Weaknesses and Improvement of Secure Hash-Based Strong-Password Authentication Protocol

In 2008, Kim-Koc proposed a secure hash-based strong-password authentication protocol using one-time public key cryptography. He claimed that the protocol was secure against guessing, stolen-verifier, replay, denial-of-service, and impersonation attacks. However, we show that the protocol is vulnerable to impersonation, guessing, and stolen-verifier attacks. We propose improvements to increase the security level of the protocol.

[1]  Manik Lal Das,et al.  A Simple and Secure Authentication and Key Establishment Protocol , 2008, 2008 First International Conference on Emerging Trends in Engineering and Technology.

[2]  Wei-Chi Ku,et al.  Weaknesses of Yoon-Ryu-Yoo's hash-based password authentication scheme , 2005, OPSR.

[3]  Akihiro Shimizu,et al.  An Impersonation Attack on One-Time Password Authentication Protocol OSPA , 2003 .

[4]  Mohammed Misbahuddin,et al.  A smart card based remote user authentication scheme , 2008, J. Digit. Inf. Manag..

[5]  Dong Hoon Lee,et al.  A remote user authentication scheme without using smart cards , 2009, Comput. Stand. Interfaces.

[6]  Jacques Stern,et al.  RSA-OAEP Is Secure under the RSA Assumption , 2001, Journal of Cryptology.

[7]  Cheng-Chi Lee,et al.  A remote user authentication scheme using hash functions , 2002, OPSR.

[8]  Eun-Jun Yoon,et al.  A secure user authentication scheme using hash functions , 2004, OPSR.

[9]  Nevenko Zunic,et al.  Methods for Protecting Password Transmission , 2000, Comput. Secur..

[10]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[11]  Minho Kim,et al.  A Secure Hash-Based Strong-Password Authentication Protocol Using One-Time Public-Key Cryptography , 2008, J. Inf. Sci. Eng..

[12]  Chien-Ming Chen,et al.  Stolen-Verifier Attack on Two New Strong-Password Authentication Protocols , 2002 .

[13]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[14]  Hung-Min Sun,et al.  Attacks and Solutions on Strong-Password Authentication , 2001 .

[15]  Steven M. Bellovin,et al.  Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[16]  Min-Shiang Hwang,et al.  A new strong-password authentication scheme using one-way hash functions , 2006 .

[17]  Matu-Tarow Noda,et al.  Simple and Secure Password Authentication Protocol (SAS) , 2000 .

[18]  Akihiro Shimizu,et al.  Simple And Secure password authentication protocol, ver.2(SAS-2) (メディア工学) , 2002 .