XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

XiaoYi Duan,Jianwei Liu,Qishan Zhang

DOI: https://doi.org/10.1109/ICCIAS.2006.295440

2006-01-01

Abstract:A smart card based scheme is very practical to authenticate remote user. In 2002, Chien-Jan-Tseng proposed a mutual authentication scheme using smart card. But in 2004, Ku-chen pointed out the weaknesses of Chien et al's scheme and proposed an improvement to Chien et al.'s scheme to prevent from some weaknesses. However, Hsu pointed out there is still susceptible to parallel session attack in Ku-Chen's scheme. Later, Chien et al.'s indicated there is another weakness in Ku-Chen's scheme and made an enhancement to resolve such problems. But we find Chien et al's scheme can't resist parallel session attack too. In this paper, we make a modification of Chien et al.'s scheme to resolve the problem.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

Baoyuan Kang,Jinguang Han,Qingju Wang

DOI: https://doi.org/10.1109/ICCET.2010.5486299

2010-01-01

Abstract:Wang et al. presented a remote password authentication scheme using IC (integrated Circuit)cards in 2004. Recently, Cheng et al. pointed that the Wang et al.'s scheme is unable to withstand the forgery attack. They consequently proposed a novel version to resist the forgery attack. Although Cheng et al. claimed that their scheme is secure against all known attacks and more practical in application than other IC-card-based authentication schemes, in this paper, we show that Cheng et al. scheme is vulnerable to the guessing attack, parallel session attack and key-compromise attack. To remedy these flaws, this paper proposes an improvement over Cheng et al. scheme with more security.

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.

Xiaoyi Duan,Jianwei Liu,Qishan Zhang

2006-01-01

Abstract:A smartcardbasedschemeisverypractical to authenticate remote user. In2002,Chien-Jan-Tseng proposed amutual authentication scheme using smart card. Butin2004, Ku-chen pointed outtheweaknesses ofChien etal'sscheme andproposed animprovement toChienetal.'s schemetoprevent fromsome weaknesses. However, Hsupointed outthere isstill susceptible toparallel session attack inKu-Chen's scheme. Later, Chien etal. 'sindicated there isanother weakness inKu-Chen's schemeand madean enhancement toresolve suchproblems. Butwefind Chienetal'sschemecan'tresist parallel session attack too. Inthis paper, wemakeamodification of Chien etal. 'sscheme toresolve theproblem.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Debiao He,Jianhua Chen,Jin Hu

2011-01-01

Abstract:Very recently, Sun et al. proposed an improved password authenticated key agreement scheme based on Juang et al.'s scheme. However, after reviewing their scheme and analyzing its security, we find their scheme is vulnerable to two kinds of attacks, i.e., the offline password guessing attack, and the Denial-of-Service (DoS) attack. The analysis shows that Sun's scheme is insecure for practical application. Then, we propose a further improved scheme to eliminate the security vulnerability. Compared with Juang et al.'s scheme and Sun et al.'s scheme, our scheme is more secure and more suitable for real-life applications.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Da-Zhi Sun,Jin-Peng Huai,Ji-Zhou Sun,Jian-Xin Li,Jia-Wan Zhang,Zhi-Yong Feng

DOI: https://doi.org/10.1109/tie.2009.2016508

IF: 7.7

2009-01-01

IEEE Transactions on Industrial Electronics

Abstract:In the IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, vol. 55, no. 6, Juang et al proposed a password-authenticated key agreement scheme using smart cards. Although the scheme of Juang et aL has many benefits, we find that it suffers from three weaknesses: 1) inability of the password-changing operation; 2) the session-key problem; and 3) inefficiency of the double secret keys. Therefore, we propose an improved scheme to overcome the weaknesses and maintain the benefits of the original scheme. In addition, our improved scheme reduces the storage and computation costs on the smart card compared with the scheme of Juang et aL We believe that our improved scheme is more suitable for real-life applications than that of Juang et aL

Xiong Li,Junguo Liao,Jiao Zhang,Jianwei Niu,Saru Kumari

DOI: https://doi.org/10.1109/comcomap.2014.7017176

2014-01-01

Abstract:Recently, Yang et al. Proposed a remote user authentication scheme using smart card. Through careful cryptanalysis, we find that Yang et al.'s scheme is not repairable, and cannot achieve mutual authentication and session key agreement. To overcome these security flaws, we propose a new remote user authentication scheme with smart card. In the proposed scheme, the user can choose his/her password freely and renew the password anytime. At the same time, the proposed scheme provides more functions and security features, such as mutual authentication, session key agreement, perfect forward secrecy and so on.

Jie Gu,Zhi Xue,Yan Zhu,Fangbiao Li

DOI: https://doi.org/10.1049/cp.2012.1864

2012-01-01

Abstract:Mutual authentication is a process or technology in which both entities in a communications link authenticate each other before conducting any business. It is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce and other network application. Recently, Wang et al. proposed an efficient remote authentication scheme using smart cards. They claimed that the scheme can withstand guessing attack, forgery attack, denial of service attack and is easily realized in the practical resource-limited environment. However, we point out that Wang et al.'s scheme suffers from parallel session attack and replay attack. Furthermore, we propose an enhanced remote mutual authentication scheme to eliminate all identified security flaws in the aforementioned scheme.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Dz Sun,Zf Cao

DOI: https://doi.org/10.1007/11540007_73

2005-01-01

Abstract:Very recently, Lee, Kim, and Yoo proposed a modified remote user authentication scheme using smart cards [Computer Standards and Interfaces 27 (2) (2005) 181-183] to prevent the parallel session attack. In this paper, we demonstrate that Lee-Kim-Yoo's scheme is vulnerable to a reflection attack. Therefore, an improved scheme is proposed to resolve previous problems. We conclude that our improved scheme not only withstands the reflection attack and the parallel session attack, but also is more efficient compared with Lee-Kim-Yoo's scheme.

JQ Liu,J Sun,TH Li

DOI: https://doi.org/10.1109/sips.2005.1579870

2005-01-01

Abstract:Based on one-way hash function, Sun proposed an efficient remote login authentication protocol with smart card in 2000. However, in 2002, Chien at al. pointed out a deficiency of Sun's scheme which only realized unilateral authentication and put forward an efficient and practical solution for remote mutual authentication scheme. But recently, Hsu discussed that this scheme was not secure enough since it was vulnerable to the parallel session attack again. In this paper, we give an enhanced remote login authentication with smart card, which inherits all the merits of the previous schemes as well as realizes secure mutual authentication without significantly increasing the computational cost.

Siqiong Fan,Zhenfu Cao,Xiaolei Dong

DOI: https://doi.org/10.1049/cp.2014.1279

2014-01-01

Abstract:Remote user authentication scheme has been widely adopted in the cyberworld to provide security and privacy because of various online threats and insecure communications. In the past few decades, many smart card-based authentication schemes are put forward. In such schemes, a user only need to maintain an identity and a password and employ a smart card to fulfill the authentication with a remote server. In 2014, Lee et al. put forward an authentication scheme using smart based on the hash function. However, we find that novel as it is, the scheme still has some severe security and performance weaknesses such as a verification table should stored in their scheme, it is easy to suffer the stolen verifier attack. Besides, it has the problem of synchronization between the server and users, failure of protecting users' anonymity and it is unfriendly to users since the inability of supporting changing the password freely. In this paper, we propose an improved authentication scheme supporting the Diffie-Hellman key exchange protocol using hash functions and the ElGamal cryptosystem. Besides the drawbacks in Lee et al.'s scheme, our proposed scheme overcomes the offline password guessing attack, man-in-the-middle attack and so on. At last, we show that our scheme is more suitable and secure for practical use.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

Zhen-Fu Cao,Da-Zhi Sun

DOI: https://doi.org/10.1109/ICMLC.2006.259062

2006-01-01

Abstract:For providing the login service in multi-server environments, Fan, Xu, and Li presented a remote user authentication scheme using smart cards. In this paper, we demonstrate that Fan-Xu-Li's scheme is vulnerable to the parallel session attack. That is, when a legal user logs in a server, an adversary without knowing any secret information can easily impersonate the user to log in other authorized servers. It means that a serious security flaw exists in Fan-Xu-Li's scheme. In addition to being practical, it is desirable to avoid relying on timestamps for security in their scheme. We therefore propose an improved scheme to overcome above disadvantages. As a unilateral authentication mechanism, our improved scheme is more suitable for real-life cryptographic applications than Fan-Xu-Li's scheme.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.