Similar literature
Found 20 similar documents; search took 15 ms.
1.
Recently, Peyravian and Zunic proposed remote password authentication schemes based only on a collision-resistant hash function. The schemes are, therefore, easy to implement and simple to use. These attractive properties have prompted a series of discussions. Several security flaws have been found and remedied. Unfortunately, most of the remedies either are insecure or violate the original advantages because they involve public-key cryptosystems or modular exponential operations. Hence, it is still a challenge to design a secure scheme abiding by the beneficial assumption of the Peyravian-Zunic schemes. The proposed scheme not only keeps the original advantages (user friendliness and computational cheapness) but also highlights certain valuable features, such as (1) mutual authentication (higher security level), (2) server’s ignorance of users’ passwords (further security guarantee to users, especially for financial services), (3) immunity from maintaining a security-sensitive table (maintaining burden reduction to servers), and so forth.

2.
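A Simple and Effective Password Identification Scheme   Total citations: 2, self-citations: 0, citations by others: 2
袁丁, 范平志. 《计算机工程》 (Computer Engineering), 2006, 32(17): 192-193
Password-based identification is the most widely used technique in distributed network environments; however, traditional password identification techniques are vulnerable to dictionary attacks, replay attacks and denial-of-service attacks. Addressing the SAS protocol proposed by Sandirigama et al., this paper proposes a simple and effective password identification scheme, SEPA, which resists dictionary attacks, replay attacks and server denial-of-service attacks, with low computational and communication overhead.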

3.
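By analyzing the security vulnerabilities in the Linux user login process, this paper describes the process and characteristics of symmetric-key-based third-party authentication, as represented by Kerberos, and proposes a security model that applies Kerberos to Linux user login.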

4.
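User Management Techniques in Remote College Entrance Examination Admission   Total citations: 1, self-citations: 0, citations by others: 1
何姝, 叶克江, 邢东山, 原野, 夏华. 《计算机工程》 (Computer Engineering), 2003, 29(12): 188-190
Remote admission for the national college entrance examination (gaokao) is a complex Web application system with a large number of users at different privilege levels and sensitive, confidential data, so a systematic solution for user management is necessary. This paper describes in detail the specific methods and techniques for user management, identity authentication and user access control in the remote admission system that was developed.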

5.
The spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols among the service-seeking users, the sensing component sensor nodes (SNs) and the service provider base station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both schemes achieve mutual authentication, establish a session key and resist many known attacks but still have security weaknesses. We show the applicability of stolen verifier, user impersonation, password guessing and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to password guessing attack. In both schemes, the security of the session key established between user and SNs is imperfect due to lack of forward secrecy and session-specific temporary information leakage attack. In addition, both schemes impose extra computational load on resource-scanty sensor nodes and are not user friendly due to absence of user anonymity and lack of a password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSN using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSN based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.

6.
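An Identity Authentication Mechanism Based on Dynamic Passwords and Its Security Analysis   Total citations: 8, self-citations: 0, citations by others: 8
Identity authentication is an important component of network security technology. Building on the challenge/response authentication mechanism, the article proposes an authentication mechanism based on dynamic passwords and analyzes its security.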

7.
A password manager stores and handles users’ passwords from different services. This relieves the users from constantly remembering and recalling many different login credentials. However, because of the poor usability and limited user experience of password managers, users find it difficult to perform basic actions, such as a safe login. Unavoidably, the password manager holds the login credentials of many online services; as a result, it becomes a desired target for online attacks. This results in compromised security, which users often consider as an inevitable condition that must be accepted. Many studies analysed the usability and security of various password managers. Their research findings, though important, are rather incomprehensible to designers of password managers, because they are limited to particular properties or specific applications and they, often, are contradictory. Hence, we focus on investigating properties and features that can elevate the usability, security, and trustworthiness of password managers, aiming at providing practical, simple, and useful guidelines for building a useable password manager. We performed a systematic literature review, in which we selected thirty-two articles with coherent outcomes associated with usability and security. From these outcomes, we deduced and present meaningful suggestions for realising a useable, secure and trustworthy password manager.

8.
This paper suggests the use of cognitive passwords as a method of overcoming the difficulty of creating passwords that are simultaneously memorable and difficult to guess. Cognitive passwords involve a dialogue between a user and a system, where a user answers a rotating set of questions about highly personal facts and opinions. A set of such brief responses replaces a single password. The findings of this empirical investigation, focusing on memorability and ease-of-guessing of cognitive passwords, are reported. These findings show that cognitive passwords were easier to recall than conventional passwords, while they were difficult for others to guess, even others who were socially close to the users.

9.
10.
As a result of the growing demand for accurate and reliable personal authentication, biometric recognition, a substitute for or complement to existing authentication technologies, has attracted considerable attention. It has recently been reported that, along with its variants, BioHashing, a new technique that combines biometric features and a tokenized (pseudo-) random number (TRN), has achieved perfect accuracy, having zero equal error rates (EER) for faces, fingerprints and palmprints. There are, however, anomalies in this approach. These are identified in this paper, in which we systematically analyze the details of the approach and conclude that the claim of having achieved a zero EER is based upon an impractical hidden assumption. We simulate the claimants’ experiments and find that it is not possible to achieve their reported performance without the hidden assumption and that, indeed, the results are worse than when using the biometric alone.

11.
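As the core and an important foundation of security mechanisms, how to achieve authentication securely, efficiently and with low energy consumption under the various constraints of wireless sensor networks has always been a hot topic in wireless sensor network security research. In wireless sensor network applications in hostile environments, to prevent attacks such as malicious nodes injecting illegitimate information or tampering with data, authentication keys must be introduced into node identity authentication and the distribution of control information. At the same time, security authentication must also take into account new situations such as the discovery of untrusted nodes, the energy exhaustion of old nodes and the joining of new nodes. This paper systematically introduces the research content and current state of research on security authentication in wireless sensor networks, discusses the main current solutions in depth, and, in view of the strengths and weaknesses of current research, gives directions for further research.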

12.
13.
With the advance of the Internet and mobile communication techniques, the telematics environment where users in vehicles can use the Internet service has been realized. For safe driving, however, we propose that user authentication for the Internet service is performed by using the driver's fingerprint, instead of typing his/her password. Since the driver's fingerprint is private information to be protected and the size of the fingerprint information is much larger than that of a typical password, we need a different user authentication protocol for the telematics environment. That is, in addition to the compliance with the standard X9.84 protocol to protect the fingerprint information transmitted, we use the watermarking technique to lessen the privacy threat, and propose a secure and efficient protocol between Access Points (APs) considering the possible hand-off during the authentication in the mobile telematics environment. Based on the experimental measurement of the proposed protocol, we confirm that the fingerprint-based user authentication can be performed in real-time in the telematics environment.

14.
Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012). One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost, but there are also issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 s.

15.
In this paper, a password authentication scheme based on a unit circle encoding is proposed. In our scheme, a one-way function and a cryptographic operation such as DES (data encryption standard) are adopted. Besides, in our scheme, the system only needs to store a master secret key, and each user can select his own password freely. Instead of storing a password verification table inside the computer system, our method only has to store a corresponding table of identities, which is used by the computer system for validating the submitted passwords. Owing to this scheme, the system can quickly and efficiently respond to any log-in attempt, and is suitable for real-time applications. Furthermore, in our scheme, the system does not need to reconstruct any term of the existing key table when a new user is inserted into the system. Thus, our scheme is suitable for practical implementation.

16.
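Deploying multiple network access authentication systems simultaneously in a campus network, all using a unified account and password, is a common access authentication deployment scheme. When multiple access authentication systems coexist, how to uniformly manage and control online users, trace and analyze users' online activity trails, and uniformly monitor and manage the multiple authentication systems are common problems facing campus network management today. To address this, a unified online user management and control platform for multiple authentication systems was designed and implemented, and tested in a real campus network environment; the test results verify the platform's effectiveness.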

17.
Advancement in communication technology provides a scalable platform for various services, where a remote user can access the server from anywhere without moving from its place. It provides a unique opportunity for online services such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to the resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server. If a user wishes to access multiple application servers, he/she is required to register with each server. Multi-server authentication introduces a scalable platform such that a user can interact with any server using a single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user’s password and biometrics (Chuang and Chen, 2014). Their scheme is lightweight, requiring the computation of only hash functions. In this paper, we first analyze Chuang and Chen’s scheme and then identify that their scheme does not resist the stolen smart card attack, which causes the user’s impersonation attack and server spoofing attack. We also show that their scheme fails to protect against denial-of-service attack. We aim to propose an efficient improvement on Chuang and Chen’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. Through rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Chuang and Chen’s scheme. Furthermore, we simulate our scheme for formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of the communication and computational overheads with Chuang and Chen’s scheme and other related existing schemes.

18.
Various wireless communication technologies have been generated and deployed on account of mass requirements. These enable cloud computing with integration with mobility and Mobile Cloud Computing (MCC) becomes the trend of future generation computing paradigm. In this paper, we address a challenging issue of MCC technology—security and privacy of the handover process. We propose a new design of handoff authentication for heterogeneous mobile cloud networks, which provides user anonymity and untraceability. Compared with previous protocols, our proposed mechanism achieves comprehensive features of universality, robust security and efficiency.

19.
Remote user authentication is a method in which a remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves anonymity of user, has the features of strong password chosen by the server, and is protected from several attacks. However, in this paper, we point out that Wang et al.’s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme: does not provide anonymity of a user during authentication, user has no choice in choosing his password, vulnerable to insider attack, no provision for revocation of lost or stolen smart card, and does provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.’s scheme and is more secure and efficient for practical application environment.

20.
This pilot study explores the use of combining multiple data sources (subjective, physical, physiological, and eye tracking) in understanding user cost and behavior. Specifically, we show the efficacy of such objective measurements as heart rate variability (HRV), and pupillary response in evaluating user cost in game environments, along with subjective techniques, and investigate eye and hand behavior at various levels of user cost. In addition, a method for evaluating task performance at the micro-level is developed by combining eye and hand data. Four findings indicate the great potential value of combining multiple data sources to evaluate interaction: first, spectral analysis of HRV in the low frequency band shows significant sensitivity to changes in user cost, modulated by game difficulty—the result is consistent with subjective ratings, but pupillary response fails to accord with user cost in this game environment; second, eye saccades seem to be more sensitive to user cost changes than eye fixation number and duration, or scanpath length; third, a composite index based on eye and hand movements is developed, and it shows more sensitivity to user cost changes than a single eye or hand measurement; finally, timeline analysis of the ratio of eye fixations to mouse clicks demonstrates task performance changes and learning effects over time. We conclude that combining multiple data sources has a valuable role in human–computer interaction (HCI) evaluation and design.

Copyright©北京勤云科技发展有限公司  京ICP备09084417号