Universal Serial Bus (USB) is widely used, for example to facilitate hot-swapping and plug-and-play. However, USB ports can be exploited by an adversary to extract private or personal data from the connected devices. Hence, a number of organizations and workplaces have prohibited their employees from using USB devices, and there have been efforts to design secure USB storage device schemes to more effectively resist different known security attacks. However, designing such schemes is challenging. For example, in this article we revisit the Wei et al.’s scheme, and demonstrate that it is vulnerable to attacks such as password guessing and user impersonation. We also explain that the scheme does not verify the correctness of user’s input in the login phase, which is another design flaw. Then, we present an improved scheme and prove it secure in the random oracle model.

中文翻译：

---

USB 存储设备的可证明安全的两因素身份验证方案

通用串行总线 (USB) 被广泛使用，例如便于热插拔和即插即用。但是，攻击者可以利用 USB 端口从连接的设备中提取私人或个人数据。因此，许多组织和工作场所禁止其员工使用 USB 设备，并且一直在努力设计安全的 USB 存储设备方案，以更有效地抵御各种已知的安全攻击。然而，设计这样的方案是具有挑战性的。例如，在本文中，我们重新审视 Wei 等人的方案，并证明它容易受到密码猜测和用户模拟等攻击。我们还解释了该方案在登录阶段没有验证用户输入的正确性，这是另一个设计缺陷。然后，