Showing papers on "Password published in 2021"

How many FIDO protocols are needed? Surveying the design, security and market perspectives.

Abstract: Unequivocally, a single man in possession of a strong password is not enough to solve the issue of security. Studies indicate that passwords have been subjected to various attacks, regardless of the applied protection mechanisms due to the human factor. The keystone for the adoption of more efficient authentication methods by the different markets is the trade-off between security and usability. To bridge the gap between user-friendly interfaces and advanced security features, the Fast Identity Online (FIDO) alliance defined several authentication protocols. Although FIDO's biometric-based authentication is not a novel concept, still daunts end users and developers, which may be a contributor factor obstructing FIDO's complete dominance of the digital authentication market. This paper traces the evolution of FIDO protocols, by identifying the technical characteristics and security requirements of the FIDO protocols throughout the different versions while providing a comprehensive study on the different markets (e.g., digital banking, social networks, e-government, etc.), applicability, ease of use, extensibility and future security considerations. From the analysis, we conclude that there is currently no dominant version of a FIDO protocol and more importantly, earlier FIDO protocols are still applicable to emerging vertical services.

Lightweight and Anonymity-Preserving User Authentication Scheme for IoT-based Healthcare

Abstract: Internet of Things (IoT) produces massive heterogeneous data from various applications, including digital health, smart hospitals, automated pathology labs, and so forth. IoT sensor nodes are integrated with the medical equipment to enable the health workers to monitor the patients’ health condition and appliances in real-time. However, due to security vulnerabilities, an unauthorized user can access health-related information or control the IoT nodes attached to the patient’s body resulting in unprecedented outcomes. Due to wireless channels as a medium of communication, IoT poses several threats such as a denial of service attack, man-in-the-middle attack, and modification attack to the IoT networks’ security and privacy. The proposed research presents a lightweight and anonymity-preserving user authentication protocol to counter these security threats. The given scheme establishes a secure session for the legitimate user and prohibits unauthorized users from gaining access to the IoT sensor nodes. The proposed protocol uses only lightweight cryptography primitives (hash) to alleviate the node’s tiny processor burden. The proposed protocol is efficient and superior because it has low computational and communication costs than conventional protocols. The proposed scheme uses password protection to let only the legitimate user access the IoT sensor nodes to obtain the patient’s real-time health report.

Secure Multifactor Authenticated Key Agreement Scheme for Industrial IoT

Abstract: The application of Internet of Things (IoT) has generally penetrated into people’s life and become popular in recent years. The IoT devices with different functions are integrated and applied to various domains, such as E-health, smart home, Industrial IoT (IIoT), and smart farming. IIoT obtains the general attention among these domains, which allows the authorized user remotely access and control the sensing devices. The user suffices to attain the real-time data collected by sensing devices during the process of production. However, these data is usually transmitted via an insecure channel, which brings the problem of the security and privacy arising from the hostile attacks in IIoT. To resist the hostile attacks by the adversary and protect the security of the transmitted data, we propose a secure multifactor authenticated key agreement scheme for IIoT to support the authorized user remotely accessing the sensing device. The scheme adopts password, biometrics, and smart card to identify the user in the IIoT environment. We employ the secret-sharing technology and Chinese remainder theorem to construct a group key among legitimate sensing devices, and then this group key is utilized to assist in negotiating a secure session key between the user and multiple sensing devices. The proposed scheme is suitable for the resource-constrained IIoT as it only uses hash function, bitwise XOR operation, and symmetric cryptography. The performance analysis indicates that our scheme has less communication and computational costs in contrast to other correlative schemes. Besides, the security analysis indicates that our scheme can withstand many known attacks.

A Novel Three-Factor Authentication Protocol for Wireless Sensor Networks With IoT Notion

Abstract: As an important topic of IoT, wireless sensor network (WSN) data transmission is popular nowadays. It is widely accepted that the wireless channel is hazard, and multifactor authentication schemes are proposed to save the hazard of wireless communication circumstance. To overcome the problems, we give a fresh three-factor authentication scheme providing session keys for WSNs. Formal verification given by Proverif illustrates that the new scheme keeps security properties. At the same time, the informal analysis also denotes that the proposed scheme is practical and satisfies general needs, such as counteraction against various attacks and meeting security properties. Compared to some recent similar schemes, the proposed scheme performs better in security and is suitable for application. At last, we use NS-3 for simulation. The results from the simulation show that the scheme can run in IoT environment normally and has practical perspective.

PROTECT: Efficient Password-Based Threshold Single-Sign-On Authentication for Mobile Users against Perpetual Leakage

Abstract: Password-based single-sign-on authentication has been widely applied in mobile environments. It enables an identity server to issue authentication tokens to mobile users holding correct passwords. With an authentication token, one can request mobile services from related service providers without multiple registrations. However, if an adversary compromises the identity server, he can retrieve users’ passwords by performing dictionary guessing attacks (DGA) and can overissue authentication tokens to break the security. In this paper, we propose a password-based threshold single-sign-on authentication scheme dubbed PROTECT that thwarts adversaries who can compromise identity server(s), where multiple identity servers are introduced to authenticate mobile users and issue authentication tokens in a threshold way. PROTECT supports key renewal that periodically updates the secret on each identity server to resist perpetual leakage of the secret. Furthermore, PROTECT is secure against off-line DGA: a credential used to authenticate a user is computed from the password and a server-side key. PROTECT is also resistant to online DGA and password testing attacks in an efficient way. We conduct a comprehensive performance evaluation of PROTECT, which demonstrates the high efficiency on the user side in terms of computation and communication and proves that it can be easily deployed on mobile devices.

Fast and Secure Authentication in Virtual Reality Using Coordinated 3D Manipulation and Pointing

Abstract: There is a growing need for usable and secure authentication in immersive virtual reality (VR). Established concepts (e.g., 2D authentication schemes) are vulnerable to observation attacks, and most alternatives are relatively slow. We present RubikAuth, an authentication scheme for VR where users authenticate quickly and secure by selecting digits from a virtual 3D cube that leverages coordinated 3D manipulation and pointing. We report on results from three studies comparing how pointing using eye gaze, head pose, and controller tapping impact RubikAuth’s usability, memorability, and observation resistance under three realistic threat models. We found that entering a four-symbol RubikAuth password is fast: 1.69–3.5 s using controller tapping, 2.35–4.68 s using head pose and 2.39 –4.92 s using eye gaze, and highly resilient to observations: 96–99.55% of observation attacks were unsuccessful. RubikAuth also has a large theoretical password space: 45n for an n-symbols password. Our work underlines the importance of considering novel but realistic threat models beyond standard one-time attacks to fully assess the observation-resistance of authentication schemes. We conclude with an in-depth discussion of authentication systems for VR and outline five learned lessons for designing and evaluating authentication schemes.

Preventing DeepFake Attacks on Speaker Authentication by Dynamic Lip Movement Analysis

Abstract: Recent research has demonstrated that lip-based speaker authentication systems can not only achieve good authentication performance but also guarantee liveness. However, with modern DeepFake technology, attackers can produce the talking video of a user without leaving any visually noticeable fake traces. This can seriously compromise traditional face-based or lip-based authentication systems. To defend against sophisticated DeepFake attacks, a new visual speaker authentication scheme based on the deep convolutional neural network (DCNN) is proposed in this paper. The proposed network is composed of two functional parts, namely, the Fundamental Feature Extraction network (FFE-Net) and the Representative lip feature extraction and Classification network (RC-Net). The FFE-Net provides the fundamental information for speaker authentication. As the static lip shape and lip appearance is vulnerable to DeepFake attacks, the dynamic lip movement is emphasized in the FFE-Net. The RC-Net extracts high-level lip features that discriminate against human imposters while capturing the client’s talking style. A multi-task learning scheme is designed, and the proposed network is trained end-to-end. Experiments on the GRID and MOBIO datasets have demonstrated that the proposed approach is able to achieve an accurate authentication result against human imposters and is much more robust against DeepFake attacks compared to three state-of-the-art visual speaker authentication algorithms. It is also worth noting that the proposed approach does not require any prior knowledge of the DeepFake spoofing method and thus can be applied to defend against different kinds of DeepFake attacks.

An Intelligent Terminal Based Privacy-Preserving Multi-Modal Implicit Authentication Protocol for Internet of Connected Vehicles

Abstract: The Internet of connected Vehicles (IOV) can collect, process, compute and release the information of intelligent transportation systems. IOV is an integrated service system that can support the applications for automatic driving, intelligent transport and information services. As the number of incidents on IOV has been on the rise in the past few years, IOV security is becoming increasingly important in the IOV architecture. One of the most notable risks of IOV faces is intelligent terminal security. The vehicle’s intelligent terminal can be used to launch for further attacks on the on-board operating system to penetrate into the internal network of connected vehicle, and consequently threaten the safety of the vehicle. Thus, it is of paramount importance that we protect the security of the intelligent terminal. We propose two intelligent terminal based privacy-preserving multi-modal implicit authentication protocols to protect the security of the intelligent terminal in IOV. The proposed protocols use the password and the vehicle owner’s behavior features as the authentication factors to protect the security of the intelligent terminal. Since the vehicle owner’s behavior features are sensitive and the privacy information of the user must be protected, we also consider the privacy protection of the behavior features. Our protocols do not reveal any information about the vehicle owner’s behavior features to the authentication server and the adversary except the ciphertext size of the feature vector. We analyze the security of our proposed protocol and compare them with other related protocols in terms of computation and communications costs. Our results demonstrate that our proposed protocols yield better security and efficiency.

LAPTAS: lightweight anonymous privacy-preserving three-factor authentication scheme for WSN-based IIoT

Abstract: Nowadays, wireless sensor networks (WSNs) are essential for monitoring and data collection in many industrial environments. Industrial environments are usually huge. The distances between the devices located in them can be vast; in this case, the Industrial Internet of Things (IIoT) leads to greater productivity and efficiency of industries. Furthermore, the sensor devices in IIoT have limited memory and constrained processing power, and using gateway nodes is inevitable to cover these vast areas and manage communications between industrial sensors. Security threats such as compromised devices, denial of service, and leakage of confidential information can incur hefty expenses and irreparable damage to industrial systems. Hence, in the IIoT hierarchical architecture, anonymous and mutual authentication between users, gateway nodes, and sensor nodes is essential to protect users and the system’s security and privacy. In this article, we propose a lightweight anonymous privacy-preserving three-factor authentication scheme for WSN-Based IIoT (LAPTAS). In LAPTAS, registered users can use their security smartcard to communicate with sensors and access their data. Moreover, the proposed scheme supports sensor node dynamic registration, password and biometric change, and revocation phase. Additionally, we evaluate and verify our scheme’s security formally using the Real-or-Random model and informally with the automatic cryptographic Protocol Verifier tool(ProVerif). Finally, our scheme is simulated by the OPNET network simulator and compared with other similar schemes to ensure that the LAPTAS meets all security and performance requirements.

Security in 5G-Enabled Internet of Things Communication: Issues, Challenges, and Future Research Roadmap

Abstract: 5G mobile communication systems promote the mobile network to not only interconnect people, but also interconnect and control the machine and other devices. 5G-enabled Internet of Things (IoT) communication environment supports a wide-variety of applications, such as remote surgery, self-driving car, virtual reality, flying IoT drones, security and surveillance and many more. These applications help and assist the routine works of the community. In such communication environment, all the devices and users communicate through the Internet. Therefore, this communication agonizes from different types of security and privacy issues. It is also vulnerable to different types of possible attacks (for example, replay, impersonation, password reckoning, physical device stealing, session key computation, privileged-insider, malware, man-in-the-middle, malicious routing, and so on). It is then very crucial to protect the infrastructure of 5G-enabled IoT communication environment against these attacks. This necessitates the researchers working in this domain to propose various types of security protocols under different types of categories, like key management, user authentication/device authentication, access control/user access control and intrusion detection. In this survey paper, the details of various system models (i.e., network model and threat model) required for 5G-enabled IoT communication environment are provided. The details of security requirements and attacks possible in this communication environment are further added. The different types of security protocols are also provided. The analysis and comparison of the existing security protocols in 5G-enabled IoT communication environment are conducted. Some of the future research challenges and directions in the security of 5G-enabled IoT environment are displayed. The motivation of this work is to bring the details of different types of security protocols in 5G-enabled IoT under one roof so that the future researchers will be benefited with the conducted work.

Biometric Identification System: Security and Privacy Concern

Abstract: Biometric system is rapidly increasing scheme replacing traditional password and manual authentication systems. Security, privacy, and accuracy are the most important aspects to be considered in developing and designing biometric arrangements. In this chapter, a comprehensive study is presented to enlighten the latest development covering aspects of improving security and privacy of biometric system. Current trends and future challenges are also outlined in this chapter. Biometric credentials are becoming popular in all concern areas as a mode of authenticating person due to the broad range advantages with comparison to traditional authentication methods. This authentication method is having the most precious bond between a user and his biometric credentials; besides this biometric system raises some serious privacy and security concerns in case its traits get compromised. This chapter presents the challenging issues that need to be taken care when designing secure and privacy concern biometric authentication protocol. It describes major threats against its security and gives directions on actions to be taken as security measures in order to design secure and privacy preserving biometric identification system. In order to improve the usability of biometric authentication system, we classify and review the current biometric system by focusing on privacy and security concern. This chapter gives overall review and information about biometric system and protects privacy in adequate manner. It discusses personal privacy in terms of adoption of biometric identification system. In present time, we talk more about frauds and insecurity in different sectors as well as the computer technologies to be applied in current trends to ecommerce, banking, etc. There are two conventional ways of identifying individual. The first one is knowledge-based method which is based on different knowledge such as PIN and password to allow user to activate services. The second method is on token-based method. It can be a piece of badge, identification paper, key, etc. Both ways are insecure as password can be forgotten or guessed by others, and in other case, badge id or other identification may be lost or stolen. Biometric attributes are an optional solution with two previous modes. The merit of using biometric features is universal, unique, measurable, and permanent.

Deep Learning Approaches for Continuous Authentication Based on Activity Patterns Using Mobile Sensing.

Abstract: Smartphones as ubiquitous gadgets are rapidly becoming more intelligent and context-aware as sensing, networking, and processing capabilities advance. These devices provide users with a comprehensive platform to undertake activities such as socializing, communicating, sending and receiving e-mails, and storing and accessing personal data at any time and from any location. Nowadays, smartphones are used to store a multitude of private and sensitive data including bank account information, personal identifiers, account passwords and credit card information. Many users remain permanently signed in and, as a result, their mobile devices are vulnerable to security and privacy risks through assaults by criminals. Passcodes, PINs, pattern locks, facial verification, and fingerprint scans are all susceptible to various assaults including smudge attacks, side-channel attacks, and shoulder-surfing attacks. To solve these issues, this research introduces a new continuous authentication framework called DeepAuthen, which identifies smartphone users based on their physical activity patterns as measured by the accelerometer, gyroscope, and magnetometer sensors on their smartphone. We conducted a series of tests on user authentication using several deep learning classifiers, including our proposed deep learning network termed DeepConvLSTM on the three benchmark datasets UCI-HAR, WISDM-HARB and HMOG. Results demonstrated that combining various motion sensor data obtained the highest accuracy and energy efficiency ratio (EER) values for binary classification. We also conducted a thorough examination of the continuous authentication outcomes, and the results supported the efficacy of our framework.

Lightweight Three-Factor-Based Privacy- Preserving Authentication Scheme for IoT-Enabled Smart Homes

Abstract: Smart homes are an emerging paradigm of Internet of Things (IoT) in which users can remotely control various home devices via the internet anytime and anywhere. However, smart home environments are vulnerable to security attacks because an attacker can inject, insert, intercept, delete, and modify transmitted messages over an insecure channel. Thus, secure and lightweight authentication protocols are essential to ensure useful services in smart home environments. In 2021, Kaur and Kumar presented a two-factor based user authentication protocol for smart homes using elliptic curve cryptosystems (ECC). Unfortunately, we demonstrate that their scheme cannot resist security attacks such as impersonation and session key disclosure attacks, and also ensure secure user authentication. Moreover, their scheme is not suitable in smart home environments because it utilizes public-key cryptosystems such as ECC. Hence, we design a secure and lightweight three-factor based privacy-preserving authentication scheme for IoT-enabled smart home environments to overcome the security problems of Kaur and Kumar’s protocol. We prove the security of the proposed scheme by using informal and formal security analyses such as the ROR model and AVISPA simulation. In addition, we compare the performance and security features between the proposed scheme and related schemes. The proposed scheme better provides security and efficiency compared with the previous schemes and is more suitable than previous schemes for IoT-enabled smart home environments.

Enhancing IoT Security via Cancelable HD-sEMG-Based Biometric Authentication Password, Encoded by Gesture

Abstract: Enhancing information security via reliable user authentication in wireless body area network (WBAN)-based Internet-of-Things (IoT) applications has attracted increasing attention. The noncancelability of traditional biometrics (e.g., fingerprint) for user authentication increases the privacy disclosure risks once the biometric template is exposed, because users cannot volitionally create a new template. In this work, we propose a cancelable biometric modality based on high-density surface electromyogram (HD-sEMG) encoded by hand gesture password, for user authentication. HD-sEMG signals (256 channels) were acquired from the forearm muscles when users performed a prescribed gesture password, forming their biometric token. Thirty four alternative hand gestures in common daily use were studied. Moreover, to reduce the data acquisition and transmission burden in IoT devices, an automatically generated password-specific channel mask was employed to reduce the number of active channels. HD-sEMG biometrics were also robust with reduced sampling rate, further reducing power consumption. HD-sEMG biometrics achieved a low equal error rate (EER) of 0.0013 when impostors entered a wrong gesture password, as validated on 20 subjects. Even if impostors entered the correct gesture password, the HD-sEMG biometrics still achieved an EER of 0.0273. If the HD-sEMG biometric template was exposed, users could cancel it by simply changing it to a new gesture password, with an EER of 0.0013. To the best of our knowledge, this is the first study to employ HD-sEMG signals under common daily hand gestures as biometric tokens, with training and testing data acquired on different days.

Improving Password Guessing via Representation Learning

Abstract: Learning useful representations from unstructured data is one of the core challenges, as well as a driving force, of modern data-driven approaches. Deep learning has demonstrated the broad advantages of learning and harnessing such representations.In this paper, we introduce a deep generative model representation learning approach for password guessing. We show that an abstract password representation naturally offers compelling and versatile properties that open new directions in the extensively studied, and yet presently active, password guessing field. These properties can establish novel password generation techniques that are neither feasible nor practical with the existing probabilistic and non-probabilistic approaches. Based on these properties, we introduce: (1) A general framework for conditional password guessing that can generate passwords with arbitrary biases; and (2) an Expectation Maximization-inspired framework that can dynamically adapt the estimated password distribution to match the distribution of the attacked password set.

Keystroke Dynamics based Hybrid Nanogenerators for Biometric Authentication and Identification using Artificial Intelligence.

Abstract: Cyberattack is one of the severe threats in the digital world as it encompasses everything related to personal information, health, finances, intellectual properties, and even national security. Password-based authentication is the most practiced authentication system, however, is vulnerable to several attacks such as dictionary attack, shoulder surfing attack, and guessing attack. Here, a new keystroke dynamics-based hybrid nanogenerator for biometric authentication and identification integrated with artificial intelligence (AI) is reported. Keystroke dynamics offer behavioral and contextual information that can distinguish and authorize the individuals based on their typing rhythms. The hybrid electromagnetic-triboelectric nanogenerators/sensors efficiently convert the keystroke mechanical energy into electrical signals, which are fed into an artificial neural network based AI system. The self-powered hybrid sensors-based biometric authentication system integrated with a neural network achieves an accuracy of 99% and offers a promising hybrid security layer against password vulnerability.

DAKOTA: Sensor and Touch Screen-Based Continuous Authentication on a Mobile Banking Application

Abstract: Authenticating a user in the right way is essential to IT systems, where the risks are becoming more and more complex. Especially in the mobile world, banking applications are among the most delicate systems requiring strict rules and regulations. Existing approaches often require point-of-entry authentication accompanied by a one-time password as a second-factor authentication. However, this requires active participation of the user and there is continuous authentication during a session. In this paper, we investigate whether it is possible to continuously authenticate users via behavioral biometrics with a certain performance on a mobile banking application. A currently used mobile banking application in Turkey is chosen as the case, and we developed a continuous authentication scheme, named DAKOTA, on top of this application. The DAKOTA system records data from the touch screen and the motion sensors on the phone to monitor and model the user’s behavioral patterns. Forty-five participants completed the predefined banking transactions. This data is used to train seven different classification algorithms. The results reveal that binary-SVM with RBF kernel reaches the lowest error scores, 3.5% equal error rate (EER). Using the end-to-end DAKOTA system, we investigate the performance in real-time, both in terms of authentication accuracy and resource usage. We show that it does not bring extra overhead in terms of power and memory usage compared to the original banking application and we can achieve a 90% true positive recognition rate, on average.

PSL-MAAKA: Provably Secure and Lightweight Mutual Authentication and Key Agreement Protocol for Fully Public Channels in Internet of Medical Things

Abstract: Designing efficient and secure mutual authentication and key agreement (MAAKA) protocols for Internet of Medical Things (IoMT) has been shown to be challenging, mainly due to the different security and privacy requirements in complex settings. Existing schemes generally are subject to a number of limitations, ranging from performance to security issues. In this article, we introduce a provably secure and lightweight MAAKA (PSL-MAAKA) protocol for fully public channels in IoMT. First, the proposed scheme is lightweight since the major operations in the stage of authentication and key agreement are hash operation and XOR operation, respectively. Second, this article proves the security of the presented protocol taking the advantage of the random oracle model. Next, this article gives that security requirements in IoMT could be satisfied through our presented MAAKA protocol. Finally, we demonstrate that it enjoys optimal performance than other competing schemes, in terms of communication overhead, computation overhead, and storage overhead.

A New Mutual Authentication and Key Agreement Protocol for Mobile Client—Server Environment

Abstract: Mobile devices are becoming an essential part of many users’ lives. Users exchange sometimes very sensitive data with remote servers. This raises a security problem in terms of the confidentiality and integrity of these data, and users’ privacy. Mutual authentication protocols allow a user and a server to confirm each other’s legitimacy and share a session key to encrypt subsequent communications. Several protocols have been proposed to achieve this goal. However, these have certain weaknesses, such as impersonation, lack of anonymity, the use of additional hardware, and the synchronization problem associated with the use of timestamps. In this paper, we propose a mutual authentication protocol based on elliptic curve cryptography for mobile client – server environments, which addresses the above problems. This protocol is intended to be lightweight as it is designed for resource constrained mobile devices. Moreover, we present a formal and informal analysis of the security of the proposed protocol. This latter has security attributes, such as session key security, perfect forward secrecy, user anonymity, resistance to impersonation, replay and insider attacks. Performance evaluation shows that we outperform similar protocols. Therefore, the proposed protocol is secure, efficient and suitable for mobile environments.

Empirical Study of PLC Authentication Protocols in Industrial Control Systems

Abstract: Programmable logic controllers (PLCs) run a ‘control logic’ program that defines how to control a physical process such as a nuclear plant, power grid stations, and gas pipelines. Attackers target the control logic of a PLC to sabotage a physical process. Most PLCs employ password based authentication mechanisms to prevent unauthorized remote access to control logic. This paper presents an empirical study on proprietary authentication mechanisms in five industry-scale PLCs to understand the security-design practices of four popular ICS vendors, i.e., Allen-Bradley, Schneider Electric, AutomationDirect, and Siemens. The empirical study determines whether the mechanisms are vulnerable by design and can be exploited. It reveals serious design issues and vulnerabilities in authentication mechanisms, including lack of nonce, small-sized encryption key, weak encryption scheme, and client-side authentication. The study further confirms the findings empirically by creating and testing their proof-of-concept exploits derived from MITRE ATT&CK knowledge base of adversary tactics and techniques. Unlike existing work, our study relies solely on network traffic examination and does not employ typical reverse-engineering of binary files (e.g., PLC firmware) to reveal the seriousness of design problems. Moreover, the study covers PLCs from different vendors to highlight an industry-wide issue of secure PLC authentication that needs to be addressed.

Secure Password-Protected Encryption Key for Deduplicated Cloud Storage Systems

Abstract: In this paper, we propose SPADE, an encrypted data deduplication scheme that resists compromised key servers and frees users from the key management problem. Specifically, we propose a proactivization mechanism for the servers-aided message-locked encryption (MLE) to periodically substitute key servers with newly employed ones, which renews the security protection and retains encrypted data deduplication. We present a servers-aided password-hardening protocol to resist dictionary guessing attacks. Based on the protocol, we further propose a password-based layered encryption mechanism and a password-based authentication mechanism and integrate them into SPADE to enable users to access their data only using their passwords. Provable security and high efficiency of SPADE are demonstrated by comprehensive analyses and experimental evaluations.

Neuromuscular Password-Based User Authentication

Abstract: In this article, we propose a novel neuromuscular password-based user authentication method. The method consists of two parts: surface electromyogram (sEMG) based finger muscle isometric contraction password (FMICP) and neuromuscular biometrics. FMICP can be entered through isometric contraction of different finger muscles in a prescribed order without actual finger movement, which makes it difficult for observers to obtain the password. In our study, the isometric contraction patterns of different finger muscles were recognized through high-density sEMG signals acquired from the right dorsal hand. Moreover, both time–frequency–space domain features at macroscopic level (interference-pattern EMG) and motor neuron firing rate features at microscopic level (via decomposition) were extracted to represent neuromuscular biometrics, serving as a second defense. The FMICP and macro–micro neuromuscular biometrics together form a neuromuscular password. The proposed neuromuscular password achieved an equal error rate (EER) of 0.0128 when impostors entered a wrong FMICP. Even when impostors entered the correct FMICP, the neuromuscular biometrics, as the second defense, inhibited impostors with an EER of 0.1496. To the best of our knowledge, this is the first study to use individually unique neuromuscular information during unobservable muscle isometric contractions for user authentication, with training and testing data acquired on different days.

A Novel Multiserver Authentication Scheme Using Proxy Resignature With Scalability and Strong User Anonymity

Abstract: As the indispensable part of the security demand in a distributed system, a variety of online services need to be protected from unauthorized access. Multiserver authentication (MA) is one of the most effective and promising approaches to guarantee one party the authenticity of its partner in the distributed system. In this article, we first elaborate the problem of scalability for MA protocol. After that, a two-level framework for multiserver environment is proposed to convert single-server authentication to MA with provable security and perfect scalability. Also, we give an instance of our novel infrastructure by adopting the idea of proxy resignature to achieve strong anonymity. Furthermore, the security analysis and performance evaluation show that our protocol is secure and practical.