Yasir Giani,Li Jianhua,Chen Gongliang,Zahid Mehmood

DOI: https://doi.org/10.1109/compcomm.2016.7925201

2016-01-01

Abstract:In the recent decades, in order to achieve high-degree security many researchers are introducing multifactor authentication schemes replacing by conventional password-based remote authentication schemes. In 2010, Li and Hwang proposed biometric-based authentication scheme using the smart card. Later on, Das pointed out that the scheme is susceptible to denial of services attack and also having low efficiency. Then proposed a new scheme to overcome the weaknesses of prior scheme. In 2012, Younghwa An. substantiate that Das's scheme doesn't provide mutual authentication. In 2014, Cao and Ge pointed that Younghwa's scheme is still vulnerable to replay attack and unable to provide user anonymity, while an adversary can perform the re-registration by intercepting user identity IDx in the login phase. In this paper, we first analyze Cao and Ge's scheme and show that their scheme is still vulnerable to password guessing and traceability attacks.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Qi Jiang,Fushan Wei,Shuai Fu,Jianfeng Ma,Guangsong Li,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s11071-015-2467-5

IF: 5.741

2015-01-01

Nonlinear Dynamics

Abstract:Due to its high level of security, three-factor authentication combining password, smart card and biometrics has received much interest in the past decades. Recently, Islam proposed a dynamic identity-based three-factor authentication scheme using extended chaotic map which attempts to fulfill three-factor security and resist various known attacks, offering many advantages over existing works. However, in this paper we first show that the process of password verification in the login phase is invalid. Besides this defect, it is also vulnerable to user impersonation attack and off-line password guessing attack, under the condition that the smart card is lost or stolen. Furthermore, it fails to preserve biometric template privacy in the case that the password and the smart card are compromised. To remedy these flaws, we propose a robust three-factor authentication scheme, which not only resists various known attacks, but also provides more desired security features. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic. Our scheme provides high security strength as well as low computational cost.

Khaja Mizbahuddin Quadry,A Govardhan,Mohammed Misbahuddin,

DOI: https://doi.org/10.5815/ijcnis.2021.03.04

2021-06-08

International Journal of Computer Network and Information Security

Abstract:With the increase in the number of e-services, there is a sharp increase in online financial transactions these days. These services require a strong authentication scheme to validate the users of these services and allow access to the resources for strong security. Since two-factor authentication ensures the required security strength, various organizations employ biometric-based or Smart Card or Cryptographic Token-based methods to ensure the safety of user accounts. But most of these methods require a verifier table for validating users at a server. This poses a security threat of stolen-verifier attack. To address this issue, there is a strong need for authentication schemes for e-services that do not require a verifier table at the server. Therefore, this paper proposes the design of an authentication scheme for eservices which should be resistant to various attacks including a stolen verifier attack. The paper will also discuss: 1) The proposed scheme analyzed for security provided against the known authentication attacks 2) The concept mplementation of the proposed scheme.

Jianming Cui,Chen Chen,Xiaojun Zhang,Yihui Liu,Ning Cao

DOI: https://doi.org/10.1007/978-3-030-00015-8_60

2018-01-01

Abstract:In this paper, we investigate Chen et al. biometrics-based remote user authentication scheme and find that it cannot validate the correctness of the password, complete the storage and verification of the password, and vulnerable to anonymity attacks, smart card stolen attacks and forgery attacks. To remedy these flaws, we propose an improved three-factor remote authentication scheme based on smart cards. It can implement mutual authentication and generate session keys to effectively improve security in multi-server environments. The proposed scheme can resist smart card attack, anonymity attack, forgery attack and other attacks. In addition, the proposed scheme costs 5Th more compare to Chen et al. work and less computation complexity compared with other schemes.

Hongbin Tang,Xinsong Liu,Yao Li

DOI: https://doi.org/10.1049/cp.2012.2315

2012-01-01

Abstract:A three-factor (password, smart card and biometric) authentication scheme allows a user and a remote server to authenticate each other, and it provides strong authentication. Very recently, Das proposed a three-factor remote authentication scheme. He claimed that their scheme was more secure than Li-Hwang's scheme. However, we demonstrate that his scheme is vulnerable to various attacks. It is not feasible for real-life implementation. We then suggest an improvement. The proposed scheme is proved to be more secure than the previous related works and maintains low computation and communication cost.

Xiong Li,Jianwei Niu,Zhibo Wang,Caisen Chen

DOI: https://doi.org/10.1002/sec.767

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:There are some biometrics-based three-factor remote user authentication schemes proposed by researchers for ensure high security features for network-based application systems. Recently, Das pointed out the security flaws of Li and Hwang's three-factor remote user authentication scheme, and proposed an enhanced biometrics-based three-factor remote user authentication scheme. Das's scheme overcomes the defects of Li and Hwang's scheme, and maintains the advantages of Li and Hwang's scheme at the same time. However, after detailed analysis, we find that Das's scheme remains vulnerable to forgery attack and stolen smart card attack; at the same time, Das's scheme cannot provide the session key agreement after the mutual authentication. To provide more security features, we design a three-factor remote user authentication scheme with key agreement using biometrics. Copyright © 2013 John Wiley & Sons, Ltd.

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2015.02.015

IF: 4.152

2015-01-01

Computers & Electrical Engineering

Abstract:The biometrics, the password and the storage device are the elements of the three-factor authentication. In 2013, Yeh et al. proposed a three-factor user authentication scheme based on elliptic curve cryptography. However, we find that it has weaknesses including useless user identity, ambiguous process, no session key and no mutual authentication. Also, it cannot resist the user forgery attack and the server spoofing attack. Moreover, Khan et al. propose a fingerprint-based remote authentication scheme with mobile devices. Unfortunately it cannot withstand the user impersonation attack and the De-synchronization attack. Furthermore, the user’s identity cannot be anonymous, either. To overcome the disadvantages, we propose a new three-factor remote authentication scheme and give a formal proof with strong forward security. It could provide the user’s privacy and is secure. Compared to some recent three-factor authentication schemes, our scheme is secure and practical.

De-song Wang,Jian-ping Li,Yuan Tang,Fu-long Xu,Yue-hao Yan

DOI: https://doi.org/10.1142/9789812799524_0026

2008-01-01

Abstract:In the recent several years, Lee et al. and Lin-Lai proposed fingerprint-based remote user authentication schemes using smart cards. But their schemes are vulnerable and susceptible to the attack and have practical pitfalls. Their schemes perform only unilateral authentication (only client authentication). In order to overcome the flaw, Khan and Zhang present a strong remote user authentication scheme by using fingerprint-biometric and smart cards. The proposed scheme is an extended and generalized form of ElGamal's signature scheme whose security is based on discrete logarithm problem, which is not yet forged. In addition, computational costs and efficiency of the proposed scheme are better than other related schemes. But as the time lapses, fingerprint of some people will be changed, such as being burned or being wounded. Once such case happened, the user won't be authentication. So we propose the authentication scheme of remote users by using multimodal biometric (fingerprint and face features) and smart cards. Proposed scheme not only overcome drawbacks and problems of previous schemes, but also provide a stronger and more secure authentication of remote users over insecure network.

Ali A. Yassin,Hai Jin,Ayad Ibrahim,Deqing Zou

DOI: https://doi.org/10.1007/978-3-642-33469-6_42

2012-01-01

Abstract:Smart card-based authentication is considered as one of the most excessively used and applied solutions for remote user authentication. In this paper, we display Wang et al.'s scheme and indicate many shortcomings in their scheme. Password guessing, masquerade, Denial-Of-Service (DOS) and insider attacks could be effective. To outfight the drawbacks, we propose a strong, more secure and practical scheme, which is aimed to withstand well-known attacks. In addition, our proposed scheme provides many pivotal merits: more functions for security and effectiveness, mutual authentication, key agreement, freely chosen password, secure password change, and user anonymity. Moreover, our proposed scheme is shown to be secure against replay attack, password guessing attack, DOS attack, insider attack, and impersonate attack. Furthermore, the security analysis of our work gains it to appear in applications with high-security requirements.

Min Wu,Jianhua Chen,Wenxia Zhu,Zhenyang Yuan

DOI: https://doi.org/10.1504/ijesdf.2016.079447

2016-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:The security of authentication scheme, especially multi-factor biometric authentication scheme based on password, smart card, and biometric in wireless communication is an important and significant issue that researchers have been focusing on lately. Most recently, Liling Cao et al. improved a multi-factor biometric authentication scheme which demonstrated that their scheme can resist masquerading attack, user masquerading attack, replay attack, and provide mutual authentication, and so on. In this paper, it is indicated that their scheme is vulnerable to stolen smart card attack, user impersonation attack, server impersonation attack and man-in-the-middle-attack. Then, in order to avoid these attacks, a revised scheme with slight high computation costs but more security than other related schemes is presented.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1109/ISBAST.2013.20

2013-01-01

Abstract:Recently, An pointed out the weaknesses of Das's three-factor remote user authentication scheme, and proposed an improved biometric based three-factor remote user authentication scheme. An's scheme improves the security problems of previous schemes while keeping the efficiency. However, after detailed analysis, we find that An's scheme exists some weaknesses such as vulnerable to denial-of-service (DoS) attack and forgery attack, and does not provide session key agreement. In order to provide high-level of security and more useful functions, we design a new robust biometric based three-factor remote user authentication scheme with key agreement using elliptic curve cryptosystem.

Jian-Zhu Lu,Ting Chen,Jipeng Zhou,Jinjin Yang,Junhui Jiang

DOI: https://doi.org/10.1109/cisp.2013.6743940

2013-01-01

Abstract:Authentication and key exchange are fundamental techniques for enabling secure communication over mobile networks. In order to reduce implementation complexity and achieve computation efficiency, design issues for efficient and secure biometrics-based remote user authentication scheme have been extensively investigated by research community in these years. Recently, two biometrics-based authentication schemes using smart cards are introduced by Li and Hwang and Li et al., respectively. Li and Hwang proposed an efficient biometrics-based remote user authentication scheme using smart card and Li et al. proposed an improvement. The authors of both schemes claimed that their protocols deliver the important security features and system functionalities, such as without synchronized clock, freely changes password, mutual authentication, as well as low computation costs. However, these two schemes still have much space for security enhancement. In this paper, we first demonstrate a series of vulnerabilities on these two schemes. Then, an enhanced scheme with corresponding remedies is proposed to eliminate all identified security flaws in both schemes.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Liling Cao,Wancheng Ge

DOI: https://doi.org/10.1002/sec.1010

IF: 1.968

2014-01-01

Security and Communication Networks

Abstract:In order to enhance the security in wireless communication, authentication schemes come to be more crucial and widely deployed recently, especially those which are referred to as multi-factor biometric authentication that base on password, biometrics, and smart card protections. A new scheme in this way was proposed in 2010 by Li and Hwang. Then Das extended the work of Li et al. and made an improvement of their weak scheme in 2011. However, in 2012, Younghwa An demonstrated that Das's protocol failed to achieve mutual authentication for the server and the user. In this paper, it is described that Younghwa An's scheme cannot withstand the following two attacks. i It is still vulnerable to replay attack, then an adversary can masquerade as the legal server. ii It cannot provide user anonymity and resistance to user masquerading attack, because an adversary can execute the re-registration process by intercepting the IDi in the login phase. Therefore, an improvement to Younghwa An's scheme is presented in this paper. Then, security formal analysis of the modified scheme using the Burrows-Abadi-Needham logic is given, which demonstrates that the modified scheme with slight high computation costs can protect against the several possible attacks. Copyright © 2014 John Wiley & Sons, Ltd.

Mohammad Wazid,Ashok Kumar Das,Saru Kumari,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/sec.1452

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Several remote user authentication techniques for telecare medicine information system (TMIS) have been proposed in the literature. But most existing techniques have limitations such as vulnerable to various attacks, lack of functionalities, and inefficiency. Recently, Amin and Biswas proposed a three-factor authentication and key agreement technique for TMIS. But their scheme is inefficient and has several security drawbacks. The attacks such as privileged-insider, user impersonation, and strong reply attacks are possible on their scheme. It also has flaw in password update phase. In order to overcome drawbacks of their scheme, a new provably secure and efficient three-factor remote user authentication scheme for TMIS is proposed in this paper. The proposed scheme overcomes all drawbacks of their scheme and also provides additional features such as user unlinkability, user anonymity, efficient password, and biometric update. The rigorous informal and formal security analysis using random oracle models and the mostly acceptable Automated Validation of Internet Security Protocols and Applications tool is also performed. During the experimentation, it has been observed that the proposed scheme is secure against various known attacks that include replay and man-in-the-middle attacks. Furthermore, the analysis of computation and communication cost estimation of the proposed scheme depicts that our scheme is efficient as compared with other related exiting schemes. Copyright (c) 2016 John Wiley & Sons, Ltd.

Songsong Zhang,Xiang Li,Yong Xie

DOI: https://doi.org/10.1007/978-3-030-24265-7_51

2019-01-01

Abstract:With the development of Internet technology, a single authentication method for username and passwords can’t satisfy the basic requirements of system security. A multi-server authentication scheme is a useful authentication mechanism in which a remote user can access the services of multiple servers after registering with the registration center (RC). Biometric information is difficult to simulate, therefore biometrics is used for multi-factor authentication. Recently Reedy et al.’s proposed a three-factor authentication scheme. They claimed their schemes can resist all types of attacks. But unfortunately, after analyzing the scheme, we demonstrate their scheme cannot defend against impersonation attack and offline guessing attack. At last, we propose improved fix to overcome its deficiency.

Guomin Yang,Duncan S. Wong,Huaxiong Wang,Xiaotie Deng

DOI: https://doi.org/10.1016/j.jcss.2008.04.002

IF: 1.043

2008-01-01

Journal of Computer and System Sciences

Abstract:One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.