Huang Shi,Tianjie Cao,Gao Caiyun

DOI: https://doi.org/10.14257/ijsia.2015.9.6.12

2015-01-01

International Journal of Security and Its Applications

Abstract:Authentication between user and server has become more and more important in the insecure network. Chen et al's proposed a user-participating authentication scheme. The CAPTCHA techniques and visual secret sharing is used in their scheme. The scheme can complete mutual authentication and resist certain known attacks. But for password guessing attack and denial-of-service attack, it can not resist. Therefore, an improved scheme to eliminate these weaknesses is proposed in this paper.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Qi Xie,Ji-Lin Wang,Deren Chen,Xiuyuan Yu

DOI: https://doi.org/10.1109/csse.2008.1043

2008-01-01

Abstract:Recently, Das et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. Liao et al. pointed out some weaknesses of Das et al.psilas scheme, and presented an improved scheme. However, an impersonate attack on Liao et al.psilas scheme is proposed, it proves that their scheme is also insecure. To overcome the weakness, the new scheme is presented. The advantage of the proposed scheme is that there are no secret numbers in the smart card, and can withstand all sorts of attacks.

Fang Song,Jianhua Chen,Debiao He

2014-01-01

Abstract:With advancement of computer community, people can obtain their service through the mobile devices. The number of service servers providing Internet applications is usually more than one. As a result, users generally need multiple servers to provide different services. It has become a big challenge to design a secure and efficient authentication for remote user under multi-server architecture. In 2013, Jiang et al. proposed an anonymous user authentication with key agreement scheme without pairings for multi-server architecture using self-certified public keys (SCPKs). They claimed that their scheme can satisfy all of the requirements needed for achieving secure authentication in multi-server environments. However, in this paper, we will show that Jiang et al.'s scheme cannot withstand password guessing attack, impersonation attack and insider attack. Therefore, we present a more secure authentication based on SCPKs.

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Vanga Odelu,Muhammad Khurram Khan

DOI: https://doi.org/10.3837/tiis.2016.09.026

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Widespread use of wireless networks has drawn attention to ascertain confidential communication and proper authentication of an entity before granting access to services over insecure channels. Recently, Truong et al. proposed a modified dynamic ID-based authentication scheme which they claimed to resist smart-card-theft attack. Nevertheless, we find that their scheme is prone to smart-card-theft attack contrary to the author's claim. Besides, anyone can impersonate the user as well as service provider server and can breach the confidentiality of communication by merely eavesdropping the login request and server's reply message from the network. We also notice that the scheme does not impart user anonymity and forward secrecy. Therefore, we present another authentication scheme keeping apart the threats encountered in the design of Truong et al.'s scheme. We also prove the security of the proposed scheme with the help of widespread BAN (Burrows, Abadi and Needham) Logic.

Vorugunti Chandra Sekhar,Mrudula Sarvabhatla

DOI: https://doi.org/10.48550/arXiv.1401.6121

2013-12-07

Abstract:In 2013, Tsai et al. cryptanalyzed Yeh et al. scheme and shown that Yeh et al., scheme is vulnerable to various cryptographic attacks and proposed an improved scheme. In this poster we will show that Tsai et al., scheme is also vulnerable to undetectable online password guessing attack, on success of the attack, the adversary can perform all major cryptographic attacks. As apart of our contribution, we have proposed an improved scheme which overcomes the defects in Tsai et al. and Yeh et al. schemes.

Cryptography and Security

Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Saru Kumari,Fan Wu,Shehzad Ashraf Chaudhry,R. Niranchana

DOI: https://doi.org/10.1007/s11036-018-1061-8

2018-01-01

Abstract:Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

L Fan,CX Xu,JH Li

IF: 1.019

2004-01-01

Chinese Journal of Electronics

Abstract:A lots of remote password authentication schemes have been proposed in recent years. However, these schemes are not designed for multi-server architecture environments. In this paper, we present a remote password authentication scheme for multi-server environments based on one-way hash function. In this scheme, any user can freely choose his password. There is no limitation of the number of the users, and the system doesn't need to keep the passwords for the users. According to the analysis, intruders cannot obtain any secret information from the public information or transmitted messages of a user. In addition, this scheme can withstand the replay attack. The computation cost of this scheme is very low.

Xiong Li,Jianwei Niu,Muhammad Khurram Khan,Junguo Liao

DOI: https://doi.org/10.1016/j.jnca.2013.02.034

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

Yajuan Shi,Han Shen,Yuanyuan Zhang,Jianhua Chen

DOI: https://doi.org/10.14257/ijseia.2015.9.5.25

2015-01-01

International Journal of Software Engineering and Its Applications

Abstract:To keep the pace with the development of internet technology, remote user authentication techniques become more and more important to protect user's privacy. Recently, Kumari, et al., presented an improved remote user authentication scheme with key agreement based on dynamic-identity using smart card. This scheme allows legal users to change the password at his will without the need to connect the server. They claimed that their scheme could resist smart card stolen or loss attack, user impersonation and server masquerading attack, and provide user anonymity and untraceability and so on. However, our research indicates that their scheme is completely unsafe. Furthermore, the scheme can't provide the proper mutual authentication. In this manuscript, we will propose a new scheme, which can withstand those attacks mentioned above and provide the perfect user anonymity and forward secrecy. Security analysis makes it clear that the improved scheme apparently is more secure and practical.

ZHOU Xian-cun,XIONG Yan,LIU Ren-jin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.20.021

2012-01-01

Abstract:Analysis indicates that Liaw et al's remote user authentication scheme is vulnerable to replay attack,man-in-the-middle attack,and there are obvious security vulnerabilities in the password changing phase and registration phase.A remote user authentication scheme based on Diffie-Hellman(D-H) key exchange protocol is proposed.Theoretical analysis shows that the scheme can resist impersonation attack,replay attack,man-in-the-middle attack,and it can implement mutual authentication and session key generation securely.

Ahmed Yaser Fahad Alsahlani,Songfeng Lu

2016-01-01

Abstract:Authentication using smart card is a mechanism to verify the legitimacy of the user over insecure communication. Recently, Chen et al. figured out some weaknesses in previously published schemes, they proposed a robust smart card based remote user password authentication scheme. They claimed that, their scheme is efficient and can ensure the session key forward secrecy. We analyzed their scheme, we found that, it cannot detect incorrect password within login phase. Furthermore, the user required to communicate with the server to change or update his/her password. Besides, it cannot securely forward the secrecy. In this paper, we propose a scheme to overcome the aforesaid weaknesses and produce an enhanced authentication scheme based remote user password using smart card. We use a TRPT (Temporary Registration Password Technique) within registration phase to secure user's password. Our proposed scheme can resist various malicious attacks, achieve mutual authentication, user can choose and change his/her password freely without need to communicates with the server, securely forward secrecy, and the login password never been exposed or transferred over channel. We show that, our proposed scheme achieved the goal, and it is more legible to practical use compared to the other related schemes.

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Nassoro M. R. Lwamo,Liehuang Zhu,Chang Xu,Kashif Sharif,Ximeng Liu,Chuan Zhang

DOI: https://doi.org/10.1016/j.ins.2018.10.037

IF: 8.1

2018-01-01

Information Sciences

Abstract:The rapid increase in user base and technological penetration has enabled the use of a wide range of devices and applications. The services are rendered to these devices from single-server or highly distributed server environments, irrespective of their location. As the information exchanged between servers and clients is private, numerous forms of attacks can be launched to compromise it. To ensure the security, privacy, and availability of the services, different authentication schemes have been proposed for both single-server and multi-server environments. The primary performance objective of such schemes is to prevent most (if not all) attacks, with minimal computational costs at the server and user ends. To address this challenge, this paper presents a secure user authentication scheme with anonymity (SUAA) for single-server and multi-server environments. It works on 3-factor authentication, involving passwords, smart cards, and biometric data. We use symmetric and asymmetric encryption for single-server and multi-server architectures respectively, to reduce the computational costs. Through a comprehensive security analysis, we show that the proposed scheme is reliable through mutual authentication, and is resilient to attacks addressed by state of the art solutions. Time cost analysis also shows less time required to complete the authentication process.

Ding Wang,Chunguang Ma,Qi-Ming Zhang,Sendong Zhao

DOI: https://doi.org/10.4304/jnw.8.1.148-155

2013-01-01

Journal of Networks

Abstract:It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.

Youping Lin,Kaihui Wang,Baocan Zhang,Yuzhen Liu,Xiong Li

DOI: https://doi.org/10.14257/ijsia.2016.10.1.29

2016-01-01

International Journal of Security and Its Applications

Abstract:Authentication is an important and basic security service for many network based applications, which allows the registered user access remote services after the validity of his/her identity is verified by the remote server. Password, smart card and biometric are three frequently used factors in authentication, and some remote user authentication schemes for different environments had been presented based on these factors by researchers. Recently, Baruah et al. pointed out the weaknesses of Mishra et al.'s three factors user authentication scheme for multi-server environments, and they proposed an enhanced scheme. They claimed that their scheme has many security features and can resist some common attacks. However, based on our analysis, Baruah et al.'s scheme cannot resist stolen smart card attack, cannot protect user's anonymity, and it is also vulnerable to Denial of Service attack. In this paper, an enhanced three factors user authentication scheme for multi-server environments based on fuzzy extractor technology is proposed, and the analysis show that the proposed scheme is more security and efficient than other related schemes.

Zhuo Hao,Nenghai Yu

DOI: https://doi.org/10.1109/ISDPE.2010.15

2010-01-01

Abstract:Remote user authentication is a critical component of accessing remote services in distributed applications. In this paper we investigate the security vulnerabilities of a previously proposed remote user authentication scheme. After that we propose a security enhanced remote user password authentication scheme, which effectively prevents the adversary's attacks. The proposed authentication scheme is shown to be secure against password guessing attack, masquerade attack and replay attack. By performance analysis, the proposed scheme is shown to be very efficient, both in the computation and the storage cost. The proposed password authentication scheme is very suitable for providing remote authentication in distributed applications.

Ding Wang,Chun-guang Ma,De-li Gu,Zhen-shan Cui

DOI: https://doi.org/10.1007/978-3-642-34601-9_35

2012-01-01

Abstract:In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.