Information Technology Reference
In-Depth Information
Secure Protected Password Change Scheme
Eun-Jun Yoon, Eun-Kyung Ryu, and Kee-Young Yoo
Department of Computer Engineering, Kyungpook National University,
Daegu 702-701, Republic of Korea
{
ejyoon, ekryu
}
@infosec.knu.ac.kr, yook@knu.ac.kr
Abstract.
Recently, Lin-Hwang proposed a password authentication
scheme with secure password updating. The current paper demonstrates
the vulnerability of Lin-Hwang's scheme to server data eavesdropping
and presents improvements to resolve this problem. In contrast to Lin-
Hwang's scheme, the proposed scheme can simply update user passwords
without a complicated process and provide explicit key authentication
in the case of a session key agreement.
Keyword:
Cryptography, Password authentication, Key agreement.
1
Introduction
User authentication is an important part of security, along with confidentiality
and integrity, for systems that allow remote access over untrustworthy networks,
like the Internet. In 2000, Peyravian and Zunic [1] proposed a protected pass-
word authentication scheme based on a one-way hash function to achieve user
authentication and to arbitrarily change a password. Subsequently, Hwang-Yeh
[2] pointed out that Peyravian-Zunic's scheme was vulnerable to guessing, server
spoofing, and stolen-verifier attacks and proposed a new protected password au-
thentication scheme by using a public server key to eliminate security flaws.
Thereafter, in 2003, Lin-Hwang [3] pointed out that Hwang-Yeh's scheme was
vulnerable to a Denial-of-Service attacks and proposed an improved scheme that
could withstand such attacks and could provide forward secrecy property. They
also claimed that if the password-verifier were stolen from a server, it could not
be used to masquerade as a legitimate user in a user authentication execution (a
stolen-verifier attack). Yet, Lin-Hwang's improved scheme is still susceptible to
server data eavesdropping [4], where obtaining the secret data stored in a server
can allow an illegitimate user to login to the server as a legitimate user.
Accordingly, the current paper demonstrates that Lin-Hwang's scheme [3]
is vulnerable to server data eavesdropping and improvements to the scheme to
isolate such a problem are presented. In contrast to Lin-Hwang's protected pass-
word change scheme, the proposed protected password change scheme can simply
update user passwords without the need for a complicated process. Our proposed
protected password change scheme is similar to Yang-Chang-Li's scheme [4], but
the proposed scheme provides explicit key authentication and perfect forward
secrecy in the case of a session key agreement [5].
