The Weaknesses of the Virtual Password Authentication Protocol with Cookie


Password-based authentication protocols are susceptible to various attacks. Recently, Sood, Sarje, and Singh proposed an inverse cookie-based virtual password authentication protocol. Their protocol is practical and easy to implement. They claim that their scheme is secure against various attacks, including the online dictionary attack, offline dictionary attack, eavesdropping attack, denial of service attack, phishing attack, pharming attack, man-in-the-middle attack, replay attack, leak of verifier attack, message modification or insertion attack, and brute force attack. However, we find some weaknesses in Sood et al.'s scheme. In this article, we show that Sood et al.'s scheme is vulnerable to the online password guessing attack and the denial of service attack.

Improvements on two password-based authentication protocols

2009

Recently, Liao et al. and Hölbl et al. each proposed a user authentication protocol. Both claimed that their schemes can withstand various attacks. However, Xiang et al. pointed out that Liao et al.'s protocol suffers from three kinds of attacks: the replay attack, the guessing attack, and the denial-of-service (DoS) attack. Moreover, we and Munilla et al. also found that Hölbl et al.'s protocol suffers from the password guessing attack. In this paper, we propose improvements to the two protocols respectively. After analysis and comparison, we conclude that our improvements are not only more secure but also more efficient in communication cost than all of the password-based schemes that we know.

Preventing Password Reuse Attacks Using Authentication Protocol

2014

Text password is typically the most popular form of user authentication on websites due to its convenience and simplicity. On the other hand, users' passwords are prone to be stolen and compromised under various threats and vulnerabilities. First, users usually select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she may exploit it to gain access to more websites. Second, typing passwords into untrusted computers carries a password theft risk. An adversary can launch several password stealing attacks to snatch passwords, including phishing, keyloggers, and malware. In this paper, we design a user authentication protocol named oPass which leverages a user's cellphone and short message service to thwart password stealing and password reuse attacks. o...

The Surfing Attacks Secured Password Authentication System

INTERNATIONAL JOURNAL OF ADVANCED INFORMATION AND COMMUNICATION TECHNOLOGY, 2020

People enjoy the convenience of on-line services, but online environments may bring many risks. We propose a virtual password concept involving a small amount of human computing to secure users’ passwords in on-line environments. We adopt user determined randomized linear generation functions to secure users’ passwords based on the fact that a server has more information than any adversary does. We analyze how the proposed scheme defends against phishing, key logger, and shoulder-surfing attacks. To the best of our knowledge, our virtual password mechanism is the first one which is able to defend against all three attacks together. In this work, we discussed how to prevent users’ passwords from being stolen by adversaries. We proposed a virtual password concept involving a small amount of human computing to secure users’ passwords in on-line environments. We also implemented the system to do some tests and survey feedback indicates the feasibility of such a system. In this paper, we...

Weaknesses and Improvement of Secure Hash-Based Strong-Password Authentication Protocol

Journal of Information Science and Engineering, 2010

In 2008, Kim-Koç proposed a secure hash-based strong-password authentication protocol using one-time public key cryptography. They claimed that the protocol was secure against guessing, stolen-verifier, replay, denial-of-service, and impersonation attacks. However, we show that the protocol is vulnerable to impersonation, guessing, and stolen-verifier attacks. We propose improvements to increase the security level of the protocol.

An Efficient Authentication Scheme

International Journal for Infonomics, 2011

In 2000, Peyravian and Zunic presented a simple password authentication scheme using a collision-resistant hash function. Later, Hwang and Yeh noted that the Peyravian and Zunic scheme is insecure and suggested an improved one using the server's public key. However, in practice, services that do not use public keys are quite often preferable to PKIs. Simultaneously, Lee, Kim and Yoo noted that the Peyravian and Zunic scheme suffers from offline password guessing attacks and presented an improved version. However, Lee, Kim and Yoo's proposed scheme is still vulnerable to the same attacks and to denial-of-service attacks. Therefore, this paper presents a secure and efficient improvement. Lee, Kim and Yoo suggested a password scheme for three participants without a trusted server. They claimed that the scheme can withstand different attacks and provide perfect secrecy. In this paper, we demonstrate that their scheme suffers from the imitation attack. Simultaneously, we suggest an enhanced algorithm to resist the mentioned attacks.

A simple attack on a recently introduced hash-based strong-password authentication scheme

International Journal of Network Security, 2005

User authentication is an important service in network security. Recently, several user authentication protocols have been proposed. However, a scheme which withstands all known attacks is not yet available. The Lee-Li-Hwang (LLH) authentication scheme [3] was proposed to circumvent the guessing attack in the Peyravian-Zunic (PZ) password scheme [6]. However, Yoon, Ryu, and Yoo (YRY) [9] discovered that the LLH scheme still suffers from the denial of service attack, and proposed an enhancement for the LLH scheme to solve its security problems. More recently, Ku, Chiang, and Chang (KCC) [2] demonstrated that the YRY scheme is vulnerable to the offline guessing and the stolen-verifier attacks. In this paper, we show that the YRY scheme is also vulnerable to the denial-of-service attack. Furthermore, it was also claimed in [2] that the YRY scheme cannot achieve backward secrecy. We show in this paper that this claim is not entirely valid.

The Weakness of Moon et al.’s Password Authentication Scheme

Journal of Physics: Conference Series, 2018

Using smart cards makes remote transactions easier for users on the Internet. It is important to identify the legitimate users who have the access right to obtain the resources. In 2017, Liu et al. proposed an efficient and secure smart card based password authentication scheme. Recently, Moon et al. pointed out some weaknesses of Liu et al.'s scheme. They also proposed a password authentication scheme to overcome Liu et al.'s weaknesses. They claim that their scheme is more secure and practical as a remote user authentication scheme. However, we find some weaknesses in Moon et al.'s scheme. In this article, we show that Moon et al.'s scheme is vulnerable to the identity guessing and impersonation attacks.

IJERT-Secured and implicit password authentication to avoid attacks

International Journal of Engineering Research and Technology (IJERT), 2013

https://www.ijert.org/secured-and-implicit-password-authentication-to-avoid-attacks https://www.ijert.org/research/secured-and-implicit-password-authentication-to-avoid-attacks-IJERTV2IS2323.pdf

Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric based authentication systems were introduced. However, they have not improved. Thus, a variation on the login/password scheme, viz. the graphical scheme, was introduced. But it also suffered from shoulder-surfing and screen dump attacks. In this paper, we introduce a framework for our proposed IPAS, which is immune to the common attacks suffered by other authentication schemes. At the time of registration, a user should pick some questions from the database depending upon the level of security required and provide answers to the selected questions. For each question, the server may create an intelligent authentication space using images, where the answers to the particular question for various users are implicitly embedded into the images. At the time of authentication, the server may pick one or more of the questions selected by the user at the time of registration. For each chosen question, the server may choose an image randomly from the authentication space and present it to the user as a challenge. The user needs to navigate the image and click the right answer. Once the key is matched, the verification is done and the processes proceed. Then, encryption and decryption processes are performed. If the key match is confirmed, further functions are done and the user login is successful. Otherwise it is rejected and the process starts again from the beginning, leading to secure authentication.
The advantage of the system is that it is immune to shoulder surfing and screen dump attacks, and the authentication information is presented to the user in an implicit form that can be understood and decoded only by the legitimate user.

IJERT-An Enhanced Authentication Protocol Resistant to Password Stealing and Reuse Attack

International Journal of Engineering Research and Technology (IJERT), 2014

https://www.ijert.org/an-enhanced-authentication-protocol-resistant-to-password-stealing-and-reuse-attack https://www.ijert.org/research/an-enhanced-authentication-protocol-resistant-to-password-stealing-and-reuse-attack-IJERTV3IS061302.pdf

With the passage of time, most activities are now available on the Internet. In this environment, users have to be authenticated before being granted access to sensitive content. The password is the predominant tool which protects data and keeps information digitally safe. It has been seen that the text password stays more popular than other forms of passwords due to its simplicity and convenience. Therefore, it can be easily stolen and misused under different vulnerabilities such as hacking, identity theft, cyber stalking and website cloning. Users are likely to choose weak passwords and reuse the password for various websites. In this case, if one password is revealed, it can be used for all other websites. This is called the Domino Effect. Another issue is when a person enters his/her password into an untrusted computer; the adversary can steal the password by launching attacks such as phishing, malware and keyloggers. In this paper, we propose a simple approach which allows a client to counter such attacks by separately entering a long-term secret used to generate a one-time password for each login session on all websites through an independent personal trusted device such as a cell phone, which provides two-factor authentication. Along with this, the system requires that each participating website possess the user's unique cell phone number, and it involves telecommunication services in the registration and recovery phases.