Skip to Main Content
In 2003 (ACM Operating Systems Review, Vol.37), Kim, Lee and Yoo proposed an ID-based password authentication scheme for log-on to a remote server using smart card, password and fingerprint. In this paper, we show that the KLY protocol is vulnerable to an active adversary who can extract some information embedded in the smart card by using existing smart cards attack methods. By getting the information and eavesdropping the previous login messages of a legal user, an attacker without any password or fingerprint can successfully forge the legal user to obtain services from the system. In this case, the protocol is not sufficient for systems with high level security requirements.