Cryptanalysis of Timestamp-Based Password Authentication Schemes Using Smart Cards

Password authentication is an important mechanism for remote login systems, where only authorized users can be authenticated via using their passwords and/or some similar secrets. In 1999, Yang and Shieh [14] proposed two password authentication schemes using smart cards. Their schemes are not only very efficient, but also allow users to change their passwords freely and the server has no need to maintain a verification table for authenticating users. However, their schemes are later identified to be flawed. To overcome those security flaws, Shen et al. [9] and Yoon et al. [17] proposed further improvements and claimed their new schemes are secure. In this paper, we first point out that Yang et al.’s attack [15] against Shen et al.’s scheme is actually invalid, since we can show that in a real implementation it is extremely difficult to find two hash values such that one is divisible by the other. After that, we show that both of Shen et al.’ scheme and Yoon et al.’s scheme are insecure by identifying several effective impersonation attacks. Those attacks enable an outsider to be successfully authenticated and then enjoy the resources and/or services provided by the server.