(3) Client → Server: $id,\ H(rc, rs),\ H(newpw) \oplus H(rc+1, rs),\ H(H(newpw), rs)$
The client retrieves $rs$ by computing $rc \oplus rs \oplus rc$, then verifies the consistency between the retrieved $rs$ and the received $H(rs)$. If the result is positive, the client computes 'one-time' values as follows:
$\text{C auth token} = H(rc, rs)$,
$\text{C auth token mask} = H(newpw) \oplus H(rc+1, rs)$,
$\text{C auth token mask verifier} = H(H(newpw), rs)$.
Finally, the client sends these 'one-time' values with the $id$ to the server.
(4) Server → Client: Access granted / denied
The server computes the hash value $H(rc, rs)$ using its own copies of $rc$ and $rs$, and checks whether $H(rc, rs) = \text{C auth token}$ holds or not. If it holds, the server can obtain $H(newpw)$ by computing $\text{C auth token mask} \oplus H(rc+1, rs)$. Then, the server replaces $H(pw)$ with $H(newpw)$, only if the hashed result of the obtained $H(newpw)$ and $rs$ is equivalent to the received C auth token mask verifier.
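The client and server computations of Steps (3) and (4), as an added Python example that is not code from the paper. It assumes SHA-256 for $H$, a length-prefixed encoding for multi-argument hashes, and 32-byte $rc$ and $rs$; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 32  # bytes; SHA-256 stands in for the page's unspecified H (assumption)

def H(*parts):
    """H(a, b, ...): hash of the length-prefixed parts (encoding is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def inc(rc):
    """rc + 1, reading rc as a big-endian integer of N bytes (wraps on overflow)."""
    return ((int.from_bytes(rc, "big") + 1) % (1 << (8 * N))).to_bytes(N, "big")

def client_step3(rc, masked_rs, h_rs, newpw):
    """Recover rs, check it against H(rs), then build the three one-time values."""
    rs = xor(masked_rs, rc)                      # (rc XOR rs) XOR rc
    if not hmac.compare_digest(H(rs), h_rs):
        raise ValueError("retrieved rs does not match the received H(rs)")
    h_new = H(newpw.encode())
    # token, token mask, token mask verifier
    return H(rc, rs), xor(h_new, H(inc(rc), rs)), H(h_new, rs)

def server_step4(rc, rs, stored, token, mask, verifier):
    """Return (access_granted, stored_hash); the hash is replaced only if the verifier matches."""
    if not hmac.compare_digest(H(rc, rs), token):
        return False, stored
    h_new = xor(mask, H(inc(rc), rs))            # unmask H(newpw)
    if hmac.compare_digest(H(h_new, rs), verifier):
        stored = h_new
    return True, stored

def demo():
    # Constructed sample values, not taken from the page.
    rc, rs = secrets.token_bytes(N), secrets.token_bytes(N)
    stored = H(b"old passphrase")
    msg2 = (xor(rc, rs), H(rs))                  # what the client receives before Step (3)
    token, mask, verifier = client_step3(rc, *msg2, "new passphrase")
    ok = server_step4(rc, rs, stored, token, mask, verifier)
    tampered = bytes([mask[0] ^ 1]) + mask[1:]   # mask altered in transit
    bad = server_step4(rc, rs, stored, token, tampered, verifier)
    return stored, ok, bad
```

With an altered mask the token check still passes, but the verifier no longer matches, so the stored hash is left unchanged.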
3 Cryptanalysis of Lin-Hwang's Schemes
This section demonstrates that Lin-Hwang's protected password authentication scheme and protected password change scheme [3] are both vulnerable to server data eavesdropping [4]. Also, it can be shown that Lin-Hwang's protected password change scheme is complex.
Server Data Eavesdropping: The hash value of the user password stored in the server can be eavesdropped and then used to masquerade as the original user. Lin-Hwang claimed that their schemes remain secure when an attacker eavesdrops the secret data $vpw = H(pw)$ in order to forge a login request that passes authentication. In practice, a long random string password is difficult to use and remember, whereas a meaningful string that people can recognize easily, such as a natural language phrase, is much more user-friendly as a password. Natural language phrases, however, narrow down the possibilities for attackers. Thus, if an attacker somehow acquires the secret data $vpw = H(pw)$ stored in the server, they can verify the guessed password guess pw by checking whether $H(\text{guess pw}) = vpw$ holds. If the password is guessed, the login request can then be easily forged to pass authentication.
Inefficient Password Change: In Step (3) of Lin-Hwang's protected password change scheme, the client sends three 'one-time' values with the $id$ to the server as follows:
$\text{C auth token} = H(rc, rs)$,
$\text{C auth token mask} = H(newpw) \oplus H(rc+1, rs)$,
$\text{C auth token mask verifier} = H(H(newpw), rs)$.
Then, the server replaces $H(pw)$ with $H(newpw)$ in Step (4). For a password change and to avoid a Denial-of-Service attack, the scheme requires additional calculations between the client and the server. This can be solved by the client sending a new password by using the server's public key in Step (1). Therefore, Lin-Hwang's protected password change scheme is inefficient.