• Title/Summary/Keyword: password guessing attack

Search Result 71, Processing Time 0.022 seconds

Secure Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks (비대칭 무선랜 환경을 위한 안전한 패스워드 인증 키 교환 프로토콜)

  • Yang, Hyung-Kyu
    • Journal of the Korea Society of Computer and Information
    • /
    • v.16 no.2
    • /
    • pp.173-181
    • /
    • 2011
  • User authentication and key exchange protocols are the most important cryptographic applications. For user authentication, most protocols are based on the users' secret passwords. However, protocols based on the users' secret passwords are vulnerable to the password guessing attack. In 1992, Bellovin and Merritt proposed an EKE(Encrypted Key Exchange) protocol for user authentication and key exchage that is secure against password guessing attack. After that, many enhanced and secure EKE protocols are proposed so far. In 2006, Lo pointed out that Yeh et al.'s password-based authenticated key exchange protocol has a security weakness and proposed an improved protocol. However, Cao and Lin showed that his protocol is also vulnerable to off-line password guessing attack. In this paper, we show his protocol is vulnerable to on-line password guessing attack using new attack method, and propose an improvement of password authenticated key exchange protocol for imbalanced wireless networks secure against password guessing attack.

Cryptanalysis on a Three Party Key Exchange Protocol-STPKE'

  • Tallapally, Shirisha;Padmavathy, R.
    • Journal of Information Processing Systems
    • /
    • v.6 no.1
    • /
    • pp.43-52
    • /
    • 2010
  • In the secure communication areas, three-party authenticated key exchange protocol is an important cryptographic technique. In this protocol, two clients will share a human-memorable password with a trusted server, in which two users can generate a secure session key. On the other hand the protocol should resist all types of password guessing attacks. Recently, STPKE' protocol has been proposed by Kim and Choi. An undetectable online password guessing attack on STPKE' protocol is presented in the current study. An alternative protocol to overcome undetectable online password guessing attacks is proposed. The results show that the proposed protocol can resist undetectable online password guessing attacks. Additionally, it achieves the same security level with reduced random numbers and without XOR operations. The computational efficiency is improved by $\approx$ 30% for problems of size $\approx$ 2048 bits. The proposed protocol is achieving better performance efficiency and withstands password guessing attacks. The results show that the proposed protocol is secure, efficient and practical.

Password Guessing Attack Resistant Circular Keypad for Smart Devices (패스워드 추정 공격에 강인한 스마트 기기용 순환식 키패드)

  • Tak, Dongkil;Choi, Dongmin
    • Journal of Korea Multimedia Society
    • /
    • v.19 no.8
    • /
    • pp.1395-1403
    • /
    • 2016
  • In recent years, researches of security threats reported that various types of social engineering attack were frequently observed. In this paper, we propose secure keypad scheme for mobile devices. In our scheme, every edge of keypad is linked each other, and it looks like a sphere. With this keypad, users input their password using pre-selected grid pointer. Because of circulation of the keypad layout, even though the attacker snatch the user password typing motion through the human eyes or motion capture devices, attacker do not estimate the original password. Moreover, without the information of grid pointer position, the attacker do not acquire original password. Therefore, our scheme is resistant to password guessing attack.

Security Analysis and Enhancement on Smart card-based Remote User Authentication Scheme Using Hash Function (효율적인 스마트카드 기반 원격 사용자 인증 스킴의 취약점 분석 및 개선 방안)

  • Kim, Youngil;Won, Dongho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.6
    • /
    • pp.1027-1036
    • /
    • 2014
  • In 2012, Sonwanshi et al. suggested an efficient smar card based remote user authentication scheme using hash function. In this paper, we point out that their scheme is vulnerable to offline password guessing attack, sever impersonation attack, insider attack, and replay attack and it has weakness for session key vulnerability and privacy problem. Furthermore, we propose an improved scheme which resolves security flaws and show that the scheme is more secure and efficient than others.

Cryptanalysis on Lu-Cao's Key Exchange Protocol (Lu-Cao 패스워드기반 키 교환 프로토콜의 안전성 분석)

  • Youn, Taek-Young;Cho, Sung-Min;Park, Young-Ho
    • 한국정보통신설비학회:학술대회논문집
    • /
    • 2008.08a
    • /
    • pp.163-165
    • /
    • 2008
  • Recently, Lu and Cao proposed a password-authenticated key exchange protocol in the three party setting, and the authors claimed that their protocol works within three rounds. In this paper, we analyze the protocol and show the protocol cannot work within three rounds. We also find two security flaws in the protocol. The protocol is vulnerable to an undetectable password guessing attack and an off-line password guessing attack.

  • PDF

Improvements of the Hsiang-Shih's remote user authentication scheme using the smart cards (스마트카드를 이용한 Hsiang-Shih의 원격 사용자 인증 스킴의 개선에 관한 연구)

  • An, Young-Hwa
    • Journal of the Korea Society of Computer and Information
    • /
    • v.15 no.2
    • /
    • pp.119-125
    • /
    • 2010
  • Recently Hsiang-Shih proposed the user authentication scheme to improve Yoon et al's scheme. But the proposed scheme has not been satisfied security requirements considering in the user authentication scheme using the password based smart card. In this paper, we proved that Hsiang-Shih's scheme is vulnerable to the off-line password guessing attack. In other words, the attacker can get the user's password using the off-line password guessing attack on the scheme when the attacker steals the user's smart card and extracts the information in the smart card. Also, the improved scheme based on the hash function and random number was introduced, thus preventing the attacks, such as password guessing attack, forgery attack and impersonation attack etc. And we suggested the effective mutual authentication scheme that can authenticate each other at the same time between the user and server.

Password-based Authenticated Key Agreement Protocol Secure Against Advanced Modification Attack (Advanced Modification 공격에 안전한 패스워드 기반 키 동의 프로토콜)

  • Kwak, Jin;Oh, Soo-Hyun;Yang, Hyung-Kyu;Won, Dong-Ho
    • The KIPS Transactions:PartC
    • /
    • v.11C no.3
    • /
    • pp.277-286
    • /
    • 2004
  • Password-based mechanism is widely used methods for user authentication. Password-based mechanisms are using memorable passwords(weak ferrets), therefore Password-based mechanism are vulnerable to the password guessing attack. To overcome this problem, man password-based authenticated key exchange protocols have been proposed to resist password guessing attacks. Recently, Seo-Sweeny proposed password-based Simple Authenticated Key Agreement(SAKA) protocol. In this paper, first, we will examine the SAKA and authenticated key agreement protocols, and then we will show that the proposed simple authenticated key agreement protocols are still insecure against Advanced Modification Attack. And we propose a password-based Simple Authenticated Key Agreement Protocol secure against Advanced Modification Attack.

A Novel Two-party Scheme against Off-line Password Guessing Attacks using New Theorem of Chaotic maps

  • Zhu, Hongfeng
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.11 no.12
    • /
    • pp.6188-6204
    • /
    • 2017
  • Over the years, more password-based authentication key agreement schemes using chaotic maps were susceptible to attack by off-line password guess attack. This work approaches this problem by a new method--new theorem of chaotic maps: $T_{a+b}(X)+T_{a-b}(X)=2T_a(X)T_b(X)$,(a>b). In fact, this method can be used to design two-party, three-party, even in N-party intelligently. For the sake of brevity and readability, only a two-party instance: a novel Two-party Password-Authenticated Key Agreement Protocol is proposed for resisting password guess attack in this work. Compared with the related literatures recently, our proposed scheme can be not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. For capturing improved ratio of security and efficiency intuitively, the paper firstly proposes a new parameter called security/efficiency ratio(S/E Ratio). The higher the value of the S/E Ratio, the better it is. Finally, we give the security proof and the efficiency analysis of our proposed scheme.

Vulnerability of Two Password-based Key Exchange and Authentication Protocols against Off-line Password-Guessing Attacks (두 패스워드 기반 키 교환 및 인증 프로토콜들에 대한 오프라인 패스워드 추측 공격의 취약성 분석)

  • Shim, Kyung-Ah;Lee, Hyang-Sook;Lee, Ju-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.18 no.1
    • /
    • pp.3-10
    • /
    • 2008
  • Since a number of password-based protocols are using human memorable passwords they are vulnerable to several kinds of password guessing attacks. In this paper, we show that two password-based key exchange and authentication protocols are insecure against off-line password-guessing attacks.

Secure Remote User Authentication Scheme for Password Guessing Attack (패스워드 추측공격에 안전한 원격 사용자 인증 스킴)

  • Shin, Seung-Soo;Han, Kun-Hee
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.12 no.12
    • /
    • pp.5895-5901
    • /
    • 2011
  • This paper shows that a scheme provided by An[7] is not enough to satisfy security requirements for a user certification using a password-based smart card. In order to compensate this weakness, this study provides an improved user scheme with a hash function and ElGamal signature. This new scheme has some advantages protecting password guessing attack, masquerade, and replay attack as well as providing forward secrecy. Compared to An's certification scheme, this scheme suggests that the effect of computational complexity is similar but the efficiency of safety is better.