On the security of an improved password authentication scheme based on ECC

Authors:
Ding Wang;Chun-guang Ma;Lan Shi;Yu-heng Wang
Affiliations:
College of Computer Science and Technology, Harbin Engineering University, Harbin City, Chinutomobile Management Institute of PLA, Bengbu City, China;College of Computer Science and Technology, Harbin Engineering University, Harbin City, China;College of Computer Science and Technology, Harbin Engineering University, Harbin City, China;Golisano College of Computing and Information Sciences, Rochester Institute of Technology, Rochester, NY
Venue:
ICICA'12 Proceedings of the Third international conference on Information Computing and Applications
Year:
2012

Citing 12
Cited 1

Password authentication with insecure communication

Communications of the ACM
A password authentication scheme over insecure networks

Journal of Computer and System Sciences
Information hiding, anonymity and privacy: a modular approach

Journal of Computer Security - Special issue on WITS'02
A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges

Information Sciences: an International Journal
Advanced smart card based password authentication protocol

Computer Standards & Interfaces
Two robust remote user authentication protocols using smart cards

Journal of Systems and Software
Robust authentication and key agreement scheme preserving the privacy of secret key

Computer Communications
Cryptanalysis and improvement of sood et al.'s dynamic ID-Based authentication scheme

ICDCIT'12 Proceedings of the 8th international conference on Distributed Computing and Internet Technology
A new dynamic ID-Based remote user authentication scheme with forward secrecy

APWeb'12 Proceedings of the 14th international conference on Web Technologies and Applications
Robust smart-cards-based user authentication scheme with user anonymity

Security and Communication Networks
Strong Authentication Scheme for Telecare Medicine Information Systems

Journal of Medical Systems
Cryptanalysis and security enhancement of an advanced authentication scheme using smart cards, and a key agreement scheme for two-party communication

PCCC '11 Proceedings of the 30th IEEE International Performance Computing and Communications Conference

Cryptanalysis of a remote user authentication scheme for mobile client-server environment based on ECC

Information Fusion

Quantified Score

Hi-index	0.00

Visualization

Abstract

The design of secure remote user authentication schemes for mobile applications is still an open and quite challenging problem, though many schemes have been published lately. Recently, Islam and Biswas pointed out that Lin and Hwang et al.'s password-based authentication scheme is vulnerable to various attacks, and then presented an improved scheme based on elliptic curve cryptography (ECC) to overcome the drawbacks. Based on heuristic security analysis, Islam and Biswas claimed that their scheme is secure and can withstand all related attacks. In this paper, however, we show that Islam and Biswas's scheme cannot achieve the claimed security goals and report its flaws: (1) It is vulnerable to offline password guessing attack, stolen verifier attack and denial of service (DoS) attack; (2) It fails to preserve user anonymity. The cryptanalysis demonstrates that the scheme under study is unfit for practical use.