Abstract
In this work, we argue that the use of computationally intensive mathematical operations in password authentication protocols can introduce security vulnerabilities. We formulate a generalized cryptanalysis algorithm for mounting a clogging attack (a form of denial of service) on protocols that rely on computationally intensive modular exponentiation to guarantee security. We then apply this technique to four recent password authentication protocols and find all four prone to the clogging attack. The first, by Yang et al., is a password-based authentication scheme that preserves identity privacy; it does not use timestamps. The second, by Islam, is a smart card-based remote user password authentication protocol that uses timestamps. The third, by Jiang et al., is a password-based authentication protocol that does not use smart cards. The last, by Wang et al., is a recent smart card-based authentication protocol claimed to be immune to the DoS attack. The protocols differ in the factors they use (smart cards, memory drives, etc.) or in how they communicate (encryption, nonces, timestamps, etc.), but all of them use computationally intensive modular exponentiation as the medium of authentication. We conclude that the strengths of the protocols, e.g., Yang et al. (use of nonces and encryption) or Islam (use of timestamps), can be combined to prevent the clogging attack.
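The mitigation direction named in the abstract, as an added illustration (not code from the paper or from any of the four protocols): a server that checks timestamp freshness and nonce reuse before the modular exponentiation, compared with one that exponentiates first. The modulus, message fields, freshness window and all names are assumptions made for this example.

```python
import secrets

# All values below are constructed for this example, not taken from the paper.
MODULUS = (1 << 2048) - 159           # 2048-bit odd modulus, sized for cost only
SECRET_EXP = secrets.randbits(2048) | 1   # hypothetical server-side secret exponent
FRESH_WINDOW = 5.0                    # seconds a timestamp is accepted (assumed)


class Server:
    def __init__(self, gated):
        self.gated = gated            # True: run cheap checks before the modexp
        self.seen_nonces = set()      # only needs entries younger than FRESH_WINDOW
        self.modexp_calls = 0         # how much expensive work requests caused

    def handle(self, req, now):
        """Process one login request and return the outcome as a string."""
        if self.gated:
            if abs(now - req["ts"]) > FRESH_WINDOW:
                return "rejected: stale timestamp"
            if req["nonce"] in self.seen_nonces:
                return "rejected: replayed nonce"
            self.seen_nonces.add(req["nonce"])
        # Stand-in for a protocol's verification step: one modular exponentiation.
        self.modexp_calls += 1
        ok = pow(req["value"], SECRET_EXP, MODULUS) == req["proof"]
        return "verified" if ok else "rejected: bad verifier"


def replay_flood(gated, copies=50):
    """Replay one captured valid request; return (modexp count, outcomes)."""
    server = Server(gated)
    value = secrets.randbelow(MODULUS - 2) + 2
    captured = {"ts": 1000.0, "nonce": secrets.token_hex(16), "value": value,
                "proof": pow(value, SECRET_EXP, MODULUS)}
    outcomes = [server.handle(captured, now=1000.0 + 0.01 * i)
                for i in range(copies)]
    return server.modexp_calls, outcomes


if __name__ == "__main__":
    for gated in (False, True):
        calls, outcomes = replay_flood(gated)
        print(f"gated={gated}: {calls} modexps, last outcome: {outcomes[-1]}")
```

A request with a fresh timestamp and an unseen nonce still reaches the exponentiation, so in this example the cheap checks bound the cost of replayed traffic only.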
References
Chen BL, Kuo WC, Wuu LC (2012) A secure password-based remote user authentication scheme without smart cards. Inf Technol Control 41(1):53–59
Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389. doi:10.1002/dac.2368
Harish P, Roy S (2014) Energy oriented vulnerability analysis on authentication protocols for cps. In: 2014 IEEE international conference on distributed computing in sensor systems (DCOSS), pp 367–371. doi:10.1109/DCOSS.2014.52
Islam SH (2014) Design and analysis of an improved smartcard-based remote user password authentication scheme. Int J Commun Syst. doi:10.1002/dac.2793
Jiang Q, Ma J, Li G, Ma Z (2013) An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 42(2):113–123
Jiang Q, Ma J, Li G, Ma Z (2013) Improvement of robust smart-card-based password authentication scheme. Int J Commun Syst
Li CT, Lee CC (2012) A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Math Comput Model 55(12):35–44. doi:10.1016/j.mcm.2011.01.010. http://www.sciencedirect.com/science/article/pii/S0895717711000136. (Advanced Theory and Practice for Cryptography and Future Security)
Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371. doi:10.1016/j.jnca.2013.02.034. http://www.sciencedirect.com/science/article/pii/S1084804513000726
Orman H (1998) The OAKLEY key determination protocol
Rhee HS, Kwon JO, Lee DH (2009) A remote user authentication scheme without using smart cards. Comput Stand Interfaces 31(1):6–13. doi:10.1016/j.csi.2007.11.017. http://www.sciencedirect.com/science/article/pii/S0920548907001158
Song R (2010) Advanced smart card based password authentication protocol. Comput Stand Interfaces 32(5–6):321–325. doi:10.1016/j.csi.2010.03.008
Wang D, Ma C, Zhang QM, Zhao S (2013) Secure password-based remote user authentication scheme against smart card security breach. JNW 8(1):148–155
Yang FY, Hsu CW, Chiu SH (2014) Password authentication scheme preserving identity privacy. In: 2014 Sixth international conference on measuring technology and mechatronics automation (ICMTMA), pp 443–447. doi:10.1109/ICMTMA.2014.108
Acknowledgments
The authors would like to thank the anonymous reviewers of ICACNI 2014 who helped to improve the quality of the paper.
Additional information
A preliminary version of this paper received the Best Paper award at ICACNI 2014.
We use the terms scheme and protocol interchangeably in this work.
Cite this article
Garrett, K., Talluri, S.R. & Roy, S. On vulnerability analysis of several password authentication protocols. Innovations Syst Softw Eng 11, 167–176 (2015). https://doi.org/10.1007/s11334-015-0250-x
DOI: https://doi.org/10.1007/s11334-015-0250-x