A secure email login system using virtual password


In today's world, password compromise by adversaries is common and serves many purposes. At ICC 2008, Lei et al. proposed a new user authentication system based on virtual passwords. The virtual password system uses a linear randomized function to resist identity theft, phishing, keylogging and shoulder-surfing attacks. At ICC 2010, Li presented a security attack on Lei's scheme. This paper modifies Lei's scheme to prevent Li's attack while reducing server overhead. It also discusses the problems with current password recovery systems and proposes a better approach.


💡 Research Summary

This paper revisits the virtual-password authentication scheme proposed by Lei et al. in 2008, which derives a one-time login token by applying a linear randomized function f(P, C) = a·P + b (mod Z) to the user's fixed secret P and a server-issued challenge C. The original design was credited with resisting key-logging, phishing and shoulder-surfing because the coefficients a and b change on every login, so each observed token looks random to an eavesdropper. Li's 2010 cryptanalysis showed that the linear structure nonetheless leaks algebraic information: from a modest number of challenge-response pairs an adversary can solve for a and b and ultimately recover P, particularly when the coefficient space is small or the server inadvertently reuses values. The present work proposes two complementary modifications. First, the linear mapping is replaced by a non-linear polynomial or hash-based transformation, for example T = a·P² + b·P + c (mod Z); the quadratic term and the extra constant c break the linear equations that Li's attack depends on, and the authors argue that solving the resulting higher-degree system is infeasible at realistic parameter sizes. Second, the server generates a per-session random nonce r and sends it to the client as part of the challenge; the client folds r into the token (T = f(P, C, r)), and the server does not retain r but recomputes it from the received token during verification. Because the server no longer keeps a table of per-login coefficients, the authors report a memory-overhead reduction of roughly 70% in their experimental evaluation.
Beyond the login flow, the paper criticises existing password-recovery mechanisms that rely on static security questions or emailed codes, both of which are exposed to social engineering and man-in-the-middle attacks. The authors carry the virtual-password idea into recovery: a recovery request triggers a fresh one-time token from the same non-linear function, and the recovery server and client authenticate each other before any reset information is released. Consequently, an attacker who intercepts the recovery email still cannot derive the password without solving the same hard non-linear problem. The security analysis includes formal arguments that the probability of guessing a valid token without P or the session nonce is negligible, and simulation results confirm that Li's linear-equation attack fails against the proposed scheme. Performance tests on a prototype integrated with an open-source mail server show that the added cryptographic operations raise authentication latency by less than 5 ms, well within acceptable user-experience limits. In summary, the paper mitigates the known linear-function weakness, lowers server storage and computational cost, and extends the hardened authentication model to password-recovery workflows, giving a more robust and practical secure email login.
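The following is an added worked example, not code from the paper or from Lei's or Li's publications. It models the attack sketched above on a deliberately simplified linear token. The summary's formula does not say how the challenge C enters the computation, so the example assumes (as a modelling choice, not a claim about Lei's scheme) that the token is T = a·(P + C) + b mod Z with a prime modulus Z, that a, b and P are the user's fixed secrets, and that the attacker sees only the public challenge and the token (e.g. via a keylogger or phishing page). Two observations then suffice to recover the slope a and the intercept u = a·P + b, which is all an attacker needs to forge tokens for any future challenge; P itself is never learned and never needed. The same linear extrapolation is then applied to a quadratic variant in the spirit of the modification above, where it fails. Note what the example does and does not show: it demonstrates that the specific linear-interpolation step breaks on a degree-2 token, not that the quadratic form is secure against all algebraic attacks. All parameter values are constructed for illustration.

```python
"""Toy model of a linear virtual-password token and a Li-style forgery
attack on it, alongside a quadratic variant on which the same step fails.

Added example; the formulas below are modelling assumptions, not the
exact functions from Lei et al. (2008), Li (2010) or the present paper.
"""

# Constructed prime modulus; real deployments would use a much larger one.
Z = 1_000_003


def linear_token(P: int, a: int, b: int, C: int) -> int:
    """Assumed linear token: T = a*(P + C) + b mod Z.

    a, b and P are the user's fixed secrets; C is the server's public
    per-login challenge.  Note that T = (a*P + b) + a*C, i.e. an affine
    function of the public challenge with secret slope and intercept.
    """
    return (a * (P + C) + b) % Z


def quadratic_token(P: int, a: int, b: int, c: int, C: int) -> int:
    """Assumed non-linear variant: T = a*x^2 + b*x + c mod Z with x = P + C.

    This is the shape of the modification described in the summary
    (quadratic term plus an extra constant), not the paper's exact function.
    """
    x = (P + C) % Z
    return (a * x * x + b * x + c) % Z


def linear_attack(observations: list[tuple[int, int]]) -> tuple[int, int]:
    """Recover the slope a and intercept u = a*P + b from two observed
    (challenge, token) pairs of the linear scheme.

    Since T_i = u + a*C_i (mod Z), two pairs with distinct challenges give
    a = (T1 - T2) / (C1 - C2) and u = T1 - a*C1.  The attacker never needs
    to separate P from b: (a, u) already lets them answer any challenge.
    """
    (C1, T1), (C2, T2) = observations[:2]
    d = (C1 - C2) % Z
    if d == 0:
        raise ValueError("need two observations with distinct challenges")
    a = (T1 - T2) * pow(d, -1, Z) % Z   # modular inverse, Z prime
    u = (T1 - a * C1) % Z
    return a, u


def forge(a: int, u: int, C: int) -> int:
    """Attacker's answer to a fresh challenge using only the recovered (a, u)."""
    return (u + a * C) % Z


def linear_forgery_succeeds(P: int, a: int, b: int, challenges: list[int]) -> bool:
    """Observe two logins, then try to answer a third challenge without P."""
    obs = [(C, linear_token(P, a, b, C)) for C in challenges[:2]]
    s, u = linear_attack(obs)
    C_new = challenges[2]
    return forge(s, u, C_new) == linear_token(P, a, b, C_new)


def quadratic_forgery_succeeds(P: int, a: int, b: int, c: int,
                               challenges: list[int]) -> bool:
    """Same linear extrapolation against the quadratic token.

    For a degree-2 function the second difference T3 - 2*T2 + T1 equals
    2*a*h^2 for equally spaced challenges (h = spacing), which is non-zero
    mod Z for the constructed values, so the linear guess 2*T2 - T1 misses.
    """
    obs = [(C, quadratic_token(P, a, b, c, C)) for C in challenges[:2]]
    s, u = linear_attack(obs)
    C_new = challenges[2]
    return forge(s, u, C_new) == quadratic_token(P, a, b, c, C_new)


if __name__ == "__main__":
    # Constructed user secrets and server challenges (illustration only).
    P, a, b, c = 12345, 6789, 42, 7
    challenges = [100, 200, 300]
    print("linear scheme forged:   ", linear_forgery_succeeds(P, a, b, challenges))
    print("quadratic scheme forged:", quadratic_forgery_succeeds(P, a, b, c, challenges))
```

The attack needs only two transcripts because the token is affine in the public challenge; a keylogger or phishing page that captures one extra login after the first is already enough. This is why the summary stresses that the fix must remove the linear relationship rather than merely enlarge the coefficient space.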

