Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

HT Yeh,HM Sun,BT Hsieh

2004-01-01

IEICE Transactions on Communications

Abstract:Recently, Hwang and Li proposed a smartcard-based remote user authentication scheme. Later, Chan and Cheng showed that Hwang and Li's scheme is insecure against a kind of impersonation attack where a legitimate user can create another valid pair of user identity arid password without knowing the secret key of the remote system. However, an assumption under Chan and Cheng's attack is that the attacker must be a legal user. In this paper, we further present a more fundamental and efficient impersonation attack on Hwang and Li's scheme. Using our attack, any users (including legal and illegal users) can easily get a specific legal user's password, impersonate this specific user to login to the remote system, arid pass the system authentication.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Zhuo Hao,Nenghai Yu

DOI: https://doi.org/10.1109/ISDPE.2010.15

2010-01-01

Abstract:Remote user authentication is a critical component of accessing remote services in distributed applications. In this paper we investigate the security vulnerabilities of a previously proposed remote user authentication scheme. After that we propose a security enhanced remote user password authentication scheme, which effectively prevents the adversary's attacks. The proposed authentication scheme is shown to be secure against password guessing attack, masquerade attack and replay attack. By performance analysis, the proposed scheme is shown to be very efficient, both in the computation and the storage cost. The proposed password authentication scheme is very suitable for providing remote authentication in distributed applications.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Debiao He,Jianhua Chen,Rui Zhang

DOI: https://doi.org/10.1504/IJESDF.2010.038613

2010-01-01

Abstract:The security of a password authentication scheme using smart cards proposed by Khan et al. is analysed. Four kinds of weakness are presented in different scenarios. The analyses show that the scheme is insecure for practical application.

Manoj Kumar

DOI: https://doi.org/10.48550/arXiv.0711.0128

2007-11-01

Abstract:Yoon et al. proposed a new efficient remote user authentication scheme using smart cards to solve the security problems of W. C. Ku and S. M. Chen scheme. This paper reviews Yoon et al. scheme and then proves that the password change phase of Yoon et al. scheme is still insecure. This paper also proves that the Yoon et al. is still vulnerable to parallel session attack.

Cryptography and Security

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Xiong Li,Jianwei Niu,Yazhi Liu,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1504/ijahuc.2014.066423

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Smart card-based password authentication scheme is one of the most simple and efficient method to identify the legitimacy of a user via an insecure channel. To protect the user from tracking by the attacker, many dynamic ID-based user authentication schemes have been proposed. Recently, Chen et al. proposed an efficient and secure dynamic ID-based authentication scheme using smart cards. However, we find that Chen et al.'s scheme cannot really protect user's anonymity and forward secrecy. Besides, their scheme is inefficient in the authentication phase and cannot resist stolen smart card attack. In this paper, we propose a robust dynamic ID-based user authentication scheme using smart cards to cover the above weaknesses, the proposed scheme can really protect the user's anonymity and is more secure comparing with other related schemes.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Rahul Kumar

DOI: https://doi.org/10.1109/ISBAST.2014.7013105

2014-01-01

Abstract:Recently, Chen et al. proposed a remote user authentication scheme for non-tamper-proof storage devices like Universal Serial Bus (USB) stick. A little later, He et al. found that Chen et al.'s scheme suffers from device stolen attack, insider attack and lack of forward secrecy. He et al. improved the scheme by Chen et al. by presenting another scheme. Nonetheless, we detect some security problems in the scheme by He et al.. We show that He et al.'s scheme is vulnerable to off-line password guessing attack. Besides, an attacker can not only impersonate the user impersonation but can also establish a session key with the server, as a result, the scheme lacks proper mutual authentication. Further, the scheme does not protect user's privacy and a user cannot freely change his password at his will as password updating requires interaction with the server.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.6138/jit.2012.13.3.04

2012-01-01

Abstract:As an important mechanism to guarantee secure communication, the authentication scheme has attracted wide attention. Recently, Xu et al. proposed a new authentication scheme and show their scheme is provably secure in the random oracle model under the computational Diffie-Hellman assumption. Unfortunately, in this paper, we will demonstrate that Xu et al.'s scheme is vulnerable to the impersonation attack and the privileged insider attack. We also propose an improved scheme to eliminate the security vulnerability.

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1109/ISBAST.2013.27

2013-01-01

Abstract:Remote user authentication is an important and efficient method to ensure security for many network-based application systems. So far, several dynamic identity based authentication schemes have been proposed to protect the user's anonymity. Recently, Sood pointed out the security weaknesses of a dynamic identity based authentication scheme, which was proposed by Wang et al. presented an improved scheme. However, in this paper, we demonstrate that Sood's scheme cannot resist leak of verifier attack, impersonation attack and server spoofing attack. Furthermore, Sood's scheme cannot achieve mutual authentication between the user and the server. Consequently, in this paper, we propose a new dynamic identity based user authentication scheme using elliptic curve cryptosystem to resolve all the aforementioned problems.

Xiong Li,Junguo Liao,Jiao Zhang,Jianwei Niu,Saru Kumari

DOI: https://doi.org/10.1109/comcomap.2014.7017176

2014-01-01

Abstract:Recently, Yang et al. Proposed a remote user authentication scheme using smart card. Through careful cryptanalysis, we find that Yang et al.'s scheme is not repairable, and cannot achieve mutual authentication and session key agreement. To overcome these security flaws, we propose a new remote user authentication scheme with smart card. In the proposed scheme, the user can choose his/her password freely and renew the password anytime. At the same time, the proposed scheme provides more functions and security features, such as mutual authentication, session key agreement, perfect forward secrecy and so on.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Jingxuan Zhai,Tianjie Cao,Xiuqing Chen,Shi Huang

DOI: https://doi.org/10.14257/ijsia.2015.9.1.37

2015-01-01

International Journal of Security and Its Applications

Abstract:Dynamic ID-based authentication schemes based on password and smart card are widely used to provide two-factor authentication and user anonymity. However, these schemes have one or the other possible security weaknesses. In this paper, we analyze the schemes of Li et al. and Wang et al. published in recent years. After the analysis, we demonstrates that Li et al. 's schemes are vulnerable to off-line password guessing attack if the user's identity is compromised, Li et al.'s scheme cannot withstand the impersonation attack and linkability attack, Wang et al.'s schemes cannot resist off-line password guessing attack if the attacker steals a smart card, Wang et al. 's schemes fail to provide forward security. Our result shows that none of the existing dynamic ID based authentication schemes can achieve all the desirable security goals.