XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Ding Wang,Chun-guang Ma,De-li Gu,Zhen-shan Cui

DOI: https://doi.org/10.1007/978-3-642-34601-9_35

2012-01-01

Abstract:In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Hong-bin Tang,Xin-song Liu

DOI: https://doi.org/10.1002/dac.2428

2012-01-01

International Journal of Communication Systems

Abstract:SUMMARYA dynamic user authentication scheme allows a user and a remote server to authenticate each other without leaking the user's identity. In 2011, Wen and Li proposed an improved dynamic ID‐based remote user authentication with key agreement scheme for mobile and home networks. They claimed that their scheme was more secure than the scheme of Wang et al. However, we demonstrate that their scheme is vulnerable to the privileged insider, off‐line password guessing, impersonation, and server spoofing attacks. At the same time, it does not provide any user anonymity and forward secrecy property. Thus, it is not feasible for real‐life implementation.Copyright © 2012 John Wiley & Sons, Ltd.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Zahid Mehmood,Gongliang Chen,Jianhua Li,Aiiad Albeshri

DOI: https://doi.org/10.3837/tiis.2017.03.027

2017-01-01

Abstract:Recent evolution in the open access internet technology demands that the identifying information of a user must be protected. Authentication is a prerequisite to ensure the protection of user identification. To improve Qu et al.' s scheme for remote user authentication, a recent proposal has been published by Huang et al., which presents a key agreement protocol in combination with ECC. It has been claimed that Huang et al. proposal is more robust and provides improved security. However, in the light of our experiment, it has been observed that Huang et al.' s proposal is breakable in case of user impersonation. Moreover, this paper presents an improved scheme to overcome the limitations of Huang et al.' s scheme. Security of the proposed scheme is evaluated using the well-known random oracle model. In comparison with Huang et al.' s protocol, the proposed scheme is lightweight with improved security.

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Vanga Odelu,Muhammad Khurram Khan

DOI: https://doi.org/10.3837/tiis.2016.09.026

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Widespread use of wireless networks has drawn attention to ascertain confidential communication and proper authentication of an entity before granting access to services over insecure channels. Recently, Truong et al. proposed a modified dynamic ID-based authentication scheme which they claimed to resist smart-card-theft attack. Nevertheless, we find that their scheme is prone to smart-card-theft attack contrary to the author's claim. Besides, anyone can impersonate the user as well as service provider server and can breach the confidentiality of communication by merely eavesdropping the login request and server's reply message from the network. We also notice that the scheme does not impart user anonymity and forward secrecy. Therefore, we present another authentication scheme keeping apart the threats encountered in the design of Truong et al.'s scheme. We also prove the security of the proposed scheme with the help of widespread BAN (Burrows, Abadi and Needham) Logic.

Tianjie Cao,Shi Huang

DOI: https://doi.org/10.1166/sl.2013.2963

2013-01-01

Sensor Letters

Abstract:Authentication with user anonymity could preserve user privacy in security-sensitive applications. Recently, Shin et al. pointed security weaknesses in some anonymous sensor smart card based password authentication schemes and proposed an enhanced scheme. They claimed that the proposed scheme provide desirable security requirements. However, we demonstrates that Shin et al.'s scheme can not provide unlinkability, mutual authentication and perfect forward secrecy. We also indicate that Shin et al.'s scheme is vulnerable to the denial of service attack and stolen sensor smart card attack.

Ding WANG,Wen-Ting LI,Ping WANG

DOI: https://doi.org/10.13328/j.cnki.jos.005361

2018-01-01

Journal of Software

Abstract:The design of secure and efficient user authentication protocols for multi-server environment is becoming a hot research topic in the cryptographic protocol community. Based on the widely accepted adversary model, this paper analyzes three representative, recently proposed user authentication schemes for multi-server environment. The paper reveals that: 1) Wan et al.’s scheme is subject to offline password guessing attack as opposed to the authors’ claim, and it also cannot provide user anonymity and forward secrecy; 2) Amin et al.’s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds o f forward secrecy issues; 3) Reedy et al.’s scheme cannot resist against user impersonation attack and offline password guessing attack, and  基金项目: 国家自然科学基金(61472016); 国家重点研发计划(2016YFB0800603, 2017YFB1200700) Foundation item: National Natural Science Foundation of China (61472016); National Key Research and Development Plan (2016YFB0800603, 2017YFB1200700) 本文由“面向隐私保护的新型技术与密码算法”专题特约编辑黄欣沂教授推荐. 收稿时间: 2017-05-30; 修改时间: 2017-07-13; 采用时间: 2017-08-22; jos 在线出版时间: 2017-10-17 CNKI 网络优先出版: 2017-10-17 13:38:05, http://kns.cnki.net/kcms/detail/11.2560.TP.20171017.1338.008.html 1938 Journal of Software 软件学报 Vol.29, No.7, July 2018 also falls short of user un-traceability. The paper highlights three principles for designing more robust anonymous multi-factor authentication schemes: Public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. It further proposes some amendments for the identified secur ity flaws.

Dheerendra Mishra,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1309.5255

2013-09-20

Abstract:Remote user authentication is desirable for a Telecare medicine information system (TMIS) to verify the correctness of remote users. In 2013, Jiang et al. proposed privacy preserving authentication scheme for TMIS. Recently, Wu and Xu analyzed Jiang's scheme and identify serious security flaws in their scheme, namely, user impersonation attack, DoS attack and off-line password guessing attack. In this article, we analyze Wu and Xu's scheme and show that their scheme is also vulnerable to off-line password guessing attack and does not protect user anonymity. Moreover, we identify the inefficiency of incorrect input detection of the login phase in Wu and Xu's scheme, where the smart card executes the login session in-spite of wrong input.

Cryptography and Security

Xiong Li,Jianwei Niu,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1002/dac.2676

2015-01-01

Abstract:AbstractIn the authentication scheme, it is important to ensure that the user's identity changed dynamically with the different sessions, which can protect the user's privacy information from being tracked. Recently, Chang et al. proposed an untraceable dynamic identity-based remote user authentication scheme with verifiable password update. However, our analysis show that the property of untraceability can easily be broken by the legal user of the system. Besides, we find the scheme of Chang et al. vulnerable to offline password guessing attack, impersonation attack, stolen smart card attack, and insider attack. Copyright © 2013 John Wiley & Sons, Ltd.

ZHU Chang-sheng,LIU Peng-hui,WANG Qing-rong,CAO Lai-cheng

DOI: https://doi.org/10.3724/sp.j.1087.2011.01862

2011-01-01

Journal of Computer Applications

Abstract:How to keep mutual anonymity between two entities is one of the critical issues for Trusted Computation(TC).According to the characteristics of TC,an efficient password-based authenticated key exchange scheme was proposed.Adopting threshold cryptography and fuzzy ID set,the scheme achieved mutual anonymity between user and server sharing ID set.On the premise of secure hashing,the analysis and the proving procedure based on the Random Oracle Model(ROM) show this scheme is secure against dictionary attack and resource-depletion DoS(Denial-of-Service) attack under the computational Diffie-Hellman intractability assumption.This scheme effectively preserves the user's privacy and server's privacy,and compared with other schemes such as VIET et al.'s scheme,it is more efficient.

Xiong Li,Junguo Liao,Saru Kumari,Wei Liang,Fan Wu,Muhammad Khurram Khan

DOI: https://doi.org/10.1007/s11277-015-2737-z

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:The remote user authentication scheme is an important security technology, which provides authentication service before a user accesses the service provided by the remote server. In this paper, we analyze the security and design flaws of a recently proposed dynamic ID authentication and key agreement scheme by Lin. We find Lin’s scheme is totally cannot be used in real applications because of the following weaknesses: it has some design drawbacks such as it does not have the wrong password detection mechanism and its password change phase is incorrect; the user can login to the server using any wrong identity or password because of the inherent defects in the design of the authentication message; at the same time, Lin’s scheme is vulnerable to the mobile device loss attack and denial of service attack. For security considerations, we propose some principles which should be followed in the design of the user authentication schemes. According to these design principles, we design a new dynamic ID-based user authentication scheme using mobile device. We formally analyze the security features of the proposed scheme using BAN logic, and give the provable security analysis in random oracle model. Besides, we also discuss our scheme can resist other well known attacks. The functionality and performance comparisons shown that the proposed scheme enhances the security features and keeps the efficiency at the same time.

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

Hu Xiong,Xiaofeng Wang,Fagen Li

DOI: https://doi.org/10.1587/transfun.e95.a.256

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Recently, Kang et al. discussed some security flaws of Wu et al's and Wei et al.'s authentication schemes that guarantee user anonymity in wireless communications and showed how to overcome the problems regarding anonymity and the forged login messages. However, we will show that Kang et al.'s improved scheme still did not provide user anonymity as they claimed.

Saru Kumari,Muhammad Khurram Khan,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2014.05.007

IF: 4.152

2014-01-01

Computers & Electrical Engineering

Abstract:In distributed systems, user authentication schemes based on password and smart card are widely used to ensure only authorized access to the protected services. Recently, Chang et al. presented an untraceable dynamic-identity-based user authentication scheme with verifiable-password-update. In this research, we illustrate that Chang et al.'s scheme violates the purpose of dynamic-identity contrary to authors' claim. We show that once the smart card of an arbitrary user is lost, passwords of all registered users are at risk. Using information from an arbitrary smart card, an adversary can impersonate any user of the system. In addition, its password change phase has loopholes and is misguiding. The scheme has no provision for session key agreement and the smart card lacks any verification mechanism. Then we come-up with an improved remote user authentication scheme with the session key agreement, and show its robustness over related schemes.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Debiao He,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.1007/s11277-013-1282-x

IF: 2.017

2013-01-01

Wireless Personal Communications

Abstract:Authentication protocols with anonymity attracted wide attention since they could protect users’ privacy in wireless communications. Recently, Hsieh and Leu proposed an anonymous authentication protocol based on elliptic curve Diffie–Hellman problem for wireless access networks and claimed their protocol could provide anonymity. However, by proposing a concrete attack, we point out that their protocol cannot provide user anonymity. To overcome its weakness, we propose an improved protocol. We also provide an analysis of our proposed protocol to prove its superiority, even though its computational cost is slightly higher.