• Journal of the Korea Society of Computer and Information
• /
• v.24 no.10
• /
• pp.41-48
• /
• 2019

In 2018, Cui et al proposed a three-factor remote user authentication scheme using biometrics. Cui et al claimed that their authentication scheme is vulnerable to eavesdropping attack, stolen smart card attack, and especially Dos(denial-of-service) attack. Also they claimed that it is safe to password guessing attack, impersonation attack, and anonymity attack. In this paper, however, we analyze Cui et al's authentication scheme and show that it is vulnerable to replay attack, insider attack, stolen smart card attack, and user impersonation attack, etc. In addition, we present the design flaws in Cui et al's authentication scheme as well.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.10
• /
• pp.101-108
• /
• 2021

In this paper, we analyze Shin's proposed dynamic ID-based user authentication scheme for TMIS(Telecare Medicine Information System), and Shin's authentication scheme is vulnerable to smart card loss attacks, allowing attackers to acquire user IDs, which enables user impersonation attack. In 2019, Shin's proposed authentication scheme attempted to generate a strong random number using ECC, claiming that it is safe to lose a smart card because it is impossible to calculate random number r'i due to the difficulty of the ECC algorithm without knowing random number ri. However, after analyzing Shin's authentication scheme in this paper, the use of transmission messages and smart cards makes it easy to calculate random numbers r'i, which also enables attackers to generate session keys. In addition, Shin's authentication scheme were analyzed to have significantly greater overhead than other authentication scheme, including vulnerabilities to safety analysis, the lack of a way to pass the server's ID to users, and the lack of biometric characteristics with slightly different templates.

• Journal of the Korea Society of Computer and Information
• /
• v.28 no.7
• /
• pp.67-75
• /
• 2023

In this paper, we analyze the problem of the user authentication scheme that provides dynamic ID in a multi-server environment proposed by Andola et al. and propose an improved authentication one to solve this problem. As a result of analyzing the authentication scheme of Andrea et al. in this paper, it is not safe for smart card loss attack, and this attack allows users to guess passwords, and eventually, the attacker was able to generate session key. This paper proposed an improved authentication scheme to solve these problems, and as a result of safety analysis, it was safe from various attacks such as smart card loss attack, password guess attack, and user impersonation attack. Also the improved authentication scheme not only provides a secure dynamic ID, but is also effective in terms of the computational complexity of the hash function. In addition, the improved authentication scheme does not significantly increase the amount of transmission, so it can be said to be an efficient authentication scheme in terms of transmission cost.

• Journal of the Korea Society of Computer and Information
• /
• v.29 no.6
• /
• pp.53-60
• /
• 2024

In this paper, we analyze the authentication scheme of Hwang et al. proposed in 2023 and propose a new authentication scheme that improves its problems. Hwang et al. claimed that their authentication scheme was practical and secure, but as a result of analysis in this paper, it is possible to attack the password/ID guessing attack and session key disclosure attack due to insider attack and stolen smart card attack. In addition, Hwang et al.'s authentication scheme, which provides user anonymity, does not provide user untraceability due to its unstable design. The proposed authentication scheme, which improves these problems, not only provides user untraceability, but also is secure for stolen smart card attack, insider attack, session key disclosure attack, and replay attack. In addition, except for one fuzzy extraction operation, it shows the same complexity or very similar one as related authentication schemes. Therefore, the proposed authentication scheme can be said to be an authentication scheme with safety and practicality.

• Journal of the Korea Society of Computer and Information
• /
• v.18 no.2
• /
• pp.87-94
• /
• 2013

In this paper, we analyse the weaknesses of authentication scheme preserving user anonymity proposed by Khan et al in 2011 and we propose a new authentication schemes preserving user anonymity that improved these weaknesses. Khan et al's authentication scheme is vulnerable to insider attack and doesn't provide user anonymity to the server. Also, this scheme is still a weakness of wrong password input by mistake in spite of proposing the password change phase. In this paper, we will show that Khan et al's scheme is vulnerable to the stolen smart card attack and the strong server/user masquerade attack. The proposed authentication scheme propose the improved user anonymity, which can provide more secure privacy to user by improving these weaknesses.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.95-101
• /
• 2016

With the rapid development of Internet and communication network technology, various studies had proceeded to develop the technology of wireless sensor networks. Authentication schemes for user and sensor are critical and important security issue to use wireless sensors legally. First, Das introduce a user authentication scheme using smart card and password for wireless sensor networks, various studies had proceeded. Chem et al. suggested a secure user authentication scheme against smart card loss attack but Chen et al. scheme does not still resolve some security vulnerability such as perfect forward secrecy, session key exposure by gateway node, anonymity, and the password check. To resolve the problems, this paper proposes a security enhanced user authentication using the fuzzy extraction, elliptic curves cryptography and dynamic ID and analyzes the security.

• Journal of the Korea Society of Computer and Information
• /
• v.19 no.10
• /
• pp.99-106
• /
• 2014

In this paper, we analyze weaknesses of the biometrics-based user authentication scheme proposed by An. The result of analysis An's authentication scheme by the login success scenario proposed in this paper, if the attacker successes to get user's random number, he/she can pass user authentication phase of the legal server. Also the biometrics guessing scenario proposed in this paper shows the legal user's the biometric information is revealed in lost smart card. Since An's authentication scheme submit user ID and biometrics in plain text to the server, it is very vulnerable to inner attack and it is not provide the user anonymity to the server as well as the one to the third by user ID in plain text. Besides An's authentication scheme is contextual error too, due to this, it has weakness and so on that it did not check the validity of the smart card holder.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.39B no.6
• /
• pp.333-340
• /
• 2014

Despite the security weakness of reusing passwords, many Internet users are likely to use a single ID and password on various sites to avoid the inconvenience of remembering multiple credentials. This paper proposes a scheme for securely storing, retrieving, and updating randomly chosen (ID, password) pairs by using smart cards as secure and portable storages. The scheme makes a user free from remembering her (ID, password) pairs for Internet accesses. By splitting and scattering the (ID, password) pairs of a user across the user's smart card memory and a remote server's storage, it can protect the logon credentials even from the theft or loss of the smart card. Also, a user, if deemed necessary, can issue and let the server to delete all information belonging to the user. Hence even an attacker who cracked the smart card memory would not be able to obtain any (ID, password) pair of the victim thereafter. The scheme requires a user to input a site information and pass-phrase to her smart card to obtain the logon credentials, but it should be an acceptable overhead considering the benefits of not remembering the freely chosen (ID, password) pairs at all.

• Journal of the Korea Society of Computer and Information
• /
• v.25 no.2
• /
• pp.93-103
• /
• 2020

The telecare medical information system (TMIS) supports convenient and rapid health-care services. A secure and efficient authentication and key agreement scheme for TMIS provides safeguarding electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Giri et al. proposed an RSA-based remote user authentication scheme using smart cards for TMIS and claimed that their scheme could resist various malicious attacks. In this paper, we point out that their scheme is still vulnerable to lost smart card attacks and replay attacks and propose an improved scheme to prevent the shortcomings. As compared with the previous authentication schemes for TMIS, the proposed scheme is more secure and practical.

• Journal of the Korea Society of Computer and Information
• /
• v.28 no.10
• /
• pp.93-101
• /
• 2023

In this paper, as a result of analyzing the TMIS authentication protocol using ECC and biometric information proposed by Chen-Chen in 2023, there were security problems such as user impersonation attack, man-in-the-middle attack, and user anonymity. Therefore, this paper proposes an improved authentication protocol that provides user anonymity to solve these problems. As a result of analyzing the security of the protocol proposed in this paper, it was analyzed to be secure for various attacks such as offline password guessing attack, user impersonation attack, smart-card loss attack, insider attack, perfect forward attack. It has also been shown to provided user privacy by guaranteeing user anonymity and untraceability, which must be guaranteed in TMIS. In addition, there was no significant increase in computational complexity, so the efficiency of execution time was achieved. Therefore, the proposed protocol in this paper is a suitable user authentication protocol for TMIS.