, but they are computationally fast. Since symmetric-key encryption requires a separate key for each communication pair, the cost of key maintenance becomes significant for large groups of users. Therefore, symmetric-key encryption is used only for communications between the TMC and services. The symmetric keys are generated by the TMC and populated to the service systems in a secure environment. A standard encryption/decryption algorithm can be used for the encryption. For large, growing user groups, session keys are used for service transactions between users and services.

SESSION KEYS:

A session key is an ephemeral secret value that is restricted to a session. After the session finishes, it is eliminated. Therefore, the average session-key list of a service system is minimized. The authors propose using Diffie-Hellman key agreement to generate the session key. It can be easily embedded in the mutual authentication protocol so that the key is authenticated for each round of communication, ensuring high integrity of the transferred message.

Diffie-Hellman key agreement requires that both the sender and recipient of a message have key pairs. By combining one's private key and the other party's public key, both parties can compute the same shared secret number. This number can then be converted into cryptographic keying material. That keying material is typically used as a key-encryption key (KEK) to encrypt (wrap) a content-encryption key (CEK) which is in turn used to encrypt the message data.

Figure 2: Diffie-Hellman key agreement
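
The key agreement described above, as an added example (not code from the paper or from this essay): it builds a group with the design's p, q, g structure (q a prime factor of p - 1, g of order q), runs the exchange between a card and a service, and refuses a peer value that lies outside the order-q subgroup. SHA-256 as the hash that turns the shared number into keying material, the 512/160-bit demo sizes and the context label are assumptions; the design recommends p of at least 1024 bits.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in 2..n-2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(p_bits=512, q_bits=160):
    """Return (p, q, g): q prime, q divides p - 1, g of order q modulo p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    k_bits = p_bits - q_bits - 1
    while True:
        k = secrets.randbits(k_bits) | (1 << (k_bits - 1))
        p = 2 * k * q + 1                          # odd by construction, roughly p_bits long
        if is_probable_prime(p):
            break
    while True:
        base = secrets.randbelow(p - 3) + 2
        g = pow(base, (p - 1) // q, p)             # lands in the order-q subgroup
        if g != 1:
            return p, q, g


def keypair(p, q, g):
    """Private key x from 1..q-1, public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public(y, p, q):
    """Accept only values in the order-q subgroup, excluding the identity."""
    return 1 < y < p and pow(y, q, p) == 1


def session_key(own_private, peer_public, p, q, context):
    """Combine own private key and the peer's public key into a 256-bit key."""
    if not validate_public(peer_public, p, q):
        raise ValueError("peer public value is not in the order-q subgroup")
    shared = pow(peer_public, own_private, p)
    raw = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    # Assumption: SHA-256 over a context label plus the shared number
    return hashlib.sha256(context + raw).digest()


def demo_key_agreement(p_bits=512, q_bits=160):
    p, q, g = generate_group(p_bits, q_bits)
    x_card, y_card = keypair(p, q, g)              # smart card side
    x_svc, y_svc = keypair(p, q, g)                # service side
    label = b"constructed-session-label"           # constructed sample value
    k_card = session_key(x_card, y_svc, p, q, label)
    k_svc = session_key(x_svc, y_card, p, q, label)
    # p - 1 has order 2, so it is outside the subgroup and must be refused
    refused = not validate_public(p - 1, p, q)
    return k_card == k_svc, refused, (p - 1) % q == 0, pow(g, q, p) == 1


if __name__ == "__main__":
    print(demo_key_agreement())
```

Run on its own, this exchange authenticates neither party; the design relies on embedding it in the mutual authentication protocol for that.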

5. Design Details

This section elaborates the system model. Along with the design description, some remarks are provided to highlight the design features.

There are a number of parameters and functions used in the system. They fall into two groups: 1) public information that is available to the whole system, and 2) keys used for encryption and verification.

5.1 Public Information:

The public information includes parameters and functions that are generated by the TMC and can be either loaded into smart cards at the card issue stage, or stored in the trusted card access terminals from which the information can be later retrieved by smart cards.

p: a large prime number, recommended to be at least 1024 bits for security.
q: a large prime number, factor of p - 1.
g: an integer, with the order q modulo p, chosen randomly from (1, ..., p - 1).
h(.): the one-way hash function with a fixed-length output.
KH(.): a keyed one-way hash function. The hash function includes a key in the calculation.
Ek(.): symmetric encryption algorithm with key k.
Dk(.): symmetric decryption algorithm with key k.

5.2 Keys:

Keys are generated by one of the entities in the system.

k: long secret key of the TMC. The TMC should keep it confidential at any time. It is used to generate the user registration ID (UID) from the user ID (ID).
x: the TMC's private key, chosen randomly from (1, ..., q - 1).
y: the TMC's public key, (y = g^x mod p).
xi: the user Ui's private key, chosen randomly from (1, ..., q - 1).
yi: the user Ui's public key, (yi = g^xi mod p).
kj: a symmetric cryptographic key, generated by the TMC and shared between the TMC and service provider for service Sj.
(k1, k2): the symmetric keys, used in Signcryption.
PIN: a key for card verification.

5.3 Registration PHASE

To use the multi-service smart card system, both smart card users and service providers need to register. The registration basically sets up parameters required for each system component and establishes the logical connection between users and services. There are three registration phases:

* user registration,
* service registration, and
* user-service binding.

Users and services only need to register once, while the user-service binding operation can happen an unlimited number of times. Each phase is detailed below, and the related system parameter generation and allocation are recorded in the table shown in Fig.3 for easy reference, where the first column of the table lists all the phases to set up a system, the first row lists the three system entities, and the last column specifies the parameter transfer actions.

Figure 3: System Parameters

Before the overall system is set up, no users and services are connected to the TMC.
The TMC initially contains only the secret key, k, and its private and public key pair, (x, y); both smart cards and service systems hold empty information, as shown in the second row in the table (see Fig.3).

5.3.1. User Registration

To register, a user, Ui, provides the TMC with his/her personal information and password, PWi. After verifying his/her identity, the TMC generates a unique user ID, IDi, based on the user information, and creates a user registration identity (UIDi) and a parameter (Vi) by using the following formulas:
UIDi = h(IDi || k) (1)
Vi = UIDi + PWi (2)
where k is a secret key of the TMC, || is the concatenation operation, and + is the logical exclusive OR (XOR) operation.
The TMC then issues the user a smart card that is loaded with parameter Vi.

Remark 1: The user's personal information can only be revealed with UIDi on the TMC. To maximally protect UIDi as well as PWi, they do not store them directly in the smart card; instead, an indirect value (Vi) is stored. Given a smart card, UIDi can only be obtained with a correct PWi. In case of card loss or theft, the chance for an adversary to gain UIDi or PWi by exploring information on the card is almost nil since both UIDi and PWi are unknown to the adversary.

A new card must be activated before its first use. To activate a card, the user inserts his/her card into a secure terminal at the TMC and inputs a password, PWi, at the prompt. Then the card computes UIDi based on the following formula derived from Formula 2:
UIDi = Vi + PWi (3)

5.3.2. Service Registration
When a service provider, SPj, registers its service, Sj, with the TMC, the TMC generates a unique service identity SIDj for Sj and a symmetric key kj for later communication. These two parameters are transferred to SPj through a secure channel and saved on both sides of the system. Service identities (SIDs) are available to any user in the system. However, both the TMC and service providers should keep their shared symmetric key confidential.

5.3.3. User-Service Binding

A service binding enables a user to use a service. It consists of the following five steps:

Step 1. At a trusted card reader terminal provided by the TMC, user Ui attaches his/her smart card and keys in the PIN. After the card is validated, the user is prompted for a password PWi. With the user's password, the smart card computes UIDi based on Formula 3. Then, the user can select a service from the service list displayed on the terminal screen. When a service, Sj, is selected, its service identity SIDj is transferred to the smart card.

Step 2. The smart card generates binding identity USIDij for user Ui and service Sj using
USIDij = h(UIDi + SIDj) (4)

Remark 2:
The hash function ensures that with knowledge of USIDij , it is computationally infeasible to find input UIDi, which is a secret to identify Ui.

Step 3. The USIDij is sent to the TMC with Signcryption. USIDij together with UIDi and SIDj is encrypted into a cipher message (c, r, s, yi) which is transferred to the TMC.

Step 4. After receiving the message, the TMC unsigncrypts it to obtain data (USIDij, UIDi, SIDj).
The TMC confirms the UIDi by searching for a match in its user list and verifies the correctness of the received USIDij. Then it passes USIDij to service provider SPj over an open network. The message transferred is encrypted with their shared symmetric key kj.

Remark 3: The Signcryption ensures security with both a public key encryption and a digital signature. The encryption ensures message transmission is secure over the open network. The digital signature certifies the binding identity USIDij is originated from Ui, which confirms the true service binding by the user.

Step 5. Upon receiving USIDij, the service provider SPj stores the ID in its service customer list for Sj; a new user has now been successfully linked to the service.

Remark 4:
Access activities of Ui to service Sj are linked and only linked with USIDij.
Neither users' real identities nor their activities on other services are exposed to SPj.
Therefore, service unlinkability is realized. In addition, the binding scheme allows a user to bind many services at the same time and only to signcrypt them once, thus improving the system efficiency.

Figure 4: Signcryption and Verification

5.4. Service Transaction
After binding, a user can access a certain service with a valid smart card. To ensure the authenticity of both communication parties, they employ a mutual authentication scheme.
To protect the confidentiality of transferred messages, they encrypt the messages with session keys. The service transaction process consists of a series of tasks. The process can be divided into three steps: the first step is user authentication; if it is successful, service authentication is performed in the next step; and a session key is established after the mutual authentication succeeds. The session key is used in the following service transaction over an insecure channel. The complete task flow is elaborated as follows.

5.4.1 User Authentication:

To access a service Sj, a user Ui attaches his/her smart card to a terminal device. After the card is verified with the PIN, the user inputs his/her password, PWi. Then, the smart card performs a number of tasks.

5.4.2 Service Provider Authentication & Session Key Generation:
On the successful authentication of the user, the service provider continues.

Figure 5: Service Authentication Task Flow

Remark 5:
This authentication scheme achieves mutual authentication through an insecure channel with low computational complexity & communication costs.

5.5 User-Service Unbinding

If user Ui wants to unbind service Sj, he/she can send a Signcrypted message to the TMC.
The message includes user identity UIDi, service identity SIDj , related user-service binding identity USIDij , together with an unbinding request. Similar to service binding, the Signcryption performs both digital signature and message encryption functions.
After receiving and verifying the request, the TMC informs the service provider SPj to unbind its service from the user. If there is no pending payment and other contract issues, the service provider will delete the user's service ID, USIDij , from its customer list. Ui will no longer be able to access this service.

Remark 6:
With the available unbinding facility, the system can be easily expanded and contracted over time, without the need to maintain redundant users on each service system, as compared to the existing similar designs.

5.6. Password Change

To change a password, the user inserts his/her smart card in a system card reader. After the card is validated, the user selects the password change function. He/she is then prompted for an old password. With the old password, the smart card calculates the user ID, UIDi, using Formula 3. The UIDi is used to calculate a new value of Vi for the new password.
The old Vi is then replaced by the new value on the smart card.

Remark 7:
No one other than the legitimate user can change a password, since doing so requires knowing both the PIN and the old password; this effectively enables password change by users themselves.
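
Formulas 1 to 4 and the password change of Section 5.6, worked through as an added example (not code from the paper or from this essay). SHA-256 as h(.), hashing the password to a 32-byte block so that it can be XORed with UIDi, random 32-byte SIDs, and the class, method and sample names are all assumptions made for the illustration; PIN validation and Signcryption are left out.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """One-way hash h(.); SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """The '+' of the formulas: bytewise XOR of equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pw_block(password: str) -> bytes:
    # Assumption: the password is hashed to the length of UIDi before the XOR
    return h(password.encode("utf-8"))


class TMC:
    """Trusted Management Centre: holds k, the registered UIDs and the SIDs."""

    def __init__(self):
        self.k = secrets.token_bytes(32)      # long secret key k
        self.users = set()
        self.services = {}

    def register_user(self, user_id: str, password: str) -> bytes:
        uid = h(user_id.encode("utf-8") + self.k)   # Formula 1: UIDi = h(IDi || k)
        self.users.add(uid)
        return xor(uid, pw_block(password))         # Formula 2: Vi, loaded on the card

    def register_service(self, name: str) -> bytes:
        sid = secrets.token_bytes(32)               # SIDj, available to any user
        self.services[name] = sid
        return sid

    def verify_binding(self, uid: bytes, sid: bytes, usid: bytes) -> bool:
        # Binding step 4: match UIDi in the user list, recompute USIDij
        return uid in self.users and hmac.compare_digest(usid, h(xor(uid, sid)))


class SmartCard:
    """Stores only Vi; neither UIDi nor the password is kept on the card."""

    def __init__(self, v: bytes):
        self.v = v

    def uid(self, password: str) -> bytes:
        return xor(self.v, pw_block(password))      # Formula 3: UIDi = Vi + PWi

    def usid(self, password: str, sid: bytes) -> bytes:
        return h(xor(self.uid(password), sid))      # Formula 4

    def change_password(self, old: str, new: str) -> None:
        # Section 5.6: recover UIDi with the old password, re-mask with the new
        self.v = xor(self.uid(old), pw_block(new))


def demo_id_model():
    tmc = TMC()
    # Constructed sample identity, passwords and service names
    card = SmartCard(tmc.register_user("constructed-user-0001", "correct horse"))
    sid_a = tmc.register_service("transit")
    sid_b = tmc.register_service("library")
    uid = card.uid("correct horse")
    usid_a = card.usid("correct horse", sid_a)
    usid_b = card.usid("correct horse", sid_b)
    results = {
        "binding_accepted": tmc.verify_binding(uid, sid_a, usid_a),
        # The card raises no error on a wrong password: it simply derives a
        # different UIDi, which the TMC does not find in its user list.
        "wrong_password_rejected": not tmc.verify_binding(
            card.uid("guess"), sid_a, card.usid("guess", sid_a)),
        "distinct_ids_per_service": usid_a != usid_b,
    }
    card.change_password("correct horse", "new passphrase")
    results["usid_unchanged_after_change"] = card.usid("new passphrase", sid_a) == usid_a
    results["old_password_no_longer_works"] = card.usid("correct horse", sid_a) != usid_a
    return results


if __name__ == "__main__":
    for name, ok in demo_id_model().items():
        print(name, ok)
```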

6. SECURITY ANALYSIS

6.1 Off-line Password Guessing Attack
The legitimate use of smart cards is ensured by double passes: 1) card validation, where a card is verified against a PIN each time it is used, and 2) user indirect password authentication. Because the password authentication is mingled with service authentication, the user password cannot be revealed either through offline attacks on the smart card or via online eavesdropping over the network.

6.2 UNAUTHORIZED ACCESS TO SMART CARD

This is a type of attack in which the intruder gets hold of the smart card and tries to use the stored information. An indirect value (Vi) is stored on the card:
Vi = UIDi + PWi
Given a smart card, UIDi can only be obtained with a correct PWi. In case of card loss or theft, the chance for an adversary to gain UIDi or PWi by exploring information on the card is almost nil since both UIDi and PWi are unknown to the adversary.

6.3 Server Spoofing

It is a type of attack in which the attacker acts like the authenticated server to deceive the user. When a service, Sj, is selected, its service identity SIDj is transferred to the smart card. The smart card generates binding identity USIDij for user Ui and service Sj using
USIDij = h(UIDi + SIDj)

6.4 Modification Attack

In this attack, the attacker modifies the contents of the authentication code. If an attacker tries to modify the contents

Because of h( ), the modification causes many changes in the information received at the server, and the server easily identifies these changes by comparing the received code with the stored code as well as the computed code. Whenever the server receives a security code, it re-computes the same code using h( ) with the available data in its table to verify the originality of the received authentication codes. If the computed code and the received code do not agree with each other, the server rejects the login request. Thus, the modification attack is prevented by this method.

6.5 Bucket Brigade Attack

This attack is also known as the Man-in-the-Middle attack. In this type of attack, the attacker intercepts the authentication code transaction between the user and the authenticated server. After this interception, the attacker may change the entire content of the intercepted code and retransmit it to the other side of the transaction, either the user or the server. However, if the intercepted data is altered and retransmitted to the other side of the communicating systems, this is easily identified by the receiving system by means of re-computation using h( ) and comparison of the received code with the computed code. It ensures the confidentiality of the authentication system. So, this scheme prevents the bucket brigade attack.

6.6 Denial of Service Attack

It is an attack by which the service that the user requires from the authenticated server is denied by the attacker at the initial or an intermediate stage of the transaction. This scheme does not permit denial of service, because the adversary cannot make a false attempt as the legitimate user to the authentication server. Even if a false attempt as the legal user is made, the server rejects the login request of that particular session. The future login attempts of the legitimate user are not affected by any of the false attempts made by the attacker. This ensures the reliability of the proposed method. So, this scheme is free from the denial of service attack.

6.7 Mutual Authentication

This is a type of authentication in which both the user and the remote authentication server verify each other's legitimate access and authenticity. Fast hash functions are used for the mutual authentication, and the performance-efficient Diffie-Hellman key agreement protocol is used for the session key generation.

6.8 Smart Card Duplication Attack

When the original smart card is lost or stolen, it may be possible for the eavesdropper to duplicate the original card, but for any further login process a card has to be validated. For that, the PIN along with the user password must be known. It ensures the security of the authentication system. Thus, this scheme prevents the smart card duplication attack.

7. Performance Analysis

The authors have judiciously combined a set of security design techniques of different computational complexity to enhance system performance without sacrificing security.

* In the user and service registration phases, the hash function and XOR operation are used. Both have small computation costs. These computations are mainly performed by the TMC, which normally has superior computing power. Therefore, the performance concern in these registration phases can be eliminated.
* In the user-service binding/unbinding phase, since high complexity operations for digital signature and asymmetric encryption are necessary for security, and they need to be performed by low-end smart cards, they apply Signcryption to speed up performance. The signcryption on average takes 50% less computation time than a normal signature-then-encryption approach.
* In the service transaction phase, fast hash functions are used for the mutual authentication and the performance-efficient Diffie-Hellman key agreement protocol is used for the session key generation.
* Service transactions are frequently operated and dominate the system performance. Therefore, to verify the performance effectiveness of the design, they compare the authentication process of service transactions in the model with some existing authentication designs.
* The computation costs are measured in the number of blocks of symmetric encryptions/decryptions (row 3), modular exponentiation operations (row 4), and modular multiplication operations (row 5).

Figure 6: Comparison of computation and communication costs in authentication processes

Note that with T's scheme, the number of modular multiplication operations is related to the number of servers in the system, m. The communication costs are measured in the number of network transmission rounds and the size of each transmission in bits. They are given in the last two rows in the table.
The costs for those designs were derived from the results presented in with the following upgraded security settings:

* The output size of SHA-256 and the size of the random number are 256 bits, while the block size of AES is 256 bits.
* The size of the identity is 256 bits.
* Parameter p is 1024 bits rather than 512 bits as used in [12].

From the table (Fig.5), it can be seen that the computation cost of the scheme is low, just trailing behind T's. The design also requires fewer rounds of network transmissions than J's, C-K's and H-S's. For each transmission the message size is smaller than in the other designs except H-S's. Overall, the design is the most efficient when computation and communication costs are combined.

8. Conclusions

In the paper, a secure and efficient multi-service system model is proposed where a user can use a smart card to access multiple services with a single password.
An effective ID model and a series of design techniques are used to best enhance system security and performance, and at the same time to reduce costs in memory consumption and network traffic volumes.
To maximally protect the system, the authors have proposed to minimize the physical storage of secret information (such as user service identities and passwords) on smart cards and service systems, and to implement a strict measure on smart card use. To ensure service unlinkability, a separate service identity scheme similar to an existing approach is proposed, but the scheme is enhanced by improving the security in service ID generation, transmission, and management.
The legitimate use of smart cards is ensured by double passes: 1) card validation, where a card is verified against a PIN each time it is used, and 2) user indirect password authentication. Because the password authentication is mingled with service authentication, the user password cannot be revealed either through offline attacks on the smart card or via online eavesdropping over the network. User passwords are much more secure than in any other existing smart card password designs.
To improve performance, a fast mutual authentication process is employed for service transactions, and fast design solutions, such as Signcryption, are used to mitigate performance bottlenecks in the system and reduce network communication.
The reduced network communication also helps relieve network traffic and reduces the hardware costs that would otherwise be incurred by extra network resources. Hardware costs are also saved by the reduced memory consumption in each service system. The design model is scalable, highly secure and more efficient in performance and cost.


Words: 2378 - Pages: 10

Premium Essay

A Cashless Society

...are increasingly paying their bills through banks and using credit cards and other online transactions. In fact, sometimes some stores are becoming reluctant to accept cash. Does this mean that cash is about to disappear? Many people think so, but others maintain that notes and coins have too many advantages to disappear overnight. This essay will examine whether or not we are moving to a cashless society. However, notes and coins have been around for thousands of years because of their many advantages. One outstanding characteristic of cash is that it is very fast. There is no waiting for the transaction to take place. Furthermore cash is a universal language. Illiterate people can use it, and the best currencies can be used anywhere in the world. A third point is that cash does not require a highly developed infrastructure to support it. There is no need for telephone lines, internet connections, credit card reader machines, or other devices in an economy that depends on paper notes. This makes cash a very practical solution in poorer countries, where the bulk of the world’s population lives. A big advantage of cash is that the spender is able to spend only as much as he or she has. Contrast this with credit cards, where the user may spend far more than he or she has, and can even end up in debt. Some people expect that we will soon pay for everything from a microchip embedded in our hand or in an ID card, but there are many people who oppose such concentration of information...

Words: 502 - Pages: 3

Free Essay

Marketing Term Paper

...Development Strategy 12 Advertising & Promotion 12 Survey (25 People) 13 Rodgers 5 characteristics 15 Relative Advantages: 17 Compatibility: 18 Complexity: 19 Triability 19 Observability 20 Sources 21 EXECUTIVE SUMMARY Business Description Micro Life is an innovative, convenient all-in-one card for those who use to carry all their cards in their daily life. Because of Micro Life, consumers will not have to carry them around. Micro Life wants their customers to experience the new technology; they will be able to move around without having to worry about losing their IDs or Credit Card. This card can hold up to 10 pieces of information or transaction cards.. We have a contract with Chase, Bank of America, different hospitals and some retailers. By using the card, the consumer is able to pay, travel, get in his car or house as fast as he can say “Micro Life”! Our Mission Statement Designed to make your daily life easy, convenient and secure, Micro Life can be used in all stores, websites, banks partners. It allows you to take live your life without worrying about losing your important information, carrying your credit card or healthcare card. Micro Life, designed to make life easier. Designed to make your daily life easy, convenient and secure, Micro Life can be used in all stores, websites, banks partners. It...

Words: 3004 - Pages: 13

Free Essay

Nfc Technology

...NFC Near Field Communication (NFC) technology makes life easier and more convenient for consumers around the world by making it simpler to make transactions, exchange digital content, and connect electronic devices with a touch (NFC 2011). Cell phone carriers, such as AT&T, use NFC capabilities in their cell phones as a selling point to the consumer. Some companies, like Samsung, use NFC TecTiles to help their consumers find what they need with just a simple glide of their phone. Major credit card companies use the NFC technology in their credit cards to make it simpler for customers to pay for merchandise without having to swipe there card. With the advancement of the first telephone to modern day smartphones, AT&T has been there. AT&T has always had a unique way of staying ahead and on track with the quick advancement of technology. Numerous smartphone application developers have tried to create software that will allow you to no longer worry about having your wallet. As long as you have your smartphone and the application, you still have the ability to pay for merchandise. With AT&T’s new application, ISIS, Near Field Communication technology is something they are continuing to move forward with. ISIS is a smartphone application that has been successfully designed to replace your wallet and put all your information in one program. Some people might say it sounds crazy, but Ben Spencer (2013) had done studies that have shown, “that cell phone users cannot...

Words: 1482 - Pages: 6

Free Essay

Magnetic Stripe Technology

...to me; however, I remembered that I have ATM card on my wallet. I slip out my card from my wallet and gave it to the cashier. She courteously took the card from me and swiped it through a card reader. After a while, the lady on the cashier handed back my card with a receipt and gave me a generous smile while saying, “Thank you, Sir”. In that particular moment, I wondered or you may also wondered, “How did this transaction happen?” or “How can all information be stored on that card?” given the fact that it is just a plastic card. The answer on these questions lies on the back of our card. The black stripe, also known as the magnetic stripe, is what makes this possible. Magnetic stripe technology was invented Fritz Pfeulmer, a German-born audio engineer in 1928. Although it was invented that time, it was not until the early 1960s that the technology found its way to meet the demands of people in metropolitan area. It was then first installed by the London Transit Authority as a mean to aid the increasingly busy London Underground. Its success was spread across the Atlantic Ocean. More so, by the late 1960’s, San Francisco incorporated the technology into their Bay Area Rapid Transit transportation service. History of magnetic stripe technology tells us that it has really been used for a long period of time since the early 1960’s. The usage of the technology has been very common on the credit cards and debit cards. Credits cards were first issued in 1951 by Diners Club. However...

Words: 1322 - Pages: 6

Premium Essay

E-Cah

...CONTENTS PREFACE ..........................................................................................................................5 FOREWORD ..........................................................................................................................7 INTRODUCTION ............................................................................................................... 11 ELECTRONIC CASH .......................................................................................................... 15 INTRODUCTION ................................................................................................... SMART CARDS/STORED VALUE CARDS........................................................ The Basics ..................................................................................................... Stored-Value Card Issuers ............................................................................ COMPUTER E-CASH ............................................................................................ The Basics ..................................................................................................... E-Cash Issuers ............................................................................................... REGULATORY POLICY ......................................................................................... SUMMARY OF ELECTRONIC CASH IN THE NEAR TERM ......................... 15 15 15 16 19 19 19 20 22 ELECTRONIC BANKING...

Words: 39311 - Pages: 158

Premium Essay

Rfid

...production capabilites expanded and price points kept dropping, Wal-Mart's implementation is now in full swing with most of their top suppliers delivering RFID tagged pallets and crates to all of Wal-Mart's distributions centers. RFID use has started to penetrate other corporate supply chains, but in many cases these implementions are closed loop systems. In other words, the RIFD is deployed within a particular corporation's supply chain, but not between them and their business trading partners. There are other applications which are also limited todeployment withing a single organization, such as tracking tools so they aren't left behind in the airplane after maintenance. 1ST ORGANIZATION TO LAUNCH RFID EMBEDDED CARDS: Chase Offers Contactless Cards in a Blink The global financial services firm will issue...

Words: 1562 - Pages: 7

Premium Essay

English

...credit card services. They have intensely used advertisements as the main method of attracting customers using the message peace of mind to attract their customers to use their cards. However, recently many new entrants have entered the market to drive competition up and reduce the value of each Barclaycard credit cards. The following is a list of recommendations that Barclaycard should implement to remain competitive. 1. Barclaycard can introduce credit cards that have a lower APR to compete with the new entrants. 2. To encourage spending Barclaycard can introduce incentive programs to stimulate spending. For example, they can follow Novus® with a cash back program on spending. 3. Discourage consumers from using cash and a main method of payment. 4. Be the first mover again and introduce other programs that allow a consumer’s life to be easier. For example, they can start implementing services where a consumer can pay with their cell phones using the IR feature, or start emplacing smart card technology in retail outlets as this is seen as the next possible trend in the future. Introduce services that allow consumers to purchase things at home with a touch of a button (internet credit cards e.g. one time use cards) SWOT Analysis*[1] Strengths • Market leadership with a market share of 34% in terms of credit cards issued, and 27% in transaction value. * • Low cost production, resulting from accumulated experience as the first credit card issuer...

Words: 2232 - Pages: 9

Premium Essay

Case Study

...Use Cases As an intern software developer for a retail bank, you have been tasked with developing use cases to support the ATM service. Prepare a 5-6 page paper in which you: 1. Describe (in a one to two (1-2) page narrative) a use case, complete with typical and alternate courses, that documents the event of a bank customer withdrawing money from an ATM. 2. Illustrate the use case using Visio or a similar product. 3. Describe (in a one to two (1-2) page narrative) a use case dependency for making an account deposit. Illustrate this use case with Visio or a similar product. 4. Describe (in a one to two (1-2) page narrative) a use case dependency for making an account transfer. Illustrate this use case with Visio or a similar product. 5. Identify and explain at least one (1) ethical issue that the use case exposes in connection with the development or use of the ATM system. 6. Research and cite at least three (3) authoritative academic sources Use case diagrams in ATM usage CIS210 Use case diagrams of an ATM system Use case diagrams are pictorial representations of different process involved during a specific operation. They are used in modeling real world interaction of system modules and the outside user during the systems analysis stage of software development. They are used mainly in the representation of how the software works in defining the requirements analysis. Use case diagrams in this field are used...

Words: 1140 - Pages: 5

Free Essay

Smart Card

...Smart Cards for Future Healthcare Systems Secure, efficient, reliable Card-based e-health networks: cutting costs and improving care All around the world, news­ paper headlines warn about the exploding costs of health­ care. Advanced medicines and technology are boosting life expectancy. As a result, people can now look forward to living past the age of 80 – twice as long as 100 years ago. This trend, however, has the side effect of driving up healthcare costs. As people get older, they need more frequent and more expensive care, causing the price of insurance to skyrocket. Clearly, something needs to be done to contain these costs. A number of countries have implemented conventional measures aimed at saving money. One of the most basic measures is the introduction of card­based e­health net­ works, which can help reduce costs remarkably. Card for physicians and phar­ macists, and a Card Application Management System (CAMS). Patient Data Card The Patient Data Card is a PIN­protected smart card incor­ porating a microprocessor and protected by cryptographic functions. It contains adminis­ trative insurance information and entitles patients to seek medical treatment. In turn, the patients give their doctors access to their personal medical data, which is stored either on the card or in the e­health network. The card can also hold information such as elec­ tronic prescriptions. How to cut healthcare costs 1. Reduce fraud 2. Streamline administration 3. Improve communication 4...

Words: 1254 - Pages: 6

Free Essay

Term Papers

...The Smart Card Detective: a hand-held EMV interceptor Omar S. Choudary University of Cambridge Computer Laboratory Darwin College June 2010 This dissertation is submitted for the degree of Master of Philosophy in Advanced Computer Science Declaration I Omar Salim Choudary of Darwin College, being a candidate for the M.Phil in Advanced Computer Science, hereby declare that this report and the work described in it are my own work, unaided except as may be specified below, and that the report does not contain material that has already been used to any substantial extent for a comparable purpose. The word count, including footnotes, bibliography and appendices is 14 978. Signed: Date: The Smart Card Detective: a hand-held EMV interceptor Omar Choudary Abstract Several vulnerabilities have been found in the EMV system (also known as Chip and PIN). Saar Drimer and Steven Murdoch have successfully implemented a relay attack against EMV using a fake terminal. Recently the same authors have found a method to successfully complete PIN transactions without actually entering the correct PIN. The press has published this vulnerability but they reported such scenario as being hard to execute in practice because it requires specialized and complex hardware. As proposed by Ross Anderson and Mike Bond in 2006, I decided to create a miniature man-in-the-middle device to defend smartcard users against relay attacks. As a result of my MPhil project work I created a hand-held...

Words: 10985 - Pages: 44

Free Essay

Energy Meter

...problem associated with billing consumer living in isolated area and reduces deployment of manpower for taking meter readings. Every consumer can buy a memory card (is nothing but an EEPROM IC) with a password stored inside it using a MC program. The memory card is available at various ranges (ie. Rs 50, Rs 100, Rs 200 etc).In our project we have given the name for memory card as smart card. When the consumer insert a smart card into the card reader which is connected kit.Then the card reader will read the stored information and delete the information from the EEPROM IC(smart card) using the MC program. So that the smart card cannot be reused by others. Suppose if a consumer buy a card for Rs.50/- he / she can insert this amount through the card reader so that prepaid energy meter with tariff indicator kit will be activated. According to the power consumption the amount will be reduced. When the amount is over, the relay will automatically shutdown the whole system. In our project we also have a provision to give an alarm sound to consumer before the whole amount is reduced. You can also find the Card programmer circuit and program from the download. So that you can easily create your own cards. Here's the procedure to create the cards. How to program a new card. For making a unit price card for Rs 2.50 1. Insert the card into the Programmer 2. Dial 1*0250# The format is 1 for unit price * for start process - Higher digit of the unit price - lower digot of the unit price...

Words: 2185 - Pages: 9

Premium Essay

Disaster Recovery Plan

...| Enhanced Security for Data Access | | Richard Edvalson 1/12/2014 | Contents I. Contents 1 II. Introduction 5 III. Access Control Layers 5 A. The Access Control Perimeter 5 B. Asset Containers 5 C. Workplace Perimeter 5 IV. Access Control Methods and Technical Strategies 5 A. Identification, Authentication, and Authorization 5 B. Logical Access Controls 5 1. Network Architecture Controls 5 2. Remote Network Access 5 3. Security Network Ports 5 4. Encryption 5 5. PKI Compliance Requirements 5 6. Passwords, Pins, and Other Forms of Access 5 C. Physical Access Controls 5 1. Classified Storage and Handling 5 2. Badges, Memory Cards, and Smartcards 5 3. Physical Tokens and Physical Intrusion Detection 5 V. Access Control Integration and Administrative Strategies 5 A. Biometric Systems 5 B. Separation of Duties 5 C. Protecting the Enrollment Process 6 D. Protecting the Verification Process 6 E. Cryptographic Controls 6 F. Integrating Access Control Methods 6 VI. Public Key Infrastructure 6 A. DoD-Approved PKI 6 B. Multi-factor Authentication 6 C. Identification and Authentication through Digit Signature of Challenge 6 D. Data Integrity through Digital Signature of the Information 6 E. Confidentiality through Encryption 6 F. Assists with Technical non-Repudiation through Digital Signatures 6 VII. Mitigating Risk in the User Domain 6 A. Interviewing and Background Screening...

Words: 590 - Pages: 3