XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Siqiong Fan,Zhenfu Cao,Xiaolei Dong

DOI: https://doi.org/10.1049/cp.2014.1279

2014-01-01

Abstract:Remote user authentication scheme has been widely adopted in the cyberworld to provide security and privacy because of various online threats and insecure communications. In the past few decades, many smart card-based authentication schemes are put forward. In such schemes, a user only need to maintain an identity and a password and employ a smart card to fulfill the authentication with a remote server. In 2014, Lee et al. put forward an authentication scheme using smart based on the hash function. However, we find that novel as it is, the scheme still has some severe security and performance weaknesses such as a verification table should stored in their scheme, it is easy to suffer the stolen verifier attack. Besides, it has the problem of synchronization between the server and users, failure of protecting users' anonymity and it is unfriendly to users since the inability of supporting changing the password freely. In this paper, we propose an improved authentication scheme supporting the Diffie-Hellman key exchange protocol using hash functions and the ElGamal cryptosystem. Besides the drawbacks in Lee et al.'s scheme, our proposed scheme overcomes the offline password guessing attack, man-in-the-middle attack and so on. At last, we show that our scheme is more suitable and secure for practical use.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Baoyuan Kang,Jinguang Han,Qingju Wang

DOI: https://doi.org/10.1109/ICCET.2010.5486299

2010-01-01

Abstract:Wang et al. presented a remote password authentication scheme using IC (integrated Circuit)cards in 2004. Recently, Cheng et al. pointed that the Wang et al.'s scheme is unable to withstand the forgery attack. They consequently proposed a novel version to resist the forgery attack. Although Cheng et al. claimed that their scheme is secure against all known attacks and more practical in application than other IC-card-based authentication schemes, in this paper, we show that Cheng et al. scheme is vulnerable to the guessing attack, parallel session attack and key-compromise attack. To remedy these flaws, this paper proposes an improvement over Cheng et al. scheme with more security.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

XiaoYi Duan,Jianwei Liu,Qishan Zhang

DOI: https://doi.org/10.1109/ICCIAS.2006.295440

2006-01-01

Abstract:A smart card based scheme is very practical to authenticate remote user. In 2002, Chien-Jan-Tseng proposed a mutual authentication scheme using smart card. But in 2004, Ku-chen pointed out the weaknesses of Chien et al's scheme and proposed an improvement to Chien et al.'s scheme to prevent from some weaknesses. However, Hsu pointed out there is still susceptible to parallel session attack in Ku-Chen's scheme. Later, Chien et al.'s indicated there is another weakness in Ku-Chen's scheme and made an enhancement to resolve such problems. But we find Chien et al's scheme can't resist parallel session attack too. In this paper, we make a modification of Chien et al.'s scheme to resolve the problem.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.6138/jit.2012.13.3.04

2012-01-01

Abstract:As an important mechanism to guarantee secure communication, the authentication scheme has attracted wide attention. Recently, Xu et al. proposed a new authentication scheme and show their scheme is provably secure in the random oracle model under the computational Diffie-Hellman assumption. Unfortunately, in this paper, we will demonstrate that Xu et al.'s scheme is vulnerable to the impersonation attack and the privileged insider attack. We also propose an improved scheme to eliminate the security vulnerability.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Zhen-Fu Cao,Da-Zhi Sun

DOI: https://doi.org/10.1109/ICMLC.2006.259062

2006-01-01

Abstract:For providing the login service in multi-server environments, Fan, Xu, and Li presented a remote user authentication scheme using smart cards. In this paper, we demonstrate that Fan-Xu-Li's scheme is vulnerable to the parallel session attack. That is, when a legal user logs in a server, an adversary without knowing any secret information can easily impersonate the user to log in other authorized servers. It means that a serious security flaw exists in Fan-Xu-Li's scheme. In addition to being practical, it is desirable to avoid relying on timestamps for security in their scheme. We therefore propose an improved scheme to overcome above disadvantages. As a unilateral authentication mechanism, our improved scheme is more suitable for real-life cryptographic applications than Fan-Xu-Li's scheme.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Rahul Kumar

DOI: https://doi.org/10.1109/ISBAST.2014.7013105

2014-01-01

Abstract:Recently, Chen et al. proposed a remote user authentication scheme for non-tamper-proof storage devices like Universal Serial Bus (USB) stick. A little later, He et al. found that Chen et al.'s scheme suffers from device stolen attack, insider attack and lack of forward secrecy. He et al. improved the scheme by Chen et al. by presenting another scheme. Nonetheless, we detect some security problems in the scheme by He et al.. We show that He et al.'s scheme is vulnerable to off-line password guessing attack. Besides, an attacker can not only impersonate the user impersonation but can also establish a session key with the server, as a result, the scheme lacks proper mutual authentication. Further, the scheme does not protect user's privacy and a user cannot freely change his password at his will as password updating requires interaction with the server.

Xiaoyi Duan,Jianwei Liu,Qishan Zhang

2006-01-01

Abstract:A smartcardbasedschemeisverypractical to authenticate remote user. In2002,Chien-Jan-Tseng proposed amutual authentication scheme using smart card. Butin2004, Ku-chen pointed outtheweaknesses ofChien etal'sscheme andproposed animprovement toChienetal.'s schemetoprevent fromsome weaknesses. However, Hsupointed outthere isstill susceptible toparallel session attack inKu-Chen's scheme. Later, Chien etal. 'sindicated there isanother weakness inKu-Chen's schemeand madean enhancement toresolve suchproblems. Butwefind Chienetal'sschemecan'tresist parallel session attack too. Inthis paper, wemakeamodification of Chien etal. 'sscheme toresolve theproblem.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Fang-fang KE,Xi-lin TANG,Qi-heng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.07.048

2010-01-01

Abstract:Thel protocol proposed by Rhee H S et al(Computer Standards & Interfaces, 2009, No.1) uses mobile equipment to replace smart card to reduce risk and cost, but it exists some demerits. Aiming at this problem, based on Chan-Cheng attack case, it points out that the protocol can not resist impersonation attack and off-line password guessing attack. In order to overcome these drawbacks, it gives the improved scheme. Experimental results show this scheme is strongly resistant to both of these attacks, which keeps the password secret and authenticating ID.