
Keyword Search Result

[Keyword] impersonation attack(10hit)

1-10hit
  • A Cheating-Detectable (k, L, n) Ramp Secret Sharing Scheme

    Wataru NAKAMURA  Hirosuke YAMAMOTO  Terence CHAN  

     
    PAPER-Cryptography and Information Security

    Vol: E100-A No:12  Page(s): 2709-2719

    In this paper, we treat (k, L, n) ramp secret sharing schemes (SSSs) that can detect impersonation attacks and/or substitution attacks. First, we derive lower bounds on the sizes of the shares and random number used in encoding for given correlation levels, which are measured by the mutual information of shares. We also derive lower bounds on the success probabilities of attacks for given correlation levels and given sizes of shares. Next we propose a strong (k, L, n) ramp SSS against substitution attacks. As far as we know, the proposed scheme is the first strong (k, L, n) ramp SSSs that can detect substitution attacks of at most k-1 shares. Our scheme can be applied to a secret S^L uniformly distributed over GF(p^m)^L, where p is a prime number with p≥L+2. We show that for a certain type of correlation levels, the proposed scheme can achieve the lower bounds on the sizes of the shares and random number, and can reduce the success probability of substitution attacks within nearly L times the lower bound when the number of forged shares is less than k. We also evaluate the success probability of impersonation attack for our schemes. In addition, we give some examples of insecure ramp SSSs to clarify why each component of our scheme is essential to realize the required security.

  • Security Analysis of Two Augmented Password-Authenticated Key Exchange Protocols

    SeongHan SHIN  Kazukuni KOBARA  Hideki IMAI  

     
    LETTER-Cryptography and Information Security

    Vol: E93-A No:11  Page(s): 2092-2095

    An augmented PAKE (Password-Authenticated Key Exchange) protocol is said to be secure against server-compromise impersonation attacks if an attacker who obtained password verification data from a server cannot impersonate a client without performing off-line dictionary attacks on the password verification data. There are two augmented PAKE protocols where the first one [12] was proposed in the IEEE Communications Letters and the second one [15] was submitted to the IEEE P1363.2 standard working group [9]. In this paper, we show that these two augmented PAKE protocols [12], [15] (claimed to be secure) are actually insecure against server-compromise impersonation attacks. More specifically, we present generic server-compromise impersonation attacks on these augmented PAKE protocols [12],[15].

  • Cryptanalysis of the Kiyomoto-Fukushima-Tanaka Anonymous Attribute Authentication Scheme

    Haeryong PARK  

     
    LETTER-Fundamental Theories for Communications

    Vol: E92-B No:9  Page(s): 2946-2947

    Kiyomoto-Fukushima-Tanaka proposed a perfectly anonymous attribute authentication scheme that realizes unidentifiable and untraceable authentication with offline revocation checking. The Kiyomoto-Fukushima-Tanaka scheme uses a self-blindable certificate that a user can change randomly. Thus, the certificate is modified for each authentication and the authentication scheme has the unidentifiable property and the untraceable property. However, in this letter, we show that the Kiyomoto-Fukushima-Tanaka scheme is insecure against the impersonation attack.

  • Security Analysis of an ID-Based Key Agreement for Peer Group Communication

    Duc-Liem VO  Kwangjo KIM  

     
    LETTER-Information Security

    Vol: E90-A No:11  Page(s): 2624-2625

    Pairing based cryptography has been researched intensively due to its beneficial properties. In 2005, Wu et al. [3] proposed an identity-based key agreement for peer group communication from pairings. In this letter, we propose attacks on their scheme, by which the group fails to agree upon a common communication key.

  • Impersonation Attack on Two-Gene-Relation Password Authentication Protocol (2GR)

    Chun-Li LIN  Ching-Po HUNG  

     
    LETTER-Fundamental Theories for Communications

    Vol: E89-B No:12  Page(s): 3425-3427

    In 2004, Tsuji and Shimizu proposed a one-time password authentication protocol, named 2GR (Two-Gene-Relation password authentication protocol). The design goal of the 2GR protocol is to eliminate the stolen-verifier attack on SAS-2 (Simple And Secure password authentication protocol, ver.2) and the theft attack on ROSI (RObust and SImple password authentication protocol). Tsuji and Shimizu claimed that in the 2GR an attacker who has stolen the verifiers from the server cannot impersonate a legitimate user. This paper, however, will point out that the 2GR protocol is still vulnerable to an impersonation attack, in which any attacker can, without stealing the verifiers, masquerade as a legitimate user.

  • Impersonation Attacks on Key Agreement Protocols Resistant to Denial of Service Attacks

    Kyung-Ah SHIM  

     
    LETTER-Application Information Security

    Vol: E89-D No:7  Page(s): 2306-2309

    Hirose and Yoshida proposed an authenticated key agreement protocol based on the intractability of the Computational Diffie-Hellman problem. Recently, Hirose and Matsuura pointed out that Hirose and Yoshida's protocol is vulnerable to Denial-of-Service (DoS) attacks. And they proposed two key agreement protocols which are resistant to the DoS attacks. Their protocols are the first authenticated key agreement protocols resistant to both the storage exhaustion attack and the CPU exhaustion attack. In this paper we show that Hirose and Matsuura's DoS-resistant key agreement protocols and Hirose and Yoshida's key agreement protocol are vulnerable to impersonation attacks. We make suggestions for improvements.

  • Impersonation Attack on a Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards

    Wei-Chi KU  Shen-Tien CHANG  

     
    LETTER-Fundamental Theories for Communications

    Vol: E88-B No:5  Page(s): 2165-2167

    Recently, Das et al. proposed a dynamic ID-based verifier-free password authentication scheme using smart cards. To resist the ID-theft attack, the user's login ID is dynamically generated and one-time used. Herein, we demonstrate that Das et al.'s scheme is vulnerable to an impersonation attack, in which the adversary can easily impersonate any user to login the server at any time. Furthermore, we also show several minor weaknesses of Das et al.'s scheme.

  • Security Analysis of a Threshold Access Control Scheme Based on Smart Cards

    Gwoboa HORNG  Chao-Liang LIU  Yao-Te HWANG  

     
    LETTER-Information Security

    Vol: E87-A No:8  Page(s): 2177-2179

    In 2003, Wu proposed a threshold access control scheme based on smart cards. In this letter, we show that the scheme is vulnerable to various attacks.

  • A Generalization of the Simmons' Bounds on Secret-Key Authentication Systems

    Hiroki KOGA  

     
    LETTER-Cryptography and Information Security

    Vol: E83-A No:10  Page(s): 1983-1986

    This paper analyzes a generalized secret-key authentication system from a viewpoint of the information-spectrum methods. In the generalized secret-key authentication system, for each n 1 a legitimate sender transmits a cryptogram Wn to a legitimate receiver sharing a key En in the presence of an opponent who tries to cheat the legitimate receiver. A generalized version of the Simmons' bounds on the success probabilities of the impersonation attack and a certain kind of substitution attack are obtained.

  • Coding Theorems for Secret-Key Authentication Systems

    Hiroki KOGA  Hirosuke YAMAMOTO  

     
    PAPER-Information Theory

    Vol: E83-A No:8  Page(s): 1691-1703

    This paper provides the Shannon theoretic coding theorems on the success probabilities of the impersonation attack and the substitution attack against secret-key authentication systems. Though there are many studies that develop lower bounds on the success probabilities, their tight upper bounds are rarely discussed. This paper characterizes the tight upper bounds in an extended secret-key authentication system that includes blocklength K and permits the decoding error probability tending to zero as K . In the extended system an encoder encrypts K source outputs to K cryptograms under K keys and transmits K cryptograms to a decoder through a public channel in the presence of an opponent. The decoder judges whether K cryptograms received from the public channel are legitimate or not under K keys shared with the encoder. It is shown that 2^{-KI(W;E)} is the minimal attainable upper bound of the success probability of the impersonation attack, where I(W;E) denotes the mutual information between a cryptogram W and a key E. In addition, 2^{-KH(E|W)} is proved to be the tight upper bound of the probability that the opponent can correctly guess K keys from transmitted K cryptograms, where H(E|W) denotes the conditional entropy of E given W.