Cryptanalysis and improvement of 'a robust smart-card-based remote user password authentication scheme'

Cryptanalysis and improvement of 'a robust smart-card-based remote user password authentication scheme'

SUMMARY With the use of smart card in user authentication mechanisms, the concept of two‐factor authentication came into existence. This was a forward move towards more secure and reliable user authentication systems. It elevated the security level by requiring a user to possess something in additio...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:International journal of communication systems 2014-12, Vol.27 (12), p.3939-3955
Hauptverfasser: Kumari, Saru, Khan, Muhammad Khurram
Format: Artikel
Sprache:eng
Schlagworte:
Authentication
Communication systems
Cryptography
Elevated
Messages
password-guessing attack
Passwords
Security
session-key disclosure
smart card
Smart cards
two-factor security
user anonymity
user impersonation attack
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:SUMMARY With the use of smart card in user authentication mechanisms, the concept of two‐factor authentication came into existence. This was a forward move towards more secure and reliable user authentication systems. It elevated the security level by requiring a user to possess something in addition to know something. In 2010, Sood et al. and Song independently examined a smart‐card‐based authentication scheme proposed by Xu et al. They showed that in the scheme of Xu et al., an internal user of the system can turn hostile to impersonate other users of the system. Both of them also proposed schemes to improve the scheme of Xu et al. Recently, Chen et al. identified some security problems in the improved schemes proposed by Sood et al. and Song. To fix these problems, Chen et al. presented another scheme, which they claimed to provide mutual authentication and withstand lost smart card attack. Undoubtedly, in their scheme, a user can also verify the legitimacy of server, but we find that the scheme fails to resist impersonation attacks and privileged insider attack. We also show that the scheme does not provide important features such as user anonymity, confidentiality to air messages, and revocation of lost/stolen smart card. Besides, the scheme defies the very purpose of two‐factor security. Furthermore, an attacker can guess a user's password from his or her lost/stolen smart card. To meet these challenges, we propose a user authentication method with user anonymity. We show through analysis and comparison that the proposed scheme exhibits enhanced efficiency in contrast to related schemes, including the scheme of Chen et al. Copyright © 2013 John Wiley & Sons, Ltd. The concept of two‐factor authentication was a forward move towards more secure user authentication. In 2012, Chen et al. designed a user authentication scheme motivated with their cryptanalysis of some already published schemes. This article analyzes security aspects of the scheme of Chen et al. We expose its vulnerabilities including weak two‐factor security. To meet these challenges, we propose a user authentication method with user anonymity. We also demonstrate its enhanced efficiency in contrast to related schemes including the scheme of Chen et al.
ISSN:1074-5351
1099-1131
DOI:10.1002/dac.2590