Weaknesses and Improvements of Kuo-Lee’s One-Time Password Authentication Scheme
Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures for establishing secure communications over public, insecure networks. Recently, many researchers have proposed a variety of authentication schemes to confirm legitimate users. Among these, a one-time password authentication scheme requires less computation and takes the limitations of mobile devices into account. The purpose of one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo and Lee proposed their scheme to solve a security problem in Tsuji-Shimizu's one-time password authentication scheme, and claimed that it could withstand a replay attack, a theft attack and a modification attack, so that an attacker cannot successfully impersonate the user to log into the system. However, contrary to this claim, Kuo-Lee's scheme does not achieve its main security goal of authenticating communicating entities. We show that Kuo-Lee's scheme remains insecure under a modification attack, a replay attack and an impersonation attack, in which an attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.
Keywords: One-time password authentication scheme; impersonation attack
- 3. Haller, N.M.: The S/KEY one-time password system. In: Proc. Internet Society Symposium on Network and Distributed System Security, February 1994, pp. 151–158 (1994)
- 4. Shimizu, A., Horioka, T., Inagaki, H.: A password authentication method for contents communication on the Internet. IEICE Trans. Commun. E81-B(8), 1666–1673 (1998)
- 5. Sandirigama, M., Shimizu, A., Noda, M.T.: Simple and secure password authentication protocol (SAS). IEICE Trans. Commun. E83-B(6), 1363–1365 (2000)
- 6. Lin, C.L., Sun, H.M., Hwang, T.: Attack and solutions on strong-password authentication. IEICE Trans. Commun. E84-B(9), 2622–2627 (2001)
- 7. Tsuji, T., Kamioka, T., Shimizu, A.: Simple and secure password authentication protocol, ver. 2 (SAS-2). IEICE Technical Report, OIS 2002-30 (September 2002)
- 9. Tsuji, T., Shimizu, A.: One-time password authentication protocol against theft attacks. IEICE Trans. Commun. E87-B(3), 523–529 (2004)
- 11. Kuo, W.C., Lee, Y.C.: Attack and improvement on the one-time password authentication protocol against theft attacks. In: Proc. of the Sixth International Conference on Machine Learning and Cybernetics, Hong Kong, August 2007, pp. 19–22 (2007)