Skip to main content
SpringerLink
Log in

On the Security of an Improved Password Authentication Scheme Based on ECC

  • Conference paper
Information Computing and Applications (ICICA 2012)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 7473))

Included in the following conference series:

Abstract

The design of secure remote user authentication schemes for mobile applications is still an open and quite challenging problem, though many schemes have been published lately. Recently, Islam and Biswas pointed out that Lin and Hwang et al.’s password-based authentication scheme is vulnerable to various attacks, and then presented an improved scheme based on elliptic curve cryptography (ECC) to overcome the drawbacks. Based on heuristic security analysis, Islam and Biswas claimed that their scheme is secure and can withstand all related attacks. In this paper, however, we show that Islam and Biswas’s scheme cannot achieve the claimed security goals and report its flaws: (1) It is vulnerable to offline password guessing attack, stolen verifier attack and denial of service (DoS) attack; (2) It fails to preserve user anonymity. The cryptanalysis demonstrates that the scheme under study is unfit for practical use.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Lamport, L.: Password authentication with insecure communication. Communications of the ACM 24(11), 770–772 (1981)

    Article  MathSciNet  Google Scholar 

  2. Liao, I.E., Lee, C.C., Hwang, M.S.: A password authentication scheme over insecure networks. Journal of Computer and System Sciences 72(4), 727–740 (2006)

    Article  MathSciNet  MATH  Google Scholar 

  3. Song, R.: Advanced smart card based password authentication protocol. Computer Standards & Interfaces 32(5), 321–325 (2010)

    Article  Google Scholar 

  4. Yeh, K.H., Su, C., Lo, N.W., Li, Y., Hung, Y.X.: Two robust remote user authentication protocols using smart cards. Journal of Systems and Software 83(12), 2556–2565 (2010)

    Article  Google Scholar 

  5. Ma, C.-G., Wang, D., Zhang, Q.-M.: Cryptanalysis and Improvement of Sood et al.’s Dynamic ID-Based Authentication Scheme. In: Ramanujam, R., Ramaswamy, S. (eds.) ICDCIT 2012. LNCS, vol. 7154, pp. 141–152. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  6. Ma, C.-G., Wang, D., Zhao, P., Wang, Y.-H.: A New Dynamic ID-Based Remote User Authentication Scheme with Forward Secrecy. In: Wang, H., Zou, L., Huang, G., He, J., Pang, C., Zhang, H.L., Zhao, D., Yi, Z. (eds.) APWeb 2012 Workshops. LNCS, vol. 7234, pp. 199–211. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  7. Klein, D.V.: Foiling the cracker: A survey of, and improvements to, password security. In: Proceedings of the 2nd USENIX Security Workshop, pp. 5–14 (1990)

    Google Scholar 

  8. Wang, R.C., Juang, W.S., Lei, C.L.: Robust authentication and key agreement scheme preserving the privacy of secret key. Computer Communications 34(3), 274–280 (2011)

    Article  Google Scholar 

  9. Wu, S.H., Zhu, Y.F., Pu, Q.: Robust smart-cards-based user authentication scheme with user anonymity. Security and Communication Networks 5(2), 236–248 (2012)

    Article  Google Scholar 

  10. Wei, J., Hu, X., Liu, W.: An improved authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-012-9835-1

    Google Scholar 

  11. Pu, Q., Wang, J., Zhao, R.: Strong authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-011-9735-9

    Google Scholar 

  12. He, D.B., Chen, J.H., Zhang, R.: A more secure authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-011-9658-5

    Google Scholar 

  13. Islam, S.H., Biswas, G.P.: Design of improved password authentication and update scheme based on elliptic curve cryptography. Mathematical and Computer Modelling (2011), doi:10.1016/j.mcm.2011.07.001

    Google Scholar 

  14. He, D.B.: Comments on a password authentication and update scheme based on elliptic curve cryptography. Cryptology ePrint Archive, Report 2011/411 (2011), http://eprintH.iacr.org/2011/411.pdf

  15. Wan, Z., Zhu, B., Deng, R.H., Bao, F., Ananda, A.L.: Dos-resistant access control protocol with identity confidentiality for wireless networks. In: 2005 IEEE Wireless Communications and Networking Conference (WCNC), vol. 3, pp. 1521–1526. IEEE Press, New York (2005)

    Chapter  Google Scholar 

  16. Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: a modular approach. Journal of Computer Security 12(1), 3–36 (2004)

    Google Scholar 

  17. Roy, S., Das, A.K., Li, Y.: Cryptanalysis and security enhancement of an advanced authentication scheme using smart cards, and a key agreement scheme for two-party communication. In: 2011 IEEE 30th International Performance Computing and Communications Conference (IPCCC), pp. 1–7. IEEE Press, New York (2011)

    Chapter  Google Scholar 

  18. Cao, X., Kou, W., Du, X.: A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Information Sciences 180(15), 2895–2903 (2010)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. College of Computer Science and Technology, Harbin Engineering University, 145 Nantong Street, Harbin City, 150001, China

    Ding Wang, Chun-guang Ma & Lan Shi

  2. Automobile Management Institute of PLA, Bengbu City, 233011, China

    Ding Wang

  3. Golisano College of Computing and Information Sciences, Rochester Institute of Technology, 102 Lomb Memorial Dr., Rochester, NY, 14623, USA

    Yu-heng Wang

Authors
  1. Ding Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chun-guang Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lan Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yu-heng Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. College of Science, Hebei United University, 063000, Tangshan, Hebei, China

    Baoxiang Liu

  2. Nanyang Technological University, Singapore

    Maode Ma

  3. College of Science, Hebei United University, 063009, Tangshan, Hebei, China

    Jincai Chang

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, D., Ma, Cg., Shi, L., Wang, Yh. (2012). On the Security of an Improved Password Authentication Scheme Based on ECC. In: Liu, B., Ma, M., Chang, J. (eds) Information Computing and Applications. ICICA 2012. Lecture Notes in Computer Science, vol 7473. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34062-8_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-34062-8_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34061-1

  • Online ISBN: 978-3-642-34062-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation