LiuJiqiang,ZhongSheng

DOI: https://doi.org/10.5555/1568357.1568366

2009-01-01

Cryptologia

Abstract:Password authentication is a type of authentication protocol for communications over an insecure network. Recently, Kim, Jeon, and Yoo gave an improvement of Yang-Shieh password authentication sche...

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

R Jiang,L Pan,JH Li

DOI: https://doi.org/10.1016/j.cose.2004.04.002

IF: 5.105

2004-01-01

Computers & Security

Abstract:In this paper, we present further analysis of Yang–Shieh's password authentication schemes. At first, we formally analyze Yang–Shieh's two password authentication schemes on the basis of authentication tests to disclose the insecurity of the two schemes, and then give two kind of examples, one is our attack to the nonce-based scheme and the other is Chan–Cheng's attack (Comput Secur 21 (2002) 74) and Fan–Li–Zhu's attack (Comput Secur 21 (2002) 665) to the timestamp-based scheme. Secondly, we propose an amendment of the timestamp-based scheme to withstand the attacks of Chan–Cheng and Fan–Li–Zhu, and propose our improved nonce-based scheme. Finally, we formally analyze our two improved schemes with the authentication tests, and prove they are secure in password authentication. Our improved schemes preserve the merits of Yang–Shieh's schemes, and the improved timestamp-based scheme can withstand the attacks of Chan–Cheng and Fan–Li–Zhu, and the improved nonce-based scheme is able to prevent malicious replay attacks in the network without synchronized clock or with long transmission delay.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Yingjie Wang,Jianhua Li,Ling Tie

DOI: https://doi.org/10.1109/ICCCAS.2004.1345926

2004-01-01

Abstract:In 1999, Yang and Shieh proposed a timestamp-based password authentication scheme using smart cards. However, Chan and Fan showed its vulnerability to the forged login attacks, respectively. Also Fan gave a slight modification of the original scheme, which however increases the computation cost of the system. In this paper a more efficient modification of the original scheme is proposed to withstand the forged login attacks.

Xiong Li,Jianwei Niu,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1002/dac.2676

2015-01-01

Abstract:AbstractIn the authentication scheme, it is important to ensure that the user's identity changed dynamically with the different sessions, which can protect the user's privacy information from being tracked. Recently, Chang et al. proposed an untraceable dynamic identity-based remote user authentication scheme with verifiable password update. However, our analysis show that the property of untraceability can easily be broken by the legal user of the system. Besides, we find the scheme of Chang et al. vulnerable to offline password guessing attack, impersonation attack, stolen smart card attack, and insider attack. Copyright © 2013 John Wiley & Sons, Ltd.

Tianjie Cao,Yong Zhang

2009-01-01

Journal of Computational Information Systems

Abstract:Lee, Kim and Yoo proposed an efficient remote user authentication scheme based smart cards. The Lee-Kim-Yoo scheme uses random nonces to resist replay attack and allows users to choose and change their passwords freely. Moreover, the Lee-Kim-Yoo scheme is very efficient in computation. However, this paper shows that the Lee-Kim-Yoo scheme is vulnerable to a parallel session attack and a denial-of-service attack. We also propose an improved protocol on the Lee-Kim-Yoo scheme to solve these problems. Copyright © 2009 Binary Information Press.

BT Hsieh,HM Sun,T Hwang

DOI: https://doi.org/10.15388/informatica.2003.014

2003-01-01

Informatica

Abstract:In an internet environment, such as UNIX, a remote user has to obtain the access right from a server before doing any job. The procedure of obtaining acess right is called a user authentication protocol. User authentication via user memorable password provides convenience without needing any auxiliary devices, such as smart card. A user authentication protocol via username and password should basically withstand the off-line password guessing attack, the stolen verifier attack, and the DoS attack. Recently, Peyravian and Zunic proposed one password transmission protocol and one password change protocol. Later, Tseng et al. (2001) pointed out that Peyravian and Zunic's protocols can not withstand the off-line password guessing attack, and therefore proposed an improved protocol to defeat the attack. Independently, Hwang and Yeh also showed that Peyravian and Zunic's protocols suffer from some secury flaws, and an improved protocol was also presented. In this paper, we show that both Peyravian and Zunic's protocols and Tseng et al.'s improved protocol are insecure against the stolen verifier attack. Moreover, we show that all Peyravian and Zunic's, Tseng et al.'s, and Hwang and Yeh's protocols are insecure against DoS attack.

SH Wang,F Bao,J Wang

DOI: https://doi.org/10.1093/ietcom/e88-b.4.1641

2005-01-01

IEICE Transactions on Communications

Abstract:In 2002, Zhu et al. proposed a password authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in imbalanced wireless networks. Recently, YEH et al. claimed that Zhu et al.'s protocol not only is insecure against undetectable on-line password guessing attack but also does not achieve explicit key authentication. Thus they presented an improved version. Unfortunately, we find that YEH et al.'s password guessing attack does not come into existence, and that their improved protocol is vulnerable to off-line dictionary attacks. In this paper we describe our observation in details, and also comment for the original protocol on how to achieve explicit key authentication as well as resist against other existent attacks.

KF Chen,S Zhong

DOI: https://doi.org/10.1016/s0167-4048(03)00012-9

IF: 5.105

2003-01-01

Computers & Security

Abstract:The Yang-Shieh authentication is a time-stamp based password authentication scheme that uses smart cards [1]. In [2,3], various attacks on this scheme are described. However, an enhancement of the scheme is proposed in [3] and enables the scheme to resist these existing attacks. In this paper, we show two new attack that can break the enhanced scheme. We further point out that the fundamental computational assumption of the Yang-Shieh authentication scheme is incorrect.

Juan E. Tapiador,Julio C. Hernandez-Castro,P. Peris-Lopez,John A. Clark

DOI: https://doi.org/10.48550/arXiv.1111.2744

2011-11-11

Abstract:Song \cite{Song10} proposed very recently a password-based authentication and key establishment protocol using smart cards which attempts to solve some weaknesses found in a previous scheme suggested by Xu, Zhu, and Feng \cite{XZF09}. In this paper, we present attacks on the improved protocol, showing that it fails to achieve the claimed security goals.

Cryptography and Security

Bin Wang,Jian-Hua Li,Zhi-Peng Tong

DOI: https://doi.org/10.1016/S0167-4048(03)00713-2

IF: 5.105

2003-01-01

Computers & Security

Abstract:Recently, Fan proposed an enhanced scheme to improve the security of Yang-Shieh’s timestamp-based password authentication scheme. The enhanced scheme can withstand the attacks presented by Chan, Cheng and Fan. In this paper, we show that the enhanced scheme is still insecure. An intruder is able to construct a forged login request by intercepting the legitimate login requests and pass the system authentication with a non-negligible probability.

Xun Yi

DOI: https://doi.org/10.1109/nss.2010.97

2010-09-01

Abstract:Typical protocols for password-based authentication assumes a single server which stores all the passwords necessary to authenticate users. If the server is compromised, user passwords are disclosed. To address this issue, Yang et al. proposed a practical password-based two-server authentication and key exchange protocol, where a front-end server, keeping one share of a password, and a back-end server, holding another share of the password, cooperate in authenticating a user and, meanwhile, establishing a secret key with the user. In this paper, we present two “half-online and half-offline” attacks to Yang et al.'s protocol. By these attacks, user passwords can be determined once the back-end server is compromised. Therefore, Yang et al.'s protocol has no essential difference from a password-based single-server authentication protocol.

L Fan,Jh Li,Hw Zhu

DOI: https://doi.org/10.1016/S0167-4048(02)01118-5

2002-01-01

Abstract:Yang and Shieh proposed a timestamp-based password authentication scheme. Chan and Cheng proved that it is insecure. In this paper, we will give a further cryptanalysis of the scheme, and give an easier attack on it. Finally, we will propose an improved scheme that can withstand both of the attacks. Compared to other authentication schemes, this improved scheme allows the host to authenticate a user only with his login request. The host need not keep any secret or information of the user.

Jingxuan Zhai,Tianjie Cao,Xiuqing Chen,Shi Huang

DOI: https://doi.org/10.14257/ijsia.2015.9.1.37

2015-01-01

International Journal of Security and Its Applications

Abstract:Dynamic ID-based authentication schemes based on password and smart card are widely used to provide two-factor authentication and user anonymity. However, these schemes have one or the other possible security weaknesses. In this paper, we analyze the schemes of Li et al. and Wang et al. published in recent years. After the analysis, we demonstrates that Li et al. 's schemes are vulnerable to off-line password guessing attack if the user's identity is compromised, Li et al.'s scheme cannot withstand the impersonation attack and linkability attack, Wang et al.'s schemes cannot resist off-line password guessing attack if the attacker steals a smart card, Wang et al. 's schemes fail to provide forward security. Our result shows that none of the existing dynamic ID based authentication schemes can achieve all the desirable security goals.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.