Analysis and Improvement of a Robust Smart Card Based-Authentication Scheme for Multi-Server Architecture

Recently, Pippal et al. proposed an authentication scheme for multi-server architecture and claimed that their scheme had many advantages compared to the previous schemes, such as security, reliability, etc. In this paper, we reanalyze the security of their scheme and demonstrate that their scheme is vulnerable to impersonation attack even if the adversary doesn’t know the information stored in the user’s smart card. Moreover, the adversary can proceed off-line password guessing attack if the user’s smart card is compromised. In order to eliminate those shortcomings, we propose an improved multi-server authentication scheme which can preserve user anonymity. We demonstrate the completeness of the proposed scheme through the BAN logic. Compared with other related protocols, the security analysis and performance evaluation show that our proposed scheme can provide stronger security.     

ELAKA: Energy-Efficient and Lightweight Multi-Server Authentication and Key Agreement Protocol Based on Dynamic Biometrics

Authentication and key agreement (AKA) provides flexible and convenient sercices. Most traditional AKA protocols are designed to apply in single-server environment, where a user has to register at different servers to access different types of network services and the user have to remember or manage a large number of usernames and passwords. Later, multi-server AKA protocols resolve the repeated registration problem of single-server AKA protocols, where a user can access different servers to get different services using a single registration and the same username and password. Recently, in 2015, Lu et al proposed a light-weight ID based authentication and key agreement protocol for multi-server architecture, referred to as LAKA protocol. They claimed their protocol can overcome all shortcomings which existed in Xue et al’s protocol. Unfortunately, our further research shows that LAKA protocol still suffers from server spoofing attack, stolen smart card attack etc. To overcome the weakness of LAKA protocol, an energy-efficient and lightweight authentication and key agreement protocol for multi-server architecture is proposed (abbreviated to ELAKA). The ELAKA protocol not only provides the security features declared by LAKA protocol, but also has some other advantages. First, the ELAKA protocol can realize authentication and key agreement just by three handshakes with extremely low communication cost and computation cost between users and servers, which can achieve a delicate balance of security and performance. Second, ELAKA protocol can enable the user enjoy the remote services with privacy protection. Finally the ELAKA protocol is proved secure against known possible attacks by using BAN logic. As a result, these features make ELAKA protocol is very suitable for computation-limited mobile devices (such as smartphone, PAD, tablets) in comparison to other related existing protocols.     

Cryptanalysis and Improvement of a Robust Smart Card Authentication Scheme for Multi-server Architecture

A multi-server authentication scheme enables a remote user to access the services provided by multiple servers after registering with the registration center. Recently, Pippal et al. (Wirel Pers Commun 2013, doi:10.1007/s11277-013-1039-6) introduced a robust smart card authentication scheme for multi-server architecture. They also illustrated that their scheme could be free from potential network attacks, and validated the scheme by using BAN logic. In this paper, by presenting concrete attacks, we demonstrate that Pippal et al.’s scheme can not withstand off-line password guessing attacks, impersonation attacks and privileged insider attacks. Furthermore, to overcome these attacks, we propose an improved authentication scheme for multi-server architecture using smart card and password. Security and efficiency analysis indicates that our scheme not only actually achieves intended security goals (e.g., two-factor authentication, perfect forward secrecy etc.), but also is efficient enough to be implemented for practical applications.     

An Enhanced Authentication Scheme with Privacy Preservation for Roaming Service in Global Mobility Networks

Global mobility network (GLOMONET) provides global roaming service to ensure ubiquitous connectivity for users traveling from one network to another. It is very crucial not only to authenticate roaming users, but to protect the privacy of users. However, due to the broadcast nature of wireless channel and resource limitations of terminals, providing efficient user authentication with privacy preservation is challenging. Recently, He et al. proposed a secure and lightweight user authentication scheme with anonymity for roaming service in GLOMONETs. However, in this paper, we identify that the scheme fails to achieve strong two-factor security, and suffers from domino effect, privileged insider attack and no password change option, etc. Then we propose an enhanced authentication scheme with privacy preservation based on quadratic residue assumption. Our improved scheme enhances security strength of He et al.’s protocol while inheriting its merits of low communication and computation cost. Specifically, our enhanced scheme achieves two-factor security and user untraceability.     

Breaking a remote user authentication scheme for multi-server architecture

Lin et al., (2003) proposed a remote user authentication scheme for multi-server architecture. In this paper, we breaks this scheme by giving an attack. Our attack allows an adversary to impersonate any user in the system, as long as a single authentication message of that user is observed.     

An Improved and Secure Two-factor Dynamic ID Based Authenticated Key Agreement Scheme for Multiserver Environment

The smart card based password authentication scheme is one of the most important and efficient security mechanism, which is used for providing security to authorized users over an insecure network. In this paper, we analyzed major security flaws of Jangirala et al.’s scheme and proved that it is vulnerable to forgery attack, replay attack, user impersonation attack. Also, Jangirala et al.’s scheme fail to achieve mutual authentication as it claimed. We proposed an improved two factor based dynamic ID based authenticated key agreement protocol for the multiserver environment. The proposed scheme has been simulated using widely accepted AVISPA tool. Furthermore, mutual authentication is proved through BAN logic. The rigorous security and performance analysis depicts that the proposed scheme provides users anonymity, mutual authentication, session key agreement and secure against various active attacks.     

A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles

Internet of Vehicles (IoV), as the next generation of transportation systems, tries to make highway and public transportation more secure than used to be. In this system, users use public channels for their communication so they can be the victims of passive or active attacks. Therefore, a secure authentication protocol is essential for IoV; consequently, many protocols are presented to provide secure authentication for IoV. In 2018, Yu et al proposed a secure authentication protocol for WSNs in vehicular communications and claimed that their protocol could satisfy all crucial security features of a secure authentication protocol. Unfortunately, we found that their protocol is susceptible to sensor capture attack, user traceability attack, user impersonation attack, and offline sink node's secret key guessing attack. In this paper, we propose a new authentication protocol for IoV which can solve the weaknesses of Yu et al's protocol. Our protocol not only provides anonymous user registration phase and revocation smart card phase but also uses the biometric template in place of the password. We use both Burrow‐Abadi‐Needham (BAN) logic and real‐or‐random (ROR) model to present the formal analysis of our protocol. Finally, we compare our protocol with other existing related protocols in terms of security features and computation overhead. The results prove that our protocol can provide more security features and it is usable for IoV system.     

A new three-factor authentication and key agreement protocol for multi-server environment

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.

     

A Secure and Effective Anonymous User Authentication Scheme for Roaming Service in Global Mobility Networks

In global mobility networks, anonymous user authentication is an essential task for enabling roaming service. In a recent paper, Jiang et al. proposed a smart card based anonymous user authentication scheme for roaming service in global mobility networks. This scheme can protect user privacy and is believed to have many abilities to resist a range of network attacks, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Jiang et al.’s scheme, and show that the scheme is in fact insecure against the stolen-verifier attack and replay attack. Then, we also propose a new smart card based anonymous user authentication scheme for roaming service. Compared with the existing schemes, our protocol uses a different user authentication mechanism, which does not require the home agent to share a static secret key with the foreign agent, and hence, it is more practical and realistic. We show that our proposed scheme can provide stronger security than previous protocols.     

An improved password‐based authentication scheme for session initiation protocol using smart cards without verification table

Authentication schemes have been widely deployed access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as on password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al . proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al . claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al . protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al . protocol by imposing a little extra computation cost. Copyright © 2014 John Wiley & Sons, Ltd.     

Cryptanalysis of smart‐card‐based password authenticated key agreement protocol for session initiation protocol of Zhang et al.

As the core signaling protocol for multimedia services, such as voice over internet protocol, the session initiation protocol (SIP) is receiving much attention and its security is becoming increasingly important. It is critical to develop a roust user authentication protocol for SIP. The original authentication protocol is not strong enough to provide acceptable security level, and a number of authentication protocols have been proposed to strengthen the security. Recently, Zhang et al. proposed an efficient and flexible smart‐card‐based password authenticated key agreement protocol for SIP. They claimed that the protocol enjoys many unique properties and can withstand various attacks. However, we demonstrate that the scheme by Zhang et al. is insecure against the malicious insider impersonation attack. Specifically, a malicious user can impersonate other users registered with the same server. We also proposed an effective fix to remedy the flaw, which remedies the security flaw without sacrificing the efficiency. The lesson learned is that the authenticators must be closely coupled with the identity, and we should prevent the identity from being separated from the authenticators in the future design of two‐factor authentication protocols. Copyright © 2014 John Wiley & Sons, Ltd.     

基于生物特征和混沌映射的多服务器身份认证方案

基于密码的用户远程认证系统已被广泛应用,近年来的研究发现,单一口令系统容易遭受字典分析、暴力破解等攻击,安全性不高.生物特征与密码相结合的认证方式逐渐加入远程认证系统中,以提高认证系统的安全水平.但现有认证系统通常工作在单一服务器环境中,扩展到多服务器环境中时会遇到生物特征模板和密码容易被单点突破、交叉破解的问题.为了克服以上问题,提出了一种基于生物特征和混沌映射的多服务器密钥认证方案,该方案基于智能卡、密码和生物特征,可明显提高多服务器身份认证系统的安全性及抗密码猜解的能力.     

一种增强的智能卡口令鉴别方案

分析了Zhang等提出的身份鉴别方案,指出了其不能抵抗离线口令猜测攻击,以及在登录阶段和验证阶段存在设计缺陷等问题.然后在保留其优点的基础之上,通过引入随机数和增加登录请求信息的方法,提出了一种更加安全可靠的口令认证协议方案.安全性分析结果表明,该方案能够有效抵抗离线口令猜测攻击和假冒攻击,可以实现双向鉴别等特点,增强了系统的安全性和实用性.     

A secure and efficient identity‐based mutual authentication scheme with smart card using elliptic curve cryptography

The e‐commerce has got great development in the past decades and brings great convenience to people. Users can obtain all kinds of services through e‐commerce platform with mobile device from anywhere and at anytime. To make it work well, e‐commerce platform must be secure and provide privacy preserving. To achieve this goal, Islam et al. proposed a dynamic identity‐based remote user mutual authentication scheme with smart card using Elliptic Curve Cryptography(ECC). Islam et al claimed that the security of their scheme was good enough to resist various attacks. However, we demonstrate that their scheme is vulnerable to insider attack and suffers from off‐line password guessing attack if smart card is compromised. To overcome the deficiencies, we present an improved scheme over Islam's scheme. The security proof and analysis shows that our scheme can also provide user anonymity and mutual authentication, and the security is enough to against relay attack, impersonation attack, and other common secure attackers. The performance analysis shows that the proposed scheme is more efficient than Islam et al's scheme.     

Analysis and improvement of a new authenticated group key agreement in a mobile environment

In 2009, Lee et al. (Ann Telecommun 64:735–744, 2009) proposed a new authenticated group key agreement protocol for imbalanced wireless networks. Their protocol based on bilinear pairing was proven the security under computational Diffie–Hellman assumption. It remedies the security weakness of Tseng’s nonauthenticated protocol that cannot ensure the validity of the transmitted messages. In this paper, the authors will show that Lee et al.’s authenticated protocol also is insecure. An adversary can impersonate any mobile users to cheat the powerful node. Furthermore, the authors propose an improvement of Lee et al.’s protocol and prove its security in the Manulis et al.’s model. The new protocol can provide mutual authentication and resist ephemeral key compromise attack via binding user’s static private key and ephemeral key.     

Security Enhanced Anonymous User Authenticated Key Agreement Scheme Using Smart Card

Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.     

Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards

With the broad implementations of the electronic business and government applications,robust system security and strong privacy protection have become essential requirements for remote user authentication schemes.Recently,Chen et al.pointed out that Wang et al.’s scheme is vulnerable to the user impersonation attack and parallel session attack,and proposed an enhanced version to overcome the identified security flaws.In this paper,however,we show that Chen et al.’s scheme still cannot achieve the claimed security goals and report its following problems:(1) It suffers from the offline password guessing attack,key compromise impersonation attack and known key attack;(2) It fails to provide forward secrecy;(3) It is not easily repairable.As our main contribution,a robust dynamic ID-based scheme based on non-tamper resistance assumption of the smart cards is presented to cope with the aforementioned defects,while preserving the merits of different related schemes.The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several grave security threats that are difficult to be tackled at the same time in previous scholarship.     

A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks

A multi-server authentication scheme is a useful authentication mechanism in which a remote user can access the services of multiple servers after registering with the registration center (RC). This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attack and offline password-guessing attack. This study proposes a new password-based multi-server authentication scheme to overcome these vulnerabilities. The proposed protocol introduces a new mechanism for protecting user password. The RC sends an alternative key to help the server verify the legitimacy of user instead of the user’s password. The values of these keys are changed with a random large nonce in each session. Therefore, the password-guessing attack cannot work successfully on the proposed scheme.     

A secure and effective biometric‐based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor

User authentication is a prominent security requirement in wireless sensor networks (WSNs) for accessing the real‐time data from the sensors directly by a legitimate user (external party). Several user authentication schemes are proposed in the literature. However, most of them are either vulnerable to different known attacks or they are inefficient. Recently, Althobaiti et al. presented a biometric‐based user authentication scheme for WSNs. Although their scheme is efficient in computation, in this paper, we first show that their scheme has several security pitfalls such as (i) it is not resilient against node capture attack; (ii) it is insecure against impersonation attack; and (iii) it is insecure against man‐in‐the‐middle attack. We then aim to propose a novel biometric‐based user authentication scheme suitable for WSNs in order to withstand the security pitfalls found in Althobaiti et al. scheme. We show through the rigorous security analysis that our scheme is secure and satisfies the desirable security requirements. Furthermore, the simulation results for the formal security verification using the most widely used and accepted Automated Validation of Internet Security Protocols and Applications tool indicate that our scheme is secure. Our scheme is also efficient compared with existing related schemes. Copyright © 2015 John Wiley & Sons, Ltd.