Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme

Mijin Kim, Byunghee Lee, Seung-Joo Kim, Dongho Won

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.

Original language: English
Title of host publication: Communications in Computer and Information Science
Pages: 421-430
Number of pages: 10
Volume: 56
DOI: https://doi.org/10.1007/978-3-642-10844-0_49
Publication status: Published - 2009 Dec 1
Externally published: Yes

Publication series

Name: Communications in Computer and Information Science
Volume: 56
ISSN (Print): 18650929

Fingerprint

Authentication
Mobile devices
Defects

Keywords

  • Authentication scheme
  • Impersonation attack
  • One-time password

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Kim, M., Lee, B., Kim, S-J., & Won, D. (2009). Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. In Communications in Computer and Information Science (Vol. 56, pp. 421-430). (Communications in Computer and Information Science; Vol. 56). https://doi.org/10.1007/978-3-642-10844-0_49

@inproceedings{205167112196421f9098581652509521,
title = "Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme",
keywords = "Authentication scheme, Impersonation attack, One-time password",
author = "Mijin Kim and Byunghee Lee and Seung-Joo Kim and Dongho Won",
year = "2009",
month = "12",
day = "1",
doi = "10.1007/978-3-642-10844-0_49",
language = "English",
isbn = "9783642108433",
volume = "56",
series = "Communications in Computer and Information Science",
pages = "421--430",
booktitle = "Communications in Computer and Information Science",

}
