Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Qi Xie,Deren Chen

DOI: https://doi.org/10.1109/icie.2010.292

2010-01-01

Journal of Networks

Abstract:To use the network services provided by multiple servers in mobile wireless network, a hash function and smart card based multi-server authentication scheme without verification tables and servers' public keys is proposed. The new protocol has many advantages, such as no encryption, signature, verification tables, timestamp, and public keys directory.

YAN Wei-wei,HUANG Wei,HAN Jun,ZENG Xiao-yang

2010-01-01

Abstract:An embedded authentication system based on shared-key authentication and fingerprint verification is proposed.First,this system authenticates the identities of client and server by shared-key authentication,creates the current communication encrypt key,and then authenticates the identity of them by fingerprint verification.During the process of fingerprint verification,the information of fingerprint is not needed to transmit over the public channel,so the security of fingerprint is increased.Theoretic analysis and experiments show that,this system reach very high authentication rate and security.This system can resist replay attack,server template attack,device template attack,effectively.

Zhendong Wu,Longwei Tian,Ping Li,Ting Wu,Ming Jiang,Chunming Wu

DOI: https://doi.org/10.1016/j.ins.2016.12.048

IF: 8.1

2018-01-01

Information Sciences

Abstract:Cloud computing is profoundly changing the way of data storage, transfer and process. User authentication is the first security barrier for cloud computing. However, the security of traditional biometric-template-based authentication technology has been challenged because of the information leakage of biometric templates and insufficient user-key strength, which is limited by the ability of the user to memorize keys. In this paper, we propose a new bio-key generation algorithm named FVHS, which combines the advantages of both biometrics authentication and user-key authentication. It directly generates stable and sufficiently strong bio-key sequences from finger vein biometrics. Based on FVHS, a new framework for cloud computing authentication is presented that provides a more flexible, convenient, and secure user authentication. The key idea of FVHS is that through combining machine learning, biometrics, and cryptography technologies, we can mine a special feature vector from the biometrics space that can be separated and stabilized into a fixed number sequence in a higher-dimensional space. Both a theoretical analysis and experimental verification show that FVHS can extract stable bio-keys from high quality finger vein images. FVHS can extract a finger vein bio-key with a Genuine Accept Rate of more than 99.9%, while the False Accept Rate is less than 0.8% and Equal Error Rate is less than 0.5%. Meanwhile, the security strength can reach 256 bits.

Hong Yen Tran,Jiankun Hu,Wen Hu

DOI: https://doi.org/10.1109/tifs.2024.3468624

IF: 7.231

2024-10-11

IEEE Transactions on Information Forensics and Security

Abstract:Existing fuzzy extractor and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials, which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (renewable biometrics-based identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of 448 bytes.

computer science, theory & methods,engineering, electrical & electronic

Mingming Jiang,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-17146-8_17

2022-01-01

Abstract:Fuzzy authenticated key exchange (FAKE) enables two parties to agree on a shared key with the help of their fuzzy sources, like biometric features [3,9], physical unclonable functions (PUFs) [16], etc. In FAKE, each user will generate public strings from its own fuzzy source, and register public strings to the system. In the interactive protocol of FAKE, the user will again employ their own fuzzy sources to accomplish key agreement and achieve authenticity and privacy for the agreed session keys. The advantage of FAKE is that users do not have to store them in the devices, hence do not worry about key leakage due to bad key management in devices. In this paper, We propose a generic construction of FAKE from three building blocks including secure sketch (SS), key encapsulation scheme (KEM) and a digital signature (SIG). We also define authenticity for users and pseudo-randomness for session keys to formalize the security of FAKE in the multi-user multi-challenge setting. We prove the security of our FAKE construction with tight security reductions to the building blocks in the random oracle model. Given the available choices for SS, tightly secure KEM and tightly secure SIG schemes, we obtain a bunch of FAKE schemes with tight security in the multi-user multi-challenge setting.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Chi Chen,Chaogang Wang,Tengfei Yang,Dongdai Lin,Song Wang,Jiankun Hu

DOI: https://doi.org/10.1109/fskd.2014.6980974

2014-01-01

Abstract:Following the wide use of smart devices, biometric cryptosystem is used to protect users' privacy data. However, biometric cryptosystem is rarely used in the scenario of mobile cloud, because the biometric sensors are different on various devices. In this paper, an optional multi-biometric cryptosystem based on fuzzy extractor and secret share technology is proposed. Each of the enrolled biometric modality generates a feature vector, and then the feature vector is put into a fuzzy extractor to get a stable codeword, namely a bit-string. All the codewords are used to bind a random key based on a secret share method, and the key can be used to encrypt users' privacy data. During the verification phase, part of the enrolled biometric modalities are enough to recover the random key. Therefore, the proposed scheme can provide a user the same biometric key on different devices. In addition, experiment on a virtual multi-biometric database shows that the novel concept of optional multi-biometric cryptosystem is better than the corresponding uni-biometric cryptosystem both in matching accuracy and key entropy.

Kai Xi,Tohari Ahmad,Fengling Han,Jiankun Hu

DOI: https://doi.org/10.1002/sec.225

IF: 1.968

2011-01-01

Security and Communication Networks

Abstract:With fast evolution of mobile devices and mobile network, the need of protecting user sensitive information locally and performing secure user authentication remotely become evermore increasing. Bio-cryptography is emerging as a powerful solution which can combine the advantages of conventional cryptography and biometric security. In this paper, we present an efficient bio-cryptographic security protocol designed for client/server authentication in current mobile computing environment, with a reasonable assumption that server is secure. In this protocol, fingerprint biometric is used in user verification, protected by a computationally efficient Public Key Infrastructure (PKI) scheme, Elliptic Curve Cryptography (ECC). The genuine fingerprint information is hidden in the feature vault which is the mixture of genuine and chaff features. Fingerprint features are not only used for biometric verification but also for cryptographic key generation. Our security analysis shows that the proposed protocol can provide a secure and trustworthy authentication of remote mobile users over insecure network. Experimental results on public domain database show an acceptable verification performance. We also tested the computational costs and efficiency of our protocol on the CLDC emulator using Java ME (previous J2ME) programming technology. The simulation results prove that the proposed protocol suits current mobile environment. Copyright (C) 2010 John Wiley & Sons, Ltd.

Swe Geng,Georgia Giannopoulou,Maëlle Kabir-Querrec

DOI: https://doi.org/10.1145/3338498.3358648

2019-11-01

Abstract:Biometric authentication is getting increasingly popular due to the convenience of using unique individual traits, such as fingerprints, palm veins, irises. Especially fingerprints are widely used nowadays due to the availability and low cost of fingerprint scanners. To avoid identity theft or impersonation, fingerprint data is typically stored locally, e.g., in a trusted hardware module, in a single device that is used for user enrollment and authentication. Local storage, however, limits the ability to implement distributed applications, in which users can enroll their fingerprint once and use it to access multiple physical locations and mobile applications afterwards. In this paper, we present a distributed authentication system that stores fingerprint data in a server or cloud infrastructure in a privacy-preserving way. Multiple devices can be connected and perform user enrollment or verification. To secure the privacy and integrity of sensitive data, we employ a cryptographic construct called fuzzy vault. We highlight challenges in implementing fuzzy vault-based authentication, for which we propose and compare alternative solutions. We conduct a security analysis of our biometric cryptosystem, and as a proof of concept, we build an authentication system for access control using resource-constrained devices (Raspberry Pis) connected to fingerprint scanners and the Microsoft Azure cloud environment. Furthermore, we evaluate the fingerprint matching algorithm against the well-known FVC2006 database and show that it can achieve comparable accuracy to widely-used matching techniques that are not designed for privacy, while remaining efficient with an authentication time of few seconds.

Cryptography and Security

Liangliang Wang,Junzuo Lai,Hu Xiong,Kefei Chen,Yu Long

DOI: https://doi.org/10.1002/sec.1572

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:According to the inspirations from history, we introduce a new cryptography primitive called fuzzy certificateless signature, which not only eliminates the key escrow problem inherently existed in fuzzy identity-based signature but also possesses the error tolerance property of fuzzy identity-based signature that allows for a set of attributes ω to verify a signature produced with a private key for an identity ω' if and only if the distance between the two identities ω and ω' is within a certain threshold. In this paper, the concept of fuzzy certificateless signature is first proposed, and then, the syntax and security model of fuzzy certificateless signature are formally defined. In the next step, so far, the first concrete fuzzy certificateless signature scheme is proposed, which may be practicably implemented in biometric identification. In addition, a formal security proof is provided, so as to demonstrate that in the random oracle model, our newly proposed scheme is existentially unforgeable against Types I and II chosen message attacks formalized in the security model under the computational Diffie-Hellman assumption. Copyright © 2016 John Wiley & Sons, Ltd.

Fagen Li,Jiye Wang,Yuyang Zhou,Chunhua Jin,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11276-018-1839-4

IF: 2.701

2018-01-01

Wireless Networks

Abstract:In a mobile client–server environment, a low-power mobile device wants to access a strong server to get some kind of services. User authentication and key establishment are two basic security requirements for this environment. Without the user authentication, an unauthorized user can access the server and gets the services. Without the key establishment, the communication between the user and the server will be disclosed. Recently, some user authentication and key establishment protocols were designed. However, all of them are homogeneous since the client and the server belong to the same cryptosystem. That is, both the client and the server belong to public key infrastructure or identity-based cryptosystem or self-certified cryptosystem. Such design does not comply with the characteristic of mobile client–server application. In this paper, we design a heterogeneous user authentication and key establishment protocol using a signcryption scheme. In this protocol, the client uses identity-based cryptosystem and the server uses the public key infrastructure. As compared with existing works, our protocol has the lowest cost in computation and communication.

Chengchen Zhu,Kunling Li,Jianan Hong,Cunqing Hua,Futai Zou

DOI: https://doi.org/10.1109/icc51166.2024.10622361

2024-01-01

Abstract:The technology development of wireless communication has brought about the rapid growth of various wireless devices, but also brings in many security threats. This paper focuses on the security and privacy problems in wireless authentication and proposes a novel authentication scheme based on the design of reusable fuzzy extractor (RFE) for device's radio frequency (RF) fingerprinting. Firstly, unlike the traditional authentication protocol, our scheme can accomplish the mutual authentication without the storage of long-term secret key, thus tackles with the key-compromise threats. Furthermore, although the scheme authenticates devices based on their RF fingerprint, it does not store RF fingerprinting information explicitly to safeguard it from eavesdroppers who may use it to impersonate the identity of valid users. Finally, our designed protocol relies on the correspondent peer to measure the fingerprint, rather than the device itself, thus is more secure against various adversaries. The security analysis shows the resiliency against theft of secret keys, wireless channel attacks and privacy disclosure. And the performance evaluation demonstrates that the design of RFE for device's RF fingernrinting is efficient in terms of recognition accuracy.

L Fan,CX Xu,JH Li

IF: 1.019

2004-01-01

Chinese Journal of Electronics

Abstract:A lots of remote password authentication schemes have been proposed in recent years. However, these schemes are not designed for multi-server architecture environments. In this paper, we present a remote password authentication scheme for multi-server environments based on one-way hash function. In this scheme, any user can freely choose his password. There is no limitation of the number of the users, and the system doesn't need to keep the passwords for the users. According to the analysis, intruders cannot obtain any secret information from the public information or transmitted messages of a user. In addition, this scheme can withstand the replay attack. The computation cost of this scheme is very low.

Fang Song,Jianhua Chen,Debiao He

2014-01-01

Abstract:With advancement of computer community, people can obtain their service through the mobile devices. The number of service servers providing Internet applications is usually more than one. As a result, users generally need multiple servers to provide different services. It has become a big challenge to design a secure and efficient authentication for remote user under multi-server architecture. In 2013, Jiang et al. proposed an anonymous user authentication with key agreement scheme without pairings for multi-server architecture using self-certified public keys (SCPKs). They claimed that their scheme can satisfy all of the requirements needed for achieving secure authentication in multi-server environments. However, in this paper, we will show that Jiang et al.'s scheme cannot withstand password guessing attack, impersonation attack and insider attack. Therefore, we present a more secure authentication based on SCPKs.

ZHANG Jin-ying,ZHENG Yu,LU Xian-hui,HE Da-ke

2005-01-01

Abstract:A password-based remote user authentication scheme was proposed by Lin and Lai, but there were some vulnerabilities in time-stamp and user ID.So an improved scheme based on challenge-response was presented,adopting diplex authentication technologies,fingerprint and smart card.It could achieve mutual authentication and avoid replay attack and masquerade attack.The random factor was generated by the mutual parties to guarantee the authentication fairness.Moreover,user's fingerprint needed not be transmitted in the authentication process to protect user's privacy.