On vulnerability analysis of several password authentication protocols
In this work, we argue that the usage of computationally intensive mathematical operations in password authentication protocols can lead to security vulnerability in the protocol. We formulate a generalized algorithm for cryptanalysis to perform clogging attack (a form of denial of service) on protocols which use the computationally intensive modular exponentiation to guarantee security. We then apply this technique to cryptanalyze four recent password authentication protocols, and observe all four of them to be prone to the clogging attack. The first one by Yang et al. is a password-based authentication scheme to preserve identity privacy. This protocol does not use timestamps. The second protocol we consider for analysis is by Islam. This is a smart card-based remote user password authentication protocol that uses timestamps. The third protocol by Jiang et al. is a password-based authentication protocol that does not use smart cards. Finally, the last protocol we consider for analysis is by Wang et al. This is a recent smart card-based authentication protocol claimed to be immune to the DoS attack. The protocols differ in either their usage of factors (smart cards, memory drives etc.), or their way of communications (usage of encryption, nonces, timestamps etc.). But their similarity lies in their usage of the computationally intensive modular exponentiation as a medium of authentication. We conclude that the strengths of all the protocols, e.g., Yang et al. (usage of nonce, and encryption), or, e.g., Islam (usage of timestamps) can be combined to prevent the clogging attack on the protocols.
Innovations in Systems and Software Engineering
Digital Object Identifier (DOI)
Garrett, Talluri, S. R., & Roy, S. (2015). On vulnerability analysis of several password authentication protocols. Innovations in Systems and Software Engineering, 11(3), 167–176. https://doi.org/10.1007/s11334-015-0250-x