TY - GEN
T1 - Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme
AU - Kim, Mijin
AU - Lee, Byunghee
AU - Kim, Seungjoo
AU - Won, Dongho
N1 - Funding Information:
This work was supported by the Ministry of Knowledge Economy, Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Advancement) (IITA-2009-(C1090-0902-0016)) and the Defense Acquisition Program Administration and Agency for Defense Development under the contract UD070054AD.
PY - 2009
Y1 - 2009
N2 - Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.
AB - Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.
KW - Authentication scheme
KW - Impersonation attack
KW - One-time password
UR - http://www.scopus.com/inward/record.url?scp=73349125746&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-10844-0_49
DO - 10.1007/978-3-642-10844-0_49
M3 - Conference contribution
AN - SCOPUS:73349125746
SN - 9783642108433
T3 - Communications in Computer and Information Science
SP - 421
EP - 430
BT - Communication and Networking
A2 - Slezak, Dominik
A2 - Kim, Tai-hoon
A2 - Chang, Alan Chin-Chen
A2 - Vasilakos, Thanos
A2 - Li, MingChu
A2 - Sakurai, Kouichi
ER -