Dynamic ID-based remote user password authentication schemes using smart cards: A review

Remote user authentication is a mechanism, in which the remote server verifies the legitimacy of a user over an insecure communication channel. Until now, there have been ample of remote user authentication schemes published in the literature and each published scheme has its own merits and demerits. A common feature among most of the published schemes is that the user's identity (ID) is static in all the transaction sessions, which may leak some information about that user and can create risk of identity theft during the message transmission. To overcome this risk, many researchers have proposed dynamic ID based remote user authentication schemes. In this paper, we have defined all the security requirements and all the goals an ideal password authentication scheme should satisfy and achieve. We have presented the results of our survey through six of the currently available dynamic ID based remote user authentication schemes. All the schemes are vulnerable to guessing attack except Khan et al.'s scheme, and do not meet the goals such as session key agreement, secret key forward secrecy. In the future, we hope an ideal dynamic ID based password authentication scheme, which meets all the security requirements and achieves all the goals can be developed.     

An efficient and secure multi-server authentication scheme with key agreement

Remote user authentication is used to validate the legitimacy of a remote log-in user. Due to the rapid growth of computer networks, many network environments have been becoming multi-server based. Recently, much research has been focused on proposing remote password authentication schemes based on smart cards for securing multi-server environments. Each of these schemes used either a nonce or a timestamp technique to prevent the replay attack. However, using the nonce technique to withstand the replay attack is potentially susceptible to the man-in-the-middle attack. Alternatively, when employing the timestamp method to secure remote password authentication, it will require the cost of implementing clock synchronization. In order to solve the above two issues, this paper proposes a self-verified timestamp technique to help the smart-card-based authentication scheme not only effectively achieve password-authenticated key agreement but also avoid the difficulty of implementing clock synchronization in multi-server environments. A secure authenticated key agreement should accomplish both mutual authentication and session key establishment. Therefore, in this paper we further give the formal proof on the execution of the proposed authenticated key agreement scheme.     

对三个多服务器环境下匿名认证协议的分析

设计安全高效的多服务器环境下匿名身份认证协议是当前安全协议领域的研究热点。基于广泛接受的攻击者模型,对多服务器环境下的三个代表性匿名认证协议进行了安全性分析.指出Wan等协议无法实现所声称的离线口令猜测攻击,且未实现用户匿名性和前向安全性;指出Amin等协议同样不能抵抗离线口令猜测攻击,且不能提供匿名性,对两种破坏前向安全性的攻击是脆弱的;指出Reedy等协议不能抵抗所声称的用户仿冒攻击和离线口令猜测攻击,且无法实现用户不可追踪性.突出强调这些协议失败的根本原因在于,违反协议设计的三个基本原则：公钥原则、用户匿名性原则和前向安全性原则.明确协议的具体失误之处,并提出相应修正方法.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficient, and security.     

A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards

Advancement in communication technology provides a scalable platform for various services, where a remote user can access the server from anywhere without moving from its place. It provides a unique opportunity for online services such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to the resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server. If a user wishes to access multiple application servers, he/she requires to register with each server. The multi-server authentication introduces a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user’s password and biometrics (Chuang and Chen, 2014). Their scheme is a lightweight, which requires the computation of only hash functions. In this paper, we first analyze Chuang and Chen’s scheme and then identify that their scheme does not resist stolen smart card attack which causes the user’s impersonation attack and server spoofing attack. We also show that their scheme fails to protect denial-of-service attack. We aim to propose an efficient improvement on Chuang and Chen’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Chuang and Chen’s scheme. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of the communication and computational overheads with Chuang and Chen’s scheme and other related existing schemes.     

A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards

Recently, Hsiang et al. pointed out that Liao-Wang’s dynamic ID based remote user authentication scheme for multi-server environment is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center attack and is not easily reparable. Besides, Liao-Wang’s scheme cannot achieve mutual authentication. For this, Hsiang et al. proposed an improved scheme to overcome these weaknesses and claimed that their scheme is efficient, secure, and suitable for the practical application environment. However, we observe that Hsiang et al.’s scheme is still vulnerable to a masquerade attack, server spoofing attack, and is not easily reparable. Furthermore, it cannot provide mutual authentication. Therefore, in this paper we propose an improved scheme to solve these weaknesses.     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment

Recently, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environment, and claimed that their scheme was intended to provide mutual authentication, two-factor security, replay attack, server spoofing attack, insider and stolen verifier attack, forward secrecy and user anonymity. In this paper, we show that Liao and Wang's scheme is still vulnerable to insider's attack, masquerade attack, server spoofing attack, registration center spoofing attack and is not reparable. Furthermore, it fails to provide mutual authentication. To remedy these flaws, this paper proposes an efficient improvement over Liao–Wang's scheme with more security. The computation cost, security, and efficiency of the improved scheme are well suited to the practical applications environment.     

Two robust remote user authentication protocols using smart cards

With the rapid growth of electronic commerce and enormous demand from variants of Internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme or universal access control mechanism. In order to reduce implementation complexity and achieve computation efficiency, design issues for efficient and secure password based remote user authentication scheme have been extensively investigated by research community in these two decades. Recently, two well-designed password based authentication schemes using smart cards are introduced by Hsiang and Shih (2009) and Wang et al. (2009), respectively. Hsiang et al. proposed a static ID based authentication protocol and Wang et al. presented a dynamic ID based authentication scheme. The authors of both schemes claimed that their protocol delivers important security features and system functionalities, such as mutual authentication, data security, no verification table implementation, freedom on password selection, resistance against ID-theft attack, replay attack and insider attack, as well as computation efficiency. However, these two schemes still have much space for security enhancement. In this paper, we first demonstrate a series of vulnerabilities on these two schemes. Then, two enhanced protocols with corresponding remedies are proposed to eliminate all identified security flaws in both schemes.     

云环境下基于PTPM和无证书公钥的身份认证方案

为了解决目前云环境下用户与云端之间进行身份认证时所存在的安全问题和不足,本文首次将PTPM(Portable TPM)和无证书公钥密码体制应用到云环境中,提出一种用于实现用户与云端之间双向身份认证的方案.和现有方案相比,新方案具有以下特点:在通过建立身份管理机制实现用户和云端身份唯一性的基础上,首先利用PTPM不仅确保了终端平台的安全可信和云端与用户之间认证结果的真实正确,而且支持用户利用任意终端设备来完成与云端的身份认证过程;其次,新方案基于无证书公钥签名算法实现了“口令+密钥”的双因子认证过程;最后,通过安全性理论证明和性能分析,证明本文提出的方案在保证EUF-CMA安全性的同时,显著提高了用户和云端之间身份认证的计算效率.     

多服务器环境下可实现访问控制的身份认证方案

相比单服务,多服务器环境的认证方案具有不需要用户重复注册和记忆多个密码等优点,近年来受到学界关注。2015年,屈娟等人提出一个多服务器环境下基于切比雪夫多项式的三因素身份认证方案。相比目前其他多服务器环境的身份认证方案,该方案具有一定新意。但通过分析可以发现该方案仍然存在如下缺陷：容易受到重复注册攻击;生物特征处理不恰当;认证过程严重依赖注册中心,容易遭受拒绝服务器攻击以及系统整体健壮性不高;协议部分设计存在不合理之处。为了解决上述问题,提出基于安全概略和切比雪夫多项式的三因素身份认证方案。通过分析可知该方案虽然计算量有所提升但是能较好解决屈娟等人所提方案存在的安全威胁,同时该方案也能实现访问控制。     

Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem

Conventional single-server authentication schemes suffer a significant shortcoming. If a remote user wishes to use numerous network services, he/she must register his/her identity and password at these servers. It is extremely tedious for users to register numerous servers. In order to resolve this problem, various multi-server authentication schemes recently have been proposed. However, these schemes are insecure against some cryptographic attacks or inefficiently designed because of high computation costs. Moreover, these schemes do not provide strong key agreement function which can provide perfect forward secrecy. Based on these motivations, this paper proposes a new efficient and secure biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem (ECC) without verification table to minimize the complexity of hash operation among all users and fit multi-server communication environments. By adopting the biometrics technique, the proposed scheme can provide more strong user authentication function. By adopting the ECC technique, the proposed scheme can provide strong key agreement function with the property of perfect forward secrecy to reduce the computation loads for smart cards. As a result, compared with related multi-serve authentication schemes, the proposed scheme has strong security and enhanced computational efficiency. Thus, the proposed scheme is extremely suitable for use in distributed multi-server network environments such as the Internet and in limited computations and communication resource environments to access remote information systems since it provides security, reliability, and efficiency.     

An efficient anonymous authentication protocol in multiple server communication networks (EAAM)

In a multi-server authentication environment, a user only needs to register once at a central registration place before accessing the different services on the different registered servers. Both, from a user point of view as for the management and maintenance of the infrastructure, these types of environments become more and more popular. Smartcard- or smartphone-based approaches lead to more secure systems because they offer two- or three-factor authentication, based on the strict combination of the user’s password, the user’s biometrics and the possession of the device. In this paper, we propose an efficient anonymous authentication protocol in multiple server communication networks, called the EAAM protocol, which is able to establish user anonymity, mutual authentication, and resistance against known security attacks. The novelty of the proposed scheme is that it does not require a secure channel during the registration between the user and the registration center and is resistant to a curious but honest registration system. These features are established in a highly efficient way with the minimum amount of communication flows between user and server during the establishment of the secret shared key and by using light-weight cryptographic techniques such as Chebyshev chaotic map techniques and symmetric key cryptography. The performance and security of the protocol are analyzed and compared with the latest new proposals in this field.     

A strong user authentication scheme with smart cards for wireless communications

Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.     

Secure Group Communication with Hidden Group Key

ABSTRACT

Grid environment is mainly concerned with sharing diverse resources belonging to different administrative domains. Security and scalability are important issues for secure group communication in a grid environment. Secure group communication among group members working on collaborative tasks involves confidentiality and authenticity of the message and the session key. In order to transmit the data in a secure way, a suitable key transfer protocol should be implemented. Key transfer protocols rely on a centralized Key Management Center (KMC), an entity responsible for managing user authentication, generating group keys and distributing it to all the members of the communicating group secretly. In this paper, we proposed a secure key transfer protocol that uses the concepts of soft dipole representation of the image and steganography for transferring password and group key securely to the users. In this protocol, users submit their images at the time of registration with the KMC. First KMC compute the soft dipole representation S_I of every user's image and each user's image can be uniquely represented by its corresponding soft dipole representation. The soft dipole representation of each user's image is used as a password for authentication of corresponding user with KMC. KMC generates the group key using soft dipoles of the images of the group members. To preserve the confidentiality, the group key is embedded into an image (using information hiding technique) and KMC broadcast that image to all the group members.     

基于扩展混沌映射的远程医疗信息系统认证方案

针对远程医疗信息系统（TMIS）的实时应用场景,提出了一种安全高效的基于扩展混沌映射的切比雪夫多服务器认证协议。该方案使用随机数和注册中心的私钥为用户/应用服务器的身份加密,有效地支持用户和应用服务器的撤销和重新注册。同时,还利用“模糊验证因子”技术避免离线密码猜测攻击,利用“honeywords”技术有效避免在线密码猜测攻击。该方案在公共信道上传输的与用户身份相关的信息均使用随机数或随机数的计算结果进行加密,因此可以为用户提供强匿名性。通过BAN逻辑证明该协议可以实现用户和服务器的安全相互认证;同时,使用非正式安全证明该协议可以抵抗多种已知攻击。     

An anonymous and efficient remote biometrics user authentication scheme in a multi server environment

As service demands rise and expand single-server user authentication has become unable to satisfy actual application demand. At the same time identity and password based authentication schemes are no longer adequate because of the insecurity of user identity and password. As a result biometric user authentication has emerged as a more reliable and attractive method. However, existing biometric authentication schemes are vulnerable to some common attacks and provide no security proof, some of these biometric schemes are also either inefficient or lack sufficient concern for privacy. In this paper, we propose an anonymous and efficient remote biometric user authentication scheme for a multi-server architecture with provable security. Through theoretical mathematic deduction, simulation implementation, and comparison with related work, we demonstrate that our approach can remove the aforementioned weaknesses and is well suited for a multi-server environment.     

An efficient user authentication and key exchange protocol for mobile client–server environment

Considering the low-power computing capability of mobile devices, the security scheme design is a nontrivial challenge. The identity (ID)-based public-key system with bilinear pairings defined on elliptic curves offers a flexible approach to achieve simplifying the certificate management. In the past, many user authentication schemes with bilinear pairings have been proposed. In 2009, Goriparthi et al. also proposed a new user authentication scheme for mobile client–server environment. However, these schemes do not provide mutual authentication and key exchange between the client and the server that are necessary for mobile wireless networks. In this paper, we present a new user authentication and key exchange protocol using bilinear pairings for mobile client–server environment. As compared with the recently proposed pairing-based user authentication schemes, our protocol provides both mutual authentication and key exchange. Performance analysis is made to show that our presented protocol is well suited for mobile client–server environment. Security analysis is given to demonstrate that our proposed protocol is provably secure against previous attacks.     

A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture

Traditional password based authentication schemes are mostly considered in single-server environments. They are unfit for the multi-server environments from two aspects. Recently, base on Sood et al.?s protocol (2011), Li et al. proposed an improved dynamic identity based authentication and key agreement protocol for multi-server architecture (2012). Li et al. claim that the proposed scheme can make up the security weaknesses of Sood et al.?s protocol. Unfortunately, our further research shows that Li et al.?s protocol contains several drawbacks and cannot resist some types of known attacks. In this paper, we further propose a lightweight dynamic pseudonym identity based authentication and key agreement protocol for multi-server architecture. In our scheme, service providing servers don?t need to maintain verification tables for users. The proposed protocol provides not only the declared security features in Li et al.?s paper, but also some other security features, such as traceability and identity protection.