×

A password authentication scheme over insecure networks. (English) Zbl 1094.68027

Summary: Authentication ensures that system’s resources are not obtained fraudulently by illegal users. Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. The problem of password authentication in an insecure networks is present in many application areas. Since computing resources have grown tremendously, password authentication is more frequently required in areas such as computer networks, wireless networks, remote login, operation systems, and database management systems. Many schemes based on cryptography have been proposed to solve the problem. However, previous schemes are vulnerable to various attacks and are neither efficient, nor user friendly. Users cannot choose and change their passwords at will. We propose a new password authentication scheme to achieve the all proposed requirements. Furthermore, our scheme can support the Diffie-Hellman key agreement protocol over insecure networks. Users and the system can use the agreed session key to encrypt/decrypt their communicated messages using the symmetric cryptosystem.

MSC:

68P25 Data encryption (aspects in computer science)
94A62 Authentication, digital signatures and secret sharing
PDFBibTeX XMLCite
Full Text: DOI

References:

[1] Chan, C.-K.; Cheng, L. M., Cryptanalysis of a remote user authentication scheme using smart cards, IEEE Trans. Consumer Electron., 46, 992-993 (2000)
[2] Chang, C. C.; Wu, T. C., Remote password authentication with smart cards, IEE Proceedings-E, 138, 165-168 (1991)
[3] Chen, C.-M.; Ku, W.-C., Stolen-verifier attack on two new strong-password authentication protocols, IEICE Trans. Commun. E85-B, 2519-2521 (2002)
[4] Chien, H.-Y.; Jan, J.-K.; Tseng, Y.-M., An efficient and practical solution to remote authentication: Smart card, Computers & Security, 21, 372-375 (2002)
[5] Choo, K.-K. R., Revisit of McCullagh-Barreto two-party id-based authenticated key agreement protocols, Internat. J. Network Security, 1, 3, 154-160 (2005)
[6] Diffie, W.; Hellman, M. E., New directions in cryptography, IEEE Trans. Inform. Theory, 22, 644-654 (1976) · Zbl 0435.94018
[7] ElGamal, T., A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, 31, 469-472 (1985) · Zbl 0571.94014
[8] Evans, A.; Kantrowitz, W.; Weiss, E., A user authentication scheme not requiring secrecy in the computer, Commun. ACM, 17, 437-442 (1974)
[9] Haller, N., The S/KEY (TM) one-time password system, (Proceedings of Internet Society Symposium on Network and Distributed System Security (1994), Internet Society), 151-158
[10] N. Haller, The S/KEY one-time password system, RFC Technical Report 1760, February 1995; N. Haller, The S/KEY one-time password system, RFC Technical Report 1760, February 1995
[11] Hwang, M.-S., Cryptanalysis of remote login authentication scheme, Comput. Commun., 22, 8, 742-744 (1999)
[12] Hwang, M.-S.; Lee, C.-C.; Tang, Y.-L., An improvement of SPLICE/AS in WIDE against guessing attack, Internat. J. Inform., 12, 2, 297-302 (2001) · Zbl 0994.68067
[13] Hwang, M.-S.; Lee, C.-C.; Tang, Y.-L., A simple remote user authentication scheme, Math. Comput. Model., 36, 103-107 (2002) · Zbl 1028.94510
[14] Hwang, M.-S.; Li, L.-H., A new remote user authentication scheme using smart cards, IEEE Trans. Consumer Electron., 46, 1, 28-30 (2000)
[15] Jan, J. K.; Chen, Y. Y., ‘Paramita wisdom’ password authentication scheme without verification tables, J. Syst. Softw., 42, 45-57 (1998)
[16] Joyce, R.; Gupta, G., Identity authentication based on keystroke latencies, Commun. ACM, 33, 168-176 (1990)
[17] Kim, H. J., Biometrics, is it a viable proposition for identity authentication and access control, Comput. Secur., 14, 205-214 (1995)
[18] Kim, M.; Koc, C. K., A simple attack on a recently introduced hash-based strong-password authentication scheme, Internat. J. Network Security, 1, 2, 77-80 (2005)
[19] Lamport, L., Password authentication with insecure communication, Commun. ACM, 24, 770-772 (1981)
[20] Lee, C. C., Two attacks on the Wu-Hsu user identification scheme, Internat. J. Network Security, 1, 3, 147-148 (2005)
[21] Lin, C. L.; Sun, H. M.; Hwang, T., Attacks and solutions on strong-password authentication, IEICE Trans. Commun. E84-B, 2622-2627 (2001)
[22] Mitchell, C. J.; Chen, L., Comments on the S/KEY user authentication scheme, ACM Operating Syst. Rev., 30, 12-16 (1996)
[23] National Bureau of Standards, Data Encryption Standards, NBS: FIPS, 1977; National Bureau of Standards, Data Encryption Standards, NBS: FIPS, 1977
[24] NIST, Secure hash standard, Technical report FIPS 180-1, NIST, US Department of Commerce, April 1995; NIST, Secure hash standard, Technical report FIPS 180-1, NIST, US Department of Commerce, April 1995
[25] NIST, Advanced encryption standard, Technical report FIPS 197, NIST, US Department of Commerce, November 2001; NIST, Advanced encryption standard, Technical report FIPS 197, NIST, US Department of Commerce, November 2001
[26] Purdy, G. B., A high security log-in procedure, Commun. ACM, 17, 442-445 (1974)
[27] R. Rivest, The MD5 message digest algorithm, Technical report RFC 1321, IETF, April 1992; R. Rivest, The MD5 message digest algorithm, Technical report RFC 1321, IETF, April 1992
[28] Rivest, R. L.; Shamir, A.; Adleman, L., A method for obtaining digital signatures and public key cryptosystems, Commun. ACM, 21, 120-126 (1978) · Zbl 0368.94005
[29] Sandirigama, M.; Shimizu, A.; Noda, M. T., Simple and secure password authentication protocol (SAS), IEICE Trans. Commun. E83-B, 1363-1365 (2000)
[30] Shen, J.-J.; Lin, C.-W.; Hwang, M.-S., A modified remote user authentication scheme using smart cards, IEEE Trans. Consumer Electron., 49, 2, 414-416 (2003)
[31] Shen, J.-J.; Lin, C.-W.; Hwang, M.-S., Security enhancement for the timestamp-based password authentication scheme using smart cards, Comput. Secur., 22, 7, 591-595 (2003)
[32] Shimizu, A., A dynamic password authentication method by one-way function, IEICE Trans. Inform. Syst. J73-D-I, 630-636 (1990)
[33] Shimizu, A.; Horioka, T.; Inagaki, H., A password authentication method for contents communication on the Internet, IEICE Trans. Commun. E81-B, 1666-1763 (1998)
[34] Sun, H.-M., An efficient remote use authentication scheme using smart cards, IEEE Trans. Consumer Electron., 46, 4, 958-961 (2000)
[35] Wang, B.; Li, J. H.; Tong, Z. P., Cryptanalysis of an enhanced timestamp-based password authentication scheme, Comput. Secur., 22, 7, 643-645 (2003)
[36] Wu, H.-C.; Liu, C.-Y.; Chiou, S.-F., Cryptanalysis of a secure one-time password authentication scheme with low-communication for mobile communications, Internat. J. Network Security, 1, 2, 74-76 (2005)
[37] Wu, T. C., Remote login authentication scheme based on a geometric approach, Comput. Commun., 18, 12, 959-963 (1995)
[38] Yamaguchi, S.; Okayama, K.; Miyahara, H., Design and implementation of an authentication system in WIDE Internet environment, (Proceedings of IEEE Region Conference on Computer and Communication System (1990), IEEE Press)
[39] Yang, W. H.; Shieh, S. P., Password authentication schemes with smart cards, Comput. Secur., 18, 8, 727-733 (1999)
[40] Yang, C.-Y.; Lee, C.-C.; Hsiao, S.-Y., Man-in-the-middle attack on the authentication of the user from the remote autonomous object, Internat. J. Network Security, 1, 2, 81-83 (2005)
[41] Yeh, T.-C.; Shen, H.-Y.; Hwang, J.-J., A secure one-time password authentication scheme using smart cards, IEICE Trans. Commun. E85-B, 2515-2518 (2002)
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.