Showing papers on "Otway–Rees protocol published in 2014"

Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography.

Abstract: Wireless sensor networks (WSNs) consist of sensors, gateways and users. Sensors are widely distributed to monitor various conditions, such as temperature, sound, speed and pressure but they have limited computational ability and energy. To reduce the resource use of sensors and enhance the security of WSNs, various user authentication protocols have been proposed. In 2011, Yeh et al. first proposed a user authentication protocol based on elliptic curve cryptography (ECC) for WSNs. However, it turned out that Yeh et al.'s protocol does not provide mutual authentication, perfect forward secrecy, and key agreement between the user and sensor. Later in 2013, Shi et al. proposed a new user authentication protocol that improves both security and efficiency of Yeh et al.'s protocol. However, Shi et al.'s improvement introduces other security weaknesses. In this paper, we show that Shi et al.'s improved protocol is vulnerable to session key attack, stolen smart card attack, and sensor energy exhausting attack. In addition, we propose a new, security-enhanced user authentication protocol using ECC for WSNs.

Cost-Effective Scalable and Anonymous Certificateless Remote Authentication Protocol

Abstract: Existing anonymous remote authentication protocols to secure wireless body area networks (WBANs) raise challenges such as eliminating the need for distributing clients’ account information to the application providers and achieving forward security. This paper efficiently addresses these challenges by devising a scalable certificateless remote authentication protocol with anonymity and forward security for WBANs. Different from the previous protocols in this field, our protocol not only provides mutual authentication, session key establishment, anonymity, unlinkability, and nonrepudiation, but also achieves forward security, key escrow resilience, and scalability. Performance evaluation demonstrates that compared with the most efficient ID-based remote anonymous authentication protocol, our protocol reduces at least 52.6% and 17.6% of the overall running time and communication overhead, respectively, and the reduction in the computation cost and communication overhead achieves at least 73.8% and 55.8%, respectively, compared with up-to-date certificateless remote authentication protocol with anonymity.

Cryptanalysis and Improvement of Authentication and Key Agreement Protocols for Telecare Medicine Information Systems

Abstract: Recently, many authentication protocols have been presented using smartcard for the telecare medicine information system (TMIS). In 2014, Xu et al. put forward a two-factor mutual authentication with key agreement protocol using elliptic curve cryptography (ECC). However, the authors have proved that the protocol is not appropriate for practical use as it has many problems (1) it fails to achieve strong authentication in login and authentication phases; (2) it fails to update the password correctly in the password change phase; (3) it fails to provide the revocation of lost/stolen smartcard; and (4) it fails to protect the strong replay attack. We then devised an anonymous and provably secure two-factor authentication protocol based on ECC. Our protocol is analyzed with the random oracle model and demonstrated to be formally secured against the hardness assumption of computational Diffie-Hellman problem. The performance evaluation demonstrated that our protocol outperforms from the perspective of security, functionality and computation costs over other existing designs.

Security analysis and improvements of authentication and access control in the Internet of Things.

Abstract: Internet of Things is a ubiquitous concept where physical objects are connected over the internet and are provided with unique identifiers to enable their self-identification to other devices and the ability to continuously generate data and transmit it over a network Hence, the security of the network, data and sensor devices is a paramount concern in the IoT network as it grows very fast in terms of exchanged data and interconnected sensor nodes This paper analyses the authentication and access control method using in the Internet of Things presented by Jing et al (Authentication and Access Control in the Internet of Things In Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops, Macau, China, 18-21 June 2012, pp 588-592) According to our analysis, Jing et al's protocol is costly in the message exchange and the security assessment is not strong enough for such a protocol Therefore, we propose improvements to the protocol to fill the discovered weakness gaps The protocol enhancements facilitate many services to the users such as user anonymity, mutual authentication, and secure session key establishment Finally, the performance and security analysis show that the improved protocol possesses many advantages against popular attacks, and achieves better efficiency at low communication cost

A Secure RFID Authentication Protocol for Healthcare Environments Using Elliptic Curve Cryptosystem

Abstract: With the fast advancement of the wireless communication technology and the widespread use of medical systems, the radio frequency identification (RFID) technology has been widely used in healthcare environments. As the first important protocol for ensuring secure communication in healthcare environment, the RFID authentication protocols derive more and more attentions. Most of RFID authentication protocols are based on hash function or symmetric cryptography. To get more security properties, elliptic curve cryptosystem (ECC) has been used in the design of RFID authentication protocol. Recently, Liao and Hsiao proposed a new RFID authentication protocol using ECC and claimed their protocol could withstand various attacks. In this paper, we will show that their protocol suffers from the key compromise problem, i.e. an adversary could get the private key stored in the tag. To enhance the security, we propose a new RFID authentication protocol using ECC. Detailed analysis shows the proposed protocol not only could overcome weaknesses in Liao and Hsiao's protocol but also has the same performance. Therefore, it is more suitable for healthcare environments.

Cryptanalysis and Improvement of an Anonymous Authentication Protocol for Wireless Access Networks

Abstract: Authentication protocols with anonymity attracted wide attention since they could protect users' privacy in wireless communications. Recently, Hsieh and Leu proposed an anonymous authentication protocol based on elliptic curve Diffie---Hellman problem for wireless access networks and claimed their protocol could provide anonymity. However, by proposing a concrete attack, we point out that their protocol cannot provide user anonymity. To overcome its weakness, we propose an improved protocol. We also provide an analysis of our proposed protocol to prove its superiority, even though its computational cost is slightly higher.

An efficient authentication and key agreement protocol for 4G (LTE) networks

Abstract: Long Term Evolution (LTE) networks designed by 3rd Generation Partnership Project (3GPP) represent a widespread technology. LTE is mainly influenced by high data rates, minimum delay and the capacity due to scalable bandwidth and its flexibility. With the rapid and widespread use LTE networks, and increase the use in data/video transmission and Internet applications in general, accordingly, the challenges of securing and speeding up data communication in such networks is also increased. Authentication in LTE networks is very important process because most of the coming attacks occur during this stage. Attackers try to be authenticated and then launch the network resources and prevent the legitimate users from the network services. The basics of Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) are used in LTE AKA protocol which is called Evolved Packet System AKA (EPS-AKA) protocol to secure LTE network, However it still suffers from various vulnerabilities such as disclosure of the user identity, computational overhead, Man In The Middle (MITM) attack and authentication delay. In this paper, an Efficient EPS-AKA protocol (EEPS-AKA) is proposed to overcome those problems. The proposed protocol is based on the Simple Password Exponential Key Exchange (SPEKE) protocol. Compared to previous proposed methods, our method is faster, since it uses a secret key method which is faster than certificate-based methods, In addition, the size of messages exchanged between User Equipment (UE) and Home Subscriber Server (HSS) is reduced, this reduces authentication delay and storage overhead effectively. The automated validation of internet security protocols and applications (AVISPA) tool is used to provide a formal verification. Results show that the proposed EEPS-AKA is efficient and secure against active and passive attacks.

EasySMS: A Protocol for End-to-End Secure Transmission of SMS

Abstract: Nowadays, short message service (SMS) is being used in many daily life applications, including healthcare monitoring, mobile banking, mobile commerce, and so on. But when we send an SMS from one mobile phone to another, the information contained in the SMS transmit as plain text. Sometimes this information may be confidential like account numbers, passwords, license numbers, and so on, and it is a major drawback to send such information through SMS while the traditional SMS service does not provide encryption to the information before its transmission. In this paper, we propose an efficient and secure protocol called EasySMS, which provides end-to-end secure communication through SMS between end users. The working of the protocol is presented by considering two different scenarios. The analysis of the proposed protocol shows that this protocol is able to prevent various attacks, including SMS disclosure, over the air modification, replay attack, man-in-the-middle attack, and impersonation attack. The EasySMS protocol generates minimum communication and computation overheads as compared with existing SMSSec and PK-SIM protocols. On an average, the EasySMS protocol reduces 51% and 31% of the bandwidth consumption and reduces 62% and 45% of message exchanged during the authentication process in comparison to SMSSec and PK-SIM protocols respectively. Authors claim that EasySMS is the first protocol completely based on the symmetric key cryptography and retain original architecture of cellular network.

A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme

Abstract: Session initiation protocol SIP provides the basis for establishing the voice over internet protocol sessions after authentication and exchanging signaling messages. SIP is one of the significant and extensively used protocols in the multimedia protocol stack. Since the RFC2617 was put forth, numerous schemes for SIP authentication have been presented to overcome the flaws. Recently, in 2012, Tang and Liu proposed SIP based authentication protocol and claimed for eliminating the threats in Arshad and Ikram protocol. However the scheme can be made more robust by making further improvements, as the former scheme may come under a threat by adversaries through impersonating a server, given that the user password is compromised. We have proposed an improved protocol for SIP authentication by using elliptic curve cryptography that encounters the previous threat with enhanced security. The analysis shows that proposed scheme is suitable for applications with higher security requirements. Copyright © 2013 John Wiley & Sons, Ltd.

Cryptanalysis and improvement of an efficient mutual authentication RFID scheme based on elliptic curve cryptography

Abstract: Radio frequency identification (RFID) is a wireless technology for automatic identification and data capture. Security and privacy issues in the RFID systems have attracted much attention. Many approaches have been proposed to achieve the security and privacy goals. One of these approaches is RFID authentication protocols by which a server and tags can authorize each other through an intracity process. Recently, Chou proposed a RFID authentication protocol based on elliptic curve cryptography. However, this paper demonstrates that the Chou's protocol does not satisfy tag privacy, forward privacy and authentication, and server authentication. Based on these security and privacy problems, we also show that Chou's protocol is defenseless to impersonation attacks, tag cloning attacks and location tracking attacks. Therefore, we propose a more secure and efficient scheme, which does not only cover all the security flaws and weaknesses of related previous protocols, but also provides more functionality. We prove the security of the proposed improved protocol in the random oracle model.

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

Abstract: As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.'s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.'s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.'s protocol is still susceptible to the trace attack. Besides, Liao et al.'s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.

Cryptanalysis and improvement of a chaotic map-based key agreement protocol using Chebyshev sequence membership testing

Abstract: Recently, Gong et al. (Nonlinear Dyn, doi: 10.1007/s11071-012-0628-3 , 2012) proposed a chaotic map-based key agreement protocol without using smart cards. They claimed that the protocol is secure against password-guessing attacks. However, we show that Gong et al.’s protocol is vulnerable to partition attacks, whereby the adversary can guess the correct password off-line. We also demonstrate that the protocol suffers from a a stolen-verifier attack along with password change pitfalls. Thereafter, we proposed an chaotic map-based key agreement protocol without using smart cards to conquer the mentioned weaknesses. The security analysis of the proposed protocol shows that it is suitable for the applications with higher security requirement.

SymbexNet : Testing Network Protocol Implementations with Symbolic Execution and Rule-Based Specifications

Abstract: Implementations of network protocols, such as DNS, DHCP and Zeroconf, are prone to flaws, security vulnerabilities and interoperability issues caused by developer mistakes and ambiguous requirements in protocol specifications. Detecting such problems is not easy because (i) many bugs manifest themselves only after prolonged operation; (ii) reasoning about semantic errors requires a machine-readable specification; and (iii) the state space of complex protocol implementations is large. This article presents a novel approach that combines symbolic execution and rule-based specifications to detect various types of flaws in network protocol implementations. The core idea behind our approach is to (1) automatically generate high-coverage test input packets for a network protocol implementation using single- and multi-packet exchange symbolic execution (targeting stateless and stateful protocols, respectively) and then (2) use these packets to detect potential violations of manual rules derived from the protocol specification, and check the interoperability of different implementations of the same network protocol. We present a system based on these techniques, SymbexNet, and evaluate it on multiple implementations of two network protocols: Zeroconf, a service discovery protocol, and DHCP, a network configuration protocol. SymbexNet is able to discover non-trivial bugs as well as interoperability problems, most of which have been confirmed by the developers.

Multi-party trust computation in decentralized environments in the presence of malicious adversaries

Abstract: In this paper, we describe a decentralized privacy-preserving protocol for securely casting trust ratings in distributed reputation systems. Our protocol allows n participants to cast their votes in a way that preserves the privacy of individual values against both internal and external attacks. The protocol is coupled with an extensive theoretical analysis in which we formally prove that our protocol is resistant to collusion against as many as n-1 corrupted nodes in both the semi-honest and malicious adversarial models. The behavior of our protocol is tested in a real P2P network by measuring its communication delay and processing overhead. The experimental results uncover the advantages of our protocol over previous works in the area; without sacrificing security, our decentralized protocol is shown to be almost one order of magnitude faster than the previous best protocol for providing anonymous feedback.

A Provably Secure Multi-server Based Authentication Scheme

Abstract: With the rapid growth of electronic commerce and demand on variants of Internet based applications, the system providing resources and business services often consists of many servers around the world. So far, a variety of authentication schemes have been published to achieve remote user authentication on multi-server communication environment. Recently, Pippal et al. proposed a multi-server based authentication protocol to pursue the system security and computation efficiency. Nevertheless, based on our analysis, the proposed scheme is insecure against user impersonation attack, server counterfeit attack, and man-in-the-middle attack. In this study, we first demonstrate how these malicious attacks can be invoked by an adversary. Then, a security enhanced authentication protocol is developed to eliminate all identified weaknesses. Meanwhile, the proposed protocol can achieve the same order of computation complexity as Pippal et al.'s protocol does.

An efficient client---client password-based authentication scheme with provable security

Abstract: Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso's protocol achieves neither authentication goal nor privacy goal. In this paper, we indicate that the privacy and authentication goals of Tso's protocol will be broken by off-line password guessing attack and impersonation attack, respectively. To overcome the weaknesses, we propose an improved 3PAKE protocol to achieve more security and performance than related protocols. The security of the proposed improved protocol is proved in random oracle model.

Simulation and analysis of authentication protocols for mobile Internet of Things (MIoT)

Abstract: Things are integrated for increasing the availability of information. MIoT is the connectivity of mobile devices to extend the information. Connectivity of mobile devices helps in managing the various social activities. Security is a major concern while integrating the heterogeneous devices in these social networks. Things embedded with radio frequency based identifications are having scarcity of resources thus require lightweight cryptography aspects. This work proposes a single bar circular topology based authentication protocol for MIoT. This protocol helps in authenticating the mobile devices for constructing secure network. The proposed protocol is modeled using Alloy model. Delay analysis shows that construction of secure network is possible with maximum delay of 0.91 msec. Node can enter or leave the network with minimum of 0.13 and maximum of 0.20 msec. Further, Zone Routing Protocol (ZRP) is considered to be the best protocol for constructing a secure network.

A Pairing-free ID-based Key Agreement Protocol with Different PKGs

Abstract: This paper proposes an identity based key agreement protocol based on elliptic curve cryptography (ECC) between users of different networks with independent private key generations (PKGs). Instead of bilinear pairings which commonly used for contracting identity based schemes, the proposed protocol makes use of elliptic curves to obtain more computational efficiency. The proposed protocol develops Cao et al’s protocol for situations that two users of independent organizations or networks with separate servers (that in this article, are named PKGs, based on their main duty, generating private keys for the users) want to share a secret key via an insecure link. The main novelty of this paper is security proof of the proposed protocol in the random oracle model. The security proof argues the security attributes of the proposed protocol.

A secure and efficient handover authentication protocol for wireless networks.

Abstract: Handover authentication protocol is a promising access control technology in the fields of WLANs and mobile wireless sensor networks. In this paper, we firstly review an efficient handover authentication protocol, named PairHand, and its existing security attacks and improvements. Then, we present an improved key recovery attack by using the linearly combining method and reanalyze its feasibility on the improved PairHand protocol. Finally, we present a new handover authentication protocol, which not only achieves the same desirable efficiency features of PairHand, but enjoys the provable security in the random oracle model.

Secure Improved Cloud-Based RFID Authentication Protocol

Abstract: Although Radio Frequency IDentification (RFID) systems promise a fruitful future, security and privacy concerns have affected the adoption of the RFID technology. Several studies have been proposed to tackle the RFID security and privacy concerns under the assumption that the server is secure. In this paper, we assume that the server resides in the cloud that might be insecure, thus the tag’s data might be prone to privacy invasion and attacks. Xie et al. proposed a new scheme called “cloud-based RFID authentication”, which aimed to address the security and privacy concerns of RFID tag’s data in the cloud. In this paper, we showed that the Xie et al. protocol is vulnerable to reader impersonation attacks, location tracking and tag’s data privacy invasion. Hence, we proposed a new protocol that guarantees that the tag’s data in the cloud are anonymous, and cannot be compromised. Furthermore, the proposed protocol achieves mutual authentication between all the entities participating in a communication session, such as a cloud server, a reader and a tag. Finally, we analysed the proposed protocol informally, and formally using a privacy model and CasperFDR. The results indicate that the proposed protocol achieves data secrecy and authentication for RFID tags.

A robust smart card-based anonymous user authentication protocol for wireless communications

Abstract: Anonymous user authentication is an important but challenging task for wireless communications. In a recent paper, Das proposed a smart cardi¾?based anonymous user authentication protocol for wireless communications. The scheme can protect user privacy and is believed to be secure against a range of network attacks even if the secret information stored in the smart card is compromised. In this paper, we reanalyze the security of Das' scheme, and show that the scheme is in fact insecure against impersonation attacks. We then propose a new smart cardi¾?based anonymous user authentication protocol for wireless communications. Compared with the existing schemes, our protocol uses a different user authentication mechanism, which does not require different entities to maintain a synchronized clock. We show that the proposed new protocol can provide stronger security and better efficiency and scalability than previous schemes.

Improvement of the Hash-Based RFID Mutual Authentication Protocol

Abstract: Radio frequency identification (RFID) is a popular kind of automatic identification technologies that uses radio frequencies. Many security and privacy problems my be raised in the using of RFID due to its radio transmission nature. In 2012, Cho et al. (Comput Math Appl, 2012. doi: 10.1016/j.camwa.2012.02.025 ) proposed a new hash-based RFID mutual authentication protocol to solve these problems. However, this protocol was demonstrated to be vulnerable to DOS attack. This paper further shows that Cho et al.'s protocol is vulnerable to traffic analysis and tag/reader impersonation attacks. An improved protocol is also proposed which can prevent the said attacks.

Denial-of-Service attacks on 6LoWPAN-RPL networks: Threats and an intrusion detection system proposition

Abstract: RPL (Routing Protocol for Low-power and lossy networks) is a specic routing protocol designed to optimize

Performing remote wi-fi network configuration when a network security protocol is unknown

Abstract: The disclosure relates to performing a remote Wi-Fi network configuration when a network security protocol is unknown. In particular, Wi-Fi network configurations typically require a name, a security protocol, and authentication credentials. However, users attempting to configure a Wi-Fi network may not know the security protocol or be unable to recall the security protocol when presented with a dialog requesting such details. As such, assuming a finite set of security protocols, the algorithm disclosed herein may assume an OPEN (e.g., unsecured) configuration on the destination Wi-Fi network if no credentials were supplied or alternatively a WPS configuration if credentials consisting of exactly eight digits were supplied. Otherwise, the algorithm may iterate through each security protocol supported on the device supports (e.g., according to popularity, complexity, etc.) until a successful network association occurs or all supported security protocols are exhausted.

Cryptanalysis and improvement of password-authenticated key agreement for session initiation protocol using smart cards

Abstract: Session Initiation Protocol (SIP) is one of the most commonly used protocols for handling sessions for over Internet Protocol based communications, and the security of SIP is becoming increasingly important. Recently, Zhang et al. proposed a password-authenticated key agreement protocol for SIP by using smart cards to protect the VoIP communications between users. Their protocol provided some unique features, such as mutual authentication, no password table needed, and password updating freely. In this study, we performed cryptanalysis of Zhang et al.'s protocol and found that their protocol was vulnerable to the impersonation attack although the protocol could withstand several other attacks. A malicious attacker could compute other users' privacy keys and then impersonated the users to cheat the SIP server. Furthermore, we proposed an improved password-authentication key agreement protocol for SIP, which overcame the weakness of Zhang et al.'s protocol and was more suitable for Voice over Internet Protocol communications. Copyright © 2014 John Wiley & Sons, Ltd.

Mitigating Iris-Based Replay Attacks

Abstract: In this paper, we present an iris-based access control protocol that is resistant to iris-based replay attacks. This new style of biometric-based access control protocol is similar to the so called, 'one time password' approach used by some conventional username/password access protocols. Our results show that not only is this new type of iris-based access protocol effective, it can also distinguish between when a user attempting to gain access has supplied a poor sample of their iris and when the access control system is experiencing an iris-based replay attack.