Cryptology ePrint Archive: Report 2014/208

Offline Dictionary Attack on Password Authentication Schemes using Smart Cards

Ding Wang and Ping Wang

Abstract: The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals in this area, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We demonstrate that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new and realistic attacking scenario and gives rise to the strongest adversary model so far (Note that Wang's PSCAV scheme is secure within its own but weak security model). In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

Category / Keywords:

Original Publication (with major differences): Proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas.

Date: received 21 Mar 2014, last revised 24 Nov 2015

Contact author: wangdingg at mail nankai edu cn

Available format(s): PDF | BibTeX Citation

Note: This is a full version of the paper that appears in the proceedings of the 16th Information Security Conference (ISC 2013), November 13-15, 2013, Dallas, Texas, LNCS, Springer--Verlag, pp.1-16.

Version: 20151125:014823 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]