Two Birds with One Stone: Two-Factor Authentication with Security beyond Conventional Bound

IEEE Transactions on Dependable and Secure Computing

Volumn 15, Issue 4, 2018, Pages 708-722

  Wang, Ding ^a   Wang, Ping ^a  

^a PEKING UNIVERSITY   (China)

Author keywords

provable security; random oracle model; smart card loss attack; Two factor authentication; Zipf's law

Indexed keywords

BIRDS; SMART CARDS;

COMPARATIVE EVALUATIONS; PASSWORD AUTHENTICATION; PROVABLE SECURITY; RANDOM ORACLE MODEL; SECURITY USABILITIES; SYSTEMATIC METHODOLOGY; TWO FACTOR AUTHENTICATION; ZIPF'S LAW;

AUTHENTICATION;

EID: 85038117533     PISSN: 15455971     EISSN: 19410018     Source Type: Journal    
DOI: 10.1109/TDSC.2016.2605087     Document Type: Article

References (61)

1. J. Bonneau, C. Herley, P. Oorschot, and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of Web authentication schemes, " in Proc. IEEE Symp. Secur. Privacy, 2012, pp. 553-567.
2. T. Wu, "The secure remote password protocol, " in Proc. Netw. Dis-trib. Syst. Secur. Symp., 1998, pp. 1-15.
3. J. Katz, R. Ostrovsky, and M. Yung, "Efficient and secure authenticated key exchange using weak passwords, " J. ACM, vol. 57, no. 1, pp. 1-41, 2009.
4. M. Abdalla, F. Benhamouda, and P. MacKenzie, "Security of the J-PAKE password-authenticated key exchange protocol, " in Proc. IEEE Symp. Secur. Privacy, 2015, pp. 571-587.
5. M. Adeptus, "Hashdumps and passwords, " May 2014. [Online]. Available: http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php
6. D. Wang and P. Wang, "On the implications of Zipf's law in passwords, " in Proc. Eur. Symp. Res. Comput. Secur., 2016, pp. 1-21.
7. J. Ma, W. Yang, M. Luo, and N. Li, "A study of probabilistic password models, " in Proc. IEEE Symp. Secur. Privacy, 2014, pp. 538-552.
8. J. Gosney, "Password cracking HPC, " in Proc. Password, 2012. [Online]. Available: http://bit.ly/1y00I3O
9. J. Goldberg, "Bcrypt is great, but is password cracking infeasible?" Mar. 2015. [Online]. Available: http://bit.ly/2bpadR8
10. T. Pham, "Four years later, anthem breached again: Hackers stole credentials, " Feb. 2015. [Online]. Available: http://bit.ly/2btkw6K
11. C. Allan, "32 million RockYou passwords stolen, " Dec. 2009. [Online]. Available: http://www.hardwareheaven.com/news. php?newsid=526
12. T. Fox-Brewster, "15 Million passwords appear to have leaked from 000webhost, " Oct. 2015. [Online]. Available: http://www. forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
13. E. Kovacs, "PhpBB asking users to change passwords following hack, " Dec. 2014. [Online]. Available: http://www.securityweek. com/phpbb-asking-users-change-passwords-following-hack
14. A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, "The tangled Web of password reuse, " in Proc. Netw. Distrib. Syst. Secur. Symp., 2014, pp. 1-15.
15. J. Camenisch, A. Lehmann, and G. Neven, "Optimal distributed password verification, " in Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Secur., 2015, pp. 182-194.
16. D. Weinshall, "Cognitive authentication schemes safe against spyware, " in Proc. IEEE Symp. Secur. Privacy, 2006, pp. 295-230.
17. Q. Yan, J. Han, Y. Li, and R. H. Deng, "On limitations of designing leakage-resilient password systems: Attacks, principles and usability, " in Proc. Netw. Distrib. Syst. Secur. Symp., 2012, pp. 1-16.
18. C. Chang and T. Wu, "Remote password authentication with smart cards, " IEE Comput. Digital Tech., vol. 138, no. 3, pp. 165-168, May 1991.
19. X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, "Robust multi-factor authentication for fragile communications, " IEEE Trans. Depend. Secur. Comput., vol. 11, no. 6, pp. 568-581, Nov./Dec. 2014.
20. J. Yu, G. Wang, Y. Mu, and W. Gao, "An efficient generic framework for three-factor authentication with provably secure instantiation, " IEEE Trans. Inf. Forensics Secur., vol. 9, no. 12, pp. 2302-2313, Dec. 2014.
21. D. Wang, D. He, P. Wang, and C.-H. Chu, "Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment, " IEEE Trans. Depend. Secur. Comput., vol. 12, no. 4, pp. 428-442, Jul./Aug. 2015.
22. G. M. Yang, D. S. Wong, H. X. Wang, and X. T. Deng, "Two-factor mutual authentication based on smart cards and passwords, " J. Comput. Syst. Sci., vol. 74, no. 7, pp. 1160-1172, 2008.
23. X. Huang, X. Chen, J. Li, Y. Xiang, and L. Xu, "Further observations on smart-card-based password-authenticated key agreement in distributed systems, " IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 7, pp. 1767-1775, Jul. 2014.
24. Y. G. Wang, "Password protected smart card and memory stick authentication against off-line dictionary attacks, " in Proc. 27th IFIP TC 11 Inf. Secur. Privacy Conf. Inf. Secur. Privacy Res., 2012, pp. 489-500.
25. R. Madhusudhan and R. Mittal, "Dynamic ID-based remote user password authentication schemes using smart cards: A review, " J. Netw. Comput. Appl., vol. 35, no. 4, pp. 1235-1248, 2012.
26. S. H. Wu, Y. F. Zhu, and Q. Pu, "Robust smart-cards-based user authentication scheme with user anonymity, " Secur. Commun. Netw., vol. 5, no. 2, pp. 236-248, 2012.
27. C. Fan, Y. Chan, and Z. Zhang, "Robust remote authentication scheme with smart cards, " Comput. Secur., vol. 24, no. 8, pp. 619-628, 2005.
28. J.-L. Tsai, N.-W. Lo, and T.-C. Wu, "Novel anonymous authentication scheme using smart cards, " IEEE Trans. Ind. Informat., vol. 9, no. 4, pp. 2004-2013, Nov. 2013.
29. J. Xu, W. Zhu, and D. Feng, "An improved smart card based password authentication scheme with provable security, " Comput. Standards Interfaces, vol. 31, no. 4, pp. 723-728, 2009.
30. M. Shirvanian, S. Jarecki, N. Saxena, and N. Nathan, "Two-factor authentication resilient to server compromise using mix-bandwidth devices, " in Proc. Netw. Distrib. Syst. Secur. Symp., 2014, pp. 1-16.
31. J. W. Byun, "Privacy preserving smartcard-based authentication system with provable security, " Secur. Commun. Netw., vol. 8, no. 17, pp. 3028-3044, 2015.
32. D. Wang, N. Wang, P. Wang, and S. Qing, "Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity, " Inf. Sci., vol. 321, pp. 162-178, 2015.
33. J. Bonneau, "The science of guessing: Analyzing an anonymized corpus of 70 million passwords, " in Proc. IEEE Symp. Secur. Privacy, 2012, pp. 538-552.
34. A. Juels and R. L. Rivest, "Honeywords: Making password-cracking detectable, " in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2013, pp. 145-160.
35. M. Bellare, D. Pointcheval, and P. Rogaway, "Authenticated key exchange secure against dictionary attacks, " in Proc. 19th Int. Conf. Theory Appl. Cryptographic Techn., 2000, pp. 139-155.
36. S. Halevi and H. Krawczyk, "Public-key cryptography and password protocols, " ACM Trans. Inf. Syst. Secur., vol. 2, pp. 230-268, 1999.
37. J. Liu, Y. Yu, and F.-X. Standaert, "Small tweaks do not help: Differential power analysis of milenage implementations in 3G/4G USIM cards, " in Proc. 20th Eur. Symp. Res. Comput. Secur., 2015, pp. 468-480.
38. X. Leroy, "Smart card security from a programming language and static analysis perspective, " 2013. [Online]. Available: http://pauillac.inria.fr/~ xleroy/talks/language-security-etaps03.pdf
39. K. Nohl, D. Evans, S. Starbug, and H. Plötz, "Reverse-engineering a cryptographic RFID tag, " in Proc. 17th Conf. Secur. Symp., 2008, pp. 185-193.
40. B. Chen and W. Kuo, "Robust smart-card-based remote user password authentication scheme, " Int. J. Commun. Syst., vol. 27, no. 2, pp. 377-389, 2014.
41. S. Kumari and M. K. Khan, "Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme, " Int. J. Commun. Syst., vol. 27, no. 12, pp. 3939-3955, 2014.
42. F. Hao, "On robust key agreement based on public key authentication, " in Proc. 14th Int. Conf. Financial Cryptography Data Secur., 2010, pp. 383-390.
43. D. Sun, J. Huai, J. Sun, J. Li, and Z. Feng, "Improvements of Juang et al.'s password-authenticated key agreement scheme using smart cards, " IEEE Trans. Ind. Electron., vol. 56, no. 6, pp. 2284-2291, Jun. 2009.
44. D. Wang, C. G. Ma, and P. Wu, "Secure password-based remote user authentication scheme with non-tamper resistant smart cards, " in Proc. 26th Annu. IFIP WG 11.3 Conf. Data Appl. Secur. Privacy, 2012, pp. 114-121.
45. C. T. Li and C. Lee, "A robust remote user authentication scheme using smart card, " Inf. Tech. Control, vol. 40, no. 3, pp. 236-245, 2011.
46. D. Wang and P. Wang, "On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions, " Comput. Netw., vol. 73, pp. 41-57, 2014.
47. D. Wang, Q. Gu, H. Cheng, and P. Wang, "The request for better measurement: A comparative evaluation of two-factor authentication schemes, " in Proc. 11th ACM Asia Conf. Comput. Commun. Secur., 2016, pp. 475-486.
48. H. Krawczyk, "HMQV: A high-performance secure Diffie-Hell-man protocol, " in Proc. 25th Annu. Int. Conf. Advances Cryptology, 2005, pp. 546-566.
49. I. Liao, C. Lee, and M. Hwang, "A password authentication scheme over insecure networks, " J. Comput. Syst. Sci., vol. 72, no. 4, pp. 727-740, 2006.
50. E. Bresson, O. Chevassut, and D. Pointcheval, "Security proofs for an efficient password-based key exchange, " in Proc. 10th ACM Conf. Comput. Commun. Secur., 2003, pp. 41-50.
51. X. Li, J. Niu, M. K. Khan, and J. Liao, "An enhanced smart card based remote user password authentication scheme, " J. Netw. Comput. Appl., vol. 36, no. 5, pp. 1365-1371, 2013.
52. K. Xue, P. Hong, and C. Ma, "A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture, " J. Comput. Syst. Sci., vol. 80, no. 1, pp. 195-206, 2014.
53. R. Martin, "Amid widespread data breaches in China, " Dec. 2011. [Online]. Available: http://www.techinasia.com/alipay-hack/
54. D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, "Targeted online password guessing: An underestimated threat, " in Proc. ACM Conf. Comput. Commun. Secur., 2016, pp. 1-13, doi: 10.1145/2976749.2978339.
55. H. Wimberly and L. Liebrock, "Using fingerprint authentication to reduce security: An empirical study, " in Proc. IEEE Symp. Secur. Privacy, 2011, pp. 32-46.
56. V. Odelu, A. Das, and A. Goswami, "A secure biometrics-based multi-server authentication protocol using smart cards, " IEEE Trans. Inf. Forensics Secur., vol. 10, no. 9, pp. 1953-1966, Sep. 2015.
57. Q. Jiang, J. Ma, G. Li, and X. Li, "Improvement of robust smart-card-based password authentication scheme, " Int. J. Commun. Syst., vol. 28, no. 2, pp. 383-393, 2015.
58. T.-T. Truong, M.-T. Tran, A.-D. Duong, and I. Echizen, "Chaotic Chebyshev polynomials based remote user authentication scheme in client-server environment, " in Proc. 30th IFIP Int. Inf. Secur. Conf., 2015, pp. 479-494.
59. S. Islam, "Design and analysis of an improved smartcard-based remote user password authentication scheme, " Int. J. Commun. Syst., vol. 29, no. 11, pp. 1708-1719, 2016.
60. M. Scott, N. Costigan, and W. Abdulwahab, "Implementing cryptographic pairings on smartcards, " in Proc. 8th Int. Workshop Cryptographic Hardware Embedded Syst., 2006, pp. 134-147.
61. M. Scott, "Miracl library, " Shamus Softw. Ltd. [Online]. Available: http://www.shamus.ie/index.php?page=home