Cryptanalysis of a dynamic identity‐based remote user authentication scheme with verifiable password update

In the authentication scheme, it is important to ensure that the user's identity changed dynamically with the different sessions, which can protect the user's privacy information from being tracked. Recently, Chang et al. proposed an untraceable dynamic identity‐based remote user authentication scheme with verifiable password update. However, our analysis show that the property of untraceability can easily be broken by the legal user of the system. Besides, we find the scheme of Chang et al. vulnerable to offline password guessing attack, impersonation attack, stolen smart card attack, and insider attack. Copyright © 2013 John Wiley & Sons, Ltd.     

On the security of a dynamic identity‐based remote user authentication scheme with verifiable password update

Recently, Chang et al. [Chang Y, Tai W, Chang H. Untraceable dynamic identity‐based remote user authentication scheme with verifiable password update. International Journal of Communication Systems 2013; doi:10.1002/dac.2552] proposed a dynamic identity‐based remote user authentication scheme with verifiable password update. They also proved that their scheme could withstand various attacks. Unfortunately, by proposing concrete attacks, we show that their scheme is vulnerable to three kinds of attacks. We also point out that their scheme cannot provide untraceability. The analysis shows that the scheme of Chang et al. is not suitable for practical applications. Copyright © 2013 John Wiley & Sons, Ltd.     

Improvement of robust smart‐card‐based password authentication scheme

Smart‐card‐based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in the last decade. Recently, Chen et al. proposed a smart‐card‐based password authentication scheme and claimed that the scheme can withstand offline password guessing attacks even if the information stored in the smart card is extracted by the adversary. However, we observe that the scheme of Chen et al. is insecure against offline password guessing attacks in this case. To remedy this security problem, we propose an improved authentication protocol, which inherits the merits of the scheme of Chen et al. and is free from the security flaw of their scheme. Compared with the previous schemes, our improved scheme provides more security guarantees while keeping efficiency. Copyright © 2013 John Wiley & Sons, Ltd.     

A secure and enhanced elliptic curve cryptography‐based dynamic authentication scheme using smart card

In remote system security, 2‐factor authentication is one of the security approaches and provides fundamental protection to the system. Recently, numerous 2‐factor authentication schemes are proposed. In 2014, Troung et al proposed an enhanced dynamic authentication scheme using smart card mainly to provide anonymity, secure mutual authentication, and session key security. By the analysis of Troung et al's scheme, we observed that Troung et al' s scheme does not provide user anonymity, perfect forward secrecy, server's secret key security and does not allow the user to choose his/her password. We also identified that Troung et al's scheme is vulnerable to replay attack. To fix these security weaknesses, a robust authentication scheme is proposed and analyzed using the formal verification tool for measuring the robustness. From the observation of computational efficiency of the proposed scheme, we conclude that the scheme is more secure and easy to implement practically.     

Design and analysis of an improved smartcard‐based remote user password authentication scheme

With the fast development of the Internet and the telecommunication technologies, internet users are carrying out various electronic transactions over internet by means of the authentication protocols. To ensure efficient and robust online transaction, security of authentication protocol turns out to be a great concern nowadays. As a result, smartcard‐based password authentication and session key agreement scheme receives significant attention in recent years. In the literature, various authentication schemes have been proposed by the cryptographic research community. Recently, Li et al. analyze some security weaknesses of the authentication scheme of Chen et al. and propose an enhancement based on the discrete logarithm problem and computational Diffie–Hellman problem. This paper further cryptanalyzes the scheme of Li et al. and identifies various security loopholes and then constructs a modified authentication scheme as a remedy. The security and efficiency evaluations demonstrate that our scheme has more security features and low computation costs than the related schemes. Copyright © 2014 John Wiley & Sons, Ltd.     

无线传感器网络中的“双重”身份验证

如今,无线传感器网络是一种新的和有前途的下一代实时无线监控应用的解决方案。如果在考虑部署传感器网络之前没有适当的安全考虑,可以成为一个威胁。但是,如果有任何安全漏洞,即可能向攻击者敞开了大门并且危害应用。因此,用户身份验证的核心要求之一,以防止未经授权的无线传感器网络的数据访问用户。在这方面提出一个有效的双重身份验证的无线传感器网络,它是基于密码和智能卡（双重）。计划提供了相互认证,使用户能够选择和频繁地改变自己密码。再者,通过合理计算成本,提供强大的保护防止不同类型的攻击。     

A new privacy and authentication protocol for end‐to‐end mobile users

In this papecr, we propose a new privacy and authentication scheme for end‐to‐end mobile users. There are three goals in our scheme. The first allows two end‐to‐end mobile users to communicate privately each other. The second allows two end‐to‐end mobile users to distribute a session key simply. The third allows two end‐to‐end mobile users to mutually authenticate. Copyright © 2003 John Wiley & Sons, Ltd.     

新型密码-DQ密码的设计

基于密码信息分离的思路和动态密码设计一种安全有效的身份认证架构,并且通过图片处理技术和动态密码方案,增大盗取密码成本,使得盗密者原本一次就能盗取的密码,平均增加至2-7次,并且需要人工识别才能完成盗密,从而极大增强密码的安全系数。     

A secure mutual authentication scheme with non‐repudiation for vehicular ad hoc networks

Vehicular ad hoc networks (VANETs) have been a research focus in recent years. VANETs are not only used to enhance the road safety and reduce the traffic accidents earlier but also conducted more researches in network value‐added service. As a result, the security requirements of vehicle communication are given more attention. In order to prevent the security threat of VANETs, the security requirements, such as the message integrity, availability, and confidentiality are needed to be guaranteed further. Therefore, a secured and efficient verification scheme for VANETs is proposed to satisfy these requirements and reduce the computational cost by combining the asymmetric and symmetric cryptology, certificate, digital signature, and session key update mechanism. In addition, our proposed scheme can resist malicious attacks or prevent illegal users' access via security and performance analysis. In summary, the proposed scheme is proved to achieve the requirements of resist known attacks, non‐repudiation, authentication, availability, integrity, and confidentiality. Copyright © 2015 John Wiley & Sons, Ltd.     

On the security and improvement of privacy‐preserving 3‐factor authentication scheme for TMIS

The telecare medicine information system (TMIS) enables patients from different regions to remotely share the same telecare services, which significantly enhances the quality and effectiveness of medical treatment. On the other hand, patients' electronic health records usually involve their privacy information, they thus hesitate to directly transmit these information in TMIS over the public network due to the threat of privacy disclosure. The authenticated key agreement, as a core building of securing communications over the public network, is considered to be necessary for strengthening the security of TMIS. Recently, we note Zhang et al introduced a 3‐factor authenticated key agreement scheme for TMIS and asserted that the proposed scheme can resist various well‐known attacks. Unfortunately, in this paper, we point out that the scheme of Zhang et al cannot achieve the claimed security guarantees. Specifically, their scheme is vulnerable to offline password/identity guessing attack and user/server impersonation attack. To conquer the above security pitfalls, we put forward a new 3‐factor authenticated key agreement scheme with privacy preservation for TMIS. The security evaluation and performance discussion indicate that our scheme can be free from those well‐known and classical attacks including offline guessing attack and impersonation attack, without increasing additional computation cost when compared with related works. Consequently, the new authentication scheme would be more desirable for securing communications in TMIS.     

Secure multi‐factor remote user authentication scheme for Internet of Things environments

Because of the exponential growth of Internet of Things (IoT), several services are being developed. These services can be accessed through smart gadgets by the user at any place, every time and anywhere. This makes security and privacy central to IoT environments. In this paper, we propose a lightweight, robust, and multi‐factor remote user authentication and key agreement scheme for IoT environments. Using this protocol, any authorized user can access and gather real‐time sensor data from the IoT nodes. Before gaining access to any IoT node, the user must first get authenticated by the gateway node as well as the IoT node. The proposed protocol is based on XOR and hash operations, and includes: (i) a 3‐factor authentication (ie, password, biometrics, and smart device); (ii) mutual authentication ; (iii) shared session key ; and (iv) key freshness . It satisfies desirable security attributes and maintains acceptable efficiency in terms of the computational overheads for resource constrained IoT environment. Further, the informal and formal security analysis using AVISPA proves security strength of the protocol and its robustness against all possible security threats. Simulation results also prove that the scheme is secure against attacks.     

A secure and efficient identity‐based mutual authentication scheme with smart card using elliptic curve cryptography

The e‐commerce has got great development in the past decades and brings great convenience to people. Users can obtain all kinds of services through e‐commerce platform with mobile device from anywhere and at anytime. To make it work well, e‐commerce platform must be secure and provide privacy preserving. To achieve this goal, Islam et al. proposed a dynamic identity‐based remote user mutual authentication scheme with smart card using Elliptic Curve Cryptography(ECC). Islam et al claimed that the security of their scheme was good enough to resist various attacks. However, we demonstrate that their scheme is vulnerable to insider attack and suffers from off‐line password guessing attack if smart card is compromised. To overcome the deficiencies, we present an improved scheme over Islam's scheme. The security proof and analysis shows that our scheme can also provide user anonymity and mutual authentication, and the security is enough to against relay attack, impersonation attack, and other common secure attackers. The performance analysis shows that the proposed scheme is more efficient than Islam et al's scheme.     

An improved password‐based authentication scheme for session initiation protocol using smart cards without verification table

Authentication schemes have been widely deployed access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as on password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al . proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al . claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al . protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al . protocol by imposing a little extra computation cost. Copyright © 2014 John Wiley & Sons, Ltd.     

An anonymous and provably secure authentication scheme for mobile user

Chebyshev chaotic map is an important tool used in the domain of cryptography to develop different schemes for numerous applications. In 2014, Lin put forwarded a mobile user authentication system using dynamic identity and chaotic map. Lin declared that the scheme offers mutual authentication and session key agreement between user and server. Moreover, they stated that the scheme offers user anonymity and resilience against known attacks. However, we carefully examined Lin's scheme and found that it is no longer usable for practical applications as (i) it has no facility to identify the wrong password and identity, which are inputted by the user during login and password update phases, (ii) it has no facility to protect user impersonation attack, and (iii) it has the problem of session key forward secrecy. We put forwarded an enhanced scheme based on extended chaotic map to repair the fragilities of Lin's scheme. We formally examined the security of our scheme and demonstrated that it is provably secured in random oracle model. Further, we presented some informal cryptanalysis to make sure that the enhanced scheme is secure from known attacks. Our scheme is also computation efficient against other competitive protocols. Copyright © 2016 John Wiley & Sons, Ltd.     

基于智能卡的动态身份认证机制

由于每次登录时用户提交的认证信息都是固定不变的,传统的口令认证机制容易遭受回放攻击。本文根据一个关于互素数的定理,提出了一种基于智能卡的动态身份认证机制。用户每次登录时,智能卡根据从服务器发来的challenge和事先嵌入智能卡的参数信息,为合法用户计算当前的认证信息。由于每次用户提交的认证信息都是动态可变的,从而有效地防止了回放攻击。     

A robust ElGamal‐based password‐authentication protocol using smart card for client‐server communication

Smart card‐based client‐server authentication protocol is well popular for secure data exchange over insecure and hostile networks. Recently, Lee et al. put forward an authentication protocol by utilizing ElGamal cryptosystem and proved that it can withstand known security threats. This article evinces that the protocol of Lee et al. is unwilling to protect various important security vulnerabilities such as forgery attack and off‐line password‐guessing attack. To vanquish these loopholes, this article presents a robust authentication protocol for client‐server communication over any insecure networks. The security explanation of our protocol has done through the formal and informal mechanism and its outcome makes sure that the designed protocol is strong enough to resist the known vulnerabilities. In addition, we have simulated our protocol using ProVerif online software and its results certify that our protocol is safe against private information of the client and server. This paper also has made performance estimation of the presented protocol and others, and the outcome favors the presented protocol.     

A provable secure sealed‐bid multi‐attribute auction scheme under semi‐honest model

Secure electronic auction protocol attracts increasing attention in the field of information security research. A variety of secure electronic auction protocols have achieved a lot. However, those studies mainly focus on price‐based auction model. There are few literatures involving security issues of multi‐attribute e‐auction. In recent years, the existing literatures mainly focus on the winner determination problem of multi‐attribute auction, but research of multi‐attribute e‐auction just begin from the perspective of information security. The proposal intends to start with the multi‐attribute e‐auction protocol, explores the different results in the multi‐attribute auction model because of different bid structures, focuses on qualitative attribute‐based winner determination auction model, proposes a new qualitative attribute‐based sealed‐bid multi‐attribute auction scheme under semi‐honest model for the first time. According to the security analysis and computation comparison, it provides strong bid privacy, public verifiability, and reasonable computational cost. Copyright © 2013 John Wiley & Sons, Ltd.     

An improved remote password authentication scheme with smart card

This paper analyzes the security performance of a latest proposed remote two-factor user authentication scheme and proposes an improved scheme based on the dynamic ID to avoid the attacks it suffers. Besides this, in our proposed scheme the password is no longer involved in the calculation of verification phase which makes our scheme more secure and costs less than the old one. At last we analyze the performance of our proposed scheme to prove it provides mutual authentication between the user and the server. Moreover, it also resists password guessing attack, server and user masquerade attack and replay attack effectively.     

Time‐assisted authentication protocol

Authentication is the first step toward establishing a service provider and customer association. In a mobile network environment, a lightweight and secure authentication protocol is one of the most significant factors to enhance the degree of service persistence. This work presents a secure and lightweight keying and authentication protocol suite termed time‐assisted authentication protocol (TAP). The TAP improves the security of protocols with the assistance of time‐based encryption keys and scales down the authentication complexity by issuing a reauthentication ticket. While moving across the network, a mobile customer node sends a reauthentication ticket to establish new sessions with service‐providing nodes. Consequently, this reduces the communication and computational complexity of the authentication process. In the keying protocol suite, a key distributor controls the key generation arguments and time factors, while other participants independently generate a keychain based on key generation arguments. We undertake a rigorous security analysis and prove the security strength of TAP using communicating sequential processes and rank function analysis.