J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Yuanyuan Zhang,Jianhua Chen,Baojun Huang

DOI: https://doi.org/10.1002/dac.2612

2014-01-01

International Journal of Communication Systems

Abstract:SUMMARYRecently, Chang et al. proposed an authentication and key agreement protocol for satellite communications, and they claimed that their scheme could withstand various attacks. However, in this paper, we will show that their scheme is vulnerable to the denial of service attack and the impersonation attack. Moreover, we also point out that the adversary could compute the session key through the intercepted message. The analysis shows the scheme of Chang et al. is not secure for practical applications. Copyright © 2013 John Wiley & Sons, Ltd.

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1002/sec.1305

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Nowadays, smart-card-based user authentication becomes one of the most important security issues. But many schemes of that kind are under different attacks. Recently, Kumari et al. pointed that Chen et al.'s scheme and Li et al.'s scheme with the smart card were not secure. They proposed two improved schemes. Unfortunately, we find that the two schemes are not secure. The first scheme of Kumari et al. is under the de-synchronization attack and lacks strong forward security. The second has the weaknesses including no user anonymity and password leaking. Also, it cannot withstand the user-impersonation attack. We present a new scheme also based on the smart card overcoming common disadvantages and give a formal proof. We also use the tool ProVerif to verify the security of our scheme. Compared with some recent schemes, our scheme performs well, and it is fit for network applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Hong-bin Tang,Xin-song Liu,Jian-ying Chen

DOI: https://doi.org/10.1002/dac.2534

2013-01-01

International Journal of Communication Systems

Abstract:SUMMARYThe extensive application of mobile commerce has led researchers to design more secure protocols for mobile devices during the recent years. In 2011, Chen et al. proposed a three‐factor mobile device‐based remote authentication scheme, which tackled the security risk imposed by the loss of both password and mobile device. Scheme of Chen et al., however, is still vulnerable to the privileged insider attack, the replay attack, the impersonation attack, and the denial of service attack. It is not feasible for real‐life implementation. Copyright © 2013 John Wiley & Sons, Ltd.

Zhengjun Cao

DOI: https://doi.org/10.1007/s11235-024-01127-4

2024-03-16

Telecommunication Systems

Abstract:We show that the scheme (Telecommun Syst 78:539–557, 2021) is flawed. It uses a symmetric key encryption to transfer data between vehicles and the grid. But the specified symmetric key is easily retrieved by an adversary, which results in the loss of data confidentiality, and makes it vulnerable to impersonation attack, man-in-the-middle attack, and replay attack. We also present a method to fix this flaw and remove some superfluous communications in its registration phase.

telecommunications

Qi Xia,Chunxiang Xu,Yong Yu

DOI: https://doi.org/10.3772/j.issn.1006-6748.2011.02.013

2011-01-01

Abstract:As a special kind of digital signature, verifiably encrypted signatures are used as a building block to construct optimistic fair exchange. Many verifiably encrypted signature schemes have been proposed so far and most of them were proven secure under certain complexity assumptions. In this paper, however, we find that although some schemes are secure in a single-user setting, they are not secure in a multi-user setting any more. We show that Zhang, et al.'s scheme, Gorantla, et al.'s scheme and Ming, et al.'s scheme are vulnerable to key substitution attacks, where an adversary can generate new keys satisfying legitimate verifiably encrypted signatures created by the legitimate users. We also show that this kind of attacks can breach the fairness when they are used in fair exchange in a multi-user setting. © by HIGH TECHNOLOGY LETTERS PRESS.

Hung-Min Sun,King-Hang Wang

DOI: https://doi.org/10.1109/isecs.2008.36

2008-01-01

Abstract:The security of a two-party authentication protocol relies on the stored secrets of each entity are not easily compromised by adversaries. However, in the real world, hackers can always divulge the stored secrets. In this paper, we introduce the concept of the stolen-secret attack and point out that all existing secret-key based authentication protocols and password based authentication protocols suffer from this attack. We also propose two methods that defend against the stolen-secret attack. Security proof and implementation analysis are given for both methods to illustrate their soundness and usefulness.

Hu Xiong,Junyi Tao,Yanan Chen

DOI: https://doi.org/10.1007/s10916-016-0590-6

IF: 4.92

2016-01-01

Journal of Medical Systems

Abstract:Nowadays people can get many services including health-care services from distributed information systems remotely via public network. By considering that these systems are built on public network, they are vulnerable to many malicious attacks. Hence it is necessary to introduce an effective mechanism to protect both users and severs. Recently many two-factor authentication schemes have been proposed to achieve this goal. In 2016, Li et al. demonstrated that Lee et al.’s scheme was not satisfactory to be deployed in practice because of its security weaknesses and then proposed a security enhanced scheme to overcome these drawbacks. In this paper, we analyze Li et al.’s scheme is still not satisfactory to be applied in telecare medicine information systems (TMIS) because it fails to withstand off-line dictionary attack and known session-specific temporary information attack. Moreover, their scheme cannot provide card revocation services for lost smart card. In order to solve these security problems, we propose an improved scheme. Then we analyze our scheme by using BAN-logic model and compare the improved scheme with related schemes to prove that our scheme is advantageous to be applied in practice.

Debiao He,Jianhua Chen,Jin Hu

2010-01-01

Abstract:Recently, Yoon et al. and Wu proposed two improved remote mutual authentication and key agreement scheme for mobile devices on elliptic curve cryptosystem. In this paper, we show that Yoon et al.'s protocol fails to provide explicit key perfect forward secrecy and fails to achieve explicit key confirmation. We also point out Wu's scheme decreases efficiency by using the double secret keys and is vulnerable to the password guessing attack and the forgery attack. In order to overcome the drawback, we proposed and improved scheme. Through the comparison with other protocol, we believe that our improved scheme is more suitable for real-life applications.

Ping Wang,Zijian Zhang,Ding Wang

DOI: https://doi.org/10.1007/978-3-030-01950-1_50

2018-01-01

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key.

Hong‐Yi Fan

2007-01-01

Abstract:In a wireless mobile communication system,users and network servers need to authenticate one another and agreement on a session key used for encryption purposes in their conversation.This paper provides security analysis of a mutual authentication and key establishment protocol for wireless communication based on elliptic curve cryptography.Unfortunately proposed by Fangmin Deng et al.,then pointed out that their protocol does not achieve some essential security requirement including forward secrecy,impersonation attack and man-in-middle attack.

Ping Wang,Bin Li,Hongjin Shi,Yaosheng Shen,Ding Wang

DOI: https://doi.org/10.1155/2019/2516963

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Investigating the security pitfalls of cryptographic protocols is crucial to understand how to improve security. At ICCCS'17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.'s scheme. However, we reveal that Wu-Xu's scheme actually is subject to various security flaws, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.'s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS'18, Amin et al. pointed out that most of existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques and thus suggested an improved protocol by using only light-weight symmetric key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.'s and Wei et al.'s schemes cannot achieve the claimed security goals (including the most crucial goal of truly two-factor security). Our results invalidate any use of the scrutinized schemes for cloud computing environments.

Ding Wang,Xizhe Zhang,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1016/j.cose.2019.101619

IF: 5.105

2020-01-01

Computers & Security

Abstract:Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments were successively proposed, yet most of them have been shortly found problematic. The research pattern of this area has fallen into the undesirable "break-fix-break-fix" cycle, in which lots of efforts have been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al. scheme at ICICS'17, Wu et al. scheme at FC'17, Leu-Hsieh's scheme at IET IS'14, Zhou et al. scheme at WINET'18 and Roy et al. scheme at IEEE TII'19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or are short of important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results. (C) 2019 Elsevier Ltd. All rights reserved.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1109/ISBAST.2013.20

2013-01-01

Abstract:Recently, An pointed out the weaknesses of Das's three-factor remote user authentication scheme, and proposed an improved biometric based three-factor remote user authentication scheme. An's scheme improves the security problems of previous schemes while keeping the efficiency. However, after detailed analysis, we find that An's scheme exists some weaknesses such as vulnerable to denial-of-service (DoS) attack and forgery attack, and does not provide session key agreement. In order to provide high-level of security and more useful functions, we design a new robust biometric based three-factor remote user authentication scheme with key agreement using elliptic curve cryptosystem.

Yulei Chen,Jianhua Chen

DOI: https://doi.org/10.1002/ett.4542

IF: 3.6

2022-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the gradual penetration of computers and communication networks into people's lives, more and more people begin to pay attention to the information security. Key agreement protocol provides identity authentication for participants in communication system and generates a temporary session key for participants to encrypt messages. Recently, Wang et al designed an authentication and key agreement (AKA) protocol based elliptic curve cryptosystem and proved that their scheme can resist various known attacks. In this article, we analyze the security of their scheme and demonstrate that it is vulnerable to the temporary factor leakage attacks and insider attacks. Then, based on the elliptic curve public key cryptographic algorithm, we design a secure anonymous two-factor user AKA protocol. And we use the well-known random oracle model (ROM) and traditional heuristic discussion to prove the security of the proposed protocol. By comparing with several existing protocols based on public key cryptography algorithm, it is found that this protocol is more secure and efficient. The security analysis shows that the protocol designed in this article can meet all kinds of security requirements and consumes the less computing resources on users and servers, and is especially suitable for the scenarios with high security and efficiency requirements.

Saru Kumari,Muhammad Khurram Khan,Xiong Li

DOI: https://doi.org/10.1016/j.compeleceng.2014.05.007

IF: 4.152

2014-01-01

Computers & Electrical Engineering

Abstract:In distributed systems, user authentication schemes based on password and smart card are widely used to ensure only authorized access to the protected services. Recently, Chang et al. presented an untraceable dynamic-identity-based user authentication scheme with verifiable-password-update. In this research, we illustrate that Chang et al.'s scheme violates the purpose of dynamic-identity contrary to authors' claim. We show that once the smart card of an arbitrary user is lost, passwords of all registered users are at risk. Using information from an arbitrary smart card, an adversary can impersonate any user of the system. In addition, its password change phase has loopholes and is misguiding. The scheme has no provision for session key agreement and the smart card lacks any verification mechanism. Then we come-up with an improved remote user authentication scheme with the session key agreement, and show its robustness over related schemes.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Rahul Kumar

DOI: https://doi.org/10.1109/ISBAST.2014.7013105

2014-01-01

Abstract:Recently, Chen et al. proposed a remote user authentication scheme for non-tamper-proof storage devices like Universal Serial Bus (USB) stick. A little later, He et al. found that Chen et al.'s scheme suffers from device stolen attack, insider attack and lack of forward secrecy. He et al. improved the scheme by Chen et al. by presenting another scheme. Nonetheless, we detect some security problems in the scheme by He et al.. We show that He et al.'s scheme is vulnerable to off-line password guessing attack. Besides, an attacker can not only impersonate the user impersonation but can also establish a session key with the server, as a result, the scheme lacks proper mutual authentication. Further, the scheme does not protect user's privacy and a user cannot freely change his password at his will as password updating requires interaction with the server.

Xiangjun Xin,Chaoyang Li,Dongsheng Chen,Fagen Li

DOI: https://doi.org/10.14257/ijhit.2016.9.2.11

2016-01-01

International Journal of Hybrid Information Technology

Abstract:In the paper, we analyze the security vulnerability of the key agreement protocol proposed by Lee et al.'s. We present a forgery attack to their protocol. In this attack, the adversary can modify the signed message and forge a new signature, which can pass the verification. Then, we propose a new group key agreement protocol, which overcomes this security drawback. The new protocol can be proved to be secure under Elliptic Curve Discrete Logarithm Problem, Bilinear Computational Diffie–Hellman Problem and Square-Exponent Problem. On the other hand, in the new protocol, only three pairing operations are used, so it is more efficient. Our protocol is also a contributory group key agreement protocol.