Two-factor Authentication Protocol Research Articles

Secure two-factor lightweight authentication protocol using self-certified public key cryptography for multi-server 5G networks

Recently Ying and Nayak proposed a multi-server supported lightweight authentication protocol for 5G networks and confirmed the security of their protocol against all prominent attacks. Nevertheless, this paper will show certain shortcomings in their protocol, like vulnerability against identity guessing, password guessing, and user impersonation attacks. Additionally, it lacks in rendering strong user anonymity and truly two-factor security. Following the crypt-analysis, we propose an improved multi-server authentication protocol, that resists all recognized attacks, including these traps. The formal analysis using broadly accepted BAN-logic assures that the proposed protocol provides mutual authentication among the user and service-providing server. Additionally, the automated verification using the “Automated Validation of Internet Security Protocols and Applications” (AVISPA) tool asserts that improved protocol is safe toward active attacks. The performance comparison with the Ying-Nayak's protocol is evident that the proposed protocol is efficient concerning computational complexity and communication costs.

A privacy preserving two-factor authentication protocol for the Bitcoin SPV nodes

In the Bitcoin network, the simplified payment verification protocol (SPV) enables a lightweight device such as a mobile phone to participate in the bitcoin network without needed todownload and store the whole Bitcoin blocks. A Bitcoin SPV node initiates and verifies transactions of the Bitcoin network through the Bitcoin wallet software which is deployed on a resource constrained device such as a mobile phone.Thus, the security of the wallet is critical for the SPV nodes as it may affect the security of users cryptocurrencies. However, there are some concerns about the security flaws within the SPV nodes which could lead to significant economic losses. Most of these vulnerabilities can be resolved by employing a secure user authentication protocol. Over the years, researchers have engaged in designing a secure authentication protocol. However, most proposals have security flaws or performance issues. Recently, Park et al. proposed a two-party authenticated key exchange protocol for the mobile environment. They claimed that their protocol is not only secure against various attacks but also can be deployed efficiently. However, after a thorough security analysis, we find that the Park et al.s protocol is vulnerable to user forgery attack, smart card stolen attack and unable to provide user anonymity. To enhance security, we proposed an efficient and secure user authentication protocol for the SPV nodes in the mobile environment which can fulfill all the security requirements and has provable security. Additionally, we provide performance analysis which shows our proposed protocol is efficient for the SPV nodes in the Bitcoin network.

Two-Factor Mutual Authentication Offloading for Mobile Cloud Computing

Security analysts have shown that it is possible to compromise the mobile two-factor authentication applications that employ SMS-based authentication. In this paper, we consider that offloading mobile applications to the cloud, which is resource-rich and provides a more secure environment, represents a good solution when energy limitation and security constraints are raised. To this end, we propose an offloading architecture for the two-factor mutual authentication applications, and a novel two-factor mutual authentication scheme based on a novel mechanism, named virtual smart card. We also propose a decision-making process to offload the authentication application and its virtual smart card, based on three conditions: security, mobile device's residual energy, and energy cost. We analytically derive the lower-bound on the mobile application running time from the energy cost formula to perform offloading. We analyze and verify the security properties of the proposed architecture, and provide evaluation results of the two-factor mutual authentication protocol and the offloading decision-making process.

A Novel Protocol to Provide Authentication and Privacy in WSN

A wireless sensor network holds a large amount of nodes. These nodes will contact themselves by utilizing some of the radio signals. wireless sensor networks (WSNs) has develop some applications during a huge selection areas, in the time of which external side users ought to straightly attach with sensors to get a perceived information. But, WSNs (wireless sensor node) are open to numerous attacks for wireless links, like eavesdropping and meddling. Two-factor authentication combining password and ID utterly like this demand due to password and ID usefulness. Then, a bucket of two-factor authentication protocol was advised in present research works. Because of the difficult assignment of adjustable potency and privacy requirements, still it’s difficult to introduce a privacyaware two-factor protocol that's potential of giving different safety features whereas take care of proper potency. in this paper the proposed work tend to suggests a privacy aware two-factor authentication protocol depend on ECC for wireless sensor nodes(WSNs). In this another convention performs distinctive wellbeing highlights need fully for the application situations, all things considered, though deal with appropriate power. So in this we will in general demonstrate that the presented convention accomplishes intelligent in the Burrows–Abadi– Needham judgment to boot, through manner of unofficial security statistics, the work show the introduced protocol will face up to a range of attacks and supply fascinating safety features.

MudraChain: Blockchain-based framework for automated cheque clearance in financial institutions

Currently, the burden on the cheque clearing houses in financial institutions is increasing day-by-day, which necessitates the upgrading of the existing cheque truncation system (CTS). It is a manual process which uses Magnetic Ink Character Recognition (MICR), where cheques have been scanned and sent to the clearing house for further processing. The limitations of existing CTS are — illegal duplication of cheque images, invisible ink usage, visibility issues in beneficiary name, and amount on the cheque. To handle the aforementioned issues of the existing CTS, blockchain has emerged as a new technology which is a distributed ledger that is timestamped and immutable. Being immutable, forgeries related to images of cheques during clearance cycles are not allowed. This provides trust and consensus among all participating entities in the network. Motivated by the above discussion, in this paper, we propose a framework named MudraChain for automated cheque clearance, where clearance operations are handled by the blockchain network, instead of existing CTS. It includes: (i) A multi-level authentication scheme to make the blockchain-based framework secure and tamper-proof among participating financial stakeholders, (ii) A quick-response (QR) code generation algorithm which performs digital signing of a cheque, and (iii) A novel two-factor authentication protocol to generate a time based one-time password (TOTP) for secure funds transfer. The obtained results are examined against state-of-the-art approaches to indicate the supremacy of the proposed framework. Thus, MudraChain allows a seamless flow of clearance operation via blockchain for the payer and the payee without any intermediaries. Finally, it addresses the requirements of building a secure application for cheque clearance in view of decentralized blockchain 4.0 applications.

Secure Three-Factor Authentication Protocol for Multi-Gateway IoT Environments.

Internet of Things (IoT) environments such as smart homes, smart factories, and smart buildings have become a part of our lives. The services of IoT environments are provided through wireless networks to legal users. However, the wireless network is an open channel, which is insecure to attacks from adversaries such as replay attacks, impersonation attacks, and invasions of privacy. To provide secure IoT services to users, mutual authentication protocols have attracted much attention as consequential security issues, and numerous protocols have been studied. In 2017, Bae et al. presented a smartcard-based two-factor authentication protocol for multi-gateway IoT environments. However, we point out that Bae et al.’s protocol is vulnerable to user impersonation attacks, gateway spoofing attacks, and session key disclosure, and cannot provide a mutual authentication. In addition, we propose a three-factor mutual authentication protocol for multi-gateway IoT environments to resolve these security weaknesses. Then, we use Burrows–Abadi–Needham (BAN) logic to prove that the proposed protocol achieves secure mutual authentication, and we use the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to analyze a formal security verification. In conclusion, our proposed protocol is secure and applicable in multi-gateway IoT environments.

Three party secure data transmission in IoT networks through design of a lightweight authenticated key agreement scheme

Abstract Wireless sensor networks (WSNs) can be deployed in any unattended environment. With new enhancements in internet of things (IoT) technology, authorized users are able to access reliable sensor nodes. By accessing the sensor nodes, they can obtain data and send commands to the nodes. Designing an efficient secure authentication and key agreement scheme is vital because of the resource constrained nature of nodes. During the last decade, several lightweight two-factor or three-factor authentication and key agreement protocols have been proposed to provide secure communication links between users and sensor nodes. However, after careful assessment of these works, we found that two of recently proposed ones, which have tried to improve their previous works, are still susceptible to strong replay attacks or do not provide perfect forward secrecy. Therefore, to address this concern, in this paper, we propose a secure and lightweight authentication and key agreement protocol for IoT based WSNs that is free from the security challenges of previous protocols. Formal security verification of the proposed protocol is presented using the well-known and widely-accepted Automated Validation of Internet Security Protocols and Applications tool. Comparative security and performance evaluations with other related works indicate the superiority of the proposed protocol.

Two-Factor Authentication for IoT With Location Information

The number of Internet of Things (IoT) devices is expected to grow exponentially in the near future and produce large amounts of potentially sensitive data. The simple and low cost nature of IoT devices makes them an attractive target for spoofing or impersonation attacks. To solve this issue, this paper proposes a two-factor authentication protocol using physically unclonable functions and the characteristics of the wireless signal from an IoT device. The security analysis and results on MICAz motes shows that the proposed protocol can be used as an effective tool to secure IoT systems from spoofing as well as various other attacks. A performance analysis of the proposed protocol shows that it has a significantly lower computational overhead and energy consumption compared to existing techniques.

An Improved Lightweight Two-Factor Authentication and Key Agreement Protocol with Dynamic Identity Based on Elliptic Curve Cryptography

An Improved Lightweight Two-Factor Authentication and Key Agreement Protocol with Dynamic Identity Based on Elliptic Curve Cryptography

Comments on Physically Unclonable Function Based Two-Factor Authentication Protocols

Physically unclonable function (PUF) is an embedded hardware-based function in a device and cannot be cloned or reproduced on another device. Due to its unclonability, the PUF has been one of the hot issues in IoT devices over pervasive communication network. Recently, there have been attempts to combine a password with an input of PUF for more efficient authentication over insecure communication. In this paper, we firstly raise a question that “Is it really secure if a password is used for an input of PUF?”. Up to now, to the best of our knowledge, only two password-based PUF authentications have been introduced in the literature. We revisit two schemes in view of an off-line password guessing attack. Under a practical PUF assumption, however, we observe that two protocols are susceptible to an off-line dictionary attack. We also present a quite simple but powerful countermeasure.

An Efficient and Provably Secure Anonymous User Authentication and Key Agreement for Mobile Cloud Computing

Nowadays, due to the rapid development and wide deployment of handheld mobile devices, the mobile users begin to save their resources, access services, and run applications that are stored, deployed, and implemented in cloud computing which has huge storage space and massive computing capability with their mobile devices. However, the wireless channel is insecure and vulnerable to various attacks that pose a great threat to the transmission of sensitive data. Thus, the security mechanism of how the mobile devices and remote cloud server authenticate each other to create a secure session in mobile cloud computing environment has aroused the interest of researchers. In this paper, we propose an efficient and provably secure anonymous two-factor user authentication protocol for the mobile cloud computing environment. The proposed scheme not only provides mutual authentication between mobile devices and cloud computing but also fulfills the known security evaluation criteria. Moreover, utilization of ECC in our scheme reduces the computing cost for mobile devices that are computation capability limited and battery energy limited. In addition, the formal security proof is given to show that the proposed scheme is secure under random oracle model. Security analysis and performance comparisons indicate that the proposed scheme has reasonable computation cost and communication overhead at the mobile client side as well as the server side and is more efficient and more secure than the related competitive works.

Privacy preserving light weight authentication protocol (LEAP) for WBAN by exploring Genus-2 HEC

Wireless Body Area Network (WBAN) is evolving as the successful way of monitoring patient health and offers enhanced healthcare solutions to provide the better quality of life for the urban community. As it involves wireless communications, securing the privacy-related data is a key constraint in WBAN. To ensure privacy, it is essential to include authentication to prevent unauthorized access by intruders. This paper proposes the privacy preserving LightwEight two factors Authentication Protocol (LEAP) for WBAN based on genus-2 Hyper Elliptic Curve (HEC). Personal Digital Assistant (PDA) collects signals from sensors from the BAN. PDA transmits the healthcare data to the Healthcare Service Provider (HSP) connected in the public network. Hence, the two-factor mutual authentication protocol is established between PDA and HSP. Since PDA is considered as a resource constraint device, the lightweight mutual authentication is required. Genus 2 Hyper elliptic curve (HEC) is carefully designed to prevent all possible cryptographic attacks, which is more suitable for lightweight authentication since it provides the high degree of security with the lesser key size even as compared to the elliptic curve. Using the rigorous formal security analysis using BAN logic, it is proved that the proposed scheme is secure against possible attacks. Also, the privacy preserving lightweight authentication scheme is implemented using the most-widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and the simulation results reveal that proposed scheme is secure and robust.

A new three-factor authentication and key agreement protocol for multi-server environment

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.

Anonymous two factor authentication protocol for roaming service in global mobility network with security beyond traditional limit

In a globalized world, the mobile user roams frequently from one place to other. Global mobility network provides roaming services to a mobile user when the mobile user is away from his home network and wants to avail the services of the foreign network. Roaming authentication protocol supports authentication between the mobile user and the foreign server in global mobility network so that the malicious user can not get access the roaming services in the foreign network. Moreover, privacy-preserving authentication between the mobile user and the foreign server is an essential technology for the secure access of global mobility network because mobile user’s privacy protection has become a major issue due to increasingly misuse of consumer’s private data by various organizations and individuals. Many privacy-preserving two-factor authentication protocols have been proposed to provide secure roaming services in global mobility network but they failed to support privacy and security while ensuring efficient typo detection by the smart card. We propose a privacy-preserving secure two-factor authentication protocol for roaming service in global mobility network which not only ensures the privacy of the mobile user but also provides efficient typo detection using fuzzy verifier and honeyword technique. Moreover, the proposed protocol overcomes the problem of desynchronization attack using public key encryption technique based on quadratic residue assumption with low computational load at the mobile user.

An ameliorated two-factor anonymous key exchange authentication protocol for mobile client-server environment

An ameliorated two-factor anonymous key exchange authentication protocol for mobile client-server environment

A new lightweight authentication protocol in IoT environment for RFID tags

Nowadays, internet of things (IoT) is a prominent technology that provides the field for connection and information transfer through communicational networks like internet and intranet. Since IoT is applied in various functions so that personal information of individuals or objects may be read without consent of them or in absence of a secure protocol, that is a challenge in this part, this study aimed at identifying tags efficiently in order to protect privacy of things against attackers. In this research, a two-factor authentication protocol based on the public key cryptography has been presented in order to protect privacy. It has been tried in this protocol to diminish complicated calculations while the proposed method can resist against some attacks like tampering with tag and tag reader, tag tracking, man-in-the-middle attack, and replay attack. To examine the proposed method, application of paying toll in traffic management was used. Various traffic models have been considered to pay toll in proposed model and implementation of this method was done in simulation environment of MATLAB. In this simulation, two cryptography algorithms with Robin and ECC public keys with keys in different sizes were evaluated and results showed that almost all of passed tags were identified using an anticipation rate with high rate between tag and tag reader in a system implemented with Rabin algorithm. Moreover, this ratio was higher than 90% in a system that was implemented with ECC algorithm. However, application of conventional symmetric cryptographic algorithms such as AES can reduce ratio of read tags to lower than 20%.

Perfect forward secrecy in VoIP networks through design a lightweight and secure authenticated communication scheme

With the growth of the internet, development of IP based services has increased. Voice over IP (VoIP) technology is one of the services which works based on the internet and packet switching networks and uses this structure to transfer the multimedia data e.g. voices and images. Recently, Chaudhry et al., Zhang et al. and Nikooghadam et al. have presented three authentication and key agreement protocols, separately. However, in this paper, it is proved that the presented protocols by Chaudhry et al. and also Nikooghadam et al. do not provide the perfect forward secrecy, and the presented protocol by Zhang et al. not only is vulnerable to replay attack, and known session-specific temporary information attack, but also does not provide user anonymity, re-registration and revocation, and violation of fast error detection. Therefore, a secure and efficient two-factor authentication and key agreement protocol is presented. The security analysis proves that our proposed protocol is secure against various attacks. Furthermore, security of proposed scheme is formally analyzed using BAN logic and simulated by means of the AVISPA tool. The simulation results demonstrate security of presented protocol against active and passive attacks. The communication and computation cost of the proposed scheme is compared with previously proposed authentication schemes and results confirm superiority of the proposed scheme.

Secure and efficient two-factor zero-knowledge authentication solution for access control systems

The authentication schemes based on common chip cards such as Mifare cards are still very popular and are used in various access control systems deployed in critical infrastructure sectors, universities, companies, libraries, hospitals, and other public and private institutions. On one hand, the access control systems based on these obsolete cards and cryptographic protocols have several security flaws and can be easily attacked. On the other hand, newer authentication schemes usually need many complex cryptographic operations and thus take impractical time on current programmable smart cards during the authentication of users. In this paper, we present a secure and efficient two-factor authentication protocol for fast access control systems and user-things identification schemes based on programmable smart cards. Our protocol is based on a zero-knowledge approach, and it is protected against common attacks. Further, we implement the proposed authentication protocol on current off-the-shelf programmable smart cards in order to demonstrate its efficiency and practicality. Finally, we compare our solution with related works and show the improvement of our solution in computation and communication perspectives.

Improved keylogging and shoulder-surfing resistant visual two-factor authentication protocol

Designing a secure user authentication method that involves human in the authentication procedure is a challenging problem. Due to their high user convenience, the password is the most widely used means of authentication. However, passwords are vulnerability to compromise by disclosure using various forms of information tapping like Keylogging, phishing attack, human shoulder-surfing and camera-based recording. This paper starts with an analysis of a previous attempt that proposes two visual authentication protocols to enhance password authentication. These protocols were based on the use of user-driven visualization utilizing two-dimensional barcode and smartphones. Even though the two protocols resist some known types of attacks, our analysis reveals serious shortcomings. The first protocol is not secure against theft of a smartphone. Both protocols are not secure against shoulder surfing, camera-based recording and phishing attacks. In this paper, the deficiencies of the original scheme are demonstrated, then a two-factor authentication scheme that eliminates these deficiencies is presented. A prototype of the proposed scheme is implemented and a secured virtual on-screen keyboard (SVOSK) comprising dynamic emoticon keyboard layout is also proposed. Formal security proof and usability analyses show that the proposed scheme is secure, efficient and has a high level of usability.

A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment

With the great development of network technology, the multiserver system gets widely used in providing various of services. And the two-factor authentication protocols in multiserver system attract more and more attention. Recently, there are two new schemes for multiserver environment which claimed to be secure against the known attacks. However, after a scrutinization of these two schemes, we found that (1) their description of the adversary’s abilities is inaccurate; (2) their schemes suffer from many attacks. Thus, firstly, we corrected their description on the adversary capacities to introduce a widely accepted adversary model and then summarized fourteen security requirements of multiserver based on the works of pioneer contributors. Secondly, we revealed that one of the two schemes fails to preserve forward secrecy and user anonymity and cannot resist stolen-verifier attack and off-line dictionary attack and so forth and also demonstrated that another scheme fails to preserve forward secrecy and user anonymity and is not secure to insider attack and off-line dictionary attack, and so forth. Finally, we designed an enhanced scheme to overcome these identified weaknesses, proved its security via BAN logic and heuristic analysis, and then compared it with other relevant schemes. The comparison results showed the superiority of our scheme.