
Showing papers on "Data Authentication Algorithm published in 2008"


Journal ArticleDOI
TL;DR: A general analysis and design framework for authentication at the physical layer where the authentication information is transmitted concurrently with the data by superimposing a carefully designed secret modulation on the waveforms is introduced.
Abstract: Authentication is the process where claims of identity are verified. Most mechanisms of authentication (e.g., digital signatures and certificates) exist above the physical layer, though some (e.g., spread-spectrum communications) exist at the physical layer, often with an additional cost in bandwidth. This paper introduces a general analysis and design framework for authentication at the physical layer where the authentication information is transmitted concurrently with the data. By superimposing a carefully designed secret modulation on the waveforms, authentication is added to the signal without requiring the additional bandwidth that spread-spectrum methods do. The authentication is designed to be stealthy to the uninformed user, robust to interference, and secure for identity verification. The tradeoffs between these three goals are identified and analyzed in block fading channels. The use of the authentication for channel estimation is also considered, and an improved bit-error rate is demonstrated for time-varying channels. Finally, simulation results are given that demonstrate the potential application of this authentication technique.

236 citations


01 Aug 2008
TL;DR: This document specifies the EAP key hierarchy and provides a framework for the transport and usage of keying material generated by EAP authentication algorithms, known as "methods", and also provides a system-level security analysis.
Abstract: The Extensible Authentication Protocol (EAP), defined in [RFC3748], enables extensible network access authentication. This document specifies the EAP key hierarchy and provides a framework for the transport and usage of keying material generated by EAP authentication algorithms, known as "methods". It also provides a system-level security analysis.

182 citations


Book ChapterDOI
08 Apr 2008
TL;DR: In this article, the authors investigate the notion of aggregate message authentication codes (MACs) which have the property that multiple MAC tags, computed by (possibly) different senders on multiple (possibly different) messages, can be aggregated into a shorter tag that can still be verified by a recipient who shares a distinct key with each sender.
Abstract: We propose and investigate the notion of aggregate message authentication codes (MACs) which have the property that multiple MAC tags, computed by (possibly) different senders on multiple (possibly different) messages, can be aggregated into a shorter tag that can still be verified by a recipient who shares a distinct key with each sender. We suggest aggregate MACs as an appropriate tool for authenticated communication in mobile ad-hoc networks or other settings where resource-constrained devices share distinct keys with a single entity (such as a base station), and communication is an expensive resource.

166 citations
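The aggregate-MAC abstract above fixes the interface (many senders, distinct keys, one short tag) but not the construction. The block below is an added example, not code from the paper: it uses HMAC-SHA256 truncated to 16 bytes as each sender's MAC and XOR of the tags as the aggregation (the construction the Katz-Lindell paper analyses), and binds the sender identity into each tag so that two senders' messages cannot be swapped. The sensor names, keys and readings are constructed.

```python
import hmac
import hashlib

# Added example, not the paper's code. Assumed: HMAC-SHA256 truncated to
# TAG_LEN bytes as the per-sender MAC, XOR of tags as the aggregation, and the
# sender identity mixed into each tag so a swap of two senders' messages is caught.
TAG_LEN = 16

def sender_tag(key, sender_id, msg):
    return hmac.new(key, sender_id.encode() + b"\x00" + msg, hashlib.sha256).digest()[:TAG_LEN]

def aggregate(tags):
    """Fold any number of tags into one tag of the same length (order-independent)."""
    agg = bytearray(TAG_LEN)
    for t in tags:
        for i, b in enumerate(t):
            agg[i] ^= b
    return bytes(agg)

def verify_aggregate(keys, reports, agg):
    """Base-station check. `keys` maps sender_id -> key; `reports` lists the
    (sender_id, msg) pairs whose tags were folded into `agg`.
    Distinct pairs are required: under XOR two copies of the same pair
    contribute nothing, so an attacker could append them unnoticed."""
    if len(set(reports)) != len(reports):
        return False
    try:
        expected = aggregate(sender_tag(keys[sid], sid, m) for sid, m in reports)
    except KeyError:
        return False  # unknown sender
    return hmac.compare_digest(expected, agg)

def demo_aggregate():
    # constructed: four sensors, each sharing a distinct key with the base station
    keys = {f"sensor{i}": hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(4)}
    reports = [(sid, b"temp=%d" % (20 + i)) for i, sid in enumerate(sorted(keys))]
    # each sensor tags its own report; relays fold tags together as they forward
    agg = aggregate(sender_tag(keys[sid], sid, m) for sid, m in reports)
    ok = verify_aggregate(keys, reports, agg)
    tampered = [(sid, b"temp=99") if sid == "sensor2" else (sid, m) for sid, m in reports]
    bad = verify_aggregate(keys, tampered, agg)
    swapped = [(reports[1][0], reports[0][1]), (reports[0][0], reports[1][1])] + reports[2:]
    swapped_ok = verify_aggregate(keys, swapped, agg)
    return ok, bad, swapped_ok, len(agg)
```

The communication saving is the point: four 16-byte tags become one 16-byte tag, and relays need no keys to fold them. The cost is at the verifier, which must recompute every sender's tag, and in error handling: a failed aggregate check says only that at least one report is bad, not which one.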


Proceedings ArticleDOI
24 Oct 2008
TL;DR: This paper proposes an efficient delayed data authentication using compound message authentication codes, calculated on a compound of successive messages and sent together with the subsequent messages, resulting in a delayed authentication.
Abstract: Modern vehicles contain an in-vehicle network consisting of a number of electronic control units (ECUs). These ECUs are responsible for most of the functionality in the vehicle, including vehicle control and maneuverability. To date, no security features exist in this network since it has been isolated. However, an upcoming trend among automobile manufacturers is to establish a wireless connection to the vehicle to provide remote diagnostics and software updates. As a consequence, the in-vehicle network is exposed to external communication, and a potential entry point for attackers is introduced. Messages sent on the in-vehicle network lack integrity protection and data authentication; thus, the network is vulnerable to injection and modification attacks. Due to the real-time constraints and the limited resources in the ECUs, achieving data authentication is a challenge. In this paper, we propose an efficient delayed data authentication using compound message authentication codes. A message authentication code is calculated on a compound of successive messages and sent together with the subsequent messages, resulting in a delayed authentication. This data authentication could be used to detect and possibly recover from injection and modification attacks in the in-vehicle network.

153 citations
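The in-vehicle abstract above describes the mechanism in one sentence: a MAC is computed over a compound of successive frames and carried by a later frame. The block below is an added example, not the paper's code, showing both ECUs' sides of that exchange on constructed CAN-style frames. Assumed parameters: a compound of N = 4 frames, HMAC-SHA256 truncated to 4 bytes so the tag fits beside a later payload, and a compound counter mixed into the MAC, which the abstract does not mention but which is needed so that a captured compound and its tag cannot be replayed as a unit.

```python
import hmac
import hashlib

# Added example, not the paper's code. Constructed parameters: 11-bit CAN
# identifiers, short payloads, a compound of N = 4 successive frames, and
# HMAC-SHA256 truncated to TAG_LEN bytes. The compound counter is an
# addition beyond the abstract: it stops replay of a whole compound plus tag.
N = 4
TAG_LEN = 4
KEY = bytes(range(16))  # constructed key shared by the two ECUs

def compound_tag(key, index, frames):
    """MAC over compound number `index`: the N successive (id, payload) frames."""
    h = hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256)
    for can_id, payload in frames:
        h.update(can_id.to_bytes(2, "big") + bytes([len(payload)]) + payload)
    return h.digest()[:TAG_LEN]

class Sender:
    def __init__(self, key):
        self.key, self.buf, self.pending, self.count = key, [], None, 0

    def send(self, can_id, payload):
        """Return the bus frame (id, payload, tag). The tag, when present,
        authenticates the previous compound and rides with this later frame:
        that is the delay the paper describes."""
        tag, self.pending = self.pending, None
        self.buf.append((can_id, payload))
        if len(self.buf) == N:
            self.pending = compound_tag(self.key, self.count, self.buf)
            self.count += 1
            self.buf = []
        return (can_id, payload, tag)

class Receiver:
    def __init__(self, key):
        self.key, self.buf, self.awaiting, self.results = key, [], [], []

    def receive(self, frame):
        """Deliver the payload at once (real-time constraint) and record the
        verdict for each compound when its tag finally arrives."""
        can_id, payload, tag = frame
        if tag is not None:
            index = len(self.results)
            if self.awaiting:
                frames = self.awaiting.pop(0)
                ok = hmac.compare_digest(tag, compound_tag(self.key, index, frames))
            else:
                ok = False  # a tag with nothing to authenticate: treat as injected
            self.results.append((index, ok))
        self.buf.append((can_id, payload))
        if len(self.buf) == N:
            self.awaiting.append(self.buf)
            self.buf = []
        return payload

def run_bus(modify_frame=None):
    """Stream 12 constructed frames from ECU A to ECU B, optionally letting an
    attacker rewrite the payload of frame number `modify_frame` on the bus.
    Returns [(compound index, verified?)] as recorded by the receiver."""
    tx, rx = Sender(KEY), Receiver(KEY)
    for i in range(12):
        can_id, payload, tag = tx.send(0x0C1, bytes([i, 0x10 + i]))
        if i == modify_frame:
            payload = b"\xff\xff"  # injected/modified value
        rx.receive((can_id, payload, tag))
    # one more frame so the tag for the last complete compound is delivered
    rx.receive(tx.send(0x0C1, b"\x00"))
    return rx.results
```

Two practical consequences follow from the trace. A modification is detected only after N further frames plus the frame that carries the tag, so the receiver has already acted on the data; the "detect and possibly recover" in the abstract means the application must be able to roll back or degrade. And a 4-byte tag gives a forger a 2^-32 chance per attempt, which is acceptable only if the receiver rate-limits or alarms on failed compounds.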


01 Aug 2008
TL;DR: EAP-TTLS allows legacy password-based authentication protocols to be used against existing authentication databases, while protecting the security of these legacy protocols against eavesdropping, man-in-the-middle, and other attacks.
Abstract: EAP-TTLS is an EAP (Extensible Authentication Protocol) method that encapsulates a TLS (Transport Layer Security) session, consisting of a handshake phase and a data phase. During the handshake phase, the server is authenticated to the client (or client and server are mutually authenticated) using standard TLS procedures, and keying material is generated in order to create a cryptographically secure tunnel for information exchange in the subsequent data phase. During the data phase, the client is authenticated to the server (or client and server are mutually authenticated) using an arbitrary authentication mechanism encapsulated within the secure tunnel. The encapsulated authentication mechanism may itself be EAP, or it may be another authentication protocol such as PAP, CHAP, MS-CHAP, or MS- CHAP-V2. Thus, EAP-TTLS allows legacy password-based authentication protocols to be used against existing authentication databases, while protecting the security of these legacy protocols against eavesdropping, man-in-the-middle, and other attacks. The data phase may also be used for additional, arbitrary data exchange. This memo provides information for the Internet community.

131 citations


Journal ArticleDOI
TL;DR: This scheme uses an elliptic-curve-cryptosystem based trust delegation mechanism to generate a delegation passcode for mobile station authentication, and it can effectively defend against all known attacks on mobile networks, including the denial-of-service attack.
Abstract: This paper proposes an efficient authentication scheme, which is suitable for low-power mobile devices. It uses an elliptic-curve-cryptosystem based trust delegation mechanism to generate a delegation passcode for mobile station authentication, and it can effectively defend against all known attacks on mobile networks, including the denial-of-service attack. Moreover, the mobile station only needs to receive one message and send one message to authenticate itself to a visitor location register, and the scheme only requires a single elliptic-curve scalar point multiplication on the mobile device. Therefore, this scheme enjoys both computation efficiency and communication efficiency as compared to known mobile authentication schemes.

105 citations


Patent
04 Aug 2008
TL;DR: In this article, a method and apparatus for a third party authentication server is described, which includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with the user's public key by the server.
Abstract: A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user's public key by the server. The method further includes receiving the user's authentication data from the client, and determining if the user's authentication data matches the record ID. If the authentication data matches the record ID, decrypting the one-time key with the user's private key, and returning the decrypted one-time key to the client.

83 citations


Patent
31 Dec 2008
TL;DR: In this patent, a one-time passcode is embedded in the message automatically, and a one-time key can also be used to encrypt the message, providing transmission security for e-commerce with wireless and mobile devices and avoiding information compromise during wireless transmission.
Abstract: The present invention provides computer-enabled certification and authentication in, for example, e-commerce with wireless and mobile devices. The present authentication method offers ease of operation by automatically embedding a one-time passcode in the message without sender input. A one-time key can also be used to encrypt the message, further providing transmission security. In addition, sensitive information and the one-time passcode generator are pre-arranged and stored at both sender and receiver devices, avoiding information compromise during wireless transmission.

81 citations


Journal Article
TL;DR: A new remote user authentication scheme, a modified form of the Shen-Lin-Hwang scheme, is presented; it can withstand attacks similar to Chan and Cheng's attack and Chang and Hwang's attack in the registration phase and the authentication phase.
Abstract: In 1981, Lamport proposed the first well-known remote password authentication scheme using smart cards. A number of remote password authentication schemes with smart cards have been presented since then. Recently Shen, Lin and Hwang pointed out a different type of attack on this scheme and presented a modified scheme to remove these defects. In this paper we present a new remote user authentication scheme which is a modified form of the Shen-Lin-Hwang scheme. In this scheme the password is controlled by the user and can be changed at any time. The scheme can withstand attacks similar to Chan and Cheng's attack and Chang and Hwang's attack in the registration phase and the authentication phase.

78 citations


Journal ArticleDOI
TL;DR: A new secure authentication and key agreement mechanism based on certificateless public-key cryptography (CL-PKC), named SAKA, between two previously unknown parties, which provides stronger security assurances for SIP authentication and media streams, and is provably secure in the CK security model.

73 citations


Journal ArticleDOI
TL;DR: This correspondence analyzes security effects of using a key obtained from QC for authentication purposes in later rounds of QC and suggests a simple solution to this problem, and stresses usage of this or an equivalent extra security measure in QC.
Abstract: Unconditionally secure message authentication is an important part of quantum cryptography (QC). In this correspondence, we analyze security effects of using a key obtained from QC for authentication purposes in later rounds of QC. In particular, the eavesdropper gains partial knowledge on the key in QC that may have an effect on the security of the authentication in the later round. Our initial analysis indicates that this partial knowledge has little effect on the authentication part of the system, in agreement with previous results on the issue. However, when taking the full QC protocol into account, the picture is different. By accessing the quantum channel used in QC, the attacker can change the message to be authenticated. This, together with partial knowledge of the key, does incur a security weakness of the authentication. The underlying reason for this is that the authentication used, which is insensitive to such message changes when the key is unknown, becomes sensitive when used with a partially known key. We suggest a simple solution to this problem, and stress usage of this or an equivalent extra security measure in QC.

Patent
Wael M. Ibrahim
28 Jan 2008
TL;DR: In this patent, an authentication server comprises one or more processors and a memory module communicatively connected to the processors; the memory module comprises logic instructions which, when executed on the processors, configure them to regulate access to a service in a communication network.
Abstract: In one embodiment an authentication server comprises one or more processors, and a memory module communicatively connected to the one or more processors. The memory module comprises logic instructions which, when executed on the one or more processors, configure the one or more processors to regulate access to a service in a communication network by performing operations comprising: receiving, in the authentication server, a first authentication token request for an authentication token, wherein the first authentication token request uniquely identifies a client computing device and a unique service; processing, in the authentication server, the first authentication token request; and transmitting an authentication token from the authentication token server to the client computing device when the first authentication token request is approved by the authentication server.

Patent
Paul A. McDaniel, Neil Shipp
27 Jun 2008
TL;DR: In this patent, the authors describe federated authentication in which a resource server has an authentication proxy component that performs authentication operations on behalf of a client; the proxy's authentication manager module, communicatively coupled to the authentication discovery module, retrieves authentication information from the identity server using an enhanced authentication protocol and authenticates the client to access resource services using that information.
Abstract: Techniques to perform federated authentication are described. An apparatus may comprise a resource server that has an authentication proxy component to perform authentication operations on behalf of a client. The authentication proxy component comprises an authentication handling module operative to receive an authentication request to authenticate the client using a basic authentication protocol. The authentication proxy component also comprises an authentication discovery module communicatively coupled to the authentication handling module, the authentication discovery module operative to discover an identity server for the client. The authentication proxy component further comprises an authentication manager module communicatively coupled to the authentication discovery module, the authentication manager module operative to retrieve authentication information from the identity server using an enhanced authentication protocol, and authenticate the client to access resource services using the authentication information. Other embodiments are described and claimed.

Patent
Toshiyuki Isshiki
21 May 2008
TL;DR: In this paper, an anonymous authentication system consisting of a group management device, an authentication-subjected user device, a verification device and an authentication subjected user identification device is described.
Abstract: A disclosed anonymous authentication system comprises a group management device, an authentication-subjected user device, a verification device and an authentication-subjected user identification device. A user previously registers a verification key in the group management device such that his signature can be verified. For authentication, the user generates his or her own signature using the authentication-subjected user device, and encrypts the signature using an encryption key of the group to generate authentication data. The verification device authenticates the signature in collaboration with a verification assistant who has a decryption key of the group. The authentication-subjected user identification device that has the decryption key of the group decrypts the authentication data as required to identify a user who is to be authenticated.

Proceedings ArticleDOI
08 Dec 2008
TL;DR: In this article, a new secure authentication scheme called predicate-based authentication service (PAS) is proposed, which is based on the concept of a predicate for authentication, which can simultaneously achieve a desired level of security and user friendliness.
Abstract: Securely authenticating a human user without assistance from any auxiliary device in the presence of powerful passive adversaries is an important and challenging problem. Passive adversaries are those that can passively monitor, intercept, and analyze every part of the authentication procedure, except for an initial secret shared between the user and the server. In this paper, we propose a new secure authentication scheme called predicate-based authentication service (PAS). In this scheme, for the first time, the concept of a predicate is introduced for authentication. We conduct analysis on the proposed scheme and implement its prototype system. Our analytical data and experimental data illustrate that the PAS scheme can simultaneously achieve a desired level of security and user friendliness.

Journal ArticleDOI
TL;DR: This paper identifies two effective attacks, namely a de-synchronization attack and a full-disclosure attack, against a family of ultra-lightweight RFID mutual authentication protocols, LMAP, M2AP and EMAP, recently proposed by Peris-Lopez et al.
Abstract: In this paper, we analyze the security vulnerabilities of a family of ultra-lightweight RFID mutual authentication protocols: LMAP, M2AP and EMAP, recently proposed by Peris-Lopez et al. We identify two effective attacks, namely a de-synchronization attack and a full-disclosure attack, against their protocols. The former permanently disables the authentication capability of an RFID tag by destroying synchronization between the tag and the RFID reader. It can be carried out in just a single round of interaction in the authentication protocols. The latter completely compromises a tag by extracting all the secret information stored in the tag. It is accomplished across several runs of the protocols. Moreover, we point out potential countermeasures to improve the security of the above protocols.

Patent
07 Apr 2008
TL;DR: In this article, the MashSSL protocol is used to provide a secure and efficient way for delegated authentication, where services which already have an SSL infrastructure can reuse that infrastructure for this purpose, and do so in a fashion where the cryptographic overhead is amortized across multiple users.
Abstract: The present invention provides a method that allows the MashSSL protocol to be used to provide a secure and efficient way for delegated authentication. The invention allows services which already have an SSL infrastructure to reuse that infrastructure for delegated authentication, and to do so in a fashion where the cryptographic overhead is amortized across multiple users, and which provides the user with greater control of what information is shared on their behalf.

Patent
17 Apr 2008
TL;DR: In this article, a two-factor authentication for terminal services is described, where a client receives an authentication token from an authentication server and uses the authentication token as a factor for authenticating the client to a terminal services device.
Abstract: Techniques for enabling two-factor authentication for terminal services are described. A client receives an authentication token from an authentication server. The authentication token is used as a factor for authenticating the client to a terminal services device. Native authentication of the client is also performed.

Book ChapterDOI
07 Jul 2008
TL;DR: In this article, a new hybrid protocol for cryptographically secure biometric authentication is proposed, which takes advantage of state-of-the-art identification classifiers, which provide not only better accuracy, but also the possibility to perform authentication without knowing who the user claims to be.
Abstract: We propose a new hybrid protocol for cryptographically secure biometric authentication. The main advantages of the proposed protocol over previous solutions can be summarised as follows: (1) potential for much better accuracy using different types of biometric signals, including behavioural ones; and (2) improved user privacy, since user identities are not transmitted at any point in the protocol execution. The new protocol takes advantage of state-of-the-art identification classifiers, which provide not only better accuracy, but also the possibility to perform authentication without knowing who the user claims to be. Cryptographic security is based on the Paillier public key encryption scheme.

Journal ArticleDOI
TL;DR: Based on the elliptic curve cryptosystem, an efficient user authentication scheme for grid computing is proposed that only requires a one-way hash function and server private key, which makes it more simple.
Abstract: The security issue has become an important concern of grid computing. To prevent the grid resources from being illegally accessed, strong mutual authentication is needed between user and server. In this paper, based on the elliptic curve cryptosystem, we propose an efficient user authentication scheme for grid computing. The proposed scheme only requires a one-way hash function and the server's private key, which keeps it simple.

Patent
12 Nov 2008
TL;DR: In this patent, a method for offline DRM authentication and a system thereof are described, relating to the information security field, in order to solve the problem that a license must be requested from the server in the process of DRM authentication.
Abstract: A method for offline DRM authentication and a system thereof relate to the information security field. In order to solve the problem that a license must be requested from the server in the process of DRM authentication, the invention provides a method for offline DRM authentication, in which a content provider encrypts the data file according to the DRM standard and stores the internal information in an authentication device; the authentication device is connected to the local computer, and the software program on the local computer opens and reads the data file. In the system for offline DRM authentication, the system comprises an authentication device, a client PC and the content provider side, and the authentication device comprises the DRM service module and the authentication communication module. Compared with the prior art, the present invention allows the user to use the DRM-protected information without a network connection.

Journal ArticleDOI
TL;DR: This paper introduces a fully deniable e-mail authentication service that can be easily integrated into the current PGP and S/MIME to provide message authentication without non-repudiation evidence.
Abstract: Secure electronic mail (e-mail), such as PGP and S/MIME, uses digital signature to provide message authentication, which also provides the undesired non-repudiation evidence of the message sender. In this paper, we introduce a fully deniable e-mail authentication service. Our design can be easily integrated into the current PGP and S/MIME to provide message authentication without non-repudiation evidence. This feature can protect personal privacy of the message sender in most personal communication.

Patent
James P. Schneider
29 May 2008
TL;DR: In this patent, a client requests an authentication challenge from a server, and the server generates the authentication challenge and sends it to the client; the challenge includes the authentication context identifier, a random string, a timestamp, and a signature value.
Abstract: An apparatus and a method for an authentication protocol. In one embodiment, a client requests an authentication challenge from a server. The server generates the authentication challenge and sends it to the client. The authentication challenge includes the authentication context identifier, a random string, a timestamp, and a signature value. The client computes a salt value based on a username and the authentication context identifier from the authentication challenge. The signature value is computed based on the authentication context identifier, the random string, and the timestamp. The client computes a hashed password value based on the computed salt value, and a message authentication code based on the hashed password value and the random string. The client sends a response to the server. The response includes the username, the message authentication code, the random string, the timestamp, and the signature value.
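The abstract above fixes exactly which fields travel in each direction but says nothing about the primitives or about how the server checks the response. The block below is an added example, not the patent's code, carrying the exchange through with both sides and with these assumptions: SHA-256 for the salt and hashed password, HMAC-SHA256 under a server-only key for the challenge signature and under the hashed password for the client's MAC, a 60 s freshness window on the timestamp, and a cache of consumed random strings so a captured response cannot be replayed inside that window. The username, password and context identifier are constructed.

```python
import hmac
import hashlib
import os
import time

# Added example, not the patent's code. Assumed primitives: SHA-256 for salt and
# hashed password, HMAC-SHA256 for the challenge signature (server-only key) and
# for the client MAC, a 60 s freshness window, and a used-nonce cache.

def _h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

class Server:
    def __init__(self, users, now=time.time):
        self.sig_key = os.urandom(32)   # never leaves the server
        self.ctx = b"acme-sso-v1"       # authentication context identifier (constructed)
        self.now = now
        self.seen = set()
        # Enrollment stores the same salted hash the client will derive, so the
        # clear password is never kept. The stored value is still password-
        # equivalent for this protocol and must be protected accordingly.
        self.db = {u: _h(_h(u.encode(), self.ctx), pw.encode()) for u, pw in users.items()}

    def challenge(self):
        rnd = os.urandom(16)
        ts = int(self.now()).to_bytes(8, "big")
        sig = hmac.new(self.sig_key, self.ctx + rnd + ts, hashlib.sha256).digest()
        return {"ctx": self.ctx, "rnd": rnd, "ts": ts, "sig": sig}

    def verify(self, resp, max_age=60):
        # 1. the echoed challenge must be one this server issued, unmodified
        sig = hmac.new(self.sig_key, self.ctx + resp["rnd"] + resp["ts"], hashlib.sha256).digest()
        if not hmac.compare_digest(sig, resp["sig"]):
            return False
        # 2. fresh, and not already consumed
        if abs(self.now() - int.from_bytes(resp["ts"], "big")) > max_age or resp["rnd"] in self.seen:
            return False
        # 3. MAC under the stored salted password hash
        hp = self.db.get(resp["user"])
        if hp is None:
            return False
        expected = hmac.new(hp, resp["rnd"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["mac"]):
            return False
        self.seen.add(resp["rnd"])
        return True

def client_respond(username, password, chal):
    salt = _h(username.encode(), chal["ctx"])
    hashed_pw = _h(salt, password.encode())
    mac = hmac.new(hashed_pw, chal["rnd"], hashlib.sha256).digest()
    return {"user": username, "mac": mac, "rnd": chal["rnd"], "ts": chal["ts"], "sig": chal["sig"]}

def run_protocol():
    srv = Server({"alice": "correct horse"})
    chal = srv.challenge()
    resp = client_respond("alice", "correct horse", chal)
    good = srv.verify(resp)
    replayed = srv.verify(resp)                                   # same response again
    wrong_pw = srv.verify(client_respond("alice", "wrong", srv.challenge()))
    forged = dict(srv.challenge(), rnd=b"\x00" * 16)              # attacker-chosen random string
    forged_ok = srv.verify(client_respond("alice", "correct horse", forged))
    return good, replayed, wrong_pw, forged_ok
```

Signing the challenge is what lets the server stay stateless about outstanding challenges: the client hands the challenge back and the signature proves it was issued here and not altered. The timestamp bounds how long a challenge stays usable, and the nonce cache closes the replay window that a purely stateless check leaves open.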

Patent
14 Aug 2008
TL;DR: In this patent, a super-peer-based P2P network system and a peer authentication method are provided; the authentication method includes a first authentication process and a second authentication process.
Abstract: Provided are a super-peer-based P2P network system and a peer authentication method thereof. The authentication method includes a first authentication process and a second authentication process. In the first authentication process, a user and a peer which want to use a P2P network are verified by submitting authentication information and a public key infrastructure (PKI) certificate, and receive permission to connect. In the second authentication process, a user and a peer requesting the use of a specific service are authenticated by using an authentication ticket, and the service access-permitted time is limited in order to reinforce the security of the specific service, which is searched for in the P2P network and provided by the peer. Accordingly, service providers can verify users more securely and limit the service-available time of each user with respect to a specific service provided by the peer by using the lifetime of the ticket.

Book ChapterDOI
21 Apr 2008
TL;DR: The proposed protocol is a dynamic ID-based mutual authentication protocol designed to meet requirements of both indistinguishability and forward security by ensuring the unlinkability of tag responses among sessions.
Abstract: The recently proposed Radio Frequency Identification (RFID) authentication protocol based on a hashing function can be divided into two types according to the type of information used for authentication between a reader and a tag: either a value fixed or one updated dynamically in a tag. In this study we classify the RFID authentication protocol into a static ID-based and a dynamic-ID based protocol and then analyze their respective strengths and weaknesses and the previous protocols in the static/dynamic ID-based perspectives. Also, we define four security requirements that must be considered in designing the RFID authentication protocol including mutual authentication, confidentiality, indistinguishability and forward security. Based on these requirements, we suggest a secure and efficient mutual authentication protocol. The proposed protocol is a dynamic ID-based mutual authentication protocol designed to meet requirements of both indistinguishability and forward security by ensuring the unlinkability of tag responses among sessions. Thus, the protocol can provide more strengthened user privacy compared to previous protocols and recognizes a tag efficiently in terms of the operation quantity of tags and database.

Journal ArticleDOI
TL;DR: A novel tag authentication scheme is proposed that uses a self-shrinking generator (SSG) to encrypt the Tag-ID transmitted from tag to reader and thereby authenticates the tag; the aim is a lightweight authentication scheme secure against some network attacks.
Abstract: Since communications between tag and reader in an RFID system are by radio, anyone can access the tag and obtain any of its information. And a tag always replies with the same ID, so that it is hard to distinguish between a real and a fake tag. Thus, there are many security problems in today's RFID systems. Firstly, an unauthorized reader can easily read the ID information of any tag. Secondly, an adversary can easily cheat the legitimate reader using the collected tag ID information, like any legitimate tag. These security problems can typically be solved by encryption of messages transmitted between tag and reader and by authentication of the tag. In this paper, to solve these security problems in RFID systems, we propose a tag authentication scheme based on the self-shrinking generator (SSG). The SSG algorithm used in our scheme was proposed by W. Meier and O. Staffelbach at EUROCRYPT '94. This algorithm consists of only one LFSR and selection logic in order to generate a random stream. Thus it is optimized for implementing the hardware logic on devices with extremely limited resources, and the output generated from the SSG at each time plays the role of a random stream, which allows us to design a lightweight authentication scheme with security against some network attacks. Therefore, we propose a novel tag authentication scheme which uses the SSG to encrypt the Tag-ID transmitted from tag to reader and achieves authentication of the tag.
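The abstract above names the primitive (the Meier-Staffelbach self-shrinking generator: one LFSR whose output is taken in pairs, emitting the second bit of a pair only when the first bit is 1) and the use (XOR the Tag-ID with the resulting stream). The block below is an added example, not the paper's code: the LFSR feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, the seed and the 96-bit Tag-ID are constructed choices; the paper's actual parameters are not given on this page.

```python
# Added example, not the paper's code. Constructed: a 16-bit Fibonacci LFSR
# with polynomial x^16 + x^14 + x^13 + x^11 + 1 (primitive, period 2^16 - 1),
# a seed shared by tag and reader, and a 96-bit EPC-style Tag-ID.

def lfsr_stream(seed, taps=(0, 2, 3, 5), nbits=16):
    """Yield LFSR output bits; taps are the shift positions for the polynomial above."""
    state = seed & ((1 << nbits) - 1)
    assert state != 0, "the all-zero LFSR state never leaves zero"
    while True:
        yield state & 1
        fb = 0
        for t in taps:
            fb ^= (state >> t) & 1
        state = (state >> 1) | (fb << (nbits - 1))

def self_shrinking(bits):
    """Meier-Staffelbach rule: from each pair (a, b) of LFSR bits output b iff a == 1.
    On average one output bit per four LFSR steps, irregularly spaced."""
    while True:
        a = next(bits)
        b = next(bits)
        if a:
            yield b

def keystream_bytes(seed, n):
    ssg = self_shrinking(lfsr_stream(seed))
    out = bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | next(ssg)
        out.append(byte)
    return bytes(out)

def encrypt_tag_id(seed, tag_id):
    """XOR the Tag-ID with the SSG stream; the same call decrypts."""
    ks = keystream_bytes(seed, len(tag_id))
    return bytes(x ^ k for x, k in zip(tag_id, ks))

def demo_ssg():
    seed = 0xACE1                                            # constructed shared secret
    tag_id = bytes.fromhex("e2000017221101441890a3f1")       # constructed 96-bit Tag-ID
    ct = encrypt_tag_id(seed, tag_id)                        # what the tag transmits
    recovered = encrypt_tag_id(seed, ct)                     # reader with the same seed
    return ct != tag_id, recovered == tag_id
```

The check a practitioner would add: with a fixed seed the tag transmits the same ciphertext in every session, which makes it trackable and replayable just like a clear ID, and two different IDs encrypted under one seed leak their XOR. The stream only behaves as the "random stream" the abstract relies on if tag and reader advance or reseed it per session, which in turn brings in the synchronization problem analysed for LMAP/M2AP/EMAP elsewhere on this page.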

Patent
26 Dec 2008
TL;DR: In this article, the authors proposed an authentication access method and authentication access system for wireless multi-hop network, where the coordinator broadcasts a beacon frame, and the terminal equipment selects an authentication and key management suite and transmits a connecting request command to the coordinator.
Abstract: Authentication access method and authentication access system for a wireless multi-hop network. Terminal equipment and the coordinator have the capability of port control; the coordinator broadcasts a beacon frame, and the terminal equipment selects an authentication and key management suite and transmits a connecting request command to the coordinator. The coordinator performs authentication with the terminal equipment according to the authentication and key management suite selected by the terminal equipment and, once authentication succeeds, transmits a connecting response command to the terminal equipment. The terminal equipment and the coordinator control the port according to the authentication result, so that authenticated access for the wireless multi-hop network is realized. The invention solves the security problem of the wireless multi-hop network authentication method.

Patent
08 Sep 2008
TL;DR: In this patent, an authentication scheme is proposed which can be built over existing transmission systems: by superimposing a carefully designed secret modulation on the waveforms, authentication is added to the signal without requiring additional bandwidth, and the authentication information (tag signal) is sent concurrently with the data (message signal).
Abstract: The subject authentication scheme encompasses a large family of authentication systems which may be built over existing transmission systems. By superimposing a carefully designed secret modulation on the waveforms, authentication is added to the signal without requiring additional bandwidth. The authentication information (tag signal) is sent concurrently with data (message signal). The authentication is designed to be stealthy to the uninformed user, robust to interference, and secure for identity verification. The tradeoffs between these three goals are identified and analyzed. The use of the authentication for channel estimation is also considered, and improved bit-error rates are demonstrated for time-varying channels. With a long enough authentication code word an authentication system is achieved with very slight data degradation. Additionally, by treating the authentication tag as a sequence of pilot symbols, the data recovery may be improved by the aware receiver.

Journal ArticleDOI
01 Jan 2008
TL;DR: In this paper, the quality of the authenticated media is optimized by allocating the authentication resources unequally across streamed packets based on their relative importance, thereby providing unequal authenticity protection, and the effectiveness of this approach is demonstrated through experimental results on different media types (image and video), different compression standards (JPEG, JPEG2000, and H.264), and different channels (wired with packet erasures and wireless with bit errors).
Abstract: The need for security services, such as confidentiality and authentication, has become one of the major concerns in multimedia communication applications, such as video on demand and peer-to-peer content delivery. Conventional data authentication cannot be directly applied for streaming media when an unreliable channel is used and packet loss may occur. This paper begins by reviewing existing end-to-end media authentication schemes, which can be classified into stream-based and content-based techniques. We then motivate and describe how to design authentication schemes for multimedia delivery that exploit the unequal importance of different packets. By applying conventional cryptographic hashes and digital signatures to the media packets, the system security is similar to that achievable in conventional data security. However, instead of optimizing packet verification probability, we optimize the quality of the authenticated media, which is determined by the packets that are received and able to be decoded and authenticated. The quality of the authenticated media is optimized by allocating the authentication resources unequally across streamed packets based on their relative importance, thereby providing unequal authenticity protection. The effectiveness of this approach is demonstrated through experimental results on different media types (image and video), different compression standards (JPEG, JPEG2000, and H.264), and different channels (wired with packet erasures and wireless with bit errors).

Patent
19 Aug 2008
TL;DR: In this patent, a user whose browser has stored authentication information for a web service in a first domain is authenticated to a web service in a second domain, the browser having been provided with computer program instructions for this purpose.
Abstract: A user using a browser having stored authentication information for a web service in a first domain is authenticated to a web service in a second domain. The browser is provided with computer program instructions causing the browser to transparently provide the stored authentication information to the service in the first domain, receive cross-domain authentication credentials from the service in the first domain, and provide the cross-domain authentication credentials to the service in the second domain. The service in the second domain validates the cross-domain authentication credentials. If the credentials validate, the service in the second domain transparently provides the user with authenticated access.