Abstract

A two-factor remote authentication scheme was presented by Chun-Ta Li et al. in 2010. We present the framework of an impersonation attack against their scheme if the smart card gets stolen. We show that it is easy for an attacker to compute the password of a user by using information extracted from the stolen smart card. We also propose a simple and easy solution to fix this problem.

Index Terms — Authentication schemes, cryptanalysis, mutual authentication, smart card.

I. INTRODUCTION

To avoid unauthorized access, some security mechanism is needed to authenticate legitimate users. There are three common ways to authenticate a user: what you know (a PIN or a password), what you have (a hardware token) and what you are (a biometric trait).

The most commonly used mechanism for authentication is the password. As it is not easy to remember strong passwords, especially when a user has multiple accounts, this leads to either using the same password for all accounts or selecting passwords with low entropy that can easily be guessed. Hardware token-based schemes are also vulnerable because the hardware token can be lost, stolen, forged or compromised. Biometric-based authentication schemes are resistant to most of the problems in token-based and password systems and provide better security than the other two techniques, yet these are not widely adopted, mainly because they are expensive to implement and use.

Due to the above-mentioned problems with the individual authentication techniques, researchers have proposed to use two-factor authentication where, in most cases, the two factors being used are a password and a hardware token, typically a smart card. Using two factors increases both the security and the reliability of the overall system. In this paper, we have analyzed one of the two-factor authentication schemes proposed by Chun-Ta Li
