Xiangxue Li,Weidong Qiu,Dong Zheng,Kefei Chen,Jianhua Li

DOI: https://doi.org/10.1109/TIE.2009.2028351

IF: 7.7

2010-01-01

IEEE Transactions on Industrial Electronics

Abstract:By exploiting a smart card, this paper presents a robust and efficient password-authenticated key agreement scheme. This paper strengthens the security of the scheme by addressing untraceability property such that any third party over the communication channel cannot tell whether or not he has seen the same (unknown) smart card twice through the authentication sessions. The proposed remedy also pr...

Xiong Li,Junguo Liao,Jiao Zhang,Jianwei Niu,Saru Kumari

DOI: https://doi.org/10.1109/comcomap.2014.7017176

2014-01-01

Abstract:Recently, Yang et al. Proposed a remote user authentication scheme using smart card. Through careful cryptanalysis, we find that Yang et al.'s scheme is not repairable, and cannot achieve mutual authentication and session key agreement. To overcome these security flaws, we propose a new remote user authentication scheme with smart card. In the proposed scheme, the user can choose his/her password freely and renew the password anytime. At the same time, the proposed scheme provides more functions and security features, such as mutual authentication, session key agreement, perfect forward secrecy and so on.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Zhuo Hao,Nenghai Yu

DOI: https://doi.org/10.1109/ISDPE.2010.15

2010-01-01

Abstract:Remote user authentication is a critical component of accessing remote services in distributed applications. In this paper we investigate the security vulnerabilities of a previously proposed remote user authentication scheme. After that we propose a security enhanced remote user password authentication scheme, which effectively prevents the adversary's attacks. The proposed authentication scheme is shown to be secure against password guessing attack, masquerade attack and replay attack. By performance analysis, the proposed scheme is shown to be very efficient, both in the computation and the storage cost. The proposed password authentication scheme is very suitable for providing remote authentication in distributed applications.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Debiao He,Jianhua Chen,Jin Hu

2011-01-01

Abstract:Very recently, Sun et al. proposed an improved password authenticated key agreement scheme based on Juang et al.'s scheme. However, after reviewing their scheme and analyzing its security, we find their scheme is vulnerable to two kinds of attacks, i.e., the offline password guessing attack, and the Denial-of-Service (DoS) attack. The analysis shows that Sun's scheme is insecure for practical application. Then, we propose a further improved scheme to eliminate the security vulnerability. Compared with Juang et al.'s scheme and Sun et al.'s scheme, our scheme is more secure and more suitable for real-life applications.

Nenghai Yu

2011-01-01

Abstract:In a distributed network environment,password-authenticated key agreement schemes are fundamental security mechanisms.A security analysis of Chen et al.'s scheme [Chen T H,Hsiang H C,Shih W K.Security enhancement on an improvement on two remote user authentication schemes using smart cards.Future Generation Computer Systems,2011,27(4): 337-380] was presented.It was found that Chen et al.'s scheme cannot resist offline password guessing attacks,and does not have perfect forward secrecy.A security enhanced password-authenticated key agreement scheme was thus proposed.The proposed scheme maintains the good properties of Chen et al.'s scheme,is resistant to offline password guessing attack and provides perfect forward secrecy.A security analysis of the proposed scheme demonstrated that it is capable of strong security.It is suitable for providing mutual authentication and key agreement between the user and the server in a distributed environment.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1002/sec.1305

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Nowadays, smart-card-based user authentication becomes one of the most important security issues. But many schemes of that kind are under different attacks. Recently, Kumari et al. pointed that Chen et al.'s scheme and Li et al.'s scheme with the smart card were not secure. They proposed two improved schemes. Unfortunately, we find that the two schemes are not secure. The first scheme of Kumari et al. is under the de-synchronization attack and lacks strong forward security. The second has the weaknesses including no user anonymity and password leaking. Also, it cannot withstand the user-impersonation attack. We present a new scheme also based on the smart card overcoming common disadvantages and give a formal proof. We also use the tool ProVerif to verify the security of our scheme. Compared with some recent schemes, our scheme performs well, and it is fit for network applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Saru Kumari,Muhammad Khurram Khan,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2014.05.007

IF: 4.152

2014-01-01

Computers & Electrical Engineering

Abstract:In distributed systems, user authentication schemes based on password and smart card are widely used to ensure only authorized access to the protected services. Recently, Chang et al. presented an untraceable dynamic-identity-based user authentication scheme with verifiable-password-update. In this research, we illustrate that Chang et al.'s scheme violates the purpose of dynamic-identity contrary to authors' claim. We show that once the smart card of an arbitrary user is lost, passwords of all registered users are at risk. Using information from an arbitrary smart card, an adversary can impersonate any user of the system. In addition, its password change phase has loopholes and is misguiding. The scheme has no provision for session key agreement and the smart card lacks any verification mechanism. Then we come-up with an improved remote user authentication scheme with the session key agreement, and show its robustness over related schemes.

TANG Hongbin,LIU Xinsoug

DOI: https://doi.org/10.3778/j.issn.1002-8331.2012.19.016

2012-01-01

Computer Engineering and Applications Journal

Abstract:A smart card based remote user authentication scheme is more secure than a password-based authentication scheme.In 2011,Chen et al.proposed an improvement on Hsiang et al.'s remote user authentication scheme,and claimed their scheme was more secure than Hsiang et al.'s scheme.However,their scheme is still vulnerable to insider attack,lost smart card attack,replay attack,and impersonation attack.To overcome the dictionary attack against lost smart card,a user authentication scheme based on smart card and elliptic curve discrete logarithm problem is proposed.This scheme is proved to be secure agaisnt various attacks and needs only one elliptic curve scale multiplication in the login and authentication phases.

Manik Lal Das

DOI: https://doi.org/10.48550/arXiv.0801.0575

2008-01-04

Abstract:The paper presents an authentication scheme for remote systems using smart card. The scheme prevents the scenario of many logged in users with the same login identity, and does not require password/verifier table to validate the users' login request. The scheme provides a user-friendly password change option, and withstands the replay, impersonation, stolen-verifier, guessing, and denial-of-service attacks.

Cryptography and Security

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

DENG Feijin,FAN Lei,SHI Jianjun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.24.062

2005-01-01

Abstract:The dynamic password authentication mechanism is an important development direction of authentication.But in many dynamic password authentication schemes,user’s authentication data are transferred masking with the verifiers stored in the server.Once the verifier is stolen,the attacker can forge authentication data.Therefore,those schemes are vulnerable to theft attacks.Recently a new scheme named 2GR is proposed and showes that it can resist stolen-verifier attack.But the 2GR can’t provide protection against denial of service attack,and doesn’t provide mutual authentication.This paper proposes a revised scheme using smart cards,which eliminates such problems.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Al-Sakib Khan Pathan,Choong Seon Hong,Tatsuya Suda

DOI: https://doi.org/10.1109/ICCE.2007.341503

2007-12-27

Abstract:This paper proposes a novel remote user authentication scheme using smart cards which allows both the authentication server (AS) and the user to verify authenticity of each other. Our scheme is efficient enough to resist the known attacks that could be launched against remote user authentication process.

Cryptography and Security,Networking and Internet Architecture

Jie Gu,Zhi Xue,Yan Zhu,Fangbiao Li

DOI: https://doi.org/10.1049/cp.2012.1864

2012-01-01

Abstract:Mutual authentication is a process or technology in which both entities in a communications link authenticate each other before conducting any business. It is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce and other network application. Recently, Wang et al. proposed an efficient remote authentication scheme using smart cards. They claimed that the scheme can withstand guessing attack, forgery attack, denial of service attack and is easily realized in the practical resource-limited environment. However, we point out that Wang et al.'s scheme suffers from parallel session attack and replay attack. Furthermore, we propose an enhanced remote mutual authentication scheme to eliminate all identified security flaws in the aforementioned scheme.

Yang Junhan,Cao Tianjie

DOI: https://doi.org/10.3969/j.issn.1673-4807.2012.03.016

2012-01-01

Abstract:The authors find the password authentication protocol using smart card proposed by Lee et al.suffers from off-line dictionary attack,user impersonation attack and lacks of key exchange.To solve these problems,an improved scheme is put forward and the security of the novel protocol is proved using the formal security model. The result shows that the novel protocol can not only conquer the security problem of the original protocol but also retain all security characteristics of the original protocol.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Debiao He,Jianhua Chen,Jin Hu

2010-01-01

Abstract:The weakness of an exquisite authentication scheme based on smart cards and passwords proposed by Liao et al. (C. H. Liao, H. C. Chen, and C. T. Wang, An Exquisite Mutual Authentication Scheme with Key Agreement Using Smart Card, Informatica, Vol. 33, No. 2, 2009, 125-132.) is analyzed. Five kinds of weakness are presented in different scenarios. The analyses show that Liao et al.'s scheme is insecure for practical application.