Robust smart‐card‐based remote user password authentication scheme

Smart‐card‐based remote user password authentication schemes are commonly used for providing authorized users a secure method for remotely accessing resources over insecure networks. In 2009, Xu et al. proposed a smart‐card‐based password authentication scheme. They claimed their scheme can withstand attacks when the information stored on the smart card is disclosed. Recently, Sood et al. and Song discovered that the smart‐card‐based password authentication scheme of Xu et al. is vulnerable to impersonation and internal attacks. They then proposed their respective improved schemes. However, we found that there are still flaws in their schemes: the scheme of Sood et al. does not achieve mutual authentication and the secret key in the login phase of Song's scheme is permanent and thus vulnerable to stolen‐smart‐card and off‐line guessing attacks. In this paper, we will propose an improved and efficient smart‐card‐based password authentication and key agreement scheme. According to our analysis, the proposed scheme not only maintains the original secret requirement but also achieves mutual authentication and withstands the stolen‐smart‐card attack. Copyright © 2012 John Wiley & Sons, Ltd.     

Cryptanalysis and improvement of ‘a robust smart‐card‐based remote user password authentication scheme’

With the use of smart card in user authentication mechanisms, the concept of two‐factor authentication came into existence. This was a forward move towards more secure and reliable user authentication systems. It elevated the security level by requiring a user to possess something in addition to know something. In 2010, Sood et al. and Song independently examined a smart‐card‐based authentication scheme proposed by Xu et al. They showed that in the scheme of Xu et al., an internal user of the system can turn hostile to impersonate other users of the system. Both of them also proposed schemes to improve the scheme of Xu et al. Recently, Chen et al. identified some security problems in the improved schemes proposed by Sood et al. and Song. To fix these problems, Chen et al. presented another scheme, which they claimed to provide mutual authentication and withstand lost smart card attack. Undoubtedly, in their scheme, a user can also verify the legitimacy of server, but we find that the scheme fails to resist impersonation attacks and privileged insider attack. We also show that the scheme does not provide important features such as user anonymity, confidentiality to air messages, and revocation of lost/stolen smart card. Besides, the scheme defies the very purpose of two‐factor security. Furthermore, an attacker can guess a user's password from his or her lost/stolen smart card. To meet these challenges, we propose a user authentication method with user anonymity. We show through analysis and comparison that the proposed scheme exhibits enhanced efficiency in contrast to related schemes, including the scheme of Chen et al. Copyright © 2013 John Wiley & Sons, Ltd.     

Cryptanalysis and security enhancement of a robust two‐factor authentication and key agreement protocol

Two‐factor user authentication scheme allows a user to use a smart card and a password to achieve mutual authentication and establish a session key between a server and a user. In 2012, Chen et al. showed that the scheme of Sood et al. does not achieve mutual authentication and is vulnerable to off‐line password guessing and smart card stolen attacks. They also found that another scheme proposed by Song is vulnerable to similar off‐line password guessing and smart card stolen attacks. They further proposed an improved scheme. In this paper, we first show that the improved scheme of Chen et al. still suffers from off‐line password guessing and smart card stolen attacks, does not support perfect forward secrecy, and lacks the fairness of session key establishment. We then propose a new security‐enhanced scheme and show its security and authentication using the formal verification tool ProVerif, which is based on applied pi calculus. Copyright © 2014 John Wiley & Sons, Ltd.     

Improvement of robust smart‐card‐based password authentication scheme

Smart‐card‐based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in the last decade. Recently, Chen et al. proposed a smart‐card‐based password authentication scheme and claimed that the scheme can withstand offline password guessing attacks even if the information stored in the smart card is extracted by the adversary. However, we observe that the scheme of Chen et al. is insecure against offline password guessing attacks in this case. To remedy this security problem, we propose an improved authentication protocol, which inherits the merits of the scheme of Chen et al. and is free from the security flaw of their scheme. Compared with the previous schemes, our improved scheme provides more security guarantees while keeping efficiency. Copyright © 2013 John Wiley & Sons, Ltd.     

Cryptanalysis of a dynamic identity‐based remote user authentication scheme with verifiable password update

In the authentication scheme, it is important to ensure that the user's identity changed dynamically with the different sessions, which can protect the user's privacy information from being tracked. Recently, Chang et al. proposed an untraceable dynamic identity‐based remote user authentication scheme with verifiable password update. However, our analysis show that the property of untraceability can easily be broken by the legal user of the system. Besides, we find the scheme of Chang et al. vulnerable to offline password guessing attack, impersonation attack, stolen smart card attack, and insider attack. Copyright © 2013 John Wiley & Sons, Ltd.     

An anonymous biometric‐based remote user‐authenticated key agreement scheme for multimedia systems

We analyze the security of the Li et al . authentication scheme and show its vulnerability to off‐line password‐guessing and replay attacks. We design a new anonymous authentication scheme. The proposed scheme not only removes the drawback of the scheme of the Li et al . scheme but also protects user's anonymity. Moreover, we show validity of our proposed scheme using Burrows, Abadi, and Needham logic. Our scheme is comparable in terms of the communication and computational overhead with related schemes. Copyright © 2015 John Wiley & Sons, Ltd.     

Further improvement of a certificateless signature scheme without pairing

Recently, He et al. proposed an efficient certificateless signature (CLS) scheme without pairings and demonstrated their scheme to be provably secure in the random oracle model. Unfortunately, Tian and Huang and Tsai et al. pointed out that the scheme cannot withstand a Type II adversary's attack. Tsai et al. also proposed an improved scheme to enhance security. However, the schemes of He et al. and Tsai et al. are not real CLS schemes because the user's public key is used to generate its partial private key. Besides, He et al. and Tsai et al. just demonstrated that their schemes are secure against the normal adversary in the random oracle model. In this paper, we propose a real CLS scheme and demonstrate that our scheme is secure against the super adversary. Security analysis and performance analysis show that our scheme could enhance security and increase computational cost slightly. Copyright © 2012 John Wiley & Sons, Ltd.     

A novel lightweight authentication scheme with anonymity for roaming service in global mobility networks

Recently, two authentication schemes with anonymity for roaming service in wireless networks were proposed by He et al. and Xu et al. In this paper we point out that neither of the two schemes is sufficiently practical owing to the high computational cost involved. Furthermore, we also find that both schemes still have some weaknesses which allow the attacker to trace a certain user's behaviors and thus infer his real identity. Thereafter, we propose a novel lightweight authentication scheme with anonymity for roaming service in global mobility networks to overcome the aforementioned defects. Moreover, we formally analyze our proposed scheme with BAN‐logic and show that it can withstand several possible attacks. Copyright © 2010 John Wiley & Sons, Ltd.     

On the security of a dynamic identity‐based remote user authentication scheme with verifiable password update

Recently, Chang et al. [Chang Y, Tai W, Chang H. Untraceable dynamic identity‐based remote user authentication scheme with verifiable password update. International Journal of Communication Systems 2013; doi:10.1002/dac.2552] proposed a dynamic identity‐based remote user authentication scheme with verifiable password update. They also proved that their scheme could withstand various attacks. Unfortunately, by proposing concrete attacks, we show that their scheme is vulnerable to three kinds of attacks. We also point out that their scheme cannot provide untraceability. The analysis shows that the scheme of Chang et al. is not suitable for practical applications. Copyright © 2013 John Wiley & Sons, Ltd.     

Privacy‐preserving authentication protocols with efficient verification in VANETs

As an important component of intelligent transportation systems, vehicular ad hoc networks can provide safer and more comfortable driving circumstance for the drivers. However, communication security and privacy issues present practical concerns to the deployment of vehicular ad hoc networks. Although recent related studies have already addressed most of these issues, most of them have only considered a posteriori countermeasures or a priori countermeasures to prevent the attacks of an adversary. To the best of our knowledge, up to now, only two privacy‐preserving authentication schemes can provide a posteriori countermeasures and a priori countermeasures. But, the computational cost of verifying a signature is relatively high or security proof of the scheme is loose in the two schemes. In this paper, we propose two novel privacy‐preserving authentication schemes. The first one cannot only provide a posteriori and a priori countermeasures, but also has low computational cost in the verification phase and tight security proof. The second one can achieve batch verification on multiple messages. Comparison with Wu et al.'s scheme and Chen et al's scheme, our scheme shows higher efficiency in terms of the computational cost of verifying signature.Copyright © 2013 John Wiley & Sons, Ltd.     

An improved authentication scheme for mobile satellite communication systems

Recently, Lee et al. proposed a simple and efficient authentication scheme for mobile satellite communication systems. However, we find that their scheme is vulnerable to the smart card loss attack, the denial of service attack and the replay attack. To overcome the weaknesses of Lee et al.'s scheme, we proposed an authentication scheme for mobile satellite communication systems to improve security. The proposed scheme possesses the essential properties and security requirements, which should be considered for the authentication scheme of mobile satellite communication systems. Copyright © 2014 John Wiley & Sons, Ltd.     

An authentication and key agreement protocol for satellite communications

In 2009 and 2011, Chen et al. and Lasc et al. proposed two separate authentication schemes for mobile satellite communication systems. Unfortunately, their schemes are unable to protect security in the event of smart card loss. In this paper, we propose a novel version that resists common malicious attacks and improves both the schemes of Chen et al. and Lasc et al. The security of our scheme is based on the discrete logarithm problem and one‐way hash function. A nonce mechanism is also applied to prevent replay attack. Furthermore, our scheme is more efficient than related schemes and thus more suitable for being implemented in satellite communication systems. Copyright © 2012 John Wiley & Sons, Ltd.     

Cryptanalysis and improvement of ‘an improved authentication with key agreement scheme on elliptic curve cryptosystem for global mobility networks’

Authentication schemes assure that authorised user can fraudulently obtain his/her required services from home domains. Recently, Li et al. (International Journal of Network Management, 2013; 23(5):311–324) proposed a remote user authentication scheme. They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that Li et al.'s scheme is insecure against user impersonation attack. We show that an active adversary can easily masquerade as a legitimate user without knowing the user's secret information. As a remedy, we also proposed an improved authentication scheme to overcome the security weaknesses of Li et al.'s scheme. To show the security of our scheme, we prove its security the random oracle model. The implementation results show that our improved scheme offers a reduction of 58% in computational cost and a communication cost reduction of 48% with respect to Li et al.'s scheme. Copyright © 2014 John Wiley & Sons, Ltd.     

A secure and enhanced elliptic curve cryptography‐based dynamic authentication scheme using smart card

In remote system security, 2‐factor authentication is one of the security approaches and provides fundamental protection to the system. Recently, numerous 2‐factor authentication schemes are proposed. In 2014, Troung et al proposed an enhanced dynamic authentication scheme using smart card mainly to provide anonymity, secure mutual authentication, and session key security. By the analysis of Troung et al's scheme, we observed that Troung et al' s scheme does not provide user anonymity, perfect forward secrecy, server's secret key security and does not allow the user to choose his/her password. We also identified that Troung et al's scheme is vulnerable to replay attack. To fix these security weaknesses, a robust authentication scheme is proposed and analyzed using the formal verification tool for measuring the robustness. From the observation of computational efficiency of the proposed scheme, we conclude that the scheme is more secure and easy to implement practically.     

A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security

Ubiquitous networks provide roaming service for mobile nodes enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roamed mobile node and the foreign network is needed to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel to computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued their schemes to satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al. 's scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al. 's scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improved the security but also retained a lower computational cost as compared with existing schemes. We prove the security of proposed scheme in random oracle model. Copyright © 2015 John Wiley & Sons, Ltd.     

An improved password‐based authentication scheme for session initiation protocol using smart cards without verification table

Authentication schemes have been widely deployed access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as on password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al . proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al . claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al . protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al . protocol by imposing a little extra computation cost. Copyright © 2014 John Wiley & Sons, Ltd.     

An anonymous and untraceable password‐based authentication scheme for session initiation protocol using smart cards

Recently, Zhang et al. proposed a password‐based authenticated key agreement for session initiation protocol (Int J Commun Syst 2013, doi:10.1002/dac.2499). They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that the protocol by Zhang et al. is vulnerable to impersonation attack whereby an active adversary without knowing the user's password is able to introduce himself/herself as the user. In addition, we show that the protocol by Zhang et al. suffers from password changing attack. To overcome the weaknesses, we propose an improved authentication scheme for session initiation protocol. The rigorous analysis shows that our scheme achieves more security than the scheme by Zhang et al. Copyright © 2014 John Wiley & Sons, Ltd.     

一种增强的智能卡口令鉴别方案

分析了Zhang等提出的身份鉴别方案,指出了其不能抵抗离线口令猜测攻击,以及在登录阶段和验证阶段存在设计缺陷等问题.然后在保留其优点的基础之上,通过引入随机数和增加登录请求信息的方法,提出了一种更加安全可靠的口令认证协议方案.安全性分析结果表明,该方案能够有效抵抗离线口令猜测攻击和假冒攻击,可以实现双向鉴别等特点,增强了系统的安全性和实用性.     

Weakness of remote authentication scheme of Chen et al.

The extensive application of mobile commerce has led researchers to design more secure protocols for mobile devices during the recent years. In 2011, Chen et al. proposed a three‐factor mobile device‐based remote authentication scheme, which tackled the security risk imposed by the loss of both password and mobile device. Scheme of Chen et al., however, is still vulnerable to the privileged insider attack, the replay attack, the impersonation attack, and the denial of service attack. It is not feasible for real‐life implementation. Copyright © 2013 John Wiley & Sons, Ltd.     

Anonymous authentication protocol based on elliptic curve Diffie–Hellman for wireless access networks

Anonymous channel tickets have been proposed as a way to provide user anonymity and to reduce the overhead of re‐authentication for authentication in wireless environments. Chen et al. proposed a secure and efficient protocol, based on a protocol proposed by Yang et al., which is resistant to guessing attacks on networks from which users’ secret keys are easy to obtain. However, their scheme is time‐consuming in the phases of ticket issuing and authentication. Furthermore, a malicious attacker can utilize the expired time, T_exp, to launch a denial of authentication (DoA) attack, which is a type of denial of service attack. Because T_exp is exposed to any user, it would be easy to launch a DoA attack that could make the scheme impractical. To resist against DoAs that the scheme of Chen et al. might suffer, we propose an improved scheme based on elliptic curve cryptography in this paper. Our scheme not only reduces time cost but also enhances security. The basis of the proposed scheme is the elliptic curve discrete logarithm problem. The operations of points of an elliptic curve are faster and use fewer bits to achieve the same level of security. Therefore, our scheme is more suitable for mobile devices, which have limited computing power and storage. Copyright © 2012 John Wiley & Sons, Ltd.