Authors: Wei-Chi KU, Hao-Chuan TSAI, Maw-Jinn TSAUR


1 Stolen-Verifier Attack on an Efficient Smartcard-Based One-Time Password Authentication Scheme
Authors: Wei-Chi KU, Hao-Chuan TSAI, Maw-Jinn TSAUR
Source: IEICE Transactions on Communications, Vol. E87-B, No.8, Aug. 2004, pp
Speaker: Chih-Chiang Tsou
Date:

2 Outline
- Review of Yeh-Shen-Hwang’s Scheme
- Stolen-Verifier Attack on Yeh-Shen-Hwang’s Scheme
- Conclusion

3 Review of Yeh-Shen-Hwang’s Scheme
1. Registration
Notation: SEED: random number; S: smart card (SEED); H(): secure hash function; D_0: random number
Channels in the diagram: secure channel, common channel
- System → User (Ui): S, (SEED⊕D_0, H(D_0), N)
- User: authenticates H(SEED⊕(SEED⊕D_0)) = H(D_0)
- User: computes p_0 = H^N(K⊕SEED)
- User → System: (p_0⊕D_0)
- System: authenticates D_0⊕(p_0⊕D_0)

4 Review of Yeh-Shen-Hwang’s Scheme
For the t-th login request
Notation: D_t: random number
- System → User (Ui): (SEED⊕D_t, H(D_t)⊕p_{t-1}, N-t)
- User: computes p_{t-1} = H(H^{N-t}(K⊕SEED))
- User: authenticates H(Dt) = Dt
- User: computes p_t = H^{N-t}(K⊕SEED)
- User → System: p_t⊕D_t
- System: authenticates H(p_t) = p_{t-1}
- System: replaces p_{t-1} with p_t and t-1 with t in the database

5 Stolen-Verifier Attack on Yeh-Shen-Hwang’s Scheme
The adversary has stolen p_1, p_2, …, p_i from the database, and during the user’s i-th login has captured (SEED⊕D_i, H(D_i)⊕p_{i-1}, N-i) and (p_i⊕D_i).
The adversary uses p_i to compute D_i and uses D_i to compute SEED. He then guesses the PW to derive the key K and computes p_i = H^{N-i}(K⊕SEED) from the guess. If the computed p_i equals the stolen p_i, then the guessed PW equals the user’s PW.

6 Conclusion
This attack is not effective for impersonating the legal user or system.
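The login exchange from slide 4 and the check from slide 5, as an added simulation that is not part of the original presentation or paper. It shows why the stored verifier p_i has to be protected like the password itself. Assumptions: H is SHA-256, K = H(PW) (the slides do not give the derivation), and the values N, SEED, the password and the candidate list are constructed.

```python
import hashlib
import secrets

def H(x: bytes, n: int = 1) -> bytes:
    """Apply SHA-256 n times (assumed stand-in for the scheme's hash H)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def key_from_pw(pw: str) -> bytes:
    # Assumption: K = H(PW); the slides only say K is derived from PW.
    return H(pw.encode())

def login(seed: bytes, pw: str, p_prev: bytes, N: int, t: int):
    """Run the t-th login. Returns (common-channel transcript, new verifier p_t)."""
    D_t = secrets.token_bytes(32)                      # system's random number
    challenge = (xor(seed, D_t), xor(H(D_t), p_prev), N - t)
    # User side: recompute p_t, recover D_t, check the system via p_{t-1} = H(p_t).
    p_t = H(xor(key_from_pw(pw), seed), N - t)
    D_user = xor(challenge[0], seed)
    if xor(challenge[1], H(p_t)) != H(D_user):
        raise ValueError("user rejects system")
    response = xor(p_t, D_user)
    # System side: unmask p_t and check H(p_t) = p_{t-1}.
    p_recv = xor(response, D_t)
    if H(p_recv) != p_prev:
        raise ValueError("system rejects user")
    return (challenge, response), p_recv               # p_t replaces p_{t-1}

def offline_test(stolen_p: bytes, transcript, candidates):
    """What a stolen p_i plus one captured login allows to be checked offline."""
    (masked_seed, _masked_hash, remaining), response = transcript
    D_i = xor(response, stolen_p)                      # p_i unmasks D_i
    seed = xor(masked_seed, D_i)                       # D_i unmasks SEED
    for pw in candidates:
        if H(xor(key_from_pw(pw), seed), remaining) == stolen_p:
            return pw
    return None

def demo():
    N, seed, pw = 20, secrets.token_bytes(32), "tiger2004"   # constructed values
    p = H(xor(key_from_pw(pw), seed), N)               # registration: p_0
    for t in (1, 2, 3):
        transcript, p = login(seed, pw, p, N, t)
    return offline_test(p, transcript, ["123456", "letmein", "tiger2004"])
```

Neither SEED nor D_i is ever sent in the clear, yet both fall out of two XORs once p_i is known, so the database entry alone turns a captured login into a password-checking oracle.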

