Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

Weili Han,Ye Cao,Chang Lei

DOI: https://doi.org/10.1109/ithings/cpscom.2011.64

2011-01-01

Abstract:The authentication based on user's username and password is one of the most popular ways to verify a user when he or she enters an information system. Thus, in recent years, many attackers, e.g. phishers, aim to steal passwords to intrude information systems. To strengthen the password-based authentication, we introduce a method, named SmartID, where we use a Bluetooth-enabled Smart Phone as a platform to store user's username, password and their relevant information of login interface. SmartID can help a user authenticate both his or her identify and validity of login interfaces of web sites and desktops. The experiment and analysis show that SmartID can offer an excellent recall rate, and an acceptable precision rate for anti-phishing and anti-pharming. Thus, SmartID is applicable to strengthen password-based authentication.

张亮,刘建伟

DOI: https://doi.org/10.3969/j.issn.1002-0802.2009.01.091

2009-01-01

Abstract:With the improvement of wireless network, there are increasing users wirelessly accessing the Internet through mobile phones. So it is very important to solve the identity authentication problems of wireless access users. Dynamic password has become the new development trend for the Identity Authentication mechanism. It offers stronger security than the static password. In this article, a dynamic password authentication protocol based on callenge/rsponse mechanism is designed. According to this protocol, a dynamic password identity authentication system based on mobile phone token is designed. The composition and authentication processes of this system are described in detail, and its security is analyzed as wel1. The analysis indicates that this system features high security and wide application. It can be conveniently used and implemented in low cost.

Mengjun Xie,Yanyan Li,Kenji Yoshigoe,Remzi Seker,Jiang Bian

DOI: https://doi.org/10.1109/hase.2015.41

2015-01-01

Abstract:Frequent outbreak of password database leaks and server breaches in recent years manifests the aggravated security problems of web authentication using only password. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., Smartphones) and barcode scans through camera, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a use who is performing a web login from a PC. The device communicates directly with the PC through the secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.

ZHANG Xiao-wei,ZHANG Gui-dong,SHEN Yong-jun

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2009.12.043

2009-01-01

Abstract:As the first defense line of secure application system, the identity authentication is the most important secure service. By analyzing disadvantages of username/password and one-time password, and the threat of malware, we proposed a double factor authentication system based on mobile terminal. Analyzing and testing of the prototype system indicated that the system can resolve problems such as password guess, small integer attack, password leak brought by malware, etc, and have well running efficiency.

Wang Yi,Wang Lixing,Zhang Lei,Han Weili

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.12.087

2009-01-01

Abstract:This paper provides a novel approach for password management through the smart phone with bluetooth.It brings users high efficiency along with security as general password management has,and avoids unsafe factors which would be a big issue of normal password management tool due to being installed on vulnerable PC.The approach discussed here also provides authentication for web-based login applications which ensures the password will be inputted precisely on legitimate websites while login so as to effectively cope with common phishing attacks.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Wanjun Xiong,Fan Zhou,Ruomei Wang,Rushi Lan,Xiyan Sun,Xiaonan Luo

DOI: https://doi.org/10.1109/access.2018.2869535

IF: 3.9

2018-01-01

IEEE Access

Abstract:With regard to the privacy of client-server communication systems, most research works have concentrated on authentication to guarantee security. Among the investigated schemes, two-factor password authentication has been a major focus and has undergone considerable development. Two-factor password authentication is a process in which both a password and a physical object are used for authentication to achieve a higher level of security. However, these methods are still subject to some security vulnerabilities, such as malicious card reader attacks, man-in-the-middle attacks, and a lack of perfect forward secrecy. Moreover, although there are many evaluation criteria, there still lacks a set of universal criteria. To address these issues, a two-factor password authentication scheme is proposed in the context of practical application environment in this paper, such as side-channel attacks. Moreover, a card reader verification step is added to the authentication scheme to counteract malicious card reader attacks. In addition, the proposed scheme can resist various known attacks, including replay attacks, lost or stolen smart card attacks, and man-inthe-middle attacks. We present a detailed security analysis and comparative evaluation, and we prove the security of our scheme with Burrows-Abadi-Needham (BAN) logic. Compared with previous schemes, the main advantages of the proposed scheme are its low computational cost, guaranteed security, and better adaptability to actual client-server communication environments.

Yu-feng JIANG,Da-wei GUO,Hang LIU

DOI: https://doi.org/10.3969/j.issn.1674-6236.2017.23.011

2017-01-01

Abstract:With the development of society and the continuous improvement of information technology,the value of human-computer interaction in life is getting higher and higher and the importance of ensuring information security has become increasingly prominent.For the purpose of ensuring the security of mobile devices and the user's privacy,a system named WiF based on Wi-Fi is proposed.Experiment in the indoor environment using a signal transmitter and a signal receiver show that WiF can achieve a recognition accuracy of 86.11％ on the button of one to nine.

Baohua Zhao,Ningyu An,Xiao Liang,Chunhui Ren,Zhihao Wang

DOI: https://doi.org/10.1007/978-3-030-05755-8_1

2018-01-01

Abstract:In order to solve the security issues existed in RFID authentication in recent years. A mutual identity authentication scheme based on dynamic is proposed after describing and analyzing the problems that RFID authentication technology encounters, which can solve replay attack, man-in-the-middle attack and other security issues. In addition, this paper also describes the techno of Authentication technology. The method proposed refers to tags privacy level between Tag and Reader to achieve mutual authentication, it not only can enhance the privacy protection of the label carrier and protect the identity privacy of the Reader holder, but also has a certain effectiveness advantage.

Mete Eminağaoğlu,Ece Çini,Gizem Sert,Derya Zor,Mete Eminagaoglu,Ece Cini

DOI: https://doi.org/10.1109/est.2014.19

2014-09-01

Abstract:The use of QR code-based technologies and applications has become prevalent in recent years where QR codes are accepted to be a practical and intriguing data representation/processing mechanism amongst worldwide users. The aim of this study is to design and implement an alternative two-factor identity authentication system by using QR codes and to make the relevant mechanism and process that could be more user-friendly and practical than one-time password mechanisms used with similar purposes today. The proposed model in this project has been designed in order to enable the verification and validation steps with several security and networking options during the logon process. The model has been implemented by developing a two-factor identity verification system where the second factor is the user's smart/mobile phone device and a pseudo-randomly generated alphanumerical QR code which is used as the one-time password token sent to the user via e-mail or MMS. The proposed model has been developed using C#, asp.net and jQuery languages with symmetrical and asymmetrical cryptography standards for database encryption/hashing and network infrastructure and it has been tested as a prototype where promising results are observed regarding the efficiency, speed and security requirements for today's on-line financial services and similar e-commerce systems.

Chen Wang,Yan Wang,Yingying Chen,Hongbo Liu,Jian Liu

DOI: https://doi.org/10.1016/j.comnet.2020.107118

IF: 5.493

2020-04-01

Computer Networks

Abstract:<p>Mobile devices have brought a great convenience to us these years, which allow the users to enjoy the anytime and anywhere various applications such as the online shopping, Internet banking, navigation and mobile media. While the users enjoy the convenience and flexibility of the "Go Mobile" trend, their sensitive private information (e.g., name and credit card number) on the mobile devices could be disclosed. An adversary could access the sensitive private information stored on the mobile device by unlocking the mobile devices. Moreover, the user's mobile services and applications are all exposed to security threats. For example, the adversary could utilize the user's mobile device to conduct non-permitted actions (e.g., making online transactions and installing malwares). The authentication on mobile devices plays a significant role to protect the user's sensitive information on mobile devices and prevent any non-permitted access to the mobile devices. This paper surveys the existing authentication methods on mobile devices. In particular, based on the basic authentication metrics (i.e., knowledge, ownership and biometrics) used in existing mobile authentication methods, we categorize them into four categories, including the knowledge-based authentication (e.g., passwords and lock patterns), physiological biometric-based authentication (e.g., fingerprint and iris), behavioral biometrics-based authentication (e.g., gait and hand gesture), and two/multi-factor authentication. We compare the usability and security level of the existing authentication approaches among these categories. Moreover, we review the existing attacks to these authentication approaches to reveal their vulnerabilities. The paper points out that the trend of the authentication on mobile devices would be the multi-factor authentication, which determines the user's identity using the integration (not the simple combination) of more than one authentication metrics. For example, the user's behavior biometrics (e.g., keystroke dynamics) could be extracted simultaneously when he/she inputs the knowledge-based secrets (e.g., PIN), which can provide the enhanced authentication as well as sparing the user's trouble to conduct multiple inputs for different authentication metrics.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.

ZHANG Jin-ying,ZHENG Yu,LU Xian-hui,HE Da-ke

2005-01-01

Abstract:A password-based remote user authentication scheme was proposed by Lin and Lai, but there were some vulnerabilities in time-stamp and user ID.So an improved scheme based on challenge-response was presented,adopting diplex authentication technologies,fingerprint and smart card.It could achieve mutual authentication and avoid replay attack and masquerade attack.The random factor was generated by the mutual parties to guarantee the authentication fairness.Moreover,user's fingerprint needed not be transmitted in the authentication process to protect user's privacy.

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Yi Hui He

DOI: https://doi.org/10.4028/www.scientific.net/amr.926-930.2819

2014-01-01

Advanced Materials Research

Abstract:Network security and identity authentication is confirmed the true identity whether the user and the claimed identity is consistent or not, in order to prevent the illegal user access the system for resources by identity fraud. The one-time password authentication technology with high safety, convenient for using, easy for management and lower cost is applied widely and has bright prospection. The one-time password authentication technology support to add uncertain factors in the login process, so that the login authentication informations are not the same each time. It is useful to improve the security of the login process. In this paper, a new system which is based on the the one-time password authentication technology called biometric system is first introduced. Then the framework of multi-biometric system is presented, and several examples are also shown. The prospect about multi-biometric fusion is also given.

Guomin Yang,Duncan S. Wong,Huaxiong Wang,Xiaotie Deng

DOI: https://doi.org/10.1016/j.jcss.2008.04.002

IF: 1.043

2008-01-01

Journal of Computer and System Sciences

Abstract:One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1109/tdsc.2016.2605087

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.