Impersonation Attack on Two-Gene-Relation Password Authentication Protocol (2GR)

Chun-Li LIN  Ching-Po HUNG  

IEICE TRANSACTIONS on Communications   Vol.E89-B   No.12   pp.3425-3427
Publication Date: 2006/12/01
Online ISSN: 1745-1345
DOI: 10.1093/ietcom/e89-b.12.3425
Print ISSN: 0916-8516
Type of Manuscript: LETTER
Category: Fundamental Theories for Communications
network security,  user authentication,  one-time password,  impersonation attack,  

Full Text: PDF(111.9KB)>>
Buy this Article

In 2004, Tsuji and Shimizu proposed a one-time password authentication protocol, named 2GR (Two-Gene-Relation password authentication protocol). The design goal of the 2GR protocol is to eliminate the stolen-verifier attack on SAS-2 (Simple And Secure password authentication protocol, ver.2) and the theft attack on ROSI (RObust and SImple password authentication protocol). Tsuji and Shimizu claimed that in the 2GR an attacker who has stolen the verifiers from the server cannot impersonate a legitimate user. This paper, however, will point out that the 2GR protocol is still vulnerable to an impersonation attack, in which any attacker can, without stealing the verifiers, masquerade as a legitimate user.