scholarly journals A Secure and Efficient ECC-Based Anonymous Authentication Protocol

2019 ◽  
Vol 2019 ◽  
pp. 1-13 ◽  
Author(s):  
Feifei Wang ◽  
Guoai Xu ◽  
Lize Gu
Keyword(s):  
User Authentication ◽  
Authentication Protocol ◽  
Performance Comparison ◽  
Impersonation Attack ◽  
Session Key ◽  
Anonymous Authentication ◽  
Password Guessing Attack ◽  
Authentication Schemes ◽  
And Performance ◽  
Guessing Attack

Nowadays, remote user authentication protocol plays a great role in ensuring the security of data transmission and protecting the privacy of users for various network services. In this study, we discover two recently introduced anonymous authentication schemes are not as secure as they claimed, by demonstrating they suffer from offline password guessing attack, desynchronization attack, session key disclosure attack, failure to achieve user anonymity, or forward secrecy. Besides, we reveal two environment-specific authentication schemes have weaknesses like impersonation attack. To eliminate the security vulnerabilities of existing schemes, we propose an improved authentication scheme based on elliptic curve cryptosystem. We use BAN logic and heuristic analysis to prove our scheme provides perfect security attributes and is resistant to known attacks. In addition, the security and performance comparison show that our scheme is superior with better security and low computation and communication cost.

scholarly journals Security Enhanced Anonymous Multiserver Authenticated Key Agreement Scheme Using Smart Cards and Biometrics

2014 ◽  
Vol 2014 ◽  
pp. 1-15 ◽  
Author(s):  
Younsung Choi ◽  
Junghyun Nam ◽  
Donghoon Lee ◽  
Jiye Kim ◽  
Jaewook Jung ◽  
...  
Keyword(s):  
Key Agreement ◽  
User Authentication ◽  
Mutual Authentication ◽  
Smart Cards ◽  
Security Requirements ◽  
Impersonation Attack ◽  
Single Server ◽  
Authenticated Key Agreement ◽  
Session Key ◽  
Authentication Schemes

An anonymous user authentication scheme allows a user, who wants to access a remote application server, to achieve mutual authentication and session key establishment with the server in an anonymous manner. To enhance the security of such authentication schemes, recent researches combined user’s biometrics with a password. However, these authentication schemes are designed for single server environment. So when a user wants to access different application servers, the user has to register many times. To solve this problem, Chuang and Chen proposed an anonymous multiserver authenticated key agreement scheme using smart cards together with passwords and biometrics. Chuang and Chen claimed that their scheme not only supports multiple servers but also achieves various security requirements. However, we show that this scheme is vulnerable to a masquerade attack, a smart card attack, a user impersonation attack, and a DoS attack and does not achieve perfect forward secrecy. We also propose a security enhanced anonymous multiserver authenticated key agreement scheme which addresses all the weaknesses identified in Chuang and Chen’s scheme.

Analysis of the Dynamic ID-Based Remote User Authentication Schemes Using Smart Card for Multi-Server Environments

2014 ◽  
Vol 543-547 ◽  
pp. 3343-3347
Author(s):  
Xue Lei Li ◽  
Qiao Yan Wen ◽  
Wen Min Li ◽  
Hua Zhang ◽  
Zheng Ping Jin
Keyword(s):  
Smart Card ◽  
User Authentication ◽  
Password Guessing Attack ◽  
Remote User Authentication ◽  
Diffie Hellman ◽  
Dynamic Id ◽  
Authentication Schemes ◽  
Guessing Attack ◽  
Multi Server ◽  
Remote User

In this paper, we analyze and point out several weaknesses in the dynamic ID-based remote user authentication schemes using smart card for multi-server environments, and present the countermeasures to enhance the security of the schemes. Taking Li et al.'s scheme for instance, we demonstrate that their scheme does not provide forward secrecy and key privacy for the session keys, and cannot resist offline password guessing attack. Furthermore, the reasons of these security weaknesses are analyzed through extending the attacks to its predecessors. Finally, the improved ideas of local verification and authenticated Diffie-Hellman key agreement are presented to overcome the weaknesses mentioned above.

scholarly journals Revisiting the “An Improved Remote user Authentication Scheme with Key Agreement”

2018 ◽  
Vol 11 (4) ◽  
pp. 190-194
Author(s):  
YALIN CHEN ◽  
JUE-SAM CHOU ◽  
I - CHIUNG LIAO
Keyword(s):  
Smart Card ◽  
Key Agreement ◽  
User Authentication ◽  
Authentication Scheme ◽  
Session Key ◽  
Password Guessing Attack ◽  
Remote User Authentication ◽  
User Authentication Scheme ◽  
Guessing Attack ◽  
Remote User

Recently, Kumari et al., pointed out that Chang et al.’s scheme “Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update” has several drawbacks and does not provide any session key agreement. Hence, they proposed an improved remote user authentication scheme with key agreement based on Chang et al.’s protocol. They claimed that the improved method is secure. However, we found that their improvement still has both anonymity breach and smart card loss password guessing attack which cannot be violated in the ten basic requirements advocated for a secure identity authentication using smart card by Liao et al. Thus, we modify their protocol to encompass these security functionalities which are needed in a user authentication system using smart card.

scholarly journals A Lightweight Three-Factor Authentication and Key Agreement Scheme for Multigateway WSNs in IoT

2021 ◽  
Vol 2021 ◽  
pp. 1-15
Author(s):  
Lingyan Xue ◽  
Qinglong Huang ◽  
Shuaiqing Zhang ◽  
Haiping Huang ◽  
Wenming Wang
Keyword(s):  
User Authentication ◽  
Relevant Literature ◽  
Evaluation Criteria ◽  
Impersonation Attack ◽  
Security Evaluation ◽  
Replay Attack ◽  
Password Guessing Attack ◽  
Smart Healthcare ◽  
Multifactor Authentication ◽  
Guessing Attack

The Internet of Things (IoT) has built an information bridge between people and the objective world, wherein wireless sensor networks (WSNs) are an important driving force. For applications based on WSN, such as environment monitoring, smart healthcare, user legitimacy authentication, and data security, are always worth exploring. In recent years, many multifactor user authentication schemes for WSNs have been proposed using smart cards, passwords, as well as biometric features. Unfortunately, these schemes are revealed to various vulnerabilities (e.g., password guessing attack, impersonation attack, and replay attack) due to nonuniform security evaluation criteria. Wang et al. put forward 12 pieces of widely accepted evaluation criteria by investigating quantities of relevant literature. In this paper, we first propose a lightweight multifactor authentication protocol for multigateway WSNs using hash functions and XOR operations. Further, BAN logic and BPR model are employed to formally prove the correctness and security of the proposed scheme, and the informal analysis with Wang et al.’s criteria also indicates that it can resist well-known attacks. Finally, performance analysis of the compared schemes is given, and the evaluation results show that only the proposed scheme can satisfy all 12 evaluation criteria and keep efficient among these schemes.

Attacks on Young-Hwa An’s Improved Dynamic ID-Based Remote User Authentication Scheme

2014 ◽  
Vol 556-562 ◽  
pp. 5235-5238
Author(s):  
Cheng Qiang Xu ◽  
Zhen Li Zhang
Keyword(s):  
User Authentication ◽  
Authentication Scheme ◽  
Session Key ◽  
Forgery Attack ◽  
Password Guessing Attack ◽  
Remote User Authentication ◽  
Dynamic Id ◽  
User Authentication Scheme ◽  
Guessing Attack ◽  
Remote User

In 2011, Khan et al. analyzed and improved an enhanced secure dynamic ID-based remote user authentication scheme to overcome the weakness of Wang et al.’s scheme. In 2013, Young-Hwa An showed that Khan et al.’s scheme is not secure because Khan et al.’s scheme can not resist password guessing attack, forgery attack and does not provide user anonymity. After that he proposed a security improvement of dynamic ID-based remote user authentication scheme with session key agreement to remedy the weakness in Khan et al.’s scheme. Recently, through our study, we have found that Young-Hwa An’s mechanism is not secure enough. There still exists insider user’s attack, anonymity attack and forgery attack.

scholarly journals Elliptic Curve Cryptography based Secure and Efficient Authentication Protocol for Smart Card Users

2019 ◽  
Vol 9 (2) ◽  
pp. 3393-3397
Keyword(s):  
Elliptic Curve ◽  
Smart Card ◽  
Elliptic Curve Cryptography ◽  
User Authentication ◽  
Authentication Protocol ◽  
Password Guessing Attack ◽  
Communication Scheme ◽  
Guessing Attack ◽  
S Model ◽  
Remote User

Communication scheme which is used to have communication between authorized remote users over an insecure network is generally the authentication scheme which uses the password for the authentication. Remote user authentication techniques using the smart card have been proposed by many researchers. The main benefit of using the smart card is the storage availability and the computation speed. Huang et al. proposed a scheme for user authentication with smart cards which uses the concept of the timestamp. In Huang et al.’s protocol authors argued that their protocol is secure and efficient against any type of attack. Unfortunately Jung et al. show that Huang et al.’s model fails against the offline password guessing attack and with this scheme wrong password detection is not easy. In Huang et al.’s scheme, RSA cryptosystem is used to offer the authentication. In this article, advanced and secure smart card based authentication protocol using elliptic curve cryptography (ECC) is proposed. This proposed scheme thus overcomes all the possible drawbacks of Huang et al.’s scheme, and it has faster computation as compared to the available schemes

A Three-Party Password-based Authenticated Key Exchange Protocol for Wireless Communications

2015 ◽  
Vol 44 (4) ◽  
pp. 404-409 ◽  
Author(s):  
Yanrong Lu ◽  
Lixiang Li ◽  
Haiepeng Peng ◽  
Yixian Yang
Keyword(s):  
Information Technology ◽  
Wireless Communications ◽  
Key Exchange ◽  
Impersonation Attack ◽  
Authenticated Key Exchange ◽  
Session Key ◽  
Password Guessing Attack ◽  
Cryptographic Primitive ◽  
Guessing Attack ◽  
And Control

A three-party password-based authenticated key exchange (3PAKE) protocol is an important cryptographic primitive which allows two entities to establish a session key with the help of a trusted server through an insecure channel. Recently, Farash and Attari (Information Technology and Control 43(2), 143-150, 2014) presented an improved 3PAKE protocol to erase the security flaws found in Tallapally’s 3PAKE protocol (Information Technology and Control 41(1), 15-22, 2012). They claimed that their improved protocol could withstand many security attacks. However, we identified that Farash and Attari’s protocol was still sensitive to the off-line password guessing attack which directly resulted in defencelessness to the impersonation attack. In order to cope with the loopholes of Farash and Attari’s protocol, we proposed a modified 3PAKE protocol without using smart cards for wireless communications. We demonstrate that the proposed protocol can mitigate all the problems of the protocol of Farash and Attari and possess more security properties. In addition, we make a comparison among the proposed protocol and the other related protocols regarding the performance and security properties.DOI: http://dx.doi.org/10.5755/j01.itc.44.4.9729

Security Weaknesses and Improvements of a Remote User Authentication Scheme Preserving User Anonymity

2011 ◽  
Vol 145 ◽  
pp. 184-188
Author(s):  
Young Hwa An
Keyword(s):  
User Authentication ◽  
User Anonymity ◽  
Authentication Scheme ◽  
Impersonation Attack ◽  
Replay Attack ◽  
Password Guessing Attack ◽  
Insider Attack ◽  
Man In The Middle ◽  
User Authentication Scheme ◽  
Guessing Attack

In 2008, Bindu et al. proposed an improvement to Chien et al.'s remote password authentication scheme preserving user anonymity, and has asserted that the scheme is secure against replay attack, guessing attack, insider attack and man-in-the-middle attack, etc. However, in this paper, we have shown that Bindu et al.'s scheme is still insecure against man-in-the-middle attack and password guessing attack, and does not provide user anonymity. Also, we propose an improved scheme to withstand these weaknesses, while preserving their merits, even if the secret information stored in the smart card is revealed. As a result of analysis, the proposed scheme is secure against user impersonation attack, server masquerading attack, password guessing attack and does provide user anonymity. And we can see that the proposed scheme is relatively more effective than Bindu et al.'s scheme.

Sign in / Sign up

Export Citation Format

Share Document