Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

彭志宇,李善平,杨朝晖,林欣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2010.05.011

2010-01-01

Abstract:An anonymous authorization mechanism was proposed to protect the user's privacy in the process of authorization in trust management. User requested for services using their real identification in most of the classic trust-management language system, which potentially leaded to the privacy leaking. Through dynamically searching for the delegation roles which take over the request, the anonymous authorization mechanism retained the right behavior of credential chain discovery and achieved a quantitative way of anonymity against the resource provider. Results showed that the anonymous mechanism shared the same worst-case time complexity with the traditional forward credential-chain-searching method. A method of caching all the members in the nodes was proposed to improve the performance in time spending. Simulation results showed that the performance in time spending greatly improved in the relative stable systems, in which the credentials change slowly.

Ding WANG,Wen-Ting LI,Ping WANG

DOI: https://doi.org/10.13328/j.cnki.jos.005361

2018-01-01

Journal of Software

Abstract:The design of secure and efficient user authentication protocols for multi-server environment is becoming a hot research topic in the cryptographic protocol community. Based on the widely accepted adversary model, this paper analyzes three representative, recently proposed user authentication schemes for multi-server environment. The paper reveals that: 1) Wan et al.’s scheme is subject to offline password guessing attack as opposed to the authors’ claim, and it also cannot provide user anonymity and forward secrecy; 2) Amin et al.’s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds o f forward secrecy issues; 3) Reedy et al.’s scheme cannot resist against user impersonation attack and offline password guessing attack, and  基金项目: 国家自然科学基金(61472016); 国家重点研发计划(2016YFB0800603, 2017YFB1200700) Foundation item: National Natural Science Foundation of China (61472016); National Key Research and Development Plan (2016YFB0800603, 2017YFB1200700) 本文由“面向隐私保护的新型技术与密码算法”专题特约编辑黄欣沂教授推荐. 收稿时间: 2017-05-30; 修改时间: 2017-07-13; 采用时间: 2017-08-22; jos 在线出版时间: 2017-10-17 CNKI 网络优先出版: 2017-10-17 13:38:05, http://kns.cnki.net/kcms/detail/11.2560.TP.20171017.1338.008.html 1938 Journal of Software 软件学报 Vol.29, No.7, July 2018 also falls short of user un-traceability. The paper highlights three principles for designing more robust anonymous multi-factor authentication schemes: Public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. It further proposes some amendments for the identified secur ity flaws.

Song Luo,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/nswctc.2009.287

2009-01-01

Abstract:Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. One-time password authentication which uses dynamic password helps to enhance the security of password. In this paper, we suggest a new one-time password scheme using the smart card based on the bilinear pairings. By generating temporary identity, our scheme can provide anonymity in authentication process to protect the user's privacy. Based on the Computational Diffie-Hellman Problem, we show that the proposed scheme is secure against forgery attack and ID attack under the random oracle model.

Hui Qiao,Xuewen Dong,Yulong Shen

DOI: https://doi.org/10.1007/s10916-019-1442-y

IF: 4.92

2019-10-07

Journal of Medical Systems

Abstract:The technology of Internet of Things (IoT) has appealed to both professionals and the general public to its convenience and flexibility. As a crucial application of IoT, telecare medicine information system (TMIS) provides people a high quality of life and advanced level of medical service. In TMIS, smart card-based authenticated key agreement schemes for multi-server architectures have gathered momentum and positive impetus due to the conventional bound of a single server. However, we demonstrate that most of the protocols in the literatures can not implement strong security features in TMIS, such as Lee et al.'s and Shu's scheme. They store the identity information directly, which fail to provide strong anonymity and suffer from password guessing attack. Then we propose an extended authenticated key agreement scheme (short for AKAS) with strong anonymity for multi-server environment in TMIS, by enhancing the security of the correlation parameters stored in the smart cards and calculating patients' dynamic identities. Furthermore, the proposed chaotic map-based scheme provides privacy protection and is formally proved under Burrows-Abadi-Needham (BAN) logic. At the same, the informal security analysis attests that the AKAS scheme not only could resist the multifarious security attacks but also improve efficiency by 21% compared with Lee et al.'s and Shu's scheme.

health care sciences & services,medical informatics

Kaiping Xue,Peilin Hong

DOI: https://doi.org/10.1016/j.cnsns.2011.11.025

IF: 4.186

2012-01-01

Communications in Nonlinear Science and Numerical Simulation

Abstract:In 2009, Tseng et al. proposed a password sharing and chaotic map based key agreement protocol (Tseng et al.’s protocol). They claimed that the protocol provided mutual authentication between a server and a user, and allowed the user to anonymously interact with the server to establish a shared session key. However, in 2011, Niu et al. have proved that Tseng et al.’s protocol cannot guarantee user anonymity and protocol security when there is an internal adversary who is a legitimate user. Also it cannot provide perfect forward secrecy. Then Niu et al. introduced a trust third party (TTP) into their protocol designing (Niu et al.’s protocol). But according to our research, Niu et al.’s protocol is found to have several unsatisfactory drawbacks. Based on reconsidering Tseng et al.’s protocol without introducing TTP, we give some improvements to meet the original security and performance requirements. Meanwhile our proposed protocol overcomes the security flaws of Tseng et al.’s protocol.

Kyong-Sok Pak,Mi-Hyang Kim,Song-Ho Pak,Chol-Man Ho

DOI: https://doi.org/10.1371/journal.pone.0273664

IF: 3.7

2022-09-16

PLoS ONE

Abstract:Three-party authentication key exchange is a protocol that allows two users to set up a session key for encrypted communication by the help of a trusted remote server. Providing user anonymity and mutual authentication in the authentication key exchange is important security requirements to protect users’ privacy and enhance its security performance. Recently Li proposed a chaotic maps-based authentication key exchange protocol which attempts to provide mutual authentication and user anonymity, but we found that there were some faults in the key exchange phase and password change phase of his scheme. We prove that Li’s scheme does not provide user anonymity and that the user’s privacy information is disclosed, and propose enhanced three-party authentication key exchange protocol that provides user anonymity and we analyse its security properties and verify its validity based on BAN logic and AVISPA tool.

multidisciplinary sciences

Chang-Shiun Liu,Li Xu,Limei Lin,Min-Chi Tseng,Shih-Ya Lin,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-46298-1_4

2016-01-01

Abstract:Most of the mutual authentication protocols with user anonymity proposed for providing secure roaming service through wireless communications are based on smart cards and have to establish public key cryptosystems in advance. To solve this, Guo et al. firstly proposed an efficient mutual authentication protocol with user anonymity using smart card for wireless communications. Unfortunately, we will demonstrate their scheme requires high modular exponential operations for security issues, and does not allow users to change passwords freely. Based on modular square root, we propose an efficient remote user authentication protocol with smart cards for wireless communications. Compared with others, our protocol is more suitable for mobile devices and smart-card users.

Ping Wang,Zijian Zhang,Ding Wang

DOI: https://doi.org/10.1007/978-3-030-01950-1_50

2018-01-01

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key.

Nenghai Yu

2011-01-01

Abstract:In a distributed network environment,password-authenticated key agreement schemes are fundamental security mechanisms.A security analysis of Chen et al.'s scheme [Chen T H,Hsiang H C,Shih W K.Security enhancement on an improvement on two remote user authentication schemes using smart cards.Future Generation Computer Systems,2011,27(4): 337-380] was presented.It was found that Chen et al.'s scheme cannot resist offline password guessing attacks,and does not have perfect forward secrecy.A security enhanced password-authenticated key agreement scheme was thus proposed.The proposed scheme maintains the good properties of Chen et al.'s scheme,is resistant to offline password guessing attack and provides perfect forward secrecy.A security analysis of the proposed scheme demonstrated that it is capable of strong security.It is suitable for providing mutual authentication and key agreement between the user and the server in a distributed environment.

Rui Shi,Huamin Feng,Yang Yang,Feng Yuan,Yingjiu Li,Hwee Hwa Pang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3280914

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Threshold attribute-based credentials are suitable for decentralized systems such as blockchains as such systems generally assume that authenticity, confidentiality, and availability can still be guaranteed in the presence of a threshold number of dishonest or faulty nodes. Coconut (NDSS'19) was the first selective disclosure attribute-based credentials scheme supporting threshold issuance. However, it does not support threshold tracing of user identities and threshold revocation of user credentials, which is desired for internal governance such as identity management, data auditing, and accountability. The communication and computation complexities of Coconut for verifying credentials are linear in the number of each user's attributes and thus costly. Addressing these issues, we propose a novel efficient threshold attribute-based anonymous credential scheme. While retaining all the features of Coconut, our scheme supports threshold tracing of user identities and threshold revocation of user credentials, and it significantly reduces the computational and communication complexities of credential verification. In addition, we prove that our scheme enjoys strong security features, including anonymity, blindness, traceability, and non-frameability.

computer science, information systems, software engineering

Dheerendra Mishra

DOI: https://doi.org/10.48550/arXiv.1401.4790

2014-01-20

Abstract:Advancement in communication technology provides a scalable platform for various services where a remote user can access the server from anywhere without moving from its place. It has provided a unique opportunity for online services, such that the user need not physically present at the service center. These services adopt authentication and key agreement protocols to ensure authorized and secure access to resources. Most of the authentication schemes support single server environment where the user has to register with each server. If a user wishes to access multiple application servers, he requires to register with each of the servers. Although multi-server authentication schemes introduced a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on smart cards along with password and biometrics. This is a lightweight authentication scheme which requires the computation of only hash function. In this article, we present a brief review of Chuang and Chen's scheme. We analyze Chuang and Chen's scheme and identify that their scheme does not resist stolen smart card attack which causes the user's impersonation attack, server spoofing attack and man-in-the middle attack. Additionally, we show that their scheme has a weak key agreement protocol, which does not ensure forward secrecy.

Cryptography and Security

Shuhong Wang,Jie Wang,Maozhi Xu

DOI: https://doi.org/10.1007/978-3-540-24852-1_30

2004-01-01

Abstract:A password-authenticated key exchange scheme allows two entities, who only share a memorable password, to authenticate each other and to agree on a. cryptographic session key. Instead of considering it in the classic client and server scenarios, Byun et al. recently proposed a password-authenticated key exchange protocol in a cross-realm setting where two clients in different realms obtain a secret session key as well as mutual authentication, with the help of respective servers. In this paper, we first, point out that the proposed protocol is not secure, due to the choice of invalid parameters (say, subgroup generator). Furthermore, we show in detail that, even with properly chosen parameters, the protocol has still some secure flaws. We provide three attacks to illustrate the insecurity of the protocol. Finally, countermeasures are also given, which are believed able to withstand our attacks.

Yanjiang Yang,Shuhong Wang,Feng Bao,Jie Wang,Robert H. Deng

DOI: https://doi.org/10.1016/j.cose.2004.08.005

IF: 5.105

2004-01-01

Computers & Security

Abstract:Apart from user identification and key distribution, it is very useful for the login process to achieve user anonymity. Recently, Wu and Hsu proposed an efficient user identification scheme with key distribution while preserving user anonymity by extending an earlier work of Lee and Chang. We however find out that the Wu and Hsu scheme has a serious weakness, which can be exploited by the service provider to learn the secret token of the user who requests services from the service provider. We further propose a scheme to overcome this limitation while attaining the same set of objectives as the previous works. Performance analyses have shown that efficiency in terms of both computation and communication is not sacrificed in our scheme.

Dheerendra Mishra

DOI: https://doi.org/10.48550/arXiv.1310.6422

2014-04-13

Abstract:Dynamic ID-based remote user authentication schemes ensure efficient and anonymous mutual authentication between entities. In 2013, Khan et al. proposed an improved dynamic ID-based authentication scheme to overcome the security flaws of Wang et al.'s authentication scheme. Recently, Sun and Cao showed that Khan et al. does not satisfies the claim of the user's privacy and proposed an efficient authentication scheme with user anonymity. The Sun and Cao's scheme achieve improvement over Khan et al.'s scheme in both privacy and performance point of view. Unfortunately, we identify that Sun and Cao's scheme does not resist password guessing attack. Additionally, Sun and Cao's scheme does not achieve forward secrecy.

Cryptography and Security

Haojie Lu

2009-01-01

Abstract:User authentication is mostly carried out by sending a pair of username and password to the server in insecure network,since most users have not a certificate.Just based on this fact,some attacks are achieved.The method of phishing and the common mechanism of protecting key are analyzed,and an authentication scheme employing trusted computing technology is proposed.Since the scheme combines protected storage,authentication chain,and password partition etc,thieving only the password will not have an affect on user security.In the end,the proposed approach is proven to protect against phishing attacks.

Zhengjun Cao

DOI: https://doi.org/10.1007/s11277-024-10881-2

IF: 2.017

2024-02-27

Wireless Personal Communications

Abstract:We show that the Kumari-Renuka key agreement scheme (Wirel Pers Commun 117:27–45, 2021) fails to keep user anonymity, not as claimed, because an adversary can retrieve the user's identity from the pseudonym . The loss of anonymity originates from the misuse of bitwise operator, which requires that both operands have an equal bit-length, otherwise the partial string in the long operand will be exposed. We also suggest a remedy method to fix the flaw by using a hash function to convert a point over the underlying elliptic curve into a random string with fixed length.

telecommunications

Hang Xu,Chingfang Hsu,Lein Harn,Janqun Cui,Zhuo Zhao,Ze Zhang

DOI: https://doi.org/10.1109/tsc.2023.3257569

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:With the increasing popularity and wide application of the Internet, the users (such as managers and data consumers) in the Industrial Internet of Things (IIoT) can remotely analyze and control real-time data collected by various smart sensor devices. However, there are many security and privacy issues in the process of transmitting collected data through public channels in IIoT environment. In order to against the illegal access by opponents, a novel anonymous user authentication and key agreement scheme based on hash and elliptic curve encryption is proposed in this paper, which not only uses a pseudonym tuple database in control nodes to realize the functions of user dynamic joining and anonymity protection, but also resists key loss and device capture attacks through fuzzy biometric extraction technology. In addition, the formal secure analysis of the proposed scheme is carried out using the BAN logic model and ROR model, which proves the security of the proposed scheme. Meanwhile, we also prove the scheme can against the described existing attacks and meet the design goals by a detailed informal security discussion. Compared with the latest similar IIoT authentication proposals, our solution has a very obvious advantage in communication efficiency and realizes more functions. Hence, our scheme is more suitable for the IIoT environment, and can also generate greater benefits.

computer science, information systems, software engineering

Hu Xiong,Zhong Chen,Fagen Li

DOI: https://doi.org/10.1016/j.mcm.2011.10.001

2012-01-01

Mathematical and Computer Modelling

Abstract:Authenticated key agreement (AKA) protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key that is known only to those entities over an open network. Recently, in order to circumvent the key escrow problem inherent to ID-based cryptography and the certificate management burden in traditional public key infrastructure, the notion of certificateless public key cryptography (CL-PKC) was introduced. In this paper, we first present a security model for certificateless AKA protocols for three parties, and then propose an efficient construction based on bilinear pairings. The security of the proposed scheme can be proved to be equivalent to the computational Diffie–Hellman problem in the random oracle model.

LIAN Huanhuan,HOU Huiying,ZHAO Yunlei

DOI: https://doi.org/10.11959/j.issn.1000−436x.2022062

2022-01-01

Abstract:In view of the fact that server stored the passwords directly in plaintext, there was a risk of server compromise, and two-party PAKE protocol was not suitable for large-scale communication systems, a three-party verifier-based password authenticated key exchange protocol from lattices was proposed.Hashing scheme and zero-knowledge password policy check were combined to realize the generation of verifier and the password checking.A novel verifier-based 3PAKE protocol was constructed by using CCA-secure public-key encryption from lattices, which realized mutual authentication.Security and performance analysis shows that the proposed protocol has better advantages in communication efficiency and security.