Security Analysis of a Remote User Authentication Scheme Using Euclidean Plane for Multi-Server Architecture

全文

(1)Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. Security Analysis of a Remote User Authentication Scheme Using Euclidean Plane for Multi-Server Architecture Wei-Chi Ku Department of Computer Science and Information Engineering Fu Jen Catholic University Email: wcku@csie.fju.edu.tw Shen-Tien Chang Department of Computer Science and Information Engineering Fu Jen Catholic University Email: figo@wcku1.csie.fju.edu.tw Min-Hung Chiang Department of Computer Science and Information Engineering Fu Jen Catholic University Email: grievous@wcku1.csie.fju.edu.tw Abstract-Recently, Lin, Hwang, and Li proposed an efficient user authentication scheme using smart cards for multi-server architecture based on the geometric property of the Euclidean plane. However, we find that their scheme is vulnerable to two forgery attacks and a password-guessing attack, and is not reparable. Herein, we first review Lin-Hwang-Li ’ s scheme, and then describe its weaknesses. Keywords: Euclidean plane, forgery attack, multiserver architecture, password authentication, smart card.. 1. Introduction One of the common features of conventional remote user password authentication schemes is that a verification table, which contains the verifiers of use r s ’pa s s wor ds ,s h ou l dbes e c u r e l yma i n t a i n e di nt h e server. If the verification table is stolen or modified by the adversary, the system will be breached. In 1990, Hwang, Chen, and Laih [1] initially proposed a non-interactive password authentication scheme that does not require storing verifiers in the server. However, the authors themselves showed that this scheme is vulnerable to a replay attack, and then described an enhanced version, which additionally uses smart cards. Unfortunately, Hwang-Chen-La i h ’ se n h a n c e d scheme still has several drawbacks and weaknesses. Since then, many verifier-free password authentication schemes using smart cards have been proposed, and each has its pros and cons. In 1991, Chang and Wu [2] also proposed a verifier-free password authentication scheme using smart cards based on the Chinese remainder theorem (CRT). However, ChangWu ’ ss c h e mei sv u l n e r a bl et oaf or g e r ya t t a c k[ 3] .I n 1995, Wu [5] proposed a verifier-free password au-. 1 109. thentication scheme using smart cards based on the geometric property of the Euclidean plane. The merits of his scheme are its simplicity of geometry and the property that users can freely choose passwords. Unfortun a t e l y ,Wu ’ ss c h e mehas been found to be flawed as indicated in [7], [13]. In 1996, Wang and Chang [6] proposed a verifier-free password authentication scheme using smart cards based on the difficulties of factoring a large number and discrete logarithm problem. In their scheme, users can also freely choose passwords. However, Wang-Ch a n g ’ ss c h e me was found to be vulnerable to a replay attack and a forgery attack [8], [12]. In 1999, Yang and Shieh [8] proposed two verifier-free password authentication schemes using smart cards, one uses timestamps and the other uses nonces. In their schemes, users can freely choose passwords. However, their nonce-based scheme is inefficient while their timestamp-based scheme was found to be vulnerable to several forgery attacks [18], [19], [21]. Later, Fan, Li, and Zhu [18] proposed an improved version of Yang-Sh i e h ’ st i mestamp-based scheme. Unfortunately, Fan-Li-Zh u ’ s scheme was found to be vulnerable to two forgery attacks [23], [26]. In 2000, Hwang and Li [9] proposed a verifierfree password authentication scheme using smart c a r dsba s e dont h eEl Ga ma l ’ spu bl i c -key technique. However, Hwang-Li ’ ss c h e medoe sn ota l l ow u s e r s freely choosing and changing their passwords. Furthermore, Hwang-Li ’ ss c h e mewa sf ou n dt obev u lnerable to various forgery attacks [10], [22], [27], [28]. To solve the security problems of Hwang-Li ’ s scheme, Shen, Lin, and Hwang [22] proposed a modified scheme. However, since the user ’ spa s sword is a pseudo-random number, the user can not easily remember it. Additionally, Shen-Lin-Hwa n g ’ s scheme was found to be vulnerable to a forgery at-.

(2) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan. tack [25]. In 2003, Awasthi and Lal [24] proposed a verifier-free password authentication scheme using smart cards, and claimed that their scheme can achieve forward secrecy. In Awasthi-La l ’ ss c h e me , users can not freely choose and change passwords. In addition, Awasthi-La l ’ ss c h e mewa sf ou n dt obepotentially vulnerable to a forgery attack [30]. To avoid using high-complexity operations such as modular exponentiation, Sun [11] proposed an efficient verifier-free password authentication scheme using smart cards based on cryptographic hash functions. The major drawba c k s of Su n ’ s scheme are that the password is not easily memorable and users can not freely choose and change passwords. In 2002, Lee, Hwang, and Yang [16] also proposed a hash-based verifier-free password authentication scheme using smart cards as an improved v e r s i onofSu n ’ ss c h e mei nt h a tu sers are allowed to freely choose and change passwords. However, LeeHwang-Ya n g ’ ss c h e mei spot e n t i a l l yv u l n e r a bl et oa n insider attack and is not reparable [4]. Same security problems can also be found in the similar scheme proposed by Hwang, Lee, and Tang [15]. In 2002, Ch i e n ,J a n ,a n d Ts e n g[ 17]c r i t i c i z e dt h a tSu n ’ s scheme only achieves unilateral user authentication, and then proposed a hash-based verifier-free password authentication scheme using smart cards that can achieve mutual user authentication. In addition, users can freely choose and change passwords. Unfortunately, Ku and Chen [29] found that Chien-JanTs e n g ’ ss c h e mei sv u l n e r a bl et oar e f l e c t i ona t t a c k , a ni n s i de ra t t a c k ,a n di sn otr e pa r a bl eon c eau s e r ’ s permanent secret is compromised, and then proposed an improved scheme with better security. All previously mentioned schemes are designed for the single-server architecture. If there are multiple servers to access, the user has to register with each server individually and possibly should remember different identities and passwords for accessing different servers. In 2001, Li, Lin, and Hwang [14] described a verifier-free password authentication scheme for the multi-server architecture by using neural networks. The user does not need to individually register with each server. However, Li-LinHwang’ s scheme is inefficient because it spends too much time training neural networks. Later, Lin, Hwang, and Li [20] described an efficient verifierfree password authentication scheme using smart cards for the multi-server architecture based on the geometric property of the Euclidean plane. Their scheme allows users freely choosing and changing passwords. The service period for accessing each server can be assigned to each user independently, and the ElGama l ’ sdi g i t a ls i g n a t u r et e c h n i qu ei se mployed to prevent the user from illegally extending the service period. Additionally, Lin-Hwang-Li ’ s scheme was claimed to be resistant to the replay attack, the forgery attack, the guessing attack, and the modification attack. Unfortunately, we find that Lin-. 2 110. Hwang-Li ’ ss c h e mei sv u l n e r a bl et ot wof or g e r ya ttacks and a password-guessing attack, and is not reparable. In this paper, we will describe the weaknesses of Lin-Hwang-Li ’ ss c h e me .. 2. Review of Lin-Hwang-Li’ s Scheme Forr e a de r ’ sc on v e n i e n c e ,wef i r s tr e v i e w Li n Hwang-Li ’ ss c h e me[ 20]before demonstrating its weaknesses. In the multi-server architecture of LinHwang-Li ’ ss c h e me ,t h e r ea r et h r e ek i n dsofpa r t i c ipants: the login users, m servers, and a central manager (CM), where CM is assumed to be trusted and is responsible for setting up several public/secret parameters and publishing some system information. The user only has to register with CM once and then can obtain the services from a set of servers. That is, the user does not need to individually register with each server. The notations used throughout this paper can be summarized as follows: U denotes the user. ID denotes the identity of U. PW denotes the password of U. Sm denotes the set of all m servers. Seri denotes the server with identity i. p denotes a large prime. g denotes a primitive element of GF(p). ei denotes Seri’ s public key. di denotes Seri’ s private key. SPi denotes the service period, which contains ID and the expiration time, for accessing Seri assigned to U. Lin-Hwang-Li ’ ss c h e mei n v ol v e st h ei n i t i a l i z a t i on phase, the registration phase, the login phase, the authentication phase, and the password change phase, which can be described as in the following.. Initialization Phase This phase is invoked for the initialization of the whole system. Step I1. CM selects a large prime p and a primitive element of GF(p), say g. Step I2. For each server Seri ∈ Sm, CM selects the private key di and computes the corresponding public key ei as follows: d. ei = g i mod (p−1) Then, CM delivers (ei, di) to Seri through a secure channel..

(3) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan. Step L1. U inserts his smart card into the smart card reader of a terminal, and then enters ID and PW.. Registration Phase This phase is invoked when U requests to register with CM. Assume that U is granted registration by a set of n servers Sn, where Sn ⊆ Sm.. Step L2. U’ ssmart card generates a secret random number Rani, and computes Ai and Bi: Ran Ai = g i mod p. Step R1. U chooses his own identity ID and password PW, and then delivers ID and PW to CM through a secure channel.. Ran T. Bi = ei i mod p where T denotes the current timestamp.. Step R2. For each Seri ∈ Sn, CM computes the following items: e. Step L3. U’ ssmart card uses the stored Ki to compute Qi based on the stored LS. Next, U’ ssmart card computes Di = eiID mod p and Wi = eiPW mod p, and then uses (Ki, Qi) and (Di, Wi) to reconstruct Li.. Xi = ID i mod p Yi = IDdi mod p Di = eiID mod p Wi = eiPW mod p (Xi, Yi) and (Di, Wi) are two points for U with respect to Seri on the Euclidean plane. Step R3. With respect to Seri, CM constructs a line Li passing through (Xi, Yi) and (Di, Wi), i.e., Li: Y = f(X) = aX + b mod p, where a = (Wi −Yi)∕(Di −Xi) mod p and b = Yi −Xi ((Wi −Yi)∕(Di −Xi)) mod p. Step R4. CM chooses a line LS: Y = g(X) = a′ X + b' mod p, where a′and b' are randomly selected in GF(p). With respect to Seri, CM computes the intersection point (Ki, Qi) of lines Li and LS. Step R5. With respect to Seri, CM chooses a random number ki that is relatively prime to p−1, and then computes ri = k g i mod p. In addition, CM assigns the service period SPi for accessing Seri to U. By using the extended Euclidean algorithm, the following equation can be solved for si:. Step L4. U’ ssmart card uses Bi to compute Zi based on Li, and then outputs (Ki, Qi), Zi, Ai, T, SPi, and (ri, si). Step L5. U sends {ID, (Ki, Qi), Zi, Ai, T, SPi, (ri, si)} to Seri through a common channel.. Authentication Phase This phase is invoked whenever Seri (∈ Sn) receives U’ sl og i nr e qu e s t .Le tT' denote the time Seri receives U’ slogin request. Step A1. If the difference between T' and T is greater than the acceptable legal time interval for the transmission delay and the inconsistency of clocks, Seri rejects U’ slogin request. Step A2. If the format of ID is incorrect, Seri rejects U’ slogin request. Step A3. If either service period SPi is invalid r s SP or the equation ei i × ri i ≡ g i mod p does not hold, Seri rejects U’ s login request.. SPi = (di × ri + ki × si) mod (p−1) Then, the signature of service period SPi with respect to Seri is (ri, si).. Step A4. Seri computes Bi: Bi = Aidi T mod p. Step R6. CM delivers a smart card containing. = (gRani)di T mod p. {SPi, (ri, si), Ki, LS}. = (gdi)Rani T mod p. for all i such that Seri ∈ Sn to U through a secure channel.. = eiRani T mod p Based on (Ki, Qi) and (Bi, Zi), Seri reconstructs Li.. Login Phase This phase is invoked whenever U requests to login Seri (∈ Sn).. Step A5. Seri uses ID, ei, and di to compute (Xi, Yi). If (Xi, Yi) is on Li, Seri accepts U’ slogin request. Otherwise, Seri rejects U’ slogin request.. 3 111.

(4) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan. phase, Ua enters IDa and PWa into his smart card which will then output Ki,a and Qi,a. In addition, Ua ID PW can compute Di,a = ei a mod p and Wi,a = ei a mod p, and then construct the line Li,a passing through (Ki,a, Qi,a) and (Di,a, Wi,a). Based on Li,a, Ua can use e Xi,a (= IDa i mod p) to compute Yi,a. If (IDa × IDa) mod p equals the identity of any legal user, say Ub, i.e., IDb = (IDa × IDa) mod p, Ua can compute Xi,b and Yi,b as in the following: Xi,b = IDbei mod p. Password Change Phase This phase is invoked whenever U requests to change his password with respect to Seri for all i such that Seri ∈ Sn. Step C1. U inserts his smart card into the smart card reader of a terminal, and then enters ID, PW, and his new password PW(new). Step C2. U’ ssmart card uses Ki to compute Qi based on LS, computes Di = eiID mod p and Wi = eiPW mod p, and then reconstructs Li based on (Ki, Qi) and (Di, Wi).. Yi,b = IDbdi mod p = (IDa2)di mod p = (IDadi)2 mod p = Yi,a2 mod p Since Ua can intercept the Ki,b and Qi,b previously sent from Ub, he can construct the line Li,b passing through (Xi,b, Yi,b) and (Ki,b, Qi,b). Consequently, Ua can successfully use Li,b to impersonate Ub to login the remote server Seri. Similarly, Ua can compute Lj,b, for all j such that Serj ∈ Sn, to impersonate Ub to login the remote server Serj. However, if (IDa × IDa) mod p does not equal the identity of any legal user, we can further extend our attack by checking whether r IDa mod p, where r is an integer within the interval [3, p−1], equals the identity of a legal user [27]. Alternatively, two legal users, say Ua and Uc can conspire to check whether (IDa × IDc) mod p equals any l e g a lu s e r ’ si de n t i t y .I fIDb = (IDa × IDc) mod p, Ua and Uc can cooperate to perform the following computations:. ei. Step C3. U’ ssmart card computes Xi = ID mod p and Yi = f(Xi), and then computes Di = eiID mod p and Wi(new) = PW ei (new) mod p. Step C4. U’ ssmart card constructs the new line Li(new) based on (Di, Wi(new)) and (Xi, Yi), and then computes the intersection point (Ki(new), Qi(new)) of Li(new) and LS. Step C5. U’ ssmart card updates Ki with Ki(new). Note that U can simultaneously login multiple servers belonging to Sn in the login and authentication phase, and U’ spassword is changed off-line in the password change phase.. e. Xi,b = IDb i mod p d. d. Yi,b = IDb i mod p = (IDa × IDc) i mod p. 3. Weaknesses of Lin-Hwang-Li’ s Scheme. d. d. = (IDa i × IDc i) mod p = Yi,a × Yi,c mod p. Now, we will show that Lin-Hwang-Li ’ ss c h e me is vulnerable to two forgery attacks, the unspecified forgery attack and the specified forgery attack. The former one is similar to Chan-Ch e n g ’ sa t t a c k[ 10] , Chang-Hwa n g ’ sa t t a c k[ 27] ,a n dLe u n g -Cheng-FongCh a n ’ sa t t a c k[ 25]wh i l et h el a t t e ron ei ss i mi l a rt o Shen-Lin-Hwa n g ’ sa t t a c k[ 22]a n dYe h -Sun-Hs i e h ’ s attack [28]. Additionally, we will also demonstrate that Lin-Hwang-Li ’ ss c h e mei sv u l n e r a bl et oapa s sword-guessing attack and is not reparable [4].. Then, Ua and Uc can construct Li,b, for all i such that Seri ∈ Sn, based on the computed (Xi,b, Yi,b) and the intercepted (Ki,b, Qi,b). That is, Ua and Uc can use Li,b to impersonate Ub to login the remote server Seri, for all i such that Seri ∈ Sn. Note that the difficulty of the above described unspecified forgery attack to succeed depends on the redundancy contained in the identity format [27] and the number of legal users. Specified Forgery Attack Suppose that the attack target of the adversary is the specific valid user Ub. The adversary can try to r find IDa with valid format such that IDa = IDb mod p, where r is an integer within the interval [2, p−1]. If the adversary succeeds in finding such an IDa, he can select PWa, and then register IDa and PWa to CM as ID Ua. Clearly, the adversary can compute Di,a = ei a PWa mod p and Wi,a = ei mod p. In addition, the adversary can obtain the (Ki,a, Qi,a) sent out from his smart card during the login phase. Hence, the adversary can reconstruct the line Li,a passing through (Di,a, Wi,a). 3.1. Forgery Attacks The unspecified forgery attack and the specified forgery attack that can be mounted on Lin-HwangLi ’ ss c h e mea r ede s c r i be da si nt h ef ol l owi n g . Unspecified Forgery Attack Suppose that the adversary is also a legal user, say Ua with identity IDa and password PWa. In the login. 4 112.

(5) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan. e. any of the previously described two forgery attacks succeeds, Ua can always impersonate Ub to login Seri ∈ Sn no matter Ub has changed his password or not. Recall that the values of Xi,b and Yi,b are determined only by Ub’ si de n t i t yIDb and Seri’ spe r ma n e n tk e y pair (ei, di). Therefore, CM can not change (Xi,b, Yi,b) for Ub unless either IDb or (ei, di) can be changed. However, since (ei, di) is commonly used for all users rather than specifically used for only Ub, it is unreasonable and inefficient that (ei, di) should be changed to recover the security for Ub only. Additionally, it is also impractical to change IDb, which should be tied to Ub uniquely in most application systems. Therefore, Lin-Hwang-Li ’ ss c h e me is not reparable [4].. and (Ki,a, Qi,a). After computing Xi,a = IDa i mod p, the adversary can use Xi,a to compute Yi,a based on Li,a. Next, the adversary can compute Xi,b and Yi,b as in the following: e. Xi,b = IDb i mod p d. −r d. Yi,b = IDb i mod p = (IDa ) i mod p d −r. −r. = (IDa i) mod p = Yi,a mod p Since the adversary can intercept the Ki,b and Qi,b previously sent from Ub, he can construct the line Li,b passing through (Xi,b, Yi,b) and (Ki,b, Qi,b). Then, the adversary can successfully use Li,b to impersonate the specific user Ub to login the remote server Seri. Similarly, the adversary can compute Lj,b, for all j such that Serj ∈ Sn, to impersonate the specific user Ub to login the remote server Serj. Note that the difficulty of the above described specified forgery attack to succeed is not closely related to the number of legal users.. 4. Conclusion Lin-Hwang-Li ’ sv e r i f i e r -free password authentication scheme using smart cards is interesting and novel in that it is specifically designed for the multiserver architecture based on the geometric property of the Euclidean plane. Lin-Hwang-Li ’ ss c h e mewa s claimed to be resistant to the replay attack, the forgery attack, the modification attack, and the guessing a t t a c k .Addi t i on a l l y ,t h eEl Ga ma l ’ sdi g i t a ls i g n a t u r e technique is used to prevent the user from illegally modifying the service period. In this paper, we have demonstrated that Lin-Hwang-Li ’ ss c h e me i ss t i l l vulnerable to two forgery attacks and a passwordguessing attack, and is not reparable.. 3.2. Password-Guessing Attack If any of the above described two forgery attacks succeeds, the adversary Ua can also perform a password-guessing attack as follows. Since Ua can conID struct Li,b and compute Di,b = ei b mod p, he can use Di,b to compute Wi,b based on Li,b. Next, Ua guesses a PW ' candidate password PWb' and computes ei b mod p. If the computed result equals Wi,b, Ua has correctly guessed PWb' = PWb. Otherwise, Ua tries another candidate password. If Ub also uses PWb to access the servers outside this system for his convenience, it is likely that Ua can impersonate Ub to access these servers [29].. Acknowledgment This work was partly supported by the National Science Council, R.O.C., under Grant NSC-932213-E-030-017.. 3.3. Poor Reparability In real application environments, it is impractical to assume that the secrets will never be compromised. Suppose that the adversary Ua has learned Ub’ s password PWb, possibly by the above described password-guessing attack or some other means, and intercepted (Ki,b, Qi,b) for any Seri ∈ Sn. Knowing PWb, Ua can compute (Di,b, Wi,b) and construct Li,b based on (Di,b, Wi,b) and (Ki,b, Qi,b), and then use Li,b to impersonate Ub to login Seri. Next, we will show that such a fraud can not be prohibited even if Ub has detected that PWb has been compromised and replaced it with a new one, say PWb(new), by invoking the password change phase. Clearly, Ua can compute e Xi,b = IDb i mod p, and then use Xi,b to compute Yi,b based on Li,b. Since Xi,b and Yi,b are irrelevant to Ub’ s password, their values will remain unchanged after completing the password change phase. Then, Ua still can use (Xi,b, Yi,b) and (Ki(new), Qi(new)), which can be obtained by interception, to construct Li,b(new). Henceforth, Ua can use Li,b(new) to impersonate Ub to login any remote server Seri ∈ Sn. On the other hand, if. 5 113. References [1] T.Hwa ng ,Y.Che n,a ndC.S.La i h,“ Non-interactive pa s s wor da ut he nt i c a t i onswi t houtpa s s wor dt a bl e s , ” IEEE Region 10 Conference on Computer and Communication Systems, Hong Kong, pp. 429-431, Sept. 1990. [2] C.C.Cha nga ndT.C.Wu,“ Re mot epa s s wor da ut he nt i c a t i onwi t hs ma r tc a r ds , ”IEE Proceedings-E, vol. 138, no. 3, pp. 165-168, May 1991. [3] C.C.Cha nga ndC.S.La i h,“ Cor r e s ponde nc e :Re mot e pa s s wor da ut he nt i c a t i onwi t hs ma r tc a r ds , ”IEE Proceedings-E, vol. 139, no. 4, pp. 372, July 1992. [4] T.Hwa nga ndW.C.Ku,“ Re pa r a bl ek e ydi s t r i but i on pr ot oc ol sf orI nt e r ne te nv i r onme nt s , ”IEEE Transactions on Communications, vol. 43, no. 5, pp. 19471949, May 1995. [5] T.C.Wu,“ Re mot el og i na ut he nt i c a t i ons c heme based onag e ome t r i ca ppr oa c h, ”Computer Communications, vol. 18, no. 12, pp. 959-963, Dec. 1995. [6] S.J .Wa nga ndJ .F.Cha ng ,“ Sma r tc a r dba s e ds e c ur e pa s s wor da ut he nt i c a t i ons c he me , ”Computers & Security, vol. 15, no. 3, pp. 231-237, 1996. [7] M. S. Hwang ,“ Cr y pt a na l y s i sofa remote login authent i c a t i ons c he me , ”Computer Communications, vol. 22,.

(6) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan. no. 8, pp. 742-744, 1999. [8] W.H.Ya nga ndS.P.Shi e h,“ Pa s s wor dauthentication schemes with smart ca r ds , ”Computers & Security, vol. 18, no. 8, pp. 727-733, 1999. [9] M.S.Hwa nga ndL.H.Li ,“ A ne wr e mot eus e ra ut he nt i c a t i ons c he meus i ngs ma r tc a r d, ”IEEE Transactions on Consumer Electronics, vol. 46, no. 1, pp. 2830, Feb. 2000. [10] C.K.Cha na ndL.M.Che ng ,“ Cr y pt a na l y s i sofar emote user authentication scheme using s ma r tc a r ds , ” IEEE Transactions on Consumer Electronics, vol. 46, no. 4, pp. 992-993, Nov. 2000. [11] H.M.Sun,“ Ane f f i c i e ntr e mot eus e ra ut he nt i c a t i on s c he me us i ng s ma r tc a r ds , ” IEEE Transactions on Consumer Electronics, vol. 46, no. 4, pp. 958-961, Nov. 2000. [12] C.K.Cha na ndL.M.Che ng ,“ Re ma r k sonWa ng Chang's password aut he nt i c a t i ons c he me , ”Electronics Letters, vol. 37, no. 1, pp. 22-23, Jan. 2001. [13] H. Y. Chien, J. K. Jan, a ndY.M.Ts e ng ,“ Amodi f i e d remote login authentication scheme based on geometric appr oa c h, ”The Journal of Systems and Software, vol. 55, no. 3, pp. 287-290, Jan. 2001. [14] L. H. Li, I. C. Lin, and M. S. Hwang,“ A remote password authentication scheme for multiserver architecture using neural networks, ”IEEE Transactions on Neural Networks, vol. 12, no. 6, pp. 1498-1504, Nov. 2001. [15] M.S.Hwa ng ,C.C.Le e ,a ndY.L.Ta ng ,“ As i mpl e remote user authent i c a t i ons c he me , ”Mathematical and Computer Modelling, vol. 36, no. 1-2, pp. 103-107, July 2002. [16] C.C.Le e ,M.S.Hwa ng ,a ndW.P.Ya ng ,“ Af l e x i ble remote user aut he nt i c a t i ons c he meus i ngs ma r tc a r ds , ” ACM Operating Systems Review, vol. 36, no. 3, pp. 46-52, July 2002. [17] H. Y. Chien, J. K. Jan, a ndY.M.Ts e ng ,“ Ane f f i c i e nt and practical solution to remote authentication: smart c a r d, ”Computers & Security, vol. 21, no. 4, pp. 372375, Aug. 2002. [18] L.Fa n,J .H.Li ,a ndH.W.Zhu,“ Ane nha nc e me ntof timestamp-ba s e d pa s s wor da ut he nt i c a t i on s c he me , ” Computers & Security, vol. 21, no. 7, pp. 665-667, Nov. 2002. [19] C.K.Cha na ndL.M.Che ng ,“ Cr y pt a na l y s i sof a timestamp-ba s e dpa s s wor da ut he nt i c a t i ons c he me , ”Computers & Security, vol. 21, no. 1, pp. 74-76, 2002. [20] I. C. Lin, M. S. Hwang, and L. H. Li,“ A new remote user authentication scheme for multi-server architecture, ”Future Generation Computer Systems, vol. 19, no. 1, pp. 13-22, Jan. 2003. [21] H.M.Suna ndH.T.Ye h,“ Fur t he rc r y pt a na l y s i sofa password authent i c a t i on s c he me wi t hs ma r tc a r ds , ” IEICE Transactions on Communications, vol. E86-B, no. 4, pp. 1412-1415, April 2003. [22] J. J. Shen, C. W. Lin, and M. S. Hwa ng ,“ A modi f i e d remote user aut he nt i c a t i ons c he meus i ngs ma r tc a r ds , ” IEEE Transactions on Consumer Electronics, vol. 49, no. 2, pp. 414-416, May 2003. [23] B.Wa ng ,J .H.Li ,a ndZ.P.Tong ,“ Cr y pt a na l y s i sof an enhanced timestamp-based password authentication s c he me , ”Computers & Security, vol. 22, no. 7, pp. 643-645, Oct. 2003. [24] A.K.Awa s t hia ndS.La l ,“ Ar e mot eus e ra ut he nt i c at i ons c he meus i ngs ma r tc a r dswi t hf or wa r ds e c r e c y , ” IEEE Transactions on Consumer Electronics, vol. 49,. no. 4, pp. 1246-1248, Nov. 2003. [25] K. C. Leung, L. M. Cheng, A. S. Fong, and C. K. Chan, “ Cr y pt a na l y s i sofamodi f i e dr e mot eus e ra ut he nt i c at i ons c he meus i ngs ma r tc a r ds , ”IEEE Transactions on Consumer Electronics, vol. 49, no. 4, pp. 1243-1245, Nov. 2003. [26] K. F. Chen and S. Zhong, “ At t a c k sont he( e nha nc e d) Yang-Shi e ha ut he nt i c a t i on, ”Computers & Security, vol. 22, no. 8, pp. 725-727, Dec. 2003. [27] C.C.Cha nga ndK.F.Hwa ng ,“ Somef or g e r ya t t a c k s on a remote user authentication scheme using smart c a r ds , ”Informatica, vol. 14, no. 3, pp. 289-294, 2003. [28] H.T.Ye h,H.M.Sun,a ndB.T.Hs i e h,“ Se c ur i t yofa remote user aut he nt i c a t i ons c he meus i ngs ma r tc a r ds , ” IEICE Transactions on Communications, vol. E87-B, no. 1, pp. 192-194, Jan. 2004. [29] W. C. Ku and S.M.Che n,“ We a k ne s s e sa nd i mprovements of an efficient password based remote user a ut he nt i c a t i on s c he me us i ng s ma r tc a r ds , ” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204-207, Feb. 2004. [30] W. C. Ku,S.M.Che n,a ndH.M.Chua ng ,“ As t udyof hash-based password authentication schemes without s t or i ng v e r i f i e r s , ” Proc. 14th Information Security Conference, Taiwan, pp. 429-435, June 2004.. 6 114.

(7)