Weaknesses and improvements of Kuo-Lee's one-time password authentication scheme

Mijin Kim, Byunghee Lee, Seungjoo Kim, Dongho Won

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution


Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.

Original language: English
Title of host publication: Communication and Networking
Subtitle of host publication: International Conference, FGCN/ACN 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009. Pro
Editors: Dominik Slezak, Tai-hoon Kim, Alan Chin-Chen Chang, Thanos Vasilakos, MingChu Li, Kouichi Sakurai
Number of pages: 10
Publication status: Published - 2009
Externally published: Yes

Publication series

Name: Communications in Computer and Information Science
ISSN (Print): 1865-0929


  • Authentication scheme
  • Impersonation attack
  • One-time password

ASJC Scopus subject areas

  • Computer Science (all)
  • Mathematics (all)

