Replay and Denial-of-Service Attacks on a New Strong-Password Authentication Scheme

Abstract

Existing one-time password authentication schemes can be categorized into two types, weak-password authentication schemes and strong-password authentication schemes. Generally, the strong-password authentication schemes have the advantages over the weak-password authentication schemes in that their computational overhead are lighter, designs are simpler, and implementations are easier, and therefore are especially suitable for some constrained environments. Recently, Lin, Sun, and Hwang proposed a strong-password authentication scheme, OSPA, which was later found to be vulnerable to a stolen-verifier attack and a man-in-the-middle attack. Later, Lin, Shen, and Hwang proposed an improved version of OSPA and showed that the improved scheme can resist the guessing attack, the replay attack, the impersonation attack, and the stolen-verifier attack. Herein, we show that their scheme is still vulnerable to a replay attack and a denial- of-service attack.