Paper 2014/208
Offline Dictionary Attack on Password Authentication Schemes using Smart Cards
Ding Wang and Ping Wang
Abstract
The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals in this area, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We demonstrate that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new and realistic attacking scenario and gives rise to the strongest adversary model so far (Note that Wang's PSCAV scheme is secure within its own but weak security model). In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.
Note: This is a full version of the paper that appears in the proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas, LNCS, Springer--Verlag, pp.1-16.
Metadata
- Available format(s)
- Publication info
- Published elsewhere. Major revision. Proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas.
- Contact author(s)
- wangdingg @ mail nankai edu cn
- History
- 2015-11-25: last of 5 revisions
- 2014-03-22: received
- See all versions
- Short URL
- https://ia.cr/2014/208
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2014/208, author = {Ding Wang and Ping Wang}, title = {Offline Dictionary Attack on Password Authentication Schemes using Smart Cards}, howpublished = {Cryptology {ePrint} Archive, Paper 2014/208}, year = {2014}, url = {https://eprint.iacr.org/2014/208} }