Chen ZHANG,Xiao-liang GAO

DOI: https://doi.org/10.3969/j.issn.1001-506X.2015.10.16

2015-01-01

Abstract:Kerberos authentication is one of the information security technologies for the cloud computing security.The formal verification of the Kerberos protocol helps to discover and avoid the protocol design flaws and attacks.An automatic tool named SPEAR Ⅱ for modeling and analyzing security protocols is used to ana-lyze the security of the Kerberos protocol.Firstly,three attack scenarios such as eavesdropping,replay and tampering are designed and characteristics of communication partners in each scenario are researched.Then, several hypothesizes are proposed,which are used as the input of a Prolog based analyzer in SPEAR Ⅱ to reason the working of the Kerberos protocol.The results show that the Kerberos protocol can keep the key safety be-tween legal communication partners in the eavesdropping and replay attack scenarios,but the attacker can use a fake key to communicate with a legal user in the tampering attack scenario.

Zhou QingLei,Wang Feng,Zhao DongMing

DOI: https://doi.org/10.3969/j.issn.1008-0570.2007.21.021

2007-01-01

Abstract:The basic notion and theorems of strand spaces model are introduced.It is the first time to prove the modified version of NSSK protocol with strand space theory from the aspects of both confidentiality and authentication.The analysis proved the correct-ness of the modified NSSK protocol.

刘东喜,白英彩

2002-01-01

Journal of Software

Abstract:Strand space is a new model for the analysis of security protocols. In this paper, a systematic study is made on how to prove the existence of vulnerabilities in authentication protocols based on the Strand space. During the proof procedure, the authentication property is proved by using the goal-refined method. Moreover, by introducing type-check mechanism into this model, the proof procedure is simplified significantly. In addition, this method is also applied to authentication protocols involved three principals. At last, the same results are got as the relevant literatures.

JIANG Rui,LI Jian-hua,PAN Li

DOI: https://doi.org/10.3321/j.issn:1006-2467.2006.05.019

2006-01-01

Abstract:The 3GPP(Third Generation Partnership Project) authentication and key agreement(AKA) was formally analyzed with the strand space model and authentication tests.It was pointed out that the 3GPP AKA has two security shortages on secrecy and authentication when applied in the insecure chanoel,and two attacks were given.Then,an improved 3GPP authentication and key agreement was proposed to overcome the two security shortages.Finally,the improved protocol was formally analyzed with the strand space model and the authentication tests,and was proven to ensure the secrecy,the mutual authentication between the mobile subscriber and the visiting network, and the recency of the cipher key and integrity key in the insecure channel.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

LU Chao,ZHOU Hao,CHEN Bo,ZHAO Bao-hua

DOI: https://doi.org/10.3969/j.issn.0253-2778.2007.12.015

2007-01-01

Journal of University of Science and Technology of China

Abstract:Kao and Chow proposed an efficient and secure cryptographic protocol called Kao Chow protocol.They used BAN to prove its authenticity property.However,they didn't prove its secrecy and agreement on new session keys.Due to BAN's limitations,it can not be used to analyze cryptographic protocol's secrecy property.Thus a strand space model is given on the basis of which,a rigorous proof of its secrecy and agreement on new session keys as well as its authenticity property is obtained.

DU Jin-hui,HU Ming-zeng,ZHANG Zhao-xin

2008-01-01

Abstract:Verification and analyzing the authentication protocol with formal method has become international researcher’s new focus. This paper researches on Needham-Schroeder authentication protocol based on BAN logic. It points out the flaw of the protocol that can be used by replay attack and improves the protocol by adding nonce in the transferred message. Finally,this paper proves the correctness of the improved protocol with BAN logic.

Yuesheng Zhu,Limin Ma,Jinjiang Zhang

DOI: https://doi.org/10.1002/sec.1066

IF: 1.968

2014-01-01

Security and Communication Networks

Abstract:As one of the most important trusted third-party-based authentication protocols, Kerberos is widely used to provide authentication service in distributed networks. However, it is vulnerable to common brute force password-guessing attacks because of its password-based mechanism. Some enhanced Kerberos protocols based on public key cryptography were proposed as solutions, but they require excessive computation and communication resources. In this paper, a new enhanced Kerberos protocol with non-interactive zero-knowledge proof is proposed, in which the clients and the authentication server can mutually authenticate each other without revealing any information during the authentication process. Our security analysis and experimental results have shown that the proposed scheme can resist password-guessing attacks and is more convenient and efficient than previous schemes. Copyright (C) 2014 John Wiley & Sons, Ltd.

Yuanyuan Zhang,Jianhua Chen,Baojun Huang

DOI: https://doi.org/10.1002/dac.2612

2014-01-01

International Journal of Communication Systems

Abstract:SUMMARYRecently, Chang et al. proposed an authentication and key agreement protocol for satellite communications, and they claimed that their scheme could withstand various attacks. However, in this paper, we will show that their scheme is vulnerable to the denial of service attack and the impersonation attack. Moreover, we also point out that the adversary could compute the session key through the intercepted message. The analysis shows the scheme of Chang et al. is not secure for practical applications. Copyright © 2013 John Wiley & Sons, Ltd.

Weiwei Zhao,Aixin Zhang,Jianhua Li,Xinghua Wu,Yuchen Liu

DOI: https://doi.org/10.1109/milcom.2016.7795299

2016-01-01

Abstract:With the development of mobile communication technology, space information network plays an essential role in meeting the increasing demands of mobile communications. As a basic and powerful security mechanism, authentication protocol provides primary protection. In 2012, Zheng et al. proposed an efficient four-phase authentication scheme for space information network. But we observed that it is vulnerable to various attacks, such as the identity spoofing attack, malicious service request attack and denial of service attack. In this paper, we analyze the protocol in detail. Then an improved authentication scheme based on the self-renewal and timeout retransmission mechanism of user's temporary identity is proposed. The formal verification with SVO logic proves that the proposed authentication protocol is secure.

孙海波,林东岱,黄寄洪

DOI: https://doi.org/10.3321/j.issn:1000-8608.2003.z1.002

2003-01-01

Abstract:With the popularization and development of network communication and especially the increasing requirement of secure protocol, because of the diversification of secure requirements and various attack techniques, people made higher request for the efficiency and the veracity of network protocol's formalization analyses. The previously available tools severely suffer from the state space explosion, which makes the analyses of massive complicated protocol difficult. Strand space theories supplies the method to avoid the state space explosion problem and improves the efficiency of formalization analysis. This paper utilizes some simple protocol to illuminate how to use strand space theory to analyze protocol effectively.

Hung-Min Sun,Her-Tyan Yeh

DOI: https://doi.org/10.1016/j.jcss.2006.03.005

IF: 1.043

2006-01-01

Journal of Computer and System Sciences

Abstract:In an open networking environment, a workstation usually needs to identify its legal users for providing its services. Kerberos provides an efficient approach whereby a trusted third-party authentication server is used to verify users' identities. However, Kerberos enforces the user to use strong cryptographic secret for user authentication, and hence is insecure from password guessing attacks if the user uses a weak password for convenience. In this paper, we focus on such an environment in which the users can use easy-to-remember passwords. In addition to password guessing attacks, perfect forward secrecy (PFS in short) is another important security consideration when designing an authentication and key distribution protocol. Based on the capability of protecting the client's password, the application server's secret key, and the authentication server's private key, we define seven classes of perfect forward secrecy and focus on protocols achieving class-1, class-3, and class-7 due to their hierarchical relations. Then, we propose three secure authentication and key distribution protocols to provide perfect forward secrecy of these three classes. All these protocols are efficient in protecting poorly-chosen passwords chosen by users from guessing attacks and replay attacks.

Liu Dongxi,Li Xiaoyong,Bai Yingcai

DOI: https://doi.org/10.1007/bf02943285

IF: 1.871

2002-01-01

Journal of Computer Science and Technology

Abstract:This paper proposes an, automatic attack construction algorithm in order to find potential attacks on security protocols. It is based on a dynamic strand space model, which enhances the original strand space model by introducing active nodes on strands so as to characterize the dynamic procedure of protocol execution. With exact causal dependency relations between messages considered in the model, this algorithm can avoid state space explosion caused by asynchronous composition. In order to get a finite state space, a new method called strand-added on demand is exploited, which extends a bundle in an incremental manner without requiring explicit configuration of protocol execution parameters. A finer granularity model of term structure is also introduced, in which subterms are divided into check subterms and data subterms. Moreover, data subterms can be further classified based on the compatible data subterm relation to obtain automatically the finite set of valid acceptable terms for an honest principal. In this algorithm, terms core is designed to represent the intruder’s knowledge compactly, and forward search technology is used to simulate attack patterns easily. Using this algorithm, a new attack on the Dolve-Yao protocol can be found, which is even more harmful because the secret is revealed before the session terminates.

LI Xiehua,YANG Shutang,LI Jianhua,ZHU Hongwen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.13.001

2007-01-01

Abstract:This paper proposes a new checking model based on the authentication tests for security protocol analysis.With the model,each component of the ciphertext is verified to determine its originator,so that the replayed attack can be detected in time.The combination of the check model and authentication tests can overcome the deficiency of the original authentication tests in detecting message replay attacks.The proof of neuman-stubblebine protocol shows that the checking model can detect the type flaw attack efficiently,while the original authentication tests cannot.

BT Hsieh,HM Sun,T Hwang

DOI: https://doi.org/10.15388/informatica.2003.014

2003-01-01

Informatica

Abstract:In an internet environment, such as UNIX, a remote user has to obtain the access right from a server before doing any job. The procedure of obtaining acess right is called a user authentication protocol. User authentication via user memorable password provides convenience without needing any auxiliary devices, such as smart card. A user authentication protocol via username and password should basically withstand the off-line password guessing attack, the stolen verifier attack, and the DoS attack. Recently, Peyravian and Zunic proposed one password transmission protocol and one password change protocol. Later, Tseng et al. (2001) pointed out that Peyravian and Zunic's protocols can not withstand the off-line password guessing attack, and therefore proposed an improved protocol to defeat the attack. Independently, Hwang and Yeh also showed that Peyravian and Zunic's protocols suffer from some secury flaws, and an improved protocol was also presented. In this paper, we show that both Peyravian and Zunic's protocols and Tseng et al.'s improved protocol are insecure against the stolen verifier attack. Moreover, we show that all Peyravian and Zunic's, Tseng et al.'s, and Hwang and Yeh's protocols are insecure against DoS attack.

舒剑,许春香

DOI: https://doi.org/10.3969/j.issn.1000-436x.2010.03.008

2010-01-01

Abstract:The security of a recently proposed password-based authenticated key exchange protocol was analyzed. Al- though it was provably secure in the standard model, it was vulnerable to reflection attacks. A modify scheme was pro- posed, which eliminated the defect of original scheme and improved the efficiency of the protocol. The security of the proposed scheme had been proven in the standard model under DDH assumption. The results show that it provides per- fect forward secrecy.

SH Wang,F Bao,J Wang

DOI: https://doi.org/10.1093/ietcom/e88-b.4.1641

2005-01-01

IEICE Transactions on Communications

Abstract:In 2002, Zhu et al. proposed a password authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in imbalanced wireless networks. Recently, YEH et al. claimed that Zhu et al.'s protocol not only is insecure against undetectable on-line password guessing attack but also does not achieve explicit key authentication. Thus they presented an improved version. Unfortunately, we find that YEH et al.'s password guessing attack does not come into existence, and that their improved protocol is vulnerable to off-line dictionary attacks. In this paper we describe our observation in details, and also comment for the original protocol on how to achieve explicit key authentication as well as resist against other existent attacks.

Ma Limin,Zhu Yuesheng

2014-01-01

Abstract:As an important trust third-party authentication protocol, Kerberos is widely deployed to provide authentication service in distributed networks. However, it is vulnerable to some attacks such as password guessing attack and replay attack. PKINIT is an enhanced Kerberos protocol based on public key cryptography to resist these attacks. However, it requires excessive computation and communication resources. A new scheme based on one-time password (OTP) mechanism is proposed and implemented to improve the security and computation efficiency of Kerberos protocol in this paper. Experiment results demonstrate that the proposed scheme can enhance the security of Kerberos and reduce 32.3% time of initial authentication exchange and is easier to be deployed than PKINIT. © 2014 ISSN 1881-803X.

XU Chun-xiang,LUO Shu-dan,Shu D. Luo

DOI: https://doi.org/10.3969/j.issn.1001-0548.2009.04.025

2009-01-01

Abstract:The three-party password-based authenticated key exchange protocol based on the CCDH assumption is analyzed. It is demonstrated that this protocol has security vulnerabilities from on-line guessing attack and lacks a perfect authentication mechanism. This paper presents an attack scheme to the protocol. Our attack scheme shows that an adversary can get other legitimate user's password successfully by on-line guessing cyclically.