A More Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme
Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan
Computer Communications, Vol. 32, Issue 4, 4 March 2009, pp. 583-585
Outline
Introduction
Review of Das et al.'s scheme
Wang et al.'s scheme
Analysis
Introduction
Remote authentication: a mechanism for authenticating remote users over an insecure communication network.
Introduction (Lamport)
[Diagram: user and server; registration phase, then login and authentication phase]
Introduction
1981: Lamport proposed a one-time password remote authentication scheme.
2000: Hwang and Li proposed a new remote user authentication scheme using smart cards (based on ElGamal).
2004: Das et al. proposed a dynamic ID-based remote user authentication scheme (based on a one-way hash function).
2005: Liao et al. proposed an improvement of Das et al.'s scheme.
2007: Liao and Wang's scheme (verification on the smart card).
2009: Wang et al.'s scheme (a modification of Das et al.'s scheme).
Review of Das et al.'s scheme (1/3)
Registration phase
[Diagram: messages exchanged between user and server]
Review of Das et al.'s scheme (2/3)
Login and verification phase
[Diagram: messages exchanged between user and server]
Review of Das et al.'s scheme (3/3)
Password change phase
[Diagram: interaction between user and smart card]
Security flaw (1/3)
The user's authentication is independent of the password.
[Diagram: server-side verification]
Security flaw (2/3)
In the registration phase, sending PW to the user is redundant.
[Diagram: messages exchanged between user and server]
Security flaw (3/3)
Server impersonation attack.
[Diagram: messages exchanged between user and server]
Wang et al.'s scheme (1/2)
Registration phase
[Diagram: messages exchanged between user and server]
Wang et al.'s scheme (2/2)
Login and verification phase
[Diagram: messages exchanged between user and server]
Security analysis
Overcomes the flaw that user authentication is independent of the password.
Withstands the replay attack.
Withstands the server impersonation attack.
Password change: the user can change the password PW to a new password PW_new without any assistance from the remote system.
Conclusions
A remote user authentication method that removes all of the security flaws above.
Provides a more secure and efficient scheme for password authentication.
Remark (password guessing and impersonation attack)
If a valid user determines the hash of the secret value, h(x), by intercepting Ni and obtaining the value y, then he can impersonate the server or the user.
[Diagram: messages exchanged between user and server]