XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

ZHOU Xian-cun,XIONG Yan,LIU Ren-jin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.20.021

2012-01-01

Abstract:Analysis indicates that Liaw et al's remote user authentication scheme is vulnerable to replay attack,man-in-the-middle attack,and there are obvious security vulnerabilities in the password changing phase and registration phase.A remote user authentication scheme based on Diffie-Hellman(D-H) key exchange protocol is proposed.Theoretical analysis shows that the scheme can resist impersonation attack,replay attack,man-in-the-middle attack,and it can implement mutual authentication and session key generation securely.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Ding Wang,Chun-guang Ma,De-li Gu,Zhen-shan Cui

DOI: https://doi.org/10.1007/978-3-642-34601-9_35

2012-01-01

Abstract:In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

Hongbin Tang,Xinsong Liu,Yao Li

DOI: https://doi.org/10.1049/cp.2012.2315

2012-01-01

Abstract:A three-factor (password, smart card and biometric) authentication scheme allows a user and a remote server to authenticate each other, and it provides strong authentication. Very recently, Das proposed a three-factor remote authentication scheme. He claimed that their scheme was more secure than Li-Hwang's scheme. However, we demonstrate that his scheme is vulnerable to various attacks. It is not feasible for real-life implementation. We then suggest an improvement. The proposed scheme is proved to be more secure than the previous related works and maintains low computation and communication cost.

Xiong Li,Junguo Liao,Saru Kumari,Wei Liang,Fan Wu,Muhammad Khurram Khan

DOI: https://doi.org/10.1007/s11277-015-2737-z

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:The remote user authentication scheme is an important security technology, which provides authentication service before a user accesses the service provided by the remote server. In this paper, we analyze the security and design flaws of a recently proposed dynamic ID authentication and key agreement scheme by Lin. We find Lin’s scheme is totally cannot be used in real applications because of the following weaknesses: it has some design drawbacks such as it does not have the wrong password detection mechanism and its password change phase is incorrect; the user can login to the server using any wrong identity or password because of the inherent defects in the design of the authentication message; at the same time, Lin’s scheme is vulnerable to the mobile device loss attack and denial of service attack. For security considerations, we propose some principles which should be followed in the design of the user authentication schemes. According to these design principles, we design a new dynamic ID-based user authentication scheme using mobile device. We formally analyze the security features of the proposed scheme using BAN logic, and give the provable security analysis in random oracle model. Besides, we also discuss our scheme can resist other well known attacks. The functionality and performance comparisons shown that the proposed scheme enhances the security features and keeps the efficiency at the same time.

Lili Xu,Fan Wu

DOI: https://doi.org/10.1007/s10916-014-0179-x

Abstract:Nowadays, connected health care applications are used more and more in the world. Service through the applications can save the patients' time and expense, such as telecare medical information system (TMIS) and integrated electronic patient record (EPR) information system. In the applications, preserving patients' privacy, transmitting messages securely and keeping mutual authentication should all be paid attention. Many authentication schemes have been proposed to make a secure communicating environment. Recently Xie et al. showed that Wen's scheme was insecure because it was under the off-line password guessing attack and without user anonymity and forward security. They gave a new three-factor authentication scheme and claimed that it was secure. However, we find that Xie et al's scheme is vulnerable to the De-synchronization attack and the server has too much storage burden in the scheme. Then we present an improved scheme which overcomes the usual weaknesses and keeps ordinary security characters. Compared with recent schemes of the same kind, our scheme is secure and practical.

Dheerendra Mishra,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1309.5255

2013-09-20

Abstract:Remote user authentication is desirable for a Telecare medicine information system (TMIS) to verify the correctness of remote users. In 2013, Jiang et al. proposed privacy preserving authentication scheme for TMIS. Recently, Wu and Xu analyzed Jiang's scheme and identify serious security flaws in their scheme, namely, user impersonation attack, DoS attack and off-line password guessing attack. In this article, we analyze Wu and Xu's scheme and show that their scheme is also vulnerable to off-line password guessing attack and does not protect user anonymity. Moreover, we identify the inefficiency of incorrect input detection of the login phase in Wu and Xu's scheme, where the smart card executes the login session in-spite of wrong input.

Cryptography and Security

Lili Xu,Fan Wu

DOI: https://doi.org/10.1002/sec.977

2015-01-01

Abstract:AbstractRecently, Li proposed an authenticated key exchange AKE scheme based on elliptic curve cryptosystem with smart cards in two versions. We point out that the two versions of Li's scheme are not secure and then we present an improved authentication scheme to overcome general disadvantages. Also, we deem that the notion of forward security is old for modern AKE schemes based on smart cards and enhance it as strong forward security. We prove that our scheme is secure with a formal security model containing the feature of strong forward security. Then, via the concrete security analysis and comparison, our scheme resists common attacks and has general security characters. Compared with other schemes, our scheme has low time, storage, and communication cost. It is suitable for communicating applications in network. Copyright © 2014 John Wiley & Sons, Ltd.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

Jie Gu,Zhi Xue,Yan Zhu,Fangbiao Li

DOI: https://doi.org/10.1049/cp.2012.1864

2012-01-01

Abstract:Mutual authentication is a process or technology in which both entities in a communications link authenticate each other before conducting any business. It is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce and other network application. Recently, Wang et al. proposed an efficient remote authentication scheme using smart cards. They claimed that the scheme can withstand guessing attack, forgery attack, denial of service attack and is easily realized in the practical resource-limited environment. However, we point out that Wang et al.'s scheme suffers from parallel session attack and replay attack. Furthermore, we propose an enhanced remote mutual authentication scheme to eliminate all identified security flaws in the aforementioned scheme.

Hong-bin Tang,Xin-song Liu

DOI: https://doi.org/10.1002/dac.2428

2012-01-01

International Journal of Communication Systems

Abstract:SUMMARYA dynamic user authentication scheme allows a user and a remote server to authenticate each other without leaking the user's identity. In 2011, Wen and Li proposed an improved dynamic ID‐based remote user authentication with key agreement scheme for mobile and home networks. They claimed that their scheme was more secure than the scheme of Wang et al. However, we demonstrate that their scheme is vulnerable to the privileged insider, off‐line password guessing, impersonation, and server spoofing attacks. At the same time, it does not provide any user anonymity and forward secrecy property. Thus, it is not feasible for real‐life implementation.Copyright © 2012 John Wiley & Sons, Ltd.

Debiao He,Jianhua Chen,Wenbo Shi,Muhammad Khurram Khan

DOI: https://doi.org/10.1504/ijesdf.2013.058669

2013-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:Recently, Pippal et al. proposed an authentication scheme for multi-server architecture and claimed that their scheme could withstand various attacks. In this paper, we will analyse the security of Pippal et al.'s scheme. After reviewing their scheme, we find that their scheme cannot withstand the server spoofing attack, the user impersonation attack, the offline password guessing attack and the privileged insider attack. The analysis shows their scheme is not secure for practical applications.

Debiao He,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.1007/s11277-013-1282-x

IF: 2.017

2013-01-01

Wireless Personal Communications

Abstract:Authentication protocols with anonymity attracted wide attention since they could protect users’ privacy in wireless communications. Recently, Hsieh and Leu proposed an anonymous authentication protocol based on elliptic curve Diffie–Hellman problem for wireless access networks and claimed their protocol could provide anonymity. However, by proposing a concrete attack, we point out that their protocol cannot provide user anonymity. To overcome its weakness, we propose an improved protocol. We also provide an analysis of our proposed protocol to prove its superiority, even though its computational cost is slightly higher.

Debiao He,Jianhua Chen,Yitao Chen

DOI: https://doi.org/10.1002/sec.506

2011-01-01

Abstract:The session initiation protocol (SIP) is a powerful signaling protocol that controls communication on the Internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of mobile and ubiquitous computing. In 2009, Tsai proposed an authenticated key agreement scheme as an enhancement to SIP. Very recently, Arshad et al. demonstrated that Tsai's scheme was vulnerable to offline password guessing attack and stolen-verifier attack. They also pointed that Tsai's scheme did not provide known-key secrecy and perfect forward secrecy. In order to overcome the weaknesses, Arshad et al. also proposed an improved mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP and claimed that their scheme can withstand various attacks. In this paper, we do a cryptanalysis of Arshad et al.'s scheme and show that Arshad et al.'s scheme is vulnerable to the password guessing attack.

Hu Xiong,Xiaofeng Wang,Fagen Li

DOI: https://doi.org/10.1587/transfun.e95.a.256

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Recently, Kang et al. discussed some security flaws of Wu et al's and Wei et al.'s authentication schemes that guarantee user anonymity in wireless communications and showed how to overcome the problems regarding anonymity and the forged login messages. However, we will show that Kang et al.'s improved scheme still did not provide user anonymity as they claimed.