Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment

IEEE Transactions on Dependable and Secure Computing

Volumn 12, Issue 4, 2015, Pages 428-442

  Wang, Ding ^a   He, Debiao ^b   Wang, Ping ^a   Chu, Chao Hsien ^c  

^a PEKING UNIVERSITY   (China)

^b WUHAN UNIVERSITY   (China)

^c PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

de synchronization attack; offline dictionary attack; smart card loss attack; Two factor authentication; user anonymity

Indexed keywords

COMMERCE; COMPUTER CRIME; CRYPTOGRAPHY; ECONOMIC AND SOCIAL EFFECTS; NETWORK SECURITY; SMART CARDS;

DE-SYNCHRONIZATION ATTACKS; DISTRIBUTED SYSTEMS; INHERENT LIMITATIONS; OFF-LINE DICTIONARY ATTACKS; SECURITY AND PRIVACY; SECURITY REQUIREMENTS; TWO FACTOR AUTHENTICATION; USER ANONYMITY;

AUTHENTICATION;

EID: 84975275069     PISSN: 15455971     EISSN: 19410018     Source Type: Journal    
DOI: 10.1109/TDSC.2014.2355850     Document Type: Article

References (60)

1. M. Bond, O. Choudary, and S. Murdoch, "Chip and skim: Cloning EMV cards with the pre-play attack," in Proc. IEEE S&P 2014, 2014, pp. 1-15.
2. D. Wang and P. Wang, "On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions," Comput. Netw., vol. 73, pp. 41-57, 2014.
3. N. Gunson, D. Marshall, H. Morton, and M. Jack, "User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking," Comput. Security, vol. 30, no. 4, pp. 208-220, 2011.
4. W.-H. Yang and S.-P. Shieh, "Password authentication schemes with smart cards," Comput. Security, vol. 18, no. 8, pp. 727-733, 1999.
5. M. Bellare, D. Pointcheval, and P. Rogaway, "Authenticated key exchange secure against dictionary attacks," in Proc. 19th Int. Conf. Theory Appl. Cryptographic Tech., 2000, vol. 1807, pp.139-155.
6. J. Katz, R. Ostrovsky, and M. Yung, "Efficient and secure authenticated key exchange using weak passwords," J. ACM, vol. 57, no. 1, pp. 1-41, 2009.
7. 50 million compromised in evernote hack. (2013, Mar.) [Online]. Available: http://www.cnn.com/2013/03/04/tech/web/evernote-hacked/
8. P. Sean, LinkedIn Passwords Leaked Online: Hackers are beginning to decrypt 6.4 million passwords. (2012, Jun. 6) [Online]. Available: http://www.webpronews.com/linkedin-passwords-leakedonline-2012-06
9. Heartbleed-openssl zero-day bug leaves millions of websites vulnerable. (2014, Apr.) [Online]. Available: http://www.tuicool.com/articles/yyUfUz
10. G. Yang, D. Wong, H. Wang, and X. Deng, "Two-factor mutual authentication based on smart cards and passwords," J. Comput. Syst. Sci., vol. 74, no. 7, pp. 1160-1172, 2008.
11. X. Li, W. Qiu, D. Zheng, K. F. Chen, and J. Li, "Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards," IEEE Trans. Ind. Electron., vol. 57, no. 2, pp. 793-800, Feb. 2010.
12. X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, "A generic framework for three-factor authentication: Preserving security and privacy in distributed systems," IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 8, pp. 1390-1397, Aug. 2011.
13. Y. G. Wang, "Password protected smart card and memory stick authentication against off-line dictionary attacks," in Proc. Inform. Security Privacy Conf., 2012, vol. 376, pp. 489-500.
14. F. Zhu, S. Carpenter, and A. Kulkarni, "Understanding identity exposure in pervasive computing environments," Pervasive Mob. Comput., vol. 8, no. 5, pp. 777-794, 2012.
15. M. Das, A. Saxena, and V. Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Trans. Consum. Electron., vol. 50, no. 2, pp. 629-631, May 2004.
16. Y. Wang, J. Liu, F. Xiao, and J. Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme," Comput. Commun., vol. 32, no. 4, pp. 583-585, 2009.
17. M. Khan and S. Kim, "Cryptanalysis and security enhancement of a more efficient & secure dynamic ID-based remote user authentication scheme'," Comput. Commun., vol. 34, no. 3, pp. 305-309, 2011.
18. Y.-F. Chang, W.-L. Tai, and H.-C. Chang, "Untraceable dynamicidentity-based remote user authentication scheme with verifiable password update," Int. J. Commun. Syst., 2013, Doi: 10.1002/dac.2368.
19. T. H. Kim, C. Kim, and I. Park, "Side channel analysis attacks using am demodulation on commercial smart cards with seed," J. Syst. Soft., vol. 85, no. 12, pp. 2899-2908, 2012.
20. K. Nohl, D. Evans, S. Starbug, and H. Plötz, "Reverse-engineering a cryptographic rfid tag," in Proc. 17th Conf. Security Symp., 2008, pp.185-193.
21. A. Barenghi, L. Breveglieri, and D. Naccache, "Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures," Proc. IEEE, vol. 100, no. 11, pp. 3056-3076, Nov. 2012.
22. R. C. Wang, W. S. Juang, and C. L. Lei, "Robust authentication and key agreement scheme preserving the privacy of secret key," Comput. Commun., vol. 34, no. 3, pp. 274-280, 2011.
23. K. Xue, P. Hong, and C. Ma, "A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture," J. Comput. Syst. Sci., vol. 80, no. 1, pp. 195-206, 2014.
24. S. H. Wu, Y. F. Zhu, and Q. Pu, "Robust smart-cards-based user authentication scheme with user anonymity," Security Commun. Netw., vol. 5, no. 2, pp. 236-248, 2012.
25. R. Madhusudhan and R. Mittal, "Dynamic ID-based remote user password authentication schemes using smart cards: A review," J. Netw. Comput. Appl., vol. 35, no. 4, pp. 1235-1248, 2012.
26. I. Liao, C. Lee, and M. Hwang, "A password authentication scheme over insecure networks," J. Comput. Syst. Sci., vol. 72, no. 4, pp. 727-740, 2006.
27. C. Tsai, C. Lee, and M. Hwang, "Password authentication schemes: current status and key issues," Int. J. Netw. Security, vol. 3, no. 2, pp. 101-115, 2006.
28. X. Li, J. Niu, M. Khurram Khan, and J. Liao, "An enhanced smart card based remote user password authentication scheme," J. Netw. Comput. Appl., vol. 36, no. 5, pp. 1365-1371, 2013.
29. J.-L. Tsai, N.-W. Lo, and T.-C. Wu, "Novel anonymous authentication scheme using smart cards," IEEE Trans. Ind. Inform., vol. 9, no. 4, pp. 2004-2013, Nov. 2013.
30. X. Huang, X. Chen, J. Li, Y. Xiang, and L. Xu, "Further observations on smart-card-based password-authenticated key agreement in distributed systems," IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 7, pp. 1767-1775, Jul. 2014.
31. S. Kumari and M. K. Khan, "More secure smart card-based remote user password authentication scheme with user anonymity," Security Comm. Netw., 2014.
32. D. Wang, and P. Wang, "Offline dictionary attack on password authentication schemes using smart cards," in Proc. 16th Inform. Security Conf., 2013, pp. 1-16.
33. C.-T. Li, "A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card," IET Inform. Security, vol. 7, no. 1, pp. 3-10, 2013.
34. K. H. Yeh, C. Su, N. W. Lo, Y. Li, and Y. X. Hung, "Two robust remote user authentication protocols using smart cards," J. Syst. Softw., vol. 83, no. 12, pp. 2556-2565, 2010.
35. D. Wang, P. Wang, C. Ma, and Z. Chen, "iPass: Robust smart card based password authentication scheme against smart card loss problem," J. Comput. Syst. Sci., In press, 2014, full version [Online]. Available: http://eprint.iacr.org/2012/439.pdf.
36. R. Canetti and H. Krawczyk, "Analysis of key-exchange protocols and their use for building secure channels," in Proc. Int. Conf. Theory Appl. Cryptographic Tech.: Adv. Cryptol., 2001, vol. 2045, pp. 453-474.
37. J. Bonneau, M. Just, and G. Matthews, "What's in a name?" in Proc. FC, 2010, vol. 6052, pp. 98-113.
38. M. Scott, Cryptanalysis of a recent two factor authentication scheme. (2012). Cryptology ePrint Archive, Rep. 2012/527 [Online]. Available: http://eprint.iacr.org/2012/527.pdf
39. C. Ma, D. Wang, and S. Zhao, "Security flaws in two improved remote user authentication schemes using smart cards," Int. J. Commun. Syst., 2012, Doi: 10.1002/dac.2468.
40. E. Morse, M. Theofanos, Y. Choong, C. Paul, and A. Zhang, "Usability of piv smartcards for logical access," US Dept. Commerce, NIST, Gaithersburg, MD, USA, Tech. Rep. NIST-IR-7867, 2012.
41. J. Xu, W. Zhu, and D. Feng, "An improved smart card based password authentication scheme with provable security," Comput. Stand. Inter., vol. 31, no. 4, pp. 723-728, 2009.
42. Miracl library, Shamus Software Ltd. (2013, May) [Online]. Available: http://www.shamus.ie/index.php?page=home
43. J. Bonneau, "The science of guessing: Analyzing an anonymized corpus of 70 million passwords," in Proc. IEEE Symp. Security Privacy, 2012, pp. 538-552.
44. Standards for Efficient Cryptography, SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0, Certicom Research. (2010, Jan.) [Online]. Available: http://www.secg.org/download/aid-784/sec2-v2.pdf
45. J. Nam, S. Kim, and D. Won, "Security analysis of a nonce-based user authentication scheme using smart cards," IEICE Trans. Fund. Electron. Comm. Comput. Sci., vol. 90, no. 1, pp. 299-302, 2007.
46. M. Alsaleh, M. Mannan, and P. Van Oorschot, "Revisiting defenses against large-scale online password guessing attacks," IEEE Trans. Depend Secur. Comput., vol. 9, no. 1, pp. 128-141, Jan./Feb. 2012.
47. Thinking Putty defeats Fingerprint Scanners! Dan's Data (2013, Sep.) [Online]. Available: http://www.puttyworld.com/thinputdeffi.html
48. X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, "Robust multifactor authentication for fragile communications," IEEE Trans. Depend. Secur. Comput., 2013, Doi: 10.1109/TDSC.2013.2297110.
49. S. Kumari and M. K. Khan, "Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme," Int. J. Commun. Syst., 2013, Doi: 10.1002/dac.2590.
50. G.-L. Wang, J.-S. Yu, and Q. Xie, "Security analysis of a single sign-on mechanism for distributed computer networks," IEEE Trans. Ind. Inform., vol. 9, no. 1, pp. 294-302, Feb. 2013.
51. F. Bao, Security can only be measured by attacks. (2008) [Online]. Available: http://wenku.baidu.com/view/ff14a31ea300a6c30c229f7a.html
52. E. Fujisaki and T. Okamoto, " Secure integration of asymmetric and symmetric encryption schemes," in Proc. CRYPTO 19th Annu. Int. Cryptol. Conf., 1999, vol. 1666, pp. 537-554.
53. D. Chaum and E. Heyst, " Group signatures," in Proc. Workshop Theory Appl. Cryptographic Tech., 1991, vol. 547, pp. 257-265.
54. J. Ren, and L. Harn, "An efficient threshold anonymous authentication scheme for privacy-preserving communications," IEEE Trans. Wireless Commun., vol. 12, no. 3, pp. 1018-1025, Mar. 2013.
55. H. Maji, M. Prabhakaran, and M. Rosulek, "Attribute-based signatures," in Proc. CT-RSA, 2011, pp. 376-392.
56. D. He, C. Chen, S. Chan, and J. Bu, "Secure and efficient handover authentication based on bilinear pairing functions," IEEE Trans. Wireless Commun., vol. 11, no. 1, pp. 48-53, Jan. 2012.
57. S. Goldwasser and S. Micali, "Probabilistic encryption," J. Comput. Syst. Sci., vol. 28, no. 2, pp. 270-299, 1984.
58. N. Koblitz and A. J. Menezes, "Another look at 'provable security'," J. Cryptol., vol. 20, no. 1, pp. 3-37, 2007.
59. T.-Y. Li and G.-L. Wang, "Analyzing a family of key protection schemes against modification attacks," IEEE Trans. Depend. Secur. Comput., vol. 8, no. 5, pp. 770-776, Sep./Oct. 2011.
60. A. Menezes. (2012). Another look at provable security, Proc. 31st Annu. Int. Conf. Theory Appl. Cryptographic Tech., vol. 7237, p. 8 [Online]. Available: http://www.cs.bris.ac.uk/eurocrypt2012/Program/Weds/Menezes.pdf