As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound

Book review: Applied cryptography: Protocols, algorithms, and source code in C

http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/comnet14.pdf

On the anonymity of two-factor authentication schemes for wireless sensor networks

Multi-server environment is the most common scenario for a large number of enterprise class applications. In this environment, user registration at each server is not recommended. Using multi-server authentication architecture, user can manage authentication to various servers using single identity and password. We introduce a new authentication scheme for multi-server environments using Chebyshev chaotic map. In our scheme, we use the Chebyshev chaotic map and biometric verification along with password verification for authorization and access to various application servers. The proposed scheme is light-weight compared to other related schemes. We only use the Chebyshev chaotic map, cryptographic hash function and symmetric key encryption-decryption in the proposed scheme. Our scheme provides strong authentication, and also supports biometrics & password change phase by a legitimate user at any time locally, and dynamic server addition phase. We perform the formal security verification using the broadly-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to show that the presented scheme is secure. In addition, we use the formal security analysis using the Burrows-Abadi-Needham (BAN) logic along with random oracle models and prove that our scheme is secure against different known attacks. High security and significantly low computation and communication costs make our scheme is very suitable for multi-server environments as compared to other existing related schemes.

Secure Biometric-Based Authentication Scheme Using Chebyshev Chaotic Map for Multi-Server Environment

LAM-CIoT: Lightweight authentication mechanism in cloud-based IoT environment

In a distributed environment, a fundamental concern is authentication of local and remote users in insecure communication networks. Absolutely, legitimate users are more powerful attackers, since they possess internal system information not available to an intruder. Therefore many remote user authentication schemes for distributed systems have been proposed. These schemes claimed that they could resist various attacks. However, they were found to have some weaknesses later. Lee et al . proposed a secure dynamic ID-based remote user authentication scheme for the multi-server environment using smart cards and claimed that their scheme could protect against masquerade attacks, server spoofing attack, registration server spoofing attack and insider attack. In this study, the authors show that Lee et al .'s scheme is still vulnerable to password guessing attack, server spoofing attack and masquerade attack. To propose a viable authentication scheme for distributed systems, we remedy the flaws of Lee et al .'s scheme and propose an efficient improvement over Lee et al .'s scheme. Furthermore, we compare the proposed scheme with related ones to prove that the computation cost, security and efficiency of the proposed scheme are well suitable for practical applications in a distributed system.

Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.'s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.'s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.'s protocol is still susceptible to the trace attack. Besides, Liao et al.'s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As the mobile networks are springing up, mobile devices become a must gadget in our daily life. People can easily access Internet application services anytime and anywhere via the hand-carried mobile devices. Most of modern mobile devices are equipped with a GPS module, which can help get the real-time location of the mobile device. In this paper, we propose a novel authentication scheme which exploits volatile passwords - One-Time Passwords (OTPs) based on the time and location information of the mobile device to transparently and securely authenticate users while accessing Internet services, such as online banking services and e-commerce transactions. Compared to a permanent password base scheme, an OTP based one can prevent users from being eavesdropped. In addition to a memoryless feature, the scheme restricts the validness of the OTP password not only in a certain time period but also in a tolerant geometric region to increase the security protection. However, if a legitimate user is not in the anticipated tolerant region, the user may fail to be authenticated. Hence, a Short Message Service (SMS) based mutual authentication mechanism is also proposed in the article to supplement the unexpected misjudgement. The proposed method with a volatile time/location-based password features more secure and more convenient for user authentication.

Design of a time and location based One-Time Password authentication scheme

In modern, wireless sensor networks (WSNs) stand for the next evolutionary and innovative development step in utilities, industrial, building, home, shipboard, and transportation systems automation. The feature of WSNs is easy to deploy and has wide range of applications. Therefore, in distributed and unattended locations, WSNs are deployed to allow a legitimated user to login to the network and access data. Consequently, the authentication between users and sensor nodes has become one of the important security issues. In 2009, M. L. Das proposed a two-factor authentication for WSNs. Based on one-way hash function and exclusive-OR operation, the scheme is well-suited for resource constrained environments. Later, Khan and Algahathbar pointed out the flaws and vulnerabilities of Das's scheme and proposed an alternative scheme. However, Vaidya et al. found that both Das's and Khan–Algahathbar's schemes are vulnerable to various attacks including stolen smart card attacks. Further, Vaidya et al. proposed an improved two-factor user authentication to overcome the security weakness of both schemes. In this paper, we show that Vaidya et al.'s scheme still exposes to a malicious insider attack that seriously threatens the security of WSNs. Furthermore, we propose an improve scheme that mends those vulnerabilities.

Wen-Bin Hsieh

Papers

Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

Design of a time and location based One-Time Password authentication scheme

A Robust User Authentication Scheme Using Dynamic Identity in Wireless Sensor Networks

Exploiting hash functions to intensify the remote user authentication scheme