Remote User Authentication Protocol Research Articles

Lightweight Privacy-Preserving Remote User Authentication and Key Agreement Protocol for Next-Generation IoT-Based Smart Healthcare

The advancement and innovations in wireless communication technologies including the Internet of Things have massively changed the paradigms of health-based services. In particular, during the COVID-19 pandemic, the trends of working from home have been promoted. Wireless body area network technology frameworks help sufferers in remotely obtaining scientific remedies from physicians through the Internet without paying a visit to the clinics. IoT sensor nodes are incorporated into the clinical device to allow health workers to consult the patients’ fitness conditions in real time. Insecure wireless communication channels make unauthorized access to fitness-related records and manipulation of IoT sensor nodes attached to the patient’s bodies possible, as a result of security flaws. As a result, IoT-enabled devices are threatened by a number of well-known attacks, including impersonation, replay, man-in-the-middle, and denial-of-service assaults. Modern authentication schemes do solve these issues, but they frequently involve challenging mathematical concepts that raise processing and transmission costs. In this paper, we propose a lightweight, secure, and efficient symmetric key exchange algorithm and remote user authentication scheme. Our research proposal presents a successful privacy-protecting method for remote users and provides protection against known attacks. When compared to conventional options, this technique significantly reduces calculation costs by up to 37.68% and transmission costs by up to 32.55%.

An optimal cluster based security and resilience of smart home environments using hybrid soft computing techniques

AbstractSmart home is the main part of smart intelligent system here the remote users share the sensitive information through an insecure medium to access such smart devices, which becomes security issues. The recent user authentication protocols have used to solve those problems and provide secure communication. Consumer traffic increase the risk of illegal user as legal user and radio channels are extra vulnerable to listeners. For further security enhancement, we proposed an optimal cluster based remote user authentication (OCRUA) protocol for smart home environment using hybrid soft computing techniques. The first contribution of proposed protocol is to introduce squirrel induced butterfly optimization (SBO) algorithm for cluster formation, which groups the smart devices. Then, we compute the cluster head (CH) using the teacher learning based deep neural network (TL‐DNN) based on multiple design constraints. The second contribution is to illustrate remote user authentication using optimal elliptic curve cryptography (OECC) which encrypts the sensitive information before forward to gateway. At long last, the concert of planned OCRUA protocol evaluates use different replication scenarios and shows the effectiveness over the existing state‐of‐art protocols.

Lightweight and Privacy-Preserving Remote User Authentication for Smart Homes

The rapid proliferation of embedded devices has led to the growth of the Internet of Things (IoT) with applications in numerous domains such as home automation, healthcare, education and agriculture. However, many of the connected devices particularly in smart homes are the target of attacks that try to exploit security vulnerabilities such as hard-coded passwords and insecure data transfer. Recent studies show that there is a considerable surge in the number of phishing attacks targeting smart homes during the COVID-19 pandemic. Moreover, many of the existing user authentication protocols in the literature incur additional computational overhead and need to be made more resilient to smart home targeted attacks. In this paper, we propose a novel lightweight and privacy-preserving remote user authentication protocol for securing smart home applications. Our approach is based on Photo Response Non-Uniformity (PRNU) to make our protocol resilient to smart home attacks such as smartphone capture attacks and phishing attacks. In addition, the lightweight nature of our solution is suitable for deployment on heterogeneous and resource constrained IoT devices. Besides, we leverage geometric secret sharing for establishing mutual authentication among the participating entities. We validate the security of the proposed protocol using the AVISPA formal verification tool and prototype it on a Raspberry Pi to analyze the power consumption. Finally, a comparison with existing schemes reveals that our scheme incurs a 20% reduction in communication overhead on smart devices. Furthermore, our proposed scheme is usable as it absolves users from memorizing passwords and carrying smart cards.

A Robust Anonymous Remote User Authentication Protocol for IoT Services

A Robust Anonymous Remote User Authentication Protocol for IoT Services

An efficient three-factor remote user authentication protocol based on BPV-FourQ for internet of drones

Due to the mobility, flexibility and autonomy of drones, the Internet of Drones (IoD) have gained momentum recently and are being widely used in a variety of fields, such as agriculture, industry, and transportation. However, due to the intrinsic openness of wireless communication channels in IoD, the data generated by drones are facing new security challenges and privacy issues. To ensure the confidentiality of data communication, it is crucial to authenticate remote users and establish session keys for IoD through the authentication and key agreement (AKA) protocol. Unfortunately, most existing AKA protocols using asymmetric cryptographic primitives are computationally expensive, and are unaffordable for the computing power limited drones. To this end, this paper presents an efficient three-factor AKA protocol for IoD based on FourQ and Boyko-Peinado-Venkatesan (BPV) pre-calculation. The detailed security analysis reveals that our protocol is secure against known attacks and achieves important security goals, especially perfect forward secrecy. Besides, by performing real world experiments on the Raspberry Pi, we demonstrate that the improved FourQ curve primitive is 4–5 times faster than the conventional elliptic curve primitives. The security and performance comparison are also given to prove that the proposed protocol provides stronger security and higher efficiency than existing ones.

A robust provable-secure privacy-preserving authentication protocol for Industrial Internet of Things

Wireless sensor networks (WSNs) accomplish a key aspect in the Industrial Internet of Things (IIoT) that has turned out to be the most flourishing perception for computerizations in an industrial maneuver. IIoT environment is a significant application of the Internet of Things (IoT) that facilitate the professionals related to industries for remote supervision of factory, warehouses, etc. In this environment, the data must constantly be analyzed to take important real-time decisions. It makes remote confirmation most essential to secure the data transmission through insure channel so that alteration, interception, modifications of data cannot occur. As a result, there remains an immense requirement of remote user authentication protocol to restrict any illicit access to the data. In this scenario, to eradicate all the security attacks, it is aimed to design a robust provable-secure privacy-preserving three-factor authentication protocol for IIoT in this research. Our scheme is analyzed using both informal and formal security reviews using broadly known random oracle models, BAN logic as well as simulated using a well-accepted ProVerif simulation tool that confirms that the protocol is well-secured against all existing security threats. It is exhibited in the performance estimation that the proposed scheme is more efficient as well as lightweight than other existing schemes. To conclude it can be said that the proposed scheme is easy to be realized in the resource-constrained IIoT environment.

A Secure and Lightweight Three‐Factor Remote User Authentication Protocol for Future IoT Applications

With the booming integration of IoT technology in our daily life applications such as smart industrial, smart city, smart home, smart grid, and healthcare, it is essential to ensure the security and privacy challenges of these systems. Furthermore, time‐critical IoT applications in healthcare require access from external parties (users) to their real‐time private information via wireless communication devices. Therefore, challenges such as user authentication must be addressed in IoT wireless sensor networks (WSNs). In this paper, we propose a secure and lightweight three‐factor (3FA) user authentication protocol based on feature extraction of user biometrics for future IoT WSN applications. The proposed protocol is based on the hash and XOR operations, including (i) a 3‐factor authentication (i.e., smart device, biometrics, and user password); (ii) shared session key; (iii) mutual authentication; and (iv) key freshness. We demonstrate the proposed protocol’s security using the widely accepted Burrows–Abadi–Needham (BAN) logic, Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool, and the informal security analysis that demonstrates its other features. In addition, our simulations prove that the proposed protocol is superior to the existing related authentication protocols, in terms of security and functionality features, along with communication and computation overheads. Moreover, the proposed protocol can be utilized efficiently in most of IoT’s WSN applications, such as wireless healthcare sensor networks.

A Secure and Efficient ECC-Based Anonymous Authentication Protocol

Nowadays, remote user authentication protocol plays a great role in ensuring the security of data transmission and protecting the privacy of users for various network services. In this study, we discover two recently introduced anonymous authentication schemes are not as secure as they claimed, by demonstrating they suffer from offline password guessing attack, desynchronization attack, session key disclosure attack, failure to achieve user anonymity, or forward secrecy. Besides, we reveal two environment-specific authentication schemes have weaknesses like impersonation attack. To eliminate the security vulnerabilities of existing schemes, we propose an improved authentication scheme based on elliptic curve cryptosystem. We use BAN logic and heuristic analysis to prove our scheme provides perfect security attributes and is resistant to known attacks. In addition, the security and performance comparison show that our scheme is superior with better security and low computation and communication cost.

An enhanced anonymous and unlinkable user authentication and key agreement protocol for TMIS by utilization of ECC

SummaryThe telecare medicine information systems (TMISs) not only help patients to receive incessant health care services but also assist the medical staffs to access patients' electronic health records anytime and from anywhere via Internet. Since the online communications are exposed to numerous security threats, the mutual authentication and key agreement between patients and the medical servers are of prime significance. During the recent years, various user authentication schemes have been suggested for the TMISs. Nonetheless, most of them are susceptible to some known attacks or have high computational cost. Newly, an effective remote user authentication and session key agreement protocol has been introduced by Ravanbakhsh and Nazari for health care systems. Besides the nice contributions of their work, we found that it has two security weaknesses, namely, known session‐specific temporary information attack and lack of perfect forward secrecy. As a result, to overcome these deficiencies, this paper suggests a novel anonymous and unlinkable user authentication and key agreement scheme for TMISs using the elliptic curve cryptosystem (ECC). We have evaluated the security of the proposed scheme by applying the automated validation of internet security protocols and applications (AVISPA) tool with the intention of indicating that our scheme can satisfy the vital security features. In addition, we have compared the proposed protocol with related schemes to show that it has a proper level of performance. The obtained results demonstrate that the new scheme is more preferable considering both efficiency and security criteria.

Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography

Due to small cell deployments and multiple servers in 5G networks, a fast and anonymous mutual authentication protocol needs to be developed for complex 5G networks. In this paper, we propose a lightweight and untraceable authentication protocol for multi-server-based 5G networks. To reduce computational complexity, we employ self-certified public key cryptography based on elliptic curve cryptography to authenticate the validation of users and servers. Without pairing operations, our scheme could improve performance efficiency. Also, a formal security model is designed to prove that our protocol is secure against forgery attack due to the discrete logarithm and the computational Diffie-Hellman problem. Performance analysis further shows that our protocol has a lower communication and computational overhead. Also, our protocol could support anonymous mutual authentication.

A new three-factor authentication and key agreement protocol for multi-server environment

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.

A Secure Remote User Authentication Protocol for Healthcare Monitoring Using Wireless Medical Sensor Networks

The wireless medical sensor networks WMSN play a crucial role in healthcare monitoring remotely. In remote healthcare monitoring, the sensor nodes are deployed in patient's body for collecting physiological data and transmit these data over an insecure channel. The patient's health information is highly sensitive and important. Any malicious modification in physiological data will make wrong diagnoses and harm the patient health. Therefore, privacy, data security, and user authentication are extremely important for accessing patient's real-time heath information over an insecure channel. In this regard, this article proposes a secure and robust two-factor based remote user authentication protocol for healthcare monitoring. The authentication proof has done with the help of BAN logic, which ensures that the proposed scheme provides mutual authentication and session key agreement securely. The informal security verification proves that the developed protocol is secure from various security attacks. The simulation of the proposed scheme has been done using AVISPA tool, whose simulation results confirm that the proposed scheme is secure from active and passive attacks. Performance evaluation shows that the proposed protocol is efficient in terms of security features, computation cost, communication cost, and execution time.

Low-Overhead Remote User Authentication Protocol for IoT Based on a Fuzzy Extractor and Feature Extraction

The Internet of things (IoT) is a system of smart technologies and services that mutually communicate data between users and devices or between devices via the Internet. Since data are shared between a remote user and various sensing devices over a network, it is essential to design a secure, lightweight and efficient remote user authentication protocol for the IoT environment. In the context of security and network privacy, mutual authentication is necessary for securely accessing the services of the IoT environment. However, the IoT faces substantial new challenges realizing mutual authentication due to IoT devices constraints. In this paper, we present a lightweight, robust and secure authentication protocol that satisfies constraints on IoT devices. The proposed protocol is based on level 3 feature extraction, fuzzy extraction of the user's biometrics, one-way hash functions and XOR operations and includes (1) three-factor authentication (user password, biometrics and smart devices), (2) mutual authentication, (3) a session key, and (4) key freshness. Furthermore, we have used the Burrows-Abadi-Needham logic to prove the authentication of our proposed protocol. In addition, our proposed protocol does not require additional hardware or a resource-constrained cryptosystem, and for that reason; hence, it has the lowest computational cost on the IoT nodes (0.003_ms), the lowest total computational cost (0.071_ms), and the lowest communication cost (2784 bits) compared with other relevant works. Moreover, we have conducted an informal security analysis to prove its ability to withstand well-known malicious attacks, such as replay attacks, impersonation attacks, password change attacks, man-in-the-middle (MITM) attacks, and denial of service (DOS) attacks.

An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring

With the rapid growth of wireless medical sensor networks (WMSNs) based healthcare applications, protecting both the privacy and security from illegitimate users, are major concern issues since patient’s precise information is vital for the proper diagnosis procedure. So, authentication protocol is one of the efficient mechanisms to deal with trustworthy and authentic users. Several authentication protocols have been proposed in WMSNs environment. However, the most of these protocols are so susceptible to security threats and not suitable for practical use. In this article, recently proposed Amin et al.’s authentication scheme is reviewed and some vulnerabilities like off-line password guessing attack, user impersonation attack, known session-key temporary information attack, the revelation of secret parameters, and identity guessing attack are pointed out. To overcome all the above mentioned vulnerabilities, we have proposed an enhanced three-factor based remote user authentication protocol in WMSNs environment. Further, the proposed protocol is validated using Burrows–Abadi–Needham logic and then simulated using Automated Validation of Internet Security Protocols and Applications tool. Moreover, the security analysis ensures that the proposed protocol is well protected from various types of malicious attacks. In addition, the performance evaluation shows better efficiency and suitability of our protocol over other related protocols.

Security Analysis of Improved User Authentication Schemes Using Smart Cards

Smart card based remote user authentication is a broadly adopted method of authentication within insecure communication channels. Recently, Wen and Li proposed a dynamic ID-based remote user authentication protocol with key agreement. Unfortunately, Kim, Nam and Won pointed out that Wen and Li’s authentication protocol suffers from leakage of some key information to an adversary and a man-in-the-middle attack. Kim et al. proposed an improved ID-based remote user authentication scheme. In this work, we revisit Kim et al.’s protocol. Our results indicate that their scheme is vulnerable to smart card loss attack, stolen verifier attack and privileged insider attack. Furthermore, the authentication protocol cannot provide perfect forward secrecy and user anonymity. These weaknesses also exist in Wen and Li’s authentication scheme.

Chaotic Map-Based Anonymous User Authentication Scheme With User Biometrics and Fuzzy Extractor for Crowdsourcing Internet of Things

The recent proliferation of mobile devices, such as smartphones and wearable devices has given rise to crowdsourcing Internet of Things (IoT) applications. E-healthcare service is one of the important services for the crowdsourcing IoT applications that facilitates remote access or storage of medical server data to the authorized users (for example, doctors, patients, and nurses) via wireless communication. As wireless communication is susceptible to various kinds of threats and attacks, remote user authentication is highly essential for a hazard-free use of these services. In this paper, we aim to propose a new secure three-factor user remote user authentication protocol based on the extended chaotic maps. The three factors involved in the proposed scheme are: 1) smart card; 2) password; and 3) personal biometrics. As the proposed scheme avoids computationally expensive elliptic curve point multiplication or modular exponentiation operation, it is lightweight and efficient. The formal security verification using the widely-accepted verification tool, called the ProVerif 1.93, shows that the presented scheme is secure. In addition, we present the formal security analysis using the both widely accepted real-or-random model and Burrows–Abadi–Needham logic. With the combination of high security and appreciably low communication and computational overheads, our scheme is very much practical for battery limited devices for the healthcare applications as compared to other existing related schemes.

Cryptanalysis and Improvement of Chandrakar and Om’s Remote User Authentication Protocol for the Multiserver Environment

Recently, Amin and Biswas proposed a bilinear pairing-based remoter user authentication protocol for multiserver environment, claiming it to be secure under various attacks. However, Chandrakar and Om found that the protocol suffers from an identity guessing attack, a password guessing attack, a user-server impersonation attack and so forth. To erase these weaknesses in Amin and Biswas’s protocol, they later proposed an enhanced ECC-based remoter user authentication protocol. Unfortunately, in this paper, we demonstrate that Chandrakar and Om’s protocol is still vulnerable to a user impersonation attack and cannot provide perfect forward secrecy. To solve the drawbacks, we suggest some simple but effective modification.

A secure remote user authentication scheme for smart cities e-governance applications

Smart cities are rapidly gaining momentum and aims at improving the quality of life of citizens by adopting Information and Communication Technology. E-governance have become the smarter way of deployment of administration by the authority under its jurisdiction. The citizens can access the services of government anywhere at any time. Since this technique requires the transmission of sensitive information between the government and the citizen through the Internet, information security is of utmost importance. This paper proposes a lightweight, robust remote user authentication and key agreement protocol for e-governance applications in the smart cities. The proposed protocol is based on XOR and hash operations, and includes (1) a password and smart card, (2) user anonymity, (3) mutual authentication, (4) shared session key, and (5) key freshness. It satisfies desirable security attributes and is resistant against all well-known security attacks. Further, the formal security verification using AVISPA and informal security proves the security strength of the proposed protocol and its robustness against all possible security threats.

Comment on ‘Efficient and secure dynamic ID‐based remote user authentication scheme for distributed systems using smart cards’

This comment paper refers to an article published by Leu and Hsieh in IET Information Security in the year 2014. Leu and Hsieh proposed a remote user authentication protocol for distributed systems using smartcard. Their protocol affords user anonymity and no verification tables at either end, which can decrease the storage space along with the computations. Their protocol can resist security attacks and is efficient compared with few relevant protocols in terms of computational cost. However, this comment paper brings questions about the correctness of the design of Leu and Hsieh's protocol.

Cryptanalysis and improvement of a biometric‐based remote user authentication protocol usable in a multiserver environment

AbstractRecently, Amin and Biswas have discussed a bilinear pairing–based three‐factor remote user authentication protocol, claiming it to be secured against various attacks. We scrutinize this protocol and find that it is vulnerable to identity guessing attack, password guessing attack, user untraceability attack, user‐server impersonation attack, new smart card issue attack, and privileged insider attack. In this paper, we propose an elliptic curve cryptography and biometric‐based remote user authentication protocol for a multiserver environment by overcoming these drawbacks. We conduct its informal and formal security analysis to show that it resists all known security attacks. The Burrows‐Abadi‐Needham (BAN) logic verifies that our protocol facilitates mutual authentication and session key agreement securely. We simulate it using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to certify that it can be protected from passive and active threats, including replay and man‐in‐the‐middle attacks. Furthermore, the proposed protocol provides more security attributes and better complexity in terms of smart card storage cost, computation cost, estimated time, and communication cost, as compared with the related existing protocols.