A Secure and Effective Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks

Recently, Mun et al. analyzed Wu et al.’s authentication scheme and proposed an enhanced anonymous authentication scheme for roaming service in global mobility networks. However, through careful analysis, we find that Mun et al.’s scheme is vulnerable to impersonation attacks and insider attacks, and cannot provide user friendliness, user’s anonymity, proper mutual authentication and local verification. To remedy these weaknesses, we propose a novel anonymous authentication scheme for roaming service in global mobility networks. Compared with previous related works, our scheme has many advantages. Firstly, the secure authenticity of the scheme is formally validated by an useful formal model called BAN logic. Secondly, the scheme enjoys many important security attributes including prevention of various attacks, user anonymity, no verification table, local password verification and so on. Thirdly, the scheme does not use timestamp, thus it avoids the clock synchronization problem. Further, the scheme contains the authentication and establishment of session key scheme when mobile user is located in his/her home network, therefore it is more practical and universal for global mobility networks. Finally, performance and cost analysis show our scheme is more suitable for low-power and resource limited mobile devices and thus availability for real implementation.     

Robust Anonymous Two-Factor Authentication Scheme for Roaming Service in Global Mobility Network

Two-factor authentication scheme for roaming service in global mobility network enables the mobile user in possession of a password and a smart card to achieve mutual authentication and session key establishment with the foreign agent. In this paper, we first identify six properties of this type of schemes: (1) Anonymity and untraceability; (2) Robustness; (3) Authentication; (4) Session key security and fairness; (5) User friendliness; and (6) Efficiency, then propose a new scheme which satisfies all these requirements. Our result is validated applying the formal verification tool ProVerif based on applied pi calculus.     

An Enhanced Authentication Scheme with Privacy Preservation for Roaming Service in Global Mobility Networks

Global mobility network (GLOMONET) provides global roaming service to ensure ubiquitous connectivity for users traveling from one network to another. It is very crucial not only to authenticate roaming users, but to protect the privacy of users. However, due to the broadcast nature of wireless channel and resource limitations of terminals, providing efficient user authentication with privacy preservation is challenging. Recently, He et al. proposed a secure and lightweight user authentication scheme with anonymity for roaming service in GLOMONETs. However, in this paper, we identify that the scheme fails to achieve strong two-factor security, and suffers from domino effect, privileged insider attack and no password change option, etc. Then we propose an enhanced authentication scheme with privacy preservation based on quadratic residue assumption. Our improved scheme enhances security strength of He et al.’s protocol while inheriting its merits of low communication and computation cost. Specifically, our enhanced scheme achieves two-factor security and user untraceability.     

Design and Validation of an Efficient Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks

Designing a user authentication protocol with anonymity for the global mobility network (GLOMONET) is a difficult task because wireless networks are susceptible to attacks and each mobile user has limited power, processing and storage resources. In this paper, a secure and lightweight user authentication protocol with anonymity for roaming service in the GLOMONET is proposed. Compared with other related approaches, our proposal has many advantages. Firstly, it uses low-cost functions such as one-way hash functions and exclusive-OR operations to achieve security goals. Having this feature, it is more suitable for battery-powered mobile devices. Secondly, it uses nonces instead of timestamps to avoid the clock synchronization problem. Therefore, an additional clock synchronization mechanism is not needed. Thirdly, it only requires four message exchanges between the user, foreign agent and home agent. Further, the security properties of our protocol are formally validated by a model checking tool called AVISPA. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, no password table, and high efficiency in password authentication. Security and performance analyses show that compared with other related authentication schemes, the proposed scheme is more secure and efficient.     

移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

Enhanced Delegation Based Authentication Protocol for Secure Roaming Service with Synchronization

Portable communication systems can provide mobile users with global roaming services. Recently, Youn and Lim proposed a delegation-based authentication protocol which achieves unlinkability for secure roaming services. This paper indicates that there are two drawbacks in Youn and Lim's protocol: 1) the synchronization problem will lead to a fail in on-line authentication; and 2) the exhaustive search puts a heavy burden on the off-line authentication process. Moreover, based on Youn and Lim's protocol, a remedy is proposed to address these problems. It is worthwhile to note that the proposed remedy not only keeps the original advantages but also enhances the security and performance.     

基于代理签名的移动通信网络匿名漫游认证协议

随着无线移动终端的广泛应用,漫游认证、身份保密等问题显得日益突出。该文分析了现有的各种漫游认证协议在匿名性及安全性上存在的问题,指出现有协议都无法同时满足移动终端的完全匿名与访问网络对非法认证请求的过滤,进而针对性地提出了一种新的匿名认证协议。该协议基于椭圆曲线加密和代理签名机制,通过让部分移动终端随机共享代理签名密钥对的方式,实现了完全匿名和非法认证请求过滤。此外,协议运用反向密钥链实现了快速重认证。通过分析比较以及形式化验证工具AVISPA验证表明,新协议实现了完全匿名,对非法认证请求的过滤,双向认证和会话密钥的安全分发,提高了安全性,降低了计算负载,适用于能源受限的移动终端。     

Secure Authentication System for Public WLAN Roaming

A serious challenge for seamless roaming between independent wireless LANs (WLANs) is how best to confederate the various WLAN service providers, each having different trust relationships with individuals and each supporting their own authentication schemes, which may vary from one provider to the next. We have designed and implemented a comprehensive single sign-on (SSO) authentication architecture that confederates WLAN service providers through trusted identity providers. Users select the appropriate SSO authentication scheme from the authentication capabilities announced by the WLAN service provider, and can block the exposure of their privacy information while roaming. In addition, we have developed a compound Layer 2 and Web authentication scheme that ensures cryptographically protected access while preserving pre-existing public WLAN payment models. Our experimental results, obtained from our prototype system, show that the total authentication delay is about 2 seconds in the worst case. This time is dominated primarily by our use of industry-standard XML-based protocols, yet is still small enough for practical use. Ana Sanz Merino received her B.S. degree in Electrical Engineering from Universidad Politécnica de Madrid (Spain) in 1999. She was the recipient of the Fundación Telefónica award to the best final thesis in telecommunications networks and services published in Spain in the 1999–2000 academic year. Her area of expertise is data communications, a field in which she has worked in R&D since 1998, first at Universidad Politécnica de Madrid, and later for two companies in the telecom sector, Telefónica and Ericsson. Presently, she is a student of the M.S. in Computer Science and a researcher at University of California, Berkeley, where she works on wireless network security with Professor Randy H. Katz. Yasuhiko Matsunaga is a researcher at NEC Corporation, Japan. He specializes in resource and security management in wireless and broadband networks. He received B.S and M.S degrees from the University of Tokyo in 1992 and 1994. He was a visiting researcher at the computer science division at the University of California, Berkeley from Dec. 2002 to Dec. 2003. Manish Shah is a third year undergraduate student at University of California, Berkeley Computer Science Department. He has been doing research with Prof. Katz and the Sahara Group since May 2003. His research interests are networking related focusing on wireless systems and technologies. He has recently been involved in sensor network related research. Takashi Suzuki received B.E and M.E. degrees in communication engineering from Osaka University, Japan, in 1994 and 1996, respectively. In 1996, he joined NTT DoCoMo, Japan, where he was engaged in research and development of mobile multimedia communication protocols. He was a visiting industrial fellow at University of California, Berkeley from 2001 to 2003, where he worked on web service security and WLAN security. He is now engaged in research on secure mobile terminal architecture at Multimedia Laboratories of NTT DoCoMo. Randy Howard Katz received his undergraduate degree from Cornell University, and his M.S. and Ph.D. degrees from the University of California, Berkeley. He joined the faculty at Berkeley in 1983, where he is now the United Microelectronics Corporation Distinguished Professor in Electrical Engineering and Computer Science. He is a Fellow of the ACM and the IEEE, and a member of the National Academy of Engineering. He has published over 200 refereed technical papers, book chapters, and books. His hardware design textbook, Contemporary Logic Design, has sold over 85,000 copies worldwide, and has been in use at over 200 colleges and universities. He has supervised 35 M.S. theses and 21 Ph.D. dissertations, and leads a research team of over a dozen graduate students, technical staff, and industrial visitors. He has won numerous awards, including seven best paper awards, one “test of time” paper award, one paper selected for a 50 year retrospective on IEEE communications publications, three best presentation awards, the Outstanding Alumni Award of the Computer Science Division, the CRA Outstanding Service Award, the Berkeley Distinguished Teaching Award, the Air Force Exceptional Civilian Service Decoration, the IEEE Reynolds Johnson Information Storage Award, the ASEE Frederic E. Terman Award, and the ACM Karl V. Karlstrom Outstanding Educator Award. With colleagues at Berkeley, he developed Redundant Arrays of Inexpensive Disks (RAID), a $25 billion per year industry sector today. While on leave for government service in 1993–1994, he established whitehouse.gov and connected the White House to the Internet. His current research interests are Internet Services Architecture, Mobile Internet, and the technologies underlying the convergence of telecommunications and packet networks. Prior research interests have included: database management, VLSI CAD, and high performance multiprocessor and storage architectures.This revised version was published online in August 2005 with a corrected cover date.     

基于混合加密的融合网络安全认证计费方案

蜂窝网和Ad Hoc网是提供接入服务的重要技术.由于两者互补的特性,融合蜂窝网和Ad Hoc网能提供在热点地区和通信盲区的持续接入.但两者的融合涉及到许多问题.针对安全问题,在Ad Hoc辅助式的融合网络模型上提出一种基于混合加密的安全认证计费方案.此方案使用对称加密和非对称加密的混合加密机制,另外还采用了散列函数和数字签名技术.安全分析表明所提方案可以防止扮演攻击、重播攻击和中间人攻击,并具有反拒认特性.     

智能车载自组织网络中匿名在线注册与安全认证协议

随着智能交通系统(ITS)的建立,车载自组织网络(VANETs)在提高交通安全和效率方面发挥着重要的作用。由于车载自组织网络具有开放性和脆弱性特点,容易遭受各种安全威胁与攻击,这将阻碍其广泛应用。针对当前车载自组织网络传输中数据的认证性与完整性,以及车辆身份的隐私保护需求,该文提出一种智能车载自组织网络中的匿名在线注册与安全认证协议。协议让智能车辆在公开信道以匿名的方式向交通系统可信中心(TA)在线注册。可信中心证实智能车辆的真实身份后,无需搭建安全信道,在开放网络中颁发用于安全认证的签名私钥。车辆可以匿名发送实时交通信息到附近路边基站单元(RSU),并得到有效认证与完整性检测。该协议使得可信中心可以有效追踪因发送伪造信息引起交通事故的匿名车辆。协议可以让路边基站单元同时对多个匿名车辆发送的交通信息进行批量认证。该协议做了详细的安全性分析和性能分析。性能比较结果表明,该协议在智能车辆端的计算开销以及在路边基站单元端的通信开销都具有明显优势,而且无需搭建安全信道就能够实现匿名在线注册,因此可以安全高效地部署在智能车载自组织网络环境。     

A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks

Wireless sensor networks (WSNs) are used for many real‐time applications. User authentication is an important security service for WSNs to ensure only legitimate users can access the sensor data within the network. In 2012, Yoo and others proposed a security‐performance‐balanced user authentication scheme for WSNs, which is an enhancement of existing schemes. In this paper, we show that Yoo and others' scheme has security flaws, and it is not efficient for real WSNs. In addition, this paper proposes a new strong authentication scheme with user privacy for WSNs. The proposed scheme not only achieves end‐party mutual authentication (that is, between the user and the sensor node) but also establishes a dynamic session key. The proposed scheme preserves the security features of Yoo and others' scheme and other existing schemes and provides more practical security services. Additionally, the efficiency of the proposed scheme is more appropriate for real‐world WSNs applications.     

An Improved Multifactor User Authentication Scheme for Wireless Sensor Networks

Wireless Personal Communications - Wireless Sensor Networks (WSNs) are used to collect and transmitted the data in various applications from normal to those which requires significant security...     

Secure Remote User Mutual Authentication Scheme with Key Agreement for Cloud Environment

Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

     

On the Security of A Secure Anonymous Identity-Based Scheme in New Authentication Architecture for Mobile Edge Computing

With the rapidly growing user experience and traffic growth requirements in the Mobile Edge Computing (MEC) environment, the conventional security protocols are no longer capable of meeting the modern demand. In order to cope with this demand, novel security solution such as identity-based cryptography, which does not require complex calculations, has attracted great attention from the research community. Recently, Li et al. (IEEE Syst J 1937–9234, 2021, https://doi.org/10.1109/JSYST.2020.2979006) devised an identity-based protocol for the MEC environment. They claimed that their protocol offers efficient and secure communication among the involved entities. Nevertheless, after performing a careful analysis of their protocol, we discovered that their protocol is vulnerable to MEC server and mobile user impersonation attacks. Similarly, their protocol has no provision of mobile user anonymity and untraceability. Furthermore, it has incorrectness in the authentication phase. Given these limitations, we have suggested a suitable remedy, which counters all the said vulnerabilities and limitations.

     

A Robust User Authentication Scheme Using Dynamic Identity in Wireless Sensor Networks

In modern, wireless sensor networks (WSNs) stand for the next evolutionary and innovative development step in utilities, industrial, building, home, shipboard, and transportation systems automation. The feature of WSNs is easy to deploy and has wide range of applications. Therefore, in distributed and unattended locations, WSNs are deployed to allow a legitimated user to login to the network and access data. Consequently, the authentication between users and sensor nodes has become one of the important security issues. In 2009, M. L. Das proposed a two-factor authentication for WSNs. Based on one-way hash function and exclusive-OR operation, the scheme is well-suited for resource constrained environments. Later, Khan and Algahathbar pointed out the flaws and vulnerabilities of Das’s scheme and proposed an alternative scheme. However, Vaidya et al. found that both Das’s and Khan–Algahathbar’s schemes are vulnerable to various attacks including stolen smart card attacks. Further, Vaidya et al. proposed an improved two-factor user authentication to overcome the security weakness of both schemes. In this paper, we show that Vaidya et al.’s scheme still exposes to a malicious insider attack that seriously threatens the security of WSNs. Furthermore, we propose an improve scheme that mends those vulnerabilities.     

A Secure and Efficient Authentication Scheme for E-coupon Systems

Through the explosive growth of network technologies, electronic commercial businesses have made our lives easier and more convenient. The application of e-coupons is quite a novel issue but is becoming increasingly popular among electronic commercial businesses because the extensive use of e-coupons can help consumers to save money; however, the e-coupon has also brought security issues as attackers can obtain illegitimate benefits from imperfections of the design. Hence, the security of the e-coupon system has become important as well. In this paper, we propose a novel and complete chaotic maps-based authentication scheme for e-coupon systems. Security analysis shows that our scheme satisfies essential security and functionality requirements. Furthermore, performance analysis shows that the execution time of our scheme is efficient and suitable for practical implementation in real life. In other words, users such as shops and customers can use our e-coupon system conveniently and securely.     

An Enhanced Secure Authentication Scheme for Vehicular Ad Hoc Networks Without Pairings

Wireless Personal Communications - In the recent paper, Nai-Wei Lo and Jia-Lun Tsai mathematically proposed an efficient authentication scheme for vehicular sensor network. It uses elliptic curve...     

一种移动通信系统中的用户认证方案

针对移动通信系统的安全特点,设计了一种基于C.Park数字签名方案和Rabin方案的用户认证方案。它在实时的用户鉴别过程中,用户端与网端只需一次交互过程。采用了一种同步数据生成函数,具有时间标记的作用。用户所需的计算都是在预计算阶段,实时通信时不需要任何计算。     

一个动态的可追踪匿名认证方案

该文提出了一个支持身份追踪的匿名认证方案。该方案有下列优点：(1)用户动态加入和吊销特别方便,管理员仅需在公告牌上公布和删除该成员的相关数据。(2)示证人可以灵活地、主动地选择匿名范围,即他可以任意选取多个合法的用户并说明自己在其中。(3)追踪示证人的具体身份是受限制的,管理员无法单独实现身份追踪,必须和验证者合作才能共同追踪示证人的身份。另外,在抵抗外部攻击和伪装攻击方面,该方案具有任意弹性,明显的优于Boneh(1999)的1-弹性方案。