Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection Kapitel lesen Erstes Kapitel lesen

2015 | OriginalPaper | Buchkapitel

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

verfasst von : Ding Wang, Ping Wang

Erschienen in: Information Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu’s scheme and Wang’s PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim’s password when getting temporary access to the victim’s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang’s original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Merging the Camellia, SMS4 and AES S-Boxes in a Single S-Box with Composite Bases
Nächstes Kapitel Self-blindable Credential: Towards Anonymous Entity Authentication Upon Resource Constrained Devices
Fußnoten
1
Note that the terms “protocol” and “scheme” will be used interchangeably thereafter.
 
2
Hereafter, we use “USB sticks” and “common memory devices" interchangeably. In this work, we do not consider hybrid devices like Trust Extension Devices [1].
 
3
This ambiguity and our suggested remedy have been confirmed by the author of [54], and he earns our deep respect for his frankly and quickly acknowledgement.
 
Literatur
1.
Asokan, N., Ekberg, J.-E., Kostiainen, K.: The untapped potential of trusted execution environments on mobile devices. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 293–294. Springer, Heidelberg (2013) CrossRef
2.
Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)CrossRef
3.
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of IEEE S&P 1992, pp. 72–84. IEEE (1992)
4.
Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of ACM CCS 2012, pp. 833–844. ACM (2012)
5.
Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of IEEE S&P 2012, pp. 538–552. IEEE Computer Society (2012)
6.
Boyd, C., Montague, P., Nguyen, K.: Elliptic curve based password authenticated key exchange protocols. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, p. 487. Springer, Heidelberg (2001) CrossRef
7.
Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004) CrossRef
8.
Burr, W., Dodson, D., Perlner, R., Polk, W., Gupta, S., Nabbus, E.: NIST Special Publication 800–63-1: Electronic Authentication Guideline. National Institute of Standards and Technology, Gaithersburg (2011) CrossRef
9.
Chang, C.C., Wu, T.C.: Remote password authentication with smart cards. IEE Proc. Comput. Digital Tech. 138(3), 165–168 (1991)CrossRef
10.
Chen, B.L., Kuo, W.C., Wuu, L.C.: A secure password-based remote user authentication scheme without smart cards. Inf. Technol. Control 41(1), 53–59 (2012)
11.
Chen, B.L., Kuo, W.C., Wuu, L.C.: Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2), 377–389 (2014)CrossRef
12.
Chen, T.H., Hsiang, H.C., Shih, W.K.: Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Gener. Comput. Syst. 27(4), 377–380 (2011)MATHCrossRef
13.
14.
Das, M.L.: Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8(3), 1086–1090 (2009)CrossRef
15.
Das, M., Saxena, A., Gulati, V.: A dynamic id-based remote user authentication scheme. IEEE Trans. Consum. Electron. 50(2), 629–631 (2004)CrossRef
16.
17.
Degabriele, J.P., Paterson, K., Watson, G.: Provable security in the real world. IEEE Secur. Priv. 9(3), 33–41 (2011)CrossRef
18.
Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of INFOCOM 2010, pp. 1–9. IEEE (2010)
19.
Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: Proceedings IEEE S&P 2008, pp. 281–295. IEEE (2008)
20.
Fan, C., Chan, Y., Zhang, Z.: Robust remote authentication scheme with smart cards. Comput. Secur. 24(8), 619–628 (2005)CrossRef
21.
22.
Hao, F.: On robust key agreement based on public key authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 383–390. Springer, Heidelberg (2010) CrossRef
23.
He, D., Ma, M., Zhang, Y., Chen, C., Bu, J.: A strong user authentication scheme with smart cards for wireless communications. Comput. Commun. 34(3), 367–374 (2011)CrossRef
24.
Hsiang, H., Shih, W.: Weaknesses and improvements of the yoon-ryu-yoo remote user authentication scheme using smart cards. Comput. Commun. 32(4), 649–652 (2009)CrossRef
25.
Hsieh, W., Leu, J.: Exploiting hash functions to intensify the remote user authentication scheme. Comput. Secur. 31(6), 791–798 (2012)CrossRef
26.
Juang, W.S., Chen, S.T., Liaw, H.T.: Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Industr. Electron. 55(6), 2551–2556 (2008)CrossRef
27.
Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1), 1–41 (2009)MathSciNetCrossRef
28.
Khan, M., Kim, S.: Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme. Comput. Commun. 34(3), 305–309 (2011)CrossRef
29.
Kim, T.H., Kim, C., Park, I.: Side channel analysis attacks using am demodulation on commercial smart cards with seed. J. Syst. Soft. 85(12), 2899–2908 (2012)CrossRef
30.
Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) CrossRef
31.
Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 57(2), 793–800 (2010)CrossRef
32.
Long, J.: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Syngress, Burlington (2011)
33.
Ma, C.G., Wang, D., Zhao, S.: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. 27(10), 2215–2227 (2014)CrossRef
34.
Madhusudhan, R., Mittal, R.: Dynamic id-based remote user password authentication schemes using smart cards: a review. J. Netw. Comput. Appl. 35(4), 1235–1248 (2012)CrossRef
35.
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007)
36.
37.
Menezes, A.: Another look at provable security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 8–8. Springer, Heidelberg (2012) CrossRef
38.
Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)MathSciNetCrossRef
39.
Moradi, A., Barenghi, A., Kasper, T., Paar, C.: On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs. In: Proceedings of ACM CCS 2011, pp. 111–124. ACM (2011)
40.
Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and pin is broken. In: Proceedings of IEEE Security & Privacy 2010, pp. 433–446. IEEE Computer Society (2010)
41.
Naccache, D.: National security, forensics and mobile communications. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 1–1. Springer, Heidelberg (2006) CrossRef
42.
Nohl, K., Evans, D., Starbug, S., Plötz, H.: Reverse-engineering a cryptographic rfid tag. In: Proceedings of USENIX Security 2008, pp. 185–193. USENIX Association (2008)
43.
Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012) CrossRef
44.
Rhee, H.S., Kwon, J.O., Lee, D.H.: A remote user authentication scheme without using smart cards. Comput. Stan. Interfaces 31(1), 6–13 (2009)CrossRef
45.
46.
47.
48.
Son, K., Han, D., Won, D.: A privacy-protecting authentication scheme for roaming services with smart cards. IEICE Trans. Commun. 95(5), 1819–1821 (2012)CrossRef
49.
Song, R.: Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 32(5), 321–325 (2010)CrossRef
50.
Sun, D.Z., Huai, J.P., Sun, J.Z.: Improvements of juang et al’.s password-authenticated key agreement scheme using smart cards. IEEE Trans. Industr. Electron. 56(6), 2284–2291 (2009)CrossRef
51.
Wang, D., Ma, C., Wu, P.: Secure password-based remote user authentication scheme with non-tamper resistant smart cards. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 114–121. Springer, Heidelberg (2012) CrossRef
52.
53.
Wang, Y., Liu, J., Xiao, F., Dan, J.: A more efficient and secure dynamic id-based remote user authentication scheme. Comput. Commun. 32(4), 583–585 (2009)CrossRef
54.
Wang, Y.: Password protected smart card and memory stick authentication against off-line dictionary attacks. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 489–500. Springer, Heidelberg (2012) CrossRef
55.
Wu, S.H., Zhu, Y.F., Pu, Q.: Robust smart-cards-based user authentication scheme with user anonymity. Secur. Commun. Netw. 5(2), 236–248 (2012)CrossRef
56.
Wu, T.: A real-world analysis of kerberos password security. In: Proceedings of NDSS 1999, pp. 13–22. Internet Society (1999)
57.
Xu, J., Zhu, W., Feng, D.: An improved smart card based password authentication scheme with provable security. Comput. Stand. Inter. 31(4), 723–728 (2009)CrossRef
58.
Xue, K., Hong, P., Ma, C.: A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci, 80(1), 195–206 (2014)MATHMathSciNetCrossRef
59.
Yang, G., Wong, D., Wang, H., Deng, X.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)MATHMathSciNetCrossRef
60.
Zhao, Z., Dong, Z., Wang, Y.G.: Security analysis of a password-based authentication protocol proposed to IEEE 1363. Theoret. Comput. Sci. 352(1), 280–287 (2006)MATHMathSciNetCrossRef
61.
Metadaten
Titel
Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards
verfasst von
Ding Wang
Ping Wang
Copyright-Jahr
2015
Buch
Information Security

Print ISBN: 978-3-319-27658-8

Electronic ISBN: 978-3-319-27659-5

Copyright-Jahr: 2015

DOI
https://doi.org/10.1007/978-3-319-27659-5_16