Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Qi XIE,XiuYuan YU,WenHao LIU,DeRen CHEN,GuiLin WANG,JiYi WU

DOI: https://doi.org/10.1360/112011-915

2012-01-01

Scientia Sinica Informationis

Abstract:Mutual authentication between the user and the public cloud is essential requirement for the user to access the public cloud in cloud computing. In 2011, Juang et al. proposed a first authentication scheme based on proxy signature. The advantage of the scheme is that the user only needs to register on his home service cloud (HSC), and can pass through the authentication of the public cloud with the help of his HSC. However, their scheme has three weaknesses: 1) the users HSC needs to update the users public key in each session to protect the users privacy; 2) HSC may suffer from network jam when many users in the same HSC need to register on different public clouds simultaneously; and 3) a secret key should be shared between HSC and visiting cloud. To overcome these weaknesses, a provably secure convertible proxy signcryption for privacy preserving is proposed. Based on this scheme, a novel one-round authentication protocol is proposed, which the user only needs to register on his HSC, and can pass through the authentication of the visiting cloud without the help of his HSC. On the other hand, the proposed protocol can provide some nice properties, such as user privacy protection, non-repudiation, without updating the users public key, and secret key does not have to be shared between HSC and visiting cloud. In addition, the proposed scheme is provably secure in the random oracle model, and is more efficient than Juang et al.s scheme.

TAN Jinfu,SONG Anjun,PENG Qinke,Hu Baosheng

DOI: https://doi.org/10.3969/j.issn.1004-373x.2007.18.037

2007-01-01

Abstract:SSO technology is gradually applied in many fields of software systems.This paper introduces the requirements of SSO and analyzes the inner mechanism of SSO in web applications on the basis of Cookie technology.Besides,SSO is further expatiated on the aspect of security and performance,its risks and improvements needing to be done are pointed out.

Siyu Gan,Gu, Chunhua,Xueqin Zhang

DOI: https://doi.org/10.1109/IEEC.2010.5533219

2010-01-01

Abstract:With the rapid development of E-Business systems, the technology of distributed services and security becomes research focus in the field of Internet based applications. The distributed E-Business application platform has strong security requirements and specific demands on secure user authentication. After analyzing the distributed authentication protocol and public key infrastructure (PKI), a method for distributed E-Business application authentication using public key cryptography is introduced in this paper. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved.

Dongxi Zheng,Shaohua Tang,Shaofa Li

DOI: https://doi.org/10.1142/S0218126605002714

2011-01-01

Journal of Circuits Systems and Computers

Abstract:Web Services technology is suitable for cross-platform and cross-application integration. To secure systems based on Web Services, a single sign-on protocol for Web Services supporting several login modes are presented. The architecture and the formalized flow of the protocol are described. The protocol is also analyzed and proven using an extended SVO logic.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Ge Gao,Yuan Zhang,Yaqing Song,Shiyu Li

DOI: https://doi.org/10.1109/tifs.2024.3392533

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Single-sign-on (SSO) authentication employs an identity provider (IdP) to provide users with an efficient way to authenticate themselves with different service providers and has been widely applied in digital systems. However, existing SSO authentication schemes suffer from critical issues in terms of security and privacy. Regarding security, most SSO authentication schemes achieve a high convenience at the expense of security and are thereby susceptible to various attacks. Regarding privacy, most existing schemes fail to protect users' subscription pattern and access pattern against adversaries who can easily extract users' sensitive information from their authentications and launch subsequent attacks for profits. In this paper, we develop a practical SSO authentication system, dubbed PrivSSO, with the protection of users' subscription pattern and access pattern. To balance the trade-off between security and convenience, the key technique is a secure "hybrid" key-based authentication mechanism: a long-term key stored in a well-guarded hardware token serves as the "primary" authentication factor (AF) to guarantee strong security; an ephemeral key bound with portable device(s) serves as the "daily-used" AF to achieve high convenience. To protect the subscription pattern and access pattern from leakage, we propose a redactable token generation mechanism, where the users themselves specify what IdP and the service providers can learn from their authentications. We formally define and prove the security of PrivSSO. We also implement a PrivSSO prototype and conduct a comprehensive performance evaluation to demonstrate its practicality.

Fang Song,Jianhua Chen,Debiao He

2014-01-01

Abstract:With advancement of computer community, people can obtain their service through the mobile devices. The number of service servers providing Internet applications is usually more than one. As a result, users generally need multiple servers to provide different services. It has become a big challenge to design a secure and efficient authentication for remote user under multi-server architecture. In 2013, Jiang et al. proposed an anonymous user authentication with key agreement scheme without pairings for multi-server architecture using self-certified public keys (SCPKs). They claimed that their scheme can satisfy all of the requirements needed for achieving secure authentication in multi-server environments. However, in this paper, we will show that Jiang et al.'s scheme cannot withstand password guessing attack, impersonation attack and insider attack. Therefore, we present a more secure authentication based on SCPKs.

Xiong Li,Jian Ma,Wendong Wang,Yongping Xiong,Junsong Zhang

DOI: https://doi.org/10.1016/j.mcm.2012.06.033

2013-01-01

Mathematical and Computer Modelling

Abstract:With the purpose of using numerous different network services with single registration, various multi-server authentication schemes have been proposed. Furthermore, in order to protect the users from being tracked when they login to the remote server, researchers have proposed some dynamic ID based remote user authentication schemes for multi-server environments. Recently, Lee et al. have pointed out the security weaknesses of Hsiang and Shih’s dynamic ID based multi-server authentication scheme, and proposed an improved dynamic ID based authentication scheme for multi-server environments. They claimed that their scheme provided user anonymity, mutual authentication, session key agreement and can resist several kinds of attacks. In this paper, however, we find that Lee et al.’s scheme is still vulnerable to forgery attack and server spoofing attack. Besides, their scheme cannot provide proper authentication if the mutual authentication message is partly modified by the attacker. In order to remove these security weaknesses, we propose a novel smart card and dynamic ID based authentication scheme for multi-server environments. In order to protect the user from being tracked, the proposed scheme enables the user’s identity to change dynamically when the user logs into the server. The proposed scheme is suitable for use in multi-server environments such as financial security authentication since it can ensure security while maintaining efficiency.

Wang Ke,Ling Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.02.068

2008-01-01

Abstract:In order to make the authentic-name network services much more convenient and effective for customers,a model of Single-Sign-On in Authentic-Name Network Services is proposed.The model combines the advantages of two popular SSO methods,Centralized SSO(Microsoft) and distributed SSO(Liberty Alliance).Based on this,the SSO process in Authentic-Name Network Services is elaborated with the eKey idea,and finally,a daemon is set up to verify the model.

Kaiping Xue,Peilin Hong,Changsha Ma

DOI: https://doi.org/10.1016/j.jcss.2013.07.004

IF: 1.043

2014-02-01

Journal of Computer and System Sciences

Abstract:Traditional password based authentication schemes are mostly considered in single-server environments. They are unfit for the multi-server environments from two aspects. Recently, base on Sood et al.ʼs protocol (2011), Li et al. proposed an improved dynamic identity based authentication and key agreement protocol for multi-server architecture (2012). Li et al. claim that the proposed scheme can make up the security weaknesses of Sood et al.ʼs protocol. Unfortunately, our further research shows that Li et al.ʼs protocol contains several drawbacks and cannot resist some types of known attacks. In this paper, we further propose a lightweight dynamic pseudonym identity based authentication and key agreement protocol for multi-server architecture. In our scheme, service providing servers donʼt need to maintain verification tables for users. The proposed protocol provides not only the declared security features in Li et al.ʼs paper, but also some other security features, such as traceability and identity protection.

computer science, theory & methods, hardware & architecture

Ke CHEN,Kun SHE,Di-ming HUANG

2005-01-01

Journal of Computer Applications

Abstract:Single-signon technology enables users to use multiple Web services without repetitious login which makes user identity management more convenient and secure.SAML is the criterion to implement a single-signon system.It provides a standard for Web services to exchange user identity authentication information.The implementation of SAML artifact technology in single-signon system was mainly discussed.The flow and security of this single-signon system was analyzed.

Wu Peng,Su Xinning

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.06.001

2006-01-01

Abstract:At present,the main research fields of security technology are network security,security protocol and encryption arithmetic.The research of security of application layer is want,and ongoing research projects is part application oriented,such as safe mail system,safe document system.This paper designs a Web application security total solution based on PKI/PMI,to implement security control for application layer,and proposes the method to implement by an instance.

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

Xiong Li,Yongping Xiong,Jian Ma,Wendong Wang

DOI: https://doi.org/10.1016/j.jnca.2011.11.009

IF: 7.574

2012-01-01

Journal of Network and Computer Applications

Abstract:Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficient, and security.

Haojiang Gao,Xiao Tian-yuan

2011-01-01

Abstract:To overcome the shortcomings of SAML(security assertion markup language),the following improvements are done.Web sites group-based session life cycle is defined.Reverse query on-line user(RQOU) protocol,and logout of fixed logon(SOFL) protocol is designed.Avoiding duplication login method is given.Domain-crossed SSO problem is resolved.A data synchronization strategy is stated,which simplifies legacy system integration.A SSO system based on these designs is used in a state-owned bank in China,which has reduced system management costs and improved productivity,and then satisfies the enterprise requirements.