Elsevier

Computers & Security

Volume 22, Issue 7, October 2003, Pages 643-645
Computers & Security

Refereed Paper
Cryptanalysis of an enhanced timestamp-based password authentication scheme

https://doi.org/10.1016/S0167-4048(03)00713-2Get rights and content

Abstract

Recently, Fan proposed an enhanced scheme to improve the security of Yang-Shieh’s timestamp-based password authentication scheme. The enhanced scheme can withstand the attacks presented by Chan, Cheng and Fan. In this paper, we show that the enhanced scheme is still insecure. An intruder is able to construct a forged login request by intercepting the legitimate login requests and pass the system authentication with a non-negligible probability.

Section snippets

1. Introduction

Yang and Shieh [1] proposed a timestamp-based password authentication scheme with smart cards in 1999. Their scheme keeps the merits of ID-based schemes, but eliminates the weakness that users cannot change their passwords. In addition, the remote system does not need to maintain a password table to authenticate users. However, Chan and Cheng [2] pointed out that an intruder is able to construct a forged login request from the intercepted login requests and pass the system authentication.

2. Review of Yang- Shieh’s scheme

Yang- Shieh’s scheme can be divided into three phases: registration, login and authentication. The key information centre (KIC) should perform the following steps at first:

Generates two large primes p and q. Let n=pq.

Computes ed=1 modp − 1q − 1

Chooses a primitive element g in both GF(p) and GF(q).

e, g and n are public values. d, p and q are kept secret by the KIC.

In the registration phase, a new user Ui submits his identifier IDi and chosen password PWi to the KIC. Then the KIC performs the

3. Cryptanalysis of the enhanced scheme

At this point, we will show that an intruder can impersonate a legitimate user Ui by intercepting the legitimate login requests. The attack can be described as follows.

Suppose that there are two legitimate login requests < IDi, CIDi, Xi(1), Yi(1), n, e, g, T1 > and < IDi, CIDi, Xi(2), Yi(2), n, e, g, T2 > originated from a user Ui associated with identifier IDi. An intruder who intercepts the two tuples can perform the following steps to successfully impersonate Ui:

The intruder computes f(CIDi,

4. An example

We will give an example to illustrate the attack proposed in this paper. Let n=187, e=3, p=17, q=11, IDi=8, PWi=15. Then we can compute d=107, g=7, Si=(IDi)d modn=2, hi=gPWid modn=164. Assume f(CIDi, T1)=168, f(CIDi, T2)=78, f(CIDi, T3)=123. We have u=161, v=28. Let ri(1)=37, ri(2)=93 be the two random numbers selected by the smart card during the two login phases respectively.

Xi1=gri1PWimodn=65, Yi1=Si × hiri1fCIDi,T1modn =134.

Xi2=gri2PWimodn=54, Yi2=Si × hiri2fCIDi,T2modn =101.

Xi3=Xi12umod

5. Conclusion

In this paper, we present a cryptanalysis of an enhanced timestamp-based password authentication scheme based on Yang-Shieh’s scheme. We show that an intruder is able to construct a forged login request from the intercepted legitimate login requests and pass the system authentication with a non-negligible probability to impersonate a legal user.

Bin Wang

Bin Wang is currently a Ph.D. candidate at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include network security, multicast security.

References (3)

  • W.H.Yang and S.P.Shieh, 1999. Password authentication schemes with smart cards, Computer &Security, Vol.18, No.8, 1999,...
There are more references available in the full text version of this article.

Cited by (27)

  • Two-factor mutual authentication based on smart cards and passwords

    2008, Journal of Computer and System Sciences
  • A password authentication scheme over insecure networks

    2006, Journal of Computer and System Sciences
  • Literature review of authentication layer for public cloud computing: A meta-analysis

    2019, Journal of Theoretical and Applied Information Technology
  • GD2SA: Geo detection and digital signature authorization for secure accessing to cloud computing environments

    2015, ISCAIE 2014 - 2014 IEEE Symposium on Computer Applications and Industrial Electronics
View all citing articles on Scopus

Bin Wang

Bin Wang is currently a Ph.D. candidate at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include network security, multicast security.

Jian-Hua Li

Jian-Hua Li is a professor, Advisor of Ph.D. at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include CSCW, network security, content security, and data communication. Professor Li has published over 100 technical papers.

Zhi-Peng Tong

Zhi-Peng Tong is a national academician of Chinese Academy of Engineering. His research interests include software engineering and data communication.

View full text