• Title/Summary/Keyword: Password guessing attack

Search Result 70, Processing Time 0.031 seconds

Analysis on Security Vulnerability of Password-based key Exchange and Authentication Protocols (패스워드 기반 키 교환 및 인증 프로토콜의 안전성에 관한 분석)

  • Park, Choon-Sik
    • Journal of Korea Multimedia Society
    • /
    • v.11 no.10
    • /
    • pp.1403-1408
    • /
    • 2008
  • A number of three party key exchange protocols using smart card in effort to reduce server side workload and two party password based key exchange authentication protocols has been proposed. In this paper, we introduce the survey and analysis on security vulnerability of smart card based three party authenticated key exchange protocols. Furthermore, we analyze Kwak et al's password based key exchange and authentication protocols which have shown security weakness such as Shim et al's off-line password guessing attack and propose the countermeasure to deter such attack.

  • PDF

Security Improvement of Remote User Authentication Scheme based on Smart Cards (스마트 카드 기반 사용자 인증 스킴의 보안 개선)

  • Joo, Young-Do;An, Young-Hwa
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.11 no.5
    • /
    • pp.131-137
    • /
    • 2011
  • Recently Lin et al. proposed a simple remote user authentication scheme using smart cards. But the proposed scheme has not satisfied security requirements which should be considered in the user authentication scheme using the password based smart card. In this paper, we show that Lin et al.'s scheme is insecure against off-line password guessing attack. In their scheme, any legal user's password may be derived from the password guessing when his/her smart card is stolen and the secret information is leaked from the smart card by an attacker. Accordingly, we demonstrate the vulnerability of their scheme and present an enhancement to resolve such security weakness. Our proposed scheme can withstand various possible attacks including password guessing attack. Furthermore, this improved scheme can provide mutual authentication to improve the security robustness. Performance evaluation shows that the proposed scheme is relatively more effective than Lin et al.'s scheme.

A Study on Smart-Card Based User Authentication (스마트카드 기반의 사용자 인증 기법에 관한 연구)

  • Lee, Jaeyoung
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.14 no.2
    • /
    • pp.27-33
    • /
    • 2018
  • User authentication scheme is a method for controlling unauthorized users' access to securely share the services and resources provided by the server and for verifying users with access rights. Initial user authentication scheme was based on passwords. Nowadays, various authentication schemes such as ID based, smart-card based, and attribute based are being researched. The study of Lee et al. suggested a user authentication scheme that provides forward secrecy and protects anonymity of users. However, it is vulnerable to attacks by outsiders and attackers who have acquired smart-cards. In this paper, we propose a modified smart-card authentication scheme to complement the weakness of the previous studies. The proposed user authentication scheme provides the security for the ID guessing attack and the password guessing attacks of the attacker who obtained the login request message and the user's smart-card.

Vulnerability Attack for Mutual Password Authentication Scheme with Session Key agreement (세션 키 동의를 제공하는 상호인증 패스워드 인증 스킴에 대한 취약점 공격)

  • Seo Han Na;Choi Youn Sung
    • Convergence Security Journal
    • /
    • v.22 no.4
    • /
    • pp.179-188
    • /
    • 2022
  • Password authentication schemes (PAS) are the most common mechanisms used to ensure secure communication in open networks. Mathematical-based cryptographic authentication schemes such as factorization and discrete logarithms have been proposed and provided strong security features, but they have the disadvantage of high computational and message transmission costs required to construct passwords. Fairuz et al. therefore argued for an improved cryptographic authentication scheme based on two difficult fixed issues related to session key consent using the smart card scheme. However, in this paper, we have made clear through security analysis that Fairuz et al.'s protocol has security holes for Privileged Insider Attack, Lack of Perfect Forward Secrecy, Lack of User Anonymity, DoS Attack, Off-line Password Guessing Attack.

Smart Card Based User Authentication Scheme Secure Against Password Guessing Attack

  • Joo, Young-Do
    • The Journal of Korea Institute of Information, Electronics, and Communication Technology
    • /
    • v.4 no.3
    • /
    • pp.182-188
    • /
    • 2011
  • Recently Yoon et al. proposed the remote user authentication scheme using smart cards. But their scheme has not satisfied security requirements which should be considered in the user authentication scheme using the password based smart card. In this paper, we prove that Yoon et al.'s scheme is vulnerable to a password guessing attack in case that the attacker steals the user's smart card and extracts the information from the smart card. Accordingly, this paper proposes the improved user authentication scheme based on the hash functin and random nonce that can withstand various possible attacks including a password guessing attack. The result of comparative analysis demonstrates that the proposed scheme is more secure and efficient than Yoon et al.'s scheme, with a trivial trade-off to require just a few more exclusive-OR operations.

Security Analysis of Partially Hidden Password Systems Resistant to Shoulder Surfing Attacks

  • Seong, Jin-Taek
    • The Journal of Korea Institute of Information, Electronics, and Communication Technology
    • /
    • v.13 no.1
    • /
    • pp.17-26
    • /
    • 2020
  • As more users use mobile devices, shoulder surfing attacks have emerged as an important issue in security. According to research report, in fact, the result showed that about 30% of smartphone users are hit by shoulder surfing attacks. To this end, in this paper, we consider a shoulder surfing attack and propose a partially hidden password system to resistant to its attack. In order to help readers understand, we describe the proposed password system in more detail using one simple example. The core idea behind the proposed system is to place the user's password randomly in the specified grid instead of entering a password directly. As a result, even if an attacker makes a shoulder surfing attack to observe the password, the user can hide the preset password and defend against the attack. We also show how the security of the password system proposed in this paper is improved. In addition, even if there are consecutive shoulder surfing attacks, the security of the proposed password system is robust.

An Efficient and Reliable Authentication Protocol for Password-based Systems (패스워드 기반 시스템을 위한 효율적이고 안전한 인증 프로토콜의 설계 및 검증)

  • 권태경;강명호;송주석
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.7 no.2
    • /
    • pp.27-42
    • /
    • 1997
  • We propose a new authentication and key distribution protocol which is efficient and reliable for password-based systems. Various guessing attacks have been detected in applying conventional protocols to the password-based systems and additional overheads have been made in refined protocols to defeat those attacks. Using a one-time pad and a strong hash function, our proposed protocol promotes reliability and efficiency. Compared with other protocols, our protocol is secure against various protocol attacks including guessing attacks. In addition, this protocol is efficient in reducing communication and computation costs.

Cryptanalysis of a Remote User Authentication scheme using Smart Cards (스마트카드를 이용한 원격 사용자 인증 스킴의 안전성 분석)

  • Shin, Seung-Soo;Han, Kun-Hee;Chun, Je-Ran
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.12 no.11
    • /
    • pp.5245-5251
    • /
    • 2011
  • Seo et al. criticizes that Hu-Niu-Yang's certification scheme is not enough to satisfy the security requirements of a smart card-based certification scheme because it has a weakness of password guessing attack as well as gives attackers opportunities to be disguised as legitimate users. However, Seo et al. also has a weakness not satisfying the security requirements. This paper suggests a new scheme that contains the characteristics of certification scheme provided by Seo et al. but compensates weak points. The findings show that the new scheme is more safety and efficient than Seo et al.'s

Security Improvement to a Remote User Authentication Scheme for Multi-Server Environment (Multi-Server 환경에서의 사용자 인증 스킴의 안전성 향상)

  • Lee, Young Sook;Kim, Jee Yeon;Won, Dong Ho
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.7 no.4
    • /
    • pp.23-30
    • /
    • 2011
  • Recently, Tsai proposed a remote user authentication scheme suited for multi-server environments, in which users can be authenticated using a single password shared with the registration center. Our analysis shows that Tsai et al's scheme does not achieve its fundamental goal of password security. We demonstrate this by mounting an undetectable on-line password guessing attack on Tsai et al.'s scheme.

Cryptanalysis and Enhancement of the An's Remote User Authentication Scheme using the Smart Cards (스마트카드를 이용한 An의 원격 사용자 인증 스킴의 안전성 분석 및 개선)

  • Shin, Seung-Soo;Han, Kun-Hee
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.12 no.10
    • /
    • pp.4612-4617
    • /
    • 2011
  • Hsiang-Shin proposed a user authentication scheme which was created by improving Yoon's scheme. Afterwards, An showed the failure to meet security requirements which are considered in user authentication using password-based smart card in Hsiang-Shih-suggested scheme. In other words, it was found that an attacker can steal a user's card, and detect a user's password by temporarily accessing it and extracting the information stored in it. However, An-proposed scheme also showed its vulnerability to password-guessing attack and forgery/impersonation attack, etc. and thus, this paper proposed the improved user authentication scheme. The proposed authentication scheme can thwart the password-guessing attack completely and this paper proposed scheme also includes an efficient mutual authentication method that can make it possible for users and authentication server to certify the other party.