Privacy-Preserving Authentication of Users with Smart Cards Using One-Time Credentials

Jun-Cheol PARK  

IEICE TRANSACTIONS on Information and Systems   Vol.E93-D   No.7   pp.1997-2000
Publication Date: 2010/07/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.E93.D.1997
Print ISSN: 0916-8532
Type of Manuscript: LETTER
Category: Information Network
Keywords: authentication, user privacy, smart card, one-time credentials

Preserving user privacy is critical to preventing many sophisticated attacks that are based on a user's server access patterns and ID-related information. We propose a password-based user authentication scheme that provides strong privacy protection using one-time credentials. It eliminates the possibility of tracing a user's authentication history and hides the user's ID and password even from servers. In addition, it resists user impersonation even if both a server's verification database and a user's smart card storage are disclosed. We also provide a revocation scheme that lets a user promptly invalidate the user's credentials on a server when the user's smart card is compromised. The schemes use only lightweight operations, such as computing hashes and bitwise XORs.