An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficient, and security.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

Enhanced Dynamic Authentication Scheme (EDAS)

With non-stop growth in network environments, communication security is necessary. A strong protocol guarantees that users and service providers are secure against many kinds of attacks, such as impersonation and replay attack. Sood et al. proposed an authentication scheme based on dynamic identity to prevent transactions from being intercepted by malicious users. Although they claimed that their scheme has advantages over previous schemes with the same approach, we prove that their scheme is vulnerable to impersonation attack and stolen verification attack, and can be affected by clock synchronization. Therefore we propose a novel authentication scheme to enhance security and overcome limitations existing in Sood’s scheme. Our security analysis shows that our proposed method can efficiently resist known types of attacks. Experimental results also show that the method can be implemented and processed in real-time thus applicable for not only regular computers but also mobile devices.     

A secure biometric based multi-server authentication scheme for social multimedia networks

Social networking is one of the major source of massive data. Such data is not only difficult to store, manipulate and maintain but it’s open access makes it security prone. Therefore, robust and efficient authentication should be devised to make it invincible against the known security attacks. Moreover, social networking services are intrinsically multi-server environments, therefore compatible and suitable authentication should be designed accordingly. Sundry authentication protocols are being utilized at the moment and many of them are designed for single server architecture. This type of remote architecture resists each user to get itself register with each server if multiple servers are employed to offer online social services. Recently multi-server architecture for authentication has replaced the single server architecture, and it enable users to register once and procure services from multiple servers. A short time ago, Lu et al. presented two authentication schemes based on three factors. Furthermore, both Lu et al.’s schemes are designed for multi-server architecture. Lu et al. claimed the schemes to be invincible against the known attacks. However, this paper shows that one of the Lu et al.’s scheme is susceptible to user anonymity violation and impersonation attacks, whereas Lu et al.’s second scheme is susceptible to user impersonation attack. Therefore an enhanced scheme is introduced in this paper. The proposed scheme is more robust than subsisting schemes. The proposed scheme is thoroughly verified and validated with formal and informal security discussion, and through the popular automated tool ProVerif. The in-depth analysis affirms that proposed scheme is lightweight in terms of computations while attaining mutual authentication and is invincible against the known attacks, hence is more suitable for automated big data analysis for social multimedia networking environments.     

A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps

Spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols for among the service seeker users, sensing component sensor nodes (SNs) and the service provider base-station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both the schemes achieve mutual authentication, establish session key and resist many known attacks but still have security weaknesses. We show the applicability of stolen verifier, user impersonation, password guessing and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to password guessing attack. In both the schemes, the security of the session key established between user and SNs is imperfect due to lack of forward secrecy and session-specific temporary information leakage attack. In addition both the schemes impose extra computational load on resource scanty sensor-nodes and are not user friendly due to absence of user anonymity and lack of password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSN using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSN based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.     

多服务器环境下可实现访问控制的身份认证方案

相比单服务,多服务器环境的认证方案具有不需要用户重复注册和记忆多个密码等优点,近年来受到学界关注。2015年,屈娟等人提出一个多服务器环境下基于切比雪夫多项式的三因素身份认证方案。相比目前其他多服务器环境的身份认证方案,该方案具有一定新意。但通过分析可以发现该方案仍然存在如下缺陷：容易受到重复注册攻击;生物特征处理不恰当;认证过程严重依赖注册中心,容易遭受拒绝服务器攻击以及系统整体健壮性不高;协议部分设计存在不合理之处。为了解决上述问题,提出基于安全概略和切比雪夫多项式的三因素身份认证方案。通过分析可知该方案虽然计算量有所提升但是能较好解决屈娟等人所提方案存在的安全威胁,同时该方案也能实现访问控制。     

Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem

Conventional single-server authentication schemes suffer a significant shortcoming. If a remote user wishes to use numerous network services, he/she must register his/her identity and password at these servers. It is extremely tedious for users to register numerous servers. In order to resolve this problem, various multi-server authentication schemes recently have been proposed. However, these schemes are insecure against some cryptographic attacks or inefficiently designed because of high computation costs. Moreover, these schemes do not provide strong key agreement function which can provide perfect forward secrecy. Based on these motivations, this paper proposes a new efficient and secure biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem (ECC) without verification table to minimize the complexity of hash operation among all users and fit multi-server communication environments. By adopting the biometrics technique, the proposed scheme can provide more strong user authentication function. By adopting the ECC technique, the proposed scheme can provide strong key agreement function with the property of perfect forward secrecy to reduce the computation loads for smart cards. As a result, compared with related multi-serve authentication schemes, the proposed scheme has strong security and enhanced computational efficiency. Thus, the proposed scheme is extremely suitable for use in distributed multi-server network environments such as the Internet and in limited computations and communication resource environments to access remote information systems since it provides security, reliability, and efficiency.     

An efficient mutual authentication and key agreement protocol preserving user anonymity in mobile networks

We address the problem of mutual authentication and key agreement with user anonymity for mobile networks. Recently, Lee et al. proposed such a scheme, which is claimed to be a slight modification of, but a security enhancement on Zhu et al.’s scheme based on the smart card. In this paper, however, we reveal that both schemes still suffer from certain weaknesses which have been previously overlooked, and thus are far from the desired security. We then propose a new protocol which is immune to various known types of attacks. Analysis shows that, while achieving identity anonymity, key agreement fairness, and user friendliness, our scheme is still cost-efficient for a general mobile node.     

Two efficient two-factor authenticated key exchange protocols in public wireless LANs

Recently, Parks et al. proposed an authentication and key agreement protocol for low-power PDAs in public wireless LANs using two factors including a password and a token, e.g. a smart card. They claimed that their proposed scheme provided mutual authentication, identity privacy, half-forward secrecy and low computation cost for a client including just one symmetric key encryption and five hash operations. In this paper, we point out that Park et al.’s protocol is vulnerable to the dictionary attack upon identity privacy. We propose two schemes with mutual authentication, half-forward secrecy, lower computation cost and less exchanged messages than Park et al.’s protocol. In additional to these properties, identity privacy, which is not satisfied by Park et al.’s protocol, is also provided by our second scheme.     

基于混沌映射的多因子认证密钥协商协议

在开放的网络环境中,身份认证是确保信息安全的一种重要手段。针对Li等（LI X,WU F,KHAN M K,et al.A secure chaotic map-based remote authentication scheme for telecare medicine information systems.Future Generation Computer Systems,2017,84：149-159.）提出的身份认证协议,指出其容易遭受用户冒充攻击、拒绝服务攻击等缺陷,并提出一个新的多因子认证协议来修复以上安全漏洞。该协议使用了扩展混沌映射,采用动态身份保护用户匿名性,并利用三次握手技术实现异步认证。安全性分析结果表明,所提协议可以抵抗冒充攻击、拒绝服务攻击,能够保护用户匿名性和身份唯一性。     

An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks

User authentication with unlinkability is one of the corner stone services for many security and privacy services which are required to secure communications in wireless sensor networks (WSNs). Recently, Xue et al. proposed a temporal-credential-based mutual authentication and key agreement scheme for WSNs, and claimed that their scheme achieves identity and password protection, and the resiliency of stolen smart card attacks. However, we observe that Xue et al.’s scheme is subject to identity guessing attack, tracking attack, privileged insider attack and weak stolen smart card attack. In order to fix the drawbacks, we propose an enhanced authentication scheme with unlinkability. Additionally, the proposed scheme further cuts the computational cost. Therefore, the proposed scheme not only remedies its security flaws but also improves its performance. It is more suitable for practical applications of WSNs than Xue et al.’s scheme.     

Dynamic ID-based remote user password authentication schemes using smart cards: A review

Remote user authentication is a mechanism, in which the remote server verifies the legitimacy of a user over an insecure communication channel. Until now, there have been ample of remote user authentication schemes published in the literature and each published scheme has its own merits and demerits. A common feature among most of the published schemes is that the user's identity (ID) is static in all the transaction sessions, which may leak some information about that user and can create risk of identity theft during the message transmission. To overcome this risk, many researchers have proposed dynamic ID based remote user authentication schemes. In this paper, we have defined all the security requirements and all the goals an ideal password authentication scheme should satisfy and achieve. We have presented the results of our survey through six of the currently available dynamic ID based remote user authentication schemes. All the schemes are vulnerable to guessing attack except Khan et al.'s scheme, and do not meet the goals such as session key agreement, secret key forward secrecy. In the future, we hope an ideal dynamic ID based password authentication scheme, which meets all the security requirements and achieves all the goals can be developed.     

A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. The proposed authentication in SIP is HTTP digest based authentication. Recently, Tu et al. presented an improvement of Zhang et al.’s smart card-based authenticated key agreement protocol for SIP. Their scheme efficiently resists password guessing attack. However, in this paper, we analyze the security of Tu et al.’s scheme and demonstrate their scheme is still vulnerable to user’s impersonation attack, server spoofing attack and man-in-the middle attack. We aim to propose an efficient improvement on Tu et al.’s scheme to overcome the weaknesses of their scheme, while retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Tu et al.’s scheme. Furthermore, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks. Additionally, the proposed scheme is comparable in terms of the communication and computational overheads with Tu et al.’s scheme and other related existing schemes.     

Perfect forward secrecy in VoIP networks through design a lightweight and secure authenticated communication scheme

With the growth of the internet, development of IP based services has increased. Voice over IP (VoIP) technology is one of the services which works based on the internet and packet switching networks and uses this structure to transfer the multimedia data e.g. voices and images. Recently, Chaudhry et al., Zhang et al. and Nikooghadam et al. have presented three authentication and key agreement protocols, separately. However, in this paper, it is proved that the presented protocols by Chaudhry et al. and also Nikooghadam et al. do not provide the perfect forward secrecy, and the presented protocol by Zhang et al. not only is vulnerable to replay attack, and known session-specific temporary information attack, but also does not provide user anonymity, re-registration and revocation, and violation of fast error detection. Therefore, a secure and efficient two-factor authentication and key agreement protocol is presented. The security analysis proves that our proposed protocol is secure against various attacks. Furthermore, security of proposed scheme is formally analyzed using BAN logic and simulated by means of the AVISPA tool. The simulation results demonstrate security of presented protocol against active and passive attacks. The communication and computation cost of the proposed scheme is compared with previously proposed authentication schemes and results confirm superiority of the proposed scheme.

     

对三个多服务器环境下匿名认证协议的分析

设计安全高效的多服务器环境下匿名身份认证协议是当前安全协议领域的研究热点。基于广泛接受的攻击者模型,对多服务器环境下的三个代表性匿名认证协议进行了安全性分析.指出Wan等协议无法实现所声称的离线口令猜测攻击,且未实现用户匿名性和前向安全性;指出Amin等协议同样不能抵抗离线口令猜测攻击,且不能提供匿名性,对两种破坏前向安全性的攻击是脆弱的;指出Reedy等协议不能抵抗所声称的用户仿冒攻击和离线口令猜测攻击,且无法实现用户不可追踪性.突出强调这些协议失败的根本原因在于,违反协议设计的三个基本原则：公钥原则、用户匿名性原则和前向安全性原则.明确协议的具体失误之处,并提出相应修正方法.     

对两个基于智能卡的口令认证协议的安全性分析

身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷。分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境。     

New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography

In this work, we demonstrate that Chaudhry et al.’s recent biometrics-based three factor authentication scheme is vulnerable to the denial of service attack, and it also fails to provide perfect forward secrecy because it only uses the lightweight symmetric key primitives to ensure security. To enhance the information security, this article presents a new robust biometrics-based mutual authentication scheme using elliptic curve cryptography for client-server architecture based applications in mobile environment. The proposed scheme supports session key agreement and flawless mutual authentication of participants, which is proved under the BAN logic. Moreover, the proposed scheme provides prefect security attributes and resists all known attacks, and it has perfect performance in communication cost. Thereby, the proposed scheme is more suitable for client-server architecture based applications.     

Two robust remote user authentication protocols using smart cards

With the rapid growth of electronic commerce and enormous demand from variants of Internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme or universal access control mechanism. In order to reduce implementation complexity and achieve computation efficiency, design issues for efficient and secure password based remote user authentication scheme have been extensively investigated by research community in these two decades. Recently, two well-designed password based authentication schemes using smart cards are introduced by Hsiang and Shih (2009) and Wang et al. (2009), respectively. Hsiang et al. proposed a static ID based authentication protocol and Wang et al. presented a dynamic ID based authentication scheme. The authors of both schemes claimed that their protocol delivers important security features and system functionalities, such as mutual authentication, data security, no verification table implementation, freedom on password selection, resistance against ID-theft attack, replay attack and insider attack, as well as computation efficiency. However, these two schemes still have much space for security enhancement. In this paper, we first demonstrate a series of vulnerabilities on these two schemes. Then, two enhanced protocols with corresponding remedies are proposed to eliminate all identified security flaws in both schemes.     

对两个基于智能卡的多服务器身份认证方案的密码学分析与改进

身份认证是用户访问网络资源时的一个重要安全问题。近来,Xu等(XU C, JIA Z, WEN F, et al. Cryptanalysis and improvement of a dynamic ID based remote user authentication scheme using smart cards [J]. Journal of Computational Information Systems, 2013, 9(14): 5513-5520)提出了一个基于智能卡的动态身份用户认证方案。分析指出其方案不能抵抗中间人攻击和会话密钥泄露攻击,且无法实现会话密钥前向安全性。此外,指出Choi等(CHOI Y, NAM J, LEE D, et al. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics [J]. The Scientific World Journal, 2014, 2014: 281305)提出的基于智能卡和生物特征的匿名多服务器身份认证方案(简称CNL方案)易遭受智能卡丢失攻击、服务器模仿攻击,且不能提保护用户的匿名性。最后,基于生物特征和扩展混沌映射,提出了一个安全的多服务器认证方案,安全分析结果表明,新方案消除了Xu方案和CNL方案的安全漏洞。     

An efficient user authentication and key exchange protocol for mobile client–server environment

Considering the low-power computing capability of mobile devices, the security scheme design is a nontrivial challenge. The identity (ID)-based public-key system with bilinear pairings defined on elliptic curves offers a flexible approach to achieve simplifying the certificate management. In the past, many user authentication schemes with bilinear pairings have been proposed. In 2009, Goriparthi et al. also proposed a new user authentication scheme for mobile client–server environment. However, these schemes do not provide mutual authentication and key exchange between the client and the server that are necessary for mobile wireless networks. In this paper, we present a new user authentication and key exchange protocol using bilinear pairings for mobile client–server environment. As compared with the recently proposed pairing-based user authentication schemes, our protocol provides both mutual authentication and key exchange. Performance analysis is made to show that our presented protocol is well suited for mobile client–server environment. Security analysis is given to demonstrate that our proposed protocol is provably secure against previous attacks.