Song Luo,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/nswctc.2009.287

2009-01-01

Abstract:Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. One-time password authentication which uses dynamic password helps to enhance the security of password. In this paper, we suggest a new one-time password scheme using the smart card based on the bilinear pairings. By generating temporary identity, our scheme can provide anonymity in authentication process to protect the user's privacy. Based on the Computational Diffie-Hellman Problem, we show that the proposed scheme is secure against forgery attack and ID attack under the random oracle model.

Wenjian Luo,Yamin Hu,Hao Jiang,Junteng Wang

DOI: https://doi.org/10.1109/tifs.2018.2844854

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure password storage is a vital aspect in systems based on password authentication, which is still the most widely used authentication technique, despite some security flaws. In this paper, we propose a password authentication framework that is designed for secure password storage and could be easily integrated into existing authentication systems. In our framework, first, the received plain password from a client is hashed through a cryptographic hash function (e.g., SHA-256). Then, the hashed password is converted into a negative password. Finally, the negative password is encrypted into an encrypted negative password (ENP) using a symmetric-key algorithm (e.g., AES), and multi-iteration encryption could be employed to further improve security. The cryptographic hash function and symmetric encryption make it difficult to crack passwords from ENPs. Moreover, there are lots of corresponding ENPs for a given plain password, which makes precomputation attacks (e.g., lookup table attack and rainbow table attack) infeasible. The algorithm complexity analyses and comparisons show that the ENP could resist lookup table attack and provide stronger password protection under dictionary attack. It is worth mentioning that the ENP does not introduce extra elements (e.g., salt); besides this, the ENP could still resist precomputation attacks. Most importantly, the ENP is the first password protection scheme that combines the cryptographic hash function, the negative password, and the symmetric-key algorithm, without the need for additional information except the plain password.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Rong Fan,Dao-jing He,Xue-zeng Pan,Ling-di Ping

DOI: https://doi.org/10.1631/jzus.c1000377

2011-01-01

Abstract:Wireless sensor networks (WSNs) are vulnerable to security attacks due to their deployment and resource constraints. Considering that most large-scale WSNs follow a two-tiered architecture, we propose an efficient and denial-of-service (DoS)-resistant user authentication scheme for two-tiered WSNs. The proposed approach reduces the computational load, since it performs only simple operations, such as exclusive-OR and a one-way hash function. This feature is more suitable for the resource-limited sensor nodes and mobile devices. And it is unnecessary for master nodes to forward login request messages to the base station, or maintain a long user list. In addition, pseudonym identity is introduced to preserve user anonymity. Through clever design, our proposed scheme can prevent smart card breaches. Finally, security and performance analysis demonstrates the effectiveness and robustness of the proposed scheme.

Rong Fan,Lingdi Ping,JianQing Fu,Xuezeng Pan

DOI: https://doi.org/10.1109/PACCS.2010.5626600

2010-01-01

Abstract:As wireless sensor networks (WSNs) are susceptible to attacks and sensor nodes have limited resources, designing a secure and efficient user authentication protocol for WSNs is a difficult task. Considering that most future large-scale WSNs follow a two-tiered architecture, we propose an efficient and Denial-of-Service resistant user authentication scheme for two-tiered WSNs, which imposes very light computational load and requires simple operations such as one-way hash function and exclusive-OR operations. In addition, there is a growing requirement for preserving user anonymity recently. Thus we introduce pseudonym identity for each user which is concealed in login messages. And through clever design, our proposed scheme can prevent from smart card breach. Moreover, the security analysis on this scheme demonstrates that our proposed scheme enjoys security attributes such as preventing the various kinds of attacks and user anonymity. Finally, performance analysis shows that our proposed scheme is simple and efficient.

Dongdong Zhao,Wenjian Luo

DOI: https://doi.org/10.1109/dasc.2013.38

2013-01-01

Abstract:Nowadays, data privacy has been widely concerned. The private set intersection means that several parties calculate the intersection of their private sets while without revealing extra information about their private data. The negative database (NDB) is a new technique for preserving privacy, and it stores information in the complementary set of a traditional database (DB). Reversing the NDB to recover the corresponding DB is an NP-hard problem, and this property is the security foundation of the NDB. Moreover, the NDB can directly support some database operations such as intersection, union, select and Cartesian product. However, so far, there is no research work about the secure multi-party computation based on NDBs. In this paper, firstly, a two-party private set intersection protocol based on NDBs is proposed, and its security and efficiency are analyzed. Then, the multi-party private set intersection protocol based on NDBs is given.

Dongdong Zhao,Wenjian Luo

DOI: https://doi.org/10.7551/978-0-262-31709-2-ch131

2013-01-01

Abstract:The negative database (NDB) is the negative representation of original data. Existing work has demonstrated that NDB can be used to preserve privacy and hide information. However, most work about NDB is based on binary representation. In some applications which are naturally descripted in real-valued space, the binary negative database is hard to be applied appropriately. Therefore, the real-valued negative database is proposed in this paper, and reversing the real-valued negative database is proved to be an NP-hard problem. Moreover, an effective algorithm for generating real-valued negative databases is given. Finally, an example of applying the real- valued negative database to the privacy-preserving data publication is descripted, and it shows that the real-valued negative database is valuable in practice.

Ran Liu,Wenjian Luo,Xufa Wang

DOI: https://doi.org/10.1109/cicybs.2011.5949400

2011-01-01

Abstract:The negative database (NDB) is a complement of the corresponding database. The NDB could protect the privacy of the data, but it should be complete and hard-to-reverse. However, existent techniques cannot generate the complete and hard-to-reverse negative database. In this paper, a hybrid method is proposed to generate single negative databases. The proposed hybrid method includes two phases. Firstly, a complete negative database with a small size is generated by the transformation of the prefix algorithm. Secondly, a hard-to-reverse negative database, which is generated with the q-hidden method, is added into the small complete negative database. Therefore, the hybrid negative database is both complete and hard-to-reverse. Experiment results show that the NDB generated by the hybrid method is better than the NDB generated by the typical q-hidden method. Especially, the NDB generated by the q-hidden method can be reversed on average when the string length is 300. However, the NDB generated by the hybrid method cannot be reversed on average when the string length is 150.

吴和生,范训礼,谢俊元

DOI: https://doi.org/10.3969/j.issn.1002-137X.2003.05.044

2003-01-01

Computer Science

Abstract:Some usual one-time password authentication protocols are analyzed. A practical efficient one-time pass-word authentication implementing method is presented based on the symmetric algorithm, which conquers usual chal-lenge-response protocol weakness and can protect user's identity and avoid replay attack etc. It also can boost up thesecurity of the application security system by integrating with it in networks. And the correlative issues are discusseddeeply such as security, reliability and so on.

Anup Patel,Niveeta Sharma,Magdalini Eirinaki

DOI: https://doi.org/10.48550/arXiv.1105.0049

2011-04-30

Abstract:Data Security is a major issue in any web-based application. There have been approaches to handle intruders in any system, however, these approaches are not fully trustable; evidently data is not totally protected. Real world databases have information that needs to be securely stored. The approach of generating negative database could help solve such problem. A Negative Database can be defined as a database that contains huge amount of data consisting of counterfeit data along with the real data. Intruders may be able to get access to such databases, but, as they try to extract information, they will retrieve data sets that would include both the actual and the negative data. In this paper we present our approach towards implementing the concept of negative database to help prevent data theft from malicious users and provide efficient data retrieval for all valid users.

Databases

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

Shaohua Tang

DOI: https://doi.org/10.3321/j.issn:1000-565X.2001.08.019

2001-01-01

Abstract:Lamport's one-time password authentication is one of the famous password authentication schemes. But there are some disadvantages: when the user re-generates the password chain for the original remote system or generates the password chain for a new remote system, he has to register to the dedicated system again, which is inconvenient and not flexible enough. In order to solve these problems, a kind of one-time password authentication scheme is proposed in the paper. It is shown that our scheme is as secure and almost as efficient as Lamport's scheme, but our scheme is more flexible and convenient than Lamport's scheme.

LI Xing

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.19.034

2008-01-01

Computer Engineering and Applications Journal

Abstract:This paper proposes an efficient remote user authentication scheme based on random nonce which does not require password verification tables.To withstand message replay attacks,the proposed scheme uses random nonce in place of timestamps.Moreover,users are able to freely choose and change their passwords.It has many other advantages such as low computation cost,easy designed,efficient,practical and high security.

Yi Chen,Hong Wen,Huanhuan Song,Songlin Chen,Feiyi Xie,Qing Yang,Lin Hu

DOI: https://doi.org/10.1049/iet-com.2018.0023

IF: 1.345

2018-01-01

IET Communications

Abstract:The energy-constrained devices such as the mobile terminals and nodes of the Internet of Things make lightweight security schemes an urgent need. The traditional identity authentication techniques can provide protection for the user's privacy and information to a certain extent, but they suffer from heavy cost. Non-cryptographic authentication mechanisms based on the physical layer characteristics are new techniques, which have a higher security level. The recognition technique of radio transmitter based on radio-frequency fingerprint (RFF) is one of the non-cryptographic authentication techniques. The authors propose a lightweight one-time password (OTP) authentication scheme based on RFF (RFF-OTP), which is a novel cross-layer secure authentication scheme and can provide mutual authentication between the mobile terminal and server, by combining RFF recognition algorithm with a hash encryption algorithm. By theoretical analysis and Syverson and van Oorschot logic verification, they prove that the RFF-OTP scheme is simple, efficient, flexible and independent of trusted-party while it also can resist the cloning attack and satisfy the anonymity compared with the OTP authentication scheme. Besides, it only requires the password to log into the system in the authors' scheme in comparison to the OTP scheme that needs both ID and password for the same purpose.

Yun Huang,Zheng Huang,Haoran Zhao,Xuejia Lai

DOI: https://doi.org/10.1016/j.ieri.2013.11.006

2013-01-01

IERI Procedia

Abstract:One-Time Passwords (OTP) can provide complete protection of the login-time authentication mechanism against replay attacks. In this paper, we propose TSOTP: a new effective simple OTP method that generates a unique passcode for each use. The calculation uses both time stamps and sequence numbers. A two-factor authentication prototype for mobile phones using this method has been developed and has been used in practice for a year.

Yi Hui He

DOI: https://doi.org/10.4028/www.scientific.net/amr.926-930.2819

2014-01-01

Advanced Materials Research

Abstract:Network security and identity authentication is confirmed the true identity whether the user and the claimed identity is consistent or not, in order to prevent the illegal user access the system for resources by identity fraud. The one-time password authentication technology with high safety, convenient for using, easy for management and lower cost is applied widely and has bright prospection. The one-time password authentication technology support to add uncertain factors in the login process, so that the login authentication informations are not the same each time. It is useful to improve the security of the login process. In this paper, a new system which is based on the the one-time password authentication technology called biometric system is first introduced. Then the framework of multi-biometric system is presented, and several examples are also shown. The prospect about multi-biometric fusion is also given.

Xuelian Cao,Zheng Yang,Jianting Ning,Chenglu Jin,Rongxing Lu,Zhiming Liu,Jianying Zhou

DOI: https://doi.org/10.1109/tifs.2024.3386350

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Group time-based one-time passwords (GTOTP) is a novel lightweight cryptographic primitive for achieving anonymous client authentication, which enables the efficient generation of time-based one-time passwords on behalf of a group without revealing any information about the actual client's identity beyond their group membership. The security properties of GTOTP regarding anonymity and traceability have been formulated in a static group management setting (where all group members should be determined during the group initialization phase), yet, a formal treatment for real-world dynamic groups (i.e., group members may join and leave at any time) is still an open question. It is non-trivial to construct an efficient GTOTP scheme that can provide a lightweight password generation procedure run by group members and support dynamic group management, allowing group members to join and leave without affecting other members' states (non-disruptively). To address the above challenge, we first define the notion and the security model of dynamic group time-based one-time passwords (DGTOTP) in this work. We then present an efficient DGTOTP construction that can generically transform an asymmetric time-based one-time passwords scheme into a DGTOTP scheme utilizing a chameleon hash function family and a Merkle tree scheme. Within our construction, we particularly tailor an outsourcing solution realizing an issue-first-and-join-later (IFJL) strategy, enabling smooth joining and revocation without disrupting other group members. Moreover, our scheme minimizes symmetric cryptographic operations and maintains constant storage for group members, compared to the linear storage cost that grows rapidly with respect to the lifetime of the GTOTP instance in the previous static GTOTP scheme. Our DGTOTP scheme satisfies stronger security guarantees in a dynamic group management setting without random oracles. Our experimental results confirm the efficiency of our DGTOTP scheme.

computer science, theory & methods,engineering, electrical & electronic

Hongfeng Zhu

DOI: https://doi.org/10.1002/sec.1182

IF: 1.968

2015-02-10

Security and Communication Networks

Abstract:Authenticated key agreement protocols, aiming at solving the problems to set up a secure channel over public Internet, can achieve authentication of the corresponding participants and confidentiality of data transmission. Nowadays, most of the authenticated key agreement protocols focus on security, efficiency, and user experience at the same time. One‐time password authenticated algorithm, which is that a hash chain can update by itself smoothly and securely through capturing the secure bit of the tip, has the feature of high‐efficient. In addition, biometrics‐based algorithm can make the scheme more secure and more amiable for users. The combination of aforementioned algorithms can lead to a high practical scheme in the universal client/server architecture. Based on these motivations, the paper firstly proposed the new concept of one‐time identity–password (OTIP), which means the identity and the password can be used only once. Then, a new robust biometrics‐based OTIP authenticated key agreement protocol is given based on the OTIP. Security of the protocol is based on the biometric authentication, a secure symmetric encryption and a secure one‐way hash function with the hash chain. At the same time, the proposed protocol can not only refrain from many consuming algorithms but also robust to many kinds of attacks and owns much excellent features. Finally, we provide the secure proof and the efficiency analysis about our proposed scheme. Copyright © 2015 John Wiley & Sons, Ltd. The paper firstly proposed a new concept of one‐time identity–password, which means identity and password can be used only once. Then, we present a provably secure and flexible one‐time identity–password authenticated key agreement scheme based on biometrics. The core ideas of our scheme are features of security and efficiency in the mobile device and server's side and feature of user friendly for the user's side. Through comparing with recently related work, our scheme has satisfactory security, efficiency, and functionality.

computer science, information systems,telecommunications

SH Tang

DOI: https://doi.org/10.1142/s0218126600000135

2000-01-01

Journal of Circuits Systems and Computers

Abstract:A new kind of one-time password authentication scheme, directed one-time password authentication scheme, is presented in this paper. The distinguished feature of the directed authentication scheme is that only the specified verifier can validate the verifiee's genuine identity, without the help of this specified verifier, anyone else cannot verify it. One strong directed one-time password authentication scheme based on discrete logarithm is proposed in this paper and the security and performance of which are also analyzed.

Haoyang Pu,Wen Chen,Hongchao Wang,Shenghong Bao

DOI: https://doi.org/10.3390/s24196217

IF: 3.9

2024-09-26

Sensors

Abstract:Due to their inherent openness, wireless sensor networks (WSNs) are vulnerable to eavesdropping attacks. Addressing the issue of secure Internet Key Exchange (IKE) in the absence of reliable third parties like CA/PKI (Certificate Authority/Public Key Infrastructure) in WSNs, a novel key synchronization method named NDPCS-KS is proposed in the paper. Firstly, through an initial negotiation process, both ends of the main channels generate the same initial key seeds using the Channel State Information (CSI). Subsequently, negotiation keys and a negative database (NDB) are synchronously generated at the two ends based on the initial key seeds. Then, in a second-negotiation process, the NDB is employed to filter the negotiation keys to obtain the keys for encryption. NDPCS-KS reduced the risk of information leakage, since the keys are not directly transmitted over the network, and the eavesdroppers cannot acquire the initial key seeds because of the physical isolation of their eavesdropping channels and the main channels. Furthermore, due to the NP-hard problem of reversing the NDB, even if an attacker obtains the NDB, deducing the initial key seeds is computationally infeasible. Therefore, it becomes exceedingly difficult for attackers to generate legitimate encryption keys without the NDB or initial key seeds. Moreover, a lightweight anti-replay and identity verification mechanism is designed to deal with replay attacks or forgery attacks. Experimental results show that NDPCS-KS has less time overhead and stronger randomness in key generation compared with other methods, and it can effectively counter replay, forgery, and tampering attacks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation