An improved DoS-resistant ID-based password authentication scheme without using smart card

Journal of Electronics (China)

Abstract

In 2010, Hwang et al. proposed a ‘DoS-resistant ID-based password authentication scheme using smart cards’ as an improvement of Kim-Lee-Yoo’s ‘ID-based password authentication scheme’. In this paper, we cryptanalyze Hwang et al.’s scheme and point out that a revealed session key could threaten the security of the scheme. We demonstrate that extracting information from smart cards is equivalent to knowing the session key. Thus, known session key attacks are also effective under the assumption that the adversary can obtain the information stored in the smart cards. We propose an improved scheme, with security analysis, to remedy the weaknesses of Hwang et al.’s scheme. The new scheme not only keeps all the merits of the original, but also provides several additional phases to improve flexibility. Finally, the improved scheme is more secure, efficient, practical, and convenient, because an elliptic curve cryptosystem is introduced and the expensive smart cards and synchronized clock system are replaced by mobile devices and nonces.

References

  1. L. Lamport. Password authenticated with insecure communication. Communications of the Association for Computing Machinery, 24(1981)11, 770–772.

  2. H. S. Kim, S. W. Lee, and K. Y. Yoo. ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Operating Systems Review, 37(2003)4, 32–41.

  3. X. F. Leng. Smart card application and security. Information Security Tech. Report, 14(2009)2, 36–45.

  4. P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proceedings of 19th Annual International Cryptology Conference, California, USA, August 1999, 388–397.

  5. T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(2002)5, 541–552.

  6. S. K. Kim and M. G. Chung. More secure remote user authentication scheme. Computer Communications, 32(2009)6, 1018–1021.

  7. M. S. Hwang, S. K. Chong, and T. Y. Chen. DoS-resistant ID-based password authentication scheme using smart cards. Journal of System and Software, 83 (2010)1, 163–172.

  8. J. Xu, W. T. Zhu, and D. G. Feng. An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 31(2009)4, 723–728.

  9. S. W. Lee, H. S. Kim, and K. Y. Yoo. Improvement of Chien et al.’s remote user authentication scheme using smart cards. Computer Standards & Interfaces, 27 (2005)2, 181–183.

  10. N. Y. Lee and Y. C. Chiu. Improved remote authentication scheme with smart card. Computer Standards & Interfaces, 27(2005)2, 177–180.

  11. H. S. Rhee, J. O. Kwon, and D. H. Lee. A remote user authentication scheme without using smart cards. Computer Standards & Interfaces, 31(2009)1, 6–13.

  12. C. I. Fan, Y. C. Chan, and Z. K. Zhang. Robust remote authentication scheme with smart cards. Computers & Security, 24(2005)8, 619–628.

  13. M. K. Khan and J. Zhang. Improving the security of a flexible biometrics remote user authentication scheme. Computer Standards & Interfaces, 29(2007)1, 82–85.

  14. J. H. Yang and C. C. Chang. An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Computers & Security, 28(2009)3–4, 138–143.

  15. D. Hankerson, A. Menezes, and S. Vanstone. Guide to elliptic curve cryptography. New York, USA, Springer-Verlag, 2004, 75–147.

  16. N. Koblitz. Elliptic curve cryptosystem. Mathematics of Computation, 48(1987), 203–209.

  17. V. S. Miller. Use of elliptic curves in cryptography. Proceedings of 5th Annual International Cryptology Conference, California, USA, August 1985, 417–426.

  18. T. Aura, P. Nikander, and J. Leiwo. DoS-resistant authentication with client puzzles. In Proceedings of the Eighth International Workshop on Security Protocols, Cambridge, UK, April 2011, Lecture Notes in Computer Science (2133), 170–177.

  19. D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the Association for Computing Machinery, 24(1981)8, 533–536.

  20. M. Bellare and B. Yee. Forward-security in private-key cryptography. In Topics in Cryptology-CT-RSA’2003, San Francisco, USA, 2003, Lecture Notes in Computer Science (2612), 1–18.

Author information

Correspondence to Fengtong Wen.

Additional information

Supported by the Natural Science Foundation of Shandong Province (No. Y2008A29), the Science and Technique Foundation of Shandong Province (No. 2008GG 30009008).

Communication author: Wen Fengtong, 1970, male, Ph.D.

About this article

Cite this article

Wen, F., Li, X. & Cui, S. An improved dos-resistant id-based password authentication scheme without using smart card. J. Electron.(China) 28, 580–586 (2011). https://doi.org/10.1007/s11767-012-0712-3

  • DOI: https://doi.org/10.1007/s11767-012-0712-3