CRITICAL ANALYSIS ON LAMPORT’S

AUTHENTICATION ALGORITHM
Ganesh Kumar Muthiah
Middlesex University, London, UK.
GM489@mdx.ac.uk
30th June 2008

ABSTRACT: “Digitalized signatures and public

Authentication is the main issue in key
communication between the users
in internet. There are many ways functions as intractable as
to initiate a secure communication factorization” [2], in his paper
and many algorithms to provide called “password authentication
authentication one such technique with insecure communication” [1]
to authenticate user is by Dr.Lamport implied a technique
password, but there is also many such as ‘one way hashing’[1]. In
flaws and drawback in this paper I would like to criticize
authentication using password. Dr. and bring out the possible flaws
Leslie Lamport gave a solution for with Lamport’s technique in
some of the drawback in Michael password authentication and give
o. Rabin’s paper named possible solution to make it more
reliable algorithm for making
secure authentication.
Key words: Authentication, hashing, eaves dropping, small ‘n’ attack,
mutual SSL, salt, picture password, one way authentication

INTRODUCTION: stealing and eavesdropping. The

The major issue in online
communication is password
authentication. When ever the user
needs to sign in to a network or
communicate with the end user he
is need to be authenticated. There
are many ways to authenticate the
end side, one such way is been told
in Dr.Lamport’s paper, [1] he
introduced a new method to over
come the problem of password file
technique he used to eliminate the
password theft from the database
and eaves dropping by one way
hashing function. Let us see how
this method works and will see any
drawbacks and improvements that
could be made.
THEORY:
 OVERVIEW OF
LAMPORT’S
TECHNIQUES:
According to Dr.
Lamport’s solution for avoiding
the password theft which is stored
in the system is to store the
password in encrypted format i.e.
in general when a user need to start
the communication with end
system he has to send a password
or a value to the server then the
server checks the value in its
database which is in plain text, if
the value is equal then the server
establish the service but the Dr.
Lamport suggested, the server to
save the user’s password as
encrypted value in the database,
even if an intruder compromise the
system or server he will not be
able to get the plain text password
stored in the system. But if the
attacker is listening to the victim’s
packet he can easily sniff the
password and claims the server as
an original user. To avoid this
problem of eaves dropping the
user’s packet, he suggested another
method by using sequence of
password hashing or chain hashing
[1].
In this technique when the
user needs to communicate with
the end system he gives his
username and password in the
browser and the browser send this
data to the server, now the server
sends the username to the end user.
End user will reply back with the
‘n’ value, this ‘n’ value is been pre
agreed by the both user and this
value will be stored in the database
of both users and server. Now the
initiator will compute the hash n-1
(password) and reply back to the
server which answers the value of
‘n’. “The server calculates hash
(hash n-1 (password)) = hash n
(password). If this value matches
the one on file, then the login is
successful. The server replaces
hash n (password) with hash n-1
(password) and decrements ‘n’.”
[3].
FLAWS &
IMPROVEMENT ON
LAMPORT’S
TECHNIQUES:
There are several flaws in this
technique let us see the first flaw
now. The value of ‘n’ should not
be higher value if so it will be
difficult to re hash the function and
also the value should not be lesser,
if its lesser they have to be reset
very often. To make this technique
safer from dictionary attack we can
add a value called salt along with
the ‘n’. Salt is a unique number
that is chosen by the user during
the password installation on the
server, now even if the value of
‘n’=1 the user doesn’t need to reset
the password he/she just need to
change the salt value [3].
The next flaw is there is no
mutual authentication. The user
will think that he is
communicating with the server but
actually an intruder would have
been in the middle of the channel.
I.e. man in the middle attack [4].
To avoid this attack we should
have a strong mutual
authentication between the users.
This can be done by implementing
mutual SSL [5]. Mutual SSL is
done by mutual authentication
process which is similar to SSL
with more authentication and also
non repudiation. We can also
increase the mutual authentication
by digital signature or by getting
their key from key distribution
centre (KDC). [6]
The other flaw is small ‘n’
attack. Small ‘n’ attack is similar
to man in the middle attack [4].
When the user A sends the
password and username to server,
the server will send the username
FUTURE DEVELOPMENT
If the password is going to be
text or number it is easy to sniff
and we need all these encryption
technique to safe guard the
password, so what I suggest here is
to use picture password where it is
very difficult to crack the
password and it is very easy for the
user to remember the password
than the text.[8] The future cyber
world will be avoiding using
textual and numeric password. By
using this picture password we can
avoid dictionary attack and many
to the user B, now the user B will
send the ‘n’ to the server back, but
in this attack the intruder will
receive the value ‘n’ and replace
the value with ‘m’ which is his
own value and forwards it to the
user A. User A will hash the
function {hash(m-1)
(password)}and sends back to the
intruder and he will be able to
calculate the { hash m (password)}
only if value of ‘m’ is lesser than
‘n’[3]. This attack can be over
come by the user by just
remembering the value of the ‘n’
and salt that the user have used
before for authentication, but to
make it more secure from the
attackers I suggest to implement
IPSec based VPN or SSL based
VPN between the users to avoid
small ’n’ attack or man in the
middle attack.
more. If this picture password is
been implemented in internet or
online communication then there
will not be much problem with
authentication and all these
authentication protocols will go
worthless.
CONCLUTION:
In this paper I critically
reviewed about the Dr. Lamport’s
authentication method and I pin
pointed the flaws in those method
and I gave the various solutions
such as using mutual SSL, KDC
for mutual authentication and for
avoiding small‘n’attack I [8] “Picture this: A password you
suggested to secure the channel by
using IPSec VPN or SSL VPN. As
a further work I also suggested to
implement the picture password
instead of textual password which
may keep an end to these flaws in
the user authentication.
REFERENCE:
never forget” by Alex salkever on
May 15, 2001 e - journals in
www.businessweek.com.
[9] “Scientists draw new technology to
improve password protection” News
link 24 October 2007 in
http://www.ncl.ac.uk/press.office/newsli
nk/?ref=1193216061.

[1] “Password Authentication with

Insecure Communication”,
Communications of the ACM, vol.
24(11), 1981, p. 770-772 by Dr. Leslie
Lamport

[2] “My writing” by Dr.Leslie

Lamport Content 35, May 2008.
http://research.microsoft.com/users/lamp
ort/pubs/pubs.html#dig-sig

[3] “CEON 350” by Thomas

Schwarz,S.j., OEN,SCU
http://www.cse.scu.edu/~tschwarz/coen3
50/lamportHash.html

[4] “Hacking Exposed: Network

Security Secrets & Solutions - Page
368” by Stuart Mc Clure, Joel Scambary
George Kurtz 2005.

[5] “Mutual Authentication”

http://en.wikipedia.org/wiki/Mutual_aut
hentication.

[6] “RFC 3634 KDC” ftp://ftp.rfc-

editor.org/in-notes/rfc3634.txt.

[7] White paper “Access Anywhere

System 2003-04”
http://www.ncl.ac.uk/press.office/newsli
nk/?ref=1193216061.
 COURSE WORK

CCM4330
NETWORK SECURITY: STANDARDS, PROTOCOLS AND
APPLICATION

MIDDLESEX UNIVERSITY
HENDON
2008

MODULE LEADER

Dr A. LASEBAE
SCHOOL OF COMPUTING SCIENCE

TOPIC:

CRITICAL ANALYSIS OF LAMPORT’S AUTHENTICATION

ALGORITHM

DONE BY
GANESH KUMAR MUTHIAH
GM489@MDX.AC.UK
M00193665