XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Saru Kumari,Muhammad Khurram Khan,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2014.05.007

IF: 4.152

2014-01-01

Computers & Electrical Engineering

Abstract:In distributed systems, user authentication schemes based on password and smart card are widely used to ensure only authorized access to the protected services. Recently, Chang et al. presented an untraceable dynamic-identity-based user authentication scheme with verifiable-password-update. In this research, we illustrate that Chang et al.'s scheme violates the purpose of dynamic-identity contrary to authors' claim. We show that once the smart card of an arbitrary user is lost, passwords of all registered users are at risk. Using information from an arbitrary smart card, an adversary can impersonate any user of the system. In addition, its password change phase has loopholes and is misguiding. The scheme has no provision for session key agreement and the smart card lacks any verification mechanism. Then we come-up with an improved remote user authentication scheme with the session key agreement, and show its robustness over related schemes.

Hong-bin Tang,Xin-song Liu

DOI: https://doi.org/10.1002/dac.2428

2012-01-01

International Journal of Communication Systems

Abstract:SUMMARYA dynamic user authentication scheme allows a user and a remote server to authenticate each other without leaking the user's identity. In 2011, Wen and Li proposed an improved dynamic ID‐based remote user authentication with key agreement scheme for mobile and home networks. They claimed that their scheme was more secure than the scheme of Wang et al. However, we demonstrate that their scheme is vulnerable to the privileged insider, off‐line password guessing, impersonation, and server spoofing attacks. At the same time, it does not provide any user anonymity and forward secrecy property. Thus, it is not feasible for real‐life implementation.Copyright © 2012 John Wiley & Sons, Ltd.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Ding Wang,Chun-guang Ma,De-li Gu,Zhen-shan Cui

DOI: https://doi.org/10.1007/978-3-642-34601-9_35

2012-01-01

Abstract:In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

Jingxuan Zhai,Tianjie Cao,Xiuqing Chen,Shi Huang

DOI: https://doi.org/10.14257/ijsia.2015.9.1.37

2015-01-01

International Journal of Security and Its Applications

Abstract:Dynamic ID-based authentication schemes based on password and smart card are widely used to provide two-factor authentication and user anonymity. However, these schemes have one or the other possible security weaknesses. In this paper, we analyze the schemes of Li et al. and Wang et al. published in recent years. After the analysis, we demonstrates that Li et al. 's schemes are vulnerable to off-line password guessing attack if the user's identity is compromised, Li et al.'s scheme cannot withstand the impersonation attack and linkability attack, Wang et al.'s schemes cannot resist off-line password guessing attack if the attacker steals a smart card, Wang et al. 's schemes fail to provide forward security. Our result shows that none of the existing dynamic ID based authentication schemes can achieve all the desirable security goals.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1109/ISBAST.2013.27

2013-01-01

Abstract:Remote user authentication is an important and efficient method to ensure security for many network-based application systems. So far, several dynamic identity based authentication schemes have been proposed to protect the user's anonymity. Recently, Sood pointed out the security weaknesses of a dynamic identity based authentication scheme, which was proposed by Wang et al. presented an improved scheme. However, in this paper, we demonstrate that Sood's scheme cannot resist leak of verifier attack, impersonation attack and server spoofing attack. Furthermore, Sood's scheme cannot achieve mutual authentication between the user and the server. Consequently, in this paper, we propose a new dynamic identity based user authentication scheme using elliptic curve cryptosystem to resolve all the aforementioned problems.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

Mingwei Zhao,Xiaochen Yu

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.10.076

2015-01-01

Abstract:Compared with traditional static password identity authentication technology,the identity authentication system with dynamic password is more secure.Current schemes of dynamic password authentication have difficulties in heavy computation load and key storage because of the use of the public key encryption system mostly.In view of this,we propose a new identity authentication scheme with dynamic password which combines hash function,symmetric encryption mechanism and Challenge /Response mechanism.At the same time,we carry out the performance test and analysis on the scheme.Experimental results show that the scheme not only realises mutual authentication between server and clients under the network environment,but also has the advantages of high safety,strong practicability,low cost etc., which can be used as the identity authentication in most insecure network channels.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Xiong Li,Junguo Liao,Saru Kumari,Wei Liang,Fan Wu,Muhammad Khurram Khan

DOI: https://doi.org/10.1007/s11277-015-2737-z

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:The remote user authentication scheme is an important security technology, which provides authentication service before a user accesses the service provided by the remote server. In this paper, we analyze the security and design flaws of a recently proposed dynamic ID authentication and key agreement scheme by Lin. We find Lin’s scheme is totally cannot be used in real applications because of the following weaknesses: it has some design drawbacks such as it does not have the wrong password detection mechanism and its password change phase is incorrect; the user can login to the server using any wrong identity or password because of the inherent defects in the design of the authentication message; at the same time, Lin’s scheme is vulnerable to the mobile device loss attack and denial of service attack. For security considerations, we propose some principles which should be followed in the design of the user authentication schemes. According to these design principles, we design a new dynamic ID-based user authentication scheme using mobile device. We formally analyze the security features of the proposed scheme using BAN logic, and give the provable security analysis in random oracle model. Besides, we also discuss our scheme can resist other well known attacks. The functionality and performance comparisons shown that the proposed scheme enhances the security features and keeps the efficiency at the same time.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Ding Wang,Chunguang Ma,Sendong Zhao,ChangLi Zhou

DOI: https://doi.org/10.1007/978-3-642-35606-3_13

2012-01-01

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.

Xiong Li,Jianwei Niu,Yazhi Liu,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1504/ijahuc.2014.066423

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Smart card-based password authentication scheme is one of the most simple and efficient method to identify the legitimacy of a user via an insecure channel. To protect the user from tracking by the attacker, many dynamic ID-based user authentication schemes have been proposed. Recently, Chen et al. proposed an efficient and secure dynamic ID-based authentication scheme using smart cards. However, we find that Chen et al.'s scheme cannot really protect user's anonymity and forward secrecy. Besides, their scheme is inefficient in the authentication phase and cannot resist stolen smart card attack. In this paper, we propose a robust dynamic ID-based user authentication scheme using smart cards to cover the above weaknesses, the proposed scheme can really protect the user's anonymity and is more secure comparing with other related schemes.

Manik Lal Das,Ashutosh Saxena,Ved P. Gulati

DOI: https://doi.org/10.1109/TCE.2004.1309441

2007-12-14

Abstract:Password-based authentication schemes are the most widely used techniques for remote user authentication. Many static ID-based remote user authentication schemes both with and without smart cards have been proposed. Most of the schemes do not allow the users to choose and change their passwords, and maintain a verifier table to verify the validity of the user login. In this paper we present a dynamic ID-based remote user authentication scheme using smart cards. Our scheme allows the users to choose and change their passwords freely, and do not maintain any verifier table. The scheme is secure against ID-theft, and can resist the reply attacks, forgery attacks, guessing attacks, insider attacks and stolen verifier attacks.

Cryptography and Security

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

Jie Liu,Lei Fan,Jianhua Li

DOI: https://doi.org/10.1145/1501434.1501509

2006-01-01

Abstract:Yang and Shieh proposed two password authentication schemes based on smart cards. The best merit of their schemes is that the remote server can verify a login user without any prior knowledge except a login request message. Unfortunately, some security weaknesses had been found and kinds of attacks were presented later. Although some improvements were proposed to fix those weaknesses, part of these improvements need the remote server to maintain verification tables and the other improvements were proved insecure either. In this paper, we will propose two improved schemes that can withstand all existed attacks while keeping the best merit of the original schemes. The remote server in our improved schemes is still able to verify a login user only by a request message.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Baoyuan Kang,Jinguang Han,Qingju Wang

DOI: https://doi.org/10.1109/ICCET.2010.5486299

2010-01-01

Abstract:Wang et al. presented a remote password authentication scheme using IC (integrated Circuit)cards in 2004. Recently, Cheng et al. pointed that the Wang et al.'s scheme is unable to withstand the forgery attack. They consequently proposed a novel version to resist the forgery attack. Although Cheng et al. claimed that their scheme is secure against all known attacks and more practical in application than other IC-card-based authentication schemes, in this paper, we show that Cheng et al. scheme is vulnerable to the guessing attack, parallel session attack and key-compromise attack. To remedy these flaws, this paper proposes an improvement over Cheng et al. scheme with more security.