Ding Wang,Xizhe Zhang,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1016/j.cose.2019.101619

IF: 5.105

2020-01-01

Computers & Security

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments were successively proposed, yet most of them have been shortly found problematic. The research pattern of this area has fallen into the undesirable "break-fix-break-fix" cycle, in which lots of efforts have been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al. scheme at ICICS'17, Wu et al. scheme at FC'17, Leu-Hsieh's scheme at IET IS'14, Zhou et al. scheme at WINET'18 and Roy et al. scheme at IEEE TII'19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or are short of important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results. (C) 2019 Elsevier Ltd. All rights reserved.

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Ding WANG,Wen-Ting LI,Ping WANG

DOI: https://doi.org/10.13328/j.cnki.jos.005361

2018-01-01

Journal of Software

Abstract:The design of secure and efficient user authentication protocols for multi-server environment is becoming a hot research topic in the cryptographic protocol community. Based on the widely accepted adversary model, this paper analyzes three representative, recently proposed user authentication schemes for multi-server environment. The paper reveals that: 1) Wan et al.’s scheme is subject to offline password guessing attack as opposed to the authors’ claim, and it also cannot provide user anonymity and forward secrecy; 2) Amin et al.’s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds o f forward secrecy issues; 3) Reedy et al.’s scheme cannot resist against user impersonation attack and offline password guessing attack, and  基金项目: 国家自然科学基金(61472016); 国家重点研发计划(2016YFB0800603, 2017YFB1200700) Foundation item: National Natural Science Foundation of China (61472016); National Key Research and Development Plan (2016YFB0800603, 2017YFB1200700) 本文由“面向隐私保护的新型技术与密码算法”专题特约编辑黄欣沂教授推荐. 收稿时间: 2017-05-30; 修改时间: 2017-07-13; 采用时间: 2017-08-22; jos 在线出版时间: 2017-10-17 CNKI 网络优先出版: 2017-10-17 13:38:05, http://kns.cnki.net/kcms/detail/11.2560.TP.20171017.1338.008.html 1938 Journal of Software 软件学报 Vol.29, No.7, July 2018 also falls short of user un-traceability. The paper highlights three principles for designing more robust anonymous multi-factor authentication schemes: Public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. It further proposes some amendments for the identified secur ity flaws.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Ping Wang,Zijian Zhang,Ding Wang

DOI: https://doi.org/10.1007/978-3-030-01950-1_50

2018-01-01

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0149173

IF: 3.7

2016-01-01

PLoS ONE

Abstract:With the security requirements of networks, biometrics authenticated schemes which are applied in the multi-server environment come to be more crucial and widely deployed. In this paper, we propose a novel biometric-based multi-server authentication and key agreement scheme which is based on the cryptanalysis of Mishra et al.'s scheme. The informal and formal security analysis of our scheme are given, which demonstrate that our scheme satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, in which some features are not considered in the most of existing authentication schemes, such as, user revocation or re-registration and biometric information protection. Compared with several related schemes, our scheme has more secure properties and lower computation cost. It is obviously more appropriate for practical applications in the remote distributed networks.

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Ping Wang,Bin Li,Hongjin Shi,Yaosheng Shen,Ding Wang

DOI: https://doi.org/10.1155/2019/2516963

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understand how to improve security. At ICCCS'17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.'s scheme. However, we reveal that Wu-Xu's scheme actually is subject to various security flaws, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.'s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS'18, Amin et al. pointed out that most of existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques and thus suggested an improved protocol by using only light-weight symmetric key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.'s and Wei et al.'s schemes cannot achieve the claimed security goals (including the most crucial goal of truly two-factor security). Our results invalidate any use of the scrutinized schemes for cloud computing environments.

Dheerendra Mishra

DOI: https://doi.org/10.48550/arXiv.1401.4790

2014-01-20

Abstract:Advancement in communication technology provides a scalable platform for various services where a remote user can access the server from anywhere without moving from its place. It has provided a unique opportunity for online services, such that the user need not physically present at the service center. These services adopt authentication and key agreement protocols to ensure authorized and secure access to resources. Most of the authentication schemes support single server environment where the user has to register with each server. If a user wishes to access multiple application servers, he requires to register with each of the servers. Although multi-server authentication schemes introduced a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on smart cards along with password and biometrics. This is a lightweight authentication scheme which requires the computation of only hash function. In this article, we present a brief review of Chuang and Chen's scheme. We analyze Chuang and Chen's scheme and identify that their scheme does not resist stolen smart card attack which causes the user's impersonation attack, server spoofing attack and man-in-the middle attack. Additionally, we show that their scheme has a weak key agreement protocol, which does not ensure forward secrecy.

Cryptography and Security

Wenting Li,Yaosheng Shen,Ping Wang

DOI: https://doi.org/10.1007/s11265-017-1305-z

2017-01-01

Abstract:Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards proposed by Mishra et al., in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in all schemes, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; and (2) Wu et al.’s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.’s scheme. (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, with the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Nassoro M. R. Lwamo,Liehuang Zhu,Chang Xu,Kashif Sharif,Ximeng Liu,Chuan Zhang

DOI: https://doi.org/10.1016/j.ins.2018.10.037

IF: 8.1

2018-01-01

Information Sciences

Abstract:The rapid increase in user base and technological penetration has enabled the use of a wide range of devices and applications. The services are rendered to these devices from single-server or highly distributed server environments, irrespective of their location. As the information exchanged between servers and clients is private, numerous forms of attacks can be launched to compromise it. To ensure the security, privacy, and availability of the services, different authentication schemes have been proposed for both single-server and multi-server environments. The primary performance objective of such schemes is to prevent most (if not all) attacks, with minimal computational costs at the server and user ends. To address this challenge, this paper presents a secure user authentication scheme with anonymity (SUAA) for single-server and multi-server environments. It works on 3-factor authentication, involving passwords, smart cards, and biometric data. We use symmetric and asymmetric encryption for single-server and multi-server architectures respectively, to reduce the computational costs. Through a comprehensive security analysis, we show that the proposed scheme is reliable through mutual authentication, and is resilient to attacks addressed by state of the art solutions. Time cost analysis also shows less time required to complete the authentication process.

Shen Yaosheng,Wang Ding,Wang Ping

DOI: https://doi.org/10.1007/978-3-030-00009-7_13

2018-01-01

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to cope with the vulnerabilities in Jiang et al.’s scheme. However, in this paper, we reveal that Wu-Xu’s scheme actually is subject to critical security defects, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme which is claimed to be suitable for multi-server architecture and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve truly two-factor security and is of poor scalability. Our results invalidate any use of the scrutinized schemes for cloud computing environments. © Springer Nature Switzerland AG 2018.

Lili Xu,Fan Wu

DOI: https://doi.org/10.1007/s10916-014-0179-x

Abstract:Nowadays, connected health care applications are used more and more in the world. Service through the applications can save the patients' time and expense, such as telecare medical information system (TMIS) and integrated electronic patient record (EPR) information system. In the applications, preserving patients' privacy, transmitting messages securely and keeping mutual authentication should all be paid attention. Many authentication schemes have been proposed to make a secure communicating environment. Recently Xie et al. showed that Wen's scheme was insecure because it was under the off-line password guessing attack and without user anonymity and forward security. They gave a new three-factor authentication scheme and claimed that it was secure. However, we find that Xie et al's scheme is vulnerable to the De-synchronization attack and the server has too much storage burden in the scheme. Then we present an improved scheme which overcomes the usual weaknesses and keeps ordinary security characters. Compared with recent schemes of the same kind, our scheme is secure and practical.

Vorugunti Chandra Sekhar,Mrudula Sarvabhatla

DOI: https://doi.org/10.48550/arXiv.1401.6121

2013-12-07

Abstract:In 2013, Tsai et al. cryptanalyzed Yeh et al. scheme and shown that Yeh et al., scheme is vulnerable to various cryptographic attacks and proposed an improved scheme. In this poster we will show that Tsai et al., scheme is also vulnerable to undetectable online password guessing attack, on success of the attack, the adversary can perform all major cryptographic attacks. As apart of our contribution, we have proposed an improved scheme which overcomes the defects in Tsai et al. and Yeh et al. schemes.

Cryptography and Security

Dheerendra Mishra,Ankita Chaturvedi,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1312.4793

2013-12-17

Abstract:The smart card based authentication protocols try to ensure secure and authorized communication between remote entities. In 2012, Wei et al. presented an improvement of Wu et al.'s two-factor authentication scheme for TMIS which is proven vulnerable to off-line password guessing attack by Zhu. Zhu also proposed a modified scheme to overcome with weakness of Wei et al.'s scheme, although Lee and Liu showed the failure of his scheme to resist parallel session attacks. Moreover, Lee and Liu introduced an improved scheme. We analyze Wei et al.'s, Zhu's and Lee and Liu's schemes and identify that none of the schemes resist on-line password guessing attack. Moreover, these schemes do not present efficient login and password chance phase. We also show that how inefficient password change phase causes denial of service attack. Further, we propose an improved password based remote user authentication scheme with the aim to eliminate all the drawbacks of previously presented schemes.

Cryptography and Security

Weiwei Han

DOI: https://doi.org/10.48550/arXiv.1201.0883

2012-01-04

Abstract:Recently, Li et al. proposed a dynamic identity based authentication protocol for multi-server architecture. They claimed their protocol is secure and can withstand various attacks. But we found some security loopholes in the protocol. Accordingly, the current paper demonstrates that Li et al.'s protocol is vulnerable to the replay attack, the password guessing attack and the masquerade attack.

Cryptography and Security

Ang Kok Wee,Eyasu Getahun Chekole,Jianying Zhou

2024-07-30

Abstract:Nowadays, cyberattacks are growing exponentially, causing havoc to Internet users. In particular, authentication attacks constitute the major attack vector where intruders impersonate legitimate users to maliciously access systems or resources. Traditional single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques, hence they are no longer sufficient to the current authentication requirements. To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently, which helps to raise the security bar against imposters. Although MFA is generally considered more robust and secure than SFA, it may not always guarantee enhanced security and efficiency. This is because, critical security vulnerabilities and performance problems may still arise due to design or implementation flaws of the protocols. Such vulnerabilities are often left unnoticed until they are exploited by attackers. Therefore, the main objective of this work is identifying such vulnerabilities in existing MFA protocols by systematically analysing their designs and constructions. To this end, we first form a set of security evaluation criteria, encompassing both existing and newly introduced ones, which we believe are very critical for the security of MFA protocols. Then, we thoroughly review several MFA protocols across different domains. Subsequently, we revisit and thoroughly analyze the design and construction of the protocols to identify potential vulnerabilities. Consequently, we manage to identify critical vulnerabilities in ten of the MFA protocols investigated. We thoroughly discuss the identified vulnerabilities in each protocol and devise relevant mitigation strategies. We also consolidate the performance information of those protocols to show the runtime and storage cost when employing varying number of authentication factors.

Cryptography and Security

ZHU Chang-sheng,LIU Peng-hui,WANG Qing-rong,CAO Lai-cheng

DOI: https://doi.org/10.3724/sp.j.1087.2011.01862

2011-01-01

Journal of Computer Applications

Abstract:How to keep mutual anonymity between two entities is one of the critical issues for Trusted Computation(TC).According to the characteristics of TC,an efficient password-based authenticated key exchange scheme was proposed.Adopting threshold cryptography and fuzzy ID set,the scheme achieved mutual anonymity between user and server sharing ID set.On the premise of secure hashing,the analysis and the proving procedure based on the Random Oracle Model(ROM) show this scheme is secure against dictionary attack and resource-depletion DoS(Denial-of-Service) attack under the computational Diffie-Hellman intractability assumption.This scheme effectively preserves the user's privacy and server's privacy,and compared with other schemes such as VIET et al.'s scheme,it is more efficient.