Abstract

In 2000, Peyravian and Zunic proposed an efficient hash-based password authentication scheme that can be easily implemented. Later, Lee, Li, and Hwang demonstrated that Peyravian-Zunic's scheme is vulnerable to an off-line guessing attack, and then proposed an improved version. However, Ku, Chen, and Lee pointed out that their scheme can not resist an off-line guessing attack, a denial-of-service attack, and a stolen-verifier attack. Recently, Yoon, Ryu, and Yoo proposed an improved scheme of Lee-Li-Hwang's scheme. Unfortunately, we find that Yoon-Ryu-Yoo's scheme is still vulnerable to an off-line guessing attack and a stolen-verifier attack. Furthermore, their scheme can not achieve backward secrecy. Herein, we first briefly review Yoon-Ryu-Yoo's scheme and then describe its weaknesses.