Abstract
Password authentication is an important mechanism for remote login systems, where only authorized users can be authenticated via using their passwords and/or some similar secrets. In 1999, Yang and Shieh [14] proposed two password authentication schemes using smart cards. Their schemes are not only very efficient, but also allow users to change their passwords freely and the server has no need to maintain a verification table for authenticating users. However, their schemes are later identified to be flawed. To overcome those security flaws, Shen et al. [9] and Yoon et al. [17] proposed further improvements and claimed their new schemes are secure. In this paper, we first point out that Yang et al.’s attack [15] against Shen et al.’s scheme is actually invalid, since we can show that in a real implementation it is extremely difficult to find two hash values such that one is divisible by the other. After that, we show that both of Shen et al.’ scheme and Yoon et al.’s scheme are insecure by identifying several effective impersonation attacks. Those attacks enable an outsider to be successfully authenticated and then enjoy the resources and/or services provided by the server.
Keywords
Download to read the full chapter text
Chapter PDF
References
Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proc. of the 1st ACM Conference on Computer and Communications Security (CCS 1993), pp. 62–73. ACM press, New York (1993)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
Chan, C.K., Cheng, L.M.: Cryptanalysis of timestamp-based password authentication scheme. Computers & Security 21(1), 74–76 (2002)
Fan, L., Li, J.H., Zhu, H.W.: An enhancement of timestamp-based password authentication scheme. Computers & Security 21(7), 665–667 (2002)
Hwang, M.S., Li, L.H.: A new remote user authentication scheme smart cards. IEEE Transactions on Consumer Electronics 46, 28–30 (2000)
Lamport, L.: Password authentication with insecure communication. Communications of the ACM 24, 770–772 (1981)
PKCS, Public key cryptography standards, PKCS #1 v2.1, RSA Cryptography Standard, Draft 2 (2001), http://www.rsasecurity.com/rsalabs/pkcs/
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
Shen, J.J., Lin, C.W., Hwang, M.S.: Security enhancement for the timestamp-based password authentication scheme using smart cards. Computers & Security 22(7), 591–595 (2003)
Tenenbaum, G.: Introduction to Analytic and Probabilistic Number Theory (Theorem 5). Cambridge studies in advanced mathematics, vol. 46, p. 41. Cambridge University Press, Cambridge (1995)
Wang, B., Li, J.-H., Tong, Z.-P.: Cryptanalysis of an enhanced timestamp-based password authentication scheme. Computers & Security 22(7), 643–645 (2003)
Wang, G.: On the security of a group signature scheme with forward security. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 27–39. Springer, Heidelberg (2004)
Yang, W.H., Shieh, S.P.: Password authentication schemes with smart cards. Computers & Security 18(8), 727–733 (1999)
Yang, C.-C., Yang, H.-W., Wang, R.-C.: Cryptanalysis of security enhancement for the timestamp-based password authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 50(2), 578–579 (2004)
Yang, C.C., Wang, R.C., Chang, T.Y.: An improvement of the Yang-Shieh password authentication schemes. Applied Mathematics and Computation 162(3), 1391–1396 (2005)
Yoon, E.-J., Kim, W.-H., Yoo, K.-Y.: Security enhancement for password authentication schemes with smart cards. In: Katsikas, S.K., López, J., Pernul, G. (eds.) TrustBus 2005. LNCS, vol. 3592, pp. 311–320. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, G., Bao, F. (2006). Cryptanalysis of Timestamp-Based Password Authentication Schemes Using Smart Cards. In: Ning, P., Qing, S., Li, N. (eds) Information and Communications Security. ICICS 2006. Lecture Notes in Computer Science, vol 4307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11935308_28
Download citation
DOI: https://doi.org/10.1007/11935308_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49496-6
Online ISBN: 978-3-540-49497-3
eBook Packages: Computer ScienceComputer Science (R0)