Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity

Information Sciences

Volumn 321, Issue , 2015, Pages 162-178

  Wang, Ding ^a,b   Wang, Nan ^a   Wang, Ping ^a,b   Qing, Sihan ^a  

^a PEKING UNIVERSITY   (China)

^b Ministry of Education   (China)

Author keywords

De synchronization; Password authentication; Random oracle model; User anonymity

Indexed keywords

COMPUTER CRIME; CRYPTOGRAPHY; DATA PRIVACY; MOBILE SECURITY; SYNCHRONIZATION;

DE-SYNCHRONIZATION ATTACKS; DESYNCHRONIZATION; PASSWORD AUTHENTICATION; PRIVACY PRESERVING; RANDOM ORACLE MODEL; SECURITY AND PRIVACY; TWO FACTOR AUTHENTICATION; USER ANONYMITY;

AUTHENTICATION;

EID: 84938203681     PISSN: 00200255     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ins.2015.03.070     Document Type: Article

References (111)

1. M. Abdalla, P.-A. Fouque, and D. Pointcheval Password-based authenticated key exchange in the three-party setting S. Vaudenay, PKC 2005 LNCS vol. 3386 2005 Springer Berlin Heidelberg 65 84
2. A. Acquisti, L. Brandimarte, and G. Loewenstein Privacy and human behavior in the age of information Science 347 6221 2015 509 514
3. J. Balasch, B. Gierlichs, R. Verdult, L. Batina, and I. Verbauwhede Power analysis of Atmel CryptoMemory-recovering keys from secure EEPROMs O. Dunkelman, CT-RSA 2012 LNCS vol. 7178 2012 Springer Berlin/Heidelberg 19 34
4. A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache Fault injection attacks on cryptographic devices: theory, practice, and countermeasures Proc. IEEE 100 11 2012 3056 3076
5. S.M. Bellovin, and M. Merritt Encrypted key exchange: password-based protocols secure against dictionary attacks Proceedings of IEEE S&P 1992 1992 IEEE 72 84
6. L. Bilge, and T. Dumitras Before we knew it: an empirical study of zero-day attacks in the real world Proceedings of ACM CCS 2012 2012 ACM 833 844
7. J. Bohannon Credit card study blows holes in anonymity Science 347 6221 2015 468-468
8. J. Bonneau The science of guessing: analyzing an anonymized corpus of 70 million passwords Proceedings of IEEE S&P 2012 2012 IEEE Computer Society 538 552
9. J. Bonneau, M. Just, and G. Matthews Whats in a name? R. Sion, FC 2010 LNCS vol. 6052 2010 Springer Berlin/Heidelberg 98 113
10. G. Bouffard, and J.-L. Lanet The next smart card nightmare D. Naccache, Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday-Cryptography and Security: From Theory to Applications LNCS vol. 6805 2012 Springer Berlin Heidelberg 405 424
11. E. Bresson, O. Chevassut, and D. Pointcheval Security proofs for an efficient password-based key exchange Proceedings of ACM CCS 2003 2003 ACM New York, NY, USA 241 250
12. E. Bresson, O. Chevassut, and D. Pointcheval New security results on encrypted key exchange F. Bao, R. Deng, J. Zhou, PKC 2004 LNCS vol. 2947 2004 Springer-Verlag 145 158
13. S. Cai, Y. Li, T. Li, and R.H. Deng Attacks and improvements to an RIFD mutual authentication protocol and its extensions Proceedings of ACM WiSec 2009 2009 ACM New York, NY, USA 51 58
14. C.C. Chang, and T.C. Wu Remote password authentication with smart cards IEE Proc.-Comp. Dig. Techniq. 138 3 1991 165 168
15. Y.-F. Chang, W.-L. Tai, and H.-C. Chang Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update Int. J. Commun. Syst. 27 11 2014 3430 3440
16. B. Chen, W. Kuo, and L. Wuu Robust smart-card-based remote user password authentication scheme Int. J. Commun. Syst. 27 2 2014 377 389
17. T.H. Chen, H.C. Hsiang, and W.K. Shih Security enhancement on an improvement on two remote user authentication schemes using smart cards Fut. Gener. Comp. Syst. 27 4 2011 377 380
18. H. Chung, W. Ku, and M. Tsaur Weaknesses and improvement of Wang et al.'s remote user password authentication scheme for resource-limited environments Comput. Stand. Inter. 31 4 2009 863 868
19. L. Constantin, Sony Stresses that PSN Passwords were Hashed < http://news.softpedia.com/news/Sony-Stresses-PSN-Passwords-Were-Hashed-198218.shtml > (May 2011).
20. J.-S. Coron, J. Patarin, and Y. Seurin The random oracle model and the ideal cipher model are equivalent D. Wagner, CRYPTO 2008 LNCS vol. 5157 2008 Springer Berlin/Heidelberg 1 20
21. A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang The tangled web of password reuse Proceedings of NDSS 2014 2014 The Internet Society 1 15
22. M. Das, A. Saxena, and V. Gulati A dynamic id-based remote user authentication scheme IEEE Trans. Consum. Electron. 50 2 2004 629 631
23. M.L. Das Two-factor user authentication in wireless sensor networks IEEE Trans. Wirel. Commun. 8 3 2009 1086 1090
24. Dazzlepod Inc., CSDN Cleartext Passwords, Online News < http://dazzlepod.com/csdn/ > (March 2013).
25. M. Dell'Amico, P. Michiardi, and Y. Roudier Password strength: an empirical analysis Proceedings of INFOCOM 2010 2010 IEEE 1 9
26. S. Drimer, S.J. Murdoch, and R. Anderson Thinking inside the box: system-level failures of tamper proofing Proceedings of 2008 IEEE Security & Privacy 2008 IEEE 281 295
27. EMVCo, LLC., Integrated Circuit Card Specifications for Payment Systems: Europay, Mastercard and Visa < http://www.emvco.com/specifications.aspx?id=223 > (November 2011).
28. N. Ernstmann, O. Ommen, M. Neumann, A. Hammer, R. Voltz, and H. Pfaff Primary care physician's attitude towards the german e-health card projectłdeterminants and implications J. Med. Syst. 33 3 2009 181 188
29. ETSI-TS-102: Smart Cards; UICC-Terminal Interface; Physical and Logical Characteristics < http://www.etsi.org/standards > (February 2010).
30. C. Fan, Y. Chan, and Z. Zhang Robust remote authentication scheme with smart cards Comp. Sec. 24 8 2005 619 628
31. N. Ferguson, B. Schneier, and T. Kohno Cryptography Engineering: Design Principles and Practical Applications 2010 John Wiley & Sons
32. D. Florencio, and C. Herley A large-scale study of web password habits Proceedings of WWW 2007 2007 ACM New York, NY, USA 657 666
33. E. Fujisaki, and T. Okamoto Secure integration of asymmetric and symmetric encryption schemes M. Wiener, Proceedings of CRYPTO 1999 LNCS vol. 1666 1999 Springer Verlag 537 554
34. A.R.A. Grégio, D.S. Fernandes, V.M. Afonso, P.L. de Geus, V.F. Martins, and M. Jino An empirical analysis of malicious internet banking software behavior Proceedings of the 28th Annual ACM Symposium on Applied Computing (SAC 2013) 2013 ACM 1830 1835
35. S. Halevi, and H. Krawczyk Public-key cryptography and password protocols ACM Trans. Inf. Syst. Sec. 2 3 1999 230 268
36. D. He, N. Kumar, and N. Chilamkurti A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks Inf. Sci. 321 2015 263 277
37. D.B. He, J.H. Chen, and J. Hu Improvement on a smart card based password authentication scheme J. Internet Technol. 13 3 2012 38 42
38. D.J. He, C. Chen, J. Bu, S. Chan, and Y. Zhang Security and efficiency in roaming services for wireless networks: challenges, approaches, and prospects IEEE Commun. Magaz. 51 2 2013 142 150
39. D.J. He, M.D. Ma, Y. Zhang, C. Chen, and J.J. Bu A strong user authentication scheme with smart cards for wireless communications Comput. Commun. 34 3 2011 367 374
40. X. Huang, X. Chen, J. Li, Y. Xiang, and L. Xu Further observations on smart-card-based password-authenticated key agreement in distributed systems IEEE Trans. Parallel Distrib. Syst. 25 7 2014 1767 1775
41. D. Hughes, V. Shmatikov, and Information hiding anonymity and privacy: a modular approach J. Comp. Sec. 12 1 2004 3 36
42. J.Y. Hwang, S. Lee, B.-H. Chung, H.S. Cho, and D. Nyang Group signatures with controllable linkability for dynamic membership Inf. Sci. 222 2013 761 778
43. Q. Jiang, J. Ma, G. Li, and X. Li Improvement of robust smart-card-based password authentication scheme Int. J. Commun. Syst. 28 2 2015 383 393
44. Q. Jiang, J. Ma, Z. Ma, and G. Li A privacy enhanced authentication scheme for telecare medical information systems J. Med. Syst. 37 1 2013 1 8
45. Q. Jiang, Z. Ma, J.F. Ma, and G. Li Security enhancement of robust user authentication framework for wireless sensor networks China Commun. 9 10 2012 103 111
46. W.-S. Juang, S.-T. Chen, and H.-T. Liaw Robust and efficient password-authenticated key agreement using smart cards IEEE Trans. Ind. Electron. 55 6 2008 2551 2556
47. J. Katz, P. MacKenzie, G. Taban, and V. Gligor Two-server password-only authenticated key exchange J. Comp. Syst. Sci. 78 2 2012 651 669
48. J. Katz, R. Ostrovsky, and M. Yung Efficient and secure authenticated key exchange using weak passwords J. ACM 57 1 2009 1 41
49. M. Khan, S. Kim, and K. Alghathbar Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme' Comp. Commun. 34 3 2011 305 309
50. K.-K. Kim, and M.-H. Kim An enhanced anonymous authentication and key exchange scheme using smartcard A. Juels, C. Pa ar, Proceedings of the 15th International Conference on Information Security and Cryptology (ICISC 2012) LNCS vol. 7839 2012 Springer Berlin/Heidelberg 487 494
51. H. Krawczyk HMQV: a high-performance secure Diffie-Hellman protocol V. Shoup, CRYPTO 2005 LNCS vol. 3621 2005 Springer Berlin/Heidelberg 546 566
52. S. Kumari, and M.K. Khan Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme Int. J. Commun. Syst. 27 12 2014 3939 3955
53. C. Lai, H. Li, X. Liang, R. Lu, K. Zhang, and X. Shen CPAL: a conditional privacy-preserving authentication with access linkability for roaming service IEEE Internet Things J. 1 1 2014 46 57
54. X. Leroy, Smart Card Security From a Programming Language and Static Analysis Perspective, INRIA Rocquencourt & Trusted Logic, Tecnical Report, 2013 < http://pauillac.inria.fr/-xleroy/talks/language-security-etaps03.pdf.
55. C.-T. Li A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card IET Inf. Sec. 7 1 2013 3 10
56. C.-T. Li, and M.-S. Hwang A lightweight anonymous routing protocol without public key en/decryptions for wireless ad hoc networks Inf. Sci. 181 23 2011 5333 5347
57. C.T. Li, and C.C. Lee A robust remote user authentication scheme using smart card Inf. Technol. Control 40 3 2011 236 245
58. T.-Y. Li, and G.-L. Wang Security analysis of two ultra-lightweight RFID authentication protocols H. Venter, M. Eloff, L. Labuschagne, J. Eloff, R. Solms, Proceedings of SEC 2007 IFIP AICT vol. 232 2007 Springer-Verlag 109 120
59. X. Li, J. Niu, M.K. Khan, and J. Liao An enhanced smart card based remote user password authentication scheme J. Netw. Comput. Appl. 36 5 2013 1365 1371
60. X. Li, Y. Xiong, J. Ma, and W. Wang An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards J. Netw. Comput. Appl. 35 2 2012 763 769
61. X.X. Li, W.D. Qiu, D. Zheng, K.F. Chen, and J. Li Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards IEEE Trans. Ind. Electron. 57 2 2010 793 800
62. J. Long, No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing, Syngress, 2011.
63. C.-G. Ma, D. Wang, and S. Zhao Security flaws in two improved remote user authentication schemes using smart cards Int. J. Commun. Syst. 27 10 2014 2215 2227
64. R. Madhusudhan, and R. Mittal Dynamic id-based remote user password authentication schemes using smart cards: a review J. Netw. Comput. Appl. 35 4 2012 1235 1248
65. K. Mangipudi, and R. Katti A secure identification and key agreement protocol with user anonymity (sika) Comp. Sec. 25 6 2006 420 425
66. T.S. Messerges, E.A. Dabbish, and R.H. Sloan Examining smart-card security under the threat of power analysis attacks IEEE Trans. Comp. 51 5 2002 541 552
67. A. Moradi, A. Barenghi, T. Kasper, and C. Paar On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs Proceedings of ACM CCS 2011 2011 ACM New York, NY, USA 111 124
68. E. Morse, M. Theofanos, Y. Choong, C. Paul, A. Zhang, FIPS 201: Personal Identity Verification of Federal Employees and Contractors, Tech. rep., National Institute of Standards and Technology, McLean, VA, August 2013, http://dx.doi.org/10.6028/NIST/.FIPS.201-2.
69. S.J. Murdoch, S. Drimer, R. Anderson, and M. Bond Chip and pin is broken Proceedings of IEEE S&P 2010 2010 IEEE Computer Society 433 446
70. K. Nohl, D. Evans, S. Starbug, H. Plötz, Reverse-engineering a cryptographic RFID tag, in: USENIX Security 2008, USENIX Association, 2008, pp. 185-193.
71. A. Patrice, B.B. Macq, Feature-based watermarking of 3d objects: toward robustness against remeshing and desynchronization, in: Proceedings of SPIE, vol. 5681, 2005, pp. 400-408.
72. B. Pinkas, and T. Sander Securing passwords against dictionary attacks Proceedings of ACM CCS 2002 2002 ACM 161 170
73. D. Pointcheval Provable security for public key schemes Contemporary Cryptology 2005 Springer 133 190
74. D. Pointcheval Password-based authenticated key exchange M. Fischlin, J. Buchmann, M. Manulis, PKC 2012 LNCS vol. 7293 2012 Springer Berlin/Heidelberg 390 397
75. M. Scott, Miracl Library, CertiVox UK Ltd., 2011 < https://www.certivox.com/miracl >.
76. M. Scott, N. Costigan, and W. Abdulwahab Implementing cryptographic pairings on smartcards L. Goubin, M. Matsui, CHES 2006 LNCS vol. 4249 2006 Springer Berlin Heidelberg 134 147
77. K. Shim Security flaws in three password-based remote user authentication schemes with smart cards Cryptologia 36 1 2012 62 69
78. H. Shirazi, J. Cosmas, and D. Cutts A cooperative cellular and broadcast conditional access system for pay-tv systems IEEE Trans. Multim. 56 1 2010 44 57
79. R. Song Advanced smart card based password authentication protocol Comp. Stand. Interf. 32 5 2010 321 325
80. H.-M. Sun, B.-Z. He, C.-M. Chen, T.-Y. Wu, C.-H. Lin, and H. Wang A provable authenticated group key agreement protocol for mobile environment Inf. Sci. 321 2015 224 237
81. J. Sun, C. Zhang, Y. Zhang, and Y. Fang Sat: a security architecture achieving anonymity and traceability in wireless mesh networks IEEE Trans. Depend. Secur. Comput. 8 2 2011 295 307
82. J. Tsai, T. Wu, and K. Tsai New dynamic id authentication scheme using smart cards Int. J. Commun. Syst. 23 12 2010 1449 1462
83. J.-L. Tsai, N.-W. Lo, and T.-C. Wu Novel anonymous authentication scheme using smart cards IEEE Trans. Ind. Inform. 9 4 2013 2004 2013
84. W.-J. Tsaur, J.-H. Li, and W.-B. Lee An efficient and secure multi-server authentication scheme with key agreement J. Syst. Softw. 85 4 2012 876 882
85. A.G. Vicente, I.B. Munoz, J.L.L. Galilea, and P.A.R. del Toro Remote automation laboratory using a cluster of virtual machines IEEE Trans. Ind. Electron. 57 10 2010 3276 3283
86. C.-H. Wang, and S. Chin A new RFID authentication protocol with ownership transfer in an insecure communication environment Proceedings of the Ninth International Conference on Hybrid Intelligent Systems (HIS 2009) vol. 1 2009 IEEE 486 491
87. D. Wang, D. He, P. Wang, and C.-H. Chu Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment IEEE Trans. Depend. Secur. Comput. 2014 http://dx.doi.org/10.1109/TDSC.2014.2355850
88. D. Wang, and P. Wang Offline dictionary attack on password authentication schemes using smart cards Y. Desmedt, B. Thuraisingham, K. Hamlen, ISC 2013 LNCS 2013 Springer Berlin/Heidelberg 1 16 < http://eprint.iacr.org/2014/208.pdf >
89. D. Wang, and P. Wang On the usability of two-factor authentication Proceedings of SecureComm 2014 Lecture Notes in Computer Science 2015 Springer Berlin/Heidelberg 1 9
90. D. Wang, P. Wang, and J. Liu Improved privacy-preserving authentication scheme for roaming service in mobile networks Proceedings of 15th IEEE Wireless Communications and Networking Conference (WCNC 2014) 2014 IEE 3178 3183
91. D. Wang, P. Wang, C.G. Ma, Z. Chen, Robust Smart-Card-Based Password Authentication Scheme Against Smart Card Security Breach, Cryptology ePrint Archive, Report 2012/439, 2012 < http://eprint.iacr.org/2012/439.pdf >.
92. R.C. Wang, W.S. Juang, and C.L. Lei Robust authentication and key agreement scheme preserving the privacy of secret key Comp. Commun. 34 3 2011 274 280
93. Y. Wang, J. Liu, F. Xiao, and J. Dan A more efficient and secure dynamic id-based remote user authentication scheme Comp. Commun. 32 4 2009 583 585
94. Y.G. Wang Password protected smart card and memory stick authentication against off-line dictionary attacks D. Gritzalis, S. Furnell, M. Theoharidou, SEC 2012 IFIP AICT vol. 376 2012 Springer Boston 489 500
95. F. Wen A more secure anonymous user authentication scheme for the integrated epr information system J. Med. Syst. 38 5 2014 1 7
96. F. Wen, and X. Li An improved dynamic id-based remote user authentication with key agreement scheme Comp. Electr. Eng. 38 2 2012 381 387
97. F. Wen, W. Susilo, and G. Yang A secure and effective anonymous user authentication scheme for roaming service in global mobility networks Wirel. Pers. Commun. 73 3 2013 993 1004
98. S.H. Wu, Y.F. Zhu, and Q. Pu Robust smart-cards-based user authentication scheme with user anonymity Secur. Commun. Netw. 5 2 2012 236 248
99. T. Xiang, K. Wong, and X. Liao Cryptanalysis of a password authentication scheme over insecure networks J. Comp. Syst. Sci. 74 5 2008 657 661
100. Q. Xie Dynamic id-based password authentication protocol with strong security against smart card lost attacks P. Snac, M. Ott, A. Seneviratne, O. Akan, Proceedings of ICWCA 2012 LNICST vol. 72 2012 Springer Berlin/Heidelberg 412 418
101. H. Xiong, Y. Chen, Z. Guan, and Z. Chen Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys Inf. Sci. 235 2013 329 340
102. J. Xu, and W.-T. Zhu A generic framework for anonymous authentication in mobile networks J. Comp. Sci. Technol. 28 4 2013 732 742
103. J. Xu, W.-T. Zhu, and D.-G. Feng An efficient mutual authentication and key agreement protocol preserving user anonymity in mobile networks Comp. Commun. 34 3 2011 319 325
104. K. Xue, P. Hong, and C. Ma A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture J. Comp. Syst. Sci. 80 1 2014 195 206
105. Q. Yan, J. Han, Y. Li, and R.H. Deng On limitations of designing leakage-resilient password systems: attacks, principles and usability Proceedings of NDSS 2012, February 5-8 2012 The Internet Society San Diego, USA 1 16
106. G. Yang, D. Wong, H. Wang, and X. Deng Two-factor mutual authentication based on smart cards and passwords J. Comp. Syst. Sci. 74 7 2008 1160 1172
107. M.H. Yang Across-authority lightweight ownership transfer protocol Electron. Comm. Res. Appl. 10 4 2011 375 383
108. K.H. Yeh, C. Su, N.W. Lo, Y. Li, and Y.X. Hung Two robust remote user authentication protocols using smart cards J. Syst. Softw. 83 12 2010 2556 2565
109. X. Yi, S. Ling, and H.-X. Wang Efficient two-server password-only authenticated key exchange IEEE Trans. Paral. Distrib. Syst. 24 9 2013 1773 1782
110. Y. Zhang, J. Chen, B. Huang, and C. Peng An efficient password authentication scheme using smart card based on elliptic curve cryptography Inf. Technol. Control 43 4 2014 390 401
111. T. Zhou, and J. Xu Provable secure authentication protocol with anonymity for roaming service in global mobility networks Comp. Netw. 55 1 2011 205 213