Password authentication scheme is a promising and practical solution to remote user authentication. The security of an authentication scheme using strong graphical passwords basing on hash function was analyzed. The scheme can not resist to stolen-verifier attack. The adversary can pretend to be a server to cheat a legal user to send him authentication message, and then it masquerades as a legal user by creating a valid login message, passes the authentication phase and gains the authority of a legitimate user without knowing user password. An enhanced scheme was proposed in which smart card is used for storing server authentication message. The server and user can authenticate each other. The adversary can personate neither server nor user and can not get useful login message from eavesdropped communication. The enhanced scheme can withstand replay attack, denial-of-service attack, password-guessing attack, forgery attack, password-file compromise attack and inside attack as the former scheme. It can also withstand stolen-verifier attack and smart card loss attack.
Lamport L. Password authentication with insecure communication[J].Communication of ACM.1981, 24:770-772
Tsai Chwei-Shyong,Lee Cheng-Chi, Hwang Min-Shiang.Password authentication schemes-current status and key issues[J].International Journal of Network Security,2006,3(2):101-115
Ku Wei-Chi, Tsaur Maw-Jinn. A remote user authentication scheme using strong graphical passwords 30th Annual IEEE Conference on Local Computer Networks (LCN 2005). Sydney, Australia: IEEE Computer Society, 2005:351-357
Ku W C. A hash-based strong-password authentication scheme without using smart cards[J].ACM Operating System Review.2004, 38(1):29-34
Kim Minho. Cryptanalysis and enhancement of authentication protocols . Corvallis: Philosophy in Electrical and Computer Engineering of Oregon State University, 2006
Chen T H, Lee W B, Horng G. Secure SAS-like password authentication schemes[J].Computer Standards & Interfaces.2004, 27:25-31