Dongqing Xu,Jianhua Chen,Qin Liu

DOI: https://doi.org/10.1007/s12652-018-0710-x

IF: 3.662

2019-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Significant developments in wireless communication technologies have resulted in the increased popularity of mobile devices and mobile services. However, excessive service requests reduce the efficiency of traditional single-server architectures, which consist of one server and many users. To overcome this limitation, a multi-server architecture was proposed. Additionally, password-based or smart-card-based authentication schemes cannot support some important security properties in multi-server environments. Consequently, biometrics are widely used as a third factor, in addition to passwords and smart cards, to make authentication schemes more secure. Reddy et al. recently designed a three-factor (i.e., password, smart card and biometrics) authentication scheme for multi-server environments. However, we found that their scheme lacks untraceability and is vulnerable to privileged insider attacks. To address these deficiencies, we propose a security-enhanced three-factor authentication scheme for multi-server environments based on elliptic curve cryptography (ECC). We prove that the proposed scheme is secure using the random oracle model. Moreover, an informal security analysis shows that the proposed scheme fulfills all the security requirements of the multi-server architecture. Finally, the results from performance analyses indicate that our proposed scheme achieves a significant improvement in security with minimal impact on performance.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Jiaqing Mo,Hang Chen,Wei Shen

DOI: https://doi.org/10.1007/978-3-030-16946-6_36

2020-01-01

Abstract:Cryptanalyzing the security weaknesses of authentication protocols is extremely important to propose countermeasures and develop a truly secure protocol. Over last few years, many three factor-based authentication schemes with key agreement have been proposed for multi-server environment. In 2017, Ali and Pal developed a three-factor authentication scheme in multi-server environment using elliptic curve cryptography (ECC) to remedy the security flaws in Li et al.'s scheme and claimed their improved version can withstand the passive and active attacks. In this paper, we prove that Ali-Pal's scheme is subject to offline password guessing attack, replay attack, and known session-specific temporary information (KSSTI) attack. In the same year, Feng et al. examined Kumari et al.'s biometrics-based authentication scheme for multi-server environment and found that their scheme was vulnerable to several attacks. To fix these weaknesses, Feng et al. proposed an enhanced three-factor authentication scheme with key distribution for mobile multi-server environment and claimed that their scheme can satisfy the security and functional requirements. However, we show that Feng et al.'s scheme fails to resist offline password guessing attack, and suffers from replay attack. In addition to point out the security defects, we put forward countermeasures to eliminate the security risks and secure the three factor-based authentication schemes for multi-server environment.

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11042-018-5683-4

2018-01-01

Abstract:In this work, we demonstrate that Chaudhry et al.’s recent biometrics-based three factor authentication scheme is vulnerable to the denial of service attack, and it also fails to provide perfect forward secrecy because it only uses the lightweight symmetric key primitives to ensure security. To enhance the information security, this article presents a new robust biometrics-based mutual authentication scheme using elliptic curve cryptography for client-server architecture based applications in mobile environment. The proposed scheme supports session key agreement and flawless mutual authentication of participants, which is proved under the BAN logic. Moreover, the proposed scheme provides prefect security attributes and resists all known attacks, and it has perfect performance in communication cost. Thereby, the proposed scheme is more suitable for client-server architecture based applications.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11042-019-07812-w

IF: 2.577

2019-01-01

Multimedia Tools and Applications

Abstract:The rapidly evolving communication technology has now made it easy for people to enjoy kinds of online services over the insecure public internet. However, with convenience, ensuring data security as well as user privacy and authentication is particularly important and urgent. In view of this, this work presents a new biometrics-based three-factor authentication with key agreement scheme for multi-server environment using ECC. The formal authentication proof using BAN logic confirms that the new scheme can achieve mutual authentication and agree on a common session key; and the heuristic cryptanalysis shows that the new scheme provides perfect forward secrecy, preserves user anonymity and secures against various known security vulnerabilities. Furthermore, the performance evaluation demonstrates that our scheme is efficient.

Junsong Zhang,Jian Ma,Xiong Li,Wendong Wang

DOI: https://doi.org/10.3837/tiis.2014.08.021

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid growth of the communication technology, intelligent terminals (i.e. PDAs and smartphones) are widely used in many mobile applications. To provide secure communication in mobile environment, in recent years, many user authentication schemes have been proposed. However, most of these authentication schemes suffer from various attacks and cannot provide provable security. In this paper, we propose a novel remote user mutual authentication scheme for multi-server environments using elliptic curve cryptography (ECC). Unlike other ECC-based schemes, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC). Through this method, the proposed scheme requires less ECC-based operations than the related schemes, and makes it possible to significantly reduce the computational cost. Security and performance analyses demonstrate that the proposed scheme can solve various types of security problems and can meet the requirements of computational complexity for low-power mobile devices.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2015.02.015

IF: 4.152

2015-01-01

Computers & Electrical Engineering

Abstract:The biometrics, the password and the storage device are the elements of the three-factor authentication. In 2013, Yeh et al. proposed a three-factor user authentication scheme based on elliptic curve cryptography. However, we find that it has weaknesses including useless user identity, ambiguous process, no session key and no mutual authentication. Also, it cannot resist the user forgery attack and the server spoofing attack. Moreover, Khan et al. propose a fingerprint-based remote authentication scheme with mobile devices. Unfortunately it cannot withstand the user impersonation attack and the De-synchronization attack. Furthermore, the user’s identity cannot be anonymous, either. To overcome the disadvantages, we propose a new three-factor remote authentication scheme and give a formal proof with strong forward security. It could provide the user’s privacy and is secure. Compared to some recent three-factor authentication schemes, our scheme is secure and practical.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.

Ding Wang,Xizhe Zhang,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1016/j.cose.2019.101619

IF: 5.105

2020-01-01

Computers & Security

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments were successively proposed, yet most of them have been shortly found problematic. The research pattern of this area has fallen into the undesirable "break-fix-break-fix" cycle, in which lots of efforts have been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al. scheme at ICICS'17, Wu et al. scheme at FC'17, Leu-Hsieh's scheme at IET IS'14, Zhou et al. scheme at WINET'18 and Roy et al. scheme at IEEE TII'19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or are short of important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results. (C) 2019 Elsevier Ltd. All rights reserved.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1109/ISBAST.2013.20

2013-01-01

Abstract:Recently, An pointed out the weaknesses of Das's three-factor remote user authentication scheme, and proposed an improved biometric based three-factor remote user authentication scheme. An's scheme improves the security problems of previous schemes while keeping the efficiency. However, after detailed analysis, we find that An's scheme exists some weaknesses such as vulnerable to denial-of-service (DoS) attack and forgery attack, and does not provide session key agreement. In order to provide high-level of security and more useful functions, we design a new robust biometric based three-factor remote user authentication scheme with key agreement using elliptic curve cryptosystem.

Hongbin Tang,Xinsong Liu,Yao Li

DOI: https://doi.org/10.1049/cp.2012.2315

2012-01-01

Abstract:A three-factor (password, smart card and biometric) authentication scheme allows a user and a remote server to authenticate each other, and it provides strong authentication. Very recently, Das proposed a three-factor remote authentication scheme. He claimed that their scheme was more secure than Li-Hwang's scheme. However, we demonstrate that his scheme is vulnerable to various attacks. It is not feasible for real-life implementation. We then suggest an improvement. The proposed scheme is proved to be more secure than the previous related works and maintains low computation and communication cost.

xiong li,jianwei niu,muhammad khurram khan,junguo liao,xiaoke zhao

DOI: https://doi.org/10.1002/sec.961

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:As the fast growth of multimedia information, the security of multimedia systems is becoming a rather important topic nowadays. Multimedia systems are often suffering attacks when users access the information and online services. Because of the excellent features of the biometric, many biometric-based three-factor remote user authentication schemes have been proposed to provide high level of security for different network-based application systems. Recently, An pointed out the weaknesses of Das's three-factor remote user authentication scheme and proposed an improved biometric-based three-factor remote user authentication scheme. An's scheme improves the security problems of previous schemes while keeping the efficiency. However, after detailed analysis, we find that An's scheme exists some weaknesses such as vulnerable to denial-of-service attack and forgery attack, cannot detect unauthorized login quickly, and does not provide session key agreement. In order to provide high level of security for multimedia systems, we design a robust three-factor remote user authentication scheme with key agreement using elliptic curve cryptosystem. Copyright (c) 2014 John Wiley & Sons, Ltd.

Ping Wang,Zijian Zhang,Ding Wang

DOI: https://doi.org/10.1007/978-3-030-01950-1_50

2018-01-01

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key.

Yuanyuan Zhang,Jianhua Chen,Baojun Huang,Cong Peng

DOI: https://doi.org/10.5755/j01.itc.43.4.6579

IF: 0.813

2014-01-01

Information Technology And Control

Abstract:Recently, Li proposed a new password authentication and user anonymity scheme based on elliptic curve cryptography. In this paper, we will show that Li's scheme is vulnerable to the impersonation attack and the denial of service attack. Moreover, we also point out that there is an error in his scheme. To overcome the weaknesses of Li's scheme, we proposed an efficient password authentication scheme based on elliptic curve cryptography. The proposed scheme improves the security and efficiency of the authentication process.

Hua Guo,Chen,Ya Gao,Xiong Li,Jiongchao Jin

DOI: https://doi.org/10.1155/2018/3284324

2018-01-01

Wireless Communications and Mobile Computing

Abstract:Three-factor multiserver authentication protocols become a prevalence in recent years. Among these protocols, almost all of them do not involve the registration center into the authentication process. To improve the protocol's efficiency, a common secret key is shared among all severs, which leads to a serious weakness; i.e., we find that these protocols cannot resist the passive attack from the honest-but-curious servers. This paper takes Wang et al.'s protocol as an example, to exhibit how an honest-but-curious server attacks their protocol. To remedy this weakness, a novel three-factor multiserver authentication protocol is presented. By introducing the registration center into the authentication process, the new protocol can resist the passive attack from the honestbut-curious servers. Security analyses including formal and informal analyses are given, demonstrating the correctness and validity of the new protocol. Compared with related protocols, the new protocol possesses more secure properties and more practical functionalities than others at a relatively low computation cost and communication cost.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0149173

IF: 3.7

2016-01-01

PLoS ONE

Abstract:With the security requirements of networks, biometrics authenticated schemes which are applied in the multi-server environment come to be more crucial and widely deployed. In this paper, we propose a novel biometric-based multi-server authentication and key agreement scheme which is based on the cryptanalysis of Mishra et al.'s scheme. The informal and formal security analysis of our scheme are given, which demonstrate that our scheme satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, in which some features are not considered in the most of existing authentication schemes, such as, user revocation or re-registration and biometric information protection. Compared with several related schemes, our scheme has more secure properties and lower computation cost. It is obviously more appropriate for practical applications in the remote distributed networks.

Xiong Li,Jianwei Niu,Saru Kumari,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1007/s11277-014-2002-x

IF: 2.017

2014-01-01

Wireless Personal Communications

Abstract:User authentication is an important security issue for network based services. Multi-server authentication scheme resolves the repeated registration problem of single-server authentication scenario where the user has to register at different servers to access different types of network services. Recently, Pippal et al. proposed a smart card authentication scheme for multi-server architecture. They claimed that their scheme has some advantages and can resist kinds of attacks. However, we find their scheme cannot provide correct authentication, cannot resist impersonation attack, stolen smart card attack, and insider attack. Besides, their scheme is non-extensible when a new server added into the system. In order to overcome the aforementioned weaknesses of Pippal et al.’s scheme, we propose an improved smart card authentication scheme for multi-server architecture. We analyze the security of the proposed scheme using BAN logic, and the analysis result shows that the proposed scheme is more efficient and secure than Pippal et al.’s scheme.