Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme

Mijin Kim; Byunghee Lee; Seungjoo Kim; Dongho Won

doi:10.1007/978-3-642-10844-0_49

Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme

Mijin Kim, Byunghee Lee, Seungjoo Kim, Dongho Won

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.

Original language	English
Title of host publication	Communication and Networking
Subtitle of host publication	International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro
Editors	Dominik Slezak, Tai-hoon Kim, Alan Chin-Chen Chang, Thanos Vasilakos, MingChu Li, Kouichi Sakurai
Pages	421-430
Number of pages	10
DOIs	https://doi.org/10.1007/978-3-642-10844-0_49
Publication status	Published - 2009
Externally published	Yes

Publication series

Name	Communications in Computer and Information Science
Volume	56
ISSN (Print)	1865-0929

Keywords

Authentication scheme
Impersonation attack
One-time password

ASJC Scopus subject areas

Computer Science(all)
Mathematics(all)

Access to Document

10.1007/978-3-642-10844-0_49

Fingerprint Dive into the research topics of 'Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme'. Together they form a unique fingerprint.

Cite this

Kim, M., Lee, B., Kim, S., & Won, D. (2009). Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. In D. Slezak, T. Kim, A. C-C. Chang, T. Vasilakos, M. Li, & K. Sakurai (Eds.), Communication and Networking: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro (pp. 421-430). (Communications in Computer and Information Science; Vol. 56). https://doi.org/10.1007/978-3-642-10844-0_49

Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. / Kim, Mijin; Lee, Byunghee; Kim, Seungjoo; Won, Dongho.

Communication and Networking: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro. ed. / Dominik Slezak; Tai-hoon Kim; Alan Chin-Chen Chang; Thanos Vasilakos; MingChu Li; Kouichi Sakurai. 2009. p. 421-430 (Communications in Computer and Information Science; Vol. 56).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, M, Lee, B, Kim, S & Won, D 2009, Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. in D Slezak, T Kim, AC-C Chang, T Vasilakos, M Li & K Sakurai (eds), Communication and Networking: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro. Communications in Computer and Information Science, vol. 56, pp. 421-430. https://doi.org/10.1007/978-3-642-10844-0_49

Kim M, Lee B, Kim S, Won D. Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. In Slezak D, Kim T, Chang AC-C, Vasilakos T, Li M, Sakurai K, editors, Communication and Networking: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro. 2009. p. 421-430. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-642-10844-0_49

Kim, Mijin ; Lee, Byunghee ; Kim, Seungjoo ; Won, Dongho. / Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme. Communication and Networking: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro. editor / Dominik Slezak ; Tai-hoon Kim ; Alan Chin-Chen Chang ; Thanos Vasilakos ; MingChu Li ; Kouichi Sakurai. 2009. pp. 421-430 (Communications in Computer and Information Science).

@inproceedings{205167112196421f9098581652509521,

title = "Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme",

abstract = "Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.",

keywords = "Authentication scheme, Impersonation attack, One-time password",

author = "Mijin Kim and Byunghee Lee and Seungjoo Kim and Dongho Won",

year = "2009",

doi = "10.1007/978-3-642-10844-0_49",

language = "English",

isbn = "9783642108433",

series = "Communications in Computer and Information Science",

pages = "421--430",

editor = "Dominik Slezak and Tai-hoon Kim and Chang, {Alan Chin-Chen} and Thanos Vasilakos and MingChu Li and Kouichi Sakurai",

booktitle = "Communication and Networking",

}

TY - GEN

T1 - Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme

AU - Kim, Mijin

AU - Lee, Byunghee

AU - Kim, Seungjoo

AU - Won, Dongho

PY - 2009

Y1 - 2009

N2 - Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.

AB - Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources.This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.

KW - Authentication scheme

KW - Impersonation attack

KW - One-time password

UR - http://www.scopus.com/inward/record.url?scp=73349125746&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=73349125746&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-10844-0_49

DO - 10.1007/978-3-642-10844-0_49

M3 - Conference contribution

AN - SCOPUS:73349125746

SN - 9783642108433

T3 - Communications in Computer and Information Science

SP - 421

EP - 430

BT - Communication and Networking

A2 - Slezak, Dominik

A2 - Kim, Tai-hoon

A2 - Chang, Alan Chin-Chen

A2 - Vasilakos, Thanos

A2 - Li, MingChu

A2 - Sakurai, Kouichi

ER -