Comments on five smart card based password authentication protocols
In this paper, we use the ten security requirements proposed by Liao et al. for a smart card based authentication protocol to examine five recent work in this area. After analyses, we found that the protocols of Juang et al.s, Hsiang et al.s, Kim et al.s, and Li et al.s all suffer from the password guessing attack if the smart card is lost and the protocol of Xu et al.s suffers from the insider attack.
Comment on four two-party authentication protocols
In this paper, we analyze the protocols of Bindu et al., Goriparthi et al., Wang et al. and Hölbl et al.. After analyses, we found that Bindu et al.s protocol suffers from the insider attack if the smart card is lost, both Goriparthi et al.s and Wang et al.s protocols cant withstand the DoS attack on the password change phase which makes the password invalid after the protocol run, and Hölbl et al.s protocol is vulnerable to the insider attack since a malevolent legal user can deduce KGCs secret key xs.
A Privacy-Flexible Password Authentication Scheme for Multi-Server Environment
Since Kerberos suffers from KDC (Key Distribution Center) compromise and impersonation attack, a multi-server password authentication protocol which highlights no verification table in the server end could therefore be an alternative. Typically, there are three roles in a multi-server password authentication protocol: clients, servers, and a register center which plays the role like KDC in Kerberos. In this paper, we exploit the theoretical basis for implementing a multi-server password authentication system under two constraints: no verification table and user privacy protection. We found that if a system succeeds in privacy protection, it should be implemented either by using a public key cryptosystem or by a register center having a table to record the information shared with corresponding users. Based on this finding, we propose a privacy-flexible system to let a user can employ a random-looking dynamic identity or employ a pseudonym with the register center online or offline to login a server respectively according to his privacy requirement. Compared with other related work, our scheme is not only efficient but also the most conformable to the requirements that previous work suggest.
Comments on two multi-server authentication protocols
Recently, Tsai and Liao et al. each proposed a multi-server authentication protocol. They claimed their protocols are secure and can withstand various attacks. But we found some security loopholes in each protocol. We will show the attacks on their schemes.
Comments on two password based protocols
Recently, M. Hölbl et al. and I. E. Liao et al. each proposed an user authentication protocol. Both claimed that their schemes can withstand password guessing attack. However, T. Xiang et al. pointed out I. E. Liao et al.'s protocol suffers three kinds of attacks, including password guessing attacks. We present an improvement protocol to get rid of password guessing attacks. In this paper, we first point out the security loopholes of M. Hölbl et al.'s protocol and review T. Xiang et al.'s cryptanalysis on I. E. Liao et al.'s protocol. Then, we present the improvements on M. Hölbl et al.'s protocol and I. E. Liao et al.'s protocol, respectively.