Paper 2012/190

On the Security of an Improved Password Authentication Scheme Based on ECC

Ding Wang and Chun-guang Ma

Abstract

The design of secure remote user authentication schemes for mobile applications is still an open and quite challenging problem, though many schemes have been published lately. Recently, Islam and Biswas pointed out that Lin and Hwang et al.'s password-based authentication scheme is vulnerable to various attacks, and then presented an improved scheme based on elliptic curve cryptography (ECC) to overcome the drawbacks. Based on heuristic security analysis, Islam and Biswas claimed that their scheme is secure and can withstand all related attacks. In this paper, however, we show that Islam and Biswas's scheme cannot achieve the claimed security goals and report its flaws: (1) it is vulnerable to an offline password guessing attack, a stolen verifier attack and a denial of service (DoS) attack; (2) it fails to preserve user anonymity. The cryptanalysis demonstrates that the scheme under study is unfit for practical use.


Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. The work submitted in the manuscript is original and has not been published elsewhere.
Keywords
Authentication protocol, Smart card, Cryptanalysis, User anonymity, Elliptic curve cryptography
Contact author(s)
wangdingg @ mail nankai edu cn
History
2012-08-10: last of 3 revisions
2012-04-13: received
Short URL
https://ia.cr/2012/190
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/190,
      author = {Ding Wang and Chun-guang Ma},
      title = {On the Security of an Improved Password Authentication Scheme Based on {ECC}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2012/190},
      year = {2012},
      url = {https://eprint.iacr.org/2012/190}
}