Refereed PaperCryptanalysis of an enhanced timestamp-based password authentication scheme
Section snippets
1. Introduction
Yang and Shieh [1] proposed a timestamp-based password authentication scheme with smart cards in 1999. Their scheme keeps the merits of ID-based schemes, but eliminates the weakness that users cannot change their passwords. In addition, the remote system does not need to maintain a password table to authenticate users. However, Chan and Cheng [2] pointed out that an intruder is able to construct a forged login request from the intercepted login requests and pass the system authentication.
2. Review of Yang- Shieh’s scheme
Yang- Shieh’s scheme can be divided into three phases: registration, login and authentication. The key information centre (KIC) should perform the following steps at first:
Generates two large primes p and q. Let n=pq.
Chooses a primitive element g in both GF(p) and GF(q).
e, g and n are public values. d, p and q are kept secret by the KIC.
In the registration phase, a new user Ui submits his identifier IDi and chosen password PWi to the KIC. Then the KIC performs the
3. Cryptanalysis of the enhanced scheme
At this point, we will show that an intruder can impersonate a legitimate user Ui by intercepting the legitimate login requests. The attack can be described as follows.
Suppose that there are two legitimate login requests < IDi, CIDi, Xi(1), Yi(1), n, e, g, T1 > and < IDi, CIDi, Xi(2), Yi(2), n, e, g, T2 > originated from a user Ui associated with identifier IDi. An intruder who intercepts the two tuples can perform the following steps to successfully impersonate Ui:
The intruder computes f(CIDi,
4. An example
We will give an example to illustrate the attack proposed in this paper. Let n=187, e=3, p=17, q=11, IDi=8, PWi=15. Then we can compute d=107, g=7, Si=(IDi)d modn=2, hi=gPWid modn=164. Assume f(CIDi, T1)=168, f(CIDi, T2)=78, f(CIDi, T3)=123. We have u=161, v=28. Let ri(1)=37, ri(2)=93 be the two random numbers selected by the smart card during the two login phases respectively.
5. Conclusion
In this paper, we present a cryptanalysis of an enhanced timestamp-based password authentication scheme based on Yang-Shieh’s scheme. We show that an intruder is able to construct a forged login request from the intercepted legitimate login requests and pass the system authentication with a non-negligible probability to impersonate a legal user.
Bin Wang
Bin Wang is currently a Ph.D. candidate at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include network security, multicast security.
References (3)
- W.H.Yang and S.P.Shieh, 1999. Password authentication schemes with smart cards, Computer &Security, Vol.18, No.8, 1999,...
Cited by (27)
Smart card based remote user authentication schemes: A survey
2012, Procedia EngineeringTwo-factor mutual authentication based on smart cards and passwords
2008, Journal of Computer and System SciencesA password authentication scheme over insecure networks
2006, Journal of Computer and System SciencesLiterature review of authentication layer for public cloud computing: A meta-analysis
2019, Journal of Theoretical and Applied Information TechnologyDesign and analysis of an enhanced multifactor authentication through a covert approach
2019, Studies in Computational IntelligenceGD2SA: Geo detection and digital signature authorization for secure accessing to cloud computing environments
2015, ISCAIE 2014 - 2014 IEEE Symposium on Computer Applications and Industrial Electronics
Bin Wang
Bin Wang is currently a Ph.D. candidate at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include network security, multicast security.
Jian-Hua Li
Jian-Hua Li is a professor, Advisor of Ph.D. at Department of Electronics Engineering in Shanghai Jiaotong University. His research interests include CSCW, network security, content security, and data communication. Professor Li has published over 100 technical papers.
Zhi-Peng Tong
Zhi-Peng Tong is a national academician of Chinese Academy of Engineering. His research interests include software engineering and data communication.