SH Wang,F Bao,J Wang

DOI: https://doi.org/10.1093/ietcom/e88-b.4.1641

2005-01-01

IEICE Transactions on Communications

Abstract:In 2002, Zhu et al. proposed a password authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in imbalanced wireless networks. Recently, YEH et al. claimed that Zhu et al.'s protocol not only is insecure against undetectable on-line password guessing attack but also does not achieve explicit key authentication. Thus they presented an improved version. Unfortunately, we find that YEH et al.'s password guessing attack does not come into existence, and that their improved protocol is vulnerable to off-line dictionary attacks. In this paper we describe our observation in details, and also comment for the original protocol on how to achieve explicit key authentication as well as resist against other existent attacks.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Tianjie Cao,Dongdai Lim

DOI: https://doi.org/10.1109/lcomm.2006.1665131

IF: 3.5529

2006-01-01

IEEE Communications Letters

Abstract:In 2002, Zhu et al. proposed a password-based authenticated key exchange protocol based on RSA. Many researchers pointed out that Zhu et al.'s protocol is vulnerable to off-line dictionary attack. In 2003, Yeh et al. proposed an improved protocol. Recently, Lo and Yang-Wang pointed out that Yeh et al.'s improved protocol is also vulnerable to offline dictionary attack. To avoid this weakness existed in Yeh et al.'s protocol, Lo and Yang-Wang proposed two improved protocols. However, in this letter, we show that the Lo protocol is vulnerable to an active off-line dictionary attack and the Yang-Wang protocol is vulnerable to a passive off-line dictionary attack

Ding WANG,Ping WANG,Zeng-peng LI,Chun-guang MA

2015-01-01

Systems Engineering - Theory & Practice

Abstract:With identity authentication becoming an essential mechanism to ensure robust system security in information systems,RSA-based authentication protocols have been studied intensively for their great practicality.This paper points out that a recent RSA-based remote user two-factor authentication protocol proposed by Xie et al.cannot achieve the claimed security and reports its following flaws:(1) It is vulnerable to replay attack and key compromise impersonation attack;(2) It suffers from the problem of user privacy violation and poor repairability.As our main contribution,an improved scheme is put forward and formally proved secure under the RSA assumption in the random oracle model.As compared with other related schemes,our scheme is the first one that can achieve provable security while keeping the merit of high performance.Consequently,our scheme is more well-suited for mobile application scenarios where resource is severely constrained and security is particularly concerned.

WANG Ding,WANG Ping,LEI Ming

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.01.028

2015-01-01

Abstract:It remains an open problem to design a secure and efficient RSA-based password-authenticated key exchange (PAKE )protocol in the areas of cryptography .In 2011 ,Wei proposed the first provably secure gateway-oriented PAKE protocol us-ing RSA ,and claimed that the protocol is provably secure in the random oracle model based on the intractability of the integer fac-torization problem .However ,in this short paper ,we point out that an adversary can launch the separation attack on their protocol by exploiting the oracle service unwittingly provided by the server ,and a user’s password can thus be guessed just after tens of mali-cious sessions .Our cryptanalysis result invalidates Wei’s claim that their protocol can achieve the security goal of password protec-tion ,and highlights the damaging threat that separation attack poses to RSA-based PAKE protocols .Furthermore ,we uncover the flaws in their formal security proof and put forward an enhancement to overcome the identified defect .The analysis results show that the improved protocol eliminates the vulnerability of Wei’s protocol while keeping the merit of high performance ,suitable for mo-bile application scenarios .

BT Hsieh,HM Sun,T Hwang

DOI: https://doi.org/10.15388/informatica.2003.014

2003-01-01

Informatica

Abstract:In an internet environment, such as UNIX, a remote user has to obtain the access right from a server before doing any job. The procedure of obtaining acess right is called a user authentication protocol. User authentication via user memorable password provides convenience without needing any auxiliary devices, such as smart card. A user authentication protocol via username and password should basically withstand the off-line password guessing attack, the stolen verifier attack, and the DoS attack. Recently, Peyravian and Zunic proposed one password transmission protocol and one password change protocol. Later, Tseng et al. (2001) pointed out that Peyravian and Zunic's protocols can not withstand the off-line password guessing attack, and therefore proposed an improved protocol to defeat the attack. Independently, Hwang and Yeh also showed that Peyravian and Zunic's protocols suffer from some secury flaws, and an improved protocol was also presented. In this paper, we show that both Peyravian and Zunic's protocols and Tseng et al.'s improved protocol are insecure against the stolen verifier attack. Moreover, we show that all Peyravian and Zunic's, Tseng et al.'s, and Hwang and Yeh's protocols are insecure against DoS attack.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Shuhong Wang,Jie Wang,Maozhi Xu

DOI: https://doi.org/10.1007/978-3-540-24852-1_30

2004-01-01

Abstract:A password-authenticated key exchange scheme allows two entities, who only share a memorable password, to authenticate each other and to agree on a. cryptographic session key. Instead of considering it in the classic client and server scenarios, Byun et al. recently proposed a password-authenticated key exchange protocol in a cross-realm setting where two clients in different realms obtain a secret session key as well as mutual authentication, with the help of respective servers. In this paper, we first, point out that the proposed protocol is not secure, due to the choice of invalid parameters (say, subgroup generator). Furthermore, we show in detail that, even with properly chosen parameters, the protocol has still some secure flaws. We provide three attacks to illustrate the insecurity of the protocol. Finally, countermeasures are also given, which are believed able to withstand our attacks.

Zhuo Hao,Nenghai Yu

DOI: https://doi.org/10.1109/ISDPE.2010.15

2010-01-01

Abstract:Remote user authentication is a critical component of accessing remote services in distributed applications. In this paper we investigate the security vulnerabilities of a previously proposed remote user authentication scheme. After that we propose a security enhanced remote user password authentication scheme, which effectively prevents the adversary's attacks. The proposed authentication scheme is shown to be secure against password guessing attack, masquerade attack and replay attack. By performance analysis, the proposed scheme is shown to be very efficient, both in the computation and the storage cost. The proposed password authentication scheme is very suitable for providing remote authentication in distributed applications.

Nishant Doshi,Saru Kumari,Dheerendra Mishra,Xiong Li,Kim-Kwang Raymond Choo,Arun Kumar Sangaiah

DOI: https://doi.org/10.1007/s11042-017-4701-2

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:In this digital era, where Internet of Things (IoT) is increasing day by day, use of resource constrained devices is also increasing. Indeed, the features such as low cost, less maintenance, more adaptive to hostile environment, etc. make the wireless multimedia devices to be the best choice as the resource constrained devices. For the security, the end user device requires to establish the session key with the server before transferring the data. Mobile is one of the device having more and more usage as wireless multimedia device in recent years. In 2013, Li et al. proposed an efficient scheme for the wireless mobile communications and claimed it to be secure against various attacks. Recently, Shen et al. claimed that the scheme of Li et al. is still vulnerable to the privileged insider attack, the stolen verifier attack and finally proposed a scheme to withstand the mentioned and other attacks. However, in this paper we claim that the scheme of Shen et al. is still susceptible to the user anonymity, the session specific temporary information attack and the replay attack. In addition, Shen et al.’s scheme requires more time due to many operations. Further, we propose an efficient scheme that is secure against various known attacks and due to reduced time complexity our scheme is a preferred choice for the wireless mobile networks and hence for wireless multimedia systems.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

WANG Ying-jie,LUO Wei,XU Xiao-fei

DOI: https://doi.org/10.3969/j.issn.1002-0802.2009.11.031

2009-01-01

Abstract:Authenticated key exchange (AKE) protocols are designed to allow mutual authentication and generation of a cryptographically-secure session key. For wireless security, the password-based authentication scheme is usually vulnerable to dictionary attack though might have a low system cost. This paper proposes an ID authentication-based key exchange scheme for wireless security, which has light computational overhead, is resistant to impersonation attack, and also of other security attributes.

Debiao He,Jianhua Chen

DOI: https://doi.org/10.1504/ijesdf.2012.049754

2014-01-01

Abstract:Recently, Zeng et al. proposed a three-party password-based authenticated key exchange protocol, in which two users could generate a common secret key with the help of the server. Although Zeng et al. claimed that their protocol could withstand various attacks, we point out that their protocol cannot resist impersonation attacks and undetectable online dictionary attacks. The analysis shows Zeng et al.'s protocol is insecure for practical applications.

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

He Debiao,Chen Jianhua,Hu Jin

2010-01-01

Abstract:He Debiao, Chen Jianhua, Hu Jin School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei 430072, China hedebiao@163.com Abstract: Recently, Abdalla et al. proposed a new gateway-oriented password-based authenticated key exchange (GPAKE) protocol among a client, a gateway, and an authentication server, where each client shares a human-memorable password with a trusted server so that they can resort to the server for authentication when want to establish a shared session key with the gateway. In the letter, we show that a malicious client of GPAKE is still able to gain information of password by performing an undetectable on-line password guessing attack and can not provide the implicit key confirmation. At last, we present a countermeasure to against the attack.

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.