2,095 research outputs found

    An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

    With the recent proliferation of distributed systems and networking, remote authentication has become a crucial task in many networking applications. Various schemes have been proposed so far for the two-party remote authentication; however, some of them have been proved to be insecure. In this paper, we propose an efficient timestamp-based password authentication scheme using smart cards. We show various types of forgery attacks against a previously proposed timestamp-based password authentication scheme and improve that scheme to ensure robust security for the remote authentication process, keeping all the advantages that were present in that scheme. Our scheme successfully defends against the attacks that could be launched against other related previous schemes. We present a detailed cryptanalysis of the previously proposed Shen et al. scheme and an analysis of the improved scheme to show its improvements and efficiency. Comment: 6 page

    A Formal Study of the Privacy Concerns in Biometric-Based Remote Authentication Schemes

    With their increasing popularity in cryptosystems, biometrics have attracted more and more attention from the information security community. However, how to handle the relevant privacy concerns remains troublesome. In this paper, we propose a novel security model to formalize the privacy concerns in biometric-based remote authentication schemes. Our security model covers a number of practical privacy concerns such as identity privacy and transaction anonymity, which have not been formally considered in the literature. In addition, we propose a general biometric-based remote authentication scheme and prove its security in our security model.

    Dynamic Multi-Factor Security

    This thesis identifies the current limitations of electronic remote authentication systems and presents a new remote authentication system that addresses these limitations. Examples of these limitations can be easily observed in everyday life. Some more common examples include: credit card theft, identity theft, insurance fraud and hacking of private computer networks. Our proposed solution includes a multi-factor protocol which has two key features. First, it dynamically updates private ID numbers such that no two iterations of the authentication protocol use the same set of private IDs for each involved party, using a True Random Number Generator (TRNG). This prevents any unauthorized access of private information, and even if this information is compromised, the authentication protocol is not compromised, since the subsequent iteration of authentication uses new IDs. Second, the protocol uses multiple authentication factors (two in our implementation), to further enhance security. These additional authentication factors are also dynamically updated after each iteration of the protocol. The protocol was implemented in a system which simulates a credit card transaction, highlighting the usefulness of our protocol in real world remote authentication. We expect this new electronic remote authentication system to solve many of the current failings of modern electronic authentication schemes.

    Cryptanalysis of Sun and Cao's Remote Authentication Scheme with User Anonymity

    Dynamic ID-based remote user authentication schemes ensure efficient and anonymous mutual authentication between entities. In 2013, Khan et al. proposed an improved dynamic ID-based authentication scheme to overcome the security flaws of Wang et al.'s authentication scheme. Recently, Sun and Cao showed that Khan et al.'s scheme does not satisfy the claim of the user's privacy and proposed an efficient authentication scheme with user anonymity. Sun and Cao's scheme achieves improvement over Khan et al.'s scheme from both the privacy and the performance point of view. Unfortunately, we identify that Sun and Cao's scheme does not resist password guessing attack. Additionally, Sun and Cao's scheme does not achieve forward secrecy.

    Authentication System based on ID-Network Smart Cards (ID-NSCards) for Critical Environments

    Researchers in the Information Security area in the Carlos III University of Madrid (Spain) are interested in exploiting the potential of an emerging technology: network smart cards. These new devices have a number of additional advantages for communications security in networked systems, compared with traditional smart cards. These interesting features could be applied to procedures for identifying individuals in environments where critical tasks or operations take place. The required collaboration would be focused on the development and implementation of an authentication system for critical environments based on this technology.

    Cryptanalysis of Yang-Wang-Chang's Password Authentication Scheme with Smart Cards

    In 2005, Yang, Wang, and Chang proposed an improved timestamp-based password authentication scheme in an attempt to overcome the flaws of Yang-Shieh's legendary timestamp-based remote authentication scheme using smart cards. After analyzing the improved scheme proposed by Yang-Wang-Chang, we have found that their scheme is still insecure and vulnerable to four types of forgery attacks. Hence, in this paper, we prove that their claim that their scheme is intractable is incorrect. Also, we show that even an attack based on Sun et al.'s attack could be launched against their scheme which they claimed to resolve with their proposal. Comment: 3 Page

    Two-factor remote authentication protocol with user anonymity based on elliptic curve cryptography

    In order to provide secure remote access control, a robust and efficient authentication protocol should realize mutual authentication and session key agreement between clients and the remote server over public channels. Recently, Chun-Ta Li proposed a password authentication and user anonymity protocol by using smart cards, and claimed that the protocol satisfies all criteria required by remote authentication. However, we have found that his protocol cannot provide mutual authentication between clients and the remote server. To realize ‘real’ mutual authentication, we propose a two-factor remote authentication protocol based on elliptic curve cryptography in this paper, which not only satisfies the criteria but also bears low computational cost. Detailed analysis shows our proposed protocol is secure and more suitable for practical application.

    Experimental Study of DIGIPASS GO3 and the Security of Authentication

    Based on the analysis of 6-digit one-time passwords (OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is $8^{-5}$. That is much higher than $10^{-6}$ which may be expected if all the digits are independent and uniformly distributed. Under natural assumptions even in a relatively small bank or company with $10^4$ customers the number of compromised accounts during a year may be more than $100$.