Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

彭志宇,李善平,杨朝晖,林欣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2010.05.011

2010-01-01

Abstract:An anonymous authorization mechanism was proposed to protect the user's privacy in the process of authorization in trust management. User requested for services using their real identification in most of the classic trust-management language system, which potentially leaded to the privacy leaking. Through dynamically searching for the delegation roles which take over the request, the anonymous authorization mechanism retained the right behavior of credential chain discovery and achieved a quantitative way of anonymity against the resource provider. Results showed that the anonymous mechanism shared the same worst-case time complexity with the traditional forward credential-chain-searching method. A method of caching all the members in the nodes was proposed to improve the performance in time spending. Simulation results showed that the performance in time spending greatly improved in the relative stable systems, in which the credentials change slowly.

Jinguang Han,Liqun Chen,Steve Schneider,Helen Treharne,Stephan Wesemeyer

DOI: https://doi.org/10.48550/arXiv.1804.07201

2018-04-19

Abstract:Anonymous Single-Sign-On authentication schemes have been proposed to allow users to access a service protected by a verifier without revealing their identity which has become more important due to the introduction of strong privacy regulations. In this paper we describe a new approach whereby anonymous authentication to different verifiers is achieved via authorisation tags and pseudonyms. The particular innovation of our scheme is authentication can only occur between a user and its designated verifier for a service, and the verification cannot be performed by any other verifier. The benefit of this authentication approach is that it prevents information leakage of a user's service access information, even if the verifiers for these services collude which each other. Our scheme also supports a trusted third party who is authorised to de-anonymise the user and reveal her whole services access information if required. Furthermore, our scheme is lightweight because it does not rely on attribute or policy-based signature schemes to enable access to multiple services. The scheme's security model is given together with a security proof, an implementation and a performance evaluation.

Cryptography and Security

Run-hua Shi,Hong Zhong,Liu-sheng Huang

DOI: https://doi.org/10.1002/ett.2606

IF: 3.6

2014-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:In this paper, we present a novel anonymous authentication scheme without employing any symmetric or asymmetric cryptosystem. The security of our scheme is guaranteed by the basic theories for solving linear equations, which can ensure it is unconditionally secure. The proposed scheme is adaptable for resource-constrained devices or wireless networks well, because it only needs to perform several scalar multiplications instead of complex cryptographic operations and takes only one round of message exchange (challenge-response) between the verification centre and the legal user. Copyright (c) 2012 John Wiley & Sons, Ltd.

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Vanga Odelu,Muhammad Khurram Khan

DOI: https://doi.org/10.3837/tiis.2016.09.026

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Widespread use of wireless networks has drawn attention to ascertain confidential communication and proper authentication of an entity before granting access to services over insecure channels. Recently, Truong et al. proposed a modified dynamic ID-based authentication scheme which they claimed to resist smart-card-theft attack. Nevertheless, we find that their scheme is prone to smart-card-theft attack contrary to the author's claim. Besides, anyone can impersonate the user as well as service provider server and can breach the confidentiality of communication by merely eavesdropping the login request and server's reply message from the network. We also notice that the scheme does not impart user anonymity and forward secrecy. Therefore, we present another authentication scheme keeping apart the threats encountered in the design of Truong et al.'s scheme. We also prove the security of the proposed scheme with the help of widespread BAN (Burrows, Abadi and Needham) Logic.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

Song Luo,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/nswctc.2009.287

2009-01-01

Abstract:Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. One-time password authentication which uses dynamic password helps to enhance the security of password. In this paper, we suggest a new one-time password scheme using the smart card based on the bilinear pairings. By generating temporary identity, our scheme can provide anonymity in authentication process to protect the user's privacy. Based on the Computational Diffie-Hellman Problem, we show that the proposed scheme is secure against forgery attack and ID attack under the random oracle model.

Mengxia Shuai,Nenghai Yu,Hongxia Wang,Ling Xiong

DOI: https://doi.org/10.1016/j.cose.2019.06.002

IF: 5.105

2019-01-01

Computers & Security

Abstract:Smart home is an emerging paradigm of the Internet of Things (IoT), which facilitates an individual to operate the smart home appliances remotely through the internet. Since the user and the smart devices communicate over insecure communication channels, the transmitted sensitive data collected by the smart devices may be intercepted and altered easily by a malicious adversary. Therefore, there is a great need to design an effective and anonymous authentication scheme to guarantee secure communications in smart home environment. In the past decade, extensive research has been carried out on this security issue, but most of them are not secure. As a step towards this direction, in this paper, we propose an efficient and anonymous authentication scheme for smart home environment using Elliptic Curve Cryptography (ECC). The proposed scheme avoids keeping the verification table for authentication purposes. In addition, random number method is adopted to resist replay attack, and it can avoid the clock synchronization problem. The rigorous formal proof and heuristic analysis show that the proposed scheme provides the desired security features and resists against all the possible attacks. Compared with the most representative related schemes, the proposed scheme achieves a delicate balance between security and efficiency, and it is more suitable for realistic environments.

Xiangxi Li,Yu Zhang,Yuxin Deng

DOI: https://doi.org/10.1007/978-3-642-10433-6_14

2009-01-01

Abstract:Anonymous credentials are widely used to certify properties of a credential owner or to support the owner to demand valuable services, while hiding the user's identity at the same time. A credential system (a.k.a. pseudonym system) usually consists of multiple interactive procedures between users and organizations, including generating pseudonyms, issuing credentials and verifying credentials, which are required to meet various security properties. We propose a general symbolic model (based on the applied pi calculus) for anonymous credential systems and give formal definitions of a few important security properties, including pseudonym and credential unforgeability, credential safety, pseudonym untraceability. We specialize the general formalization and apply it to the verification of a concrete anonymous credential system proposed by Camenisch and Lysyanskaya. The analysis is done automatically with the tool ProVerif and several security properties have been verified.

CAO Xue-fei,ZENG Xing-wen,KOU Wei-dong,YU Yong

DOI: https://doi.org/10.3969/j.issn.1001-2400.2007.06.006

2007-01-01

Journal of Xidian University

Abstract:Firstly,an ID-based signature scheme is proposed based on pairings.The bilinearity and non-degeneration of pairings are explored to make the verification result of the signature vary only with the identity of the signer.Then an anonymous authentication scheme is proposed based on the signature scheme.During the authentication,a user chooses a pseudonym by him/herself;then server computes the user's account index from the pseudonym in order to identify and authenticate the user.With our scheme,users are able to travel incognito and to change their passwords at will.Furthermore,there is no need for server to maintain a table of users' passwords or pseudonyms.To the best of our knowledge,the proposed scheme realizes for the first time both user anonymity and authentication security requirements over the insecure channel.

Bin Lian,Gongliang Chen,Lang Wang,Jialin Cui,Ping Yu,Dake He

DOI: https://doi.org/10.1016/j.ins.2019.12.014

IF: 8.1

2019-01-01

Information Sciences

Abstract:Cloning user's identity is always a thorny problem for an information system, especially for an anonymous system. With the development of big data applications, clone behaviors sometimes even become attacks on these systems. But until now, there has been no very satisfactory anti-clone scheme in the anonymous system. After analyzing the problems in existing anti-clone schemes, without any assumptions about physical security, we provide a practical solution to the clone problem in anonymous authentication system. In our scheme, the authentication is not only related to user's private key, but also related to user's current state, which is constantly updated by the system. Therefore, the authentication trajectories of user and clone will inevitably overlap, and it results in information leakage so as to indentify clone behaviors and revoke clone user's credential. Meanwhile, we prove that honest users are truly anonymous and their login behaviors are unlinkable with complete security proofs. According to the analysis of the system function and the system efficiency, our scheme is much more efficient and has the best anti-clone properties comparing with the existing schemes.

Suyun Borjigin

2024-05-31

Abstract:Credential theft and remote attacks are the most serious threats to user authentication mechanisms. The crux of these problems is that we cannot control such behaviors. However, if a password does not contain user secrets, stealing it is useless. If unauthorized inputs are invalidated, remote attacks can be disabled. Thus, credential secrets and account input fields can be controlled. Rather than encrypting passwords, we design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. Subsequently, the authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks. Thus, the usability-security tradeoff and password reuse issues are resolved; local authentication password storage is no longer necessary. More importantly, the password converter acts as an open hashing algorithm, meaning that its intermediate elements can be used to define a truly unique identity for the login process to implement a novel dual-identity authentication scheme. In particular, the system-managed elements are concealed, inaccessible, and independent of any personal information and therefore can be used to define a perfect unforgeable process identifier to identify unauthorized inputs.

Cryptography and Security,Emerging Technologies,Systems and Control

Yong Woon Hwang,Taehoon Kim,Daehee Seo,Im-Yeong Lee

DOI: https://doi.org/10.1080/09540091.2023.2287979

2024-01-10

Connection Science

Abstract:In order to provide the reliability of transmitted data in the era of big data, it is necessary to communicate by applying signature technology to data. There are various signature schemes, among which attribute-based signatures perform signatures based on user attributes. This ensures signer anonymity by allowing users to create and verify signatures without exposing the signer's sensitive information. However, the verifier can verify normally if the attribute period expires and a user without signing authority creates and transmits a signature with the existing signing key and attributes. In addition, signers who abuse anonymity can disclose their signing keys and attributes for some purpose (Money, profit) because there is no risk of being caught. Unauthorized users can use public information to sign and send messages. Therefore, in this paper, we propose a Traceable Attribute-based Signature scheme provided with anonymous credentials. The proposed scheme has the feature of verifying the validity of the signer by using the pseudonym ID included in the user list in the cloud server. In addition, the signer's identity is expressed as an Oblivious Transfer-based pseudonym ID. The signer's identity can be verified through tracing in case of a problem.

computer science, artificial intelligence, theory & methods

Junghyun Nam,Kim-Kwang Raymond Choo,Sangchul Han,Moonseong Kim,Juryon Paik,Dongho Won

DOI: https://doi.org/10.1371/journal.pone.0116709

2015-09-23

Abstract:A smart-card-based user authentication scheme for wireless sensor networks (hereafter referred to as a SCA-WSN scheme) is designed to ensure that only users who possess both a smart card and the corresponding password are allowed to gain access to sensor data and their transmissions. Despite many research efforts in recent years, it remains a challenging task to design an efficient SCA-WSN scheme that achieves user anonymity. The majority of published SCA-WSN schemes use only lightweight cryptographic techniques (rather than public-key cryptographic techniques) for the sake of efficiency, and have been demonstrated to suffer from the inability to provide user anonymity. Some schemes employ elliptic curve cryptography for better security but require sensors with strict resource constraints to perform computationally expensive scalar-point multiplications; despite the increased computational requirements, these schemes do not provide user anonymity. In this paper, we present a new SCA-WSN scheme that not only achieves user anonymity but also is efficient in terms of the computation loads for sensors. Our scheme employs elliptic curve cryptography but restricts its use only to anonymous user-to-gateway authentication, thereby allowing sensors to perform only lightweight cryptographic operations. Our scheme also enjoys provable security in a formal model extended from the widely accepted Bellare-Pointcheval-Rogaway (2000) model to capture the user anonymity property and various SCA-WSN specific attacks (e.g., stolen smart card attacks, node capture attacks, privileged insider attacks, and stolen verifier attacks).

Cryptography and Security

Xiong Li,Jianwei Niu,Marimuthu Karuppiah,Saru Kumari,Fan Wu

DOI: https://doi.org/10.1007/s10916-016-0629-8

IF: 4.92

2016-01-01

Journal of Medical Systems

Abstract:Benefited from the development of network and communication technologies, E-health care systems and telemedicine have got the fast development. By using the E-health care systems, patient can enjoy the remote medical service provided by the medical server. Medical data are important privacy information for patient, so it is an important issue to ensure the secure of transmitted medical data through public network. Authentication scheme can thwart unauthorized users from accessing services via insecure network environments, so user authentication with privacy protection is an important mechanism for the security of E-health care systems. Recently, based on three factors (password, biometric and smart card), an user authentication scheme for E-health care systems was been proposed by Amin et al., and they claimed that their scheme can withstand most of common attacks. Unfortunate, we find that their scheme cannot achieve the untraceability feature of the patient. Besides, their scheme lacks a password check mechanism such that it is inefficient to find the unauthorized login by the mistake of input a wrong password. Due to the same reason, their scheme is vulnerable to Denial of Service (DoS) attack if the patient updates the password mistakenly by using a wrong password. In order improve the security level of authentication scheme for E-health care application, a robust user authentication scheme with privacy protection is proposed for E-health care systems. Then, security prove of our scheme are analysed. Security and performance analyses show that our scheme is more powerful and secure for E-health care systems when compared with other related schemes.

Rakshitha S M,Shravana,Riya Biswas,Sushmita Shetty

DOI: https://doi.org/10.48175/ijarsct-2866

2022-03-21

Abstract:The Internet of Things (IoT) connects many of the world's home appliances, from intelligent thermostats to intelligent cars. We had 9 billion connected things by the end of 2015. According to Gartner, the total number of networked devices will approach 50 billion by 2020. The majority of linked devices in the existing network use outdated security technology and encryption, and many do not allow for remote device updates. Given the vast number of IoT devices available, ranging from off-the-shelf motion monitoring to machine tools, it is impossible to determine which functions are associated with any given service or product. In a nutshell, this is the issue: you can't trust the device's security and integrity. K-times anonymous authentication (k-TAA) is an important access control approach used in ecoupon and e-bill. It allows a user to authenticate himself anonymously to a distant server a set number of times. However, most known k-TAA techniques need a lot of processing, which makes them difficult to use on devices with low resources. In 2018, Tian and colleagues published Tian et al presented a remote user authentication system that protects users' privacy. Considering untraceability of k-times In contrast to the typical k-TAA,Tian et almethod .'s is better suited to mobile devices.as a result of avoiding costly pairing operations They're also claim that their system ensures user trust and authenticity. Untraceability k times Unfortunately, we are unable to do so in this paper Analyzing their scheme reveals that it is insecure. Their Neither scheme can stop a rogue user from sending information neither the authentication.

Xiong Li,Maged Hamada Ibrahim,Saru Kumari,Rahul Kumar

DOI: https://doi.org/10.1007/s11235-017-0340-1

2017-01-01

Abstract:The mobility and openness of wireless communication technologies make Mobile Healthcare Systems (mHealth) potentially exposed to a number of potential attacks, which significantly undermines their utility and impedes their widespread deployment. Attackers and criminals, even without knowing the context of the transmitted data, with simple eavesdropping on the wireless links, may benefit a lot from linking activities to the identities of patient's sensors and medical staff members. These vulnerabilities apply to all tiers of the mHealth system. A new anonymous mutual authentication scheme for three-tier mobile healthcare systems with wearable sensors is proposed in this paper. Our scheme consists of three protocols: Protocol-1 allows the anonymous authentication nodes (mobile users and controller nodes) and the HSP medical server in the third tier, while Protocol-2 realizes the anonymous authentication between mobile users and controller nodes in the second tier, and Protocol-3 achieves the anonymous authentication between controller nodes and the wearable body sensors in the first tier. In the design of our protocols, the variation in the resource constraints of the different nodes in the mHealth system are taken into consideration so that our protocols make a better trade-off among security, efficiency and practicality. The security of our protocols are analyzed through rigorous formal proofs using BAN logic tool and informal discussions of security features, possible attacks and countermeasures. Besides, the efficiency of our protocols are concretely evaluated and compared with related schemes. The comparisons show that our scheme outperforms the previous schemes and provides more complete and integrated anonymous authentication services. Finally, the security of our protocols are evaluated by using the Automated Validation of Internet Security Protocols and Applications and the SPAN animator software. The simulation results show that our scheme is secure and satisfy all the specified privacy and authentication goals.

Marimuthu Karuppiah,Saru Kumari,Ashok Kumar Das,Xiong Li,Fan Wu,Sayantani Basu

DOI: https://doi.org/10.1002/sec.1598

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Ubiquitous networks provide effective roaming services for mobile users (MUs). Through the worldwide roaming technology, authorized MUs can avail ubiquitous network services. Important security issues to be considered in ubiquitous networks are authentication of roaming MUs and protection of privacy of MUs. However, because of the broadcast nature of wireless channel and resource limitations of terminals, providing efficient user authentication with privacy preservation is a challenging task. Very recently, Farash et al. proposed an authentication scheme with anonymity for consumer roaming in ubiquitous networks and claimed their scheme achieves all security requirements. In this paper, we show that the scheme of Farash et al. fails to achieve user anonymity and mutual authentication. Their scheme also fails to provide local password verification, and it has a faulty password change phase. Moreover, their scheme is vulnerable to replay, offline password guessing, and forgery attacks. To fix the security flaws of the scheme of Farash et al., we present an improved authentication scheme for accessing roaming service provided by ubiquitous networks. We then formally verify the security properties of our scheme by the widely-accepted push-button tool called Automated Validation of Internet Security Protocols and Applications. Security and performance analyses show that our scheme is more powerful, efficient, and secure when it is compared with existing schemes. Copyright (C) 2016 John Wiley & Sons, Ltd.

Ding Wang,Debiao He,Ping Wang,Chao-Hsien Chu

DOI: https://doi.org/10.1109/tdsc.2014.2355850

2015-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Despite two decades of intensive research, it remains a challenge to design a practical anonymous two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to smart card loss attack) and desirable attributes (e.g., local password update). Numerous solutions have been proposed, yet most of them are shortly found either unable to satisfy some critical security requirements or short of a few important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new proposal (but no one has succeeded so far), while paying little attention to the fundamental question: whether or not there are inherent limitations that prevent us from designing an “ideal” scheme that satisfies all the desirable goals? In this work, we aim to provide a definite answer to this question. We first revisit two foremost proposals, i.e. Tsai et al.'s scheme and Li's scheme, revealing some subtleties and challenges in designing such schemes. Then, we systematically explore the inherent conflicts and unavoidable trade-offs among the design criteria. Our results indicate that, under the current widely accepted adversarial model, certain goals are beyond attainment. This also suggests a negative answer to the open problem left by Huang et al. in 2014. To the best of knowledge, the present study makes the first step towards understanding the underlying evaluation metric for anonymous two-factor authentication, which we believe will facilitate better design of anonymous two-factor protocols that offer acceptable trade-offs among usability, security and privacy.