http://dx.doi.org/10.9708/jksci.2010.15.1.139

Cryptanalysis and Enhancement of a Remote User Authentication Scheme Using Smart Cards  

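Lee, Young-Sook (Howon University, Division of Cyber Investigation and Police)
Won, Dong-Ho (Sungkyunkwan University, School of Electrical, Electronic and Computer Engineering)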
Abstract
A remote user authentication scheme is a two-party protocol whereby an authentication server in a distributed system confirms the identity of a remote individual logging on to the server over an untrusted, open network. In 2005, Liao et al. proposed a remote user authentication scheme using a smart card, in which users can be authenticated anonymously. Recently, Yoon et al. discovered some security flaws in Liao et al.'s authentication scheme and proposed an improved version of the scheme to fix them. In this article, we review the improved authentication scheme by Yoon et al. and provide a security analysis of it. Our analysis shows that Yoon et al.'s scheme guarantees neither any kind of authentication (server-to-user or user-to-server) nor password security. The contribution of the current work is to demonstrate these weaknesses by mounting two attacks, a server impersonation attack and a user impersonation attack, as well as an off-line dictionary attack on Yoon et al.'s scheme. In addition, we propose an enhanced authentication scheme that eliminates the security vulnerabilities of Yoon et al.'s scheme.
Keywords
Authentication scheme; User anonymity; Impersonation attack; Off-line dictionary attack