Cryptanalysis and security enhancement of a ‘more efficient &amp; secure dynamic ID-based remote user authentication scheme’

Khan, Muhammad Khurram; Kim, Soo-Kyun; Alghathbar, Khaled

doi:10.1016/j.comcom.2010.02.011

Cited by 214 publications

(140 citation statements)

References 24 publications

Supporting

Mentioning

139

Contrasting

Unclassified

Order By: Relevance

“…Since Chang and Wu [9] developed the first smart-card-based password authentication scheme in 1991, there have been ample (in the hundreds) of this type of schemes proposed [15,20,23,26,28,31,48,53,57,58]. Unfortunately, as stated in [34,45], although there has been no lack of literature, it remains an immature area -all existing schemes are far from ideal and each has been shown to be either insecure or short of important features.…”

Section: Introductionmentioning

confidence: 97%

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Wang

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

show abstract

Section: Introductionmentioning

confidence: 97%

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Wang

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In recent years, many dynamic identity-based remote login schemes [6,[16][17][18][19][20][21] have been proposed to provide mutual authentication between the user and the remote server. In any dynamic identity-based remote login scheme, users' anonymity [6,7,22] is an important security requirement.…”

Section: Users' Anonymity Problemmentioning

confidence: 99%

“…The ability to provide security guarantees is of paramount importance and several initiatives have been proposed to address this concern. Due to the low computation cost and portability of smartcard and easy memorization of user chosen password, two-factor smartcard authentication [2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21] using password is commonly used in Internet-based applications such as remote user/server login, online banking, Pay-TV, electronic voting, secret online order placement.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of an Improved Smartcard-based Remote Password Authentication Scheme

Islam¹,

Biswas²,

Choo³

2014

Inf. Sci. Lett.

View full text Add to dashboard Cite

Abstract:In recent years, several dynamic identity-based two-factor user authentication using password and smartcard have been proposed to provide mutual authentication between the user and server over unreliable networks. However, the design of secure cryptographic schemes is still notoriously hard, and there have been several instances of detected flaws in published schemes. For example in 2010, Hao and Yu demonstrated that Wang et al.'s user authentication scheme is insecure against off-line password guessing and server masquerade attacks, and proposed an improved scheme. Subsequently in 2012, Chao pointed out that the improved scheme of Hao and Yu is, unfortunately, susceptible to off-line password guessing and server masquerade attacks, and prone to password backward security problem; and proposed an enhanced scheme. In this paper, we demonstrated that Chao's enhanced scheme is not secure against user masquerade attack, server masquerade attack, insider attack and off-line password guessing attack in violation of its security claim as well as it fails to achieve users' anonymity.

show abstract

“…As a good and new method to deal with ID theft, Das's scheme draws much attention. However, from then on, many authors raised concerns [19,20] about Das's scheme and devised a variety of improved schemes. In 2005, Chien and Chen [21] criticized Das's scheme of its incapability of preserving user anonymity and proposed an enhanced one.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of Three Password-Based Remote User Authentication Schemes with Non-Tamper-Resistant Smart Card

Wang¹,

Xu²

2017

Security and Communication Networks

View full text Add to dashboard Cite

Remote user authentication is the first step to guarantee the security of online services. Online services grow rapidly and numerous remote user authentication schemes were proposed with high capability and efficiency. Recently, there are three new improved remote user authentication schemes which claim to be resistant to various attacks. Unfortunately, according to our analysis, these schemes all fail to achieve some critical security goals. This paper demonstrates that they all suffer from offline dictionary attack or fail to achieve forward secrecy and user anonymity. It is worth mentioning that we divide offline dictionary attacks into two categories: (1) the ones using the verification from smart cards and (2) the ones using the verification from the open channel. The second is more complicated and intractable than the first type. Such distinction benefits the exploration of better design principles. We also discuss some practical solutions to the two kinds of attacks, respectively. Furthermore, we proposed a reference model to deal with the first kind of attack and proved its effectiveness by taking one of our cryptanalysis schemes as an example.

show abstract

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Cited by 214 publications

References 24 publications

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Cryptanalysis of an Improved Smartcard-based Remote Password Authentication Scheme

Cryptanalysis of Three Password-Based Remote User Authentication Schemes with Non-Tamper-Resistant Smart Card

Contact Info

Product

Resources

About