
Security Flaws In Two Improved Remote User Authentication Schemes Using Smart Cards

C. Ma, Ding Wang, Sendong Zhao
Published 2014 · Computer Science

Summary

Understanding the security failures of cryptographic protocols is the key both to patching existing protocols and to designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all of its claimed security goals and report the following flaws: (i) it is vulnerable to an offline password guessing attack under their own non-tamper-resistance assumption for the smart card; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced by Wen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen–Li's protocol is vulnerable to an offline password guessing attack and a denial of service attack, and it fails to provide forward secrecy and to preserve user anonymity. Furthermore, drawing on the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable for resisting offline password guessing attacks and for preserving user anonymity under the non-tamper-resistance assumption for the smart card; (ii) there is an unavoidable trade-off between the goals of local password update and resistance to smart card loss attacks; and (iii) at least two exponentiation (or, respectively, elliptic-curve point multiplication) operations on the server side are necessary to achieve forward secrecy.

The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the three proposed principles are valuable to protocol designers for advancing more robust schemes. Copyright © 2012 John Wiley & Sons, Ltd.
This paper references

Cryptanalysis of a password authentication scheme over insecure networks. T. Xiang (2008). DOI: 10.1016/j.jcss.2007.05.001
Cryptanalysis and Improvement of Sood et al.'s Dynamic ID-Based Authentication Scheme. C. Ma (2012). DOI: 10.1007/978-3-642-28073-3_13
Robust smart-cards-based user authentication scheme with user anonymity. Shuhua Wu (2012). DOI: 10.1002/sec.315
Cryptanalysis of Song's advanced smart card based password authentication protocol. J. Tapiador (2011).
Robust Smart Card based Password Authentication Scheme against Smart Card Security Breach. D. Wang (2012).
A secure dynamic identity based authentication protocol for multi-server architecture. S. Sood (2011). DOI: 10.1016/j.jnca.2010.11.011
Password Authentication Schemes: Current Status and Key Issues. C. Tsai (2006). DOI: 10.6633/IJNS.200609.3(2).01
Cryptanalysis of Hsiang-Shih's authentication scheme for multi-server architecture. K. Yeh (2011). DOI: 10.1002/dac.1184
Remote password authentication with smart cards. C. Chang (1991). DOI: 10.1049/IP-E.1991.0022
A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards. W. Horng (2010).
Further Improved Remote User Authentication Scheme. Jung-Yoon Kim (2011). DOI: 10.1587/TRANSFUN.E94.A.1426
Secure password-based remote user authentication scheme with non-tamper resistant smart cards. Ding Wang (2012). DOI: 10.1007/978-3-642-31540-4_9
Security Flaws in a Smart Card Based Authentication Scheme for Multi-server Environment. D. He (2013). DOI: 10.1007/S11277-012-0696-1
New dynamic ID authentication scheme using smart cards. Jia-Lun Tsai (2010). DOI: 10.1002/dac.1118
A large-scale study of web password habits. D. Florêncio (2007). DOI: 10.1145/1242572.1242661
Password Strength: An Empirical Analysis. Matteo Dell'Amico (2010). DOI: 10.1109/INFCOM.2010.5461951
A Real-World Analysis of Kerberos Password Security. T. D. Wu (1999).
Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation. T. Kasper (2011). DOI: 10.1007/978-3-642-25286-0_5
Cryptanalysis of Two Dynamic ID-Based Remote User Authentication Schemes for Multi-server Architecture. Ding Wang (2012). DOI: 10.1007/978-3-642-34601-9_35
Robust authentication and key agreement scheme preserving the privacy of secret key. Ren-Chiun Wang (2011). DOI: 10.1016/j.comcom.2010.04.005
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. J. Bonneau (2012). DOI: 10.1109/SP.2012.49
Two-factor mutual authentication based on smart cards and passwords. G. Yang (2008). DOI: 10.1016/j.jcss.2008.04.002
Foiling the cracker: A survey of, and improvements to, password security. Daniel V. Klein (1992).
Privacy Protection for Transactions of Digital Goods. F. Bao (2001). DOI: 10.1007/3-540-45600-7_23
Robust smart-card-based remote user password authentication scheme. Bae-Ling Chen (2014). DOI: 10.1002/dac.2368
Weaknesses of a dynamic ID-based remote user authentication scheme. Debiao He (2010). DOI: 10.1504/IJESDF.2010.038613
Mobile Privacy in Wireless Networks-Revisited. C. Tang (2008). DOI: 10.1109/TWC.2008.060802
A dynamic ID-based remote user authentication scheme. M. Das (2004). DOI: 10.1109/TCE.2004.1309441
Differential Power Analysis. Siva Sai Yerubandi (2002). DOI: 10.1007/springerreference_213
Two robust remote user authentication protocols using smart cards. K. Yeh (2010). DOI: 10.1016/j.jss.2010.07.062
Anonymity Enhancement on Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards. Xiangxue Li (2010). DOI: 10.1109/TIE.2009.2028351
Robust Smart Card based Password Authentication Scheme against Smart Card Loss Problem. Ding Wang (2012).
Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards. S. Sood (2011). DOI: 10.1080/19393555.2011.560921
Security Analysis of a Nonce-Based User Authentication Scheme Using Smart Cards. Junghyun Nam (2007). DOI: 10.1093/ietfec/e90-a.1.299
Secure Password-based Remote User Authentication Scheme Against Smart Card Security Breach. Ding Wang (2013). DOI: 10.4304/jnw.8.1.148-155
Password authentication with insecure communication. L. Lamport (1981). DOI: 10.1145/358790.358797
An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. X Li (2012).
A New Dynamic ID-Based Remote User Authentication Scheme with Forward Secrecy. C. Ma (2012). DOI: 10.1007/978-3-642-29426-6_24
Examining Smart-Card Security under the Threat of Power Analysis Attacks. Thomas S. Messerges (2002). DOI: 10.1109/TC.2002.1004593
Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme'. M. Khan (2011). DOI: 10.1016/j.comcom.2010.02.011
Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards. Ding Wang (2012). DOI: 10.1016/S1005-8885(11)60307-5
Security Flaws in Three Password-Based Remote User Authentication Schemes with Smart Cards. Kyung-Ah Shim (2012). DOI: 10.1080/01611194.2011.606352
Forward Secrecy and Its Application to Future Mobile Communications Security. DongGook Park (2000). DOI: 10.1007/978-3-540-46588-1_29
A more efficient and secure dynamic ID-based remote user authentication scheme. Y. Wang (2009). DOI: 10.1016/j.comcom.2008.11.008
An improved smart card based password authentication scheme with provable security. J. Xu (2009). DOI: 10.1016/j.csi.2008.09.006
Public-key cryptography and password protocols. S. Halevi (1998). DOI: 10.1145/288090.288118
An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. X. Li (2012). DOI: 10.1016/j.jnca.2011.11.009
Cryptanalysis of a more efficient and secure dynamic id-based remote user authentication scheme. M. A. Ahmed (2010).
Advanced smart card based password authentication protocol. R. Song (2010). DOI: 10.1016/j.csi.2010.03.008
Security enhancement on an improvement on two remote user authentication schemes using smart cards. Tien-Ho Chen (2011). DOI: 10.1016/j.future.2010.08.007
An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme. Juan Qu (2013). DOI: 10.1155/2013/786587
Weaknesses of a Dynamic ID-Based Remote User Authentication Scheme with Session Key Agreement for Multi-server Environment. Mijin Kim (2012). DOI: 10.1007/978-94-007-5083-8_29



This paper is referenced by

Revisiting Anonymous Two-Factor Authentication Schemes for Multi-server Environment. P. Wang (2018). DOI: 10.1007/978-3-030-01950-1_50
Line-scan system for continuous hand authentication. X. Liu (2017). DOI: 10.1117/1.OE.56.3.033106
Cryptanalysis and Improvement of a Secure Mutual Authentication Scheme for Remote Users. Preeti Chandrakar (2019). DOI: 10.1109/ICECCT.2019.8869401
A biometrics and smart cards-based authentication scheme for multi-server environments. Y. Lu (2015). DOI: 10.1002/SEC.1246
Graphical Password Authentication using Images Sequence. M. Ahsan (2017).
An Efficient Two-Factor Remote User Authentication and Session Key Agreement Scheme Using Rabin Cryptosystem. Preeti Chandrakar (2018). DOI: 10.1007/S13369-017-2709-6
Cryptanalysis of Three Password-Based Remote User Authentication Schemes with Non-Tamper-Resistant Smart Card. Chenyu Wang (2017). DOI: 10.1155/2017/1619741
An Efficient Privacy-Preserving Handover Authentication Scheme for Mobile Wireless Network. Jiaqing Mo (2018). DOI: 10.1007/978-3-030-00012-7_45
A Secure Intrusion Detection System for Heterogeneous Wireless Sensor Networks. S. Biswas (2019).
Cryptanalysis and Improvement of "A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks". Mojtaba Alizadeh (2015). DOI: 10.1371/journal.pone.0142716
Addressing Security and Privacy Challenges in Internet of Things. A. Mosenia (2018).
A Robust Authentication Protocol with Privacy Protection for Wireless Sensor Networks. X. Li (2016). DOI: 10.1007/978-3-319-62024-4_3
A Chaotic Maps-Based Authentication Scheme for Wireless Body Area Networks. Gaimei Gao (2016). DOI: 10.1177/155014772174720
Cryptanalysis and an Improvement of New Remote Mutual Authentication Scheme using Smart Cards. M. Karuppiah (2015). DOI: 10.1080/09720529.2015.1013693
A New Dynamic ID-Based User Authentication Scheme Using Mobile Device: Cryptanalysis, the Principles and Design. X. Li (2015). DOI: 10.1007/s11277-015-2737-z
Provably secure RSA-based remote user authentication protocol using passwords. W. Din (2015).
On the Design of Provably Secure Lightweight Remote User Authentication Scheme for Mobile Cloud Computing Services. S. Roy (2017). DOI: 10.1109/ACCESS.2017.2764913
Cryptanalysis of Two Efficient Password-based Authentication Schemes Using Smart Cards. Y. Wang (2015).
Design and analysis of an improved smartcard-based remote user password authentication scheme. S. H. Islam (2016). DOI: 10.1002/dac.2793
Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment. Qi Feng (2018). DOI: 10.1016/j.future.2017.07.040
A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. X. Li (2016). DOI: 10.1002/sec.1214
Cloud-Aided Privacy Preserving User Authentication and Key Agreement Protocol for Internet of Things. Chenyu Wang (2019). DOI: 10.1007/978-981-15-0758-8_8
Offline Password Guessing Attacks on Smart-Card-Based Remote User Authentication Schemes. Xuelei Li (2016). DOI: 10.2991/978-94-6239-145-1_9
Comments on "Provably Secure Dynamic Id-Based Anonymous Two-Factor Authenticated Key Exchange Protocol With Extended Security Model". Xiaowei Li (2019). DOI: 10.1109/TIFS.2018.2866304
An efficient and secure remote user mutual authentication scheme using smart cards for Telecare medical information systems. N. Radhakrishnan (2018). DOI: 10.1016/J.IMU.2018.02.003
for free : Efficient and provably secure two-factor authentication scheme with user. D. Wang (2015).
Revisiting Anonymous Two-Factor Authentication Schemes for IoT-Enabled Devices in Cloud Computing Environments. P. Wang (2019). DOI: 10.1155/2019/2516963
Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme. Chengqi Wang (2016). DOI: 10.1371/journal.pone.0149173
Two-factor authentication in industrial Internet-of-Things: Attacks, evaluation and new construction. W. Li (2019). DOI: 10.1016/J.FUTURE.2019.06.020
A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment. Chenyu Wang (2018). DOI: 10.1155/2018/9062675
Security enhanced multi-factor biometric authentication scheme using bio-hash function. Younsung Choi (2017). DOI: 10.1371/journal.pone.0176250
An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. A. K. Das (2016). DOI: 10.1002/sec.1464

Some data provided by Semantic Scholar.