Password Authentication Scheme Research Articles

An Improved and Secure Two-factor Dynamic ID Based Authenticated Key Agreement Scheme for Multiserver Environment

The smart card based password authentication scheme is one of the most important and efficient security mechanism, which is used for providing security to authorized users over an insecure network. In this paper, we analyzed major security flaws of Jangirala et al.’s scheme and proved that it is vulnerable to forgery attack, replay attack, user impersonation attack. Also, Jangirala et al.’s scheme fail to achieve mutual authentication as it claimed. We proposed an improved two factor based dynamic ID based authenticated key agreement protocol for the multiserver environment. The proposed scheme has been simulated using widely accepted AVISPA tool. Furthermore, mutual authentication is proved through BAN logic. The rigorous security and performance analysis depicts that the proposed scheme provides users anonymity, mutual authentication, session key agreement and secure against various active attacks.

A two-factor authentication scheme against FDM attack in IFTTT based Smart Home System

Smart Home is an emerging key-element of the advantages of Internet of Things (IoT), which facilitates an individual to have control over the smart devices of his house through the Internet. However, its control should be confined to the legitimate user only, which can refrain from malicious activities. Internet services like IFTTT (If This Then That) integrate heterogeneous Smart Home devices and allow the user to customize Smart Home configurations via IFTTT recipes. Earlier researches have suggested an attack scenario based on Feature-Distributed Malware (FDM), where the malware can compromise the victim’s IFTTT account and as a result the attacker can manipulate the recipes from his own device. This paper proposes a secure IFTTT-based Smart Home framework by incorporating suitable captcha-based One Time Password (OTP) authentication scheme and Physical Unclonable Function (PUF). A suitable adversarial model has been used to evaluate the security of the framework.

Security Enhanced Anonymous User Authenticated Key Agreement Scheme Using Smart Card

Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.

An efficient and secure remote user mutual authentication scheme using smart cards for Telecare medical information systems

Abstract Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes for Telecare Medical Information Systems (TMIS) have been proposed in the literature. Recently, Lee et al. proposed an authentication scheme for TMIS and then they claimed that their scheme is able to resist various attacks. However, in this paper we demonstrate that Lee et al. scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of Lee et al. scheme, we present a secure authentication scheme for TMIS. Moreover, the proposed scheme can also resist all known attacks. We prove the security of the proposed scheme with the help of widely-accepted random Oracle model. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

An Efficient and Secure Two-Factor Password Authentication Scheme With Card Reader(Terminal) Verification

With regard to the privacy of client–server communication systems, most research works have concentrated on authentication to guarantee security. Among the investigated schemes, two-factor password authentication has been a major focus and has undergone considerable development. Two-factor password authentication is a process in which both a password and a physical object are used for authentication to achieve a higher level of security. However, these methods are still subject to some security vulnerabilities, such as malicious card reader attacks, man-in-the-middle attacks, and a lack of perfect forward secrecy. Moreover, although there are many evaluation criteria, there still lacks a set of universal criteria. To address these issues, a two-factor password authentication scheme is proposed in the context of practical application environment in this paper, such as side-channel attacks. Moreover, a card reader verification step is added to the authentication scheme to counteract malicious card reader attacks. In addition, the proposed scheme can resist various known attacks, including replay attacks, lost or stolen smart card attacks, and man-in-the-middle attacks. We present a detailed security analysis and comparative evaluation, and we prove the security of our scheme with Burrows–Abadi–Needham (BAN) logic. Compared with previous schemes, the main advantages of the proposed scheme are its low computational cost, guaranteed security, and better adaptability to actual client–server communication environments.

Privacy Preserving User Authentication Scheme Based on Smart Card

One of the most commonly used user authentication mechanisms is two factor authentication based on smart card and password. The core feature of the scheme is to enforce that the user must have the smart card and know the password in order to gain access to server. Recently, Liu et al. proposed a smart card based password authentication scheme and argued that it is secure against insider attack, replay attack and man in the middle attack and provides perfect forward secrecy. In this paper, we show security weaknesses in Liu et al.’s scheme focused on off-line password guessing attack and masquerading attack and it does not provide perfect forward secrecy and anonymity. Accordingly, we propose a privacy preserving user authentication scheme based on smart card, denoted as PUAS, to remedy these security weaknesses and to provide anonymity and perfect forward secrecy. PUAS is more secure with a bit of computational overhead to support several positive properties in security and privacy.

A novel biometric-based password authentication scheme for client-server environment using ECC and fuzzy extractor

A novel biometric-based password authentication scheme for client-server environment using ECC and fuzzy extractor

Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme.

Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme.

CRYPTANALYSIS AND ENHANCEMENT OF PASSWORD AUTHENTICATION SCHEME FOR SMART CARD

ABSTRACT Password authentication with smart card is one of the simplest and efficient authentication mechanisms to ensure secure communication over insecure network environments. Recently, Tsai et al. proposed an improved password authentication scheme for smart card. Their scheme is more secure than the other previous schemes. In this paper, we show Tsai et al.’s scheme is vulnerable to password guessing attack and has computational overhead. Furthermore, we propose an enhanced password authentication scheme to eliminate the security vulnerability and enhance the overhead. By presenting concrete analysis of security and performance, we show that the proposed scheme cannot only resist various well known attacks, but also is more efficient than the other related works, and thus is feasible for practical applications.

Cryptanalysis and Enhancement of Password Authentication Scheme for Smart Card

Cryptanalysis and Enhancement of Password Authentication Scheme for Smart Card

MAKA: Provably Secure Multi-factor Authenticated Key Agreement Protocol

Remote authentication is important to protect a networked server against malicious remote logins in complex systems, it is also the most efficient method to determine the identity of a remote user. Recently, Li et al. proposed an enhanced smart card based remote user password authentication scheme, referred to as LNKL scheme. In this paper, we first analyze LNKL scheme and show their scheme is vulnerable to key compromise impersonation attack and smart card impersonated attack. Besides, LNKL scheme does not provide user’s anonymity and privacy protection. LNKL scheme still has some design flaws such as non-repairability. Furthermore, LNKL scheme adopts two-factor authentication (password and smart-card), which are easily compromised. Based on LNKL scheme and biometrics- based multi-factor authentication, an improved multi-factor authentication (short for MAKA) is proposed in this paper, which not only keeps the merits of LNKL scheme, but also achieves more security features. In addition, the MAKA protocol can be formally proved securely against passive and active attacks under the computational Diffie-Hellman problem assumption in the random oracle model. As a result, it is more well-suited for mobile application scenarios where resource is constrained and security is concerned.

Efficient and secure two-factor dynamic ID-based password authentication scheme with provable security

ABSTRACTPassword-based remote user authentication schemes using smart cards are designed to ensure that only a user who possesses both the smart card and the corresponding password can gain access to the remote servers. Despite many research efforts, it remains a challenging task to design a secure password-based authentication scheme with user anonymity. The author uses Kumari et al.’s scheme as the case study. Their scheme uses non-public key primitives. The author first presents the cryptanalysis of Kumari et al.’s scheme in which he shows that their scheme is vulnerable to user impersonation attack, and does not provide forward secrecy and user anonymity. Using the case study, he has identified that public-key techniques are indispensable to construct a two-factor authentication scheme with security attributes, such as user anonymity, unlinkability and forward secrecy under the nontamper resistance assumption of the smart card. The author proposes a password-based authentication scheme using elliptic curve cryptography. Through the informal and formal security analysis, he shows that proposed scheme is secure against various known attacks, including the attacks found in Kumari’s scheme. Furthermore, he verifies the correctness of mutual authentication using the BAN logic.

Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment

Significant advances in wireless communication technologies have led to the emergence and proliferation of a wide range of mobile devices and mobile services. However, the use of various cloud servers has made the traditional single-server architecture, where we have one server and many users, inefficient in terms of its performance. To address this drawback, multi-server architectures have been proposed. Password or smart card-based authentication schemes suffer from poor security in the multi-server environment and as a result biometrics have become a preferred choice for secure and robust authentication because of its close link with the physical characteristics of an individual. Recently Kumari and Li et al. proposed a biometrics-based authentication scheme for multi-server environment. However, we found that their scheme fails to meet user anonymity requirement and is vulnerable to several attacks. Therefore, first of our work, we describe the various possible attacks on the previous scheme. Then, to enhance user anonymity, we propose a new biometrics-based authentication scheme with key distribution for the mobile multi-server environment. Our proposed scheme is based on smart card and elliptic curve cryptosystem. Informal and formal security analyses demonstrate that our scheme can satisfy the security and functional requirements in the mobile multi-server environment. Moreover, performance results (such as computation and communication cost) obtained with our proposed scheme demonstrate significant improvements in the level of security.

Qualitative Analysis of Recognition-based Graphical Password Authentication Schemes for Accessing the Cloud

<p>Cloud computing is increasingly becoming popular as many enterprise applications and data are moving into cloud platforms. However, a major barrier for cloud application is real and perceived lack of security. There are many security mechanisms exercised to utilize cloud services. Amongst them the prominent and primitive security mechanism is the Authentication System. Traditional text based passwords are susceptible to threats. Tough passwords are hard to recall and easily recalled passwords are simple and predictable. Graphical passwords are introduced as the better alternative. Two types of graphical passwords are there – recall based and recognition based. This research reviews several Recognition-Based Graphical Password methods and analyses their security based on the estimation criteria. Moreover, the research defines a metric called a 14-point scale that would make it possible for the qualitative analysis of the graphical passwords schemes. </p>

Encryption Technique for Secure Password Authentication Scheme at Application Layer

Encryption Technique for Secure Password Authentication Scheme at Application Layer

An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System

In recent years, with the increase in degenerative diseases and the aging population in advanced countries, demands for medical care of older or solitary people have increased continually in hospitals and healthcare institutions. Applying wireless sensor networks for the IoT-based telemedicine system enables doctors, caregivers or families to monitor patients’ physiological conditions at anytime and anyplace according to the acquired information. However, transmitting physiological data through the Internet concerns the personal privacy of patients. Therefore, before users can access medical care services in IoT-based medical care system, they must be authenticated. Typically, user authentication and data encryption are most critical for securing network communications over a public channel between two or more participants. In 2016, Liu and Chung proposed a bilinear pairing-based password authentication scheme for wireless healthcare sensor networks. They claimed their authentication scheme cannot only secure sensor data transmission, but also resist various well-known security attacks. In this paper, we demonstrate that Liu–Chung’s scheme has some security weaknesses, and we further present an improved secure authentication and data encryption scheme for the IoT-based medical care system, which can provide user anonymity and prevent the security threats of replay and password/sensed data disclosure attacks. Moreover, we modify the authentication process to reduce redundancy in protocol design, and the proposed scheme is more efficient in performance compared with previous related schemes. Finally, the proposed scheme is provably secure in the random oracle model under ECDHP.

A Pattern-Based Password Authentication Scheme for Minimizing Shoulder Surfing Attack

The user usually uses password to avoid the attacks like a dictionary attack, brute force attack and shoulder surfing attack which is the famous attack nowadays. The shoulder surfing attack is a direct observation technique by watching over the user’s shoulder when they enter their password to get information. The most common authentication method used by the user is textual password. But, the textual password has many disadvantages because it is vulnerable to attack as it tends to shoulder surfing attack. In this project, a pattern-based password authentication will develop to overcome this problem. Using this scheme, the user needs to select the type of pattern that they like during registration. To login to their account, the user needs to enter the password in the form of the textual password in ordering manner based on a pattern that they choose during registration. The text password grid presented with a different style as it filled with random objects whether characters, numbers or images. This method is suitable to minimizing shoulder surfing attack as it can improve the security of user’s password and they can efficiently login to the system.

Secure server-server communication for dual stage biometrics – based password authentication scheme

The distributed environment insists the protection of servers, while information sharing is achieved. The conventional biometrics-based password authentication mechanisms use single server, which can be compromised easily. The dual stage authentication mechanism has been already proved for its security over the single stage authentication mechanism in our previous work. In this paper, the protocol is improved to establish communication between the authentication server and the master server through a secure link. Since the hashed messages are prone to collision attacks, the proposed scheme uses elliptic curve cryptography-based ciphers for establishing connection at the initial stage. The security analysis of the proposed authentication scheme with secure server – server communication link reveals the robustness and the security features, which are offered over our previous as well as the conventional authentication mechanisms.

Cryptanalysis of a User Anonymous Password Authentication Scheme Without Smart Card

Recently, after analyzing Jiang et al. and He et al.’s remote user authentication scheme, Kumari et al. detected some defects in their own protocol and designed a user anonymous password authentication scheme without smart card. They claimed that their protocol is rigorous to resist a wide range of network attacks. Unfortunately, based on the analysis of a large amount of experiments, we found that their protocol is not robust enough when facing with changing session key attack. The user and server cannot achieve the consistency of the session even though they have been authenticated each other.

A Secure and Efficient One-time Password Authentication Scheme for WSN

An algorithm that a user has authenticated over remote devices should be designed to consider the limitations of computation and lower power in a wireless sensor net- works. Lamport first proposed a one-time password authentication scheme which the password was different in each transaction. In this paper, according to the Lam- port's concept we propose an efficient and secure one- time password authentication scheme for wireless sensor networks.