Full Text:   <1189>

Summary:  <517>

CLC number: TP309

On-line Access: 2015-04-03

Received: 2014-07-03

Revision Accepted: 2014-11-13

Crosschecked: 2015-03-04

Cited: 2

Clicked: 2385

Citations:  Bibtex RefMan EndNote GB/T7714

 ORCID:

Kuo-Hui Yeh

http://orcid.org/0000-0003-0598-761X

-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2015 Vol.16 No.4 P.259-271

http://doi.org/10.1631/FITEE.1400232


A lightweight authentication scheme with user untraceability


Author(s):  Kuo-Hui Yeh

Affiliation(s):  Department of Information Management, National Dong Hwa University, Taiwan 974, Hualien

Corresponding email(s):   khyeh@mail.ndhu.edu.tw

Key Words:  Authentication, Privacy, Security, Smart card, Untraceability


Share this article to: More |Next Article >>>

Kuo-Hui Yeh. A lightweight authentication scheme with user untraceability[J]. Frontiers of Information Technology & Electronic Engineering, 2015, 16(4): 259-271.

@article{title="A lightweight authentication scheme with user untraceability",
author="Kuo-Hui Yeh",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="16",
number="4",
pages="259-271",
year="2015",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.1400232"
}

%0 Journal Article
%T A lightweight authentication scheme with user untraceability
%A Kuo-Hui Yeh
%J Frontiers of Information Technology & Electronic Engineering
%V 16
%N 4
%P 259-271
%@ 2095-9184
%D 2015
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1400232

TY - JOUR
T1 - A lightweight authentication scheme with user untraceability
A1 - Kuo-Hui Yeh
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 16
IS - 4
SP - 259
EP - 271
%@ 2095-9184
Y1 - 2015
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1400232


Abstract: 
With the rapid growth of electronic commerce and associated demands on variants of Internet based applications, application systems providing network resources and business services are in high demand around the world. To guarantee robust security and computational efficiency for service retrieval, a variety of authentication schemes have been proposed. However, most of these schemes have been found to be lacking when subject to a formal security analysis. Recently, Chang et al. (2014) introduced a formally provable secure authentication protocol with the property of user-untraceability. Unfortunately, based on our analysis, the proposed scheme fails to provide the property of user-untraceability as claimed, and is insecure against user impersonation attack, server counterfeit attack, and man-in-the-middle attack. In this paper, we demonstrate the details of these malicious attacks. A security enhanced authentication scheme is proposed to eliminate all identified weaknesses.

In the paper, the authors analyzed Chang et al.'s authentication scheme and proposed an improved protocol to overcome weaknesses in Chang et al.'s protocol. They also demonstated that their scheme could withstand various attacks and provably secure in the random oracle model. The paper is writen well.

一套具备使用者不可追踪性的轻量化身分鉴别机制

目的:随着电子商务应用的蓬勃发展,如何安全且有效率地提供足够的网路资源或线上服务给远端使用者逐渐成为一门研究显学。鉴于此,本论文主要针对目前商务网路环境设计使用者身分鉴别机制。
创新点:本研究所提出的鉴别机制主要利用杂凑函数(Hash function)作为机制内的资讯保护技术,并以一套新设计的讯息传递逻辑成功完成多个体间的相互身分鉴别,如此将可同时达到计算安全与轻量化效能两大效益。
方法:藉由使用者注册(Registration)、登入与鉴别(Login and authentication)、密码变更(Password change)等三大阶段来完成并良好管理使用者身分鉴别与讯息传输安全。
结论:本论文主要针对现有网路环境下的商务架构,进行使用者身分鉴别机制设计。在协定安全度方面,根据传输逻辑分析与安全正式化分析结果,所提方法的安全可行性已被成功证实。在效能方面,本研究比近期所提出的几份相关机制(Tsai et al., 2013;Chang et al., 2014;Kumari and Khan, 2014)皆更为有效率(表2、3)。

关键词:身分鉴别;隐私;安全;智慧卡;不可追踪性

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference

[1]Bellare, M., Rogaway, P., 1994. Entity authentication and key distribution. LNCS, 773:232-249.

[2]Bellare, M., Pointcheval, D., Rogaway, P., 2000. Authenticated key exchange secure against dictionary attacks. Advances in Cryptology-EUROCRYPT, p.139-155.

[3]Blake-Wilson, S., Johnson, D., Menezes, A., 1997. Key agreement protocols and their security analysis. 6th IMA Int. Conf. on Cryptography Coding, p.30-45.

[4]Burrows, M., Abadi, M., Needham, R., 1990. A logic of authentication. ACM Trans. Comput. Syst., 8(1):18-36.

[5]Chang, C.C., Lee, C.Y., 2012. A secure single sign-on mechanism for distributed computer networks. IEEE Trans. Ind. Electron., 59(1):629-637.

[6]Chang, Y.F., Tai, W.L., Chang, H.C., 2014. Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst., 27(11):3430-3440.

[7]He, D., Wu, S., 2012. Security flaws in a smart card based authentication scheme for multi-server environment. Wirel. Pers. Commun., 70(1):323-329.

[8]Hsiang, C., Shih, W.K., 2009. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interf., 31(6):1118-1123.

[9]Hsieh, W., Leu, J., 2012. Exploiting hash functions to intensify the remote user authentication scheme. Comput. Secur., 31(6):791-798.

[10]Huang, X., Chen, X., Li, J., et al., 2013. Further observations on smart-card-based password-authenticated key agreement in distributed systems. IEEE Trans. Parall. Distr. Syst., 25(7):1767-1775.

[11]Juang, W.S., Chen, S.T., Liaw, H.T., 2008. Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron., 55(6):2551-2556.

[12]Kumari, S., Khan, M.K., 2014. Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst., 27(12):3939-3955.

[13]Lamport, L., 1981. Password authentication with insecure communication. Commun. ACM, 24(11):770-772.

[14]Li, C.T., Lee, C.C., Liu, C.J., et al., 2011. A robust remote user authentication scheme against smart card security breach. 25th Annual IFIP WG 11.3 Conf., p.231-238.

[15]Li, X., Qiu, W., Zheng, D., et al., 2010. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron., 57(2):793-800.

[16]Li, X., Xiong, Y., Ma, J., et al., 2012. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Network Comput. Appl., 35(2):763-769.

[17]Liao, Y.P., Wang, S.S., 2009. A secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interf., 31(1):24-29.

[18]Sood, S.K., Sarje, A.K., Singh, K., 2011. A secure dynamic identity based authentication protocol for multi-server architecture. J. Network Comput. Appl., 34(2):609-618.

[19]Sun, D.Z., Huai, J.P., Sun, J.Z., et al., 2009. Improvements of Juang et al.’s password-authenticated key agreement scheme using smart cards. IEEE Trans. Ind. Electron., 56(6):2284-2291.

[20]Tsai, J.L., Lo, N.W., Wu, T.C., 2013. Novel anonymous authentication scheme using smart cards. IEEE Trans. Ind. Inform., 9(4):2004-2013.

[21]Wang, D., Ma, C.G., 2012. Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards. J. China Univ. Posts Telecommun., 19(5):104-114.

[22]Wang, D., Wang, P., 2013. Offline dictionary attack on password authentication schemes using smart cards. 16th Information Security Conf., p.1-16.

[23]Wang, D., Wang, P., 2014. On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions. Comput. Networks, 73:41-57.

[24]Wang, D., Ma, C., Wang, P., et al., 2012a. iPass: privacy preserving two-factor authentication scheme against smart card loss problem. Cryptology ePrint Archive, 439:1-35.

[25]Wang, D., Ma, C., Wang, P., 2012b. Secure password-based remote user authentication scheme with non-tamper resistant smart cards. 26th Annual IFIP Conf. on Data and Applications Security and Privacy, p.114-121.

[26]Wang, D., He, D., Wang, P., et al., 2014. Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Depend. Secure Comput., in press.

[27]Wang, G., Yu, J., Xie, Q., 2013. Security analysis of a single sign-on mechanism for distributed computer networks. IEEE Trans. Ind. Inform., 9(1):294-302.

[28]Wang, Y., 2012. Password protected smart card and memory stick authentication against off-line dictionary attacks. 27th IFIP TC 11 Information Security and Privacy Conf., p.489-500.

[29]Yeh, K.H., Lo, N.W., Li, Y., 2011. Cryptanalysis of Hsiang-Shih’s authentication scheme for multi-server architecture. Int. J. Commun. Syst., 24(7):829-836.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Please provide your name, email address and a comment





Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - Journal of Zhejiang University-SCIENCE