An enhanced dynamic ID-based remote user authentication scheme

Bibliographic Details
Main Authors: Yi-xiang Hung, 洪義翔
Other Authors: Nai-wei Lo
Format: Others
Language: en_US
Published: 2009
Online Access: http://ndltd.ncl.edu.tw/handle/98904507623814201097
Description
Summary: Master's === National Taiwan University of Science and Technology === Department of Information Management === 97 === Because the client only has to maintain a simple, human-memorable password, password-based remote authentication has been extensively investigated by the research community in the field of secure communication. Nevertheless, most previously published schemes are static ID-based: the user's identity is transmitted in plaintext over an insecure network, which may expose the user's transaction behavior and personal preferences. As organizations and individuals became concerned about the disclosure of customer privacy, Das et al. [10] proposed a dynamic ID-based remote user authentication scheme in 2004 to prevent ID-theft attacks and the exposure of individual privacy. Unfortunately, several studies have pointed out that Das et al.'s mechanism is insecure against various malicious attacks, and many security-enhanced remedies have been developed to eliminate the identified security vulnerabilities. Recently, Wang et al. introduced a more efficient and robust dynamic ID-based authentication scheme [19] intended to provide both security and system efficiency, requiring only lightweight computation modules such as a one-way hash function and the bitwise exclusive-or operation. At first glance, the proposed protocol seems to be secure. However, Wang et al.'s scheme is not without its flaws. According to our analysis, Wang et al.'s scheme is vulnerable to replay attack, user impersonation attack, server counterfeit attack, man-in-the-middle attack and password guessing attack. In this article, we first introduce these security weaknesses of Wang et al.'s scheme. A modified remote authentication scheme is then developed to overcome the identified authentication flaws with better system efficiency.