Security Weaknesses of Song's Advanced Smart Card Based Password Authentication Protocol

[[abstract]]Password based authentication with smart cards has been adopted as a more secure means in insecure networks to validate the legitimacy of users. Traditional authentication schemes are based on the tamper-resistant smart card; that is, the data stored in the smart card cannot be revealed. However, it is a challenging problem for considering non-tamper-resistant smart cards used in user authentication. Very recently, in 2010, Song proposed an efficient authentication scheme with such non-tamper resistant smart cards based on symmetric key cryptosystems as well as modular exponentiations. In this paper, we will show that Song's scheme is vulnerable to the offline password guessing attack and the insider attack. Besides, this scheme does not provide perfect forward secrecy and does not preserve user anonymity.[[conferencetype]]國際[[conferencelocation]]Shanghai, Chin

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

With the recent proliferation of distributed systems and networking, remote authentication has become a crucial task in many networking applications. Various schemes have been proposed so far for the two-party remote authentication; however, some of them have been proved to be insecure. In this paper, we propose an efficient timestamp-based password authentication scheme using smart cards. We show various types of forgery attacks against a previously proposed timestamp-based password authentication scheme and improve that scheme to ensure robust security for the remote authentication process, keeping all the advantages that were present in that scheme. Our scheme successfully defends the attacks that could be launched against other related previous schemes. We present a detailed cryptanalysis of previously proposed Shen et. al scheme and an analysis of the improved scheme to show its improvements and efficiency.Comment: 6 page

A review and cryptanalysis of similar timestamp-based password authentication schemes using smart cards

The intent of this paper is to review some timestampbased password authentication schemes using smart cards which have similar working principles. Many of the proposed timestampbased password authentication schemes were subsequently found to be insecure. Here, we investigate three schemes with similar working principles, show that they are vulnerable to tricky forgery attacks, and thus they fail to ensure the level of security that is needed for remote login procedure using smart cards. Though there are numerous works available in this field, to the best of our knowledge this is the first time we have found some critical flaws in these schemes that were not detected previously. Along with the proofs of their flaws and inefficiencies, we note down our solution which could surmount all sorts of known attacks and thus reduces the probability of intelligent forgery attacks. We provide a detailed literature review how the schemes have been developed and modified throughout years. We prove that some of the schemes which so far have been thought to be intractable are still flawed, in spite of their later improvements

Cryptanalysis of a DoS-resistant ID-based password authentication

Remote authentication is a method to authenticate remote users over insecure communication channel. Password-based authentication schemes have been widely deployed to verify the legitimacy of remote users. Very recently, Hwang et al. proposed a DoS-resistant ID-based password authentication scheme using smart cards. In the current work, we are concerned with the password security of the Hwang et al.’s scheme. We first show that their scheme is vulnerable to a password guessing attack in which an attacker exhaustively enumerates all possible passwords in an off-line manner to determine the correct one. We then figure out how to eliminate the security vulnerability of their scheme

Robust two-factor smart card authentication

Being very resilient devices, smart cards have been commonly used for two-factor authentication schemes. However, the possibility of side-channel attacks renders private data stored in the cards vulnerable to compromise. With this in mind, we propose an authentication protocol that incorporates a second factor, which is as a password, in addition to the smart card. The scheme is aimed to withstand most common security breaches as well as compromised smart card scenarios and offline dictionary attacks on the passwords. Details of a reference implementation are also given along with performance evaluation of the proposed protocol comparing to the literature. Performance analyses show that the proposed protocol outperforms existing solutions in the literature. Moreover, the computational cost of the proposed protocol is less than 2 seconds on our reference implementation that uses commercially available smart cards