Cryptanalysis of Yang-Wang-Chang's Password Authentication Scheme with Smart Cards
In 2005, Yang, Wang, and Chang proposed an improved timestamp-based password authentication scheme in an attempt to overcome the flaws of Yang-Shieh's legendary timestamp-based remote authentication scheme using smart cards. After analyzing the improved scheme proposed by Yang-Wang-Chang, we have found that their scheme is still insecure and vulnerable to four types of forgery attacks. Hence, in this paper, we prove that their claim that their scheme is intractable is incorrect. Also, we show that even an attack based on Sun et al.'s attack could be launched against their scheme, which they claimed to resolve with their proposal.
💡 Research Summary
The paper presents a comprehensive cryptanalysis of the Yang‑Wang‑Chang (YWC) timestamp‑based password authentication scheme that was proposed in 2005 as an improvement over the earlier Yang‑Shieh scheme. The authors first describe the three‑phase operation of YWC—registration, login, and verification—detailing how the Key Information Center (KIC) generates two large primes p and q, computes n = p·q, selects a public exponent e and its inverse d, and chooses a primitive element g. During registration the user’s identity ID and password PW are combined with the secret exponent d to store values such as S = ID·CID·d (mod n) and h = PW·d (mod n) on a smart card. In the login phase the card generates a random r, computes X = g^{PW}·r (mod n) and Y = S·h^{r}·T (mod n) (where T is the current timestamp), and sends the tuple (ID, CID, X, Y, n, e, g, T) to the server. The server validates the request by checking the freshness of T and the equation Y^{e} ≡ ID·CID·X·T (mod n).
The authors identify a fundamental weakness: the verification equation is linear in the publicly known parameters (e, n, g) and the timestamp T, which can be manipulated using the extended Euclidean algorithm. By solving e·u − T·v = 1 (or more generally gcd(e,T)=k) they can construct forged values X_f = ID·CID·v (mod n) and Y_f = ID·CID·u (mod n) that satisfy the verification equation for an attacker‑chosen timestamp T_a. Consequently, the server accepts the forged login as legitimate.
Four distinct forgery attacks are demonstrated.
- Extended Euclidean Attack (based on Sun‑Ye) – The attacker computes coefficients u and v such that e·u − T·v = 1 (or any gcd(e,T)=k) and forges (X_f, Y_f) as described above. This works even when e and T are not coprime.
- Timestamp Scaling Attack (adapted from Yang et al.) – By choosing a multiplier w satisfying w·T_a ≡ T (mod n), the attacker sets X_f = X·w while keeping Y unchanged; the verification equation remains valid, allowing a replay with a different timestamp.
- Impersonation Attack (novel) – The attacker intercepts a legitimate login, computes the modular inverse ID_f = ID^{−1} (mod n), registers a new smart card with a fabricated password to obtain a fresh set of parameters, then derives the original S_i from the newly issued S_k. Using arbitrary values y and r, the attacker constructs X_f = y and Y_f = S_i·y·T_f (mod n), which again satisfies the verification equation for a chosen timestamp T_f. This effectively impersonates the legitimate user without knowing the password.
- Direct Sun‑Ye Reuse – The original Sun‑Ye attack is shown to be applicable without modification; the authors extend it to cases where gcd(e,T) > 1, demonstrating that the scheme’s security claim of resistance to this attack is unfounded.
All four attacks exploit the linearity of the verification equation and the lack of cryptographic binding between the timestamp and secret values. The timestamp T is used only as a multiplicative factor, providing no entropy or secrecy, and the public exponent e is static and known. Consequently, the YWC scheme fails to provide the “intrinsic security” claimed by its authors.
The paper concludes that the YWC protocol is insecure against realistic forgery and impersonation attacks. It recommends that future designs incorporate stronger randomness, bind timestamps cryptographically (e.g., via hash‑based MACs), and possibly replace the linear verification with a non‑linear, provably secure construction such as a full public‑key signature or a zero‑knowledge proof. The authors suggest that addressing these fundamental design flaws is essential before deploying smart‑card based password authentication in sensitive applications.
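To make the linearity argument concrete, the following toy model (an added example, not code from the paper or from the Yang-Wang-Chang scheme) implements a login check of the form Y^e ≡ ID^CID · X^T (mod n), the extended-Euclidean forgery that solves e·u − T·v = 1 and sets X_f = A^v, Y_f = A^u with A = ID^CID, and a hash-bound variant of the check along the lines the paper recommends. The exponent form of the equation (the summary above writes it in flattened notation), the tiny RSA-style KIC parameters, the base element g, the per-user HMAC key and all sample values are assumptions made for illustration; the forgery routine handles only gcd(e, T) = 1, whereas the paper also covers gcd(e, T) > 1.

```python
"""Toy model of a timestamp-based login check Y^e == ID^CID * X^T (mod n),
the extended-Euclidean forgery the paper describes, and a MAC-bound check.
Added example, not the paper's code: the exponent form, the toy KIC values,
the base element and the HMAC binding are assumptions for illustration."""
import hmac
import hashlib


def ext_gcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = ext_gcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(a, n):
    g, x, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError("not invertible")
    return x % n


def signed_pow(a, k, n):
    """a^k mod n, allowing a negative k (a must be invertible mod n)."""
    return pow(a, k, n) if k >= 0 else pow(modinv(a, n), -k, n)


# Constructed KIC parameters (assumption: tiny RSA-style toy, not real sizes).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17                      # public exponent, coprime with PHI
D = modinv(E, PHI)          # KIC's secret exponent
G = 3                       # base element (assumed)


def register(ID, CID, PW):
    """Registration: values the KIC stores on the card (assumed forms)."""
    A = pow(ID, CID, N)
    S = pow(A, D, N)                # ID^(CID*d) mod n
    h = pow(G, PW * D, N)           # g^(PW*d) mod n
    return {"ID": ID, "CID": CID, "PW": PW, "S": S, "h": h}


def legit_login(card, T, r):
    """Card side: X = g^(PW*r), Y = S * h^(r*T)  (mod n)."""
    X = pow(G, card["PW"] * r, N)
    Y = card["S"] * pow(card["h"], r * T, N) % N
    return X, Y


def verify_linear(ID, CID, X, Y, T):
    """Server side: the public relation Y^e == ID^CID * X^T (mod n)."""
    A = pow(ID, CID, N)
    return pow(Y, E, N) == A * pow(X, T, N) % N


def forge_login(ID, CID, T):
    """Sun-Ye style forgery from public values only: solve e*u - T*v = 1,
    then X = A^v, Y = A^u gives Y^e = A^(1 + T*v) = A * X^T."""
    g, u, w = ext_gcd(E, T)         # E*u + T*w == g
    if g != 1:
        raise ValueError("toy handles gcd(e, T) == 1 only; paper covers gcd > 1")
    v = -w                          # E*u - T*v == 1
    A = pow(ID, CID, N)
    return signed_pow(A, v, N), signed_pow(A, u, N)


def make_tag(key, ID, X, Y, T):
    """Bind the timestamp and login values under a per-user key (assumed)."""
    msg = f"{ID}|{X}|{Y}|{T}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_bound(key, ID, CID, X, Y, T, tag):
    """Hardened check: same relation plus a MAC a forger without the key cannot make."""
    return verify_linear(ID, CID, X, Y, T) and hmac.compare_digest(
        tag, make_tag(key, ID, X, Y, T))


def demo():
    ID, CID, PW = 12345, 7, 4242            # constructed user values
    card = register(ID, CID, PW)
    key = b"constructed-per-user-key"       # shared by card and server (assumed)
    T = 1735689600                          # constructed timestamp, gcd(T, E) == 1
    X, Y = legit_login(card, T, r=99)
    Xf, Yf = forge_login(ID, CID, T)
    return {
        "legit_linear": verify_linear(ID, CID, X, Y, T),
        "forged_linear": verify_linear(ID, CID, Xf, Yf, T),
        "legit_bound": verify_bound(key, ID, CID, X, Y, T, make_tag(key, ID, X, Y, T)),
        "forged_bound": verify_bound(key, ID, CID, Xf, Yf, T, make_tag(b"guess", ID, Xf, Yf, T)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the paper's argument side by side: the legitimate login and the forged pair both pass `verify_linear`, because the relation involves only public quantities and an attacker-chosen pair of exponents, while only the legitimate login passes `verify_bound`, where the timestamp and login values are tied to a key the forger does not hold.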