A novel user identification scheme with key distribution preserving user anonymity for distributed computer networks

Recently, Yang et al. proposed an efficient user identification scheme with key distribution, in which it is possible for the user to anonymously log into a system and establish a secret key shared with the system. Mangipudi and Katti later demonstrated a Deniable-of-Service (DoS) attack on the Yang et al. scheme and then proposed an improvement to withstand such an attack. However, this paper demonstrates an identity disclosure attack to show that neither schemes’ claimed user anonymity requirement can be achieved. We further propose a novel user identification scheme with key distribution preserving user anonymity for distributed computer networks. The proposed scheme not only withstands the attacks mentioned above, but also achieves the following: (i) user anonymity, (ii) key distribution, (iii) mutual authentication, and (iv) key confirmation. The performance of our scheme is of greater efficiency than that of previously proposed schemes in terms of communication costs and computational complexities.     

An efficient mutual authentication and key agreement protocol preserving user anonymity in mobile networks

We address the problem of mutual authentication and key agreement with user anonymity for mobile networks. Recently, Lee et al. proposed such a scheme, which is claimed to be a slight modification of, but a security enhancement on Zhu et al.’s scheme based on the smart card. In this paper, however, we reveal that both schemes still suffer from certain weaknesses which have been previously overlooked, and thus are far from the desired security. We then propose a new protocol which is immune to various known types of attacks. Analysis shows that, while achieving identity anonymity, key agreement fairness, and user friendliness, our scheme is still cost-efficient for a general mobile node.     

An efficient user identification scheme based on ID-based cryptosystem

Tseng-Jan modified a non-interactive public key distribution system and also proposed several applications based on the Maurer–Yacobi scheme. In their scheme, a user can prove his identity to another user without revealing his secret key. They use a challenge-response-type interactive protocol to achieve their objective. However, in wireless environment, waiting for a corresponding response from the other is time-wasting and consumes the battery of the mobile device. The ability of computing and the capacity of the battery of a mobile device are limited. Therefore, we propose an efficient scheme based on ID-based cryptosystem that is more suitable to be applied in the mobile environment.     

An efficient incomparable public key encryption scheme

Public keys are closely related to the identity of recipients in public key encryption setting. In privacy-sensitive applications of public key encryption, it is desirable to hide the relation between the public key and the identity of the recipient. The main functional approach in the privacy enhanced public key encryption scheme is to give anonymity of the public keys of recipients. In this case, all the users in the system are potential recipients of every ciphertext. Waters, Felten, and Sahai proposed an incomparable public key encryption scheme which guarantees the anonymity of recipients against both eavesdroppers and senders. In their scheme, all the recipients must complete the same amount of computations to identify the ciphertexts which direct to them. In this paper, we focus on reducing the number of computations for the recipients while preserving the security level of Waters et al.’s scheme. Our method is to separate the decryption process into two steps, first the recipient determines whether a ciphertext is directed to him or her, and only if the direction is correct, the recipient recovers the corresponding plaintext. This improves the efficiency of the system.     

A strong user authentication scheme with smart cards for wireless communications

Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.     

Cognitive passwords: The key to easy access control

This paper suggests the use of cognitive passwords as a method of overcoming the difficulty of creating passwords that are simultaneously memorable and difficult to guess. Cognitive passwords involve a dialogue between a user and a system, where a user answers a rotating set of questions about highly personal facts and opinions. A set of such brief responses replace a single password.The findings of this empirical investigation, focusing on memorability and ease-of-guessing of cognitive passwords, are reported. These findings show that cognitive passwords were easier to recall than conventional passwords, while they were difficult for others to guess, even others who were socially close to the users.     

基于PUF的5G车联网V2V匿名认证与密钥协商协议

单点登录（single sign on,SSO）方案能够避免认证模块冗余带来的资源浪费、信息泄露问题,而具有匿名性的单点登录能够在保护个人隐私的情况下实现匿名认证与授权,但现有的匿名单点登录方案未考虑因用户匿名而出现的欺诈行为追责问题. 针对此问题,首先提出一个格上可追溯的匿名单点登录方案. 所提方案采用格上基于身份的密码体制缓解公钥证书管理问题,通过授权认证标签和假名实现对用户的匿名认证;然后使用强指定验证者技术实现用户服务请求的定向验证;同时引入受信任机构,通过公钥恢复出用户身份并进行追责;最后在安全模型下证明方案具有不可链接性、不可伪造性与可追溯性. 安全性与性能分析结果表明方案在PARMS II和PARMS III这2组参数下,分别运行大约75 ms和108 ms便可为用户生成可供4次服务请求的访问服务票据,并可达到230 b和292 b的量子安全强度.

     

一种新的传感器网络密钥分配方案

密钥分配对于无线传感器网络（WSN）的安全起着基础性作用。由于传感器网络规模大、节点资源非常受限等特点,传统的基于公钥和可信任密钥分配中心等方式不能使用。提出了一种新的WSN密钥分配方案,并对其存储量、通信量、计算量和安全性进行了分析。该方案基于安全两方计算,计算负载小,安全性高,适合传感器网络。     

Embedding biometric identifiers in 2D barcodes for improved security

Two-dimensional (2D) barcode symbology is an emerging technology used for compactly storing and retrieving information. These barcodes can be found on the back of drivers' licenses and are encoded with secure text data. Standard 2D barcode such as PDF417 uses upper and lowercase alphabets, numeric digits and special characters for encoding. Some barcodes also include a compressed photo of the individual. The visual quality of the compressed image is usually poor and occupies a large amount of space which greatly reduces the capacity needed for encoding text. This paper presents a novel approach for embedding uncompressed images in a standard PDF417 2D barcode using a blind digital watermarking technique. The text is encoded in the standard PDF417 format with error correction, while the face and fingerprint images are watermarked in the encoded 2D barcode. Experimental results show that the proposed technique effectively increased the standard capacity of the PDF417 2D barcode without altering the contents of the encoded data. The results also show that the visual quality of the extracted photo image is high. The extracted fingerprint image when compared with the original fingerprint using an AFIS system yielded a high matching score.     

MTi: A method for user identification for multitouch displays

This paper describes MTi, a biometric method for user identification on multitouch displays. The method is based on features obtained only from the coordinates of the 5 touchpoints of one of the user's hands. This makes MTi applicable to all multitouch displays large enough to accommodate a human hand and detect 5 or more touchpoints without requiring additional hardware and regardless of the display's underlying sensing technology. MTi only requests that the user places his hand on the display with the fingers comfortably stretched apart. A dataset of 34 users was created on which our method reported 94.69% identification accuracy. The method's scalability was tested on a subset of the Bosphorus hand database (100 users, 94.33% identification accuracy) and a usability study was performed.     

A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps

Spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols for among the service seeker users, sensing component sensor nodes (SNs) and the service provider base-station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both the schemes achieve mutual authentication, establish session key and resist many known attacks but still have security weaknesses. We show the applicability of stolen verifier, user impersonation, password guessing and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to password guessing attack. In both the schemes, the security of the session key established between user and SNs is imperfect due to lack of forward secrecy and session-specific temporary information leakage attack. In addition both the schemes impose extra computational load on resource scanty sensor-nodes and are not user friendly due to absence of user anonymity and lack of password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSN using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSN based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.     

Enforcing the security of a time-bound hierarchical key assignment scheme

A time-bound hierarchical key assignment scheme is a method to assign a cryptographic key to each class of users in a system organized as a partially ordered hierarchy, in such a way that key derivation is constrained both by class relationships and by time. Recently, a time-bound hierarchical key assignment scheme based on tamper-resistant devices and requiring low computational load and implementation cost has been proposed. Unfortunately, the scheme is not secure.In this paper we show how three malicious users can handle public and private information to misuse their tamper-resistant devices in order to compute some encryption keys that they should not be able to learn. We also show some countermeasures to withstand the weakness we have exploited.     

一种可认证密钥分配方案

给出一种新的可认证密钥分配方案，该方案基于差错控制编码理论中的系统线性分组码，而不使用任何加算法，它不仅对于抵御内外攻击者的攻击具有较高的安全性，而且还可以提高通信的可靠性。     

改进的错误容忍的会议密钥分配方案

提出了一个改进的基于身份并且错误容忍的会议密钥分配方案,分析结果表明,改进的协议在继承原协议安全特性的基础上,具备了抗被动攻击性、抗篡改攻击性和前向安全性,跟同类协议相比较,其安全性最高,通信量居中,因此,其实用性最强。     

一种基于Smart Card的远程用户身份验证方案的安全性讨论

身份验证是计算机通信的一个重要方面。由于密码验证协议的简单性,它已经被广泛地用于身份验证。最近,Lee氏等利用Smart Card,提出了一个基于随机数的远程用户验证方案。指出了这个方案并不像其提出者所声称的那样安全,同时提出了两种攻击方法以破解其验证方案。     

Provably secure and efficient identification and key agreement protocol with user anonymity

Many authentication and key agreement protocols were proposed for protecting communicated messages. In previous protocols, if the user?s identity is transmitted in plaintext, an adversary can tap the communications and employ it to launch some attacks. In most protocols with user anonymity, they focus on satisfaction of several security requirements. From a client?s point of view, those protocols are not admired since the cost of storage, computation and communication is high. In pervasive computing, a client usually uses a limited-resource device to access multiple servers. The storage and computation are very important issues especially in this kind of environments. Also, for a convenience of designing protocol, most protocols use timestamps to prevent the replay attack. As we know, the serious time synchronization problem exists in timestamp-based protocols. Finally, most protocols do not have formal proofs for the security. In this paper, we propose a secure and efficient identification and key agreement protocol with user anonymity based on the difficulty of cracking the elliptic curve Diffie–Hellman assumption. In addition, we also propose an augmented protocol for providing the explicit mutual authentication. Compared with the related protocols, the proposed protocols? computation cost is lower and the key length is shorter. Therefore, our protocols are suitable even for applications in low power computing environments. Finally, we formally prove the security of the proposed protocols by employing the random oracle model.     

基于增强型双向散列链的自愈组密钥分发方案

针对基于传统双向散列链的自愈组密钥分发方法无法抵制合谋攻击的不足,提出了引入滑动窗口和轻量级子链LiBHC结构的增强型双向散列链结构,并给出了基于该结构的自愈组密钥分发方案。该方案有效地解决了组密钥的无缝切换问题,更大程度地减少了合谋攻击对系统构成的安全威胁。分析表明,本方案在保持较好的资源开销优势的前提下,获得了更好的安全性和可靠性,更适用于节点俘获攻击多发的应用场景。     

A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards

Advancement in communication technology provides a scalable platform for various services, where a remote user can access the server from anywhere without moving from its place. It provides a unique opportunity for online services such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to the resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server. If a user wishes to access multiple application servers, he/she requires to register with each server. The multi-server authentication introduces a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user’s password and biometrics (Chuang and Chen, 2014). Their scheme is a lightweight, which requires the computation of only hash functions. In this paper, we first analyze Chuang and Chen’s scheme and then identify that their scheme does not resist stolen smart card attack which causes the user’s impersonation attack and server spoofing attack. We also show that their scheme fails to protect denial-of-service attack. We aim to propose an efficient improvement on Chuang and Chen’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Chuang and Chen’s scheme. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of the communication and computational overheads with Chuang and Chen’s scheme and other related existing schemes.     

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Remote user authentication is a method, in which remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves anonymity of user, has the features of strong password chosen by the server, and protected from several attacks. However, in this paper, we point out that Wang et al.’s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme: does not provide anonymity of a user during authentication, user has no choice in choosing his password, vulnerable to insider attack, no provision for revocation of lost or stolen smart card, and does provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.’s scheme and is more secure and efficient for practical application environment.