Due to the lack of authentication mechanism in BeiDou navigation satellite system(BDS),BD-Ⅱ civil navigation message(BDⅡ-CNAV) are vulnerable to spoofing attack and replay attack.To solve this problem,we present a s...Due to the lack of authentication mechanism in BeiDou navigation satellite system(BDS),BD-Ⅱ civil navigation message(BDⅡ-CNAV) are vulnerable to spoofing attack and replay attack.To solve this problem,we present a security authentication protocol,called as BDSec,which is designed by using China’s cryptography Shangyong Mima(SM) series algorithms,such as SM2/4/9 and Zu Chongzhi(ZUC)algorithm.In BDSec protocol,both of BDⅡ-CNAV and signature information are encrypted using the SM4 algorithm(Symmetric encryption mechanism).The encrypted result is used as the subject authentication information.BDSec protocol applies SM9 algorithm(Identity-based cryptography mechanism) to protect the integrity of the BDⅡ-CNAV,adopts the SM2 algorithm(Public key cryptosystem) to guarantee the confidentiality of the important session information,and uses the ZUC algorithm(Encryption and integrity algorithm) to verify the integrity of the message authentication serial number and initial information and the information in authentication initialization sub-protocol respectively.The results of the SVO logic reasoning and performance analysis show that BDSec protocol meets security requirements for the dual user identity authentication in BDS and can realize the security authentication of BDⅡ-CNAV.展开更多
Nowadays,the widespread application of 5G has promoted rapid development in different areas,particularly in the Internet of Things(IoT),where 5G provides the advantages of higher data transfer rate,lower latency,and w...Nowadays,the widespread application of 5G has promoted rapid development in different areas,particularly in the Internet of Things(IoT),where 5G provides the advantages of higher data transfer rate,lower latency,and widespread connections.Wireless sensor networks(WSNs),which comprise various sensors,are crucial components of IoT.The main functions of WSN include providing users with real-time monitoring information,deploying regional information collection,and synchronizing with the Internet.Security in WSNs is becoming increasingly essential because of the across-the-board nature of wireless technology in many fields.Recently,Yu et al.proposed a user authentication protocol forWSN.However,their design is vulnerable to sensor capture and temporary information disclosure attacks.Thus,in this study,an improved protocol called PSAP-WSNis proposed.The security of PSAP-WSN is demonstrated by employing the ROR model,BAN logic,and ProVerif tool for the analysis.The experimental evaluation shows that our design is more efficient and suitable forWSN environments.展开更多
To prevent server compromise attack and password guessing attacks,an improved and efficient verifier-based key exchange protocol for three-party is proposed,which enables two clients to agree on a common session key w...To prevent server compromise attack and password guessing attacks,an improved and efficient verifier-based key exchange protocol for three-party is proposed,which enables two clients to agree on a common session key with the help of the server.In this protocol,the client stores a plaintext version of the password,while the server stores a verifier for the password.And the protocol uses verifiers to authenticate between clients and the server.The security analysis and performance comparison of the proposed protocol shows that the protocol can resist many familiar attacks including password guessing attacks,server compromise attacks,man-in-the-middle attacks and Denning-Sacco attacks,and it is more efficient.展开更多
Based on the authentication tests and the strand space model, the robust email protocol with perfect forward secrecy is formally analyzed, and the security shortcomings of the protocol is pointed out. Meanwhile, the m...Based on the authentication tests and the strand space model, the robust email protocol with perfect forward secrecy is formally analyzed, and the security shortcomings of the protocol is pointed out. Meanwhile, the man-in-the-middle attack to the protocol is given, where the attacker forges the messages in the receiving phase to cheat the two communication parties and makes them share the wrong session keys with him. Therefore, the protocol is not ensured to provide perfect forward secrecy. In order to overcome the above security shortcomings, an advanced email protocol is proposed, where the corresponding signatures in the receiving phase of the protocol are added to overcome the man-in-the-middle attack and ensure to provide perfect forward secrecy. Finally, the proposed advanced email protocol is formally analyzed with the authentication tests and the strand space model, and it is proved to be secure in authentication of the email sender, the recipient and the server. Therefore, the proposed advanced email protocol can really provide perfect forward secrecy.展开更多
In order to deploy a secure WLAN mesh network,authentication of both users and APs is needed,and a secure authentication mechanism should be employed.However,some additional configurations of trusted third party agenc...In order to deploy a secure WLAN mesh network,authentication of both users and APs is needed,and a secure authentication mechanism should be employed.However,some additional configurations of trusted third party agencies are still needed on-site to deploy a secure authentication system.This paper proposes a new block chain-based authentication protocol for WLAN mesh security access,to reduce the deployment costs and resolve the issues of requiring key delivery and central server during IEEE 802.11X authentication.This method takes the user’s authentication request as a transaction,considers all the authentication records in the mesh network as the public ledger and realizes the effective monitoring of the malicious attack.Finally,this paper analyzes the security of the protocol in detail,and proves that the new method can solve the dependence of the authentication node on PKI and CA.展开更多
This paper proposed two modifications on IKE protocol with pre-shared key authentication. The first modification can improve its immunity against DDoS attack by authenticating the initiator before the responder genera...This paper proposed two modifications on IKE protocol with pre-shared key authentication. The first modification can improve its immunity against DDoS attack by authenticating the initiator before the responder generates the computation-intensive Diffie-Hellman public value. The second modification can improve its efficiency when the attack on messages occurs because it can detect the attack quickly by replacing the centralized authentication in origical IKE protocol with immediate authentication. In addition, the two modifications can be integrated into one protocol compactly.展开更多
Modem information technology has been utilized progressively to store and distribute a large amount of healthcare data to reduce costs and improve medical facilities.In this context,the emergence of e-Health clouds of...Modem information technology has been utilized progressively to store and distribute a large amount of healthcare data to reduce costs and improve medical facilities.In this context,the emergence of e-Health clouds offers novel opportunities,like easy and remote accessibility of medical data.However,this achievement produces plenty of new risks and challenges like how to provide integrity,security,and confidentiality to the highly susceptible e-Health data.Among these challenges,authentication is a major issue that ensures that the susceptible medical data in clouds is not available to illegal participants.The smart card,password and biometrics are three factors of authentication which fulfill the requirement of giving high security.Numerous three-factor ECC-based authentication protocols on e-Health clouds have been presented so far.However,most of the protocols have serious security flaws and produce high computation and communication overheads.Therefore,we introduce a novel protocol for the e-Health cloud,which thwarts some major attacks,such as user anonymity,offline password guessing,impersonation,and stolen smart card attacks.Moreover,we evaluate our protocol through formal security analysis using the Random Oracle Model(ROM).The analysis shows that our proposed protocol is more efficient than many existing protocols in terms of computation and communication costs.Thus,our proposed protocol is proved to be more efficient,robust and secure.展开更多
From the viewpoint of protocol sequence, analyses are made of the sequence patterns of possible identity authentication protocol under two cases: with or without the trusted third party (TFP). Ten feasible sequence...From the viewpoint of protocol sequence, analyses are made of the sequence patterns of possible identity authentication protocol under two cases: with or without the trusted third party (TFP). Ten feasible sequence patterns of authentication protocol with TIP and 5 sequence patterns without TFP are gained. These gained sequence patterns meet the requirements for identity authentication, and basically cover almost all the authentication protocols with TFP and without TFP at present. All of the sequence patterns gained are classified into unilateral or bilateral authentication. Then, according to the sequence symmetry, several good sequence patterns with TFP are evaluated. The accompolished results can provide a reference to design of new identity authentication protocols.展开更多
FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this pap...FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this paper, we analyze the FIDO UAF(Universal Authentication Framework) Protocol, one of the two sets of specifications in the standard. We first present protocols' cryptographic abstractions for the registration and authentication protocols of the FIDO UAF. According to the abstractions, we discuss on selected security goals presented in the standard to study UAF security properties. We also propose three attacks, which the first two are based on an assumption that an attacker can corrupt the software installed on the user device, and the third is based on two users sharing a FIDO roaming authenticator. The results of the attacks are to impersonate the legitimate user to pass the online authentication.展开更多
A new efficient protocol-proving algorithm was proposed for verifying security protocols. This algorithm is based on the improved authentication tests model, which enhances the original model by formalizing the messag...A new efficient protocol-proving algorithm was proposed for verifying security protocols. This algorithm is based on the improved authentication tests model, which enhances the original model by formalizing the message reply attack. With exact causal dependency relations between messages in this model, the protocol-proving algorithm can avoid the state explosion caused by asynchronous. In order to get the straight proof of security protocols, three authentication theorems are exploited for evaluating the agreement and distinction properties. When the algorithm terminates, it outputs either the proof results or the potential flaws of the security protocol. The experiment shows that the protocol-proving algorithm can detect the type flaw attack on Neuman-Stubblebine protocol, and prove the correctness of NSL protocol by exploring only 10 states.展开更多
Tele-medical information system provides an efficient and convenient way to connect patients at home with medical personnel in clinical centers.In this system,service providers consider user authentication as a critic...Tele-medical information system provides an efficient and convenient way to connect patients at home with medical personnel in clinical centers.In this system,service providers consider user authentication as a critical requirement.To address this crucial requirement,various types of validation and key agreement protocols have been employed.The main problem with the two-way authentication of patients and medical servers is not built with thorough and comprehensive analysis that makes the protocol design yet has flaws.This paper analyzes carefully all aspects of security requirements including the perfect forward secrecy in order to develop an efficient and robust lightweight authentication and key agreement protocol.The secureness of the proposed protocol undergoes an informal analysis,whose findings show that different security features are provided,including perfect forward secrecy and a resistance to DoS attacks.Furthermore,it is simulated and formally analyzed using Scyther tool.Simulation results indicate the protocol’s robustness,both in perfect forward security and against various attacks.In addition,the proposed protocol was compared with those of other related protocols in term of time complexity and communication cost.The time complexity of the proposed protocol only involves time of performing a hash function Th,i.e.,:O(12Th).Average time required for executing the authentication is 0.006 seconds;with number of bit exchange is 704,both values are the lowest among the other protocols.The results of the comparison point to a superior performance by the proposed protocol.展开更多
Cookies are considered a fundamental means of web application services for authenticating various Hypertext Transfer Protocol(HTTP)requests andmaintains the states of clients’information over the Internet.HTTP cookie...Cookies are considered a fundamental means of web application services for authenticating various Hypertext Transfer Protocol(HTTP)requests andmaintains the states of clients’information over the Internet.HTTP cookies are exploited to carry client patterns observed by a website.These client patterns facilitate the particular client’s future visit to the corresponding website.However,security and privacy are the primary concerns owing to the value of information over public channels and the storage of client information on the browser.Several protocols have been introduced that maintain HTTP cookies,but many of those fail to achieve the required security,or require a lot of resource overheads.In this article,we have introduced a lightweight Elliptic Curve Cryptographic(ECC)based protocol for authenticating client and server transactions to maintain the privacy and security of HTTP cookies.Our proposed protocol uses a secret key embedded within a cookie.The proposed protocol ismore efficient and lightweight than related protocols because of its reduced computation,storage,and communication costs.Moreover,the analysis presented in this paper confirms that proposed protocol resists various known attacks.展开更多
Vehicular ad hoc networks (VANETs) have attracted growing interest in both academia and industry because they can provide a viable solutionthat improves road safety and comfort for travelers on roads. However, wireles...Vehicular ad hoc networks (VANETs) have attracted growing interest in both academia and industry because they can provide a viable solutionthat improves road safety and comfort for travelers on roads. However, wireless communications over open-access environments face many security andprivacy issues that may affect deployment of large-scale VANETs. Researchershave proposed different protocols to address security and privacy issues in aVANET, and in this study we cryptanalyze some of the privacy preservingprotocols to show that all existing protocols are vulnerable to the Sybilattack. The Sybil attack can be used by malicious actors to create fakeidentities that impair existing protocols, which allows them to imitate trafficcongestion or at worse cause an accident that may result in the loss of humanlife. This vulnerability exists because those protocols store vehicle identitiesin an encrypted form, and it is not possible to search over the encryptedidentities to find fake vehicles. This attack is serious in nature and veryprevalent for privacy-preserving protocols. To cope with this kind of attack,we propose a novel and practical protocol that uses Public key encryptionwith an equality test (PKEET) to search over the encrypted identities withoutleaking any information, and eventually eliminate the Sybil attack. Theproposed approach improves security and at the same time maintains privacyin VANET. Our performance analysis indicates that the proposed protocoloutperforms state-of-the-art protocols: The proposed beacon generation timeis constant compared to a linear increase in existing protocols, with beaconverification shown to be faster by 7.908%. Our communicational analysisshows that the proposed protocol with a beacon size of 322 bytes has the leastcommunicational overhead compared to other state-of-the-art protocols.展开更多
Satellite networks are recognized as the most essential communication infrastructures in the world today,which complement land networks and provide valuable services for their users.Extensive coverage and service stab...Satellite networks are recognized as the most essential communication infrastructures in the world today,which complement land networks and provide valuable services for their users.Extensive coverage and service stability of these networks have increased their popularity.Since eavesdropping and active intrusion in satellite communications are much easier than in terrestrial networks,securing satellite communications is vital.So far,several protocols have been proposed for authentication and key exchange of satellite communications,but none of them fullymeet the security requirements.In this paper,we examine one of these protocols and identify its security vulnerabilities.Moreover,we propose a robust and secure authentication and session key agreement protocol using the elliptic curve cryptography(ECC).We show that the proposed protocol meets common security requirements and is resistant to known security attacks.Moreover,we prove that the proposed scheme satisfies the security features using the Automated Validation of Internet Security Protocols and Applications(AVISPA)formal verification tool and On-the fly Model-Checker(OFMC)and ATtack SEarcher(ATSE)model checkers.We have also proved the security of the session key exchange of our protocol using theReal orRandom(RoR)model.Finally,the comparison of our scheme with similar methods shows its superiority.展开更多
The radio frequency identification(RFID)technology has been widely used so far in industrial and commercial applications.To develop the RFID tags that support elliptic curve cryptography(ECC),we propose a scalable and...The radio frequency identification(RFID)technology has been widely used so far in industrial and commercial applications.To develop the RFID tags that support elliptic curve cryptography(ECC),we propose a scalable and mutual authentication protocol based on ECC.We also suggest a tag privacy model that provides adversaries exhibiting strong abilities to attack a tag’s privacy.We prove that the proposed protocol preserves privacy under the privacy model and that it meets general security requirements.Compared with other recent ECCbased RFID authentication protocols,our protocol provides tag privacy and performs the best under comprehensive evaluation of tag privacy,tag computation cost,and communications cost.展开更多
Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibi...Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses two-server paradigm by imposing different levels of trust upon the two servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The proposed protocol is practical and computational efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.展开更多
The low-cost RFID tags have very limited computing and storage resources and this makes it difficult to completely solve their security and privacy problems. Lightweight authentication is considered as one of the most...The low-cost RFID tags have very limited computing and storage resources and this makes it difficult to completely solve their security and privacy problems. Lightweight authentication is considered as one of the most effective methods to ensure the security in the RFID system. Many light-weight authentication protocols use Hash function and pseudorandom generator to ensure the anonymity and confidential communication of the RFID system. But these protocols do not provide such security as they claimed. By analyzing some typical Hash-based RFID authentication protocols, it is found that they are vulnerable to some common attacks. Many protocols cannot resist tracing attack and de-synchronization attack. Some protocols cannot provide forward security. Gy?z? Gódor and Sándor Imre proposed a Hash-based authentication protocol and they claimed their protocol could resist the well-known attacks. But by constructing some different attack scenarios, their protocol is shown to be vulnerable to tracing attack and de-synchronization attack. Based on the analysis for the Hash-based authentication protocols, some feasible suggestions are proposed to improve the security of the RFID authentication protocols.展开更多
An efficient authenticated key agreement protocol is proposed, which makesuse of bilinear pairings and self-certificd public keys. Its security is based on the securityassumptions of the bilinear Diff ie-Hellman probl...An efficient authenticated key agreement protocol is proposed, which makesuse of bilinear pairings and self-certificd public keys. Its security is based on the securityassumptions of the bilinear Diff ie-Hellman problem and the computational Diffie-Hellman problem.Users can choose their private keys independently. The public keys and identities of users can beverified implicitly when the session key being generating in a logically single step. A trusted KeyGeneration Center is no longer requiredas in the ID-based authenticated key agreement protocolsCompared with existing authenticated key agreement protocols from pairings, the. new proposedprotocol is more efficient and secure.展开更多
The long authentication handover delay is the greatest challenge in multi-domain SDN environment. In order to solve this problem, an authentication handover mechanism under multi-SDN domain(AHMMD) is proposed in this ...The long authentication handover delay is the greatest challenge in multi-domain SDN environment. In order to solve this problem, an authentication handover mechanism under multi-SDN domain(AHMMD) is proposed in this paper. In AHMMD, firstly, when the mobility entity accesses the network for the first time, its identity and service attributes are authenticated by the flow authentication protocol, which is designed based on the asymmetric encryption key; secondly, when the mobility entity moves to the neighbor domain, the authentication information will be delivered from the current controller to the neighborhood controller through a security communication channel. In order to promote the efficiency, a handover time prediction algorithm is adopted in AHMMD. Experimental results based on our AHMMD prototype have shown that the handover delay decreases by 50% while the handover cost decreases by 60%.展开更多
基金supported in part by the National Key R&D Program of China(No.2022YFB3904503)National Natural Science Foundation of China(No.62172418)the joint funds of National Natural Science Foundation of China and Civil Aviation Administration of China(No.U2133203).
文摘Due to the lack of authentication mechanism in BeiDou navigation satellite system(BDS),BD-Ⅱ civil navigation message(BDⅡ-CNAV) are vulnerable to spoofing attack and replay attack.To solve this problem,we present a security authentication protocol,called as BDSec,which is designed by using China’s cryptography Shangyong Mima(SM) series algorithms,such as SM2/4/9 and Zu Chongzhi(ZUC)algorithm.In BDSec protocol,both of BDⅡ-CNAV and signature information are encrypted using the SM4 algorithm(Symmetric encryption mechanism).The encrypted result is used as the subject authentication information.BDSec protocol applies SM9 algorithm(Identity-based cryptography mechanism) to protect the integrity of the BDⅡ-CNAV,adopts the SM2 algorithm(Public key cryptosystem) to guarantee the confidentiality of the important session information,and uses the ZUC algorithm(Encryption and integrity algorithm) to verify the integrity of the message authentication serial number and initial information and the information in authentication initialization sub-protocol respectively.The results of the SVO logic reasoning and performance analysis show that BDSec protocol meets security requirements for the dual user identity authentication in BDS and can realize the security authentication of BDⅡ-CNAV.
文摘Nowadays,the widespread application of 5G has promoted rapid development in different areas,particularly in the Internet of Things(IoT),where 5G provides the advantages of higher data transfer rate,lower latency,and widespread connections.Wireless sensor networks(WSNs),which comprise various sensors,are crucial components of IoT.The main functions of WSN include providing users with real-time monitoring information,deploying regional information collection,and synchronizing with the Internet.Security in WSNs is becoming increasingly essential because of the across-the-board nature of wireless technology in many fields.Recently,Yu et al.proposed a user authentication protocol forWSN.However,their design is vulnerable to sensor capture and temporary information disclosure attacks.Thus,in this study,an improved protocol called PSAP-WSNis proposed.The security of PSAP-WSN is demonstrated by employing the ROR model,BAN logic,and ProVerif tool for the analysis.The experimental evaluation shows that our design is more efficient and suitable forWSN environments.
基金The National High Technology Research and Development Program of China(863Program)(No.2001AA115300)the Natural Science Foundation of Liaoning Province(No.20031018,20062023)
文摘To prevent server compromise attack and password guessing attacks,an improved and efficient verifier-based key exchange protocol for three-party is proposed,which enables two clients to agree on a common session key with the help of the server.In this protocol,the client stores a plaintext version of the password,while the server stores a verifier for the password.And the protocol uses verifiers to authenticate between clients and the server.The security analysis and performance comparison of the proposed protocol shows that the protocol can resist many familiar attacks including password guessing attacks,server compromise attacks,man-in-the-middle attacks and Denning-Sacco attacks,and it is more efficient.
基金The Natural Science Foundation of Jiangsu Province(No.BK2006108)
文摘Based on the authentication tests and the strand space model, the robust email protocol with perfect forward secrecy is formally analyzed, and the security shortcomings of the protocol is pointed out. Meanwhile, the man-in-the-middle attack to the protocol is given, where the attacker forges the messages in the receiving phase to cheat the two communication parties and makes them share the wrong session keys with him. Therefore, the protocol is not ensured to provide perfect forward secrecy. In order to overcome the above security shortcomings, an advanced email protocol is proposed, where the corresponding signatures in the receiving phase of the protocol are added to overcome the man-in-the-middle attack and ensure to provide perfect forward secrecy. Finally, the proposed advanced email protocol is formally analyzed with the authentication tests and the strand space model, and it is proved to be secure in authentication of the email sender, the recipient and the server. Therefore, the proposed advanced email protocol can really provide perfect forward secrecy.
文摘In order to deploy a secure WLAN mesh network,authentication of both users and APs is needed,and a secure authentication mechanism should be employed.However,some additional configurations of trusted third party agencies are still needed on-site to deploy a secure authentication system.This paper proposes a new block chain-based authentication protocol for WLAN mesh security access,to reduce the deployment costs and resolve the issues of requiring key delivery and central server during IEEE 802.11X authentication.This method takes the user’s authentication request as a transaction,considers all the authentication records in the mesh network as the public ledger and realizes the effective monitoring of the malicious attack.Finally,this paper analyzes the security of the protocol in detail,and proves that the new method can solve the dependence of the authentication node on PKI and CA.
文摘This paper proposed two modifications on IKE protocol with pre-shared key authentication. The first modification can improve its immunity against DDoS attack by authenticating the initiator before the responder generates the computation-intensive Diffie-Hellman public value. The second modification can improve its efficiency when the attack on messages occurs because it can detect the attack quickly by replacing the centralized authentication in origical IKE protocol with immediate authentication. In addition, the two modifications can be integrated into one protocol compactly.
文摘Modem information technology has been utilized progressively to store and distribute a large amount of healthcare data to reduce costs and improve medical facilities.In this context,the emergence of e-Health clouds offers novel opportunities,like easy and remote accessibility of medical data.However,this achievement produces plenty of new risks and challenges like how to provide integrity,security,and confidentiality to the highly susceptible e-Health data.Among these challenges,authentication is a major issue that ensures that the susceptible medical data in clouds is not available to illegal participants.The smart card,password and biometrics are three factors of authentication which fulfill the requirement of giving high security.Numerous three-factor ECC-based authentication protocols on e-Health clouds have been presented so far.However,most of the protocols have serious security flaws and produce high computation and communication overheads.Therefore,we introduce a novel protocol for the e-Health cloud,which thwarts some major attacks,such as user anonymity,offline password guessing,impersonation,and stolen smart card attacks.Moreover,we evaluate our protocol through formal security analysis using the Random Oracle Model(ROM).The analysis shows that our proposed protocol is more efficient than many existing protocols in terms of computation and communication costs.Thus,our proposed protocol is proved to be more efficient,robust and secure.
文摘From the viewpoint of protocol sequence, analyses are made of the sequence patterns of possible identity authentication protocol under two cases: with or without the trusted third party (TFP). Ten feasible sequence patterns of authentication protocol with TIP and 5 sequence patterns without TFP are gained. These gained sequence patterns meet the requirements for identity authentication, and basically cover almost all the authentication protocols with TFP and without TFP at present. All of the sequence patterns gained are classified into unilateral or bilateral authentication. Then, according to the sequence symmetry, several good sequence patterns with TFP are evaluated. The accompolished results can provide a reference to design of new identity authentication protocols.
文摘FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this paper, we analyze the FIDO UAF(Universal Authentication Framework) Protocol, one of the two sets of specifications in the standard. We first present protocols' cryptographic abstractions for the registration and authentication protocols of the FIDO UAF. According to the abstractions, we discuss on selected security goals presented in the standard to study UAF security properties. We also propose three attacks, which the first two are based on an assumption that an attacker can corrupt the software installed on the user device, and the third is based on two users sharing a FIDO roaming authenticator. The results of the attacks are to impersonate the legitimate user to pass the online authentication.
基金The National High Technology Research and Development Program of China(863Pro-gram)(No.2005AA145110)
文摘A new efficient protocol-proving algorithm was proposed for verifying security protocols. This algorithm is based on the improved authentication tests model, which enhances the original model by formalizing the message reply attack. With exact causal dependency relations between messages in this model, the protocol-proving algorithm can avoid the state explosion caused by asynchronous. In order to get the straight proof of security protocols, three authentication theorems are exploited for evaluating the agreement and distinction properties. When the algorithm terminates, it outputs either the proof results or the potential flaws of the security protocol. The experiment shows that the protocol-proving algorithm can detect the type flaw attack on Neuman-Stubblebine protocol, and prove the correctness of NSL protocol by exploring only 10 states.
文摘Tele-medical information system provides an efficient and convenient way to connect patients at home with medical personnel in clinical centers.In this system,service providers consider user authentication as a critical requirement.To address this crucial requirement,various types of validation and key agreement protocols have been employed.The main problem with the two-way authentication of patients and medical servers is not built with thorough and comprehensive analysis that makes the protocol design yet has flaws.This paper analyzes carefully all aspects of security requirements including the perfect forward secrecy in order to develop an efficient and robust lightweight authentication and key agreement protocol.The secureness of the proposed protocol undergoes an informal analysis,whose findings show that different security features are provided,including perfect forward secrecy and a resistance to DoS attacks.Furthermore,it is simulated and formally analyzed using Scyther tool.Simulation results indicate the protocol’s robustness,both in perfect forward security and against various attacks.In addition,the proposed protocol was compared with those of other related protocols in term of time complexity and communication cost.The time complexity of the proposed protocol only involves time of performing a hash function Th,i.e.,:O(12Th).Average time required for executing the authentication is 0.006 seconds;with number of bit exchange is 704,both values are the lowest among the other protocols.The results of the comparison point to a superior performance by the proposed protocol.
基金support from Abu Dhabi University’s Office of Research and Sponsored Programs Grant Number:19300810.
文摘Cookies are considered a fundamental means of web application services for authenticating various Hypertext Transfer Protocol(HTTP)requests andmaintains the states of clients’information over the Internet.HTTP cookies are exploited to carry client patterns observed by a website.These client patterns facilitate the particular client’s future visit to the corresponding website.However,security and privacy are the primary concerns owing to the value of information over public channels and the storage of client information on the browser.Several protocols have been introduced that maintain HTTP cookies,but many of those fail to achieve the required security,or require a lot of resource overheads.In this article,we have introduced a lightweight Elliptic Curve Cryptographic(ECC)based protocol for authenticating client and server transactions to maintain the privacy and security of HTTP cookies.Our proposed protocol uses a secret key embedded within a cookie.The proposed protocol ismore efficient and lightweight than related protocols because of its reduced computation,storage,and communication costs.Moreover,the analysis presented in this paper confirms that proposed protocol resists various known attacks.
基金This work was supported by Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea government(MSIT)(No.2021-0-00540,Development of Fast Design and Implementation of Cryptographic Algorithms based on GPU/ASIC).
文摘Vehicular ad hoc networks (VANETs) have attracted growing interest in both academia and industry because they can provide a viable solutionthat improves road safety and comfort for travelers on roads. However, wireless communications over open-access environments face many security andprivacy issues that may affect deployment of large-scale VANETs. Researchershave proposed different protocols to address security and privacy issues in aVANET, and in this study we cryptanalyze some of the privacy preservingprotocols to show that all existing protocols are vulnerable to the Sybilattack. The Sybil attack can be used by malicious actors to create fakeidentities that impair existing protocols, which allows them to imitate trafficcongestion or at worse cause an accident that may result in the loss of humanlife. This vulnerability exists because those protocols store vehicle identitiesin an encrypted form, and it is not possible to search over the encryptedidentities to find fake vehicles. This attack is serious in nature and veryprevalent for privacy-preserving protocols. To cope with this kind of attack,we propose a novel and practical protocol that uses Public key encryptionwith an equality test (PKEET) to search over the encrypted identities withoutleaking any information, and eventually eliminate the Sybil attack. Theproposed approach improves security and at the same time maintains privacyin VANET. Our performance analysis indicates that the proposed protocoloutperforms state-of-the-art protocols: The proposed beacon generation timeis constant compared to a linear increase in existing protocols, with beaconverification shown to be faster by 7.908%. Our communicational analysisshows that the proposed protocol with a beacon size of 322 bytes has the leastcommunicational overhead compared to other state-of-the-art protocols.
文摘Satellite networks are recognized as the most essential communication infrastructures in the world today,which complement land networks and provide valuable services for their users.Extensive coverage and service stability of these networks have increased their popularity.Since eavesdropping and active intrusion in satellite communications are much easier than in terrestrial networks,securing satellite communications is vital.So far,several protocols have been proposed for authentication and key exchange of satellite communications,but none of them fullymeet the security requirements.In this paper,we examine one of these protocols and identify its security vulnerabilities.Moreover,we propose a robust and secure authentication and session key agreement protocol using the elliptic curve cryptography(ECC).We show that the proposed protocol meets common security requirements and is resistant to known security attacks.Moreover,we prove that the proposed scheme satisfies the security features using the Automated Validation of Internet Security Protocols and Applications(AVISPA)formal verification tool and On-the fly Model-Checker(OFMC)and ATtack SEarcher(ATSE)model checkers.We have also proved the security of the session key exchange of our protocol using theReal orRandom(RoR)model.Finally,the comparison of our scheme with similar methods shows its superiority.
基金partially supported by the National Natural Science Foundation of China under Grant No.61370203the China Postdoctoral Science Foundation under Grant No.2016M602675the Foundation of the Central Universities in China under Grant No.ZYGX2016J123。
文摘The radio frequency identification(RFID)technology has been widely used so far in industrial and commercial applications.To develop the RFID tags that support elliptic curve cryptography(ECC),we propose a scalable and mutual authentication protocol based on ECC.We also suggest a tag privacy model that provides adversaries exhibiting strong abilities to attack a tag’s privacy.We prove that the proposed protocol preserves privacy under the privacy model and that it meets general security requirements.Compared with other recent ECCbased RFID authentication protocols,our protocol provides tag privacy and performs the best under comprehensive evaluation of tag privacy,tag computation cost,and communications cost.
文摘Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses two-server paradigm by imposing different levels of trust upon the two servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The proposed protocol is practical and computational efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.
文摘The low-cost RFID tags have very limited computing and storage resources and this makes it difficult to completely solve their security and privacy problems. Lightweight authentication is considered as one of the most effective methods to ensure the security in the RFID system. Many light-weight authentication protocols use Hash function and pseudorandom generator to ensure the anonymity and confidential communication of the RFID system. But these protocols do not provide such security as they claimed. By analyzing some typical Hash-based RFID authentication protocols, it is found that they are vulnerable to some common attacks. Many protocols cannot resist tracing attack and de-synchronization attack. Some protocols cannot provide forward security. Gy?z? Gódor and Sándor Imre proposed a Hash-based authentication protocol and they claimed their protocol could resist the well-known attacks. But by constructing some different attack scenarios, their protocol is shown to be vulnerable to tracing attack and de-synchronization attack. Based on the analysis for the Hash-based authentication protocols, some feasible suggestions are proposed to improve the security of the RFID authentication protocols.
文摘An efficient authenticated key agreement protocol is proposed, which makesuse of bilinear pairings and self-certificd public keys. Its security is based on the securityassumptions of the bilinear Diff ie-Hellman problem and the computational Diffie-Hellman problem.Users can choose their private keys independently. The public keys and identities of users can beverified implicitly when the session key being generating in a logically single step. A trusted KeyGeneration Center is no longer requiredas in the ID-based authenticated key agreement protocolsCompared with existing authenticated key agreement protocols from pairings, the. new proposedprotocol is more efficient and secure.
基金supported in part by the National Natural Science Foundation of China under Grant No.61402521Jiangsu Province Natural Science Foundation of China under Grant No.BK20140068
文摘The long authentication handover delay is the greatest challenge in multi-domain SDN environment. In order to solve this problem, an authentication handover mechanism under multi-SDN domain(AHMMD) is proposed in this paper. In AHMMD, firstly, when the mobility entity accesses the network for the first time, its identity and service attributes are authenticated by the flow authentication protocol, which is designed based on the asymmetric encryption key; secondly, when the mobility entity moves to the neighbor domain, the authentication information will be delivered from the current controller to the neighborhood controller through a security communication channel. In order to promote the efficiency, a handover time prediction algorithm is adopted in AHMMD. Experimental results based on our AHMMD prototype have shown that the handover delay decreases by 50% while the handover cost decreases by 60%.