Verifier Attack Research Articles

A provably secure anonymous mutual authentication scheme with key agreement for SIP using ECC

Recently, Lu et al. and Chaudhry et al. presented an authenticated key agreement scheme for session initiation protocol (SIP), respectively. They illustrated their schemes are secure against various familiar attacks. However, we demonstrate Lu et al.’s scheme is vulnerable to stolen verifier attack and Chaudhry et al.’s scheme is insecure to session key attack. To solve these problems, we propose a new provably secure mutual authentication scheme for SIP. Informal security analysis illustrates this proposed protocol can withstand different kinds of familiar attacks including stolen verifier attack and session key attack. And the correctness and security of the proposed protocol is also proved through Protocol Composition Logic (PCL) and generic group model. Eventually, security comparison shows our proposed scheme is more secure and performance analysis demonstrates the computation cost is also acceptable.

Memory and machine attributes-based profiling and elliptic curve cryptography-based multi-level authentication for the security of Internet of Things

PurposeDue to the connectivity of the multiple devices and the systems on the same network, rapid development has become possible in Internet of Things (IoTs) for the last decade. But, IoT is mostly affected with severe security challenges due to the potential vulnerabilities happened through the multiple connectivity of sensors, devices and system. In order to handle the security challenges, literature presents a handful of security protocols for IoT. The purpose of this paper is to present a threat profiling and elliptic curve cryptography (ECC)-based mutual and multi-level authentication for the security of IoTs. This work contains two security attributes like memory and machine-related attributes for maintaining the profile table. Also, the profile table stores the value after encrypting the value with ECC to avoid storage resilience using the proposed protocol. Furthermore, three entities like, IoT device, server and authorization centre (AC) performs the verification based on seven levels mutually to provide the resilience against most of the widely accepted attacks. Finally, DPWSim is utilized for simulation of IoT and verification of proposed protocol to show that the protocol is secure against passive and active attacks.Design/methodology/approachIn this work, the authors have presented a threat profiling and ECC-based mutual and multi-level authentication for the security of IoTs. This work contains two security attributes like memory and machine-related attributes for maintaining the profile table. Also, the profile table stores the value after encrypting the value with ECC to avoid storage resilience using the proposed protocol. Furthermore, three entities like, IoT device, server and AC performs the verification based on seven levels mutually to provide the resilience against most of the widely accepted attacks.FindingsDPWSim is utilized for simulation of IoT and verification of the proposed protocol to show that this protocol is secure against passive and active attacks. Also, attack analysis is carried out to prove the robustness of the proposed protocol against the password guessing attack, impersonation attack, server spoofing attack, stolen verifier attack and reply attack.Originality/valueThis paper presents a threat profiling and ECC-based mutual and multi-level authentication for the security of IoTs.

A password based authentication scheme for wireless multimedia systems

In this digital era, where Internet of Things (IoT) is increasing day by day, use of resource constrained devices is also increasing. Indeed, the features such as low cost, less maintenance, more adaptive to hostile environment, etc. make the wireless multimedia devices to be the best choice as the resource constrained devices. For the security, the end user device requires to establish the session key with the server before transferring the data. Mobile is one of the device having more and more usage as wireless multimedia device in recent years. In 2013, Li et al. proposed an efficient scheme for the wireless mobile communications and claimed it to be secure against various attacks. Recently, Shen et al. claimed that the scheme of Li et al. is still vulnerable to the privileged insider attack, the stolen verifier attack and finally proposed a scheme to withstand the mentioned and other attacks. However, in this paper we claim that the scheme of Shen et al. is still susceptible to the user anonymity, the session specific temporary information attack and the replay attack. In addition, Shen et al.’s scheme requires more time due to many operations. Further, we propose an efficient scheme that is secure against various known attacks and due to reduced time complexity our scheme is a preferred choice for the wireless mobile networks and hence for wireless multimedia systems.

Improving Security of Lightweight Authentication Technique for Heterogeneous Wireless Sensor Networks

One of the great application of user authentication and key agreement protocol is to access sensor information securely over the insecure networks. Recently, Kalra and Sood proposed an efficient smart card based authentication protocol to exchange confidential information securely between the user and sensor node. We review the security of Kalra and Sood scheme and observe that their scheme is vulnerable to stolen smart card attack, stolen verifier attack and impersonation attack. The entire analysis indicates that there is a need of secure and user-friendly authentication mechanism for wireless sensor networks (WSNs). To ensure secure communication in WSNs, we improve the security of the authentication mechanism for WSNs. The main intention of this paper is to confiscate the mentioned security attacks by proposing an efficient authentication protocol using smart card. To validate security attributes, we have used well-popular AVISPA simulation tool whose results shows that the proposed protocol is SAFE under OFMC and CL-AtSe models. Further, the performance analysis shows its efficiency.

Smart card–based password authenticated key agreement protocol using chaotic maps

SummaryIn 2015, Lee proposed time stamp–based and nonce‐based password authenticated key agreement protocols based on the Chebyshev chaotic map to enhance the security of relevant schemes. However, in this paper, we demonstrate that Lee's protocols are vulnerable to user impersonation and stolen verifier attacks. To overcome these security problems, we thus provide an improved version using a smart card. Security analysis and comparisons show that the proposed protocol is more secure and maintains better performance. Furthermore, we perform a formal verification of the proposed protocol using the widely accepted AVISPA tool for error detection.

A Multiserver Biometric Authentication Scheme for TMIS using Elliptic Curve Cryptography.

Recently several authentication schemes are proposed for telecare medicine information system (TMIS). Many of such schemes are proved to have weaknesses against known attacks. Furthermore, numerous such schemes cannot be used in real time scenarios. Because they assume a single server for authentication across the globe. Very recently, Amin et al. (J. Med. Syst. 39(11):180, 2015) designed an authentication scheme for secure communication between a patient and a medical practitioner using a trusted central medical server. They claimed their scheme to extend all security requirements and emphasized the efficiency of their scheme. However, the analysis in this article proves that the scheme designed by Amin et al. is vulnerable to stolen smart card and stolen verifier attacks. Furthermore, their scheme is having scalability issues along with inefficient password change and password recovery phases. Then we propose an improved scheme. The proposed scheme is more practical, secure and lightweight than Amin et al.'s scheme. The security of proposed scheme is proved using the popular automated tool ProVerif.

Verifying the Security Characteristics of a Secure Physical Access Control Protocol

Physical access control protocols provide a structured method of controlling the behavior of physical devices which in many cases are not only remotely located with respect to the accessing entity, but require the exchange of messages over one or more untrusted networks, such as the internet. Therefore, if it is necessary to prevent unauthorized access to the controlled physical devices, it is essential that the physical access control protocol exhibit certain verifiable security properties. We studied the Universal Physical Access Control System (UPACS) and used the formal protocol verification tool Proverif to verify that it possesses several key security properties. We also conducted a security analysis of the protocol and verified that it was resilient or otherwise invulnerable to several known forms of security attack, including Attacks on User Privacy and Anonymity, Session Key Security Attacks, Password Guessing Attacks, De-Synchronization Attacks, Replay Attacks, Eavesdropping Attacks, Denial-of-Service Attacks, User and Server Masquerade Attacks, Stolen Verifier Attacks and Stolen Password Attacks.

A privacy‐preserving multi‐server authenticated key‐agreement scheme based on Chebyshev chaotic maps

AbstractThe paper presents a password‐based authenticated key‐agreement protocol for multi‐server environments by using Chebyshev chaotic maps. The protocol allows a user to login to different servers via a single password. The proposed scheme has removed the weakness of multi‐server authenticated key‐agreement schemes, which adopt the architecture of two‐level servers. After a user has finished the first login to a service providing server, the control server is not required to be online for the user's subsequent logins. Compared with the related multi‐server authentication schemes, our scheme meets more security requirements, such as mutual authentication, perfect forward security, freedom of password change, scalability of login, resistance to the stolen verifier attacks, resistance to server spoofing attacks, and two‐factor security. Detailed analysis shows that the proposed scheme can resist several kinds of attacks. The proposed scheme is provably secure under the CDH assumption of Chebyshev polynomials in the random oracle model. Furthermore, it offers the user and server with privacy‐preserving, that is, anonymity and untraceability. Any adversary can neither figure out the identities of users or the identities of service providing servers nor link different sessions with a user or a server. Copyright © 2016 John Wiley & Sons, Ltd.

A Provably Secure, Efficient, and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks

In 2014, Turkanovic et al. proposed a smart card-based authentication scheme for heterogeneous ad hoc wireless sensor network. This scheme is very efficient since it employs only hash function and XOR operation. However, we found that Turkanovic et al. ’s scheme is vulnerable to impersonation attack with node capture, stolen smart card attack, sensor node spoofing attack, stolen verifier attack, and fails to ensure backward secrecy. We propose an efficient scheme to overcome all those weaknesses. Moreover, we also propose an advanced scheme, which provides perfect forward secrecy without much modification from the first proposed scheme.

Single round-trip SIP authentication scheme with provable security for Voice over Internet Protocol using smart card

In recent years, Voice over Internet Protocol (VoIP) has gained more and more popularity as an application of the Internet technology. For various IP applications including VoIP, the topic of Session Initiation Protocol (SIP) has attracted major concern from researchers. SIP is an advanced signaling protocol operating on Internet Telephony. SIP uses digest authentication protocols such as Simple Mail Transport Protocol (SMTP) and Hyper Text Transport Protocol (HTTP). When a user seeks SIP services, authentication plays an important role in providing secure access to the server only to the authorized access seekers. Being an insecure-channel-based protocol, a SIP authentication protocol is susceptible to adversarial threats. Therefore, security is a big concern in SIP authentication mechanisms. This paper reveals the security vulnerabilities of two recently proposed SIP authentication schemes for VoIP, Irshad et al.'s scheme [Multimed. Tools. Appl. doi:10.1007/s11042-013-1807-z] and Arshad and Nikooghadam's scheme [Multimed. Tools. Appl. DOI 10.1007/s11042-014-2282-x], the later scheme is based on the former scheme. Irshad et al.'s scheme suffers from password guessing, user impersonation and server spoofing attacks. Arshad and Nikooghadam's scheme can be threatened with server spoofing and stolen verifier attack. None of these two schemes achieve mutual authentication. It also fails to follow the single round-trip authentication design of Irshad et al.'s scheme. To overcome these weaknesses, we propose a provable secure single round-trip SIP authentication scheme for VoIP using smart card. We formally prove the security of the scheme in random oracle and demonstrate through discussion its resistance to various attacks. The comparative analysis shows that the proposed SIP authentication scheme offers superior performance with a little extra computational cost.

A Secure Anonymous Authentication Scheme for Wireless Communications Using Smart Cards

Wireless communications have become one of the most key parts in our everyday life, which give us facility on work and life but they still bring a great security risk. A crucial problem with wireless communications is to ensure the security of communication and prevent the privacy of communication entities revealing. Authentication is becoming an important issue when a mobile user (MU) wants to access services provided by the home agent (HA) in a visited foreign agent (FA). Recently, Kuo et al. proposed an authentication scheme and claimed that the proposed scheme was secure against different kinds of attacks. In this paper, we show that Kuo et al.'s scheme fails to resist insider and verifier attacks while it does not provide local verification. In addition, password change phase of Kuo et al.'s scheme also has a loophole. To remedy these shortcomings, an improved anonymous authentication scheme for wireless communications is proposed which is immune to various known types of attacks. Finally, in comparison with other existing schemes regarding security properties and performance, we show that our scheme has various kinds of security properties and is suitable for practical applications in wireless networks.

Efficient and anonymous two-factor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation.

A smart-card-based user authentication scheme for wireless sensor networks (hereafter referred to as a SCA-WSN scheme) is designed to ensure that only users who possess both a smart card and the corresponding password are allowed to gain access to sensor data and their transmissions. Despite many research efforts in recent years, it remains a challenging task to design an efficient SCA-WSN scheme that achieves user anonymity. The majority of published SCA-WSN schemes use only lightweight cryptographic techniques (rather than public-key cryptographic techniques) for the sake of efficiency, and have been demonstrated to suffer from the inability to provide user anonymity. Some schemes employ elliptic curve cryptography for better security but require sensors with strict resource constraints to perform computationally expensive scalar-point multiplications; despite the increased computational requirements, these schemes do not provide user anonymity. In this paper, we present a new SCA-WSN scheme that not only achieves user anonymity but also is efficient in terms of the computation loads for sensors. Our scheme employs elliptic curve cryptography but restricts its use only to anonymous user-to-gateway authentication, thereby allowing sensors to perform only lightweight cryptographic operations. Our scheme also enjoys provable security in a formal model extended from the widely accepted Bellare-Pointcheval-Rogaway (2000) model to capture the user anonymity property and various SCA-WSN specific attacks (e.g., stolen smart card attacks, node capture attacks, privileged insider attacks, and stolen verifier attacks).

An efficient ECC-based privacy-preserving client authentication protocol with key agreement using smart card

The authentication protocols are trusted components in a communication system in order to protect sensitive information against a malicious adversary in the client-server environment by means of providing a variety of services including users' privacy and authentication. In the cryptographic protocols, understanding the security failures is the key for both patching to the existing protocols and designing the future protocols. Recently, in 2014, Wang proposed an improved Elliptic Curve Cryptography (ECC) based anonymous remote authentication scheme using smart card and claimed that the proposed scheme is secure against password guessing attack, smart card lost/stolen verifier attack, and also preserves user anonymity and prevents credential leakage. However, in this paper, we show that Wang's scheme fails to preserve the user anonymity and does not prevent the off-line password guessing attack, credential leakage and smart card lost/stolen verifier attack. In order to withstand those security pitfalls found in Wang's scheme, we aim to propose a new secure privacy-preserving ECC-based client authentication with key agreement protocol using smart card. Through the formal and informal security analysis we show that our scheme is secure against possible known attacks including the off-line password guessing attack, credential leakage attack and smart card lost/stolen verifier attack. Our scheme also preserves the user anonymity property. In addition, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks. Our scheme provides high security along with low computational and communication costs. As a result, our scheme is practically suitable for mobile devices in the client-server environment as compared to other related schemes in the literature.

An Efficient and Secure Multi-server Smart Card based Authentication Scheme

This paper proposes an efficient and robust multi-server authentication scheme using smart cards. Security of this scheme depends upon cryptographic one-way hash function. This scheme allows remote users to access multiple servers without any need of separately registering with each server. Also, it gets rid of the use of verification table, permits users to select and update the password securely without taking help from the server or registration center, achieves mutual authentication and establishes a session key that is common between user and the server. Moreover, the proposed scheme withstands user impersonation attack, reflection and parallel session attacks, server impersonation attack, replay attack, password guessing attack, smart card loss attack, insider attack, and stolen verifier attack.

무선 센서 네트워크를 위한 생체 정보 기반 사용자 인증 스킴의 보안 취약점 분석

The numerous improved schemes of remote user authentication based on password have been proposed in order to overcome the security weakness in user authentication process. Recently, some of biometric-based user authentication schemes to use personal biometric information have been introduced and they have shown the relatively higher security and the enhanced convenience as compared to traditional password-based schemes. These days wireless sensor network is a fundamental technology in face of the ubiquitous era. The wireless sensor networks to collect and process the data from sensor nodes in increasing high-tech applications require important security issues to prevent the data access from the unauthorized person. Accordingly, the research to apply to the user authentication to the wireless sensor networks has been under the progress. In 2010, Yuan et al. proposed a biometric-based user authentication scheme to be applicable for wireless sensor networks. Yuan et al. claimed that their scheme is effectively secure against the various security flaws including the stolen verifier attack. In this paper, author will prove that Yuan et al.`s scheme is still vulnerable to the password guessing attack, user impersonation attack and the replay attack, by analyzing their security weakness.

Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography

Recently, a password authentication and update scheme has been presented by Islam and Biswas to remove the security weaknesses in Lin and Huang’s scheme. Unfortunately, He et al., Wang et al., and Li have found out that Islam and Biswas’ improvement was vulnerable to offline password guessing attack, stolen verifier attack, privilege insider attack, and denial of service attack. In this paper, we further analyze Islam and Biswas’ scheme and demonstrate that their scheme cannot resist password compromise impersonation attack. In order to remedy the weaknesses mentioned above, we propose an improved anonymous remote authentication scheme using smart card without using bilinear paring computation. In addition, the verifier tables are no longer existent, and the privacy of users could be protected better. Furthermore, our proposal not only inherits the advantages in Islam and Biswas’ scheme, but also provides more features, including preserving user anonymity, supporting offline password change, revocation, reregistration with the same identifier, and system update. Finally, we compare our enhancement with related works to illustrate that the improvement is more secure and robust, while maintaining low performance cost.

On the Security of the Discrete Logarithm Based Remote Authentication Scheme Using Smart Cards

Nowadays, we can easily obtain variety of services through network. But due to the open environment, networks are vulnerable to variety of security threats. Ramasamy et al. proposed a discrete logarithm based remote authentication scheme with smart cards. Their scheme provides mutual authentication and withstanding the denial of service attack, forgery attack, parallel session attack and smart card loss attack. In this article, we show that their scheme is not a practical solution for remote accessing. It also lacks key agreement mechanism; and users cannot update password freely. Moreover, their scheme cannot resist the stolen verifier attack and off-line guessing attack.

스마트 카드를 사용한 검증자 없는 사용자 인증 및 접근 제어 방법: Chen-Yeh 방법의 개선

User authentication and access control are two important components in high security applications. Recently, Chen and Yeh proposed a method to integrate both of them seamlessly. However, Chen-Yeh`s scheme is vulnerable to a stolen verifier attack, since it maintains a smart card identifier table in a remote server. Therefore, this paper modifies Chen-Yeh`s scheme and propose a new integrated authentication and access control scheme that is resilient to the stolen verifier attack while inheriting all the merits of Chen-Yeh`s scheme. Security analysis shows that the proposed scheme withstands well-known security attacks and exhibits many good features.

Dynamic Encryption Key based Smart Card Authentication Scheme

In order to keep away from difficulties associated with traditional password based authentication methods, smart card based authentication schemes have been widely used. It has already been accepted worldwide due to its low computational cost. However, most of these schemes are vulnerable to one or the other possible attack. This paper describes a new smart card authentication scheme using symmetric key cryptography, which covers all the identified security pitfalls and satisfies the needs of a user. Its security is based on encrypting the contents of all the communicating messages exchanged between remote user and the server. Moreover, it provides users to choose and change their passwords freely, mutual authentication and session key generation. In addition, it uses nonce instead of timestamp to resist replay attack. Security analysis proves that this scheme is secure against impersonation attack, password guessing attack, replay attack, reflection attack, parallel session attack, insider attack, attack on perfect forward secrecy, stolen verifier attack, smart card loss attack and man-in-the-middle attack. The proposed scheme can be easily extended to Internet protocol television broadcasting, Multi-server authentication, Wireless communication and Healthcare, where the user needs to access data from server.

A Secure and Efficient Password-Based User Authentication Scheme Using Smart Cards for the Integrated EPR Information System

The integrated EPR information system supports convenient and rapid e-medicine services. A secure and efficient authentication scheme for the integrated EPR information system provides safeguarding patients' electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Recently, Wu et al. proposed an efficient password-based user authentication scheme using smart cards for the integrated EPR information system, and claimed that the proposed scheme could resist various malicious attacks. However, their scheme is still vulnerable to lost smart card and stolen verifier attacks. This investigation discusses these weaknesses and proposes a secure and efficient authentication scheme for the integrated EPR information system as alternative. Compared with related approaches, the proposed scheme not only retains a lower computational cost and does not require verifier tables for storing users' secrets, but also solves the security problems in previous schemes and withstands possible attacks.