Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

  • Ding Wang
  • Ping Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7807)


The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered with. In this paper, we analyze two recent proposals, namely, Hsieh-Leu’s scheme and Wang’s PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim’s password when getting temporary access to the victim’s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang’s original protocol security model, reveals a new attack scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.


Password authentication, Offline dictionary attack, Smart card, Common memory device, Non-tamper resistant



The corresponding author is Ping Wang. We are grateful to Prof. Yongge Wang from UNC Charlotte, USA, for the constructive discussions and Prof. David Naccache for referring us to [41]. This research was partially supported by the National Natural Science Foundation of China under No. 61472016.


  1. Asokan, N., Ekberg, J.-E., Kostiainen, K.: The untapped potential of trusted execution environments on mobile devices. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 293–294. Springer, Heidelberg (2013)
  2. Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)
  3. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of IEEE S&P 1992, pp. 72–84. IEEE (1992)
  4. Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of ACM CCS 2012, pp. 833–844. ACM (2012)
  5. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of IEEE S&P 2012, pp. 538–552. IEEE Computer Society (2012)
  6. Boyd, C., Montague, P., Nguyen, K.: Elliptic curve based password authenticated key exchange protocols. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, p. 487. Springer, Heidelberg (2001)
  7. Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)
  8. Burr, W., Dodson, D., Perlner, R., Polk, W., Gupta, S., Nabbus, E.: NIST Special Publication 800–63-1: Electronic Authentication Guideline. National Institute of Standards and Technology, Gaithersburg (2011)
  9. Chang, C.C., Wu, T.C.: Remote password authentication with smart cards. IEE Proc. Comput. Digital Tech. 138(3), 165–168 (1991)
  10. Chen, B.L., Kuo, W.C., Wuu, L.C.: A secure password-based remote user authentication scheme without smart cards. Inf. Technol. Control 41(1), 53–59 (2012)
  11. Chen, B.L., Kuo, W.C., Wuu, L.C.: Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2), 377–389 (2014)
  12. Chen, T.H., Hsiang, H.C., Shih, W.K.: Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Gener. Comput. Syst. 27(4), 377–380 (2011)
  13. Constantin, L.: Sony stresses that PSN passwords were hashed. Online news (2011).
  14. Das, M.L.: Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8(3), 1086–1090 (2009)
  15. Das, M., Saxena, A., Gulati, V.: A dynamic id-based remote user authentication scheme. IEEE Trans. Consum. Electron. 50(2), 629–631 (2004)
  16. Dazzlepod Inc.: CSDN cleartext passwords. Online news (2013).
  17. Degabriele, J.P., Paterson, K., Watson, G.: Provable security in the real world. IEEE Secur. Priv. 9(3), 33–41 (2011)
  18. Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of INFOCOM 2010, pp. 1–9. IEEE (2010)
  19. Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: Proceedings IEEE S&P 2008, pp. 281–295. IEEE (2008)
  20. Fan, C., Chan, Y., Zhang, Z.: Robust remote authentication scheme with smart cards. Comput. Secur. 24(8), 619–628 (2005)
  21. Focus Technology Co., Ltd: Prices for 1GB Usb Flash Drive (2013).
  22. Hao, F.: On robust key agreement based on public key authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 383–390. Springer, Heidelberg (2010)
  23. He, D., Ma, M., Zhang, Y., Chen, C., Bu, J.: A strong user authentication scheme with smart cards for wireless communications. Comput. Commun. 34(3), 367–374 (2011)
  24. Hsiang, H., Shih, W.: Weaknesses and improvements of the yoon-ryu-yoo remote user authentication scheme using smart cards. Comput. Commun. 32(4), 649–652 (2009)
  25. Hsieh, W., Leu, J.: Exploiting hash functions to intensify the remote user authentication scheme. Comput. Secur. 31(6), 791–798 (2012)
  26. Juang, W.S., Chen, S.T., Liaw, H.T.: Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Industr. Electron. 55(6), 2551–2556 (2008)
  27. Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1), 1–41 (2009)
  28. Khan, M., Kim, S.: Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme. Comput. Commun. 34(3), 305–309 (2011)
  29. Kim, T.H., Kim, C., Park, I.: Side channel analysis attacks using am demodulation on commercial smart cards with seed. J. Syst. Soft. 85(12), 2899–2908 (2012)
  30. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  31. Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 57(2), 793–800 (2010)
  32. Long, J.: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Syngress, Burlington (2011)
  33. Ma, C.G., Wang, D., Zhao, S.: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. 27(10), 2215–2227 (2014)
  34. Madhusudhan, R., Mittal, R.: Dynamic id-based remote user password authentication schemes using smart cards: a review. J. Netw. Comput. Appl. 35(4), 1235–1248 (2012)
  35. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007)
  36. Menezes, A.: Another look at HMQV. J. Math. Cryptol. 1(1), 47–64 (2007)
  37. Menezes, A.: Another look at provable security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 8–8. Springer, Heidelberg (2012)
  38. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)
  39. Moradi, A., Barenghi, A., Kasper, T., Paar, C.: On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs. In: Proceedings of ACM CCS 2011, pp. 111–124. ACM (2011)
  40. Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and pin is broken. In: Proceedings of IEEE Security & Privacy 2010, pp. 433–446. IEEE Computer Society (2010)
  41. Naccache, D.: National security, forensics and mobile communications. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 1–1. Springer, Heidelberg (2006)
  42. Nohl, K., Evans, D., Starbug, S., Plötz, H.: Reverse-engineering a cryptographic rfid tag. In: Proceedings of USENIX Security 2008, pp. 185–193. USENIX Association (2008)
  43. Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)
  44. Rhee, H.S., Kwon, J.O., Lee, D.H.: A remote user authentication scheme without using smart cards. Comput. Stan. Interfaces 31(1), 6–13 (2009)
  45. Scott, M.: Replacing username/password with software-only two-factor authentication. Technical report, Cryptology ePrint Archive, Report 2012/148 (2012).
  46. Shamus Software Ltd.: Miracl library (2013).
  47. Smart Card Alliance: Philips Advances Smart Card Security for Mobile Applications (2013).
  48. Son, K., Han, D., Won, D.: A privacy-protecting authentication scheme for roaming services with smart cards. IEICE Trans. Commun. 95(5), 1819–1821 (2012)
  49. Song, R.: Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 32(5), 321–325 (2010)
  50. Sun, D.Z., Huai, J.P., Sun, J.Z.: Improvements of juang et al.’s password-authenticated key agreement scheme using smart cards. IEEE Trans. Industr. Electron. 56(6), 2284–2291 (2009)
  51. Wang, D., Ma, C., Wu, P.: Secure password-based remote user authentication scheme with non-tamper resistant smart cards. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 114–121. Springer, Heidelberg (2012)
  52. Wang, D., Ma, C., Wang, P., Chen, Z.: Robust smart card based password authentication scheme against smart card security breach. In: Cryptology ePrint Archive, Report 2012/439 (2012).
  53. Wang, Y., Liu, J., Xiao, F., Dan, J.: A more efficient and secure dynamic id-based remote user authentication scheme. Comput. Commun. 32(4), 583–585 (2009)
  54. Wang, Y.: Password protected smart card and memory stick authentication against off-line dictionary attacks. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 489–500. Springer, Heidelberg (2012)
  55. Wu, S.H., Zhu, Y.F., Pu, Q.: Robust smart-cards-based user authentication scheme with user anonymity. Secur. Commun. Netw. 5(2), 236–248 (2012)
  56. Wu, T.: A real-world analysis of kerberos password security. In: Proceedings of NDSS 1999, pp. 13–22. Internet Society (1999)
  57. Xu, J., Zhu, W., Feng, D.: An improved smart card based password authentication scheme with provable security. Comput. Stand. Inter. 31(4), 723–728 (2009)
  58. Xue, K., Hong, P., Ma, C.: A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. 80(1), 195–206 (2014)
  59. Yang, G., Wong, D., Wang, H., Deng, X.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)
  60. Zhao, Z., Dong, Z., Wang, Y.G.: Security analysis of a password-based authentication protocol proposed to IEEE 1363. Theoret. Comput. Sci. 352(1), 280–287 (2006)
  61. Zhao, Z., Wang, Y.G.: Secure communication and authentication against off-line dictionary attacks in smart grid systems (2013).

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. School of EECS, Peking University, Beijing, China
  2. National Engineering Research Center for Software Engineering, Beijing, China
  3. School of Software and Microelectronics, Peking University, Beijing, China
