Attacks and Solutions on Strong-Password Authentication
Chun-Li LIN, Hung-Min SUN, Tzonelih HWANG
IEICE TRANSACTIONS on Communications
Publication Date: 2001/09/01
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Fundamental Theories
Keywords: cryptography, strong-password authentication, strong one-way hash function, one-time password
A password-based mechanism is the most widely used method of authentication in distributed environments. However, because people are used to choosing easy-to-remember passwords, so-called "weak-passwords," dictionary attacks on them can succeed. The techniques used to prevent dictionary attacks lead to a heavy computational load. Indeed, forcing people to use well-chosen passwords, so-called "strong passwords," with the assistance of tamper-resistant hardware devices can be regarded as another fine authentication solution. In this paper, we examine a recent solution, the SAS protocol, and demonstrate that it is vulnerable to replay and denial of service attacks. We also propose an Optimal Strong-Password Authentication (OSPA) protocol that is secure against stolen-verifier, replay, and denial of service attacks, and minimizes computation, storage, and transmission overheads.