Security of a Remote User Authentication Scheme Using Smart Cards

Her-Tyan YEH  Hung-Min SUN  Bin-Tsan HSIEH  

IEICE TRANSACTIONS on Communications   Vol.E87-B   No.1   pp.192-194
Publication Date: 2004/01/01
Online ISSN: 
Print ISSN: 0916-8516
Type of Manuscript: LETTER
Category: Internet
password authentication,  smart card,  network security,  remote login,  cryptanalysis,  

Full Text: PDF(105KB)>>
Buy this Article

Recently, Hwang and Li proposed a smartcard-based remote user authentication scheme. Later, Chan and Cheng showed that Hwang and Li's scheme is insecure against a kind of impersonation attack where a legitimate user can create another valid pair of user identity and password without knowing the secret key of the remote system. However, an assumption under Chan and Cheng's attack is that the attacker must be a legal user. In this paper, we further present a more fundamental and efficient impersonation attack on Hwang and Li's scheme. Using our attack, any users (including legal and illegal users) can easily get a specific legal user's password, impersonate this specific user to login to the remote system, and pass the system authentication.