Stolen-Verifier Attack on an Efficient Smartcard-Based One-Time Password Authentication Scheme Authors: Wei-Chi KU, Hao-Chuan TSAI, Maw-Jinn TSAUR Source: IEICE transactions on Communications, Vol. E87-B, No.8, Aug. 2004, pp.2374- 2376 Speaker: Chih-Chiang Tsou Date: 2005.01.03

Outline Review of Yeh-Shen-Hwang’s Scheme Stolen-Verifier Attack on Yeh-Shen-Hwang’s Scheme Conclusion

Review of Yeh-Shen-Hwang’s Scheme Secure channel Common channel Review of Yeh-Shen-Hwang’s Scheme 1. Registration SEED: random number S: smart card (SEED) H():secure hash function S ( SEED⊕D0, H(D0), N) User (Ui) System Authenticates H(SEED⊕ (SEED⊕D0))= H(D0) D0: random number Computes p0= HN( K⊕SEED) ( p0 ⊕D0 ) Authenticates D0 ⊕ ( p0 ⊕D0 )

Review of Yeh-Shen-Hwang’s Scheme For the t th Login Request Dt: random number User (Ui) ( SEED⊕ Dt , H(Dt) ⊕pt-1, N-t ) System Computes pt-1= H( H N-t ( K⊕SEED)) Authenticates H(Dt) = Dt pt ⊕ Dt Authenticates H( pt )= pt-1 Replaces pt-1 with pt and t-1 with t in the database Computes pt= H N-t ( K⊕SEED))

Stolen-Verifier Attack on Yeh-Shen-Hwang’s Scheme The adversary stolen p1,p2,…,pi from the database. And in the user’s ith login, the adversary capture ( SEED⊕ Di , H(Di) ⊕pi-1, N-i ) and (pi ⊕ Di ). Adversary System Uses pi to compute Di and uses Di to compute SEED. He guesses the PW to derive the key K , and computes pi = H N-i ( K ⊕SEED)). If pi  = pi , then PW = PW.

Conclusion This attack scheme is not effective to impersonate the legal user or system.