Vulnerabilities in a remote agent authentication scheme using smart cards

Agent technology is emerging as a new software paradigm in the areas of distributed computing. The use of multiple agents is a common technique in agent-based systems. In distributed agent systems, for secure communication, the communicating agents should authenticate each other by using authentication protocols. A remote agent authentication scheme is a two-party protocol whereby an authentication server in a distributed system confirms the identity of a remote individual logging on to the server over an untrusted, open network. This paper discusses the security of Yoon et al.'s remote agent authentication scheme making use of smart cards. Yoon et al.'s scheme was proposed to solve the security problem with Hwang et al.'s authentication scheme and was claimed to provide mutual authentication between the server and the remote agent. But, unlike the claim, in Yoon et al.'s scheme, if an attacker steals some agent's smart card and extracts the information stored in the smart card, he/she can violate the authentication goal of the scheme without knowing the agent's password. We show this by mounting two attacks, a agent impersonation attack and a sever impersonation attack, on Yoon et al's scheme. In addition, in Yoon et al.'s scheme, if an attacker steals some agent's smart card and extracts the information stored in the smart card and reads U-i's login massage, he/she can violate its fundamental goal of a password security. We show this by mounting a dictionary attack on Yoon et al.'s scheme and also figure out what has gone wrong with the scheme.