Remote user authentication schemes that combine biometrics with smart cards are increasingly common. In 2003 (ACM Operating Systems Review, Vol. 37), Kim, Lee and Yoo (KLY) [1] proposed a fingerprint-based, ID-based password authentication scheme for logging on to a remote server with a smart card, a password and a fingerprint. Nevertheless, the scheme still has security weaknesses: it cannot resist a data compromise attack or a replay attack. In this paper we analyse the KLY scheme and show that it is vulnerable to an active adversary who can extract some of the information stored in the smart card using existing smart-card attack methods. Having obtained that information and eavesdropped on a legitimate user's previous login messages, an attacker who knows neither the password nor the fingerprint can impersonate the legitimate user and obtain services from the system. The scheme is therefore insufficient for systems with high security requirements. We present a cryptanalysis of the KLY scheme and give a data compromise attack algorithm and a replay attack algorithm. We also hope that this work will help improve the security of remote user authentication.