
A secure and efficient strong-password authentication protocol

Published: 01 July 2004

Abstract

Password authentication protocols fall into two types: one uses an easy-to-remember password, the other requires a strong password. In 2001, Lin et al. [12] proposed an optimal strong-password authentication protocol (OSPA) to resist the replay attack and the denial-of-service attack. However, Chen and Ku [4] showed that OSPA is vulnerable to the stolen-verifier attack, so Lin et al. [13] presented an enhancement in 2003. Nevertheless, the enhanced protocol of Lin et al. does not provide mutual authentication, which leaves it open to the server spoofing attack; it is also still vulnerable to the denial-of-service attack. In this paper we present a secure strong-password authentication protocol that overcomes these weaknesses.
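The two attack classes the abstract names, stolen verifier and server spoofing, are easiest to see on toy schemes. The following is an added illustration, not the OSPA protocol, Lin et al.'s enhancement, or the protocol of this paper: scheme A stores a static verifier H(pw) that the client also sends, and scheme B is a Lamport/S/KEY-style hash chain in the spirit of [11] and [6]. Both schemes, the password and the chain length are assumptions made for the example.

```python
"""Toy illustration of the stolen-verifier and server-spoofing attack classes.
Added example; neither scheme is the protocol analysed or proposed in the paper."""
import hashlib


def H(data: bytes) -> bytes:
    """One-way function shared by both toy schemes (SHA-256 stands in for it)."""
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, count: int) -> bytes:
    """H applied `count` times: H^count(secret)."""
    out = secret
    for _ in range(count):
        out = H(out)
    return out


class StaticVerifierServer:
    """Toy scheme A (assumed, deliberately weak): server stores v = H(pw) and
    the client authenticates by sending H(pw). The verifier is itself a valid
    login token, so whoever steals the verifier table can log in."""

    def __init__(self, password: bytes):
        self.verifier = H(password)

    def client_token(self, password: bytes) -> bytes:
        return H(password)

    def login(self, token: bytes) -> bool:
        return token == self.verifier


class HashChainServer:
    """Toy scheme B (assumed): Lamport-style one-time passwords. Server stores
    v_n = H^n(pw); the client sends H^(n-1)(pw); on success the server keeps
    that value as v_(n-1). The stored verifier is not a usable token."""

    def __init__(self, password: bytes, n: int = 100):
        self.n = n
        self.verifier = hash_chain(password, n)

    def client_token(self, password: bytes) -> bytes:
        # A client holding the password derives the next one-time value.
        return hash_chain(password, self.n - 1)

    def login(self, token: bytes) -> bool:
        if H(token) != self.verifier:
            return False
        self.verifier, self.n = token, self.n - 1  # consume the one-time value
        return True


def stolen_verifier_attack(server) -> bool:
    """Attacker has the verifier table but not the password; tries to log in."""
    return server.login(server.verifier)


def server_spoofing_attack(server, password: bytes) -> bool:
    """Without mutual authentication the client cannot tell a spoofed server from
    the real one, so it hands its fresh one-time value to the attacker, who
    replays it to the real server before the real server has consumed it."""
    harvested = server.client_token(password)  # what the client sent to the fake server
    return server.login(harvested)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    print("A, stolen verifier:", stolen_verifier_attack(StaticVerifierServer(pw)))
    print("B, stolen verifier:", stolen_verifier_attack(HashChainServer(pw, 10)))
    print("B, server spoofing:", server_spoofing_attack(HashChainServer(pw, 10), pw))
```

Scheme B defeats the stolen-verifier attack (the attacker would need a preimage of v_n) but not server spoofing: a harvested one-time value is accepted exactly once, which is why one-sided proofs of password knowledge need mutual authentication to bind the client's response to the genuine server.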

References

  1. Bellovin, S. and Merritt, M., "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," Proceedings of IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1992, pp. 72--84.
  2. Bellovin, S. and Merritt, M., "Augmented Encrypted Key Exchange: A Password-based Protocol Secure against Dictionary Attacks and Password-file Compromise," Proceedings of 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, November 1993, pp. 244--250.
  3. Boyko, V., MacKenzie, P., and Patel, S., "Provably Secure Password Authentication Key Exchange Using Diffie-Hellman," Proceedings of EuroCrypt 2000, May 2000, pp. 156--171.
  4. Chen, C. M. and Ku, W. C., "Stolen-verifier Attack on Two New Strong-password Authentication Protocols," IEICE Transactions on Communications, Vol. E85-B, No. 11, November 2002, pp. 2519--2521.
  5. Ding, Y. and Horster, P., "Undetectable On-line Password Guessing Attacks," ACM Operating Systems Review, Vol. 29, No. 4, 1995, pp. 77--86.
  6. Haller, N., "The S/KEY One-time Password System," Proceedings of Internet Society Symposium on Network and Distributed System Security, San Diego, California, February 1994, pp. 151--158.
  7. Jablon, D., "Strong Password-only Authenticated Key Exchange," ACM Computer Communication Review, Vol. 26, No. 5, September 1996, pp. 5--26.
  8. Jablon, D., "B-SPEKE," Integrity Sciences White Paper, September 1999.
  9. Kwon, T., "Ultimate Solution to Authentication via Memorable Password," A Proposal for IEEE P1363: Password-based Authentication, May 2000.
  10. Kwon, T., "Authentication and Key Agreement via Memorable Password," Proceedings of NDSS 2001 Symposium, San Diego, California, February 2001.
  11. Lamport, L., "Password Authentication with Insecure Communication," Communications of the ACM, Vol. 24, No. 11, November 1981, pp. 770--772.
  12. Lin, C. L., Sun, H. M., Steiner, M., and Hwang, T., "Attacks and Solutions on Strong-password Authentication," IEICE Transactions on Communications, Vol. E84-B, No. 9, September 2001, pp. 2622--2627.
  13. Lin, C. W., Shen, J. J., and Hwang, M. S., "Security Enhancement for Optimal Strong-password Authentication Protocol," ACM Operating Systems Review, Vol. 37, No. 3, July 2003, pp. 12--16.
  14. Lomas, M., Gong, L., Saltzer, J., and Needham, R., "Reducing Risks from Poorly Chosen Keys," Proceedings of the 12th ACM Symposium on Operating Systems Principles, Litchfield Park, Arizona, December 1989, pp. 14--18.
  15. Sandirigama, M., Shimizu, A., and Noda, M. T., "Simple and Secure Password Authentication Protocol (SAS)," IEICE Transactions on Communications, Vol. E83-B, No. 6, June 2000, pp. 1363--1365.
  16. Shimizu, A., "A Dynamic Password Authentication Method by One-way Function," IEICE Transactions on Information and Systems, Vol. J73-D-I, No. 7, July 1990, pp. 630--636.
  17. Shimizu, A., "A Dynamic Password Authentication Method by One-way Function," Systems and Computers in Japan, Vol. 22, No. 7, 1991.
  18. Shimizu, A., Horioka, T., and Inagaki, H., "A Password Authentication Method for Contents Communication on the Internet," IEICE Transactions on Communications, Vol. E81-B, No. 8, August 1998, pp. 1666--1673.
  19. Wu, T., "The Secure Remote Password Protocol," Proceedings of Internet Society Symposium on Network and Distributed System Security, San Diego, California, March 1998, pp. 97--111.
