SciELO - Scientific Electronic Library Online

 


Journal of applied research and technology

On-line version ISSN 2448-6736; print version ISSN 1665-6423

J. appl. res. technol vol.11 no.4 Ciudad de México Aug. 2013

 

Smart-card-loss-attack and Improvement of Hsiang et al.'s Authentication Scheme

 

Y. C. Lee

 

Department of Security Technology and Management WuFeng University, Chiayi, 62153, Taiwan. yclee@wfu.edu.tw.

 

ABSTRACT

Because they operate in an open environment, all network systems face various security threats. A remote user authentication scheme is a security mechanism that allows users to obtain a variety of information services through insecure channels. For efficiency and security, many remote user authentication schemes identify users with smart cards. However, many smart-card-based schemes are vulnerable to numerous attacks. Recently, Hsiang et al. proposed a smart-card-based remote authentication scheme. In this article, we show that their scheme is vulnerable to the smart-card-loss-attack: if an unauthorized person obtains the smart card, he/she can guess the correct password and masquerade as a legitimate user to log in to the system. The attack is possible because the smart card outputs a fixed message for the same inputs. We propose an improved scheme to fix the flaw. The improved scheme withstands the off-line password guessing attack, the parallel session attack and the smart-card-loss-attack. Moreover, it provides mutual authentication, requires no verification table, and lets users freely update their passwords.

Keywords: Smart-card-loss-attack, off-line guessing attack, authentication scheme.

 


 

Acknowledgements

This work was partially supported by the National Science Council of the Republic of China under the contract number NSC 101-2632-E-274-001-MY3.

 

References

[1] C. C. Chang and T. C. Wu, "Remote password authentication with smart cards," IEE Proc E-Comput Digit Tech, vol.138, is. 3, pp. 65-168. 1993.

[2] Y. C. Lee and Y. C. Hsieh, "A password authentication scheme with forward secrecy," ICIC EL, vol. 5, no. 4 (A), pp. 1101-1105, 2011.

[3] I. E. Liao et al., "A password authentication scheme over insecure networks," J Comput Sys Sci, vol. 72, no. 4, pp. 727-740, 2006.

[4] C. S. Tsai et al., "Password authentication schemes: current status and key issues," Int J Net Sec, vol. 3, no. 2, pp. 101-115, 2006.

[5] M. Kumar, "A new secure remote user authentication scheme with smart cards," Int J Net Sec, vol. 11, no. 2, pp. 88-93, 2010.

[6] L. Lamport, "Password authentication with insecure communication," Commun ACM, vol. 24, no. 11, pp. 770-772, 1981.

[7] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart cards," IEEE T Consum Electr, vol. 1, no. 46, pp. 28-30, 2000.

[8] H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE T Consum Electr, vol. 4, no. 46, pp. 958-961, 2000.

[9] W. H. Yang and S. P. Shieh, "Password authentication schemes with smart card," COMPSEC, vol. 8, no. 18, pp. 727-733, 1999.

[10] C. M. Chen and W. C. Ku, "Stolen-verifier attack on two new strong-password authentication protocols," IEICE T Commun, vol. E85-B, pp. 2519-2521, 2002.

[11] B. T. Hsieh et al., "On the security of some password authentication protocols," Informatica, vol. 14, no. 2, pp. 195-204, 2003.

[12] S. M. Yen and K. H. Liao, "Shared authentication token secure against replay and weak key attacks," Inform Process Lett, vol. 62, no. 2, pp. 77-80, 1997.

[13] H. Y. Chien et al., "An efficient and practical solution to remote authentication: smart card," COMPSEC, vol. 4, no. 21, pp. 372-375, 2002.

[14] W. C. Ku and S. M. Chen, "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE T Consum Electr, vol. 50, no. 1, pp. 204-207, 2004.

[15] E. J. Yoon et al., "Further improvement of an efficient password based remote user authentication scheme using smart cards," IEEE T Consum Electr, vol. 50, no. 2, pp. 612-614, 2004.

[16] H. C. Hsiang and W. K. Shih, "Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards," Comput Commun, vol. 32, pp. 649-652, 2009.

[17] D. He et al., "Weaknesses of a remote user password authentication scheme using smart card," Int J Net Sec, vol. 13, no. 1, pp. 58-60, 2011.

[18] P. Kocher et al., "Introduction to differential power analysis," J Crypto Eng, vol. 1, is. 1, pp. 5-27, 2011.

Creative Commons License: All content of this journal, except where otherwise noted, is licensed under a Creative Commons License.