Abstract
Authentication of communicating entities and confidentiality of transmitted data are fundamental to establishing secure communications over public, insecure networks. Recently, many researchers have proposed a variety of authentication schemes to confirm legitimate users. Among these, one-time password authentication schemes require less computation and take the limitations of mobile devices into account. The purpose of one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed their scheme to solve the security problem, basing it on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack, and that an attacker therefore cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal of authenticating communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.
Original language | English |
---|---|
Title of host publication | Communications in Computer and Information Science |
Pages | 421-430 |
Number of pages | 10 |
Volume | 56 |
DOIs | 10.1007/978-3-642-10844-0_49 |
Publication status | Published - 2009 Dec 1 |
Externally published | Yes |
Publication series
Name | Communications in Computer and Information Science |
---|---|
Volume | 56 |
ISSN (Print) | 18650929 |
Keywords
- Authentication scheme
- Impersonation attack
- One-time password
ASJC Scopus subject areas
- Computer Science(all)
Cite this
Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. / Kim, Mijin; Lee, Byunghee; Kim, Seung-Joo; Won, Dongho.
Communications in Computer and Information Science. Vol. 56 2009. p. 421-430 (Communications in Computer and Information Science; Vol. 56).
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme
AU - Kim, Mijin
AU - Lee, Byunghee
AU - Kim, Seung-Joo
AU - Won, Dongho
PY - 2009/12/1
Y1 - 2009/12/1
KW - Authentication scheme
KW - Impersonation attack
KW - One-time password
UR - http://www.scopus.com/inward/record.url?scp=73349125746&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=73349125746&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-10844-0_49
DO - 10.1007/978-3-642-10844-0_49
M3 - Conference contribution
AN - SCOPUS:73349125746
SN - 9783642108433
VL - 56
T3 - Communications in Computer and Information Science
SP - 421
EP - 430
BT - Communications in Computer and Information Science
ER -