
On vulnerability analysis of several password authentication protocols

  • S.I. : ICACNI 2014
  • Innovations in Systems and Software Engineering

Abstract

In this work, we argue that the use of computationally intensive mathematical operations in password authentication protocols can introduce a security vulnerability into the protocol. We formulate a generalized cryptanalysis algorithm for mounting a clogging attack (a form of denial of service) on protocols that rely on computationally intensive modular exponentiation to guarantee security. We then apply this technique to four recent password authentication protocols and find all four of them prone to the clogging attack. The first, by Yang et al., is a password-based authentication scheme that preserves identity privacy. This protocol does not use timestamps. The second protocol we analyze is by Islam. It is a smart card-based remote user password authentication protocol that uses timestamps. The third, by Jiang et al., is a password-based authentication protocol that does not use smart cards. Finally, the last protocol we analyze is by Wang et al. It is a recent smart card-based authentication protocol claimed to be immune to the DoS attack. The protocols differ either in the factors they use (smart cards, memory drives, etc.) or in the way they communicate (use of encryption, nonces, timestamps, etc.). What they have in common is their use of computationally intensive modular exponentiation as the means of authentication. We conclude that the strengths of all the protocols, e.g., Yang et al. (use of a nonce and encryption) or Islam (use of timestamps), can be combined to prevent the clogging attack on the protocols.
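The cost asymmetry the abstract describes, as an added illustration that is not code from the paper and does not model any of the four analysed protocols: a hypothetical server that counts modular exponentiations with and without cheap timestamp and nonce checks placed ahead of the expensive step. The modulus, exponent, freshness window and request layout are assumptions constructed for the demo, and the gate shown filters only stale and replayed requests.

```python
# Assumed demo parameters (not from the paper): a 2048-bit odd modulus and a
# fixed server exponent, constructed only to make the exponentiation costly.
P = (1 << 2048) - 159
SERVER_SECRET = (1 << 2047) + 12345
WINDOW = 60  # seconds within which a timestamp counts as fresh


class Server:
    """Hypothetical login endpoint that tallies its modular exponentiations."""

    def __init__(self, gated):
        self.gated = gated
        self.seen_nonces = set()
        self.modexp_count = 0

    def handle(self, request, now):
        """request = (value, nonce, timestamp); returns a verdict string."""
        value, nonce, ts = request
        if self.gated:
            # Cheap checks first: one integer comparison and one set lookup.
            if abs(now - ts) > WINDOW:
                return "rejected: stale timestamp"
            if nonce in self.seen_nonces:
                return "rejected: replayed nonce"
            self.seen_nonces.add(nonce)
        # The expensive operation the clogging attack forces the server to run.
        self.modexp_count += 1
        pow(value, SERVER_SECRET, P)
        return "processed"


def run(gated, requests, now):
    """Feed all requests to one server; return (modexp count, verdicts)."""
    server = Server(gated)
    verdicts = [server.handle(r, now) for r in requests]
    return server.modexp_count, verdicts


def demo():
    now = 1_000_000
    legit = (0xC0FFEE, "n-1", now - 5)
    # Constructed flood: one captured message replayed 50 times, plus 50
    # messages carrying an hour-old timestamp.
    flood = [legit] * 50 + [(0xBAD, f"s-{i}", now - 3600) for i in range(50)]
    requests = [legit] + flood
    return run(False, requests, now), run(True, requests, now)


if __name__ == "__main__":
    (ungated, _), (gated, _) = demo()
    print(f"modexps without gate: {ungated}, with gate: {gated}")
```
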


References

  1. Chen BL, Kuo WC, Wuu LC (2012) A secure password-based remote user authentication scheme without smart cards. Inf Technol Control 41(1):53–59

  2. Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389. doi:10.1002/dac.2368

  3. Harish P, Roy S (2014) Energy oriented vulnerability analysis on authentication protocols for cps. In: 2014 IEEE international conference on distributed computing in sensor systems (DCOSS), pp 367–371. doi:10.1109/DCOSS.2014.52

  4. Islam SH (2014) Design and analysis of an improved smartcard-based remote user password authentication scheme. Int J Commun Syst. doi:10.1002/dac.2793

  5. Jiang Q, Ma J, Li G, Ma Z (2013) An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 42(2):113–123

  6. Jiang Q, Ma J, Li G, Ma Z (2013) Improvement of robust smart-card-based password authentication scheme. Int J Commun Syst

  7. Li CT, Lee CC (2012) A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Math Comput Model 55(12):35–44. doi:10.1016/j.mcm.2011.01.010. http://www.sciencedirect.com/science/article/pii/S0895717711000136. (Advanced Theory and Practice for Cryptography and Future Security)

  8. Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371. doi:10.1016/j.jnca.2013.02.034. http://www.sciencedirect.com/science/article/pii/S1084804513000726

  9. Orman H (1998) The OAKLEY key determination protocol

  10. Rhee HS, Kwon JO, Lee DH (2009) A remote user authentication scheme without using smart cards. Comput Stand Interfaces 31(1):6–13. doi:10.1016/j.csi.2007.11.017. http://www.sciencedirect.com/science/article/pii/S0920548907001158

  11. Song R (2010) Advanced smart card based password authentication protocol. Comput Stand Interfaces 32(5–6):321–325. doi:10.1016/j.csi.2010.03.008

  12. Wang D, Ma C, Zhang QM, Zhao S (2013) Secure password-based remote user authentication scheme against smart card security breach. JNW 8(1):148–155

  13. Yang FY, Hsu CW, Chiu SH (2014) Password authentication scheme preserving identity privacy. In: 2014 Sixth international conference on measuring technology and mechatronics automation (ICMTMA), pp 443–447. doi:10.1109/ICMTMA.2014.108

Acknowledgments

The authors would like to thank the anonymous reviewers of ICACNI 2014 who helped to improve the quality of the paper.

Corresponding author

Correspondence to Swapnoneel Roy.

Additional information

A preliminary version of this paper received the Best Paper award at ICACNI 2014.

We use the terms scheme and protocol interchangeably in this work.

Cite this article

Garrett, K., Talluri, S.R. & Roy, S. On vulnerability analysis of several password authentication protocols. Innovations Syst Softw Eng 11, 167–176 (2015). https://doi.org/10.1007/s11334-015-0250-x

  • DOI: https://doi.org/10.1007/s11334-015-0250-x
