A Lightweight Three-Factor Authentication and Key Agreement Scheme for Multigateway WSNs in IoT

The Internet of Things (IoT) has built an information bridge between people and the objective world, wherein wireless sensor networks (WSNs) are an important driving force. For applications based on WSN, such as environment monitoring, smart healthcare, user legitimacy authentication, and data security, are always worth exploring. In recent years, many multifactor user authentication schemes for WSNs have been proposed using smart cards, passwords, as well as biometric features. Unfortunately, these schemes are revealed to various vulnerabilities (e.g., password guessing attack, impersonation attack, and replay attack) due to nonuniform security evaluation criteria. Wang et al. put forward 12 pieces of widely accepted evaluation criteria by investigating quantities of relevant literature. In this paper, we first propose a lightweight multifactor authentication protocol for multigateway WSNs using hash functions and XOR operations. Further, BAN logic and BPR model are employed to formally prove the correctness and security of the proposed scheme, and the informal analysis with Wang et al.’s criteria also indicates that it can resist well-known attacks. Finally, performance analysis of the compared schemes is given, and the evaluation results show that only the proposed scheme can satisfy all 12 evaluation criteria and keep efficient among these schemes.

Download Full-text

Security Weaknesses and Improvements of a Remote User Authentication Scheme Preserving User Anonymity

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.145.184 ◽

2011 ◽

Vol 145 ◽

pp. 184-188

Author(s):

Young Hwa An

Keyword(s):

User Authentication ◽

User Anonymity ◽

Authentication Scheme ◽

Impersonation Attack ◽

Replay Attack ◽

Password Guessing Attack ◽

Insider Attack ◽

Man In The Middle ◽

User Authentication Scheme ◽

Guessing Attack

In 2008, Bindu et al. proposed an improvement to Chien et al.'s remote password authentication scheme preserving user anonymity, and has asserted that the scheme is secure against replay attack, guessing attack, insider attack and man-in-the-middle attack, etc. However, in this paper, we have shown that Bindu et al.'s scheme is still insecure against man-in-the-middle attack and password guessing attack, and does not provide user anonymity. Also, we propose an improved scheme to withstand these weaknesses, while preserving their merits, even if the secret information stored in the smart card is revealed. As a result of analysis, the proposed scheme is secure against user impersonation attack, server masquerading attack, password guessing attack and does provide user anonymity. And we can see that the proposed scheme is relatively more effective than Bindu et al.'s scheme.

Download Full-text

A Secure and Efficient ECC-Based Anonymous Authentication Protocol

Security and Communication Networks ◽

10.1155/2019/4656281 ◽

2019 ◽

Vol 2019 ◽

pp. 1-13 ◽

Cited By ~ 4

Author(s):

Feifei Wang ◽

Guoai Xu ◽

Lize Gu

Keyword(s):

User Authentication ◽

Authentication Protocol ◽

Performance Comparison ◽

Impersonation Attack ◽

Session Key ◽

Anonymous Authentication ◽

Password Guessing Attack ◽

Authentication Schemes ◽

And Performance ◽

Guessing Attack

Nowadays, remote user authentication protocol plays a great role in ensuring the security of data transmission and protecting the privacy of users for various network services. In this study, we discover two recently introduced anonymous authentication schemes are not as secure as they claimed, by demonstrating they suffer from offline password guessing attack, desynchronization attack, session key disclosure attack, failure to achieve user anonymity, or forward secrecy. Besides, we reveal two environment-specific authentication schemes have weaknesses like impersonation attack. To eliminate the security vulnerabilities of existing schemes, we propose an improved authentication scheme based on elliptic curve cryptosystem. We use BAN logic and heuristic analysis to prove our scheme provides perfect security attributes and is resistant to known attacks. In addition, the security and performance comparison show that our scheme is superior with better security and low computation and communication cost.

Download Full-text

Revisiting Anonymous Two-Factor Authentication Schemes for IoT-Enabled Devices in Cloud Computing Environments

Security and Communication Networks ◽

10.1155/2019/2516963 ◽

2019 ◽

Vol 2019 ◽

pp. 1-13 ◽

Cited By ~ 5

Author(s):

Ping Wang ◽

Bin Li ◽

Hongjin Shi ◽

Yaosheng Shen ◽

Ding Wang

Keyword(s):

Cloud Computing ◽

Random Oracle Model ◽

Random Oracle ◽

Replay Attack ◽

Password Guessing Attack ◽

Symmetric Key ◽

Computing Environments ◽

Guessing Attack ◽

Key Techniques ◽

User Friendly

Investigating the security pitfalls of cryptographic protocols is crucial to understand how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme for cloud computing environments to cope with the vulnerabilities in Jiang et al.’s scheme. However, we reveal that Wu-Xu’s scheme actually is subject to various security flaws, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services and further suggested a user-friendly scheme which is claimed to be suitable for multiserver architecture and robust against various attacks. In this work, we show that Roy et al.’s scheme fails to achieve truly two-factor security and shows poor scalability. At FGCS’18, Amin et al. pointed out that most of existing two-factor schemes are either insecure or inefficient for mobile devices due to the use of public-key techniques and thus suggested an improved protocol by using only light-weight symmetric key techniques. Almost at the same time, Wei et al. also observed this issue and proposed a new scheme based on symmetric key techniques with formal security proofs in the random oracle model. Nevertheless, we point out that both Amin et al.’s and Wei et al.’s schemes cannot achieve the claimed security goals (including the most crucial goal of “truly two-factor security”). Our results invalidate any use of the scrutinized schemes for cloud computing environments.

Download Full-text

Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography

Journal of Applied Mathematics ◽

10.1155/2014/247836 ◽

2014 ◽

Vol 2014 ◽

pp. 1-11 ◽

Cited By ~ 3

Author(s):

Lili Wang

Keyword(s):

Denial Of Service ◽

Impersonation Attack ◽

Password Authentication ◽

Denial Of Service Attack ◽

Password Guessing Attack ◽

Insider Attack ◽

Service Attack ◽

Low Performance ◽

Guessing Attack ◽

Stolen Verifier Attack

Recently, a password authentication and update scheme has been presented by Islam and Biswas to remove the security weaknesses in Lin and Huang’s scheme. Unfortunately, He et al., Wang et al., and Li have found out that Islam and Biswas’ improvement was vulnerable to offline password guessing attack, stolen verifier attack, privilege insider attack, and denial of service attack. In this paper, we further analyze Islam and Biswas’ scheme and demonstrate that their scheme cannot resist password compromise impersonation attack. In order to remedy the weaknesses mentioned above, we propose an improved anonymous remote authentication scheme using smart card without using bilinear paring computation. In addition, the verifier tables are no longer existent, and the privacy of users could be protected better. Furthermore, our proposal not only inherits the advantages in Islam and Biswas’ scheme, but also provides more features, including preserving user anonymity, supporting offline password change, revocation, reregistration with the same identifier, and system update. Finally, we compare our enhancement with related works to illustrate that the improvement is more secure and robust, while maintaining low performance cost.

Download Full-text

A Novel Machine Learning-Based Approach for Security Analysis of Authentication and Key Agreement Protocols

Security and Communication Networks ◽

10.1155/2020/8848389 ◽

2020 ◽

Vol 2020 ◽

pp. 1-15

Author(s):

Behnam Zahednejad ◽

Lishan Ke ◽

Jing Li

Keyword(s):

Machine Learning ◽

Key Agreement ◽

Security Analysis ◽

Replay Attack ◽

Authentication And Key Agreement ◽

Password Guessing Attack ◽

Dataset Size ◽

Security Properties ◽

Guessing Attack ◽

Construction Model

The application of machine learning in the security analysis of authentication and key agreement protocol was first launched by Ma et al. in 2018. Although they received remarkable results with an accuracy of 72% for the first time, their analysis is limited to replay attack and key confirmation attack. In addition, their suggested framework is based on a multiclassification problem in which every protocol or dataset instance is either secure or prone to a security attack such as replay attack, key confirmation, or other attacks. In this paper, we show that multiclassification is not an appropriate framework for such analysis, since authentication protocols may suffer different attacks simultaneously. Furthermore, we consider more security properties and attacks to analyze protocols against. These properties include strong authentication and Unknown Key Share (UKS) attack, key freshness, key authentication, and password guessing attack. In addition, we propose a much more efficient dataset construction model using a tenth number of features, which improves the solving speed to a large extent. The results indicate that our proposed model outperforms the previous models by at least 10–20 percent in all of the machine learning solving algorithms such that upper-bound performance reaches an accuracy of over 80% in the analysis of all security properties and attacks. Despite the previous models, the classification accuracy of our proposed dataset construction model rises in a rational manner along with the increase of the dataset size.

Download Full-text

Two-Factor User Authentication with Key Agreement Scheme Based on Elliptic Curve Cryptosystem

Journal of Electrical and Computer Engineering ◽

10.1155/2014/423930 ◽

2014 ◽

Vol 2014 ◽

pp. 1-6 ◽

Cited By ~ 6

Author(s):

Juan Qu ◽

Xiao-Ling Tan

Keyword(s):

Elliptic Curve ◽

Smart Card ◽

Key Agreement ◽

User Authentication ◽

Security Analysis ◽

Authentication Scheme ◽

Impersonation Attack ◽

Elliptic Curve Cryptosystem ◽

Password Guessing Attack ◽

High Level

A password authentication scheme using smart card is called two-factor authentication scheme. Two-factor authentication scheme is the most accepted and commonly used mechanism that provides the authorized users a secure and efficient method for accessing resources over insecure communication channel. Up to now, various two-factor user authentication schemes have been proposed. However, most of them are vulnerable to smart card loss attack, offline password guessing attack, impersonation attack, and so on. In this paper, we design a password remote user authentication with key agreement scheme using elliptic curve cryptosystem. Security analysis shows that the proposed scheme has high level of security. Moreover, the proposed scheme is more practical and secure in contrast to some related schemes.

Download Full-text

Analysis of the Dynamic ID-Based Remote User Authentication Schemes Using Smart Card for Multi-Server Environments

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.543-547.3343 ◽

2014 ◽

Vol 543-547 ◽

pp. 3343-3347

Author(s):

Xue Lei Li ◽

Qiao Yan Wen ◽

Wen Min Li ◽

Hua Zhang ◽

Zheng Ping Jin

Keyword(s):

Smart Card ◽

User Authentication ◽

Password Guessing Attack ◽

Remote User Authentication ◽

Diffie Hellman ◽

Dynamic Id ◽

Authentication Schemes ◽

Guessing Attack ◽

Multi Server ◽

Remote User

In this paper, we analyze and point out several weaknesses in the dynamic ID-based remote user authentication schemes using smart card for multi-server environments, and present the countermeasures to enhance the security of the schemes. Taking Li et al.'s scheme for instance, we demonstrate that their scheme does not provide forward secrecy and key privacy for the session keys, and cannot resist offline password guessing attack. Furthermore, the reasons of these security weaknesses are analyzed through extending the attacks to its predecessors. Finally, the improved ideas of local verification and authenticated Diffie-Hellman key agreement are presented to overcome the weaknesses mentioned above.

Download Full-text

A Simple Password-Based Authenticated Key Agreement Protocol

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.216.510 ◽

2011 ◽

Vol 216 ◽

pp. 510-513

Author(s):

Yung Cheng Lee

Keyword(s):

Key Agreement ◽

Authenticated Key Agreement ◽

Replay Attack ◽

Computation Cost ◽

Key Agreement Protocol ◽

Password Guessing Attack ◽

Modification Attack ◽

Guessing Attack ◽

Agreement Protocols

The authenticated key agreement protocols are widely used mechanisms for users to negotiate session keys and authenticate each other. Until now, there are many authenticated key agreement protocols proposed. However, many of them suffer from various attacks such as guessing attack, replay attack, impersonate attack, etc. In this paper, we propose a simple password-based authenticated key agreement protocol to solve these problems. The proposed protocol not only provides forward and backward secrecy, but also can resist replay attack, modification attack, and password guessing attack. Moreover, the computation cost of the protocol is very low.

Download Full-text

Revisiting the “An Improved Remote user Authentication Scheme with Key Agreement”

Oriental journal of computer science and technology ◽

10.13005/ojcst11.04.03 ◽

2018 ◽

Vol 11 (4) ◽

pp. 190-194

Author(s):

YALIN CHEN ◽

JUE-SAM CHOU ◽

I - CHIUNG LIAO

Keyword(s):

Smart Card ◽

Key Agreement ◽

User Authentication ◽

Authentication Scheme ◽

Session Key ◽

Password Guessing Attack ◽

Remote User Authentication ◽

User Authentication Scheme ◽

Guessing Attack ◽

Remote User

Recently, Kumari et al., pointed out that Chang et al.’s scheme “Untraceable dynamic-identity-based remote user authentication scheme with veriﬁable password update” has several drawbacks and does not provide any session key agreement. Hence, they proposed an improved remote user authentication scheme with key agreement based on Chang et al.’s protocol. They claimed that the improved method is secure. However, we found that their improvement still has both anonymity breach and smart card loss password guessing attack which cannot be violated in the ten basic requirements advocated for a secure identity authentication using smart card by Liao et al. Thus, we modify their protocol to encompass these security functionalities which are needed in a user authentication system using smart card.

Download Full-text

An AODV Based Multifactor Authentication Scheme for Wireless Sensor Network

Journal of IT in Asia ◽

10.33736/jita.3840.2021 ◽

2021 ◽

Vol 9 (1) ◽

pp. 80-88

Author(s):

Jane Yong ◽

Zi Jian Chai ◽

Kah Hao Chin ◽

Christopher Chin Fung Chee ◽

Daniel Soh ◽

...

Keyword(s):

Wireless Sensor Network ◽

Sensor Network ◽

Computational Cost ◽

Industrial Applications ◽

Authentication Scheme ◽

Wireless Sensor ◽

Replay Attack ◽

Physical Attack ◽

Multifactor Authentication ◽

Guessing Attack

Wireless Sensor Network (WSN) is a type of wireless network that is fast getting a lot of attention in scientific and industrial applications, and it is a network of decentralized autonomous standalone sensor devices. However, WSN is easily prone to malicious attacks as anyone can access the server through the node without a proper security authentication. In this paper, we proposed a secure AODV based multi-factor authentication scheme for WSN to mitigate physical attack, offline guessing attack and replay attack. Our proposed scheme is preferred to keep the scheme lightweight while providing enough security that requires smart card, user identity, password, and OTP. Our proposed scheme has relatively lower computational cost with a total of 10Th than the other compared schemes except for Adil et al.’s scheme. However, we have around 8288 bits of authentication overhead due to the nature of packet and the addition of factors. Hence, our scheme is outperformed from computational cost perspective, but the scheme is slightly higher on authentication overhead perspective. In the future, multiple device authentication, implementation of biometric feature can be added to improve the scheme.

Download Full-text