Skip to Main Content
Recently, Yang et al. proposed an improvement of two password authentication schemes based on timestamp and nonce. They claimed that their schemes are secure against different kind of attacks. However, we point out that their schemes are vulnerable and can easily be cryptanalyzed. We demonstrate that their schemes perform unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their schemes are susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Yang et al.'s schemes. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication.
Date of Conference: 28-30 Dec. 2007