148 research outputs found

    Comments on a secure dynamic ID-based remote user authentication scheme for multi-server environment using smart cards

    The security of a dynamic ID-based remote user authentication scheme for multi-server environment using smart cards proposed by Lee et al. [Lee, C-C., Lin, T-H., Chang, R-X., A Secure Dynamic ID based Remote User Authentication Scheme for Multi-server Environment using Smart Cards, Expert Systems with Applications (2011), doi: 10.1016/j.eswa.2011.04.190] is analyzed. Three kinds of attacks are presented in different scenarios

    Security flaws in a biometrics-based multi-server authentication with key agreement scheme

    Recently, Yoon et al. proposed an efficient biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem (ECC) for multi-server communication environments [E.-J. Yoon, K.-Y. Yoo (2011) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem, Journal of Supercomputing, DOI: 10.1007/s11227-010-0512-1]. They claimed their scheme could withstand various attacks. In the letter, we will show Yoon et al.’s scheme is vulnerable to the privileged insider attack, the masquerade attack and the smart card lost attack

    Cryptanalysis of a key agreement protocol based on chaotic Hash

    With the rapid development of theory and application of chaos, more and more researchers are focusing on chaos based cryptosystems. Recently, Guo et al. [X. Guo, J. Zhang, Secure group key agreement protocol based on chaotic Hash, Information Sciences 180 (2010) 4069–4074] proposed a secure key agreement protocol based on chaotic Hash. They claimed that their scheme could withstand various attacks. Unfortunately, by giving concrete attacks, we indicate that Guo et al.’s scheme is vulnerable to the off-line password guessing attack. The analysis shows Guo et al.’s scheme is not secure for practical application

    Cryptanalysis of a Provably Secure Gateway-Oriented Password-Based Authenticated Key Exchange Protocol

    Recently, Chien et al. proposed a gateway-oriented password-based authenticated key exchange (GPAKE) protocol, through which a client and a gateway could generate a session key for future communication with the help of an authentication server. They also demonstrated that their scheme is provably secure in a formal model. However, in this letter, we will show that Chien et al.’s protocol is vulnerable to the off-line password guessing attack. To overcome the weakness, we also propose an efficient countermeasure

    Comments on a password authentication and update scheme based on elliptic curve cryptography

    The security of a password authentication and update scheme based on elliptic curve cryptography proposed by Islam et al. [S.K. Hafizul Islam, G.P. Biswas, Design of improved password authentication and update scheme based on elliptic curve cryptography, Mathematical and Computer Modelling (2011), doi:10.1016/j.mcm.2011.07.001] is analyzed. Three kinds of attacks are presented in different scenarios

    Lightweight Three-Factor Authentication and Key Agreement Protocol for Internet-Integrated Wireless Sensor Networks

    Wireless sensor networks (WSNs) will be integrated into the future Internet as one of the components of the Internet of Things, and will become globally addressable by any entity connected to the Internet. Despite the great potential of this integration, it also brings new threats, such as the exposure of sensor nodes to attacks originating from the Internet. In this context, lightweight authentication and key agreement protocols must be in place to enable end-to-end secure communication. Recently, Amin et al. proposed a three-factor mutual authentication protocol for WSNs. However, we identified several flaws in their protocol. We found that their protocol suffers from smart card loss attack where the user identity and password can be guessed using offline brute force techniques. Moreover, the protocol suffers from known session-specific temporary information attack, which leads to the disclosure of session keys in other sessions. Furthermore, the protocol is vulnerable to tracking attack and fails to fulfill user untraceability. To address these deficiencies, we present a lightweight and secure user authentication protocol based on the Rabin cryptosystem, which has the characteristic of computational asymmetry. We conduct a formal verification of our proposed protocol using ProVerif in order to demonstrate that our scheme fulfills the required security properties. We also present a comprehensive heuristic security analysis to show that our protocol is secure against all the possible attacks and provides the desired security features. The results we obtained show that our new protocol is a secure and lightweight solution for authentication and key agreement for Internet-integrated WSNs

    Lightweight Data Aggregation Scheme Against Internal Attackers in Smart Grid Using Elliptic Curve Cryptography

    Recent advances of Internet and microelectronics technologies have led to the concept of smart grid which has been a widespread concern for industry, governments, and academia. The openness of communications in the smart grid environment makes the system vulnerable to different types of attacks. The implementation of secure communication and the protection of consumers’ privacy have become challenging issues. The data aggregation scheme is an important technique for preserving consumers’ privacy because it can stop the leakage of a specific consumer’s data. To satisfy the security requirements of practical applications, a lot of data aggregation schemes were presented over the last several years. However, most of them suffer from security weaknesses or have poor performances. To reduce computation cost and achieve better security, we construct a lightweight data aggregation scheme against internal attackers in the smart grid environment using Elliptic Curve Cryptography (ECC). Security analysis of our proposed approach shows that it is provably secure and can provide confidentiality, authentication, and integrity. Performance analysis of the proposed scheme demonstrates that both computation and communication costs of the proposed scheme are much lower than the three previous schemes. As a result of these aforementioned benefits, the proposed lightweight data aggregation scheme is more practical for deployment in the smart grid environment

    Compact Hardware Implementation of a SHA-3 Core for Wireless Body Sensor Networks

    One of the most important Internet of Things applications is the wireless body sensor network (WBSN), which can provide universal health care, disease prevention, and control. Due to large deployments of small scale smart sensors in WBSNs, security, and privacy guarantees (e.g., security and safety-critical data, sensitive private information) are becoming a challenging issue because these sensor nodes communicate using an open channel, i.e., Internet. We implement data integrity (to resist against malicious tampering) using the secure hash algorithm 3 (SHA-3) when smart sensors in WBSNs communicate with each other using the Internet. Due to the limited resources (i.e., storage, computation, and communication capabilities) of sensors in WBSNs, a lightweight implementation of SHA-3 is needed. To address this challenge, we propose a new implementation of the SHA-3, which has a compact hardware architecture. Our implementation of SHA-3 consists of a reliable logic structure, random access memory, and an enhanced finite state machine. The simulation on a Virtex-5 field programmable gate array shows that the proposed implementation is suitable for the WBSN on different applications. We evaluate the sensor area of the proposed SHA-3 implementation and compare it with other recently proposed hardware implementations of SHA-3. In addition, our hardware implementation approach reduces the area by almost 74.7% compared with the recently proposed hardware implementation which has the smallest area