Abstract
With the evolution of communication technology and the exponential increase of mobile devices, the ubiquitous networking allows people to use our data and computing resources anytime and everywhere. However, numerous security concerns and complicated requirements arise as these ubiquitous networks are deployed throughout people’s lives. To meet the challenge, the user authentication schemes in ubiquitous networks should ensure the essential security properties for the preservation of the privacy with low computational cost. In 2017, Chaudhry et al. proposed a password-based authentication scheme for the roaming in ubiquitous networks to enhance the security. Unfortunately, we found that their scheme remains insecure in its protection of the user privacy. In this paper, we prove that Chaudhry et al.’s scheme is vulnerable to the stolen-mobile device and user impersonation attacks, and its drawbacks comprise the absence of the incorrect login-input detection, the incorrectness of the password change phase, and the absence of the revocation provision. Moreover, we suggest a possible way to fix the security flaw in Chaudhry et al’s scheme by using the biometric-based authentication for which the bio-hash is applied in the implementation of a three-factor authentication. We prove the security of the proposed scheme with the random oracle model and formally verify its security properties using a tool named ProVerif, and analyze it in terms of the computational and communication cost. The analysis result shows that the proposed scheme is suitable for resource-constrained ubiquitous environments.
Highlights
The development of communication technology provides efficient services based on sustainable infrastructures that improve the human quality of life
Chaudhry et al [32] proposed a privacy-preserving password-based authentication scheme for roaming in ubiquitous networks to solve the security issues of Farash et al.’s scheme [29]. They claimed that their scheme is secure against the various known attacks and is lightweight compared with the earlier scheme of Farash et al [29]
We found that Chaudhry et al.’s scheme [32] is still vulnerable to several attacks; in this paper, we provide the proof that Chaudhry et al.’s scheme [32] is vulnerable to stolen-mobile devices and user impersonation attacks, and has drawbacks to the absence of the incorrect login-input detection, incorrect password change phase, and the absence of the revocation-process provision
Summary
The development of communication technology provides efficient services based on sustainable infrastructures that improve the human quality of life. Chaudhry et al [32] proposed a privacy-preserving password-based authentication scheme for roaming in ubiquitous networks to solve the security issues of Farash et al.’s scheme [29]. They claimed that their scheme is secure against the various known attacks and is lightweight compared with the earlier scheme of Farash et al [29]. Based on recent research efforts [6, 39,40,41], a biometrics-based authentication scheme for roaming in ubiquitous networks should meet the following security requirements against the adversarial model and the functional requirements to provide user-friendliness: 1. Based on recent research efforts [6, 39,40,41], a biometrics-based authentication scheme for roaming in ubiquitous networks should meet the following security requirements against the adversarial model and the functional requirements to provide user-friendliness: 1. User anonymity: The scheme must ensure the user anonymity to preserve the privacy of MN, i.e., A should not be able to discover the real identity of MN
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.