In 2003, Wu and Chieu proposed a scheme that was claimed to be an enhanced version of Sun's password authentication scheme. Recently, Wu and Chieu themselves showed that their scheme is vulnerable to a forgery attack and then proposed an improved scheme. Herein, we demonstrate that Wu-Chieu's improved scheme is still vulnerable to several attacks.

In 2002, Yeh, Shen, and Hwang proposed a one-time password authentication scheme using smart cards. However, Tsuji et al. and Ku et al. showed that it is vulnerable to the stolen verifier attack. Therefore, this paper proposes an improved one-time password authentication scheme, which not only keeps the security of the scheme of Yeh-Shen-Hwang but also can withstand the stolen verifier attack.

Recently, Lin, Hwang, and Li proposed an efficient remote authentication scheme using smart cards for multi-server architecture based on the geometric property of the Euclidean plane. Herein, we show that their scheme is vulnerable to two forgery attacks and a password-guessing attack, and is not easily repairable. Furthermore, their scheme lacks a proper user eviction mechanism.

Recently, Das et al. proposed a dynamic ID-based verifier-free password authentication scheme using smart cards. To resist the ID-theft attack, the user's login ID is dynamically generated and one-time used. Herein, we demonstrate that Das et al.'s scheme is vulnerable to an impersonation attack, in which the adversary can easily impersonate any user to login the server at any time. Furthermore, we also show several minor weaknesses of Das et al.'s scheme.

In recent years, there is an increasing trend of using biometric identifiers for personal authentication. Encouraged by advances in smart card technologies, the fingerprint matching gets increasingly embedded into smart cards for an effective personal authentication method. However, current generation of low cost smart cards are usually equipped with limited hardware resources such as an 8-bit or 16-bit microcontroller. The fingerprint matching typically is a time consuming, computationally intensive and costly process. Therefore, it is still a challenge to integrate the fingerprint matching into a smart card. In this paper, we present a fast memory-efficient fingerprint matching using minutia ridge shape feature. This feature offers advantages of smaller template size, smaller memory requirement, faster matching time and robust matching against image distortion over conventional minutiae-based feature. The implementation result shows that the proposed method can be embedded in smart cards for a real-time Match-on-Card system.

Recently, Yeh, Shen and Hwang proposed an one-time password authentication scheme, which enhances the S/KEY scheme to resist server spoofing attacks, preplay attacks and off-line dictionary attacks. In this letter, the weaknesses and inconveniences of their scheme are demonstrated.

In 2003, Shen et al. proposed an improvement on Yang-Shieh's timestamp-based password authentication scheme using smart cards. Then they claimed that their scheme cannot withstand a forged login attack, but also eliminate a problem of Yang-Shieh's. However, their scheme is still susceptible to forged login attack. In this letter, we show how the forged login attack can be worked out on Shen et al.'s scheme.

In this letter, we indicate that a proposed user-friendly remote authentication scheme with smart card is insecure. The authentication scheme suffers from the replay attack. An adversity can eavesdrop valid authentication information from the communicating data, modify it, and impersonate the legitimate user to login the remote system. We also present a modified scheme to overcome this vulnerability and improve the robustness. In the modified scheme, the replay attack cannot work successfully. To crack the password from the communicating message is infeasible. Even if the password is compromised, the attacker still cannot pass the authentication and gain the authority of the legitimate user.

The Internet and mobile communication systems are being developed, and related applications for managing personal information require user authentication for confirming legitimate users. One-time password authentication methods secure user's authorities by changing the verifier every time. The S/Key is a famous one-time password authentication scheme, which is based on Lamport's scheme. T.-C. Yeh et al. have point out security problems of the S/Key scheme and have proposed a variant of the S/Key scheme, which can be applied to smart cards. However, this method risks certain attacks, too. Those two proposed schemes use counter value, which can easily be modified by an attacker. Herein we discuss security problems of the S/Key and Yeh-Shen-Hwang's password authentication schemes using forgery attacks and stolen-verifier attacks.

The demand for multi-application smart card platform has been increasing in various business sectors recently. When it comes to the actual implementation of the platform, however, network-based dynamic downloading in a Card Issuer-Service Provider separated environment has not made much progress. This paper introduces the smart card information sharing platform that uses licensing/policy/profile management and PKI-based technologies to enable multiple CIs and multiple SPs to reflect their own business policy flexibly via network. It makes the paradigm shift from card-oriented scheme to service-oriented scheme. By through world's first implementation of the scheme and some experiments including deployment, we confirmed that this technology is well-accepted and applicable to various business sectors and it can be of practical use.

Recently, Hwang and Li proposed a smartcard-based remote user authentication scheme. Later, Chan and Cheng showed that Hwang and Li's scheme is insecure against a kind of impersonation attack where a legitimate user can create another valid pair of user identity and password without knowing the secret key of the remote system. However, an assumption under Chan and Cheng's attack is that the attacker must be a legal user. In this paper, we further present a more fundamental and efficient impersonation attack on Hwang and Li's scheme. Using our attack, any users (including legal and illegal users) can easily get a specific legal user's password, impersonate this specific user to login to the remote system, and pass the system authentication.

We propose a public-key primitive modulo pkq based on the RSA primitive. The decryption process of the proposed scheme is faster than those of two variants of PKCS #1 version 2.1, namely the RSA cryptosystem using Chinese remainder theorem (CRT) and the Multi-Prime RSA. The message M of the proposed scheme is decrypted from M mod pk and M mod q using the CRT, where we apply the Hensel lifting to calculate M mod pk from M mod p that requires only quadratic complexity ((log2p)2). Moreover, we propose a trick that avoids modular inversions used for the Hensel lifting, and thus the proposed algorithm can be computed without modular inversion. We implemented in software both the proposed scheme with 1024-bit modulus p2q and the 1024-bit Multi-Prime RSA for modulus p1p2p3, where p,q,p1,p2,p3 are 342 bits. The improvements of the proposed scheme over the Multi-Prime RSA are as follows: The key generation is about 49% faster, the decryption time is about 42% faster, and the total secret key size is 33% smaller.

The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory--we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Moller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |00x|00x||00x|, where x is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-w NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Moller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.

The application of Elliptic Curve Cryptosystem has gained more and more attention. ECC uses smaller key size and lower memory requirement to retain the security level and can be a crucial factor in the smart card system. In this paper, an ECC based implementation of security schemes in smart card system to access control the door of some confidential places is proposed. The confidential place, for example a coffer, a strong room in the bank is used to store treasures as well as cashes, and where the mutual vigilance could be required. For the safety consideration, the going in and out a coffer by a person is not permissive but a group of authorized people. It involves the problem of secret sharing. The adopted solution of sharing secret is threshold scheme. Every participant possesses a secret shadow, which will be saved in the smart card. After correct reconstructing the shared secrets, it is permissible to access the coffer's door. For resisting dishonest participants, cheating detection and cheater identification will be included. The user can change his password of smart card freely and need not memorize his assigned lengthy password and shadow as traditional ID-based schemes makes our implementation much more user friendly.

Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Using the great one-time password concept, the widely utilized one-way authentication scheme S/Key provides well protection against replay attacks. In this paper, S/key is enhanced to secure transactions in a critical environment. The proposed scheme is free from any of server spoofing attacks, preplay attacks, and off-line dictionary attacks. A session key here is also established to provide confidentiality. Moreover, simplicity and efficiency are taken into consideration from the user's point of view. A smart card is applied to simplify the user login process and only the hash function is used to keep its efficiency. Therefore, the scheme proposed hereinafter is able to build a safer shield for sensitive transactions like on-line banking or on-line trading in bonds and securities.

Smart cards and biometrics can be effectively combined for personal authentication over an open network. The combination is achieved as two-step authentication in which the smart card is authenticated based on a public key infrastructure, and the card holder is authenticated using the template stored in the smart card based on the biometric data. The biometric verification has to be executed in the card for security purposes. This paper describes a fingerprint verification method based on a popular biometric verification technique that can be embedded in a smart card. The prototype system that uses this verification method can verify fingerprints in a few seconds by using the data stored on the smart card.

A group-oriented cipher communication method is developed and implemented on a WWW-based (World Wide Web) network system. In this method, a group key common to all entities of the group is generated based on the group name or the identities of entities belonging to the group. The group key, in turn, is used for encrypting the data being shared among the group via the WWW server. The data theft at the WWW cache sites on the intermediate communication line is prevented, establishing a unified feature of the good WWW cache performance and security. A prototype of our method proved the feasibility and the efficiency.

We propose an interactive identification scheme based on the quadratic residue problem. Prover's identity can be proved without revealing his secret information with only one accreditation. The proposed scheme requires few computations in the verification process, and a small amount of memory to store the secret information, A digital signature based on this scheme is proposed, and its validity is then proved. Lastly, analysis about the proposed scheme is presented at the end of the paper.

Koblitz and Miller proposed a method by which the group of points on an elliptic curve over a finite field can be used for the public key cryptosystems instead of a finite field. To realize signature or identification schemes by a smart card, we need less data size stored in a smart card and less computation amount by it. In this paper, we show how to construct such elliptic curves while keeping security high.