Abstract

The rapid progress in web services has drawn more attention to strengthening the security of the many applications that serve and interact with Internet users. To be authenticated by servers, users must disclose secret information such as a username and password to the server so that they can access distinct applications on the Web. Because of various security attacks, revealing such secret credentials should be discouraged. Moreover, it is vital to secure systems against known attacks. Compared with other known security attacks, the insider attack is considered devastating because the privileged insiders of a system can compromise the secret credentials, which may lead to irrecoverable damage to both the system and the user. Therefore, different protocols have been proposed to secure systems against insider attacks. Very recently, Rajamanickam et al., in “Insider attack protection: Lightweight password-based authentication techniques using ECC,” presented a novel authentication scheme for insider attack protection. They claimed that their protocol not only prevents insider attacks but is also immune to several known security attacks. This comment discloses non-trivial weaknesses in the authentication phase between client and server. We have identified that an adversary can successfully impersonate the entities communicating with each other through this protocol. Moreover, their protocol fails to offer forward and backward secrecy. Consequently, we suggest a possible solution for attack resilience.
