Abstract
Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee’s one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu’s one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee’s scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee’s scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee’s scheme.
This work was supported by the Ministry of Knowledge Economy, Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Advancement) (IITA-2009-(C1090-0902-0016)) and the Defense Acquisition Program Administration and Agency for Defense Development under the contract UD070054AD.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)
Shimizu, A.: A dynamic password authentication method by oneway function. System and Computers in Japan 22(7), 32–40 (1991)
Haller, N.M.: The S/KEY (TM) one-time password system. In: Proc. Internet Society Symposium on Network and Distributed System Security, February 1994, pp. 151–158 (1994)
Shimizu, A., Horioka, T., Inagaki, H.: A password authentication method for contents communication on the Internet. IEICE Trans. Commun. E81-B(8), 1666–1673 (1998)
Sandirigama, M., Shimizu, A., Noda, M.T.: Simple and Secure password authentication protocol (SAS). IEICE Trans. Commun. E83-B(6), 1363–1365 (2000)
Lin, C.L., Sun, H.M., Hwang, T.: Attack and solutions on strong-password authentication. IEICE Trans. Commun. E84-B(9), 2622–2627 (2001)
Tsuji, T., Kamioka, T., Shimizu, A.: Simple and Secure password authentication protocol, ver.2 (SAS-2), IEICE Technical Report, OIS 2002–30 (September 2002)
Chien, H.Y., Jan, J.K.: Robust and simple authentication protocol. Comput. J. 46(2), 193–201 (2003)
Tsuji, T., Shimizu, A.: One-time password authentication protocol against theft attacks. IEICE Trans. on Commun. E87-B(3), 523–529 (2004)
Lin, C.L., Hung, C.P.: One-Time password authentication protocol against theft attacks. IEICE Trans. on Commun. E89-B(12), 3425–3427 (2006)
Kuo, W.C., Lee, Y.C.: Attack and improvement on the one-time password authentication protocol against theft attacks. In: Proc. of the Sixth International Conference on Machine Learning and Cybernetics, Hong Kong, August 2007, pp. 19–22 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, M., Lee, B., Kim, S., Won, D. (2009). Weaknesses and Improvements of Kuo-Lee’s One-Time Password Authentication Scheme. In: Ślęzak, D., Kim, Th., Chang, A.CC., Vasilakos, T., Li, M., Sakurai, K. (eds) Communication and Networking. FGCN 2009. Communications in Computer and Information Science, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10844-0_49
Download citation
DOI: https://doi.org/10.1007/978-3-642-10844-0_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10843-3
Online ISBN: 978-3-642-10844-0
eBook Packages: Computer ScienceComputer Science (R0)