Wenting Li,Haibo Cheng,Ping Wang

DOI: https://doi.org/10.1109/cybersecpods.2019.8885375

2019-01-01

Abstract:User authentication plays an important role in generic IoT networks that prevents malicious parties from gaining access to various services offered by remote servers. As user-end IoT devices are typically resource-constrained, how to design secure and efficient multi-factor authentication schemes remains hard to tackle. Very recently, instead of using traditional asymmetric encryption algorithms such as RSA, EIGamal encryption, a number of attempts have been made to employ chaotic maps as building blocks to design multi-factor authentication schemes for IoT environments. In this paper, we first revisit two foremost chaotic maps based multi-factor user authentication schemes presented by Roy et al. and Truong et al., and show that, despite being armed with a formal security proof, none of them can achieve the goal of “truly multi-factor security”. Besides, we find Roy et al.'s scheme fails to achieve the claimed feature of forward secrecy, while Truong et al.'s scheme suffers from stolen verifier attack and violation of user anonymity. Further, we indicate how to mend these weaknesses and propose an enhanced protocol with high efficiency. Security and efficiency analysis suggest that our scheme outperforms existing schemes and is practical for real applications of IoT environments.

Jiao Zhang,Yong He,Yu-Zhen Liu,Xiong Li

2015-01-01

Abstract:Identity authentication protocol is an important type of protocols for information security protection. Recently, Lee et al. pointed out the security flaws of a multi-server user authentication protocol with key agreement which is presented by Tsaur et al., and they further proposed an extended chaotic maps-based user authentication protocol for multi-server. However, we observed that Lee et al.'s protocol has some functionality and security flaws. In this paper, the cryptanalysis of Lee et al.'s authentication protocol was pointed out, and it was found inefficient in the detection of unauthorized login and did not support password change. Besides, their protocol is pointed out vulnerable to registration center spoofing attack and server spoofing attack.

Fan Wu,Lili Xu

DOI: https://doi.org/10.1007/978-3-319-68542-7_16

2017-01-01

Abstract:Cloud computing is a hot issue mentioned more and more nowadays. Vast information for every domain are stored in cloud servers. Security issue is accompanied with the fast development of cloud application. On the other hand, many authentication schemes with different methods have been presented over the last decades. To guarantee the valid access to remote server, smart cards are used on the client side. Moreover, user anonymity becomes a hot issue in such schemes. We present a chaotic-map based mutual authentication scheme for cloud computing. After our concrete analysis, the new scheme not only makes user anonymous but also performs well in basic aspects compared with recent schemes. The new scheme is practical and efficient via our comparison and it overcomes various attacks and meets security requirements in public opinion. ...

Dheerendra MIshra

DOI: https://doi.org/10.48550/arXiv.1310.5896

2013-10-22

Abstract:The Telecare medicine information system (TMIS) is developed to provide Telecare services to the remote user. A user can access remote medical servers using internet without moving from his place. Although remote user and server exchange their messages/data via public networks. An adversary is considered to be enough powerful that he may have full control over the public network. This makes these Telecare services vulnerable to attacks. To ensure secure communication between the user and server many password based authentication schemes have been proposed. In 2013, Hao et al. presented chaotic maps-based password authentication scheme for TMIS. Recently, Lee identified that Hao et al.'s scheme fails to satisfy key agreement property, such that a malicious server can predetermine the session key. Lee also presented an efficient chaotic map-based password authentication and key agreement scheme using Smart cards for TMIS. In this article, we briefly review Lee's scheme and demonstrates the weakness of Lee's scheme. The study shows that the Lee's scheme inefficiency of password change phase causes denial of service attack and login phase results extra computation and communication overhead.

Cryptography and Security

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Hamed Arshad,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.future.2016.04.016

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols for among the service seeker users, sensing component sensor nodes (SNs) and the service provider base-station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both the schemes achieve mutual authentication, establish session key and resist many known attacks but still have security weaknesses. We show the applicability of stolen verifier, user impersonation, password guessing and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to password guessing attack. In both the schemes, the security of the session key established between user and SNs is imperfect due to lack of forward secrecy and session-specific temporary information leakage attack. In addition both the schemes impose extra computational load on resource scanty sensor-nodes and are not user friendly due to absence of user anonymity and lack of password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSN using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSN based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.

Debiao He,Yitao Chen,Jianhua Chen

DOI: https://doi.org/10.1007/s11071-012-0335-0

IF: 5.741

2012-01-01

Nonlinear Dynamics

Abstract:Very recently, Lee et al. (C. Lee, C. Chen, C. Wu, S. Huang, An extended chaotic maps-based key agreement protocol with user anonymity, Nonlinear Dynamics, doi: 10.1007/s11071-011-0247-4) proposed a chaotic maps-based key agreement protocol with user anonymity and claimed their protocol could resist various attacks. In this paper, we will point out that Lee et al.'s protocol suffers from three weaknesses: (1) inability of resisting the privileged insider attack; (2) inability of resisting the denial-of-service attack; and (3) inability of providing anonymity. To overcome the weaknesses, we also proposed an improved protocol. The analysis shows our protocol is more suitable for practical applications.

Guoqiang Long,Xiuli Chai,Zhihua Gan,Donghua Jiang,Xin He,Mengge Sun

DOI: https://doi.org/10.1016/j.chaos.2023.114111

2023-01-01

Abstract:As a result of their prominent initial value sensitivity, pseudo-randomness, and unpredictability nature, chaotic maps are widely used in multimedia security. However, the majority of chaotic maps now in use have issues like narrow parameter scope, poor traversability, and insufficient chaotic performance. To address these issues, a one-dimensional exponential Chebyshev (1-DEC) chaotic map is constructed in this paper which performs satisfactorily. Through the use of a bifurcation diagram, Lyapunov exponents, sample entropy, and permutation entropy, the chaotic dynamics of the 1-DEC are thoroughly examined. Subsequently, a visually meaningful image encryption (VMIE) scheme combined with matching embedding based on 1-DEC was presented. Specifically, a cyclic shift confusion method across rows and columns (CSCARC) is proposed to eliminate the correlation of adjacent pixels. Then, an adaptive embedding method based on image energy and dynamic matching (AEIEDM) is proposed to fuse the privacy information into carrier images. In addition, secret image share and authenti- cation information is introduced in this scheme, which improves disaster-tolerance performance and implements the distributed management and storage of data. Subscribers have the capabilities of authentication, manage- ment, and data integrity checking. Ultimately, the simulation results and analysis demonstrate that the proposed scheme possesses satisfactory performance in terms of security and robustness, and the visual quality of the steganographic images was above 50.9 dB.

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Dheerendra Mishra

DOI: https://doi.org/10.48550/arXiv.1401.4790

2014-01-20

Abstract:Advancement in communication technology provides a scalable platform for various services where a remote user can access the server from anywhere without moving from its place. It has provided a unique opportunity for online services, such that the user need not physically present at the service center. These services adopt authentication and key agreement protocols to ensure authorized and secure access to resources. Most of the authentication schemes support single server environment where the user has to register with each server. If a user wishes to access multiple application servers, he requires to register with each of the servers. Although multi-server authentication schemes introduced a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on smart cards along with password and biometrics. This is a lightweight authentication scheme which requires the computation of only hash function. In this article, we present a brief review of Chuang and Chen's scheme. We analyze Chuang and Chen's scheme and identify that their scheme does not resist stolen smart card attack which causes the user's impersonation attack, server spoofing attack and man-in-the middle attack. Additionally, we show that their scheme has a weak key agreement protocol, which does not ensure forward secrecy.

Cryptography and Security

Shuming Qiu,Ding Wang,Guoai Xu,Saru Kumari

DOI: https://doi.org/10.1109/tdsc.2020.3022797

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the limitations of symmetric-key techniques, authentication and key agreement (AKA) protocols based on public-key techniques have attracted much attention, providing secure access and communication mechanism for various application environments. Among these public-key techniques used for AKA protocols, chaotic-map is more effective than scalar multiplication and modular exponentiation, and it offers a list of desirable cryptographic properties such as un-predictability, un-repeatability, un-certainty, and higher efficiency than scalar multiplication and modular exponentiation. Furthermore, it is usually believed that three-factor AKA protocols can achieve a higher security level than single- and two-factor protocols. However, none of existing three-factor AKA protocols can meet all security requirements. One of the most prevalent problems is how to balance security and usability, and particularly how to achieve truly three-factor security while providing password change friendliness. To deal with this problem, in this article we put forward a provably secure three-factor AKA protocol based on extended chaotic-maps for mobile lightweight devices, by adopting the techniques of "Fuzzy-Verifiers" and "Honeywords". We prove the security of the proposed protocol in the random oracle model, assuming the intractability of extended chaotic-maps Computational Diffie-Hellman problem. We also simulate the protocol by using the AVISPA tool. The security analysis and simulation results show that our protocol can meet all 13 evaluation criteria regarding security. We also assess the performance of our protocol by comparing with seven other related protocols. The evaluation results demonstrate that our protocol offers better balance between security and usability over state-of-the-art ones.

computer science, information systems, software engineering, hardware & architecture

Ping Wang,Bin Li,Hongjin Shi,Yaosheng Shen,Ding Wang

DOI: https://doi.org/10.1155/2019/2516963

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understand how to improve security. At ICCCS'17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.'s scheme. However, we reveal that Wu-Xu's scheme actually is subject to various security flaws, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.'s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS'18, Amin et al. pointed out that most of existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques and thus suggested an improved protocol by using only light-weight symmetric key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.'s and Wei et al.'s schemes cannot achieve the claimed security goals (including the most crucial goal of truly two-factor security). Our results invalidate any use of the scrutinized schemes for cloud computing environments.

Nan Liu,Cheng Guo,Huan Zhang,Lifeng Yuan

DOI: https://doi.org/10.1049/ic.2014.0156

2014-01-01

Abstract:With the gradual research on authentication issues, many researchers began to apply chaotic maps. Chaos theory has many good properties. It can achieve fast computing, and the time of encryption and decryption can be shortened to ensure smooth communication. Meanwhile, smart card technology is becoming a more practical technology. It has capabilities of security, confidentiality and identification, and can complete simple encryption and decryption operations. Based on the property of chaotic maps and smart cards, we proposed an authenticated key agreement protocol. In our protocol, we reach the goal of creatively combining chaotic maps and smart cards. Using chaotic maps and smart cards simplify our protocol and decrease the communication overhead, also improve the security of the authentication process.

Xiong Li,Jianwei Niu,Saru Kumari,Muhammad Khurram Khan,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1007/s11071-015-1937-0

IF: 5.741

2015-01-01

Nonlinear Dynamics

Abstract:An authenticated key agreement protocol is a protocol for information security over insecure networks. Due to the excellent properties of chaotic system, chaos-related cryptography has received a certain development, and recently, researchers have presented some three-party authenticated key agreement protocols based on the chaotic maps. Unfortunately, most of the chaotic maps-based key agreement protocols use a password to achieve the key agreement, and this leads to some security loopholes. First, the server has to store a sensitive password table, and it would be dangerous if the server was compromised or the password table was leaked. Besides, the low-entropy passwords are vulnerable to some password-related attacks, such as insider attack and password guessing attacks. In this paper, we design a communication- and computation-efficient chaotic maps-based three-party authenticated key agreement protocol without password and clock synchronization, and formally analyze the security using Burrows–Abadi–Needham logic. In addition to the formal analysis, we also prove that the presented protocol is free from most of the common attacks, and compare the performance and functionality with other related protocols. The result of the analysis and comparisons demonstrate that our protocol is more efficient and practical for real applications.

Ding Wang,Chun-guang Ma,De-li Gu,Zhen-shan Cui

DOI: https://doi.org/10.1007/978-3-642-34601-9_35

2012-01-01

Abstract:In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

Xiong Li,Fan Wu,Muhammad Khurram Khan,Lili Xu,Jian Shen,Minho Jo

DOI: https://doi.org/10.1016/j.future.2017.08.029

2018-01-01

Abstract:As a kind of e-health notion, telemedicine employs telecommunication and information technologies to provide remote clinical health care. Telecare medicine information system (TMIS) is a widely used application nowadays. Through the services provided by such e-health systems, doctors can obtain the variation of patients’ conditions and make treatments quickly and accordingly. Recently, researchers have employed the Chebyshev chaotic maps in the authentication process of TMISs. Unfortunately, many kinds of security weaknesses such as off-line guessing attack, destitution of user anonymity and session key agreement happen in relative work. To overcome the disadvantages, we propose a secure remote authentication scheme employing the chaotic maps. We use the formal proof under random oracle model, and the famous verification tool Proverif to prove the security of the proposed scheme. Besides, informal analysis including ten security properties and performance comparison are shown to supplement the security properties. From the formal proof, we can see that the attacker has a negligible probability to crack the scheme over the active guessing attack. The formal verification demonstrates that our scheme can resist the attackers simulated by the tool Proverif. Moreover, we compare our scheme with several recent schemes, and the comparison results show that our scheme reaches the level of security requirements and also has suitable cost in performance. Thus, it is more applicable to telecare medicineenvironments.

Yasir Giani,Li Jianhua,Chen Gongliang,Zahid Mehmood

DOI: https://doi.org/10.1109/compcomm.2016.7925201

2016-01-01

Abstract:In the recent decades, in order to achieve high-degree security many researchers are introducing multifactor authentication schemes replacing by conventional password-based remote authentication schemes. In 2010, Li and Hwang proposed biometric-based authentication scheme using the smart card. Later on, Das pointed out that the scheme is susceptible to denial of services attack and also having low efficiency. Then proposed a new scheme to overcome the weaknesses of prior scheme. In 2012, Younghwa An. substantiate that Das's scheme doesn't provide mutual authentication. In 2014, Cao and Ge pointed that Younghwa's scheme is still vulnerable to replay attack and unable to provide user anonymity, while an adversary can perform the re-registration by intercepting user identity IDx in the login phase. In this paper, we first analyze Cao and Ge's scheme and show that their scheme is still vulnerable to password guessing and traceability attacks.

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Shen Yaosheng,Wang Ding,Wang Ping

DOI: https://doi.org/10.1007/978-3-030-00009-7_13

2018-01-01

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to cope with the vulnerabilities in Jiang et al.’s scheme. However, in this paper, we reveal that Wu-Xu’s scheme actually is subject to critical security defects, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme which is claimed to be suitable for multi-server architecture and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve truly two-factor security and is of poor scalability. Our results invalidate any use of the scrutinized schemes for cloud computing environments. © Springer Nature Switzerland AG 2018.

Dharminder Dharminder,Uddeshaya Kumar,Pratik Gupta

DOI: https://doi.org/10.1007/s40747-021-00441-7

Abstract:The outbreak of coronavirus has caused widespread global havoc, and the implementation of lockdown to contain the spread of the virus has caused increased levels of online healthcare services. Upgraded network technology gives birth to a new interface "telecare medicine information systems" in short TMIS. In this system, a user from a remote area and a server located at the hospital can establish a connection to share the necessary information between them. But, it is very clear that all the information is always being transmitted over a public channel. Chaotic map possesses a dynamic structure and it plays a very important role in the construction of a secure and efficient authentication protocols, but they are generally found vulnerable to identity-guess, password-guess, impersonation, and stolen smart-card. We have analyzed (Li et al. in Fut Gen Comput Syst 840:149-159, 2018; Madhusudhan and Nayak Chaitanya in A robust authentication scheme for telecare medical information systems, 2008; Zhang et al in Privacy protection for telecare medicine information systems using a chaotic map-based three-factor authenticated key agreement scheme, 2017; Dharminder and Gupta in Pratik security analysis and application of Chebyshev Chaotic map in the authentication protocols, 2019) and found that Bergamo's attack (IEEE Trans Circ Syst 52(7):1382-1393, 2005) cannot be resisted by the protocol. Although few of the protocols ensures efficient computations but they cannot ensure an anonymous and secure communication. Therefore, we have proposed a secure and efficient chaotic map based authentication protocol that can be used in telecare medicine information system. This protocol supports verified session keys with only two messages of exchange. Moreover, we have analysed the performance of proposed protocol with relevant protocols and it is being implemented in "Automated Validation of Internet Security Protocols and Applications" respectively.