Yingjie Wang,Jianhua Li,Ling Tie

DOI: https://doi.org/10.1109/ICCCAS.2004.1345926

2004-01-01

Abstract:In 1999, Yang and Shieh proposed a timestamp-based password authentication scheme using smart cards. However, Chan and Fan showed its vulnerability to the forged login attacks, respectively. Also Fan gave a slight modification of the original scheme, which however increases the computation cost of the system. In this paper a more efficient modification of the original scheme is proposed to withstand the forged login attacks.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

R Jiang,L Pan,JH Li

DOI: https://doi.org/10.1016/j.cose.2004.04.002

IF: 5.105

2004-01-01

Computers & Security

Abstract:In this paper, we present further analysis of Yang–Shieh's password authentication schemes. At first, we formally analyze Yang–Shieh's two password authentication schemes on the basis of authentication tests to disclose the insecurity of the two schemes, and then give two kind of examples, one is our attack to the nonce-based scheme and the other is Chan–Cheng's attack (Comput Secur 21 (2002) 74) and Fan–Li–Zhu's attack (Comput Secur 21 (2002) 665) to the timestamp-based scheme. Secondly, we propose an amendment of the timestamp-based scheme to withstand the attacks of Chan–Cheng and Fan–Li–Zhu, and propose our improved nonce-based scheme. Finally, we formally analyze our two improved schemes with the authentication tests, and prove they are secure in password authentication. Our improved schemes preserve the merits of Yang–Shieh's schemes, and the improved timestamp-based scheme can withstand the attacks of Chan–Cheng and Fan–Li–Zhu, and the improved nonce-based scheme is able to prevent malicious replay attacks in the network without synchronized clock or with long transmission delay.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Bin Wang,Jian-Hua Li,Zhi-Peng Tong

DOI: https://doi.org/10.1016/S0167-4048(03)00713-2

IF: 5.105

2003-01-01

Computers & Security

Abstract:Recently, Fan proposed an enhanced scheme to improve the security of Yang-Shieh’s timestamp-based password authentication scheme. The enhanced scheme can withstand the attacks presented by Chan, Cheng and Fan. In this paper, we show that the enhanced scheme is still insecure. An intruder is able to construct a forged login request by intercepting the legitimate login requests and pass the system authentication with a non-negligible probability.

L Fan,Jh Li,Hw Zhu

DOI: https://doi.org/10.1016/S0167-4048(02)01118-5

2002-01-01

Abstract:Yang and Shieh proposed a timestamp-based password authentication scheme. Chan and Cheng proved that it is insecure. In this paper, we will give a further cryptanalysis of the scheme, and give an easier attack on it. Finally, we will propose an improved scheme that can withstand both of the attacks. Compared to other authentication schemes, this improved scheme allows the host to authenticate a user only with his login request. The host need not keep any secret or information of the user.

YJ Wang,JH Li

DOI: https://doi.org/10.1109/tce.2004.1309429

2004-01-01

IEEE Transactions on Consumer Electronics

Abstract:In 1999, Yang and Shieh proposed a timestamp-based password authentication scheme using smart cards. However, Chan and Fan respectively showed its vulnerability to the forged login attacks proposed by them. Also Fan gave a slight modification of the original scheme, but his modification is not so practical. In this paper a more practical modification of the original scheme will be proposed, which can withstand the forged login attack.

Bin Wang,Jian-Hua Li,Zhi-Peng Tong

DOI: https://doi.org/10.1016/s0167-4048(03)00713-2

IF: 5.105

2003-01-01

Computers & Security

Abstract:Recently, Fan proposed an enhanced scheme to improve the security of Yang-Shieh's timestamp-based password authentication scheme. The enhanced scheme can withstand the attacks presented by Chan, Cheng and Fan. In this paper, we show that the enhanced scheme is still insecure. An intruder is able to construct a forged login request by intercepting the legitimate login requests and pass the system authentication with a non-negligible probability.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Debiao He,Jianhua Chen,Jin Hu

2010-01-01

Abstract:The weakness of an exquisite authentication scheme based on smart cards and passwords proposed by Liao et al. (C. H. Liao, H. C. Chen, and C. T. Wang, An Exquisite Mutual Authentication Scheme with Key Agreement Using Smart Card, Informatica, Vol. 33, No. 2, 2009, 125-132.) is analyzed. Five kinds of weakness are presented in different scenarios. The analyses show that Liao et al.'s scheme is insecure for practical application.

Xiong Li,Junguo Liao,Jiao Zhang,Jianwei Niu,Saru Kumari

DOI: https://doi.org/10.1109/comcomap.2014.7017176

2014-01-01

Abstract:Recently, Yang et al. Proposed a remote user authentication scheme using smart card. Through careful cryptanalysis, we find that Yang et al.'s scheme is not repairable, and cannot achieve mutual authentication and session key agreement. To overcome these security flaws, we propose a new remote user authentication scheme with smart card. In the proposed scheme, the user can choose his/her password freely and renew the password anytime. At the same time, the proposed scheme provides more functions and security features, such as mutual authentication, session key agreement, perfect forward secrecy and so on.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Debiao He,Jianhua Chen,Jin Hu

2011-01-01

Abstract:Very recently, Sun et al. proposed an improved password authenticated key agreement scheme based on Juang et al.'s scheme. However, after reviewing their scheme and analyzing its security, we find their scheme is vulnerable to two kinds of attacks, i.e., the offline password guessing attack, and the Denial-of-Service (DoS) attack. The analysis shows that Sun's scheme is insecure for practical application. Then, we propose a further improved scheme to eliminate the security vulnerability. Compared with Juang et al.'s scheme and Sun et al.'s scheme, our scheme is more secure and more suitable for real-life applications.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Saru Kumari,Mridul K. Gupta,Muhammad Khurram Khan,Xiong Li

DOI: https://doi.org/10.1002/sec.906

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:In 2003, Shen et al. proposed a timestamp-based password authentication scheme by using smart card. Later, in 2005 and 2008, this scheme was found susceptible to forged login attacks by some researchers, and improved schemes were proposed. In 2011, Awasthi et al. pointed out an additional security threat on the scheme of Shen et al. and also suggested remedy by proposing an enhanced scheme. In this paper, we analyze the additional attack identified by Awasthi et al. on the scheme of Shen et al. show its flaws and rectify it. Further, we find that the scheme of Awasthi et al. still fails to withstand forged login attack, smart card loss attack, offline password guessing attack, and so on, and also inherits some weaknesses from the original scheme. Therefore, we propose an improved version of the scheme of Awasthi et al. Our improved scheme not only resists the attacks that we depict on the scheme of Awasthi et al. but is also free from the attacks pointed out so far on the scheme of Shen et al. Copyright © 2013 John Wiley & Sons, Ltd.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

JQ Liu,J Sun,TH Li

DOI: https://doi.org/10.1109/sips.2005.1579870

2005-01-01

Abstract:Based on one-way hash function, Sun proposed an efficient remote login authentication protocol with smart card in 2000. However, in 2002, Chien at al. pointed out a deficiency of Sun's scheme which only realized unilateral authentication and put forward an efficient and practical solution for remote mutual authentication scheme. But recently, Hsu discussed that this scheme was not secure enough since it was vulnerable to the parallel session attack again. In this paper, we give an enhanced remote login authentication with smart card, which inherits all the merits of the previous schemes as well as realizes secure mutual authentication without significantly increasing the computational cost.