Cryptanalysis and Improvement of Remote User Authentication Schemes Using Strong Passwords

Master's === Fu Jen Catholic University === Department of Computer Science and Information Engineering === 93 === Authentication using passwords is a popular approach often used today to authenticate users logging in to any kind of server. Password authentication involves the requesting entity, a user, providing a secret to the receiving entity, a server, which then checks the secre...

Bibliographic Details
Main Authors: Min-Hung Chiang, 江旻紘
Other Authors: Wei-Chi Ku
Format: Others
Language: en_US
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/72920323916029131574
id ndltd-TW-093FJU00392004
record_format oai_dc
spelling ndltd-TW-093FJU00392004 2015-10-13T13:04:19Z http://ndltd.ncl.edu.tw/handle/72920323916029131574 Cryptanalysis and Improvement of Remote User Authentication Schemes Using Strong Passwords 使用強通行碼之遠端身份認證設計的分析與改進 Min-Hung Chiang 江旻紘 Master's Fu Jen Catholic University Department of Computer Science and Information Engineering 93 Authentication using passwords is a popular approach often used today to authenticate users logging in to any kind of server. Password authentication involves the requesting entity, a user, providing a secret to the receiving entity, a server, which then checks the secret against a value recorded earlier to confirm the authenticity of the user. Conventional static password authentication schemes are vulnerable to direct wiretapping attacks, and therefore are unsuitable for open network environments. To meet today’s security requirements, one-time (or dynamic) password authentication schemes have been proposed. Existing one-time password authentication schemes can be categorized into two types: one requires only weak passwords, and the other must use strong passwords. A weak password is a password with low entropy, and thus is easily guessable, while a strong password is a password with high entropy, and thus cannot be easily guessed. Up to now, many strong-password authentication schemes have been proposed, e.g. S/KEY, SAS, and the OSPA scheme. However, none is both secure and practical enough. In 2003, Lin, Shen, and Hwang proposed an improved version of OSPA using smart cards, abbreviated herein as the LSH scheme. Unfortunately, Ku, Tsai, and Chen found that the LSH scheme is still vulnerable to a denial-of-service attack and a replay attack. In July 2004, Chang and Chang proposed a token-based strong-password authentication scheme, which was claimed to be an improved version of the LSH scheme. In November 2004, Chen, Lee, and Horng proposed two SAS-like schemes based on smart cards. However, we find that Chang-Chang’s scheme and Chen-Lee-Horng’s schemes still have weaknesses.
In this thesis, we analyze the security strength of Chang-Chang’s scheme and Chen-Lee-Horng’s schemes, and then propose two improved strong-password authentication schemes that can withstand the well-known attacks. The first improved scheme, which can be viewed as an improved version of Chang-Chang’s scheme, has been proven to be secure against well-known attacks. In particular, the first improved scheme does not use smart cards, which are required in Chang-Chang’s scheme. However, as the password change cannot be easily and subtly incorporated into the first improved scheme, we propose the second improved scheme, in which the functionality of password change is included within the login phase and can be efficiently executed. Furthermore, the second improved scheme can withstand the well-known attacks as the first improved scheme does. Finally, to improve the practicability of the proposed improved schemes, we suggest that graphical strong passwords can be used as alternatives to textual strong passwords to decrease the memory burden of the user. Wei-Chi Ku 顧維祺 2005 Degree thesis ; thesis 0 en_US
collection NDLTD
sources NDLTD