Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Xiong Li,Junguo Liao,Jiao Zhang,Jianwei Niu,Saru Kumari

DOI: https://doi.org/10.1109/comcomap.2014.7017176

2014-01-01

Abstract:Recently, Yang et al. Proposed a remote user authentication scheme using smart card. Through careful cryptanalysis, we find that Yang et al.'s scheme is not repairable, and cannot achieve mutual authentication and session key agreement. To overcome these security flaws, we propose a new remote user authentication scheme with smart card. In the proposed scheme, the user can choose his/her password freely and renew the password anytime. At the same time, the proposed scheme provides more functions and security features, such as mutual authentication, session key agreement, perfect forward secrecy and so on.

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.6138/jit.2012.13.3.04

2012-01-01

Abstract:As an important mechanism to guarantee secure communication, the authentication scheme has attracted wide attention. Recently, Xu et al. proposed a new authentication scheme and show their scheme is provably secure in the random oracle model under the computational Diffie-Hellman assumption. Unfortunately, in this paper, we will demonstrate that Xu et al.'s scheme is vulnerable to the impersonation attack and the privileged insider attack. We also propose an improved scheme to eliminate the security vulnerability.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1002/sec.1305

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Nowadays, smart-card-based user authentication becomes one of the most important security issues. But many schemes of that kind are under different attacks. Recently, Kumari et al. pointed that Chen et al.'s scheme and Li et al.'s scheme with the smart card were not secure. They proposed two improved schemes. Unfortunately, we find that the two schemes are not secure. The first scheme of Kumari et al. is under the de-synchronization attack and lacks strong forward security. The second has the weaknesses including no user anonymity and password leaking. Also, it cannot withstand the user-impersonation attack. We present a new scheme also based on the smart card overcoming common disadvantages and give a formal proof. We also use the tool ProVerif to verify the security of our scheme. Compared with some recent schemes, our scheme performs well, and it is fit for network applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Guomin Yang,Duncan S. Wong,Huaxiong Wang,Xiaotie Deng

DOI: https://doi.org/10.1016/j.jcss.2008.04.002

IF: 1.043

2008-01-01

Journal of Computer and System Sciences

Abstract:One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.

Anyang Tang,Chunxiang Xu

DOI: https://doi.org/10.1109/icccas.2007.6251611

2007-01-01

Abstract:In this paper, we present a password authenticated key agreement scheme for remote systems. The proposed sheme is built on bilinear pairings. Compared with Juang et al's scheme and Shieh et al's, the proposed scheme provides perfect forward secrecy. Moreover, the proposed scheme has a password update option, which enables the users to update their passwords freely and securely.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

DENG Feijin,FAN Lei,SHI Jianjun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.24.062

2005-01-01

Abstract:The dynamic password authentication mechanism is an important development direction of authentication.But in many dynamic password authentication schemes,user’s authentication data are transferred masking with the verifiers stored in the server.Once the verifier is stolen,the attacker can forge authentication data.Therefore,those schemes are vulnerable to theft attacks.Recently a new scheme named 2GR is proposed and showes that it can resist stolen-verifier attack.But the 2GR can’t provide protection against denial of service attack,and doesn’t provide mutual authentication.This paper proposes a revised scheme using smart cards,which eliminates such problems.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Debiao He,Jianhua Chen,Jin Hu

2011-01-01

Abstract:Very recently, Sun et al. proposed an improved password authenticated key agreement scheme based on Juang et al.'s scheme. However, after reviewing their scheme and analyzing its security, we find their scheme is vulnerable to two kinds of attacks, i.e., the offline password guessing attack, and the Denial-of-Service (DoS) attack. The analysis shows that Sun's scheme is insecure for practical application. Then, we propose a further improved scheme to eliminate the security vulnerability. Compared with Juang et al.'s scheme and Sun et al.'s scheme, our scheme is more secure and more suitable for real-life applications.

Yingjie Wang,Jianhua Li,Ling Tie

DOI: https://doi.org/10.1109/ICCCAS.2004.1345926

2004-01-01

Abstract:In 1999, Yang and Shieh proposed a timestamp-based password authentication scheme using smart cards. However, Chan and Fan showed its vulnerability to the forged login attacks, respectively. Also Fan gave a slight modification of the original scheme, which however increases the computation cost of the system. In this paper a more efficient modification of the original scheme is proposed to withstand the forged login attacks.

Xiangxue Li,Weidong Qiu,Dong Zheng,Kefei Chen,Jianhua Li

DOI: https://doi.org/10.1109/TIE.2009.2028351

IF: 7.7

2010-01-01

IEEE Transactions on Industrial Electronics

Abstract:By exploiting a smart card, this paper presents a robust and efficient password-authenticated key agreement scheme. This paper strengthens the security of the scheme by addressing untraceability property such that any third party over the communication channel cannot tell whether or not he has seen the same (unknown) smart card twice through the authentication sessions. The proposed remedy also pr...

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Tianjie Cao,Shi Huang

DOI: https://doi.org/10.12733/jcis8346

2013-01-01

Journal of Computational Information Systems

Abstract:Two-factor anonymous authentication using password and smart card could preserve user privacy and reduce the risk than the use of a single authentication factor. Recently, Chang et al. pointed some security weaknesses in Wang et al.’s anonymous authentication scheme and proposed enhanced scheme. They claimed that their scheme provides desired security properties. However, we show that Chang et al.’s scheme is still vulnerable to the off-line dictionary attack and denial of service attacks. To resist these attacks, we propose an improved two-factor authentication and key agreement scheme with user anonymity.

TANG Hongbin,LIU Xinsoug

DOI: https://doi.org/10.3778/j.issn.1002-8331.2012.19.016

2012-01-01

Computer Engineering and Applications Journal

Abstract:A smart card based remote user authentication scheme is more secure than a password-based authentication scheme.In 2011,Chen et al.proposed an improvement on Hsiang et al.'s remote user authentication scheme,and claimed their scheme was more secure than Hsiang et al.'s scheme.However,their scheme is still vulnerable to insider attack,lost smart card attack,replay attack,and impersonation attack.To overcome the dictionary attack against lost smart card,a user authentication scheme based on smart card and elliptic curve discrete logarithm problem is proposed.This scheme is proved to be secure agaisnt various attacks and needs only one elliptic curve scale multiplication in the login and authentication phases.

Yuesheng Zhu,Bojun Wang,Cheng Cai

DOI: https://doi.org/10.17706/ijcce.2016.5.3.196-205

2016-01-01

International Journal of Computer and Communication Engineering

Abstract:Traditional smart-card oriented authentication schemes provide a secure method for authorized users to login a remote server through insecure networks. Many modified schemes are presented to enhance the security properties, which include mutual authentication, various attacks resistance, table-free in server, etc. However, the authentication procedures become complicated with abovementioned enhancements, so these enhanced schemes are not practical solutions for the smart card based authentication system. Moreover, since the master key stored in a single server is a sensitive and long-lived secrecy, it is vulnerable to an adversary's agelong attack. Therefore, in this paper, we present an efficient mutual authentication scheme, which provides a practical solution for an industrial application system using smart cards. In addition, our scheme implements the proactive secret sharing method, namely, the master key is divided into several distributed keys, which are separately stored in different servers. Our scheme provides a mechanism to update all distributed keys in every time interval, and detect and then recover the corrupted distributed keys, as well.