Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Analysis of the Secure Password Authentication Protocol_1_

VIEWS: 15 PAGES: 5

Password Authentication Protocol (PAP), is the focus of a PPP link control protocol agreements, mainly through the use of 2 to provide a handshake on the other nodes to establish a simple method of authentication, which is determined based on the initial link basis.

More Info
									ECE 679 PROJECT, SPRING 2004                                                                                                1




     Analysis of the Secure Password Authentication
                         Protocol
                                                    Minho Kim
                                        Electrical & Computer Engineering
                                              Oregon State University
                                              Corvallis, Oregon 97331
                                           E-mail: mhkim@ece.orst.edu

   Abstract—                                                    authentication scheme, the SAS protocol, which was in-
   In the Internet and Mobile communication environment,        tended to be superior to several well-known scheme as
authentication of the users is very important. Although at
present password is extensively used for authentication, bare
                                                                mentioned above. However, Lin et al.[8] showed that the
password transmission suffers from some inherent shortcom-       SAS protocol is vulnerable to the replay attack and the
ings. Several password-based authentication methods have        denial of service attack, and then proposed a Optimal
been proposed to eliminate such shortcomings. In 2000           Strong-Password Authentication scheme, the OSPA proto-
and 2001, Lin et al. addressed two weaknesses of a new
strong-password authentication scheme, the SAS protocol,        col, which was asserted to be secure against stolen-verifier
and then proposed an improved one called the OSPA Pro-          attacks, replay attacks, and the denial of service attacks.
tocol. However, Chen et al. found that both the SAS and         Also, Chen et al.[9] found that the SAS and the OSPA pro-
OSPA protocol are vulnerable to the stolenverifier attack.
Also, Tsuji et al. devise an impersonation attack on the        tocol cannot effectively resist the stolen-verifier attack as
OSPA method and discuss how to break down the OSPA              the claimed. Even though, Chen et al.’s attack to the SAS
method. Later, Lin et al. proposed an enhanced protocol         and OSPA methods, this problem is solved if the server
of OSPA and showed that the improved protocol can resist
the guessing attack, the reply attack, the impersonation at-
                                                                provides strong management. So, Tsuji et al.[10] devise
tack, and the stolen-verifier attack. But, Ku et al. found       an impersonation attack on the OSPA method without an
that their protocol is still vulnerable to a reply attack and   active attack on the server.
a denial-of-service attack. Recently, Wei-Chi Ku propose
a more secure hash-based strong-password authentication           Later, Lin et al.[11] proposed an enhanced protocol of
scheme without using smart cards. However, we find that          OSPA and showed that the improved protocol can resist
Ku’s proposed scheme is still vulnerable to a replay attack,    the guessing attack, the reply attack, the impersonation at-
stolen verifier attack, and an impersonation attack.
                                                                tack, and the stolen-verifier attack. But, Ku et al.[12] found
                                                                that their protocol is still vulnerable to a reply attack and
                    I. Introduction                             a denial-of-service attack. Also, these two simple attacks
   Password authentication is regard as one of the sim-         can be easily performed without compromising the server in
plest and the most convenient authentication mechanisms.        advance. Recently, Wei-Chi Ku[13] propose a more secure
However, they are neither cost effective nor suitable for        hash-based strong-password authentication scheme with-
distributed environments as like modern mobile applica-         out using smart cards that can withstand the replay attack,
tions. Usually the password is hashed and stored in the         the password-file compromise attack, the denial-of-service
computer to prevent stealing by others. Several such            attack, the predictable n attack, and the insider attack.
hash functions are available. Most famous are DES[1],
FEAL[2], MISTY[3] etc. In the Lamport[4] one time pass-           Stolen-verifier problem. In most applications, the server
word method, those problems are eliminated. But there               stores verifiers of users’ passwords instead of the clear
are two practical difficulties in Lamport method. One is              text of passwords. The stolen-verifier problem means
the high hash overhead and the other is the necessity for           that a thief who steals the password-verifier from the
password resetting. High hash overhead and password re-             server can use it directly to masquerade as a legitimate
setting are solved in CINON[5]. But this method need two            user in the authentication protocol.
random numbers which was generated by the user and the            Replay attack. A replay attack is an offensive action in
user is required to memorize them in some sort of mem-              which an adversary impersonates or deceives an other
ory. This random number memorizing problem is solved                legitimate participant through the reuse of information
in the PERM[6]. In this method one random number (in                obtained in a protocol.
the form of an initial value incremented at each authenti-        Denial of service attack. The denial of service attack
cation) is stored in the host and sent to the user at each          prevents or inhibits the normal use or management
authentication. However, there is a possible security flaw           of communications facilities. This attack may act on
in the system. It is a kind of man in the middle attack             a specific user as like an adversary who may cause
where an adversary would be able to login after tapping             the server to reject all logins of a specific user until
the communication line in two consecutive sessions.                 re-registration.
   Sandirigama et al.[7] proposed a simple strong-password        Impersonation attack. This attack deceives the identity
2                                                                                                ECE 679 PROJECT, SPRING 2004


        of one of the legitimate parties. An attacker inserts a   A.1 Registration Phase
        message and claims it comes from a real sender.           Step R1. U calculates h 2 (P  1).
                                                                  Step R2. U =⇒ S : U, h 2 (P    1).
                     II. SAS Description                          Step R3. S stores U, h 2 (P  1), and T = 1.

A. Notations                                                      A.2 Authentication Phase
    •   U denotes the user.                                       For U’s nth login:
    •   S denotes the authentication server.                       Step A1. U −→ S : U, service request.
    •   E denotes the adversary.                                   Step A2. S −→ U : n.
    •   P represents the strong password of U.                     Step A3. U −→ S : c1 , c2 , c3 ,
    •   T denotes a positive integer indicating the number of           where
        times the authentication is being executed.                       c1 = h(P       n)    h 2 (P     n),
    •   Nn denotes a random number used for the nth authen-               c2 = h 2 (P     (n+1))      h(P     n),
        tication.                                                         c3 = h 3 (P     (n+1)).
    •   h denotes a cryptographic hash function. h(m) means        Step A4. S checks if c1 = c2 holds. If it does,
        m is hashed once, h 2 (m) means m is hashed twice.              S uses the stored h 2 (P      n) to compute
    •      denotes the bitwise XOR operation.                             y1 = c 1     h 2 (P    n),
    •     denotes the concatenation.                                      y2 = c 2      y1 ,
    •   The expression A −→ B : X represents that A sends               If h(y1 ) equals the stored h 2 (P    n) and
        X to B through a common channel.                                h(y2 ) = c3 holds, S replaces h 2 (P      n) with
    •   The expression A =⇒ B : X represents that A sends               y2 (=h 2 (P    (n+1))), and sets T = n+1
        X to B through a secure channel.                                for U’s next login.

B. SAS Protocol
  The protocol consists of two phases namely registration               IV. Impersonation Attack on the OSPA
phase and authentication phase. The registration is done    When the server authenticates the user using the OSPA
only once and authentication is done every time the user  system, the server receives data consisting of two verifiers.
logs in.                                                  Then the attacker impersonates a regular user with that au-
                                                          thentication data. In an attack on the OSPA, the attacker
B.1 Registration Phase                                    replays and forges authentication data with communication
 Step R1. U choose an initial random number No , and then data from the previous authentication session.
             computes h 2 (P No ).
 Step R2. U =⇒ S : U, h 2 (P No ), No .                   A. Impersonation Attack with Two Previous Verifiers
                         2
 Step R3. S stores U, h (P No ), and No .                   When the user tries to be authenticated by the server
                                                          on the (n+1)th authentication session, it is assumed that
B.2 Authentication Phase                                  an attacker has intercepted transmission data from the (n–
For U’s nth login:                                        1)th to the (n+1)th authentication sessions. Those data
 Step A1. U −→ S : U, service request.                    are as follows:
 Step A2. S −→ U : Nn .
                                                           The (n–1)th authentication data are
 Step A3. U −→ S : c1 , c2 , c3 ,
                                                                 c(n−1)1 = h(P       (n-1))      h 2 (P     (n-1)),
       where                                                                  2
                              2                                  c(n−1)2 = h (P       n)       h(P      (n-1)),
         c1 = h(P Nn )      h (P Nn ),
                                                                 c(n−1)3 = h 3 (P     n),
         c2 = h 2 (P Nn+1 )     h 2 (P Nn ),
                                                           the nth authentication data are
         c3 = Nn+1 .
                                                                 c(n)1 = h(P      n)      h 2 (P      n),
 Step A4. S uses the stored h 2 (P Nn ) to compute                         2
                       2                                         c(n)2 = h (P      (n+1))        h(P      n),
         y 1 = c1     h (P Nn ),
                       2                                         c(n)3 = h 3 (P    (n+1)),
         y 2 = c2     h (P Nn ),
                                                           the (n+1)th authentication data are
     If h(y1 ) equals the stored h 2 (P Nn ),
                   2                                             c(n+1)1 = h(P       (n+1)       h 2 (P     (n+1)),
     S replaces h (P Nn ) and Nn with                                         2
             2                                                   c(n+1)2 = h (P       (n+2))        h(P      (n+1)),
     y2 (=h (P Nn+1 )) and Nn+1 for A’s next login.
                                                                 c(n+1)3 = h 3 (P     (n+2)).
                                                                     When the attacker impersonates the user, he first com-
                   III. OSPA Description                          putes h 2 (P   n)     h(P     (n+1)) from c(n)1       c(n)2
A. OSPA Protocol                                                  c(n+1)1 and replaces c (n+1)3 with c(n−1)3 . Next the at-
                                                                  tacker sends the following data to the server for the (n+1)th
   The OSPA protocol also consists of two phases: the reg-
                                                                  authentication session.
istration phase and the authentication phase. I describe
these two phases as follows.                                            c (n+1)1 = h(P      (n+1))      h 2 (P   (n+1)),
KIM, MINHO                                                                                                                           3


       c (n+1)2 = h 2 (P    n)     h(P     (n+1)),                        c   (n+1)3   = h 3 (P     s).
       c (n+1)3 = h 3 (P    n).
                                                                    Therefore, the attacker can change the verifier using pre-
   After receiving the authentication data, the server            vious verifiers.
first checks whether c(n+1)1 = c (n+1)2 .          The data
is accepted because h 2 (P        (n+1)) is different from         C. Impersonation Attack with Various Verifiers
h 2 (P    n). Next the server retrieves h(P     (n+1)) from         In above subsection A and B, the attacker can change
c(n+1)1      h 2 (P     (n+1)), and gets h 2 (P    n) from        the verifier to one of the previous verifiers. Then it is as-
c (n+1)2      h(P      (n+1)). Then the server compares           sumed that the attacker changes the verifier used in the
h(h(P      (n+1))) with the stored verifier h 2 (P   (n+1)),       sth authentication session. Next the attacker logs in to the
and compares h(h 2 (P        n)) with the received c (n+1)3 .     system, and changes the verifier. However, the new ver-
There are the same so the user is authenticated. Then             ifier is limited to h 2 (P    t) (t is an integer, 1 < t < s
the server stores h 2 (P    n) and sets n=n+1 for the next        or t = s + 1). This means that the attacker changes the
authentication.                                                   verifier to the next one h 2 (P      (s+1)) if s is small. For
   In the future, if the attacker wants to login, he alter-       example, an attacker could change verifiers as follows:
nately sends the following two sets. The attacker uses the
first set in the (n+2k)th authentication session (k is a nat-        · · ·, h 2 (P      7), h 2 (P   4), h 2 (P   2), h 2 (P   3), · · ·
ural number)
      c1 = h(P      n)    h 2 (P      n),                            Then the attacker changes verifiers sequentially, like
             2
      c2 = h (P      (n+1))      h(P      n),                     h 2 (P   2), h 2 (P   3). In that case, the crime can easily
      c3 = h 3 (P    (n+1)),                                      be detected because the verifiers are changed sequentially.
and the attacker uses the second set in the (n+2k+1)th            Then the server memorizes only two sequential verifiers.
authentication session                                               This problem is solved then: the attacker doesn’t change
      c1 = h(P      (n+1))      h 2 (P    (n+1)),                 the verifier sequentially. For example, when the attacker
      c2 = h 2 (P    n)    h(P        (n+1)),                     changes the verifier from h 2 (P    s) to h 2 (P  (s+2)), he
      c3 = h 3 (P    n),                                          generates the following transmission data.

then the verifier in the server is changed to h 2 (P (n+1))          The attacker uses the sth authentication data
and h 2 (P    n) in turns. In this way, the attacker can                c(s)1 = h(P      s)    h 2 (P      s),
                                                                                  2
impersonate the regular user.                                           c(s)2 = h (P      (s+1))        h(P     s),
                                                                        c(s)3 = h 3 (P    (s+1)),
B. Impersonation Attack Using Many Previous Verifiers              and the (s+1)th authentication data
                                                                        c(s+1)1 = h(P       s)     h 2 (P     (s+1)),
   In an impersonation attack with two previous verifiers,                            2
                                                                        c(s+1)2 = h (P       (s+2))       h(P      (s+1)),
the invasion can be detected if the server has stored two
                                                                        c(s+1)3 = h 3 (P     (s+2)).
verifiers. As a result, the attacker has to change the next
verifier intentionally.                                               The attacker computes c2 from c(s)2          c(s+1)1  c(s+1)2 ,
   As above mentioned, the attacker makes c(n+1)1 , c (n+1)2 ,    and replaces c3 and c(s+1)3 . Then he sends the following
c (n+1)3 using transmission data from the (n–1)th to the          data and changes the verifier to h 2 (P          (s+2)).
(n+1)th authentication sessions. In the same manner, the                   c1 = h(P      s)     h 2 (P    s),
attacker can generate the following data using communica-                  c2 = h 2 (P    (s+2))       h(P     s),
tion data from the (n–2)th to the (n+1)th authentication                   c3 = h 3 (P    (s+2)).
sessions, and changes the verifier from h 2 (P      (n+1)) to           Similarly, the attacker computes c2 from c(s)2       c(s+1)1
h 2 (P   (n–1)). Then the attacker computes c (n+1)2 from              c(s+1)2      ···     c(u−1)1      c(u−1)2 , and replaces c3
c(n−1)1    c(n−1)2     c(n)1   c(n)2   c(n+1)1 , and replaces     with c(u−1)3 . Then the attacker can change the verifier to
c (n+1)3 with c(n−2)3 .                                           h 2 (P     u) using the sth to (u-1)th authentication data (u
       c(n+1)1 = h(P     (n+1))    h 2 (P       (n+1)),           is an integer, s < u < n + 2) as below:
                    2
       c (n+1)2 = h (P     (n–1))    h(P         (n+1)),                   c1 = h(P      s)     h 2 (P    s),
                                                                                  2
       c (n+1)3 = h 3 (P   (n–1)).                                         c2 = h (P      u)      h(P      s),
                                                                           c3 = h 3 (P    u).
   The attacker can generate the following data in                   Therefore, the attacker can change the next verifier using
a similar manner, and the change the verifier from                 various verifiers.
h 2 (P       (n+1)) to h 2 (P         s) (s is an integer, 1 <
s < n + 1). Then the attacker computes c (n+1)2 from D. Hybrid Impersonation Attack
c(s)1     c(s)2     c(s+1)1     c(s+1)2    ···     c(n−1)1   c(n−1)2
                                                                       The attacker can change the verifier in various ways us-
     c(n)1      c(n)2      c(n+1)1 , and replaces c (n+1)3 with
                                                                     ing a combination of the three techniques explained above
c(s−1)3 .
                                                                     section A, B, and C.
        c(n+1)1 = h(P         (n+1))      h 2 (P     (n+1)),           However, the crime can be detected if the server has
        c (n+1)2 = h 2 (P        s)     h(P      (n+1)),             stored all verifiers, because the attacker changes to the ver-
4                                                                                                     ECE 679 PROJECT, SPRING 2004


ifier used before, but storing all the verifiers isn’t practical.   A. Denial-of-Service Attack
Further, the user can’t use the same verifier if the server          A denial-of-service attack is an offensive action whereby
stores and checks all verifiers. Such a mechanism can’t en-        the adversary could use some method to work upon the
sure security if the user has used the system for a long time.    server so that the access requests issued by the legitimate
                                                                  user will be denied by the server. During Step A2 of Lin-
        V. Security Enhancement for Optimal                       Shen-hwang’s protocol, E can replace the transmitting c3
       Strong-Password Authentication Protocol                    with an equal-sized random number, denoted by c3 while
                                                                  the transmitting U and c2 are left unchanged. After receiv-
A. Lin-Shen-Hwang’s Protocol                                      ing this modified message, S will compute
  This scheme propose a new scheme to withstand the                              c2 = h(X U)           c2 = h(P         N)
stolen verifier problem. Also, it is composed of two phases:
the registration phase and the authentication phase.              where c2 = h(X U)              h(P    N). Since h(c2 ) equals the
                                                                  stored verifier h 2 (P          N), S will grant U’s login request
A.1 Registration Phase                                            and compute
Step R1. U calculates h 2 (P    N),                                                         h 2 (X U)         c3
     where N is a nonce.
Step R2. U =⇒ S : U, h 2 (P      N).                              Then, S updates the verifier h 2 (P                 N) with
Step R3. S checks U and stores U, h 2 (P  N).                     h 2 (X U)    c3 for U’s next login. Although U can success-
Step R4. S stores K and N into U’s SC and                         fully login S in this session, his succeeding login requests
     releases it to U,                                            will be denied unless he re-registers to S again. That is, E
     where                                                        can easily lock the account of any user without using any
       SC is the smart card,                                      cryptographic technique. Thus, Lin-Shen-hwang’s protocol
       K = h 2 (P     N)     h(X U),                              is vulerable to a denial-of-service attack.
       X is the secret key of the server.                         B. Replay Attack
A.2 Authentication Phase                                             Suppose that, before U’s nth login, the E has eaves-
                                                                  dropped U’s two previous authentication messages (U,
   For U’s login, U inserts U’s SC into a login device and         (n−2)    (n−2)              (n−1)    (n−1)
keys in the password(U,P). The smart card perform the             c2     , c3     ) and (U, c2       , c3     ). During U’s nth
                                                                                                                            (n)
following operations:                                             login process, E can replace the transmitting (U, c2 ,
                                                                   (n)               (n)   (n−2)           (n)
Step A1. U −→ S : U, c2 , and c3 as a login request.              c3 ) with (U, c2 , c3          ), i.e., c3 is replaced with
                                                                   (n−2)
     where                                                        c3      (=h 2 (X U)    h 2 (P     N(n−1) )), N(n−2) = N(n−1) ,
       c1 = K      h 2 (P  N) = h(X U). Here K is                 which was used in U’s (n–2)th authentication session.
       stored in the smart card.                                  Next, S will compute
       c 2 = c1    h(P     N),                                              c2   (n)
                                                                                       = h(X U)       c2
                                                                                                        (n)
                                                                                                              = h(P      N(n) )
       c3 = h(c1 ) h 2 (P      N )).
                                                                           (n)
       where N is a new random nonce and                          where c2 = h(X U)          h(P               N(n) ). Since h(c2 (n) )
       h 2 (P   N ) is a new verifier for the next login.          equals the stored verifier h 2 (P             N(n) ), S will grant U’s
                                                                  login request and compute
S performs the following operations to identify: the login                               (n−2)
user                                                                   h 2 (X U)     c3
                                                                       =h 2 (X U)      h 2 (X U)           h 2 (P     N(n−1) )
Step A2. Check the format of U.                                        =h (P2
                                                                                  N (n−1)
                                                                                            )
Step A3. Check the identity of the login user by c2 .
     The server computes h(X U) and c2 ,                             Next, S replaces the verifier h 2 (P                  N(n) ) with
     where c2 = h(X U)          c2 = h(P     N) and                2
                                                                  h (P       N (n−1)
                                                                                     ) for U’s next login. Before U’s next login,
     checks h(c2 ) with the stored verifier h 2 (P     N).         E can impersonate as A to login S by sending (U, c2
                                                                                                                                 (n−1)
                                                                                                                                       ,
     If it passes, then the server accepts the login request       (n−1)                                   (n−1)
                                                                  c3     ) to S. Because h(h(X U)         c2       ) equals the stored
     and permits the accessing power.
                                                                  verifier h 2 (P      N(n−1) ), S will grant E’s login request and
Step A4. Calculate h 2 (P     N ) and update h 2 (P     N)
             2                                                    replace the verifier h 2 (P         N(n−1) ) with h 2 (P        N(n) ).
     with h (P       N ) for the next login.
                                                                  In addition, E can impersonate as A to login S by using
     h 2 (P    N ) = h 2 (X U)      c3                                  (n)   (n−2)
                                                                  (U, c2 , c3       ) as his next authentication message. Simi-
                                                                                                        (n−1)    (n−1)             (n)
                                                                  larly, E can repeatedly use (U, c2          , c3     ) and (U, c2 ,
    VI. Weaknesses of Lin-Shen-Hwang’s Protocol                    (n−2)                                               (n)   (n)
                                                                  c3     ) to impersonate as he can send (U, c2 , c3 ) with
                                                                        (n)   (n−2)
  In this section, we are shown Lin-Shen-hwang’s proto-           (U, c2 , c3       ) to S. If this replay attack is completed be-
col is vulnerable to a denial-of-service attack and a replay      fore U’s next login, it will not be detected easily by U.
attack.
KIM, MINHO                                                                                                                           5


        VII. A Hash-Based Strong-Password                         VIII. Stolen-Verifier Attack on the Ku’s Scheme
         Authentication Scheme without Using                     Assume that an adversary E has stolen the the password-
                     Smart Cards                              verifier, h 2 (S P n t) when U’s nth registration. Then,
  There are two protocol, the registration and the login during U’s nth login process, E blocks and copies the
protocol, which can be described as in the following.         message n, r, t in step L2, and c1 , c2 , and c3 in Step
                                                              L3. E derives h(S P n t) by XORing the previous stolen
A. Registration Protocol                                      h 2 (S P n t) with the captured c1 , and derives h 2 (S P n+
                                                              1 t) with h(S P n t). Then E sends c1 , c2 , and c3 to
  This protocol is invoked whenever U initially registers or server S. After receiving the authentication message, S first
re-registers to S. Let T denote the latest time U initially retrieves k(t) = h(S P n t) and the uses the computed k(t)
                                                                            A                                                   A
registers or re-registers to S and N denotes a sequence num- to derive the verifier h 2 (S P n t) from the stored sealed
ber starting from 1 since U’s initial registration.           verifier sv (n) (=h 2 (S P n t)
                                                                                                        (t)
                                                                                                      kA ). Next, S computes
                                                              u1 = c1          h 2 (S P n t) and u2 = c2           u1 . If h(u1 )
 Step R1. U sends his registration request to S.
                                                              equals the retrieved h 2 (S P n t) and h(u2 r)=c3 holds, S
 Step R2. S sets T to the value of his current timestamp.
                                                              authenticates U.
            If it is U’s initial registration, S sets N to 1.
                                                                 After that E compute and change c1 , c2 , and c3 with
            Otherwise, S sets N=N+1.
                                                              c1 , c2 , and c3 with new password P , n, r, and t what E
            U =⇒ S : N, T.
                                                              received in the Step L2. Then E’ll always success to login.
 Step R3. U computes the verifier h 2 (S P N T), and then
                                                                 .........
            U =⇒ S : h 2 (S P N T).
                                               (T)
 Step R4. S computes the storage key kA :
              (T)
            kA =h(A h(k T )),                                                            References
            and then computes the sealed verifier              [1] NBS, “Data encryption standard,” FIPS-PUB-45, 1997.
                                           (T)                [2] A.Shimizu and S.Miyaguchi, “Fast data encipherment algorithm
            sv (T ) =h 2 (S P N T)       kA . Next, S stores        feal,” IEICE Transactions, , no. 7, pp. 1413–1423, July 1987.
               (T )
            sv , T, and N in his password file.                [3] M.Matsui, “New block encryption algorithm misty,” Lecture
         where                                                      Note in Computer Science, FSE 1997, pp. 54–68, 1997.
                                                              [4] L.Lamport, “Password authentication with insecure communica-
           k denotes S’s secret key commonly used for               tion,” Communications of the ACM, vol. 24, no. 11, pp. 770–772,
           generating a unique storage key for each user.           1981.
                                                                  [5]    A.Shimizu, “A dynamic password authentication method by
                                                                         one-way function,” IEICE Transactions, , no. 7, pp. 630–636,
B. Login Protocol                                                        July 1990.
                                                                  [6]    A.Shimizu, T.Horioka, and H.Inagaki, “A password authentica-
  This protocol is invoked whenever U logins S. Suppose                  tion method for contents communication on the internet,” IE-
that N=n and T=t.                                                        ICE Transactions on Communications, , no. 8, pp. 1666–1673,
                                                                         Aug. 1998.
                                                                  [7]    Manjula Sandirigama, Akihiro Shimizu, and Matu-Tarow Noda,
Step L1. U −→ S : login request.                                         “Simple and secure password authentication protocol(sas),” IE-
Step L2. S −→ U : n, r, t.                                               ICE Transactions on Communications, , no. 6, pp. 1363–1365,
                                                                         June 2000.
     where r is a random nonce selected by S.                     [8]    Chun-Li Lin, Hung-Min SUN, and Tzonelih Hwang, “At-
Step L3. U −→ S : c1 , c2 , c3 ,                                         tacks and solutions on strong-password authentication,” IEICE
     where                                                               Transactions on Communications, , no. 9, pp. 2622–2627, Sept.
                                                                         2001.
       c1 = h 2 (S P n t)        h(S P n t),                      [9]    Chien-Ming Chen and Wei-Chi Ku, “Stolen-verifier attack on
       c2 = h(S P n t)        h 2 (S P n + 1 t),                         two new strong-password authentication protocols,” IEICE
       c3 = h(h 2 (S P n + 1 t) r).                                      Transactions on Communications, , no. 11, pp. 2519–2521, Nov.
                                                                         2002.
Step L4. S retrieves t from his password file and computes         [10]   T.Tsuji and A.Shimizu, “An implementation attack on one-time
                                                                         password authentication protocol ospa,” IEICE Transactions on
        (t)
      kA =h(A h(k t)), and then uses the computed                        Communications, , no. 7, pp. 2182–2185, July 2003.
        (t)                                                       [11]   Chih-Wei Lin, Jau-Ji Shen, and Min-Shiang Hwang, “Security
       kA to derive the verifier h 2 (S P n t) from the                   enhancement for optimal strong-password authentication proto-
                                                           (t)           col,” ACM Operating System Review, vol. 37, no. 2, pp. 7–12,
       stored sealed verifier sv (n) (=h 2 (S P n t)   kA ).              Apr. 2003.
       Next, S computes                                           [12]   Wei-Chi Ku, Hao-Chuan Tsai, and Shuai-Min Chen, “Two sim-
                                                                         ple attacks on lin-shen-hwang’s strong-password authentication
         u1 = c1     h 2 (S P n t),                                      protocol,” ACM Operating System Review, vol. 37, no. 4, pp.
         u2 = c2     u1 .                                                26–31, Oct. 2003.
                                                                  [13]   Wei-Chi Ku, “A hash-based strong-password authentication
  If h(u1 ) equals the retrieved h 2 (S P n t) and                       scheme without using smart cards,” ACM Operating System
h(u2 r)=c3 holds, S authenticates U. Otherwise, S rejects                Review, vol. 38, no. 1, pp. 29–34, Jan. 2004.
U’s login request and terminates this session. Then, S com-
                            (t)                         (t)
putes sv (n+1) = u2        kA (=h 2 (S P n + 1 t)      kA ),
            (n)         (n+1)
replaces sv     with sv       , and sets N=n+1 for U’s next
login protocol, the value of T is unchanged, i.e., T=t.

								
To top