Weaknesses and Improvements of Kuo-Lee’s One-Time Password Authentication Scheme

  • Mijin Kim
  • Byunghee Lee
  • Seungjoo Kim
  • Dongho Won
Part of the Communications in Computer and Information Science book series (CCIS, volume 56)


Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee’s one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu’s one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee’s scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee’s scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee’s scheme.


One-time password authentication scheme impersonation attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)CrossRefMathSciNetGoogle Scholar
  2. 2.
    Shimizu, A.: A dynamic password authentication method by oneway function. System and Computers in Japan 22(7), 32–40 (1991)CrossRefGoogle Scholar
  3. 3.
    Haller, N.M.: The S/KEY (TM) one-time password system. In: Proc. Internet Society Symposium on Network and Distributed System Security, February 1994, pp. 151–158 (1994)Google Scholar
  4. 4.
    Shimizu, A., Horioka, T., Inagaki, H.: A password authentication method for contents communication on the Internet. IEICE Trans. Commun. E81-B(8), 1666–1673 (1998)Google Scholar
  5. 5.
    Sandirigama, M., Shimizu, A., Noda, M.T.: Simple and Secure password authentication protocol (SAS). IEICE Trans. Commun. E83-B(6), 1363–1365 (2000)Google Scholar
  6. 6.
    Lin, C.L., Sun, H.M., Hwang, T.: Attack and solutions on strong-password authentication. IEICE Trans. Commun. E84-B(9), 2622–2627 (2001)Google Scholar
  7. 7.
    Tsuji, T., Kamioka, T., Shimizu, A.: Simple and Secure password authentication protocol, ver.2 (SAS-2), IEICE Technical Report, OIS 2002–30 (September 2002)Google Scholar
  8. 8.
    Chien, H.Y., Jan, J.K.: Robust and simple authentication protocol. Comput. J. 46(2), 193–201 (2003)zbMATHCrossRefGoogle Scholar
  9. 9.
    Tsuji, T., Shimizu, A.: One-time password authentication protocol against theft attacks. IEICE Trans. on Commun. E87-B(3), 523–529 (2004)Google Scholar
  10. 10.
    Lin, C.L., Hung, C.P.: One-Time password authentication protocol against theft attacks. IEICE Trans. on Commun. E89-B(12), 3425–3427 (2006)CrossRefGoogle Scholar
  11. 11.
    Kuo, W.C., Lee, Y.C.: Attack and improvement on the one-time password authentication protocol against theft attacks. In: Proc. of the Sixth International Conference on Machine Learning and Cybernetics, Hong Kong, August 2007, pp. 19–22 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mijin Kim
    • 1
  • Byunghee Lee
    • 1
  • Seungjoo Kim
    • 1
  • Dongho Won
    • 1
  1. 1.School of Information and Communication EngineeringSungkyunkwan UniversitySuwonRepublic of Korea

Personalised recommendations