Cryptanalysis and improvement of ‘an improved authentication with key agreement scheme on elliptic curve cryptosystem for global mobility networks’

Authentication schemes assure that authorised user can fraudulently obtain his/her required services from home domains. Recently, Li et al. (International Journal of Network Management, 2013; 23(5):311–324) proposed a remote user authentication scheme. They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that Li et al.'s scheme is insecure against user impersonation attack. We show that an active adversary can easily masquerade as a legitimate user without knowing the user's secret information. As a remedy, we also proposed an improved authentication scheme to overcome the security weaknesses of Li et al.'s scheme. To show the security of our scheme, we prove its security the random oracle model. The implementation results show that our improved scheme offers a reduction of 58% in computational cost and a communication cost reduction of 48% with respect to Li et al.'s scheme. Copyright © 2014 John Wiley & Sons, Ltd.     

An improved password‐based authentication scheme for session initiation protocol using smart cards without verification table

Authentication schemes have been widely deployed access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as on password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al . proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al . claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al . protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al . protocol by imposing a little extra computation cost. Copyright © 2014 John Wiley & Sons, Ltd.     

Security Enhanced Anonymous User Authenticated Key Agreement Scheme Using Smart Card

Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.     

An Improved and Secure Two-factor Dynamic ID Based Authenticated Key Agreement Scheme for Multiserver Environment

The smart card based password authentication scheme is one of the most important and efficient security mechanism, which is used for providing security to authorized users over an insecure network. In this paper, we analyzed major security flaws of Jangirala et al.’s scheme and proved that it is vulnerable to forgery attack, replay attack, user impersonation attack. Also, Jangirala et al.’s scheme fail to achieve mutual authentication as it claimed. We proposed an improved two factor based dynamic ID based authenticated key agreement protocol for the multiserver environment. The proposed scheme has been simulated using widely accepted AVISPA tool. Furthermore, mutual authentication is proved through BAN logic. The rigorous security and performance analysis depicts that the proposed scheme provides users anonymity, mutual authentication, session key agreement and secure against various active attacks.     

基于生物特征标识的无线传感器网络三因素用户认证协议

为满足高安全级别场景（如军事、国家安全、银行等）的应用需求,进一步提高无线传感器网络用户认证协议的安全性,提出了基于生物特征识别的三因素用户认证协议.针对Althobaiti协议无法防御节点妥协攻击、模拟攻击、中间人攻击和内部特权攻击的安全缺陷,增加智能卡和密码作为协议基本安全因素,并利用生物特征标识信息生成函数与回复函数处理的生物特征标识作为附加安全因素;在密钥管理中,为每个节点配置了与网关节点共享唯一密钥,保证认证过程的独立性与安全性;实现用户自主选择与网关节点的共享密钥,提高公共信道通信的安全性;在网关节点不参与的情况下,设计密码和生物特征标识更新机制,保证二者的新鲜性.通过Dolev-Yao拓展威胁模型的分析与AVISPA的OFMC分析终端的仿真,结果证明该认证协议克服了Althobaiti协议安全缺陷,且对计算能力的需求小于公钥加密.权衡安全性与计算成本,该协议适用于资源受限且安全需求高的无线传感器网络应用.     

A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security

Ubiquitous networks provide roaming service for mobile nodes enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roamed mobile node and the foreign network is needed to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel to computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued their schemes to satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al. 's scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al. 's scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improved the security but also retained a lower computational cost as compared with existing schemes. We prove the security of proposed scheme in random oracle model. Copyright © 2015 John Wiley & Sons, Ltd.     

A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles

Internet of Vehicles (IoV), as the next generation of transportation systems, tries to make highway and public transportation more secure than used to be. In this system, users use public channels for their communication so they can be the victims of passive or active attacks. Therefore, a secure authentication protocol is essential for IoV; consequently, many protocols are presented to provide secure authentication for IoV. In 2018, Yu et al proposed a secure authentication protocol for WSNs in vehicular communications and claimed that their protocol could satisfy all crucial security features of a secure authentication protocol. Unfortunately, we found that their protocol is susceptible to sensor capture attack, user traceability attack, user impersonation attack, and offline sink node's secret key guessing attack. In this paper, we propose a new authentication protocol for IoV which can solve the weaknesses of Yu et al's protocol. Our protocol not only provides anonymous user registration phase and revocation smart card phase but also uses the biometric template in place of the password. We use both Burrow‐Abadi‐Needham (BAN) logic and real‐or‐random (ROR) model to present the formal analysis of our protocol. Finally, we compare our protocol with other existing related protocols in terms of security features and computation overhead. The results prove that our protocol can provide more security features and it is usable for IoV system.     

Secure user authentication scheme with novel server mutual verification for multiserver environments

The fast growth of mobile services and devices has made the conventional single‐server architecture ineffective from the point of its functional requirements. To extend the scalability and availability of mobile services to various applications, it is required to deploy multiserver architecture. In 2016, Moon et al insisted that Lu et al's scheme is weak to insiders and impersonation attack, then they proposed a biometric‐based scheme for authentication and key agreement of users in multiserver environments. Unfortunately, we analyze Moon et al's scheme and demonstrate that their scheme does not withstand various attacks from a malicious registered server. We propose a user authentication scheme with server mutual verification to overcome these security drawbacks. The proposed scheme withstands an attack from malicious insiders in multiserver environments. We use a threshold cryptography to strengthen the process of server authorization and to provide better security functionalities. We then prove the authentication and session key of the proposed scheme using Burrows‐Abadi‐Needham (BAN) logic and show that our proposed scheme is secure against various attacks.     

Cryptanalysis and improvement of ‘a robust smart‐card‐based remote user password authentication scheme’

With the use of smart card in user authentication mechanisms, the concept of two‐factor authentication came into existence. This was a forward move towards more secure and reliable user authentication systems. It elevated the security level by requiring a user to possess something in addition to know something. In 2010, Sood et al. and Song independently examined a smart‐card‐based authentication scheme proposed by Xu et al. They showed that in the scheme of Xu et al., an internal user of the system can turn hostile to impersonate other users of the system. Both of them also proposed schemes to improve the scheme of Xu et al. Recently, Chen et al. identified some security problems in the improved schemes proposed by Sood et al. and Song. To fix these problems, Chen et al. presented another scheme, which they claimed to provide mutual authentication and withstand lost smart card attack. Undoubtedly, in their scheme, a user can also verify the legitimacy of server, but we find that the scheme fails to resist impersonation attacks and privileged insider attack. We also show that the scheme does not provide important features such as user anonymity, confidentiality to air messages, and revocation of lost/stolen smart card. Besides, the scheme defies the very purpose of two‐factor security. Furthermore, an attacker can guess a user's password from his or her lost/stolen smart card. To meet these challenges, we propose a user authentication method with user anonymity. We show through analysis and comparison that the proposed scheme exhibits enhanced efficiency in contrast to related schemes, including the scheme of Chen et al. Copyright © 2013 John Wiley & Sons, Ltd.     

An enhanced authentication with key agreement scheme for satellite communication systems

To ensure secure communication in satellite communication systems, recently, Zhang et al presented an authentication with key agreement scheme and claimed that their scheme satisfies various security requirements. However, this paper demonstrates that Zhang et al's scheme is insecure against the stolen‐verifier attack and the denial of service attack. Furthermore, to authenticate a user, Zhang et al's scheme requires large computational load to exhaustively retrieve the user's identity and password from the account database according to a temporary identity and then update the temporary identity in the database. To overcome the weaknesses existing in Zhang et al's scheme, we proposed an enhanced authentication with key agreement scheme for satellite communication systems. The analyses of our proposed scheme show that the proposed scheme possesses perfect security properties and eliminates the weaknesses of Zhang et al's scheme well. Therefore, from the authors' viewpoints, the proposed scheme is more suitable for the authentication scheme of mobile satellite communication systems.     

A secure and enhanced elliptic curve cryptography‐based dynamic authentication scheme using smart card

In remote system security, 2‐factor authentication is one of the security approaches and provides fundamental protection to the system. Recently, numerous 2‐factor authentication schemes are proposed. In 2014, Troung et al proposed an enhanced dynamic authentication scheme using smart card mainly to provide anonymity, secure mutual authentication, and session key security. By the analysis of Troung et al's scheme, we observed that Troung et al' s scheme does not provide user anonymity, perfect forward secrecy, server's secret key security and does not allow the user to choose his/her password. We also identified that Troung et al's scheme is vulnerable to replay attack. To fix these security weaknesses, a robust authentication scheme is proposed and analyzed using the formal verification tool for measuring the robustness. From the observation of computational efficiency of the proposed scheme, we conclude that the scheme is more secure and easy to implement practically.     

ID-Based User Authentication Scheme for Cloud Computing

In cloud computing environments, user authentication is an important security mechanism because it provides the fundamentals of authentication, authorization, and accounting (AAA). In 2009, Wang et al. proposed an identity-based (ID-based) authentication scheme to deal with the user login problem for cloud computing. However, Wang et al.'s scheme is insecure against message alteration and impersonation attacks. Besides, their scheme has large computation costs for cloud users. Therefore, we propose a novel ID-based user authentication scheme to solve the above mentioned problems. The proposed scheme provides anonymity and security for the user who accesses different cloud servers. Compared with the related schemes, the proposed scheme has less computation cost so it is very efficient for cloud computing in practice.     

Security flaws in two improved remote user authentication schemes using smart cards

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password‐based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID‐based scheme without public‐key operations introduced by Wen and Li in 2012. This proposal attempts to overcome many of the well‐known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen–Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart‐card‐based password authentication schemes: (i) public‐key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade‐off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright © 2012 John Wiley & Sons, Ltd.     

An Improve Three Factor Remote User Authentication Scheme Using Smart Card

In this digital era, two entities can exchange the messages over internet even through the physical distance between them is much far. Before exchange they require to authenticate each other via authentication scheme. Biometric is one of the unique feature for each entity and can be accustomed to identify the authenticity of the entity. Motivated by this, many researchers had proposed the various schemes based on biometric feature for authentication using smart card. As smart card is not a temper resistance consummately, various attacks have been identified by the researchers in the biometric based authentication schemes. In this paper we review Wen et al.’s scheme and we find that Wen et al.’s scheme is vulnerable to insider attack, denial of service attack and user anonymity cannot achieve by them. Then we propose new remote user authentication algorithm where our algorithm is secure.     

A secure and efficient identity‐based mutual authentication scheme with smart card using elliptic curve cryptography

The e‐commerce has got great development in the past decades and brings great convenience to people. Users can obtain all kinds of services through e‐commerce platform with mobile device from anywhere and at anytime. To make it work well, e‐commerce platform must be secure and provide privacy preserving. To achieve this goal, Islam et al. proposed a dynamic identity‐based remote user mutual authentication scheme with smart card using Elliptic Curve Cryptography(ECC). Islam et al claimed that the security of their scheme was good enough to resist various attacks. However, we demonstrate that their scheme is vulnerable to insider attack and suffers from off‐line password guessing attack if smart card is compromised. To overcome the deficiencies, we present an improved scheme over Islam's scheme. The security proof and analysis shows that our scheme can also provide user anonymity and mutual authentication, and the security is enough to against relay attack, impersonation attack, and other common secure attackers. The performance analysis shows that the proposed scheme is more efficient than Islam et al's scheme.     

A Secure and Effective Anonymous User Authentication Scheme for Roaming Service in Global Mobility Networks

In global mobility networks, anonymous user authentication is an essential task for enabling roaming service. In a recent paper, Jiang et al. proposed a smart card based anonymous user authentication scheme for roaming service in global mobility networks. This scheme can protect user privacy and is believed to have many abilities to resist a range of network attacks, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Jiang et al.’s scheme, and show that the scheme is in fact insecure against the stolen-verifier attack and replay attack. Then, we also propose a new smart card based anonymous user authentication scheme for roaming service. Compared with the existing schemes, our protocol uses a different user authentication mechanism, which does not require the home agent to share a static secret key with the foreign agent, and hence, it is more practical and realistic. We show that our proposed scheme can provide stronger security than previous protocols.     

Robust smart‐card‐based remote user password authentication scheme

Smart‐card‐based remote user password authentication schemes are commonly used for providing authorized users a secure method for remotely accessing resources over insecure networks. In 2009, Xu et al. proposed a smart‐card‐based password authentication scheme. They claimed their scheme can withstand attacks when the information stored on the smart card is disclosed. Recently, Sood et al. and Song discovered that the smart‐card‐based password authentication scheme of Xu et al. is vulnerable to impersonation and internal attacks. They then proposed their respective improved schemes. However, we found that there are still flaws in their schemes: the scheme of Sood et al. does not achieve mutual authentication and the secret key in the login phase of Song's scheme is permanent and thus vulnerable to stolen‐smart‐card and off‐line guessing attacks. In this paper, we will propose an improved and efficient smart‐card‐based password authentication and key agreement scheme. According to our analysis, the proposed scheme not only maintains the original secret requirement but also achieves mutual authentication and withstands the stolen‐smart‐card attack. Copyright © 2012 John Wiley & Sons, Ltd.     

A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks

Wireless sensor networks (WSNs) are used for many real‐time applications. User authentication is an important security service for WSNs to ensure only legitimate users can access the sensor data within the network. In 2012, Yoo and others proposed a security‐performance‐balanced user authentication scheme for WSNs, which is an enhancement of existing schemes. In this paper, we show that Yoo and others' scheme has security flaws, and it is not efficient for real WSNs. In addition, this paper proposes a new strong authentication scheme with user privacy for WSNs. The proposed scheme not only achieves end‐party mutual authentication (that is, between the user and the sensor node) but also establishes a dynamic session key. The proposed scheme preserves the security features of Yoo and others' scheme and other existing schemes and provides more practical security services. Additionally, the efficiency of the proposed scheme is more appropriate for real‐world WSNs applications.     

An anonymous and untraceable password‐based authentication scheme for session initiation protocol using smart cards

Recently, Zhang et al. proposed a password‐based authenticated key agreement for session initiation protocol (Int J Commun Syst 2013, doi:10.1002/dac.2499). They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that the protocol by Zhang et al. is vulnerable to impersonation attack whereby an active adversary without knowing the user's password is able to introduce himself/herself as the user. In addition, we show that the protocol by Zhang et al. suffers from password changing attack. To overcome the weaknesses, we propose an improved authentication scheme for session initiation protocol. The rigorous analysis shows that our scheme achieves more security than the scheme by Zhang et al. Copyright © 2014 John Wiley & Sons, Ltd.     

An improved lightweight multiserver authentication scheme

Multiserver authentication complies with the up‐to‐date requirements of Internet services and latest applications. The multiserver architecture enables the expedient authentication of subscribers on an insecure channel for the delivery of services. The users rely on a single registration of a trusted third party for the procurement of services from various servers. Recently, Chen and Lee, Moon et al, and Wang et al presented multiserver key agreement schemes that are found to be vulnerable to many attacks according to our analysis. The Chen and Lee scheme was found susceptible to impersonation attack, trace attack, stolen smart card attack exposing session key, key‐compromise impersonation attack, and inefficient password modification. The Moon et al is susceptible to stolen card attack leading to further attacks, ie, identity guessing, key‐compromise impersonation attack, user impersonation attack, and session keys disclosure, while Wang et al is also found to be prone to trace attack, session‐specific temporary information attack, key‐compromise information attack, and privileged insider attack leading to session key disclosure and user impersonation attacks. We propose an improved protocol countering the indicated weaknesses of these schemes in an equivalent cost. Our scheme demonstrates automated and security analysis on the basis of Burrows‐Abadi‐Needham logic and also presents the performance evaluation for related schemes.