Enhancing of a Password-Based Authentication Scheme Using Smart Cards*

Youngsook Lee1** and Dongho Won2***

1Department of Cyber Investigation Police, Howon University, Korea
2Department of Computer Engineering, Sungkyunkwan University, Korea

Abstract. A password-based remote user authentication scheme is a two-party protocol whereby an authentication server in a distributed system confirms the identity of a remote individual logging on to the server over an untrusted, open network. This paper discusses the security of Chen et al.’s remote user authentication scheme making use of smart cards. They have recently presented an improved version of Lin, Shen, and Hwang’s scheme. Contrary to their claims, however, if an attacker gains access to some user’s smart card and extracts the information stored in it, he/she can easily find out the user’s password. We show this by mounting a dictionary attack on the scheme. In addition, Chen et al.’s scheme does not support its main security goal of authenticating between a remote individual and the server. This is shown via a server impersonation attack on the scheme. Motivated by these security flaws, we propose a more secure remote user authentication scheme that achieves both two-factor security and mutual authentication.

Keywords: Authentication scheme, smart card, dictionary attack, impersonation attack, two-factor security

*This work was supported by Howon University in 2009.
**The first author.
***Corresponding author.

LNCS 5871, p. 879 ff.