Security Analysis of a Remote User Authentication Scheme with Smart Cards


📝 Original Info

  • Title: Security Analysis of a Remote User Authentication Scheme with Smart Cards
  • ArXiv ID: 0711.0128
  • Date: 2007-11-02
  • Authors: Original paper authors: Yoon et al. (the exact author names and affiliations are not stated in the paper)

📝 Abstract

Yoon et al. proposed a new efficient remote user authentication scheme using smart cards to solve the security problems of W. C. Ku and S. M. Chen's scheme. This paper reviews Yoon et al.'s scheme and then proves that the password change phase of Yoon et al.'s scheme is still insecure. This paper also proves that Yoon et al.'s scheme is still vulnerable to a parallel session attack.

📄 Full Content

To gain access rights on an authentication server (AS), a password-based remote user authentication scheme is used. The remote user makes a login request with the help of some secret information that is provided by the AS. On the other side, the AS checks the validity of a login request made by a remote user U. In these schemes, the AS and the remote user U share a secret, which is usually called a password. With knowledge of this password, the remote user U creates a valid login request to the AS, and the AS checks the validity of the login request before granting access rights to the user U.

Password authentication schemes with smart cards have a long history in the remote user authentication environment. So far, many different password authentication schemes with smart cards [3,4,5,6,12,13,14,18,20,21,22,23,26,31] have been proposed.

In 1981, Lamport [17] proposed the first well-known remote password authentication scheme using smart cards. In Lamport’s scheme, the AS stores a password table at the server to check the validity of the login request made by the user. However, the high hash overhead and the necessity of password resetting reduce the suitability and practicality of Lamport’s scheme. In addition, Lamport’s scheme is vulnerable to a small n attack [7]. Since then, many similar schemes [25,28] have been proposed. They all share a common feature: a verification password table must be securely stored in the AS.

This property is actually a disadvantage from the security point of view. Keeping in mind all the security requirements for a secure remote user authentication scheme, in 2002 Chien-Jan-Tseng [13] introduced an efficient remote user authentication scheme using smart cards. In 2004, Ku and Chen [33] pointed out some attacks [7,30,32] on Chien-Jan-Tseng’s scheme. According to Ku and Chen, Chien et al.’s scheme is vulnerable to a reflection attack [7] and an insider attack [32]. Ku and Chen claimed that Chien et al.’s scheme is also not reparable [32]. In addition, they proposed an improved scheme to prevent these two attacks, the reflection attack and the insider attack, on Chien-Jan-Tseng’s scheme. In the same year, Hsu [10] pointed out that Chien-Jan-Tseng’s scheme is still vulnerable to a parallel session attack, and Yoon et al. [11] claimed that the password change phase of the improved version of Chien-Jan-Tseng’s scheme is still insecure. This paper proves that security vulnerabilities still exist in Yoon et al.’s scheme and that it is still vulnerable to a parallel session attack.

Section II reviews Yoon et al.’s scheme [11]. Section III presents our observations on the security vulnerabilities of Yoon et al.’s scheme. Finally, Section IV concludes the paper.

This section briefly describes Yoon et al.’s scheme [11]. The scheme has four phases: the registration phase, the login phase, the verification phase and the password change phase. All four phases are described below.

This phase is invoked whenever U initially registers or re-registers with the AS. Let n denote the number of times U has re-registered with the AS. The following steps are involved in this phase.

User U selects a random number b, computes PW_S = f(b ⊕ PW), and submits her/his identity ID and PW_S to the AS through a secure channel.

where EID = (ID║n), and creates an entry for the user U in its account database, storing n = 0 for the initial registration and otherwise setting n = n + 1, where n denotes the present registration.

The AS provides a smart card to the user U through a secure channel. The smart card contains two secret numbers V and R and a one-way function f. User U enters her/his random number b into her/his smart card.
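An added illustration (not code from the paper) of the registration-phase pieces stated above: the user-side value PW_S = f(b ⊕ PW) and the AS-side re-registration counter n with EID = (ID║n). SHA-256 as f, the byte-wise XOR, and the `||` separator inside EID are assumptions; the computation of V, R and the login value C_2 is not given on this page and is not modelled.

```python
import hashlib
import secrets


def f(data: bytes) -> bytes:
    """One-way function f of the scheme. SHA-256 is an assumption; the page does not name f."""
    return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def user_register(pw: str, b: bytes = None):
    """User side of registration: pick random b and compute PW_S = f(b XOR PW).

    Returns (b, PW_S). Only PW_S leaves the user; b stays on the smart card,
    so the AS never sees the raw password PW.
    """
    pw_bytes = pw.encode()
    if b is None:
        b = secrets.token_bytes(len(pw_bytes))
    if len(b) != len(pw_bytes):
        # The XOR needs equal lengths; an unequal b would silently truncate.
        raise ValueError("b must have the same length as PW")
    return b, f(xor_bytes(b, pw_bytes))


class AuthServer:
    """AS side: account database keyed by ID, holding the registration counter n."""

    def __init__(self):
        self.accounts = {}  # ID -> n

    def register(self, ident: str, pw_s: bytes):
        # n = 0 for the initial registration, otherwise n = n + 1.
        if ident in self.accounts:
            self.accounts[ident] += 1
        else:
            self.accounts[ident] = 0
        n = self.accounts[ident]
        # EID = (ID || n); the "||" separator is an assumption for this illustration.
        eid = f"{ident}||{n}".encode()
        return n, eid
```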

For login, the user U inserts her/his smart card into the smart card reader and then keys in the identity and the password to gain access to services. The smart card then performs the following operations:

Here T_U denotes the current date and time of the smart card reader.

Sends a login request C = (ID, C_2, T_U) to the AS.

Assume the AS receives the message C at time T_S, where T_S is the current date and time at the AS. Then the AS takes the following actions:

If the identity ID or the time T_U is invalid, i.e. T_U = T_S, then the AS rejects this login request.

This phase is invoked whenever U wants to change her/his password PW to a new one, say PW_new. This phase has the following steps.

U inserts her/his smart card into the smart card reader, keys in her/his identity and the old password PW, and then requests to change the password.

Although Ku and Chen’s scheme was modified by Yoon et al. [11], our analysis shows that Yoon et al.’s scheme is still not secure. This section discusses the security weaknesses of Yoon et al.’s scheme.

This section discusses the security weaknesses of the password change phase of Yoon et al.’s scheme. The discussion is divided into two subsections, which are described below.

Observe the password change phase of Yoon et al.’s scheme: to replace the old password PW with a new password PW_new

This content is AI-processed based on open access ArXiv data.
