Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS'17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.'s scheme. However, we reveal that Wu-Xu's scheme is actually subject to various security flaws, such as offline password guessing attacks and replay attacks. Besides security, user friendliness is another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.'s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS'18, Amin et al. pointed out that most existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques, and thus suggested an improved protocol using only lightweight symmetric-key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric-key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.'s and Wei et al.'s schemes cannot achieve the claimed security goals (including the most crucial goal of "truly two-factor security"). Our results invalidate any use of the scrutinized schemes for cloud computing environments.