SeongHan SHIN Kazukuni KOBARA Hideki IMAI
At Indocrypt 2005, Viet et al. [21] proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n 2 -1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t=1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [21].
SeongHan SHIN Kazukuni KOBARA Hideki IMAI
The RSA-based Password-Authenticated Key Exchange (PAKE) protocols have been proposed to realize both mutual authentication and generation of secure session keys where a client is sharing his/her password only with a server and the latter should generate its RSA public/private key pair (e,n),(d,n) every time due to the lack of PKI (Public-Key Infrastructures). One of the ways to avoid a special kind of off-line (so called e-residue) attacks in the RSA-based PAKE protocols is to deploy a challenge/response method by which a client verifies the relative primality of e and φ(n) interactively with a server. However, this kind of RSA-based PAKE protocols did not give any proof of the underlying challenge/response method and therefore could not specify the exact complexity of their protocols since there exists another security parameter, needed in the challenge/response method. In this paper, we first present an RSA-based PAKE (RSA-PAKE) protocol that can deploy two different challenge/response methods (denoted by Challenge/Response Method1 and Challenge/Response Method2). The main contributions of this work include: (1) Based on the number theory, we prove that the Challenge/Response Method1 and the Challenge/Response Method2 are secure against e-residue attacks for any odd prime e; (2) With the security parameter for the on-line attacks, we show that the RSA-PAKE protocol is provably secure in the random oracle model where all of the off-line attacks are not more efficient than on-line dictionary attacks; and (3) By considering the Hamming weight of e and its complexity in the RSA-PAKE protocol, we search for primes to be recommended for a practical use. We also compare the RSA-PAKE protocol with the previous ones mainly in terms of computation and communication complexities.
SeongHan SHIN Kazukuni KOBARA Hideki IMAI
In this paper, we propose a leakage-resilient and proactive authenticated key exchange (called LRP-AKE) protocol for credential services which provides not only a higher level of security against leakage of stored secrets but also secrecy of the private key with respect to the involved server. We show that the LRP-AKE protocol is provably secure in the random oracle model with the reduction to the computational Diffie-Hellman problem. In addition, we discuss some possible applications of the LRP-AKE protocol.
Chanathip NAMPREMPRE Matthew N. DAILEY
We propose a new construct, the Text-Graphics Character (TGC) CAPTCHA, for preventing dictionary attacks against password authentication systems allowing remote access via dumb terminals. Password authentication is commonly used for computer access control. But password authentication systems are prone to dictionary attacks, in which attackers repeatedly attempt to gain access using the entries in a list of frequently-used passwords. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are currently being used to prevent automated "bots" from registering for email accounts. They have also been suggested as a means for preventing dictionary attacks. However, current CAPTCHAs are unsuitable for text-based remote access. TGC CAPTCHAs fill this gap. In this paper, we define two TGC CAPTCHAs and incorporate one of them in a prototype based on the SSH (Secure Shell) protocol suite. We also prove that, if a TGC CAPTCHA is easy for humans and hard for machines, then the resulting CAPTCHA is secure. We provide empirical evidence that our TGC CAPTCHAs are indeed easy for humans and hard for machines through a series of experiments. We believe that a system exploiting a TGC CAPTCHA will not only help improve the security of servers allowing remote terminal access, but also encourage a healthy spirit of competition in the fields of pattern recognition, computer graphics, and psychology.
In 2000, Sandirigama, Shimizu, and Noda proposed a simple password authentication scheme, SAS. However, SAS was later found to be flawed. Recently, Chen, Lee, and Horng proposed two SAS-like schemes, which were claimed to be more secure than similar schemes. Herein, we show that both their schemes are still vulnerable to denial-of-service attacks. Additionally, Chen-Lee-Horng's second scheme is not easily reparable.
Wei-Chi KU Hsiu-Mei CHUANG Maw-Jinn TSAUR
In 2003, Wu and Chieu proposed a scheme that was claimed to be an enhanced version of Sun's password authentication scheme. Recently, Wu and Chieu themselves showed that their scheme is vulnerable to a forgery attack and then proposed an improved scheme. Herein, we demonstrate that Wu-Chieu's improved scheme is still vulnerable to several attacks.
Wei-Chi KU Shen-Tien CHANG Min-Hung CHIANG
Recently, Lin, Hwang, and Li proposed an efficient remote authentication scheme using smart cards for multi-server architecture based on the geometric property of the Euclidean plane. Herein, we show that their scheme is vulnerable to two forgery attacks and a password-guessing attack, and is not easily repairable. Furthermore, their scheme lacks a proper user eviction mechanism.
Recently, Das et al. proposed a dynamic ID-based verifier-free password authentication scheme using smart cards. To resist the ID-theft attack, the user's login ID is dynamically generated and used only once. Herein, we demonstrate that Das et al.'s scheme is vulnerable to an impersonation attack, in which the adversary can easily impersonate any user to log in to the server at any time. Furthermore, we also show several minor weaknesses of Das et al.'s scheme.
Takasuke TSUJI Akihiro SHIMIZU
Applications for transferring money or personal information are increasingly common on the Internet and in mobile communications. These applications require user authentication for confirming legal users. One-time password authentication methods change the verifier every time by sending the present verifier along with the next verifier. However, such methods risk attacks because those protocols use two verifiers every session. The SAS (Simple And Secure password authentication protocol) is a one-time password authentication method that uses a hash function five times, but it requires high overhead on low-spec machines. In this paper, we propose a new method, SAS-2, which reduces the overhead of hash function adaptation by 40%. This method has a mutual authentication phase, which maintains synchronous data communications in its authentication procedure. Moreover, SAS-2 can be applied to key-free systems.
Takasuke TSUJI Akihiro SHIMIZU
Software applications for the transfer of money or personal information are increasingly common on the Internet. These applications require user authentication for confirming legitimate users. One-time password authentication methods risk a stolen-verifier problem or other steal attacks because the authentication on the Internet server stores the user's verifiers and secret keys. The SAS-2 (Simple And Secure password authentication protocol, ver.2) and the ROSI (RObust and SImple password authentication protocol) are secure password authentication protocols. However, we have found attacks on SAS-2 and ROSI. Here, we propose a new method which eliminates such problems without increasing the processing load and can provide the same high security level as S/Key systems without resetting the verifier.
Her-Tyan YEH Hung-Min SUN Bin-Tsan HSIEH
Recently, Hwang and Li proposed a smartcard-based remote user authentication scheme. Later, Chan and Cheng showed that Hwang and Li's scheme is insecure against a kind of impersonation attack where a legitimate user can create another valid pair of user identity and password without knowing the secret key of the remote system. However, an assumption under Chan and Cheng's attack is that the attacker must be a legal user. In this paper, we further present a more fundamental and efficient impersonation attack on Hwang and Li's scheme. Using our attack, any user (legal or illegal) can easily get a specific legal user's password, impersonate this specific user to log in to the remote system, and pass the system authentication.
Takasuke TSUJI Akihiro SHIMIZU
User authentication is necessary on the Internet and in mobile communications to protect the legal user's rights. One-time password authentication methods change the verifier every time by sending the present verifier along with the next verifier. However, such methods risk impersonation attacks because those protocols use two verifiers every session. The OSPA (Optimal Strong-Password Authentication) method is a one-time password method which prevents stolen-verifier problems, replay attacks, and denial of service attacks. In this letter, we devise an impersonation attack on the OSPA method and discuss how to break down the OSPA method.
Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack cannot work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification, which allows the adversary to log in to the remote server.
Recently, Lin et al. addressed two weaknesses of a new strong-password authentication scheme, the SAS protocol, and then proposed an improved one called the OSPA (Optimal Strong-Password Authentication) protocol. However, we find that both the OSPA protocol and the SAS protocol are vulnerable to the stolen-verifier attack.
Chun-Li LIN Hung-Min SUN Tzonelih HWANG
A password-based mechanism is the most widely used method of authentication in distributed environments. However, because people are used to choosing easy-to-remember passwords, so-called "weak-passwords," dictionary attacks on them can succeed. The techniques used to prevent dictionary attacks lead to a heavy computational load. Indeed, forcing people to use well-chosen passwords, so-called "strong passwords," with the assistance of tamper-resistant hardware devices can be regarded as another fine authentication solution. In this paper, we examine a recent solution, the SAS protocol, and demonstrate that it is vulnerable to replay and denial of service attacks. We also propose an Optimal Strong-Password Authentication (OSPA) protocol that is secure against stolen-verifier, replay, and denial of service attacks, and minimizes computation, storage, and transmission overheads.
Manjula SANDIRIGAMA Akihiro SHIMIZU Matu-Tarow NODA
In this paper we propose SAS-Coin, a very practical micropayment scheme based on a hash chain and a simple one-time password authentication protocol called SAS. While it has many desirable features of a coin (anonymity etc.), it has no public key operations at any stage and has very little overhead. Moreover, authentication is also available, and a session key could be generated for encrypted information supply without any additional cost at all. Since there are no public key operations, this is extremely useful for mobile telephone applications. It has sufficient security even for larger payments. A comparative analysis with some of the already proposed systems is also given.
We study how to generalize a key agreement and password authentication protocol on the basis of well-known hard problems such as the discrete logarithm problem and the Diffie-Hellman problem. The key agreement and password authentication protocol is necessary for networked or internetworked environments to provide user knowledge-based authentication and to establish a new cryptographic key for the subsequent secure session. In this paper, the generalized protocol is meant to require only weak constraints and to generalize easily to any other cyclic group that preserves the two hard problems. The low entropy of passwords has made it difficult to design such a protocol and to prove its security soundness. In this paper, we devise a protocol which is easy to generalize and show its security soundness in the random oracle model. The proposed protocol reduces the constraints to merely avoiding a smooth prime modulus. Our main contribution is in solving the password's low entropy problem in the multiplicative group for the generalization.
Manjula SANDIRIGAMA Akihiro SHIMIZU Matu-Tarow NODA
In the Internet and Mobile communication environment, authentication of the users is very important. Although at present password is extensively used for authentication, bare password transmission suffers from some inherent shortcomings. Several password-based authentication methods have been proposed to eliminate such shortcomings. Those proposed methods have relative demerits as well as merits. In this letter we propose a method where those demerits are eliminated. The prominent feature is security improvement apart from low processing, storage and transmission overheads compared to previous methods. This method can be used in several applications like remote login, encrypted and authenticated communication and electronic payment etc.
Akihiro SHIMIZU Tsutomu HORIOKA Hirohito INAGAKI
A password authentication method PERM has been developed for application to e-mail forwarding. This method is suitable for communications in insecure network environments such as the Internet. In particular, it can be adapted to Internet appliances and Java applets which have limited performance. The PERM method does not require password resettings and enables high-speed authentication processing with a small-sized program. Moreover, it does not use facilities or mechanisms for generating random numbers and writing them into and reading them out of an IC card or similar storage medium on the user's side.