Pengzhen Xia,Jianhua Chen

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.10.041

2017-01-01

Abstract:With the increasing of the multi-server application,researches on three-factor authentication scheme which based on password,smart card and biometrics continue ensure the information safety of the communcation parties.Recently,Chaudhry proposed a new three-factor authentication scheme based on elliptic curve cryptosystem.This paper showed that his scheme was vulnerable to not only denial of service attacks,but also user impersonation attack.In addition,users didn't have a unique identifier in his protocol,and they were unable to change the password.To solve these safety deficiencies,this paper proposed an improved scheme,reasonably used the elliptic curve cryptosystem and fuzzy extractor technology to combine three-factor.This paper proves that the proposed scheme is feasible and safe through Burrows-Abadi-Needham (BAN) logic and the analysis of the known attacks.As compared with the previous multi-server authentication schemes,the proposed scheme is more secure and practical.

Jiaqing Mo,Hang Chen,Wei Shen

DOI: https://doi.org/10.1007/978-3-030-16946-6_36

2020-01-01

Abstract:Cryptanalyzing the security weaknesses of authentication protocols is extremely important to propose countermeasures and develop a truly secure protocol. Over last few years, many three factor-based authentication schemes with key agreement have been proposed for multi-server environment. In 2017, Ali and Pal developed a three-factor authentication scheme in multi-server environment using elliptic curve cryptography (ECC) to remedy the security flaws in Li et al.'s scheme and claimed their improved version can withstand the passive and active attacks. In this paper, we prove that Ali-Pal's scheme is subject to offline password guessing attack, replay attack, and known session-specific temporary information (KSSTI) attack. In the same year, Feng et al. examined Kumari et al.'s biometrics-based authentication scheme for multi-server environment and found that their scheme was vulnerable to several attacks. To fix these weaknesses, Feng et al. proposed an enhanced three-factor authentication scheme with key distribution for mobile multi-server environment and claimed that their scheme can satisfy the security and functional requirements. However, we show that Feng et al.'s scheme fails to resist offline password guessing attack, and suffers from replay attack. In addition to point out the security defects, we put forward countermeasures to eliminate the security risks and secure the three factor-based authentication schemes for multi-server environment.

Peng Jiang,Qiaoyan Wen,Wenmin Li,Zhengping Jin,Hua Zhang

DOI: https://doi.org/10.1007/s11704-014-3125-7

2015-01-01

Abstract:As service demands rise and expand single-server user authentication has become unable to satisfy actual application demand. At the same time identity and password based authentication schemes are no longer adequate because of the insecurity of user identity and password. As a result biometric user authentication has emerged as a more reliable and attractive method. However, existing biometric authentication schemes are vulnerable to some common attacks and provide no security proof, some of these biometric schemes are also either inefficient or lack sufficient concern for privacy. In this paper, we propose an anonymous and efficient remote biometric user authentication scheme for a multi-server architecture with provable security. Through theoretical mathematic deduction, simulation implementation, and comparison with related work, we demonstrate that our approach can remove the aforementioned weaknesses and is well suited for a multi-server environment.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2015.02.015

IF: 4.152

2015-01-01

Computers & Electrical Engineering

Abstract:The biometrics, the password and the storage device are the elements of the three-factor authentication. In 2013, Yeh et al. proposed a three-factor user authentication scheme based on elliptic curve cryptography. However, we find that it has weaknesses including useless user identity, ambiguous process, no session key and no mutual authentication. Also, it cannot resist the user forgery attack and the server spoofing attack. Moreover, Khan et al. propose a fingerprint-based remote authentication scheme with mobile devices. Unfortunately it cannot withstand the user impersonation attack and the De-synchronization attack. Furthermore, the user’s identity cannot be anonymous, either. To overcome the disadvantages, we propose a new three-factor remote authentication scheme and give a formal proof with strong forward security. It could provide the user’s privacy and is secure. Compared to some recent three-factor authentication schemes, our scheme is secure and practical.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11042-019-07812-w

IF: 2.577

2019-01-01

Multimedia Tools and Applications

Abstract:The rapidly evolving communication technology has now made it easy for people to enjoy kinds of online services over the insecure public internet. However, with convenience, ensuring data security as well as user privacy and authentication is particularly important and urgent. In view of this, this work presents a new biometrics-based three-factor authentication with key agreement scheme for multi-server environment using ECC. The formal authentication proof using BAN logic confirms that the new scheme can achieve mutual authentication and agree on a common session key; and the heuristic cryptanalysis shows that the new scheme provides perfect forward secrecy, preserves user anonymity and secures against various known security vulnerabilities. Furthermore, the performance evaluation demonstrates that our scheme is efficient.

Junsong Zhang,Jian Ma,Xiong Li,Wendong Wang

DOI: https://doi.org/10.3837/tiis.2014.08.021

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid growth of the communication technology, intelligent terminals (i.e. PDAs and smartphones) are widely used in many mobile applications. To provide secure communication in mobile environment, in recent years, many user authentication schemes have been proposed. However, most of these authentication schemes suffer from various attacks and cannot provide provable security. In this paper, we propose a novel remote user mutual authentication scheme for multi-server environments using elliptic curve cryptography (ECC). Unlike other ECC-based schemes, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC). Through this method, the proposed scheme requires less ECC-based operations than the related schemes, and makes it possible to significantly reduce the computational cost. Security and performance analyses demonstrate that the proposed scheme can solve various types of security problems and can meet the requirements of computational complexity for low-power mobile devices.

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.

Ding Wang,Xizhe Zhang,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1016/j.cose.2019.101619

IF: 5.105

2020-01-01

Computers & Security

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments were successively proposed, yet most of them have been shortly found problematic. The research pattern of this area has fallen into the undesirable "break-fix-break-fix" cycle, in which lots of efforts have been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al. scheme at ICICS'17, Wu et al. scheme at FC'17, Leu-Hsieh's scheme at IET IS'14, Zhou et al. scheme at WINET'18 and Roy et al. scheme at IEEE TII'19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or are short of important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results. (C) 2019 Elsevier Ltd. All rights reserved.

Hua Guo,Pei Wang,Xiyong Zhang,Yuanfei Huang,Fangchao Ma

DOI: https://doi.org/10.1371/journal.pone.0187403

IF: 3.7

2017-01-01

PLoS ONE

Abstract:In order to improve the security in remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.'s scheme, and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.'s scheme still has weaknesses. In this paper, we show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove the aforementioned problems. From the subsequent formal and informal security analysis, we demonstrate that our proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functional and performance analysis shows that the improved scheme has the best secure functionality and is computational efficient.

Nassoro M. R. Lwamo,Liehuang Zhu,Chang Xu,Kashif Sharif,Ximeng Liu,Chuan Zhang

DOI: https://doi.org/10.1016/j.ins.2018.10.037

IF: 8.1

2018-01-01

Information Sciences

Abstract:The rapid increase in user base and technological penetration has enabled the use of a wide range of devices and applications. The services are rendered to these devices from single-server or highly distributed server environments, irrespective of their location. As the information exchanged between servers and clients is private, numerous forms of attacks can be launched to compromise it. To ensure the security, privacy, and availability of the services, different authentication schemes have been proposed for both single-server and multi-server environments. The primary performance objective of such schemes is to prevent most (if not all) attacks, with minimal computational costs at the server and user ends. To address this challenge, this paper presents a secure user authentication scheme with anonymity (SUAA) for single-server and multi-server environments. It works on 3-factor authentication, involving passwords, smart cards, and biometric data. We use symmetric and asymmetric encryption for single-server and multi-server architectures respectively, to reduce the computational costs. Through a comprehensive security analysis, we show that the proposed scheme is reliable through mutual authentication, and is resilient to attacks addressed by state of the art solutions. Time cost analysis also shows less time required to complete the authentication process.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11042-018-5683-4

2018-01-01

Abstract:In this work, we demonstrate that Chaudhry et al.’s recent biometrics-based three factor authentication scheme is vulnerable to the denial of service attack, and it also fails to provide perfect forward secrecy because it only uses the lightweight symmetric key primitives to ensure security. To enhance the information security, this article presents a new robust biometrics-based mutual authentication scheme using elliptic curve cryptography for client-server architecture based applications in mobile environment. The proposed scheme supports session key agreement and flawless mutual authentication of participants, which is proved under the BAN logic. Moreover, the proposed scheme provides prefect security attributes and resists all known attacks, and it has perfect performance in communication cost. Thereby, the proposed scheme is more suitable for client-server architecture based applications.

Ping Wang,Zijian Zhang,Ding Wang

DOI: https://doi.org/10.1007/978-3-030-01950-1_50

2018-01-01

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Yu Zhang, Guangmin Sun

DOI: https://doi.org/10.17762/converter.105

2021-01-01

CONVERTER

Abstract:Aiming at the security problems of authentication in multi-server environments, a novel three-factor authentication scheme for multi-server environments of industrial Internet is proposed. After verifying password and face, a temporary session key is established for the user and server. Then the user obtains the permission of application services and accessing resources. In process of verifying password, hash function is used to hide password. The method of verifying face is the face recognition based on singular value decomposition. During the key agreement phase, only four dot multiplication operations based on elliptic curve cryptography is used to realize one-time key for cryptograph transmission and mutual authentication. Through security analysis and performance comparison, the proposed scheme has stronger robustness, higher security, better convenience and less computation cost than other similar schemes, and has high application value for multi-server environments of industrial Internet.

Xiong Li,Jian Ma,Wendong Wang,Yongping Xiong,Junsong Zhang

DOI: https://doi.org/10.1016/j.mcm.2012.06.033

2013-01-01

Mathematical and Computer Modelling

Abstract:With the purpose of using numerous different network services with single registration, various multi-server authentication schemes have been proposed. Furthermore, in order to protect the users from being tracked when they login to the remote server, researchers have proposed some dynamic ID based remote user authentication schemes for multi-server environments. Recently, Lee et al. have pointed out the security weaknesses of Hsiang and Shih’s dynamic ID based multi-server authentication scheme, and proposed an improved dynamic ID based authentication scheme for multi-server environments. They claimed that their scheme provided user anonymity, mutual authentication, session key agreement and can resist several kinds of attacks. In this paper, however, we find that Lee et al.’s scheme is still vulnerable to forgery attack and server spoofing attack. Besides, their scheme cannot provide proper authentication if the mutual authentication message is partly modified by the attacker. In order to remove these security weaknesses, we propose a novel smart card and dynamic ID based authentication scheme for multi-server environments. In order to protect the user from being tracked, the proposed scheme enables the user’s identity to change dynamically when the user logs into the server. The proposed scheme is suitable for use in multi-server environments such as financial security authentication since it can ensure security while maintaining efficiency.

Ding WANG,Wen-Ting LI,Ping WANG

DOI: https://doi.org/10.13328/j.cnki.jos.005361

2018-01-01

Journal of Software

Abstract:The design of secure and efficient user authentication protocols for multi-server environment is becoming a hot research topic in the cryptographic protocol community. Based on the widely accepted adversary model, this paper analyzes three representative, recently proposed user authentication schemes for multi-server environment. The paper reveals that: 1) Wan et al.’s scheme is subject to offline password guessing attack as opposed to the authors’ claim, and it also cannot provide user anonymity and forward secrecy; 2) Amin et al.’s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds o f forward secrecy issues; 3) Reedy et al.’s scheme cannot resist against user impersonation attack and offline password guessing attack, and  基金项目: 国家自然科学基金(61472016); 国家重点研发计划(2016YFB0800603, 2017YFB1200700) Foundation item: National Natural Science Foundation of China (61472016); National Key Research and Development Plan (2016YFB0800603, 2017YFB1200700) 本文由“面向隐私保护的新型技术与密码算法”专题特约编辑黄欣沂教授推荐. 收稿时间: 2017-05-30; 修改时间: 2017-07-13; 采用时间: 2017-08-22; jos 在线出版时间: 2017-10-17 CNKI 网络优先出版: 2017-10-17 13:38:05, http://kns.cnki.net/kcms/detail/11.2560.TP.20171017.1338.008.html 1938 Journal of Software 软件学报 Vol.29, No.7, July 2018 also falls short of user un-traceability. The paper highlights three principles for designing more robust anonymous multi-factor authentication schemes: Public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. It further proposes some amendments for the identified secur ity flaws.

Shudong Li,Xiaobo Wu,Dawei Zhao,Aiping Li,Zhihong Tian,Xiaodong Yang

DOI: https://doi.org/10.1371/journal.pone.0202657

IF: 3.7

2018-01-01

PLoS ONE

Abstract:Recently, Li et al. proposed a novel smart card and dynamic ID-based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several types of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and off-line dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. By analyzing other similar schemes, we find that a certain type of dynamic ID-based multi-server authentication scheme in which only hash functions are used and whereby no registration center participates in the authentication and session key agreement phase faces difficulties in providing perfectly efficient and secure authentication. To compensate for these shortcomings, we propose a novel dynamic ID-based remote user authentication scheme for multi-server environments based on pairing and self-certified public keys. Security and performance analyses show that the proposed scheme is secure against various attacks and has many excellent features.

Xiong Li,Jianwei Niu,Saru Kumari,SK Hafizul Islam,Fan Wu,Muhammad Khurram Khan,Ashok Kumar Das

DOI: https://doi.org/10.1007/s11042-017-4390-x

IF: 2.017

2014-01-01

Wireless Personal Communications

Abstract:The widespread popularity of the computer networks has triggered concerns about information security. Password-based user authentication with key agreement protocols have drawn attentions since it provides proper authentication of a user before granting access right to services, and then ensure secure communication over insecure channels. Recently, Lee et al. pointed out different security flaws on Tsaur et al.'s multi-server user authentication protocol, and they further proposed an extended chaotic maps-based user authentication with key agreement protocol for multi-server environments. However, we observed that Lee et al.'s protocol has some functionality and security flaws, i.e., it is inefficient in detection of unauthorized login and it does not support password change mechanism. Besides, their protocol is vulnerable to registration center spoofing attack and server spoofing attack. In order to remedy the aforementioned flaws, we proposed a novel chaotic maps-based user authentication with key agreement protocol for multi-server environments. The proposed protocol is provably secure in the random oracle model under the chaotic-maps based computational Diffie-Hellman assumption. In addition, we analyzed our protocol using BAN logic model. We also compared our protocol with Lee et al.'s protocol in aspects of computation cost, functionalities and securities.