Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Guomin Yang,Duncan S. Wong,Huaxiong Wang,Xiaotie Deng

DOI: https://doi.org/10.1016/j.jcss.2008.04.002

IF: 1.043

2008-01-01

Journal of Computer and System Sciences

Abstract:One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

ZHU Chang-sheng,LIU Peng-hui,WANG Qing-rong,CAO Lai-cheng

DOI: https://doi.org/10.3724/sp.j.1087.2011.01862

2011-01-01

Journal of Computer Applications

Abstract:How to keep mutual anonymity between two entities is one of the critical issues for Trusted Computation(TC).According to the characteristics of TC,an efficient password-based authenticated key exchange scheme was proposed.Adopting threshold cryptography and fuzzy ID set,the scheme achieved mutual anonymity between user and server sharing ID set.On the premise of secure hashing,the analysis and the proving procedure based on the Random Oracle Model(ROM) show this scheme is secure against dictionary attack and resource-depletion DoS(Denial-of-Service) attack under the computational Diffie-Hellman intractability assumption.This scheme effectively preserves the user's privacy and server's privacy,and compared with other schemes such as VIET et al.'s scheme,it is more efficient.

Shen Yaosheng,Wang Ding,Wang Ping

DOI: https://doi.org/10.1007/978-3-030-00009-7_13

2018-01-01

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to cope with the vulnerabilities in Jiang et al.’s scheme. However, in this paper, we reveal that Wu-Xu’s scheme actually is subject to critical security defects, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme which is claimed to be suitable for multi-server architecture and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve truly two-factor security and is of poor scalability. Our results invalidate any use of the scrutinized schemes for cloud computing environments. © Springer Nature Switzerland AG 2018.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Ping Wang,Bin Li,Hongjin Shi,Yaosheng Shen,Ding Wang

DOI: https://doi.org/10.1155/2019/2516963

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understand how to improve security. At ICCCS'17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.'s scheme. However, we reveal that Wu-Xu's scheme actually is subject to various security flaws, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.'s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS'18, Amin et al. pointed out that most of existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques and thus suggested an improved protocol by using only light-weight symmetric key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.'s and Wei et al.'s schemes cannot achieve the claimed security goals (including the most crucial goal of truly two-factor security). Our results invalidate any use of the scrutinized schemes for cloud computing environments.

Song Luo,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/nswctc.2009.287

2009-01-01

Abstract:Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. One-time password authentication which uses dynamic password helps to enhance the security of password. In this paper, we suggest a new one-time password scheme using the smart card based on the bilinear pairings. By generating temporary identity, our scheme can provide anonymity in authentication process to protect the user's privacy. Based on the Computational Diffie-Hellman Problem, we show that the proposed scheme is secure against forgery attack and ID attack under the random oracle model.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-27659-5_16

2015-01-01

Abstract:The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu’s scheme and Wang’s PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim’s password when getting temporary access to the victim’s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang’s original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1109/tdsc.2016.2605087

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

Ding Wang,Debiao He,Ping Wang,Chao-Hsien Chu

DOI: https://doi.org/10.1109/tdsc.2014.2355850

2015-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Despite two decades of intensive research, it remains a challenge to design a practical anonymous two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to smart card loss attack) and desirable attributes (e.g., local password update). Numerous solutions have been proposed, yet most of them are shortly found either unable to satisfy some critical security requirements or short of a few important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new proposal (but no one has succeeded so far), while paying little attention to the fundamental question: whether or not there are inherent limitations that prevent us from designing an “ideal” scheme that satisfies all the desirable goals? In this work, we aim to provide a definite answer to this question. We first revisit two foremost proposals, i.e. Tsai et al.'s scheme and Li's scheme, revealing some subtleties and challenges in designing such schemes. Then, we systematically explore the inherent conflicts and unavoidable trade-offs among the design criteria. Our results indicate that, under the current widely accepted adversarial model, certain goals are beyond attainment. This also suggests a negative answer to the open problem left by Huang et al. in 2014. To the best of knowledge, the present study makes the first step towards understanding the underlying evaluation metric for anonymous two-factor authentication, which we believe will facilitate better design of anonymous two-factor protocols that offer acceptable trade-offs among usability, security and privacy.

Guomin Yang,Duncan S. Wong,Huaxiong Wang,Xiaotie Deng

DOI: https://doi.org/10.1007/11935308_7

2006-01-01

Abstract:One of the most commonly used two-factor authentication mechanisms is based on smart card and user's password. Throughout the years, there have been many schemes proposed, but most of them have already been found flawed due to the lack of formal security analysis. On the cryptanalysis of this type of schemes, in this paper, we further review two recently proposed schemes and show that their security claims are invalid. To address the current issue, we propose a new and simplified property set and a formal adversarial model for analyzing the security of this type of schemes. We believe that the property set and the adversarial model themselves are of independent interest. We then propose a new scheme and a generic construction framework. In particular, we show that a secure password based key exchange protocol can be transformed efficiently to a smartcard and password based two-factor authentication scheme provided that there exist pseudorandom functions and collision-resistant hash functions.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Ding Wang,Ping Wang,Jing Liu

DOI: https://doi.org/10.1109/WCNC.2014.6953015

2014-01-01

Abstract:User authentication is an important security mechanism that allows mobile users to be granted access to roaming service offered by the foreign agent with assistance of the home agent in mobile networks. While security-related issues have been well studied, how to preserve user privacy in this type of protocols still remains an open problem. In this paper, we revisit the privacy-preserving two-factor authentication scheme presented by Li et al. at WCNC 2013. We show that, despite being armed with a formal security proof, this scheme actually cannot achieve the claimed feature of user anonymity and is insecure against offline password guessing attacks, and thus, it is not recommended for practical applications. Then, we figure out how to fix these identified drawbacks, and suggest an enhanced scheme with better security and reasonable efficiency. Further, we conjecture that under the non-tamper-resistant assumption of the smart cards, only symmetric-key techniques are intrinsically insufficient to attain user anonymity.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Ding Wang,Nan Wang,Ping Wang,Sihan Qing

DOI: https://doi.org/10.1016/j.ins.2015.03.070

IF: 8.1

2015-01-01

Information Sciences

Abstract:•We show a number of latest privacy-preserving two-factor schemes are problematic.•De-synchronization attack is a serious threat to anonymous schemes and deserves attention.•We present a new scheme to overcome the identified flaws with nearly no additional cost.•Security and privacy provisions of our scheme can be proved in a widely accepted model.

HM Sun,HT Yeh

2003-01-01

IEICE Transactions on Communications

Abstract:Following the developments in the use of ID-based schemes and smart cards, Yang and Shieh proposed two password authentication schemes to achieve two purposes: (1) to allow users to choose and change their passwords freely, and (2) to make it unnecessary for the remote server to maintain a directory of passwords or a verification table to authenticate users. Recently, Chan and Cheng showed that Yang and Shieh's timestamp-based password authentication scheme is insecure against forgery. In this paper, we point out that Chan and Cheng's forgery attack can not work. Thus, we further examine the security of Yang and Shieh's password authentication schemes and find that they are insecure against forgery because one adversary can easily pretend to be a valid user and pass the server's verification which allows the adversary to login to the the remote server.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1016/j.comnet.2014.07.010

IF: 5.493

2014-01-01

Computer Networks

Abstract:•We demonstrate privacy breaches into two password authentication schemes for WSNs.•Public-key techniques are indispensible to achieve user untraceability.•Our principle is applicable to two-factor authentication for universal environments.•We discuss the viable solutions to practical realization of user anonymity.•Experimental timings of related public-key operations on small devices are reported.