YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Mahdi Ghafoorian,Morteza Nikooghadam

DOI: https://doi.org/10.1007/s11276-020-02319-x

IF: 2.701

2020-04-27

Wireless Networks

Abstract:Near Field Communication (NFC) is a promising technology that facilitate E-commerce through contactless communications. In the past decade, the NFC characteristics such as availability and usage simplicity have attracted the attention of most smartphones’ manufacturers and industries. Nevertheless, lack of a common and a comprehensive approach to employ NFC as a contactless payment tool, results in the persistence of some unresolved problems. These problems have hampered the widespread use of this technology since its appearance. During past years, most researchers have focused on addressing security threats existing in NFC environment. In this regard, these researches led to the introduction of an NFC security standard (NFC-SEC), which has been published by ISO and ECMA organizations. However, this standard does not offer privacy for users and there are few practical works providing it through NFC communications. Recently, some privacy preserving protocols have been proposed to supply NFC security along with anonymity. In this paper, we first prove that these previous protocols suffer from security vulnerabilities. Second, we propose our anonymous and secure key agreement (ASKA) protocol for NFC application using pseudonyms in order to address most probable security threats and those persisting in previous schemes. Third, we provide informal and formal security analysis using the Real-Or-Random model. The safety of the ASKA protocol is also verified by conducted simulation on the widely accepted AVISPA tool. Finally, the computational and communicational cost comparison along with the implementation result confirm that the proposed protocol is more suitable for NFC applications than previous schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianqing Fu,Chunming Wu,XiaoPing Chen,Rong Fan

DOI: https://doi.org/10.1109/iccet.2010.5485559

2010-01-01

Abstract:Nowadays, the use of Radio Frequency Identification (RFID) systems in industry and stores has increased. Nevertheless, some of these systems present problems that may discourage potential users. Hence, high confidence and efficient privacy protocols are urgently needed. Previous studies to achieve privacy authentication can be grouped into tree-based and synchronization approaches. But all of the tree-based designs are not suitable to large scale RFID systems, and most of the synchronization designs have security flaws. So in this paper, we propose a scalable pseudo random RFID private mutual authentication protocol (SPRA) to archive both scalable and security. The analysis results show that SPRA effectively enhances the security protection for RFID private authentication, and has the authentication efficiency of O(1).

Reham Abdellatif Abouhogail

DOI: https://doi.org/10.17762/ijcnis.v11i2.4142

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:As mobile applications grow, securing these applications become an important factor for their success. Especially, when these applications are related to financial transactions. Nowadays, mobile payment that is based on NFC technology is considered one of these important topics. In this paper, we propose A New Secure and Lightweight Authentication Protocol for NFC mobile Payment (NSLA) protocol. NSLA protocol presents a new method to update the users’ identities and the valid session keys, which preserves the privacy and ensures the integrity of the system. The presented performance analysis shows that NSLA protocol satisfies low computation overhead. Moreover, the security analysis proves that NSLA protocol has an immunity against replay attack, brute force attack, denial of service attack, and others types of attacks.

Chalee Thammarat

DOI: https://doi.org/10.3390/sym12101649

2020-10-09

Symmetry

Abstract:The standard protocol of near field communication (NFC) has concentrated primarily on the speed of communication while ignoring security properties. Message between an NFC-enabled smartphone and a point of sale are exchanged over the air (OTA), which is a message considered an authentication request for payment, billing, ticketing, loyalty services, identification or access control. An attacker who has an antenna can intercept or manipulate the exchanged messages to take advantage of these. In order to solve this problem, many researchers have suggested authentication methods for NFC communications. However, these remain inadequate transaction security and fairness. In this paper, we will propose a technique that ensures mutual authentication, security properties, and strong fairness. Mutual authentication is a security property that prevents replay attacks and man-in-the-middle attacks. Both fair exchange and transaction security are also significant issues in electronic transactions with regards to creating trust among the parties participating in the transaction. The suggested protocol deploys a secure offline session key generation technique to increase transaction security and, importantly, make our protocol lightweight while maintaining the fairness property. Our analysis suggests that our protocol is more effective than others regarding transaction security, fairness, and lightweight protocol. The proposed protocol checks robustness and soundness using Burrows, Abadi and Needham (BAN) logic, the Scyther tool, and automated validation of internet security protocols and applications (AVISPA) that provide formal proofs for security protocols. Furthermore, our protocol can resolve disputes in case one party misbehaves.

Shaik Shakeel Ahamad

DOI: https://doi.org/10.1109/access.2021.3139065

IF: 3.9

2022-01-01

IEEE Access

Abstract:The unprecedented growth of mobile applications promoted the usage of these mobile applications for payments. The current research works in mobile payments and commerce are prone to reverse-engineering attacks and lacked transport layer protection, so these research works do not ensure security. Therefore, such attacks on Mobile Payment Applications (MPA) will be successful, which leads to severe financial loss. To address these issues, we propose a secure framework incorporating a defense-in-depth approach for Near Field Communication (NFC) based mobile payment frameworks. Our defense-in-depth approach has three levels, i.e., Defense at hardware, mobile application, and communication level. We have proposed a NFC based Secure Protocol for Mobile Transaction (NSPMT) protocol and successfully verified a mobile payment protocol with BAN (Burrows, Abadi, and Needham) logic and Scyther tool, and our proposed protocol overcome multi-protocol attack, RAM (Random Access Memory) scrapping attack, DOS (Denial Of Service), DDOS (Distributed Denial Of Service), and Phlashing attacks. Our proposed mobile Payment system overcomes the known mobile application vulnerabilities, including Heartbleed and ROBOT (Return Of Bleichenbacher’s Oracle Threat). Our proposed protocol ensures all the security properties and the energy and communication cost and computational cost are far less than the existing works in the literature. Finally, we have successfully implemented our protocol using kotlin language in Android Studio, with two Mobile Payment Applications (MPA) and POS Payment Application (PPA), Elliptic Curve Digital Signature Algorithm (ECDSA) is used and Advanced Encryption Standard (AES) with GCM (Galois/Counter Mode) mode is used for encryption and decryption of Customer Payment Data at MPA and PPA.

computer science, information systems,telecommunications,engineering, electrical & electronic

He-Jun Lu,Dui Liu

DOI: https://doi.org/10.1371/journal.pone.0256367

IF: 3.7

2021-08-16

PLoS ONE

Abstract:Aimed at the security authentication problem between Near Field Communication (NFC) devices, this paper uses the technology of asymmetric encryption algorithm, symmetric encryption algorithm, hash function, timestamp and survival period to improve the confidentiality, performance and security of the protocol. The symmetric encryption algorithm encrypts the transmission content, while the asymmetric encryption algorithm encrypts the shared key. The whole authentication process is secure, and the key distribution is secure. The improved NFC device authentication protocol can effectively resist the brute force attack, man-in-the-middle attack and replay attack in the authentication process, it can reduce the number of message transmission in the authentication process, improve the transmission efficiency, enhance the confidentiality, integrity, non-repudiation and improve the security of NFC device authentication.

multidisciplinary sciences

Forough Sadat Mirkarimzade Tafti,Shahriar Mohammadi,Mehdi Babagoli

DOI: https://doi.org/10.1016/j.jisa.2021.102997

IF: 4.96

2021-11-01

Journal of Information Security and Applications

Abstract:Mobile payments have received a lot of attention because they are available at any time and place. One of the various payment methods is Near Field Communication (NFC) mobile payment. As a result of potential problems that may arise using mobile payments such as fraud and information theft, the security of mobile payment protocols is pivotal. One of the critical stages in mobile payment security is the mutual authentication between the user and the Mobile Network Operator (MNO). Global System for Mobile (GSM) proposed a protocol to mutual authentication using symmetric key cryptographic method. In this paper, we have introduced a new protocol for NFC mobile payment, which improves the GSM authentication protocol due to the existence of symmetric cryptographic security threats, and uses an asymmetric encryption method to mutual authentication. Also, this protocol reduces the number of required key-pairs for authentication. Furthermore, our proposed protocol, increases resistance to attacks such as replay attack, DOS, eavesdropping attacks, repudiation, man in the middle attack and de-synchronization. Because mobile devices have limited resources and processing power, our proposed protocol reduces the signalling overhead and processing load of the client-side as much as possible.

computer science, information systems

Wenying Zheng,Ziyuan Gui,Dengzhi Liu,Xiong Li,Bing Chen

DOI: https://doi.org/10.3966/160792642018121907025

2018-01-01

Abstract:User authentication and key agreement in smart cards is a critical issue due to the open and complex wireless communication environment. In order to protect the user's privacy and sensitive data in smart cards, many two-factor authentication protocols have been proposed, yet most of them cannot withstand various attacks. In this paper, we summarize the security requirements for smart cards and propose a secure lightweight certificateless authentication protocol with password change. Moreover, the proposed protocol satisfies anonymity, mutual authentication and session key agreement as well as resists many attacks. The performance analysis demonstrate that the proposed protocol is secure and highly practical.

Kai Fan,Panfei Song,Zhao Du,Haojin Zhu,Hui Li,Yintang Yang,Xinghua Li,Chao Yang

DOI: https://doi.org/10.1007/978-3-319-42836-9_11

2016-01-01

Abstract:As one of the most important techniques in IoT, NFC (Near Field Communication) is more interested than ever. NFC is a short-range, high-frequency communication technology well suited for electronic tickets, micro-payment and access control function, which is widely used in the financial industry, traffic transport, road ban control and other fields. However, NFC is becoming increasingly popular in the relevant field, but its secure problems, such as man-in-the-middle-attack, brute force attack and so on, have hindered its further development. To address the security problems and specific application scenarios, we propose a NFC mobile electronic ticket secure payment and verification scheme in the paper. The proposed scheme uses a CS E-Ticket and offline session key generation and distribution technology to prevent major attacks and increase the security of NFC. As a result, the proposed scheme can not only be a good alternative to mobile e-ticket system but also be used in many NFC fields. Furthermore, compared with other existing schemes, the proposed scheme provides a higher security.

Kai Fan,Panfei Song,Zhao Du,Haojin Zhu,Hui Li,Yintang Yang,Xinghua Li,Chao Yang

DOI: https://doi.org/10.1155/2017/4796373

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:As one of the most important techniques in IoT, NFC (Near Field Communication) is more interesting than ever. NFC is a short-range, high-frequency communication technology well suited for electronic tickets, micropayment, and access control function, which is widely used in the financial industry, traffic transport, road ban control, and other fields. However, NFC is becoming increasingly popular in the relevant field, but its secure problems, such as man-in-the-middle-attack and brute force attack, have hindered its further development. To address the security problems and specific application scenarios, we propose a NFC mobile electronic ticket secure payment and verification scheme in the paper. The proposed scheme uses a CS E-Ticket and offline session key generation and distribution technology to prevent major attacks and increase the security of NFC. As a result, the proposed scheme can not only be a good alternative to mobile e-ticket system but also be used in many NFC fields. Furthermore, compared with other existing schemes, the proposed scheme provides a higher security.

Si Chen,Muyuan Li,Zhan Qin,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1109/INFCOMW.2014.6849232

2014-01-01

Abstract:Short-range wireless communication technologies have been used in many security-sensitive smartphone applications and services such as contactless micro payment and device pairing. Typically, the data confidentiality of existing short-range communication systems relies on key-exchange then encryption mechanism, which is inefficient, especially for short communication sessions. In this work, we present AcousAuth, a smartphone empowered system designed for personal authentication. AcousAuth adopts the emerging friendly jamming technique from radio communication for data confidentiality and it features a seamless, faster, easier and safer user authentication process without the need for special infrastructure. Our system is intended to provide security assurances comparable to or greater than that of conventional authentication systems while offering the same user experience as inputing a password alone. AcousAuth provides a purely software-based solution to secure smartphone short-range communication without key agreement phase and it is potentially well suited for legacy mobile devices. Despite the computational restrictions and bandwidth of mobile device, our mobile application is able to maintain real-time performance.

Seung-Su Yang,Young-Hwan Jang,Min-Hyung Park,Seok-Cheon Park,Hyung-Joon Kim

DOI: https://doi.org/10.1007/s11277-021-08139-2

IF: 2.017

2021-02-09

Wireless Personal Communications

Abstract:NFC (Near Field Communication) is widely used in day-to-day applications such as in credit cards and smartphones. thus, RFID (Radio Frequency Identification) is being replaced by NFC in many applications. However, the access control system operates on RFID. The existing RFID-based access control systems provide only passive communication, and the authentication process is fragile and vulnerable to malicious hacking because the user information is stored by the reader. Therefore, in this study, we designed and implemented an access control system that uses the NFC-based active authentication technique. To evaluate the system implemented in this study, we performed comparison analysis with the existing NFC security authentication protocols based on whether they provided mutual authentication and whether they could respond to major security threats. The evaluation results showed that the proposed protocol normally supported mutual authentication functions between NFC devices, and ensured secure wireless communications by tackling major security threats that might occur in NFC security authentication protocols.

telecommunications

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

Yue-Hsun Lin,Ahren Studer,Yao-Hsin Chen,Hsu-Chun Hsiao,Li-Hsiang Kuo,Jason Lee,Jonathan M. McCune,King-Hang Wang,Maxwell Krohn,Phen-Lan Lin,Adrian Perrig,Hung-Min Sun,Bo-Yin Yang

DOI: https://doi.org/10.1109/tmc.2010.150

IF: 6.075

2010-01-01

IEEE Transactions on Mobile Computing

Abstract:Establishing trust between a group of individuals remains a difficult problem. Prior works assume trusted infrastructure, require an individual to trust unknown entities, or provide relatively low probabilistic guarantees of authenticity (95 percent for realistic settings). This work presents SPATE, a primitive that allows users to establish trust via mobile devices and physical interaction. Once the SPATE protocol runs to completion, its participants' mobile devices have authentic data that their applications can use to interact securely (i.e., the probability of a successful attack is 2^{-24}). For this work, we leverage SPATE as part of a larger system to facilitate efficient, secure, and user-friendly collaboration via e-mail, file-sharing, and text messaging services. Our implementation of SPATE on Nokia N70 smartphones allows users to establish trust in small groups of up to eight users in less than one minute. The example SPATE applications provide increased security with little overhead noticeable to users once keys are established.

ZHANG Juan,XU Chun-xiang

DOI: https://doi.org/10.3969/j.issn.1009-2552.2006.02.014

2006-01-01

Abstract:This paper proposes a secure account-based payment protocol which is suitable for wireless networks.The proposed protocol employs symmetric key operations which require lower computation at all enga-(ging) parties than that in existing mobile protocols.The protocol is secure as SET and SSL.Moreover,the credit-card information is not required to be sent during transactions which results in a security enhancement of the system.