On the Security of “Secure and Lightweight Authentication with Key Agreement for Smart Wearable Systems”

Over the years, the performance of devices used to gather sensitive medical information about individuals has increased substantially. These include implanted devices in the body, placed on or around the body, creating a Wireless body area network. Security and privacy have been a greater concern over a period of time due to the sensitive nature of the data collected and transmitted by the network. It has been noticed that various techniques have been applied to secure the data and provide privacy in WBANs but with a tradeoff of execution overhead. Although the latest available anonymous authentication schemes provide privacy and security but due to the limited computation capacity of WBAN devices, these schemes show greater time cost for authentication and consume more processing time. We review two latest anonymous authentication schemes for the WBAN environment in terms of computation cost. These two schemes provide anonymous authentication and use encryption to secure the data and ensure privacy. Then we analyze a recent lightweight authentication scheme proposed for wearable devices which provides anonymity and privacy along with security with very low computation cost. This scheme uses hash functions in order to obtain authentication and anonymity and doesn’t use encryption in the authentication process. This scheme is not proposed for the WBAN environment, but it can be applied on the WBAN environment with necessary variations. The comparison of these available schemes shows clearly that the computation cost is considerably decreased by applying the latest authentication scheme in the WBAN environment. We propose a new authentication scheme for the WBAN environment based on the light-weight scheme proposed for wearable devices. The detailed analysis shows that our proposed scheme minimizes the computation cost and maintains the privacy and security along with anonymous authentication.

     

基于位替换运算的RFID双向认证协议

安全性是射频识别系统面临的重要隐患,针对该问题,设计了用于加密的位替换运算,并提出了一种新的基于位替换运算的RFID双向认证协议(SRMAP).安全与性能分析表明:SRMAP可抵抗多种潜在攻击,且能够使标签内计算操作、存储空间及通信量得以降低.最后,采用BAN逻辑方法形式化证明了该协议的正确性与安全性.     

基于属性加密的高效密文去重和审计方案

针对当前支持去重的属性加密方案既不支持云存储数据审计,又不支持过期用户撤销,且去重搜索和用户解密效率较低的问题,该文提出一种支持高效去重和审计的属性加密方案。该方案引入了第3方审计者对云存储数据的完整性进行检验,利用代理辅助用户撤销机制对过期用户进行撤销,又提出高效去重搜索树技术来提高去重搜索效率,并通过代理解密机制辅助用户解密。安全性分析表明该方案通过采用混合云架构,在公有云达到IND-CPA安全性,在私有云达到PRV-CDA安全性。性能分析表明该方案的去重搜索效率更高,用户的解密计算量较小。     

Conditional privacy-protection remote user authentication mechanism for WBAN

A conditional privacy-protection remote user authentication scheme based on a certificateless group signature was proposed,which can accomplish the anonymous mutual authentication between the user and the remote doctors.In addition,when the doctors perceived that users were in case of an emergency,the mechanism enabled the only group manager (GM) to expose the real identity information of users and given users timely assistance.The scheme can provide the anonymity,traceability,mutual authentication,non-reputation and some other security features.The performance analysis results show the scheme is more suitable for WBAN.     

Data sharing scheme supporting secure outsourced computation in wireless body area network

How to effectively protect the security of data sharing in WBAN was a key problem to be solved urgently.The traditional CP-ABE mechanism had a 〝one to many〝 data security communication function which was suitable for access control in WBAN,but it had high computational complexity and did not support attribute revocation.Fully considering of limitations on computation and storage of sensor nodes and dynamic user attribute in WBAN,a CP-ABE scheme was proposed which was provably secure against CPA under the standard model and supported attributes revocation,outsourced encryption and decryption.Compared with the proposed schemes,the computation burden on senor nodes is greatly reduced and the user's attribution can be revoked immediately and fine grained while meeting the demand of its security in the proposed scheme.     

CAKA: a novel certificateless-based cross-domain authenticated key agreement protocol for wireless mesh networks

Due to the flexibility of wireless mesh networks (WMNs) to form the backhaul subnetworks, future generation networks may have to integrate various kinds of WMNs under possibly various administrative domains. Aiming at establishing secure access and communications among the communication entities in a multi-domain WMN environment, in this paper, we intend to address the cross-domain authentication and key agreement problem. We present a light-weight cross-domain authentication and key agreement protocol, namely CAKA, under certificateless-based public key cryptosystem. CAKA has a few attractive features. First, mutual authentication and key agreement between any pair of users from different WMN domains can be easily achieved with two-round interactions. Second, no central domain authentication server is required and fast authentication for various roaming scenarios is supported by using a repeated cross-domain algorithm. Third, no revocation and renewal of certificates and key escrow are needed. Finally, it provides relatively more security features without increasing too much overhead of computation and storage. Our analysis shows that the proposed CAKA protocol is highly efficient in terms of communication overhead and resilient to various kinds of attacks.     

Efficient and privacy-preserving online face authentication scheme

In traditional face authentication system,the trait template and authentication request were generally matched over plaintext,which may lead to the leakage of users’ sensitive data.In order to address the above-mentioned problem,based on matrix encryption,an efficient and privacy-preserving online face authentication scheme was proposed.Specifically,the users’ face trait template for register and the authentication request were encrypted before being sent to the online authentication server,and the similarity computation between the encrypted face trait template and authentication request was computed by the online authentication server over ciphertexts,which guaranteed the security of users’ sensitive data without affecting the accuracy of face authentication.Security analysis shows that the proposed scheme can achieve multiple security levels according to different security parameters.Moreover,performance evaluation shows that the proposed scheme has low computation cost and communication overhead.Experiments results demonstrate the high efficiency of the proposed scheme,which can be implemented in the real environment effectively.     

Privacy‐preserving registration protocol for mobile network

In this paper, we propose a novel privacy‐preserving registration protocol that combines the verifier local revocation group signature with mobile IP. The protocol could achieve strong security guarantee, such as user anonymity via a robust temporary identity, local user revocation with untraceability support, and secure key establishment against home server and eavesdroppers. Various kinds of adversary attacks can be prevented by the proposed protocol, especially that deposit‐case attack does not work here. Meanwhile, a concurrent mechanism and a dynamical revocation method are designed to minimize the handover authentication delay and the home registration signals. The theoretical analysis and simulation results show that the proposed scheme could provide high security level besides lightweight computational cost and efficient communication performance. For instance, compared with Yang's scheme, the proposed protocol could decrease the falling speed of handover authentication delay up to about 40% with privacy being preserved. Copyright © 2012 John Wiley & Sons, Ltd.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles

Internet of Vehicles (IoV), as the next generation of transportation systems, tries to make highway and public transportation more secure than used to be. In this system, users use public channels for their communication so they can be the victims of passive or active attacks. Therefore, a secure authentication protocol is essential for IoV; consequently, many protocols are presented to provide secure authentication for IoV. In 2018, Yu et al proposed a secure authentication protocol for WSNs in vehicular communications and claimed that their protocol could satisfy all crucial security features of a secure authentication protocol. Unfortunately, we found that their protocol is susceptible to sensor capture attack, user traceability attack, user impersonation attack, and offline sink node's secret key guessing attack. In this paper, we propose a new authentication protocol for IoV which can solve the weaknesses of Yu et al's protocol. Our protocol not only provides anonymous user registration phase and revocation smart card phase but also uses the biometric template in place of the password. We use both Burrow‐Abadi‐Needham (BAN) logic and real‐or‐random (ROR) model to present the formal analysis of our protocol. Finally, we compare our protocol with other existing related protocols in terms of security features and computation overhead. The results prove that our protocol can provide more security features and it is usable for IoV system.     

An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings

With the continue evaluation of mobile devices in terms of the capabilities and services, security concerns increase dramatically. To provide secured communication in mobile client–server environment, many user authentication protocols from pairings have been proposed. In 2009, Goriparthi et al. proposed a new user authentication scheme for mobile client–server environment. In 2010, Wu et al. demonstrated that Goriparthi et al.’s protocol fails to provide mutual authentication and key agreement between the client and the server. To improve security, Wu et al. proposed an improved protocol and demonstrated that their protocol is provably secure in random oracle model. Based on Wu et al.’s work, Yoon et al. proposed another scheme to improve performance. However, their scheme just reduces one hash function operation at the both of client side and the server side. In this paper, we present a new user authentication and key agreement protocol using bilinear pairings for mobile client–server environment. Performance analysis shows that our protocol has better performance than Wu et al.’s protocol and Yoon et al.’s protocol. Then our protocol is more suited for mobile client–server environment. Security analysis is also given to demonstrate that our proposed protocol is provably secure against previous attacks.     

A chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card

Authenticated key agreement protocols play an important role for network‐connected servers to authenticate remote users in Internet environment. In recent years, several authenticated key agreement protocols for single‐server environment have been developed based on chaotic maps. In modern societies, people usually have to access multiple websites or enterprise servers to accomplish their daily personal matters or duties on work; therefore, how to increase user's convenience by offering multi‐server authentication protocol becomes a practical research topic. In this study, a novel chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card is proposed. In this protocol, a legal user can access multiple servers using only a single secret key obtained from a trusted third party, known as the registration center. Security analysis shows this protocol is secure against well‐known attacks. In addition, protocol efficiency analysis is conducted by comparing the proposed protocol with two recently proposed schemes in terms of computational cost during one authentication session. We have shown that the proposed protocol is twice faster than the one proposed by Khan and He while preserving the same security properties as their protocol has. Copyright © 2014 John Wiley & Sons, Ltd.     

基于身份代理权可撤销的代理签名

代理签名体制中代理签名权的撤销问题至关重要,SONG等人提出一种可撤销代理权的代理签名方案。提出了一种新的基于身份的可撤销代理权的代理签名方案,原始签名者在发现代理签名者不诚实时,可以通过可信中心TA及时有效地撤销代理签名者的代理签名权,且在该方案中将用户个人信息作为身份标识,大大减少了密钥的存储和管理开销。     

An efficient voting based decentralized revocation protocol for vehicular ad hoc networks

Vehicular Ad-hoc NETworks (VANETs) enable cooperative behaviors in vehicular environments and are seen as an integral component of Intelligent Transportation Systems (ITSs). The security of VANETs is crucial for their successful deployment and widespread adoption. A critical aspect of preserving the security and privacy of VANETs is the efficient revocation of the ability of misbehaving or malicious vehicles to participate in the network. This is usually achieved by revoking the validity of the digital certificates of the offending nodes and by maintaining and distributing an accurate Certificate Revocation List (CRL). The immediate revocation of misbehaving vehicles is of prime importance for the safety of other vehicles and users. In this paper, we present a decentralized revocation approach based on Shamir’s secret sharing to revoke misbehaving vehicles with very low delays. Besides enhancing VANETs’ security, our proposed protocol limits the size of the revocation list to the number of the revoked vehicles. Consequently, the authentication process is more efficient, and the communication overhead is reduced. We experimentally evaluate our protocol to demonstrate that it provides a reliable solution to the scalability, efficiency and security of VANETs.     

A Robust Mutual Authentication Protocol for Wireless Sensor Networks

Authentication is an important service in wireless sensor networks (WSNs) for an unattended environment. Recently, Das proposed a hash‐based authentication protocol for WSNs, which provides more security against the masquerade, stolen‐verifier, replay, and guessing attacks and avoids the threat which comes with having many logged‐in users with the same login‐id. In this paper, we point out one security weakness of Das' protocol in mutual authentication for WSN's preservation between users, gateway‐node, and sensor nodes. To remedy the problem, this paper provides a secrecy improvement over Das' protocol to ensure that a legal user can exercise a WSN in an insecure environment. Furthermore, by presenting the comparisons of security, computation and communication costs, and performances with the related protocols, the proposed protocol is shown to be suitable for higher security WSNs.     

一种基于散列函数的RFID安全认证方法

RFID系统中有限的标签芯片资源,导致数据与信息的安全成为RFID系统的重要问题之一,散列函数的单向性为RFID的识别和认证提供了一种既可靠又有效的途径.在分析了现有几种典型散列认证协议的基础上,提出了一种新的基于散列函数的安全认证协议.本协议旨在解决手持式、无线连接的RFID阅读器与标签、服务器间的识别,利用散列函数实现服务器、阅读器以及电子标签三者之间的相互认证.经过安全性与性能的分析,新协议在采用较小的存储空间和较低的运算开销的情况下,可抵抗已知的大多数攻击,有效地保证了RFID系统中数据和隐私的安全,实现了终端与服务器间的双向认证和匿名认证,非常适合于在大型分布式系统中使用.     

Efficient revocable attribute-based encryption scheme

In the existing solutions,the time-based scheme is difficult to achieve immediate revocation,and the third-party-based scheme often requires re-encryption,which needs large amount of calculation and doesn’t apply to mas-sive data.To solve the problem,an efficient and immediate CP-ABE scheme was proposed to support user and attribute lev-els revocation.The scheme was based on the classic LSSS access structure,introducing RSA key management mechanism and attribute authentication.By means of a semi-trusted third party,the user could be authenticated before decryption.Com-pared with the existing revocation schemes,The proposed scheme didn’t need the user to update the key or re-encrypt the ciphertext.The semi-trusted third party wasn’t required to update the RSA attribute authentication key.The scheme greatly reduced the amount of computation and traffic caused by revocation,while ensuring anti-collusion attacks and forward and backward security.Finally,the security analysis and experimental simulation show that the scheme has higher revocation ef-ficiency.     

一种简化的低开销家庭基站重认证协议

The 3rd Generation Partnership Project (3GPP) defined a new architecture, called Home eNode B (HeNB). The 3GPP has also presented a protocol for communications between HeNB and core networks for mutual authentication. To reduce the authentication costs associated with communication, compu-tation and energy, this paper proposes a simple and low-cost re-authentication protocol that does not compromise the provided security services. The proposed protocol uses as the re-authentication parameter a Master Session Key (MSK) that has already been computed in the initial authentication, and does not require the full initial authentication to be repeated. Moreover, the proposed protocol does not modify the 3GPP infrastructure, and is easily applied to the HeNB system. Finally, the security of the proposed protocol is veri?ed by Automated Validation of Internet Security Protocols and Applications (AVISPA) and Burrows-Abadi-Needham (BAN) Logic; de-tailed evaluations of performance are also given. The analysis results illustrate that the proposed protocol can achieve at least 50% cost reduction in communication and 58% cost reduction in energy. The computational cost is also reduced by half compared with the initial authentication.     

A novel universal authentication protocol based on combined public key in heterogeneous networks

Based on combined public key (CPK), a novel universal authentication protocol which conforms extensible authentication protocol (EAP) specification in heterogeneous networks was presented, so called EAP-CPK. Subsequently, detailed authentication process and related delay analysis of EAP-CPK in the 3rd Generation Partnership Project wireless local area network (3GPP-WLAN) interworking network were also given. In this paper, parameters from client and server related with mutual authentication process are classified systematically, and detailed verification process by using BurrowsAbadiNeedham89 (BAN) logic analysis is proposed. Security analysis results show that the proposed protocol is secure, and it not only can prevent man-in-the-middle attack and replay attack, but also can make lower system cost.