One-Time Password Authentication Protocol against Theft Attacks

Takasuke TSUJI, Akihiro SHIMIZU

IEICE TRANSACTIONS on Communications, Vol.E87-B, No.3, pp.523-529
Publication Date: 2004/03/01
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on Internet Technology IV)
Category: Security
Keywords: password authentication, one-time password, stolen-verifier problem, Internet protocol

Software applications for the transfer of money or personal information are increasingly common on the Internet. These applications require user authentication to confirm legitimate users. One-time password authentication methods risk a stolen-verifier problem or other theft attacks because the authentication server on the Internet stores the user's verifiers and secret keys. The SAS-2 (Simple And Secure password authentication protocol, ver.2) and the ROSI (RObust and SImple password authentication protocol) are secure password authentication protocols. However, we have found attacks on SAS-2 and ROSI. Here, we propose a new method which eliminates such problems without increasing the processing load and can achieve the same high security level as S/Key systems without resetting the verifier.