Alzubair Hassan,Nabeil Eltayieb,Rashad Elhabob,Fagen Li

DOI: https://doi.org/10.1007/978-3-319-59463-7_59

2018-01-01

Abstract:Based on mobile devices limitations, several user authentications and key exchange schemes have been proposed for mobile devices using identity-based public key cryptography (ID-PKC). However, these schemes suffer from key escrow problem. Moreover, they are not secure against impersonation attacks, and they can't achieve perfect forward secrecy. In this paper, a new user authentication and key exchange protocol for the mobile client-server environment is proposed. Certificateless public key cryptography (CL-PKC) and bilinear pairing are adopted in the proposed scheme. Our protocol solves the key escrow problem of identity-based public key cryptography. Also, it is secure against both adversaries type I and type II. Furthermore, the proposed protocol achieves perfect forward secrecy. We prove the security of our protocol in the random oracle model under the Computational Diffie-Hellman (CDH) problem. Hence, the proposed scheme is more suitable for the mobile devices environments.

Alzubair Hassan,Rafik Hamza,Vittor Gift Mawutor,Akash Suresh Patil,Fagen Li

DOI: https://doi.org/10.1007/978-3-030-30619-9_9

2019-01-01

Abstract:Nowadays, smartphone applications are the most widespread in our daily lives. These applications raised several security concerns such as authentication, key agreement, and mutual authentication. Accordingly, the researchers have been presented several user authentication schemes based on the identity-based cryptography (IBC) and certificateless cryptography (CLC). Smartphones considered as limited resources devices, thus, it needs lightweight protocols. However, the existing schemes are suffering from high computational costs especially the one that depends on CLC. In this paper, a lightweight certificateless user authentication scheme based on the elliptic curve cryptography (ECC) is introduced. The proposed scheme has the lowest computation costs comparing with the existing certificateless user’s authentication protocols. Furthermore, The proposed scheme is secure under the computational Diffie-Hellman (CDH) Problem and the elliptic curve discrete logarithm problem (ECDLP). Indeed, the proposed scheme is suitable to use in the mobile client-server environment and the Internet of things (IoT) applications.

Fagen Li,Jiye Wang,Yuyang Zhou,Chunhua Jin,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11276-018-1839-4

IF: 2.701

2018-01-01

Wireless Networks

Abstract:In a mobile client–server environment, a low-power mobile device wants to access a strong server to get some kind of services. User authentication and key establishment are two basic security requirements for this environment. Without the user authentication, an unauthorized user can access the server and gets the services. Without the key establishment, the communication between the user and the server will be disclosed. Recently, some user authentication and key establishment protocols were designed. However, all of them are homogeneous since the client and the server belong to the same cryptosystem. That is, both the client and the server belong to public key infrastructure or identity-based cryptosystem or self-certified cryptosystem. Such design does not comply with the characteristic of mobile client–server application. In this paper, we design a heterogeneous user authentication and key establishment protocol using a signcryption scheme. In this protocol, the client uses identity-based cryptosystem and the server uses the public key infrastructure. As compared with existing works, our protocol has the lowest cost in computation and communication.

Qi Xie,Deren Chen

DOI: https://doi.org/10.1109/icie.2010.292

2010-01-01

Journal of Networks

Abstract:To use the network services provided by multiple servers in mobile wireless network, a hash function and smart card based multi-server authentication scheme without verification tables and servers' public keys is proposed. The new protocol has many advantages, such as no encryption, signature, verification tables, timestamp, and public keys directory.

Bo LIU,Yu-Yang ZHOU,Fei HU,Fa-Gen LI

DOI: https://doi.org/10.13868/j.cnki.jcr.000224

2018-01-01

Abstract:With the rapid development of E-commerce, network service providers usually provide users with a wide range of services running on different servers. Thus, multi-server model has been widely used. Meanwhile, more and more people access network services more quickly through the mobile phones or other mobile devices, this is the current mobile client-multi-server model which has been very popular. On one hand, mobile devices bring convenience to our lives. On the other hand, the openness of mobile Internet makes its security issues more serious. It is necessary to design a user authentication and key agreement protocol for the mobile client-multi-server model. However, compared with personal computers, mobile devices have resource-constrained features. So how to design a protocol that combines security and efficiency is not an easy task. In order to solve this problem, this study proposes a user authentication and key agreement protocol under the mobile client-multi-server model. Certificateless public key cryptography can solve the problem of certificate management in traditional public key systems and the inherent key escrow problem in identity-based public key cryptography, it has the advantages of both high efficiency and security. In addition, the mobile devices have the characteristics of resource constraints, so the certificateless public key cryptography is very suitable for designing a security protocol for mobile devices which have limited resources. In this paper, it is proved that the proposed protocol can provide mutual authentication and secure key agreement services in the random oracle model. Compared with other protocols of the same type,the proposed protocol in this paper has a better computational efficiency.

Alzubair Hassan,Rafik Hamza,Fagen Li,Awad Ali,Mohammed Bakri Bashir,Samar M. Alqhtani,Tawfeeg Mohmmed Tawfeeg,Adil Yousif

DOI: https://doi.org/10.1109/ACCESS.2022.3186683

IF: 3.9

2022-01-01

IEEE Access

Abstract:Mobile devices have become very important for our daily needs. The user authentication protocols with the key agreement are required to deal with the security issues that arise from the use of mobile devices through Internet applications. However, existing user authentication protocols are only suitable if the client and the server use a similar cryptographic approach. Therefore, it is important to develop an authentication protocol for mobile environments with heterogeneous cryptographic approaches. In this paper, an efficient user authentication and key agreement protocol is proposed for a heterogeneous client-server mobile environment. The security of the proposed scheme is formally proved under the q-strong Diffie-Hellman problem (q-SDH), the q-bilinear Diffe-Hellman inversion problem (q-BDHI), and the modified bilinear Diffie-Hellman inversion problem (mBDHI), respectively. Our scheme has reasonable processing costs and communication costs on the client and server sides. Moreover, our scheme is suitable for applications that use different cryptographic approaches. In particular, the proposed protocol can work when the client applies the identity-based cryptosystem and the server applies the certificateless cryptosystem.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1002/dac.3341

2017-01-01

International Journal of Communication Systems

Abstract:SummaryThe primary goal of this research is to ensure secure communications by client‐server architectures in mobile environment. Although various two‐party authentication key exchange protocols are proposed and claimed to be resistant to a variety of attacks, studies have shown that various loopholes exist in these protocols. What's more, many two‐party authentication key exchange protocols use timestamp to prevent the replay attack and transmit the user's identity in plaintext form. Obviously, these methods will lead to the clock synchronization problem and user's anonymity problem. Fortunately, the three‐way challenged‐response handshake technique and masking user's original identity with a secret hash value used in our study address these problems well. Of course, the proposed protocol based on elliptic curve cryptography supports flawless mutual authentication of participants, agreement of session key, impersonation attack resistance, replay attack resistance, and prefect forward secrecy, as well. The analyses in the aspects of efficiency and security show that the proposed protocol is a better choice for mobile users.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.1016/j.inffus.2011.01.001

IF: 18.6

2012-01-01

Information Fusion

Abstract:Recently, lots of remote user authentication schemes are implemented on elliptic curve cryptosystem (ECC) to reduce the computation loads for mobile devices. However, most of those remote user authentication schemes on ECC suffer from different attacks and can not provide provable security. Therefore, we propose an ID-based remote mutual authentication with key agreement scheme on ECC in this paper. The proposed scheme not only provides mutual authentication but also supports a session key agreement between the user and the server. The scheme also provides the known session key security, the perfect forward secrecy, the no key-compromise impersonation, the no unknown key-share and the no key control. Compared with the related works, the proposed scheme is more efficient and practical for mobile devices. We also give a security proof under the random oracle.

Her-Tyan Yeh,Hung-Min Sun

DOI: https://doi.org/10.1016/s0164-1212(03)00093-1

IF: 3.5

2004-01-01

Journal of Systems and Software

Abstract:Up to now, most of the literature on three-party authentication and key distribution protocols has focused on the environment in which two users (clients) establish a session key through an authentication server. In this paper, we discuss another environment in which a user (client) requests service from an application server through an authentication server. We propose two secure and efficient authentication protocols (KTAP: key transfer authentication protocol and KAAP: key agreement authentication protocol) to fit this environment. These two proposed protocols can be efficiently applied to various communication systems in distributed computing environments since they provide security, efficiency, and reliability.

Huihui Yang,J.H. Chen,Yongjuan Zhang

DOI: https://doi.org/10.2991/itms-15.2015.224

2015-01-01

Abstract:Key exchange protocol plays an important role in cryptosystem, by which two sides who communicate with each other over an open network can obtain a common session key to keep the communication secret.Both two communication entities make full use of the received messages to compute a secret session key.In 1976, Diffie and Hellman [1] put forward a first key exchange protocol, which cannot make authentication of two communication entities possible.On account of lacking mutual authentication, two parties are subject to the man-in the-middle attack.Since then, some two-party authentication key exchange (2PAKE) protocols are proposed [2][3][4][7][8][9][10].Two authentication key exchange protocols furnish mutual authentication of two entities and are suitable for application in public channel.On the basis of new cryptographic techniques, 2PAKE protocols can be divided into three classes.(1) A public-key-based key exchange protocol authenticates each other and builds a common session key by means of public-key technology of cryptography.However, it takes much time to verify the process for certificates in a public-key cryptosystem.(2) A two-party password-based authentication key exchange (2PAKE) protocol allows two sides to have a share in a common password so as to obtain a secret session key.But it is unfit for large area wide range of communication environment to share a secret password for building the common session key.(3) An ID-based key exchange protocol utilizes some user's information (identity, e-mail or social security number) as its public key.Miller [5] and Koblitz [6] propose the concept of ECC.Yang et al. [11] proposed 2PAKE on basis of ECC [12] to increasing the level of security.In 2009, Yoon et al. [13] pointed out that Yang et al.'s protocol cannot furnish forward secrecy and be subject to impersonation attacks.Compared with Yoon et al.'s scheme, He et al.'s scheme [14] is more fit and efficient in mobile environment.This is because Yoon et al.'s protocol cannot furnish prefect forward secrecy.However, He et al.'s protocol doesn't surmount weakness.A legal party cannot confirm whether or not private key of the user is correct.Based on the above protocols, Chou et al. propose an ID-based authenticated scheme [15].However, their protocol cannot resist impersonation attacks.In this paper, we proposed new protocol can resist impersonation attack, public key problem, unknown key share attack, mutual authentication, forward secrecy and deniable authentication attack.Meanwhile, we show that our protocol is efficient.The remainder of this paper is organized as follows.Section 2 describes some preliminaries.We propose our protocol in Section 3. The security analysis of the proposed protocol is presented in Section 4. Comparisons are given in Section 5.

Debiao He,Sahadeo Padhye,Jianhua Chen

DOI: https://doi.org/10.1016/j.camwa.2012.03.044

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:Since certificateless public key cryptography (CLPKC) has received widespread attention due to its efficiency in avoiding key escrow problems in identity-based public key cryptography (ID-PKC), the certificateless authenticated key agreement (CLAKA) protocol, an important part of CLPKC, has been studied a great deal. Most CLAKA protocols are built from pairings which need costly operations. To improve the performance, several pairing-free CLAKA protocols have been proposed. In this paper, we propose a new pairing-free CLAKA protocol. Compared with the related protocols, our protocol has better performance. Also, our protocol is provably secure in a very strong security model—the extended Canetti–Krawczyk (eCK) model.

Hu Xiong,Zhong Chen,Zhiguang Qin

DOI: https://doi.org/10.1080/00207160.2011.568613

IF: 1.75

2011-01-01

International Journal of Computer Mathematics

Abstract:Key agreement protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key that is known only to those entities and which cannot be predetermined by any party. Key agreement can be achieved using a public key infrastructure or identity-based cryptography. However, the former suffers from a heavy certificate management burden, while the latter is subject to the so-called key escrow problem. Recently, the notion of certificateless public key cryptography (CL-PKC) was introduced to mitigate these limitations. In this paper, we introduce the notion of three-party authenticated key agreement into CL-PKC and propose a concrete certificateless three-party authenticated key agreement protocol. We show that the proposed protocol is secure (i.e. conforms to defined security attributes) while being efficient.

Kai Xi,Tohari Ahmad,Fengling Han,Jiankun Hu

DOI: https://doi.org/10.1002/sec.225

IF: 1.968

2011-01-01

Security and Communication Networks

Abstract:With fast evolution of mobile devices and mobile network, the need of protecting user sensitive information locally and performing secure user authentication remotely become evermore increasing. Bio-cryptography is emerging as a powerful solution which can combine the advantages of conventional cryptography and biometric security. In this paper, we present an efficient bio-cryptographic security protocol designed for client/server authentication in current mobile computing environment, with a reasonable assumption that server is secure. In this protocol, fingerprint biometric is used in user verification, protected by a computationally efficient Public Key Infrastructure (PKI) scheme, Elliptic Curve Cryptography (ECC). The genuine fingerprint information is hidden in the feature vault which is the mixture of genuine and chaff features. Fingerprint features are not only used for biometric verification but also for cryptographic key generation. Our security analysis shows that the proposed protocol can provide a secure and trustworthy authentication of remote mobile users over insecure network. Experimental results on public domain database show an acceptable verification performance. We also tested the computational costs and efficiency of our protocol on the CLDC emulator using Java ME (previous J2ME) programming technology. The simulation results prove that the proposed protocol suits current mobile environment. Copyright (C) 2010 John Wiley & Sons, Ltd.

Khalid Mahmood,Aniqa Rehman,Pradeep Chaudhary,Xiong Li,Fan Wu,Saru Kumari

DOI: https://doi.org/10.1002/dac.4253

2020-01-01

International Journal of Communication Systems

Abstract:Rapid evolution in information and communication technologies has facilitated us to experience mobile communication in our daily routine. Mobile user can only avail the services from the server, once he/she is able to accomplish authentication process successfully. In the recent past, several researchers have contributed diverse authentication protocols for mobile client-server environment. Currently, Lu et al designed two-factor protocol for authenticating mobile client and server to exchange key between them. Lu et al emphasized that their scheme not only offers invincibility against potential security threats but also offers anonymity. Although this article reveals the facts that their protocol is vulnerable against client and server impersonation, man-in-the-middle, server key breach, anonymity violation, client traceability, and session-specific temporary attacks, therefore, we have enhanced their protocol to mitigate the above mention vulnerabilities. The enhanced protocol's security strength is evaluated through formal and informal security analysis. The security analysis and performance comparison endorses the fact that our protocol is able to offer more security with least possible computation complexity.

Junsong Zhang,Jian Ma,Xiong Li,Wendong Wang

DOI: https://doi.org/10.3837/tiis.2014.08.021

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid growth of the communication technology, intelligent terminals (i.e. PDAs and smartphones) are widely used in many mobile applications. To provide secure communication in mobile environment, in recent years, many user authentication schemes have been proposed. However, most of these authentication schemes suffer from various attacks and cannot provide provable security. In this paper, we propose a novel remote user mutual authentication scheme for multi-server environments using elliptic curve cryptography (ECC). Unlike other ECC-based schemes, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC). Through this method, the proposed scheme requires less ECC-based operations than the related schemes, and makes it possible to significantly reduce the computational cost. Security and performance analyses demonstrate that the proposed scheme can solve various types of security problems and can meet the requirements of computational complexity for low-power mobile devices.

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Huibo Yang,Jianhua Chen,Yuanyuan Zhang

DOI: https://doi.org/10.1007/s11277-015-2847-7

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:Mobile environment has been used in large area range of network. In order to secure communication, a number of schemes have been proposed. The typical schemes are two-party authentication key exchange (2PAKE) protocols. It is based on elliptic curve cryptosystem. The main weakness of the protocol is that attackers have the ability to impersonate a legal user at any time. In addition, it is vulnerable to the public key problem and unknown key share attack. In this paper, we propose a 2PAKE protocol. Our protocol is indeed safer and meets the needs. Hence, the proposed protocol has a great contribution to the area of mobile environment.

Kaiping Xue,Peilin Hong,Changsha Ma

DOI: https://doi.org/10.1016/j.jcss.2013.07.004

IF: 1.043

2014-02-01

Journal of Computer and System Sciences

Abstract:Traditional password based authentication schemes are mostly considered in single-server environments. They are unfit for the multi-server environments from two aspects. Recently, base on Sood et al.ʼs protocol (2011), Li et al. proposed an improved dynamic identity based authentication and key agreement protocol for multi-server architecture (2012). Li et al. claim that the proposed scheme can make up the security weaknesses of Sood et al.ʼs protocol. Unfortunately, our further research shows that Li et al.ʼs protocol contains several drawbacks and cannot resist some types of known attacks. In this paper, we further propose a lightweight dynamic pseudonym identity based authentication and key agreement protocol for multi-server architecture. In our scheme, service providing servers donʼt need to maintain verification tables for users. The proposed protocol provides not only the declared security features in Li et al.ʼs paper, but also some other security features, such as traceability and identity protection.

computer science, theory & methods, hardware & architecture

Shi Yijuan,Li Jianhua

DOI: https://doi.org/10.1007/s11859-006-0194-y

2007-01-01

Wuhan University Journal of Natural Sciences

Abstract:Certificateless public key cryptography was introduced to overcome the key escrow limitation of the identity-based cryptography. It combines the advantages of the identity-based cryptography and the traditional PKI. Many certificateless public key encryption and signature schemes have been proposed. However, the key agreement in CL-PKE is seldom discussed. In this paper, we present a new certificateless two party authentication key agreement protocol and prove its security attributes. Compared with the existing protocol, our protocol is more efficient.