Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

SH Wang,F Bao,J Wang

DOI: https://doi.org/10.1093/ietcom/e88-b.4.1641

2005-01-01

IEICE Transactions on Communications

Abstract:In 2002, Zhu et al. proposed a password authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in imbalanced wireless networks. Recently, YEH et al. claimed that Zhu et al.'s protocol not only is insecure against undetectable on-line password guessing attack but also does not achieve explicit key authentication. Thus they presented an improved version. Unfortunately, we find that YEH et al.'s password guessing attack does not come into existence, and that their improved protocol is vulnerable to off-line dictionary attacks. In this paper we describe our observation in details, and also comment for the original protocol on how to achieve explicit key authentication as well as resist against other existent attacks.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Ding WANG,Ping WANG,Zeng-peng LI,Chun-guang MA

2015-01-01

Systems Engineering - Theory & Practice

Abstract:With identity authentication becoming an essential mechanism to ensure robust system security in information systems,RSA-based authentication protocols have been studied intensively for their great practicality.This paper points out that a recent RSA-based remote user two-factor authentication protocol proposed by Xie et al.cannot achieve the claimed security and reports its following flaws:(1) It is vulnerable to replay attack and key compromise impersonation attack;(2) It suffers from the problem of user privacy violation and poor repairability.As our main contribution,an improved scheme is put forward and formally proved secure under the RSA assumption in the random oracle model.As compared with other related schemes,our scheme is the first one that can achieve provable security while keeping the merit of high performance.Consequently,our scheme is more well-suited for mobile application scenarios where resource is severely constrained and security is particularly concerned.

BT Hsieh,HM Sun,T Hwang

DOI: https://doi.org/10.15388/informatica.2003.014

2003-01-01

Informatica

Abstract:In an internet environment, such as UNIX, a remote user has to obtain the access right from a server before doing any job. The procedure of obtaining acess right is called a user authentication protocol. User authentication via user memorable password provides convenience without needing any auxiliary devices, such as smart card. A user authentication protocol via username and password should basically withstand the off-line password guessing attack, the stolen verifier attack, and the DoS attack. Recently, Peyravian and Zunic proposed one password transmission protocol and one password change protocol. Later, Tseng et al. (2001) pointed out that Peyravian and Zunic's protocols can not withstand the off-line password guessing attack, and therefore proposed an improved protocol to defeat the attack. Independently, Hwang and Yeh also showed that Peyravian and Zunic's protocols suffer from some secury flaws, and an improved protocol was also presented. In this paper, we show that both Peyravian and Zunic's protocols and Tseng et al.'s improved protocol are insecure against the stolen verifier attack. Moreover, we show that all Peyravian and Zunic's, Tseng et al.'s, and Hwang and Yeh's protocols are insecure against DoS attack.

Zhuo Hao,Nenghai Yu

DOI: https://doi.org/10.1109/ISDPE.2010.15

2010-01-01

Abstract:Remote user authentication is a critical component of accessing remote services in distributed applications. In this paper we investigate the security vulnerabilities of a previously proposed remote user authentication scheme. After that we propose a security enhanced remote user password authentication scheme, which effectively prevents the adversary's attacks. The proposed authentication scheme is shown to be secure against password guessing attack, masquerade attack and replay attack. By performance analysis, the proposed scheme is shown to be very efficient, both in the computation and the storage cost. The proposed password authentication scheme is very suitable for providing remote authentication in distributed applications.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Lili Xu,Fan Wu

DOI: https://doi.org/10.1007/s10916-014-0179-x

Abstract:Nowadays, connected health care applications are used more and more in the world. Service through the applications can save the patients' time and expense, such as telecare medical information system (TMIS) and integrated electronic patient record (EPR) information system. In the applications, preserving patients' privacy, transmitting messages securely and keeping mutual authentication should all be paid attention. Many authentication schemes have been proposed to make a secure communicating environment. Recently Xie et al. showed that Wen's scheme was insecure because it was under the off-line password guessing attack and without user anonymity and forward security. They gave a new three-factor authentication scheme and claimed that it was secure. However, we find that Xie et al's scheme is vulnerable to the De-synchronization attack and the server has too much storage burden in the scheme. Then we present an improved scheme which overcomes the usual weaknesses and keeps ordinary security characters. Compared with recent schemes of the same kind, our scheme is secure and practical.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

HT Yeh,HM Sun,CT Yang,BC Chen,SM Tseng

2003-01-01

IEICE Transactions on Communications

Abstract:Recently, Zhu et al. proposed an password-based authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in wireless networks. They claimed that the proposed scheme is secure against dictionary attacks. In this paper, we show that the scheme proposed by Zhu et al. is insecure against undetectable on-line password guessing attacks. Furthermore, we examine Zhu et al.'s protocol and find that Zhu et al.'s protocol does not, achieve explicit key authentication. An improved version is then proposed to defeat the undetectable on-line password guessing attacks and also provide explicit key authentication.

Hongwei Sun,Kwokyan Lam,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ICCCAS.2007.6251608

2008-01-01

Abstract:Remote user authentication is important to protect web-based services offered over the Internet. The use of smart cards was proposed to avoid the storage of password table in the server. Further protection of user information in the smart cards can be done by imposing a fingerprint verification mechanism. The Lee, Ryu and Yoo (LRY) scheme which provides both smart card based authentication and fingerprint verification is found to be vulnerable to various attacks. This paper proposed an improvement to the LRY scheme which is able to withstand the attacks of the LRY scheme.

Ding Wang,Ping Wang,Jing Liu

DOI: https://doi.org/10.1109/WCNC.2014.6953015

2014-01-01

Abstract:User authentication is an important security mechanism that allows mobile users to be granted access to roaming service offered by the foreign agent with assistance of the home agent in mobile networks. While security-related issues have been well studied, how to preserve user privacy in this type of protocols still remains an open problem. In this paper, we revisit the privacy-preserving two-factor authentication scheme presented by Li et al. at WCNC 2013. We show that, despite being armed with a formal security proof, this scheme actually cannot achieve the claimed feature of user anonymity and is insecure against offline password guessing attacks, and thus, it is not recommended for practical applications. Then, we figure out how to fix these identified drawbacks, and suggest an enhanced scheme with better security and reasonable efficiency. Further, we conjecture that under the non-tamper-resistant assumption of the smart cards, only symmetric-key techniques are intrinsically insufficient to attain user anonymity.

WANG Ding,WANG Ping,LEI Ming

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.01.028

2015-01-01

Abstract:It remains an open problem to design a secure and efficient RSA-based password-authenticated key exchange (PAKE )protocol in the areas of cryptography .In 2011 ,Wei proposed the first provably secure gateway-oriented PAKE protocol us-ing RSA ,and claimed that the protocol is provably secure in the random oracle model based on the intractability of the integer fac-torization problem .However ,in this short paper ,we point out that an adversary can launch the separation attack on their protocol by exploiting the oracle service unwittingly provided by the server ,and a user’s password can thus be guessed just after tens of mali-cious sessions .Our cryptanalysis result invalidates Wei’s claim that their protocol can achieve the security goal of password protec-tion ,and highlights the damaging threat that separation attack poses to RSA-based PAKE protocols .Furthermore ,we uncover the flaws in their formal security proof and put forward an enhancement to overcome the identified defect .The analysis results show that the improved protocol eliminates the vulnerability of Wei’s protocol while keeping the merit of high performance ,suitable for mo-bile application scenarios .

Manoj Kumar

DOI: https://doi.org/10.48550/arXiv.0711.0128

2007-11-01

Abstract:Yoon et al. proposed a new efficient remote user authentication scheme using smart cards to solve the security problems of W. C. Ku and S. M. Chen scheme. This paper reviews Yoon et al. scheme and then proves that the password change phase of Yoon et al. scheme is still insecure. This paper also proves that the Yoon et al. is still vulnerable to parallel session attack.

Cryptography and Security

De-song Wang,Jian-ping Li,Yuan Tang,Fu-long Xu,Yue-hao Yan

DOI: https://doi.org/10.1142/9789812799524_0026

2008-01-01

Abstract:In the recent several years, Lee et al. and Lin-Lai proposed fingerprint-based remote user authentication schemes using smart cards. But their schemes are vulnerable and susceptible to the attack and have practical pitfalls. Their schemes perform only unilateral authentication (only client authentication). In order to overcome the flaw, Khan and Zhang present a strong remote user authentication scheme by using fingerprint-biometric and smart cards. The proposed scheme is an extended and generalized form of ElGamal's signature scheme whose security is based on discrete logarithm problem, which is not yet forged. In addition, computational costs and efficiency of the proposed scheme are better than other related schemes. But as the time lapses, fingerprint of some people will be changed, such as being burned or being wounded. Once such case happened, the user won't be authentication. So we propose the authentication scheme of remote users by using multimodal biometric (fingerprint and face features) and smart cards. Proposed scheme not only overcome drawbacks and problems of previous schemes, but also provide a stronger and more secure authentication of remote users over insecure network.

Yongge Wang

DOI: https://doi.org/10.48550/arXiv.1207.5497

2012-07-23

Cryptography and Security

Abstract:In this paper, we study the security requirements for remote authentication with password protected smart card. In recent years, several protocols for password-based authenticated key exchange have been proposed. These protocols are used for the protection of password based authentication between a client and a remote server. In this paper, we will focus on the password based authentication between a smart card owner and smart card via an untrusted card reader. In a typical scenario, a smart card owner inserts the smart card into an untrusted card reader and input the password via the card reader in order for the smart card to carry out the process of authentication with a remote server. In this case, we want to guarantee that the card reader will not be able to impersonate the card owner in future without the smart card itself. Furthermore, the smart card could be stolen. If this happens, we want the assurance that an adversary could not use the smart card to impersonate the card owner even though the sample space of passwords may be small enough to be enumerated by an off-line adversary. At the end of this paper, we further extend our results to credential storage on portable non-tamper resistant storage devices such as USB memory sticks.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

Yalin Chen,Jue-Sam Chou*,Chun-Hui Huang

DOI: https://doi.org/10.48550/arXiv.1007.0057

2010-07-01

Abstract:In this paper, we use the ten security requirements proposed by Liao et al. for a smart card based authentication protocol to examine five recent work in this area. After analyses, we found that the protocols of Juang et al.'s , Hsiang et al.'s, Kim et al.'s, and Li et al.'s all suffer from offline password guessing attack if the smart card is lost, and the protocol of Xu et al.'s is subjected to an insider impersonation attack.

Cryptography and Security