Abstract
Passwords, as easy-to-remember credentials, play an important role in remote user authentication schemes, yet they are drawn from a space so small that an adversary can exhaustively search all candidate passwords to guess the correct one. To strengthen password authentication, a smart card is introduced as a second factor to construct a two-factor authentication scheme. However, we find that two recent smart-card-based password authentication schemes are vulnerable to offline password guessing attacks under the definition of secure two-factor authentication. Furthermore, to show the serious consequences of offline password guessing attacks, we demonstrate that password compromise impersonation attacks, as a further threat, are effective in breaking these authentication schemes. Finally, we summarize the reasons why these weaknesses exist and present improved ideas to avoid such problems in the future.
Acknowledgments
This work is supported by NSFC (Grant Nos. 61300181, 61272057, 61202434, 61170270, 61100203, 61121061), the Fundamental Research Funds for the Central Universities (Grant No. 2012RC0612, 2011YB01).
Copyright information
© 2016 Atlantis Press and the author(s)
About this paper
Cite this paper
Li, Xl., Wen, Qy., Zhang, H., Jin, Zp., Li, Wm. (2016). Offline Password Guessing Attacks on Smart-Card-Based Remote User Authentication Schemes. In: Qi, E. (eds) Proceedings of the 6th International Asia Conference on Industrial Engineering and Management Innovation. Atlantis Press, Paris. https://doi.org/10.2991/978-94-6239-145-1_9
DOI: https://doi.org/10.2991/978-94-6239-145-1_9
Publisher Name: Atlantis Press, Paris
Print ISBN: 978-94-6239-144-4
Online ISBN: 978-94-6239-145-1
eBook Packages: Business and Management (R0)