Abstract
The design of secure remote user authentication schemes for mobile applications is still an open and quite challenging problem, though many schemes have been published lately. Recently, Islam and Biswas pointed out that Lin and Hwang et al.’s password-based authentication scheme is vulnerable to various attacks, and then presented an improved scheme based on elliptic curve cryptography (ECC) to overcome the drawbacks. Based on heuristic security analysis, Islam and Biswas claimed that their scheme is secure and can withstand all related attacks. In this paper, however, we show that Islam and Biswas’s scheme cannot achieve the claimed security goals and report its flaws: (1) It is vulnerable to offline password guessing attack, stolen verifier attack and denial of service (DoS) attack; (2) It fails to preserve user anonymity. The cryptanalysis demonstrates that the scheme under study is unfit for practical use.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Lamport, L.: Password authentication with insecure communication. Communications of the ACM 24(11), 770–772 (1981)
Liao, I.E., Lee, C.C., Hwang, M.S.: A password authentication scheme over insecure networks. Journal of Computer and System Sciences 72(4), 727–740 (2006)
Song, R.: Advanced smart card based password authentication protocol. Computer Standards & Interfaces 32(5), 321–325 (2010)
Yeh, K.H., Su, C., Lo, N.W., Li, Y., Hung, Y.X.: Two robust remote user authentication protocols using smart cards. Journal of Systems and Software 83(12), 2556–2565 (2010)
Ma, C.-G., Wang, D., Zhang, Q.-M.: Cryptanalysis and Improvement of Sood et al.’s Dynamic ID-Based Authentication Scheme. In: Ramanujam, R., Ramaswamy, S. (eds.) ICDCIT 2012. LNCS, vol. 7154, pp. 141–152. Springer, Heidelberg (2012)
Ma, C.-G., Wang, D., Zhao, P., Wang, Y.-H.: A New Dynamic ID-Based Remote User Authentication Scheme with Forward Secrecy. In: Wang, H., Zou, L., Huang, G., He, J., Pang, C., Zhang, H.L., Zhao, D., Yi, Z. (eds.) APWeb 2012 Workshops. LNCS, vol. 7234, pp. 199–211. Springer, Heidelberg (2012)
Klein, D.V.: Foiling the cracker: A survey of, and improvements to, password security. In: Proceedings of the 2nd USENIX Security Workshop, pp. 5–14 (1990)
Wang, R.C., Juang, W.S., Lei, C.L.: Robust authentication and key agreement scheme preserving the privacy of secret key. Computer Communications 34(3), 274–280 (2011)
Wu, S.H., Zhu, Y.F., Pu, Q.: Robust smart-cards-based user authentication scheme with user anonymity. Security and Communication Networks 5(2), 236–248 (2012)
Wei, J., Hu, X., Liu, W.: An improved authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-012-9835-1
Pu, Q., Wang, J., Zhao, R.: Strong authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-011-9735-9
He, D.B., Chen, J.H., Zhang, R.: A more secure authentication scheme for telecare medicine information systems. Journal of Medical Systems (2011), doi:10.1007/s10916-011-9658-5
Islam, S.H., Biswas, G.P.: Design of improved password authentication and update scheme based on elliptic curve cryptography. Mathematical and Computer Modelling (2011), doi:10.1016/j.mcm.2011.07.001
He, D.B.: Comments on a password authentication and update scheme based on elliptic curve cryptography. Cryptology ePrint Archive, Report 2011/411 (2011), http://eprintH.iacr.org/2011/411.pdf
Wan, Z., Zhu, B., Deng, R.H., Bao, F., Ananda, A.L.: Dos-resistant access control protocol with identity confidentiality for wireless networks. In: 2005 IEEE Wireless Communications and Networking Conference (WCNC), vol. 3, pp. 1521–1526. IEEE Press, New York (2005)
Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: a modular approach. Journal of Computer Security 12(1), 3–36 (2004)
Roy, S., Das, A.K., Li, Y.: Cryptanalysis and security enhancement of an advanced authentication scheme using smart cards, and a key agreement scheme for two-party communication. In: 2011 IEEE 30th International Performance Computing and Communications Conference (IPCCC), pp. 1–7. IEEE Press, New York (2011)
Cao, X., Kou, W., Du, X.: A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Information Sciences 180(15), 2895–2903 (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, D., Ma, Cg., Shi, L., Wang, Yh. (2012). On the Security of an Improved Password Authentication Scheme Based on ECC. In: Liu, B., Ma, M., Chang, J. (eds) Information Computing and Applications. ICICA 2012. Lecture Notes in Computer Science, vol 7473. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34062-8_24
Download citation
DOI: https://doi.org/10.1007/978-3-642-34062-8_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34061-1
Online ISBN: 978-3-642-34062-8
eBook Packages: Computer ScienceComputer Science (R0)