Liling Cao,Wancheng Ge

DOI: https://doi.org/10.1002/sec.1010

IF: 1.968

2014-01-01

Security and Communication Networks

Abstract:In order to enhance the security in wireless communication, authentication schemes come to be more crucial and widely deployed recently, especially those which are referred to as multi-factor biometric authentication that base on password, biometrics, and smart card protections. A new scheme in this way was proposed in 2010 by Li and Hwang. Then Das extended the work of Li et al. and made an improvement of their weak scheme in 2011. However, in 2012, Younghwa An demonstrated that Das's protocol failed to achieve mutual authentication for the server and the user. In this paper, it is described that Younghwa An's scheme cannot withstand the following two attacks. i It is still vulnerable to replay attack, then an adversary can masquerade as the legal server. ii It cannot provide user anonymity and resistance to user masquerading attack, because an adversary can execute the re-registration process by intercepting the IDi in the login phase. Therefore, an improvement to Younghwa An's scheme is presented in this paper. Then, security formal analysis of the modified scheme using the Burrows-Abadi-Needham logic is given, which demonstrates that the modified scheme with slight high computation costs can protect against the several possible attacks. Copyright © 2014 John Wiley & Sons, Ltd.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Yasir Giani,Li Jianhua,Chen Gongliang,Zahid Mehmood

DOI: https://doi.org/10.1109/compcomm.2016.7925201

2016-01-01

Abstract:In the recent decades, in order to achieve high-degree security many researchers are introducing multifactor authentication schemes replacing by conventional password-based remote authentication schemes. In 2010, Li and Hwang proposed biometric-based authentication scheme using the smart card. Later on, Das pointed out that the scheme is susceptible to denial of services attack and also having low efficiency. Then proposed a new scheme to overcome the weaknesses of prior scheme. In 2012, Younghwa An. substantiate that Das's scheme doesn't provide mutual authentication. In 2014, Cao and Ge pointed that Younghwa's scheme is still vulnerable to replay attack and unable to provide user anonymity, while an adversary can perform the re-registration by intercepting user identity IDx in the login phase. In this paper, we first analyze Cao and Ge's scheme and show that their scheme is still vulnerable to password guessing and traceability attacks.

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Hongbin Tang,Xinsong Liu,Yao Li

DOI: https://doi.org/10.1049/cp.2012.2315

2012-01-01

Abstract:A three-factor (password, smart card and biometric) authentication scheme allows a user and a remote server to authenticate each other, and it provides strong authentication. Very recently, Das proposed a three-factor remote authentication scheme. He claimed that their scheme was more secure than Li-Hwang's scheme. However, we demonstrate that his scheme is vulnerable to various attacks. It is not feasible for real-life implementation. We then suggest an improvement. The proposed scheme is proved to be more secure than the previous related works and maintains low computation and communication cost.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Xiong Li,Jian-Wei Niu,Jian Ma,Wen-Dong Wang,Cheng-Lian Liu

DOI: https://doi.org/10.1016/j.jnca.2010.09.003

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:Recently, Li and Hwang proposed a biometrics-based remote user authentication scheme using smart cards [Journal of Network and Computer Applications 33 (2010) 1–5]. The scheme is based on biometrics verification, smart card and one-way hash function, and it uses the nonce rather than a synchronized clock, so it is very efficient in computational cost. Unfortunately, the scheme has some security weaknesses, that is to say Li and Hwang's scheme does not provide proper authentication and it cannot resist the man-in-the-middle attacks. If an attacker controls the insecure channel, she/he can easily fabricate messages to pass the user's or server's authentication. Besides, the malicious attacker can impersonate the user to cheat the server and can impersonate the server to cheat the user without knowing any secret information. This paper proposes an improved biometrics-based remote user authentication scheme that removes the aforementioned weaknesses and supports session key agreement.

LIU Jia-yong,LIU Yue-qin,FANG Yong,Ming X. Gao

DOI: https://doi.org/10.3969/j.issn.1009-3087.2006.06.021

2006-01-01

Abstract:The present authentication scheme has been found to be vulnerable to forged login attack;an intruder could still impersonate legitimate users to login and accesses the remote server in two ways at least.To solve this problem,an improved scheme will be proposed,which can withstand the existing forged attacks by means of improving the security policy and authentication information.The security analysis showed that the improved scheme still keeps the features of the non-storage data model authentication scheme and will not add the additional computation cost to the smart card,and will perform better in security and practical operations.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1109/tdsc.2016.2605087

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.6138/jit.2012.13.3.04

2012-01-01

Abstract:As an important mechanism to guarantee secure communication, the authentication scheme has attracted wide attention. Recently, Xu et al. proposed a new authentication scheme and show their scheme is provably secure in the random oracle model under the computational Diffie-Hellman assumption. Unfortunately, in this paper, we will demonstrate that Xu et al.'s scheme is vulnerable to the impersonation attack and the privileged insider attack. We also propose an improved scheme to eliminate the security vulnerability.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0149173

IF: 3.7

2016-01-01

PLoS ONE

Abstract:With the security requirements of networks, biometrics authenticated schemes which are applied in the multi-server environment come to be more crucial and widely deployed. In this paper, we propose a novel biometric-based multi-server authentication and key agreement scheme which is based on the cryptanalysis of Mishra et al.'s scheme. The informal and formal security analysis of our scheme are given, which demonstrate that our scheme satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, in which some features are not considered in the most of existing authentication schemes, such as, user revocation or re-registration and biometric information protection. Compared with several related schemes, our scheme has more secure properties and lower computation cost. It is obviously more appropriate for practical applications in the remote distributed networks.

Xiong Li,Jianwei Niu,Zhibo Wang,Caisen Chen

DOI: https://doi.org/10.1002/sec.767

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:There are some biometrics-based three-factor remote user authentication schemes proposed by researchers for ensure high security features for network-based application systems. Recently, Das pointed out the security flaws of Li and Hwang's three-factor remote user authentication scheme, and proposed an enhanced biometrics-based three-factor remote user authentication scheme. Das's scheme overcomes the defects of Li and Hwang's scheme, and maintains the advantages of Li and Hwang's scheme at the same time. However, after detailed analysis, we find that Das's scheme remains vulnerable to forgery attack and stolen smart card attack; at the same time, Das's scheme cannot provide the session key agreement after the mutual authentication. To provide more security features, we design a three-factor remote user authentication scheme with key agreement using biometrics. Copyright © 2013 John Wiley & Sons, Ltd.

Jingxuan Zhai,Tianjie Cao,Xiuqing Chen,Shi Huang

DOI: https://doi.org/10.14257/ijsia.2015.9.1.37

2015-01-01

International Journal of Security and Its Applications

Abstract:Dynamic ID-based authentication schemes based on password and smart card are widely used to provide two-factor authentication and user anonymity. However, these schemes have one or the other possible security weaknesses. In this paper, we analyze the schemes of Li et al. and Wang et al. published in recent years. After the analysis, we demonstrates that Li et al. 's schemes are vulnerable to off-line password guessing attack if the user's identity is compromised, Li et al.'s scheme cannot withstand the impersonation attack and linkability attack, Wang et al.'s schemes cannot resist off-line password guessing attack if the attacker steals a smart card, Wang et al. 's schemes fail to provide forward security. Our result shows that none of the existing dynamic ID based authentication schemes can achieve all the desirable security goals.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1007/s11042-016-4198-0

IF: 2.577

2016-01-01

Multimedia Tools and Applications

Abstract:With the increase of security requirements, numerous biometrics based authentication schemes that apply the smart card technology are proposed for multimedia medicine information systems in the last several years. Recently, Lu et al. presented a biometrics based authentication and key agreement scheme using extended Chebyshev chaotic maps. Unfortunately, we find that their scheme is still insecure with respect to issues such as flaws in the both login phase and password change phase. And we show that their scheme is vulnerable to the Denial-of-Service attack, user impersonation attack and server masquerade attack, which also fails to achieve the user anonymity. In order to remedy these weaknesses, we retain the useful properties of Lu et al.’s scheme to propose a robust biometrics based authentication and key agreement scheme for multimedia medicine information systems. The informal and formal security analysis of our scheme are given respectively, which demonstrate that our scheme satisfies the desirable security requirements. Furthermore, the proposed scheme provides some significant features which are not considered in most of the related schemes, such as, biometric information protection and user re-registration or revocation. Thus, our scheme resists the known attacks and is efficient for practical applications in the multimedia medicine information systems.

Zhen-Fu Cao,Da-Zhi Sun

DOI: https://doi.org/10.1109/ICMLC.2006.259062

2006-01-01

Abstract:For providing the login service in multi-server environments, Fan, Xu, and Li presented a remote user authentication scheme using smart cards. In this paper, we demonstrate that Fan-Xu-Li's scheme is vulnerable to the parallel session attack. That is, when a legal user logs in a server, an adversary without knowing any secret information can easily impersonate the user to log in other authorized servers. It means that a serious security flaw exists in Fan-Xu-Li's scheme. In addition to being practical, it is desirable to avoid relying on timestamps for security in their scheme. We therefore propose an improved scheme to overcome above disadvantages. As a unilateral authentication mechanism, our improved scheme is more suitable for real-life cryptographic applications than Fan-Xu-Li's scheme.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.