Similar literature
Found 20 similar documents; search took 31 ms
1.
The mobile cloud computing (MCC) has enriched the quality of services that the clients access from remote cloud‐based servers. The growth in the number of wireless users for MCC has further augmented the requirement for a robust and efficient authenticated key agreement mechanism. Formerly, the users would access cloud services from various cloud‐based service providers and authenticate one another only after communicating with the trusted third party (TTP). This requirement for the clients to access the TTP during each mutual authentication session, in earlier schemes, contributes to the redundant latency overheads for the protocol. Recently, Tsai et al have presented a bilinear pairing based multi‐server authentication (MSA) protocol, to bypass the TTP, at least during mutual authentication. The scheme construction works fine, as far as the elimination of TTP involvement for authentication has been concerned. However, Tsai et al scheme has been found vulnerable to server spoofing attack and desynchronization attack, and lacks smart card‐based user verification, which renders the protocol inapt for practical implementation in different access networks. Hence, we have proposed an improved model designed with bilinear pairing operations, countering the identified threats as posed to Tsai scheme. Additionally, the proposed scheme is backed up by performance evaluation and formal security analysis.

2.
Secure ciphertext sharing mechanism in cloud storage environments   Cited by: 1 in total (self-citations: 0, citations by others: 1)
With the convenience of storing and sharing data in cloud storage environment, the concerns about data security arose as well. To achieve data security on untrusted servers, user usually stored the encrypted data on the cloud storage environment. How to build a ciphertext-based access control scheme became a hot issue. For the access control problems of ciphertext in cloud storage environment, a CP-ABE based data sharing scheme was proposed. Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party. Personal information was added in decryption key to resist collusion attacks at the same time. Moreover, key revocation scheme was proposed to provide the data backward secrecy. The security and implementation analysis proves that proposed scheme is suitable for the real application environment.

3.
Authenticated key agreement protocols play an important role for network‐connected servers to authenticate remote users in Internet environment. In recent years, several authenticated key agreement protocols for single‐server environment have been developed based on chaotic maps. In modern societies, people usually have to access multiple websites or enterprise servers to accomplish their daily personal matters or duties on work; therefore, how to increase user's convenience by offering multi‐server authentication protocol becomes a practical research topic. In this study, a novel chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card is proposed. In this protocol, a legal user can access multiple servers using only a single secret key obtained from a trusted third party, known as the registration center. Security analysis shows this protocol is secure against well‐known attacks. In addition, protocol efficiency analysis is conducted by comparing the proposed protocol with two recently proposed schemes in terms of computational cost during one authentication session. We have shown that the proposed protocol is twice faster than the one proposed by Khan and He while preserving the same security properties as their protocol has. Copyright © 2014 John Wiley & Sons, Ltd.

4.
In global mobility networks, anonymous user authentication is an essential task for enabling roaming service. In a recent paper, Jiang et al. proposed a smart card based anonymous user authentication scheme for roaming service in global mobility networks. This scheme can protect user privacy and is believed to have many abilities to resist a range of network attacks, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Jiang et al.’s scheme, and show that the scheme is in fact insecure against the stolen-verifier attack and replay attack. Then, we also propose a new smart card based anonymous user authentication scheme for roaming service. Compared with the existing schemes, our protocol uses a different user authentication mechanism, which does not require the home agent to share a static secret key with the foreign agent, and hence, it is more practical and realistic. We show that our proposed scheme can provide stronger security than previous protocols.

5.
Multiserver authentication complies with the up‐to‐date requirements of Internet services and latest applications. The multiserver architecture enables the expedient authentication of subscribers on an insecure channel for the delivery of services. The users rely on a single registration of a trusted third party for the procurement of services from various servers. Recently, Chen and Lee, Moon et al, and Wang et al presented multiserver key agreement schemes that are found to be vulnerable to many attacks according to our analysis. The Chen and Lee scheme was found susceptible to impersonation attack, trace attack, stolen smart card attack exposing session key, key‐compromise impersonation attack, and inefficient password modification. The Moon et al is susceptible to stolen card attack leading to further attacks, ie, identity guessing, key‐compromise impersonation attack, user impersonation attack, and session keys disclosure, while Wang et al is also found to be prone to trace attack, session‐specific temporary information attack, key‐compromise information attack, and privileged insider attack leading to session key disclosure and user impersonation attacks. We propose an improved protocol countering the indicated weaknesses of these schemes in an equivalent cost. Our scheme demonstrates automated and security analysis on the basis of Burrows‐Abadi‐Needham logic and also presents the performance evaluation for related schemes.

6.
Sudhakar T., Natarajan V. Wireless Networks, 2020, 26(7): 4909-4920

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.


7.
Many individuals or businesses outsource their data to remote cloud. Cloud storage provides users the advantages of economic convenience, but data owners no longer physically control the stored data, which introduces new security challenges, such as no security guarantees of integrity and privacy. The security of two identity-based cloud data integrity verification schemes by Zhang et al. and Xu et al. respectively is analysed. It shows that Zhang et al.’s scheme is subject to a secret key recovery attack, for the cloud servers can recover the user’s private key only utilizing stored data. And Xu et al.’s scheme cannot satisfy security requirements of soundness. Based on Xu et al.'s scheme, a modified identity-based cloud data integrity verification scheme is proposed. A comprehensive analysis shows the new scheme can provide the security requirements of soundness and privacy, and has the same communication overhead and computational cost as Xu et al.’s scheme.

8.
As the combination of cloud computing and Internet breeds many flexible IT services, cloud computing becomes more and more significant. In cloud computing, a user should be authenticated by a trusted third party or a certification authority before using cloud applications and services. Based on this, a protocol composition logic (PCL) secure user authentication protocol named UCAP for cloud computing was proposed. The protocol used symmetric encryption based on a trusted third party to achieve the authentication and confidentiality of the protocol session, which comprised the initial authentication phase and the re-authentication phase. In the initial authentication phase, the trusted third party generated a root communication session key. In the re-authentication phase, communication users negotiated a sub session key without the trusted third party. To verify the security properties of the protocol, a sequential compositional proof method was used under the protocol composition logic model. Compared with certain related works, the proposed protocol satisfies the PCL security. The performance of the initial authentication phase in the proposed scheme is slightly better than that of the existing schemes, while the performance of the re-authentication phase is better than that of other protocols due to the absence of the trusted third party. Through the analysis results, the proposed protocol is suitable for the mutual authentication in cloud computing.

9.
Smart‐card‐based remote user password authentication schemes are commonly used for providing authorized users a secure method for remotely accessing resources over insecure networks. In 2009, Xu et al. proposed a smart‐card‐based password authentication scheme. They claimed their scheme can withstand attacks when the information stored on the smart card is disclosed. Recently, Sood et al. and Song discovered that the smart‐card‐based password authentication scheme of Xu et al. is vulnerable to impersonation and internal attacks. They then proposed their respective improved schemes. However, we found that there are still flaws in their schemes: the scheme of Sood et al. does not achieve mutual authentication and the secret key in the login phase of Song's scheme is permanent and thus vulnerable to stolen‐smart‐card and off‐line guessing attacks. In this paper, we will propose an improved and efficient smart‐card‐based password authentication and key agreement scheme. According to our analysis, the proposed scheme not only maintains the original secret requirement but also achieves mutual authentication and withstands the stolen‐smart‐card attack. Copyright © 2012 John Wiley & Sons, Ltd.

10.
More and more users choose to transfer their applications and data into the cloud. Data security is a key issue for cloud storage systems. To ensure the integrity and validity of the data stored in the cloud, provable data possession (PDP) scheme is particularly important. In order to verify whether the cloud storage service provider had stored the data of the user completely, a scheme on the basis of NRPDP (non-repudiable PDP) was improved and extended, and a data retention scheme based on public authentication and private authentication was proposed. The scheme can verify the trustworthiness of the service provider and the user in the cloud storage at the same time, which satisfies the non-repudiation of the verification. The theory proves the non-repudiation of the proposed scheme. The experiment proves that the efficiency of each stage is better than that of the existing single public verification method or private authentication method.

11.
A multi-server authentication scheme enables a remote user to access the services provided by multiple servers after registering with the registration center. Recently, Pippal et al. (Wirel Pers Commun 2013, doi:10.1007/s11277-013-1039-6) introduced a robust smart card authentication scheme for multi-server architecture. They also illustrated that their scheme could be free from potential network attacks, and validated the scheme by using BAN logic. In this paper, by presenting concrete attacks, we demonstrate that Pippal et al.’s scheme cannot withstand off-line password guessing attacks, impersonation attacks and privileged insider attacks. Furthermore, to overcome these attacks, we propose an improved authentication scheme for multi-server architecture using smart card and password. Security and efficiency analysis indicates that our scheme not only actually achieves intended security goals (e.g., two-factor authentication, perfect forward secrecy etc.), but also is efficient enough to be implemented for practical applications.

12.
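To solve the problem of mutual authentication between users and cloud servers in cloud computing service environments, a mutual authentication scheme for cloud computing platforms based on the trusted platform module is proposed. Trusted computing technology is combined with the traditional smart card password authentication method and applied to the cloud computing service platform, achieving authentication of both parties' identities in cloud computing and negotiating a session key, while also verifying the platform trust status of the cloud server. Experimental analysis shows that the scheme can resist various common attacks and offers high security. Its computational time complexity meets the requirements of cloud computing services.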

13.

The emergence of fog computing has witnessed a big role in initiating secure communication amongst users. Fog computing poses the ability to perform analysis, processing, and storage for a set of Internet of Things (IoT) devices. Several IoT solutions are devised by utilizing the fog nodes to alleviate IoT devices from complex computation and heavy processing. This paper proposes an authentication scheme using fog nodes to manage IoT devices by providing security without considering a trusted third party. The proposed authentication scheme employed the benefits of fog node deployment. The authentication scheme using fog node offers reliable verification between the data owners and the requester without depending on the third party users. The proposed authentication scheme using fog nodes effectively solved the problems of a single point of failure in the storage system and offers many benefits by increasing the throughput and reducing the cost. The proposed scheme considers several entities, like end-users, IoT devices, fog nodes, and smart contracts, which help to administrate the authentication using access policies. The proposed authentication scheme using fog node provided superior results than other methods with minimal memory value of 4009.083 KB, minimal time of 76.915 s, and maximal Packet delivery ratio (PDR) of 76.


14.
In the existing solutions, the time-based scheme is difficult to achieve immediate revocation, and the third-party-based scheme often requires re-encryption, which needs large amount of calculation and doesn’t apply to massive data. To solve the problem, an efficient and immediate CP-ABE scheme was proposed to support user and attribute levels revocation. The scheme was based on the classic LSSS access structure, introducing RSA key management mechanism and attribute authentication. By means of a semi-trusted third party, the user could be authenticated before decryption. Compared with the existing revocation schemes, the proposed scheme didn’t need the user to update the key or re-encrypt the ciphertext. The semi-trusted third party wasn’t required to update the RSA attribute authentication key. The scheme greatly reduced the amount of computation and traffic caused by revocation, while ensuring anti-collusion attacks and forward and backward security. Finally, the security analysis and experimental simulation show that the scheme has higher revocation efficiency.

15.
Recently, Pippal et al. proposed an authentication scheme for multi-server architecture and claimed that their scheme had many advantages compared to the previous schemes, such as security, reliability, etc. In this paper, we reanalyze the security of their scheme and demonstrate that their scheme is vulnerable to impersonation attack even if the adversary doesn’t know the information stored in the user’s smart card. Moreover, the adversary can proceed off-line password guessing attack if the user’s smart card is compromised. In order to eliminate those shortcomings, we propose an improved multi-server authentication scheme which can preserve user anonymity. We demonstrate the completeness of the proposed scheme through the BAN logic. Compared with other related protocols, the security analysis and performance evaluation show that our proposed scheme can provide stronger security.

16.
Authentication and key agreement (AKA) provides flexible and convenient services. Most traditional AKA protocols are designed to apply in single-server environment, where a user has to register at different servers to access different types of network services and the user has to remember or manage a large number of usernames and passwords. Later, multi-server AKA protocols resolve the repeated registration problem of single-server AKA protocols, where a user can access different servers to get different services using a single registration and the same username and password. Recently, in 2015, Lu et al proposed a light-weight ID based authentication and key agreement protocol for multi-server architecture, referred to as LAKA protocol. They claimed their protocol can overcome all shortcomings which existed in Xue et al’s protocol. Unfortunately, our further research shows that LAKA protocol still suffers from server spoofing attack, stolen smart card attack etc. To overcome the weakness of LAKA protocol, an energy-efficient and lightweight authentication and key agreement protocol for multi-server architecture is proposed (abbreviated to ELAKA). The ELAKA protocol not only provides the security features declared by LAKA protocol, but also has some other advantages. First, the ELAKA protocol can realize authentication and key agreement just by three handshakes with extremely low communication cost and computation cost between users and servers, which can achieve a delicate balance of security and performance. Second, ELAKA protocol can enable the user to enjoy the remote services with privacy protection. Finally, the ELAKA protocol is proved secure against known possible attacks by using BAN logic. As a result, these features make ELAKA protocol very suitable for computation-limited mobile devices (such as smartphone, PAD, tablets) in comparison to other related existing protocols.

17.
A multi-server authentication scheme is a useful authentication mechanism in which a remote user can access the services of multiple servers after registering with the registration center (RC). This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attack and offline password-guessing attack. This study proposes a new password-based multi-server authentication scheme to overcome these vulnerabilities. The proposed protocol introduces a new mechanism for protecting user password. The RC sends an alternative key to help the server verify the legitimacy of user instead of the user’s password. The values of these keys are changed with a random large nonce in each session. Therefore, the password-guessing attack cannot work successfully on the proposed scheme.

18.
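Liu Liping (刘丽萍). Telecommunications Science (《电信科学》), 2015, 31(12): 97-102
To address the problem of secure remote user authentication in wireless sensor networks (WSN), the shortcomings of existing schemes are analyzed and a novel smart-card-based remote user authentication scheme for WSN is proposed. The legitimacy of users and nodes is verified through mutual authentication among the user, the gateway node and the sensor nodes, and dynamic identities are used to resist impersonation attacks, stolen smart card attacks, denial-of-service attacks, dictionary attacks and replay attacks. User information is also protected anonymously, and users can change their passwords freely. Performance comparison results show that the scheme offers high security with low computational overhead.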

19.
Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.

20.
In cloud computing environments, user authentication is an important security mechanism because it provides the fundamentals of authentication, authorization, and accounting (AAA). In 2009, Wang et al. proposed an identity-based (ID-based) authentication scheme to deal with the user login problem for cloud computing. However, Wang et al.'s scheme is insecure against message alteration and impersonation attacks. Besides, their scheme has large computation costs for cloud users. Therefore, we propose a novel ID-based user authentication scheme to solve the above mentioned problems. The proposed scheme provides anonymity and security for the user who accesses different cloud servers. Compared with the related schemes, the proposed scheme has less computation cost so it is very efficient for cloud computing in practice.
