Security Analysis of Secure Password Authentication for Keystroke Dynamics

  • Hyunsoo Song
  • Taekyoung Kwon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4251)


Password-based authentication and key distribution are important in today’s computing environment. Because passwords are easy for human users to remember, password-based systems are widely used. However, because passwords are chosen from a small space, password-based schemes are more susceptible to various attacks, including password guessing attacks. Recently, Choe and Kim proposed a new password authentication scheme for keystroke dynamics. In this paper, we cryptanalyze the Choe-Kim scheme and show that it is vulnerable to various types of attacks, such as server-deception attacks, server-impersonation attacks and password guessing attacks. We also observe that more care must be taken when designing password-based schemes, and briefly show how a standard such as IEEE P1363.2 can be used to strengthen those schemes.






References

  1. Bellovin, S., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 77–84 (1992)
  2. Bellovin, S., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password-file compromise. In: ACM Conference on Computer and Communications Security, pp. 244–250 (1993)
  3. Boyko, V., MacKenzie, P., Patel, S.: Provably secure password authenticated key exchange using Diffie-Hellman. In: Eurocrypt 2000, pp. 156–171 (2000)
  4. Choe, Y., Kim, S.: Secure Password Authentication for Keystroke Dynamics. In: Khosla, R., Howlett, R.J., Jain, L.C. (eds.) KES 2005. LNCS (LNAI), vol. 3683, pp. 317–324. Springer, Heidelberg (2005)
  5. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
  6. Gong, L., Lomas, M., Needham, R., Saltzer, J.: Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE Journal on Selected Areas in Communications 11(5), 648–656 (1993)
  7. Jablon, D.: Strong password-only authenticated key exchange. ACM Computer Communications Review 26(5), 5–26 (1996)
  8. Jablon, D.: Extended password key exchange protocols immune to dictionary attacks. In: WETICE 1997 Workshop on Enterprise Security, pp. 248–255 (1997)
  9. Kwon, T.: Authentication and Key agreement via Memorable Passwords. In: Network and Distributed System Security Symposium Conference Proceedings (2001)
  10. MacKenzie, P.: More Efficient Password-Authenticated Key Exchange. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 361–377. Springer, Heidelberg (2001)
  11. MacKenzie, P.: The PAK suites: Protocols for Password-Authenticated Key Exchange (2002), available from
  12. Wu, T.: Secure remote password protocol. In: Network and Distributed System Security Symposium Conference Proceedings (1998)
  13.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Hyunsoo Song (1)
  • Taekyoung Kwon (1)
  1. Information Security Lab., Sejong University, Seoul, Korea
