Two-factor mutual authentication based on smart cards and passwords

Yang, Guomin; Wong, Duncan S.; Wang, Huaxiong; Deng, Xiaotie

doi:10.1016/j.jcss.2008.04.002

Cited by 170 publications

(116 citation statements)

References 25 publications

Supporting

Mentioning

110

Contrasting

Order By: Relevance

“…Note that the above two assumptions, which are also made in the latest works [7,9,10], are indeed reasonable: (1) Assumption i is accordant with the common adversary model introduced in Section 1; and (2) Assumption ii is also practical in consideration of the state-of-art side-channel attack techniques [12][13][14]. In the following discussions of the security flaws of Yeh et al's scheme, based on the above two assumptions, we assume that  can extract the secret values {V, R, b} stored in the legitimate user's smart card, and the attacker can also intercept or block the login request message {C 2 , h(ID i ), T u } from U i and the reply message {C 3 , T s } from S. As described in Yeh et al's scheme, mainly two countermeasures are employed to remedy the identified flaws in Hsiang and Shih's scheme: (1) user's ID is concealed by use of a non-invertible hash function to double the difficulty of mounting an offline password guessing attack; (2) a session key is agreed to resist against server impersonation attack.…”

Section: Cryptanalysis Of Yeh Et Al's Schemementioning

confidence: 93%

“…This seminal scheme was later refined and used in a number of applications, notably Haller's famous S/KEY onetime password system [4]. Later on, Chang and Wu [5] introduced the smart cards into remote user authentication schemes, since then there have been many smart card based password authentication schemes proposed [6][7][8][9][10]. In such schemes, the user is equipped with a smart card and a password as identification verifiers.…”

Section: Introductionmentioning

confidence: 99%

“…The common adversary model to evaluate the security of authentication protocols using smart cards assumes an attacker with full control over the communication channel between the user and the remote server [7,10,11]. Accordingly, all the messages exchanged can be blocked, intercepted, deleted, or modified by the attacker, and the attacker can also insert his/her own fabricated messages.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Breaking a Robust Remote User Authentication Scheme Using Smart Cards

Wang

Zhao

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail.

show abstract

Section: Cryptanalysis Of Yeh Et Al's Schemementioning

confidence: 93%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Breaking a Robust Remote User Authentication Scheme Using Smart Cards

Wang

Zhao

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Now that smart cards can be tampered, why we do not choose cheap USB memory sticks instead of expensive smart cards? Or equally, what's the rationale under these propositions [20,25,31,50,51,55,57,59] that endeavor to construct two-factor authentication schemes using non-tamper resistant smart cards rather than memory sticks? To the best of our knowledge, until now, little attention has been given to this question.…”

Section: Adversary Models For Smart-card-based Authentication and Formentioning

confidence: 99%

“…To identify the differences in security provisions offered by two-factor authentication schemes using these two different devices, we need to discuss the realistic capabilities that an attacker may have under these two different authentication environments. On the basis of the studies [50,54,57,59], the following assumptions are made on the capabilities of the adversary M in the smart-card-based environment: S(i) M can fully control the communication channel between the user and the server. In other words, she can inject, modify, block, and delete messages exchanged in the channel at will.…”

Section: Adversary Models For Smart-card-based Authentication and Formentioning

confidence: 99%

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Wang

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

show abstract

Mobile device integration of a fingerprint biometric remote authentication scheme

Lee

Hsu

2011

Int J Communication

View full text Add to dashboard Cite

Various user authentication schemes with smart cards have been proposed. Generally, researchers implicitly assume that the contents of a smart card cannot be revealed. However, this is not true. An attacker can analyze the leaked information and obtain the secret values in a smart card. To improve on this drawback, we involve a fingerprint biometric and password to enhance the security level of the remote authentication scheme Our scheme uses only hashing functions to implement a robust authentication with a low computation property. Copyright (C) 2011 John Wiley & Sons, Ltd

show abstract

Two-factor mutual authentication based on smart cards and passwords

Cited by 170 publications

References 25 publications

Breaking a Robust Remote User Authentication Scheme Using Smart Cards

Breaking a Robust Remote User Authentication Scheme Using Smart Cards

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

Mobile device integration of a fingerprint biometric remote authentication scheme

Contact Info

Product

Resources

About