Server Spoofing Research Articles

Fortification of Transport Layer Security Protocol by using Password and Fingerprint as Identity Authentication Parameters

Whenever there is communication between Client and Server over a public link and resources are to be accessed from remote systems, then proving an identity becomes quiet complex because there is need of proper access rights with authentication. Complete security at the transport layer starts with proof of authentication, majority organizations only use password for security but this research paper would include one more tier of security to the transport layer security protocol by using fingerprints for identity authentication. Bio Hashing with the help of Minutiae Points at the fingerprints would be used for mutual authentication. Complete comparative analysis of all the existing password authentication schemes on the basis of security requirements and attacks is done in this paper. Result is generated that which existing scheme could withstand security requirement of mutual authentication for using fingerprint as identity parameter along with password. Proof is generated that with mutual authentication intruders could not practice Phishing, IP or Server Spoofing, Smurf attack and DNS Poisoning etc. Research paper focuses on implementing Password and Fingerprints for mutual authentication in Multi Server environment which will generate an Ideal Password Authentication Scheme and will result in fortification of Transport Layer Security Protocol. General Terms Ideal Password Authentication Scheme, Multi Server Environment

An Efficient and Secure ID-based Remote User Authentication Scheme using Smart Card

The User Authentication mechanism technology has enjoyed strong growth in recent year, but security threats and facing attacks in authentication have grown equally fast. Today, there are many potential attacks that are targeted at authentication including insider attack, masquerade attack, server spoofing attack, parallel session attack, offline password guessing attack and many more. Recently, In 2010 R. Song proposed advanced smart card based password authentication protocol with such non-tamper resistant smart card based on symmetric key cryptosystem as well as modular exponentiation. R. Song et al Scheme is vulnerable to the offline password attack, insider attack; forward secrecy and denial of service attack are cryptanalyses by W B Horng. In this article, we will propose an efficient ID-based authentication scheme which can avoid all type of security flaws. The functionally, performance and security analysis show that our proposed scheme is feasible in terms of computation cost, storage capacity and the scheme can resist server attack.

Weaknesses of an efficient and secure dynamic ID-based remote user authentication scheme

Recently, Wang, Liu, Xiao and Dan proposed an efficient and secure dynamic ID-based remote user authentication scheme and claimed that their scheme provides strong security. We demonstrate that Wang et al.’s scheme is vulnerable to insider, masquerade and server spoofing attacks.

A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment

Since the number of server providing the facilities for users is usually more than one, remote user authentication schemes used for multi-server architectures, rather than single server circumstance, is considered. As far as security is concerned, privacy is the most important requirements, though some other properties are also desirable in practice. Recently, a number of dynamic ID-based user authentication schemes have been proposed. However, most of those schemes have more or less weaknesses and/or security flaws. In the worst case, user privacy cannot be achieved since malicious servers or users can mount some attacks, i.e., server spoofing attack and impersonation attack, to identify the unique identifier of users and masquerade of one entity as some other. In this paper, we analyze two latest research works and demonstrate that they cannot achieve true anonymity and have some other weaknesses. We further propose the improvements to avoid those security problems. Besides user privacy, the key features of our scheme are including no verification table, freely chosen password, mutual authentication, low computation and communication cost, single registration, session key agreement, and being secure against the related attacks.

Three Attacks on Jia et al.'s Remote User Authentication Scheme using Bilinear Pairings and ECC

Recently, Jia et al. proposed a remote user authentication scheme using bilinear pairings and an Elliptic Curve Cryptosystem (ECC). However, the scheme is vulnerable to privileged insider attack at their proposed registration phase and to forgery attack at their proposed authentication phase. In addition, the scheme can be vulnerable to server spoofing attack because it does not provide mutual authentication between the user and the remote server. Therefore, this paper points out that the Jia et al. scheme is vulnerable to the above three attacks. Keywords—Cryptography, authentication, smart card, password, cryptanalysis, bilinear pairings.

Design of improved password authentication and update scheme based on elliptic curve cryptography

Secured password authentication and update of passwords are two essential requirements for remote login over unreliable networks. In this paper, an elliptic curve cryptography (ECC) based technique has been proposed that not only satisfies the above two requirements, but also provides additional security requirements that are not available in some schemes proposed so far. For instances, the Peyravian and Zunic’s scheme does not provide the protection against the password guessing attack, server spoofing attack and data eavesdropping attack. Although some modifications to remove these attacks have been proposed by Hwang and Yeh, Lee et al., it has been found that some attacks like replay attack, server spoofing attack, data eavesdropping attack, etc. are still possible. Subsequently, Hwang and Yeh’s scheme is further improved by Lin and Hwang, which has been analyzed in this paper and certain security flaws have been identified. We have attempted to remove these security flaws and proposed an ECC-based scheme that in addition to the secured password authentication and password update, it protects several related attacks efficiently. As a proof of our claim, the detailed security analysis of the proposed scheme against the attacks has been given. One advantage of the proposed scheme is that it generates an ECC-based common secret key that can be used for symmetric encryption, which requires lesser processing time than the time required in the public key encryption-based techniques.

A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards

Recently, Hsiang et al. pointed out that Liao-Wang’s dynamic ID based remote user authentication scheme for multi-server environment is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center attack and is not easily reparable. Besides, Liao-Wang’s scheme cannot achieve mutual authentication. For this, Hsiang et al. proposed an improved scheme to overcome these weaknesses and claimed that their scheme is efficient, secure, and suitable for the practical application environment. However, we observe that Hsiang et al.’s scheme is still vulnerable to a masquerade attack, server spoofing attack, and is not easily reparable. Furthermore, it cannot provide mutual authentication. Therefore, in this paper we propose an improved scheme to solve these weaknesses.

A Multifactor Hash Digest Challenge-Response Authentication Scheme for Session Initiation Protocol

Authentication is a process by which the sender and the receiver identify the legal communicating partners prior to commencement of message transactions.   Authentication is a kind of security which is ascertained at the time of initiation of the communication between the two communicating entities like client and server.   Network communications are found to be vulnerable due to the increase of number of threats from unknown intruders.   Session Initiation Protocol (SIP) is used for initializing the session between two communicating devices or entities.   This protocol is widely used in multimedia communications.   SIP is a powerful signaling protocol which initializes, establishes, maintains, and terminates the session between the communicating devices.    Many authentication schemes were proposed for SIP from time to time.   Here we propose a new authentication scheme for SIP based on Multifactor Hash Digest Challenge-Response Sequence Count method.   This method enhances the SIP authentication and overcomes vulnerability attacks like Password guessing, Server spoofing, Replay, Bucket Brigade and Modification Attacks.   This method ensures the Confidentiality and Integrity in SIP Authentication process.

An Authentication and Key Agreement Scheme with Key Confirmation and Privacy-preservation for Multi-server Environments

In the internet environment, it is desirable for a user to login different servers by keying the same password and using the same smart card. This paper proposes an authentication and key agreement scheme with key confirmation for multi-server environments. Compared with the previous authentication and key agreement schemes for multi-server environments, the new scheme holds many merits. It satisfies the following properties: R1. Single registration; R2. User friendly; R3. Prevention of the replay, the password guessing without smart cards, the impersonation and the stolen-verifier attacks; R4. Resistance against server spoofing; R5. Mutual authentication; R6. Two-factor authentication; R7.Resistance against known-key attacks; R8. Perfect forward secrecy; R9. Scalability of login; R10. Anonymity of users.

Two Improved Multi-server Authentication Protocols Based on Hash Function and Smart Card

To use the network services provided by multiple servers in mobile wireless network, recently, Tsai proposed a hash function and smart card based multi-server authentication protocol. Chen et al. showed that Tsai’s scheme cannot resist the server spoofing attack, and proposed a novel one. In this paper, we show that Chen et al.’s protocol cannot resist off-line password guessing attacks, and propose two improvements of Tsai and Chen et al’s protocols, respectively. Two improved protocols have many advantages over existing solutions, as it relies on neither of encryption, signature, verification tables, timestamp, and public keys directory.

Cryptanalysis of Hsiang‐Shih's authentication scheme for multi‐server architecture

AbstractFrom user point of view, password‐based remote user authentication technique is one of the most convenient and easy‐to‐use mechanisms to provide necessary security on system access. As the number of computer crimes in modern cyberspace has increased dramatically, the robustness of password‐based authentication schemes has been investigated by industries and organizations in recent years. In this paper, a well‐designed password‐based authentication protocol for multi‐server communication environment, introduced by Hsiang and Shih, is evaluated. Our security analysis indicates that their scheme is insecure against session key disclosure, server spoofing attack, and replay attack and behavior denial. Copyright © 2010 John Wiley & Sons, Ltd.

User authentication scheme with privacy-preservation for multi-server environment

New user authentication schemes for multiple-servers environment were proposed by Liao-Wang and Tsai. In their schemes, application servers do not need to maintain a verification table and this admired merit is not addressed by previous scholarship. Besides, the privacy of users is also addressed in Liao-Wang's scheme. In this article, we show that their schemes are not secure against the server spoofing and the impersonation attacks. Then we propose a robust user authentication scheme to withstand these attacks and keep the same merits.

Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment

Recently, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environment, and claimed that their scheme was intended to provide mutual authentication, two-factor security, replay attack, server spoofing attack, insider and stolen verifier attack, forward secrecy and user anonymity. In this paper, we show that Liao and Wang's scheme is still vulnerable to insider's attack, masquerade attack, server spoofing attack, registration center spoofing attack and is not reparable. Furthermore, it fails to provide mutual authentication. To remedy these flaws, this paper proposes an efficient improvement over Liao–Wang's scheme with more security. The computation cost, security, and efficiency of the improved scheme are well suited to the practical applications environment.

New dynamic password authentication based on smart card and fingerprint

In 2005,Zhang et al.proposed a dynamic password authentication based on smart card and fingerprint.This paper found that Zhang et al.'s authentication scheme was vulnerable to a server spoofing attack.Any adversary can masquerade as a legal server by sending two fixed parameters.Therefore,an improved scheme was proposed.This proposed scheme encrypted individual information and protected a parameter sent from the server by using one-way hash function.It also protected the random number sent from the server by using the shared information.

A new provably secure authentication and key agreement protocol for SIP using ECC

SIP has been chosen as the protocol for multimedia application in 3G mobile networks. The authentication mechanism proposed in SIP specification is HTTP digest based authentication, which allows malicious parties to impersonate other parties or to charge calls to others, furthermore, other security problems, such as off-line password guessing attacks and server spoofing, are also needed to be solved. This paper proposes a new authenticated key exchange protocol NAKE, which can solve the existing problems in the original proposal. The NAKE protocol is probably secure in CK security model, thus it inherits the corresponding security attributes in CK security model.

Improving the security of ‘a flexible biometrics remote user authentication scheme’

Recently, Lin-Lai proposed 'a flexible biometrics remote user authentication scheme,' which is based on El Gamal's cryptosystem and fingerprint verification, and does not need to maintain verification tables on the server. They claimed that their scheme is secured from attacks and suitable for high security applications; however, we point out that their scheme is vulnerable and can easily be cryptanalyzed. We demonstrate that their scheme performs only unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their scheme is susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Lin-Lai's scheme. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication. Moreover, some standards for biometric-based authentication are also discussed, which should be followed during the development of biometric systems.

Secure authentication scheme for session initiation protocol

The Session Initiation Protocol provides an expandable and easy solution to the IP-based telephony environment. When users ask to use an SIP service, they need to be authenticated in order to get service from the server. Therefore, some SIP authentication procedure schemes were proposed to meet the above demand. However, there are security problems that need to be solved, such as off-line password guessing attacks and server spoofing. In this article, we shall propose a new scheme for a secure authentication procedure for the Session Initiation Protocol to enhance the security of the original scheme.

Comments on YEH-SHEN-HWANG's One-Time Password Authentication Scheme

Recently, Yeh, Shen and Hwang proposed an one-time password authentication scheme, which enhances the S/KEY scheme to resist server spoofing attacks, preplay attacks and off-line dictionary attacks. In this letter, the weaknesses and inconveniences of their scheme are demonstrated.

A secure and efficient strong-password authentication protocol

Password authentication protocols are divided into two types. One employs the easy-to-remember password while the other requires the strong password. In 2001, Lin et al. proposed an optimal strong-password authentication protocol (OSPA) to resist the replay attack and the denial-of-service attack. However, Chen and Ku pointed out that the OSPA protocol is vulnerable to the stolen-verifier attack. Hence, Lin et al. presented an enhancement in 2003. Nevertheless, mutual authentication is not ensured in Lin et al.'s protocol such that it suffers from the server spoofing attack. Moreover, Lin et al.'s protocol is also vulnerable to the denial-of-service attack. As a result, we present a secure strong-password authentication protocol in this paper to overcome their disadvantages.

A secure one-time password authentication scheme with low-computation for mobile communications

In recent years, m-commerce technology has been maturing. Various mobile devices are now designed to help users reach the servers of service providers and to process tasks such as stock trading, product purchasing, product information collecting, and so on. Once the services are only available to the members, authentication is applied to verify the identities of users. However, most current authentication methods used in m-commerce are designed for wired networks and require high computation costs, making them unsuitable for wireless environments.A one-time password authentication scheme that uses lighter computation and considers the limitations of mobile devices is proposed in this paper. Meanwhile, the proposed scheme is free from replay attacks, server spoofing attacks, off-line dictionary attacks, active attacks, and revelation of message contents.