Paper 2014/208

Offline Dictionary Attack on Password Authentication Schemes using Smart Cards

Ding Wang and Ping Wang

Abstract

The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals in this area, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We demonstrate that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new and realistic attacking scenario and gives rise to the strongest adversary model so far (Note that Wang's PSCAV scheme is secure within its own but weak security model). In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

Note: This is a full version of the paper that appears in the proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas, LNCS, Springer--Verlag, pp.1-16.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Major revision. Proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas.
Contact author(s)
wangdingg @ mail nankai edu cn
History
2015-11-25: last of 5 revisions
2014-03-22: received
See all versions
Short URL
https://ia.cr/2014/208
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/208,
      author = {Ding Wang and Ping Wang},
      title = {Offline Dictionary Attack on Password Authentication Schemes using Smart Cards},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/208},
      year = {2014},
      url = {https://eprint.iacr.org/2014/208}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.