원문정보
초록
영어
Authentication of communicating entities and confidentiality of transmitted data are fundamental procedures to establish secure communications over public insecure networks. Recently, many researchers proposed a variety of authentication schemes to confirm legitimate users. Among the authentication schemes, a one-time password authentication scheme requires less computation and considers the limitations of mobile devices. The purpose of a one-time password authentication is to make it more difficult to gain unauthorized access to restricted resources. This paper discusses the security of Kuo-Lee's one-time password authentication scheme. Kuo-Lee proposed to solve the security problem based on Tsuji-Shimizu's one-time password authentication scheme. It was claimed that their proposed scheme could withstand a replay attack, a theft attack and a modification attack. Therefore, the attacker cannot successfully impersonate the user to log into the system. However, contrary to the claim, Kuo-Lee's scheme does not achieve its main security goal to authenticate communicating entities. We show that Kuo-Lee's scheme is still insecure under a modification attack, a replay attack and an impersonation attack, in which any attacker can violate the authentication goal of the scheme without intercepting any transmitted message. We also propose a scheme that resolves the security flaws found in Kuo-Lee's scheme.
목차
1. Introduction
2. Review of Kuo-Lee's scheme
2.1 Registration phase
2.2 Authentication phase
3. Attacks on Kuo-Lee's scheme
3.1. Modification attack and replay attack
3.2. Impersonation attack
4. Proposed scheme
4.1. Registration Phase
4.2. Authentication phase
5. Security analysis
5.1 Resistance to Modification Attack
5.2 Resistance to Replay Attack and Impersonation Attack
6. Conclusion
References