Attacks and Solutions on Strong-Password Authentication

Chun-Li LIN  Hung-Min SUN  Tzonelih HWANG  

IEICE TRANSACTIONS on Communications   Vol.E84-B   No.9   pp.2622-2627
Publication Date: 2001/09/01
Online ISSN: 
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Fundamental Theories
Keyword: cryptography, strong-password authentication, strong one-way hash function, one-time password

Password-based mechanisms are the most widely used method of authentication in distributed environments. However, because people tend to choose easy-to-remember passwords, so-called "weak passwords," dictionary attacks on them can succeed. The techniques used to prevent dictionary attacks impose a heavy computational load. Indeed, forcing people to use well-chosen passwords, so-called "strong passwords," with the assistance of tamper-resistant hardware devices can be regarded as another fine authentication solution. In this paper, we examine a recent solution, the SAS protocol, and demonstrate that it is vulnerable to replay and denial-of-service attacks. We also propose an Optimal Strong-Password Authentication (OSPA) protocol that is secure against stolen-verifier, replay, and denial-of-service attacks, and minimizes computation, storage, and transmission overheads.