In a paper recently published in the ACM Operating Systems Review, Kim, Lee and Yoo [1] describe two ID-based password authentication schemes for logging onto a remote network server using smart cards, passwords and fingerprints. Various claims are made regarding the security of the schemes, but no proof is offered. Here we show how a passive eavesdropper, without access to any smart card, password or fingerprint, and after passively eavesdropping only one legitimate log-on, can subsequently log-on to the server claiming any identity.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1

Hyun-Sung Kim , Sung-Woon Lee , Kee-Young Yoo, ID-based password authentication scheme using smart cards and fingerprints, ACM SIGOPS Operating Systems Review, v.37 n.4, p.32-41, October 2003  [doi>10.1145/958965.958969]