Chun-Li LIN Hung-Min SUN Tzonelih HWANG
A password-based mechanism is the most widely used method of authentication in distributed environments. However, because people are used to choosing easy-to-remember passwords, so-called "weak passwords," dictionary attacks on them can succeed. The techniques used to prevent dictionary attacks lead to a heavy computational load. Indeed, forcing people to use well-chosen passwords, so-called "strong passwords," with the assistance of tamper-resistant hardware devices can be regarded as another fine authentication solution. In this paper, we examine a recent solution, the SAS protocol, and demonstrate that it is vulnerable to replay and denial of service attacks. We also propose an Optimal Strong-Password Authentication (OSPA) protocol that is secure against stolen-verifier, replay, and denial of service attacks, and minimizes computation, storage, and transmission overheads.
Chun-Li LIN Hsiang-An WEN Tzonelih HWANG Hung-Min SUN
We propose a key-agreement-type three-party password-authenticated key exchange protocol. The proposed protocol is quite efficient and, among protocols of the same type, is the first to be formally proven secure. A three-party formal model for the security proof is proposed based on [25] and [26]. We construct a simulator in this model to show that our proposed protocol is secure under reasonable and well-defined cryptographic primitives.
Chi-Chao CHANG Narn-Yih LEE Tzonelih HWANG
Mobile agent systems are essential in the next generation of electronic commercial applications. However, existing solutions for mobile agents to sign documents without user intervention are problematic because there is no restriction on who can generate the signatures. In this paper, we present a modified version of the undetachable signature scheme with which the power to generate digital signatures can be designated to a neutral party. We also give a transaction model to support the scheme. The security of the signature scheme, as well as some attacks on its application in our model, is also discussed.