HEAP: A packet authentication scheme for mobile ad hoc networks

In mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs), it is easy to launch various sophisticated attacks such as wormhole, man-in-the-middle and denial of service (DoS), or to impersonate another node. To combat such attacks from outsider nodes, we study packet authentication in wireless networks and propose a hop-by-hop, efficient authentication protocol, called HEAP. HEAP authenticates packets at every hop by using a modified HMAC-based algorithm along with two keys and drops any packets that originate from outsiders. HEAP can be used with multicast, unicast or broadcast applications. We ran several simulations to compare HEAP with existing authentication schemes, such as TESLA, LHAP and Lu and Pooch’s algorithm. We measured metrics such as latency, throughput, packet delivery ratio, CPU and memory utilization and show that HEAP performs very well compared to other schemes while guarding against outsider attacks.     

Improvement of robust smart‐card‐based password authentication scheme

Smart‐card‐based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in the last decade. Recently, Chen et al. proposed a smart‐card‐based password authentication scheme and claimed that the scheme can withstand offline password guessing attacks even if the information stored in the smart card is extracted by the adversary. However, we observe that the scheme of Chen et al. is insecure against offline password guessing attacks in this case. To remedy this security problem, we propose an improved authentication protocol, which inherits the merits of the scheme of Chen et al. and is free from the security flaw of their scheme. Compared with the previous schemes, our improved scheme provides more security guarantees while keeping efficiency. Copyright © 2013 John Wiley & Sons, Ltd.     

A Provably Secure Multi-server Based Authentication Scheme

With the rapid growth of electronic commerce and demand on variants of Internet based applications, the system providing resources and business services often consists of many servers around the world. So far, a variety of authentication schemes have been published to achieve remote user authentication on multi-server communication environment. Recently, Pippal et al. proposed a multi-server based authentication protocol to pursue the system security and computation efficiency. Nevertheless, based on our analysis, the proposed scheme is insecure against user impersonation attack, server counterfeit attack, and man-in-the-middle attack. In this study, we first demonstrate how these malicious attacks can be invoked by an adversary. Then, a security enhanced authentication protocol is developed to eliminate all identified weaknesses. Meanwhile, the proposed protocol can achieve the same order of computation complexity as Pippal et al.’s protocol does.     

Threshold password authentication against guessing attacks in Ad hoc networks

Password authentication has been accepted as one of the commonly used solutions in network environment to protect resources from unauthorized access. The emerging mobile Ad hoc network, however, has called for new requirements for designing authentication schemes due to its dynamic nature and vulnerable-to-attack structure, which the traditional schemes overlooked, such as availability and strong security against off line guessing attacks in face of node compromise. In this paper, we propose a threshold password authentication scheme, which meets both availability and strong security requirements in the mobile Ad hoc networks. In our scheme, t out of n server nodes can jointly achieve mutual authentication with a registered user within only two rounds of message exchanges. Our scheme allows users to choose and change their memorable password without subjecting to guessing attacks. Moreover, there is no password table in the server nodes end, which is preferable since mobile nodes are usually memory-restricted devices. We also show that our scheme is efficient to be implemented in mobile devices.     

Provably secure and efficient PUF‐based broadcast authentication schemes for smart grid applications

Many smart grid applications need broadcast communications. Because of the critical role of the broadcasted messages in these applications, their authentication is very important to prevent message forgery attacks. Smart grid consists of plenty of low‐resource devices such as smart meters or phasor measurement units (PMUs) that are located in physically unprotected environments. Therefore, the storage and computational constraints of these devices as well as their security against physical attacks must be considered in designing broadcast authentication schemes. In this paper, we consider two communication models based on the resources of the broadcasters and receivers and propose a physical unclonable function (PUF)–based broadcast authentication scheme for each of them including Broadcast Authentication with High‐Resource Broadcaster (BA‐HRB) and Broadcast Authentication with Low‐Resource Broadcaster (BA‐LRB). We formally prove that both schemes are unforgeable and memory leakage resilient. Moreover, we analyze the performance of our proposed schemes and compare them with related works. The comparison results demonstrate a significant improvement in the storage and computational overhead of our schemes compared with the related works.     

<Emphasis Type="Italic">EIAS-CP:</Emphasis> new efficient identity-based authentication scheme with conditional privacy-preserving for VANETs

In VANETs, vehicles broadcast traffic-related messages periodically according to Dedicated Short Range Communication protocol. To ensure the reliability and integrity of messages, authentication schemes are involved in VANETs. As traffic-related messages are time-sensitive, they must be verified and processed timely, or it may cause inestimable harm to the traffic system. However, the OBUs and the RSUs are limited in computation ability and cannot afford vast messages’ verification. Recently, some identity-based authentication schemes using bilinear pairing have been proposed to improve the efficiency of message verification for VANETs. Nevertheless, the bilinear pairing is not suited for VANETs due to its complex operations. The design of an efficient and secure authentication scheme with low computation cost for VANETs still is a rewarding challenge. To settle this challenge, a new efficient identity-based authentication scheme is proposed in this paper. The proposed scheme ensures reliability and integrity of messages and provides conditional privacy-preserving. Compared with the most recent proposed authentication schemes for VANETs, the computation costs of the message signing and verification in the proposed scheme reduce by 88 and 93 % respectively, while security analysis demonstrates that our proposed scheme satisfies all security and privacy requirements for VANETs.     

Multimedia Broadcast Authentication Based on Batch Signature [Advances in Mobile Multimedia]

Conventional block-based broadcast authentication protocols overlook the heterogeneity of receivers in mobile computing by letting the sender choose the block size, divide a broadcast stream into blocks, associate each block with a signature, and spread the effect of the signature across all the packets in the block through hash or coding algorithms. They suffer from some drawbacks. First, they require that the entire block with its signature be collected before authenticating every packet in the block. This authentication latency can lead to the jitter effect on real-time applications at receivers. Second, the block-based approach is vulnerable to packet loss in mobile computing in the sense that the loss of some packets makes the other packets unable to be authenticated, especially when the block signature is lost. Third, they are also vulnerable to DoS attacks caused by the injection of forged packets. In this article we propose a novel broadcast authentication protocol based on an efficient cryptographic primitive called a batch signature. Our protocol supports the verification of the authenticity of any number of packets simultaneously and avoids the shortcomings of the block-based approach.     

Analysis and Improvement of a Robust Smart Card Based-Authentication Scheme for Multi-Server Architecture

Recently, Pippal et al. proposed an authentication scheme for multi-server architecture and claimed that their scheme had many advantages compared to the previous schemes, such as security, reliability, etc. In this paper, we reanalyze the security of their scheme and demonstrate that their scheme is vulnerable to impersonation attack even if the adversary doesn’t know the information stored in the user’s smart card. Moreover, the adversary can proceed off-line password guessing attack if the user’s smart card is compromised. In order to eliminate those shortcomings, we propose an improved multi-server authentication scheme which can preserve user anonymity. We demonstrate the completeness of the proposed scheme through the BAN logic. Compared with other related protocols, the security analysis and performance evaluation show that our proposed scheme can provide stronger security.     

An efficient three factor–based authentication scheme in multiserver environment using ECC

Recently, Li et al have developed a smartcard‐based remote user authentication scheme in multiserver environment. They have claimed that their scheme is secured against some possible cryptographic attacks. However, we have analyzed that the scheme of Li et al cannot preserve all the proclaimed security goals, which are given as follows: (1) It is not withstanding password‐guessing, user impersonation, insider, and smartcard theft attacks, and (2) it fails to facilitate user anonymity property. To remedy these above‐mentioned security flaws, we have proposed an efficient three factor–based authentication scheme in a multiserver environment using elliptic curve cryptography. The Burrows‐Abadi‐Needham logic is used to confirm the security validation of our scheme, which ensures that it provides mutual‐authentication and session‐key agreement securely. Then, the random oracle model is also considered to analyze the proposed scheme, and it shows that the backbone parameters, ie, identity, password, biometrics, and the session key, are secure from an adversary. Further, the informal security analysis confirms that the suggested scheme can withstand against some possible mentioned attacks. Later, the Automated Validation of Internet Security Protocols and Applications tool is incorporated to ensure its security against passive and active attacks. Finally, the performance comparison of the scheme is furnished to confirm its enhanced security with other relevant schemes.     

Design and Validation of an Efficient Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks

Designing a user authentication protocol with anonymity for the global mobility network (GLOMONET) is a difficult task because wireless networks are susceptible to attacks and each mobile user has limited power, processing and storage resources. In this paper, a secure and lightweight user authentication protocol with anonymity for roaming service in the GLOMONET is proposed. Compared with other related approaches, our proposal has many advantages. Firstly, it uses low-cost functions such as one-way hash functions and exclusive-OR operations to achieve security goals. Having this feature, it is more suitable for battery-powered mobile devices. Secondly, it uses nonces instead of timestamps to avoid the clock synchronization problem. Therefore, an additional clock synchronization mechanism is not needed. Thirdly, it only requires four message exchanges between the user, foreign agent and home agent. Further, the security properties of our protocol are formally validated by a model checking tool called AVISPA. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, no password table, and high efficiency in password authentication. Security and performance analyses show that compared with other related authentication schemes, the proposed scheme is more secure and efficient.     

An efficient reliable broadcasting protocol for wireless mobile ad hoc networks

The mobile ad hoc network (MANET) has recently been recognized as an attractive network architecture for wireless communication. Reliable broadcast is an important operation in MANET (e.g., giving orders, searching routes, and notifying important signals). However, using a naive flooding to achieve reliable broadcasting may be very costly, causing a lot of contention, collision, and congestion, to which we refer as the broadcast storm problem. This paper proposes an efficient reliable broadcasting protocol by taking care of the potential broadcast storm problem that could occur in the medium-access level. Existing protocols are either unreliable, or reliable but based on a too costly approach. Our protocol differs from existing protocols by adopting a low-cost broadcast, which does not guarantee reliability, as a basic operation. The reliability is ensured by additional acknowledgement and handshaking. Simulation results do justify the efficiency of the proposed protocol.     

适用于车载边缘计算网络的高效匿名认证协议

为了解决车载边缘计算网络中无线网络传输特性导致的窃听、重放、拦截、篡改等安全威胁,考虑到车载终端资源有限的特点,提出了一种轻量级匿名高效身份认证协议。基于切比雪夫混沌映射算法,避免了多数方案所采用的指数、双线性映射等复杂算法,有效降低了身份认证与密钥协商过程中的计算复杂度。此外,在实现接入认证及切换认证的同时,能够实现终端匿名性及可追溯、可撤销等安全功能。通过Scyther工具验证结果表明该协议能够满足认证过程中的安全需求并且能够抵抗多种协议攻击。相比已有方案,所提接入认证方案总计算开销最低可节省67%,带宽开销最低可节省11%。此外,相比于接入认证方案,所提域内切换认证方案总计算开销可节省99.8%,带宽开销可节省52%;域间切换认证方案总计算开销可节省80%,带宽开销可节省37%。性能分析结果表明该协议具备更良好的计算和通信性能,因此可以解决车载边缘计算网络中的终端高效安全接入及切换问题。     

Cryptanalysis and improvement of 2 mutual authentication schemes for Session Initiation Protocol

Recently, Chaudhry et al and Kumari et al proposed an advanced mutual authentication protocol for Session Initiation Protocol on the basis of the protocol of Lu et al. The authors claimed that their schemes can be resistant to various attacks. Unfortunately, we observe some important flaws in their respective schemes. We point out that their schemes are prone to off‐line password guessing and privileged insider attacks. To remedy their protocols's drawbacks, in this paper, we present a new improved authentication scheme keeping apart the threats encountered in the design of the schemes of Chaudhry et al and Kumari et al. Furthermore, the security analysis illustrates that our proposed scheme not only removes these drawbacks in their schemes but also can resist all known attacks and provide session key security. We give a heuristic security analysis and also provide the security analysis of the proposed scheme with the help of widespread Burrows‐Abadi‐Needham Logic. Finally, our scheme is compared with the previously proposed schemes on security and performance.     

GHAP: An Efficient Group-based Handover Authentication Mechanism for IEEE 802.16m Networks

IEEE 802.16m is now under consideration by the International Telecommunication Union (ITU) to become the International Mobile Telecommunications (IMT)-Advanced standard. However, handover authentication is a critical issue in this area. In this paper, we propose an efficient group-based handover authentication mechanism, named as GHAP, for correlated mobile stations (MSs) in IEEE 802.16m networks. In our scheme, the correlated MSs who have the similar Signal to Interference-plus-Noise Ratio and history handover information etc. are divided into the same handover group. When the first MS of the handover group members moves from the service base station (BS) to a target BS, the service BS transmits all the handover group members’ security context to the target BS utilizing the security context transfer (SCT) method and then all these MSs in the same handover group can easily perform the handover authentication with the target BS. Different from the conventional SCT schemes, our scheme uses the MSs’ security context as a symmetric key of Cipher-based message authentication code (CMAC) but not the key material of deriving new session key. Therefore, the proposed scheme can effectively resist the domino effect existing in the previous SCT schemes. Moreover, security analysis shows that the proposed scheme also meets the other security requirements in handover authentication semantics. Furthermore, performance analysis demonstrates that the proposed scheme is very efficient in reducing average handover latency.     

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Hao proposed the YAK as a robust key agreement based on public‐key authentication, and the author claimed that the YAK protocol withstands all known attacks and therefore is secure against an extremely strong adversary. However, Toorani showed the security flaws in the YAK protocol. This paper shows that the YAK protocol cannot withstand the known key security attack, and its consequences lead us to introduce a new key compromise impersonation attack, where an adversary is allowed to reveal both the shared static secret key between two‐party participation and the ephemeral private key of the initiator party in order to mount this attack. In addition, we present a new security model that covers these attacks against an extremely strong adversary. Moreover, we propose an improved YAK protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism in its block design that provides entity authentication and key confirmation. Meanwhile, we show that the proposed protocol is secure in the proposed formal security model under the gap Diffie‐Hellman assumption and the random oracle assumption. Moreover, we verify the security of the proposed protocol and YAK protocol by using an automatic verification method such as the Scyther tool, and the verification result shows that the security claims of the proposed protocol are proven, in contrast to those of the YAK protocol, which are not proven. The security and performance comparisons show that the improved YAK protocol outperforms previous related protocols.     

An enhanced scheme for mutual authentication for healthcare services

With the advent of state-of-art technologies, the Telecare Medicine Information System (TMIS) now offers fast and convenient healthcare services to patients at their doorsteps. However, this architecture engenders new risks and challenges to patients' and the server's confidentiality, integrity and security. In order to avoid any resource abuse and malicious attack, employing an authentication scheme is widely considered as the most effective approach for the TMIS to verify the legitimacy of patients and the server. Therefore, several authentication protocols have been proposed to this end. Very recently, Chaudhry et al. identified that there are vulnerabilities of impersonation attacks in Islam et al.'s scheme. Therefore, they introduced an improved protocol to mitigate those security flaws. Later, Qiu et al. proved that these schemes are vulnerable to the man-in-the-middle, impersonation and offline password guessing attacks. Thus, they introduced an improved scheme based on the fuzzy verifier techniques, which overcome all the security flaws of Chaudhry et al.'s scheme. However, there are still some security flaws in Qiu et al.'s protocol. In this article, we prove that Qiu et al.'s protocol has an incorrect notion of perfect user anonymity and is vulnerable to user impersonation attacks. Therefore, we introduce an improved protocol for authentication, which reduces all the security flaws of Qiu et al.'s protocol. We also make a comparison of our protocol with related protocols, which shows that our introduced protocol is more secure and efficient than previous protocols.     

LPPA: Lightweight privacy‐preservation access authentication scheme for massive devices in fifth Generation (5G) cellular networks

Because of the requirements of stringent latency, high‐connection density, and massive devices concurrent connection, the design of the security and efficient access authentication for massive devices is the key point to guarantee the application security under the future fifth Generation (5G) systems. The current access authentication mechanism proposed by 3rd Generation Partnership Project (3GPP) requires each device to execute the full access authentication process, which can not only incur a lot of protocol attacks but also result in signaling congestion on key nodes in 5G core networks when sea of devices concurrently request to access into the networks. In this paper, we design an efficient and secure privacy‐preservation access authentication scheme for massive devices in 5G wireless networks based on aggregation message authentication code (AMAC) technique. Our proposed scheme can accomplish the access authentication between massive devices and the network at the same time negotiate a distinct secret key between each device and the network. In addition, our proposed scheme can withstand a lot of protocol attacks including interior forgery attacks and DoS attacks and achieve identity privacy protection and group member update without sacrificing the efficiency. The Burrows Abadi Needham (BAN) logic and the formal verification tool: Automated Validation of Internet Security Protocols and Applications (AVISPA) and Security Protocol ANimator for AVISPA (SPAN) are employed to demonstrate the security of our proposed scheme.     

一种基于动态ID刷新机制的低成本RFID标签双向认证协议(英文)

In order to solve the various privacy and security problems in RFID system, a new low-cost RFID mutual authentication protocol based on ID updating mechanics is proposed. In the proposed scheme, the backend server keeps both the current ID and potential next ID for each tag, thus to solve the possible problem of de-synchronization attack in the most ID updating-based schemes. In the security analysis section, comparing several protocols in property required and attacker resistances, the comparison results s...     

Wireless broadcast encryption based on smart cards

Wireless broadcasting is an efficient way to broadcast data to a large number of users. Some commercial applications of wireless broadcasting, such as satellite pay-TV, desire that only those users who have paid for the service can retrieve broadcast data. This is often achieved by broadcast encryption, which allows a station securely to broadcast data to a dynamically changing set of privileged users through open air. Most existing broadcast encryption schemes can only revoke a pre-specified number of users before system re-setup or require high computation, communication and storage overheads in receivers. In this paper, we propose a new broadcast encryption scheme based on smart cards. In our scheme, smart cards are used to prevent users from leaking secret keys. Additionally, once an illegally cloned smart card is captured, our scheme also allows tracing of the compromised smart card by which illegal smart cards are cloned, and can then revoke all cloned smart cards. The new features of our scheme include minimal computation needs of only a few modular multiplications in the smart card, and the capability to revoke up to any number of users in one revocation. Furthermore, our scheme is secure against both passive and active attacks and has better performance than other schemes.     

Wireless Ad Hoc Multicast Routing with Mobility Prediction

An ad hoc wireless network is an infrastructureless network composed of mobile hosts. The primary concerns in ad hoc networks are bandwidth limitations and unpredictable topology changes. Thus, efficient utilization of routing packets and immediate recovery of route breaks are critical in routing and multicasting protocols. A multicast scheme, On-Demand Multicast Routing Protocol (ODMRP), has been recently proposed for mobile ad hoc networks. ODMRP is a reactive (on-demand) protocol that delivers packets to destination(s) on a mesh topology using scoped flooding of data. We can apply a number of enhancements to improve the performance of ODMRP. In this paper, we propose a mobility prediction scheme to help select stable routes and to perform rerouting in anticipation of topology changes. We also introduce techniques to improve transmission reliability and eliminate route acquisition latency. The impact of our improvements is evaluated via simulation.