Breaking Three Remote user Authentication Systems for Mobile Devices

Journal of Signal Processing Systems

Abstract

Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments. In this paper, we review three password-based authentication schemes with smart cards, proposed by Mishra et al. in JISA 2015, Wu et al. in SCN 2015 and Moon et al. in IJNS 2017, respectively. We demonstrate that: (1) despite all three schemes being armed with a formal security proof, Mishra et al.’s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to a new insider attack scenario; (2) Wu et al.’s scheme remains susceptible to a de-synchronization attack, although it was stated to overcome the weaknesses of Kumar et al.’s scheme; and (3) Moon et al.’s scheme cannot achieve user anonymity and is susceptible to a novel impersonation attack. Furthermore, drawing on the cryptanalysis of these three schemes and our previous protocol design and analysis experience, we identify two principles for designing more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.

Notes

  1. https://github.com/miracl/MIRACL

References

  1. Althobaiti, O., Al-Rodhaan, M., Al-Dhelaan, A. (2013). An efficient biometric authentication protocol for wireless sensor networks. Int J Distrib Sens Netw. Available at: https://doi.org/10.1155/2013/407971.

  2. Amin, R., Islam, S.H., Biswas, G., Khan, M.K., Leng, L., Kumar, N. (2016). Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Computer Network, 101, 42–62.

  3. Chang, C.C., & Wu, T.C. (1991). Remote password authentication with smart cards. IEE Computer Digital Technology, 138(3), 165–168.

  4. Chen, B.L., Kuo, W.C., Wuu, L.C. (2014). Robust smart-card-based remote user password authentication scheme. International Journal of Communication Systems, 27(2), 377–389.

  5. Chen, T.H., & Shih, W.K. (2010). A robust mutual authentication protocol for wireless sensor networks. ETRI Journal, 32(5), 704–712.

  6. Dai, W., Qiu, M., Qiu, L., Chen, L., Wu, A. (2017). Who moved my data? Privacy protection in smartphones. IEEE Communications Magazine, 55(1), 20–25.

  7. Das, A.K. (2017). A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. International Journal of Communication Systems, 30(1). https://doi.org/10.1002/dac.2933.

  8. Das, M.L. (2009). Two-factor user authentication in wireless sensor networks. IEEE Transactions on Wireless Communications, 8(3), 1086–1090.

  9. Das, M.L., Saxena, A., Gulati, V.P. (2004). A dynamic id-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2), 629–631.

  10. Doshi, N., Kumari, S., Mishra, D., Li, X., Choo, K.K.R., Sangaiah, A.K. (2017). A password based authentication scheme for wireless multimedia systems. Multimedia Tools Application 1–26. https://doi.org/10.1007/s11042-017-4701-2.

  11. Farash, M.S., Turkanović, M., Kumari, S., Hölbl, M. (2016). An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the internet of things environment. Ad Hoc Network, 36, 152–176.

  12. Florencio, D., & Herley, C. (2007). A large-scale study of web password habits. In Proceedings of WWW 2007 (pp. 657–666). ACM.

  13. Gai, K., Qiu, M., Zhao, H., Xiong, J. (2016). Privacy-aware adaptive data encryption strategy of big data in cloud computing. In Proceedings of CSCloud 2016 (pp. 273–278). IEEE.

  14. Gai, K., Qiu, L., Chen, M., Zhao, H., Qiu, M. (2017). Sa-east: security-aware efficient data transmission for its in mobile heterogeneous cloud computing. ACM Transactions on Embedded Computing Systems, 16(2), 60.

  15. Gai, K., Qiu, M., Ming, Z., Zhao, H., Qiu, L. (2017). Spoofing-jamming attack strategy using optimal power distributions in wireless smart grid networks. IEEE Transactions Smart Grid. https://doi.org/10.1109/TSG.2017.2664043.

  16. He, D., & Wang, D. (2015). Robust biometrics-based authentication scheme for multiserver environment. IEEE Systems Journal, 9(3), 816–823.

  17. He, D., Gao, Y., Chan, S., Chen, C., Bu, J. (2010). An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sensing Wireless Network, 10(4), 361–371.

  18. He, D., Kumar, N., Chilamkurti, N. (2015). A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences, 321, 263–277.

  19. Hsiao, T.C., Liao, Y.T., Huang, J.Y., Chen, T.S., Horng, G.B. (2012). An authentication scheme to healthcare security under wireless sensor networks. Journal of Medical Systems, 36(6), 3649–3664.

  20. Huang, X., Xiang, Y., Chonka, A., Zhou, J., Deng, R.H. (2011). A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Transactions on Parallel and Distributed Systems, 22(8), 1390–1397.

  21. Hughes, D., & Shmatikov, V. (2004). Information hiding, anonymity and privacy: a modular approach. Computer Security, 12(1), 3–36.

  22. Jiang, Q., Ma, J., Lu, X., Tian, Y. (2014). Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems. Journal of Medical Systems, 38(12), 12.

  23. Jiang, Q., Ma, J., Li, G., Li, X. (2015). Improvement of robust smart-card-based password authentication scheme. International Journal of Communication Systems, 28(2), 383–393.

  24. Kim, J., Lee, D., Jeon, W., Lee, Y., Won, D. (2014). Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors, 14(4), 6443–6462.

  25. Kim, K.k., & Kim, M.H. (2012). An enhanced anonymous authentication and key exchange scheme using smartcard. In Proceedings of ICISC 2012 (pp. 487–494). Springer.

  26. Krawczyk, H. (2005). Hmqv: A high-performance secure diffie-hellman protocol. In Proceedings of CRYPTO 2005 (p. 546). Springer.

  27. Kumari, S., & Khan, M.K. (2014). Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme. International Journal of Communication Systems, 27(12), 3939–3955.

  28. Kumari, S., & Khan, M.K. (2014). More secure smart card-based remote user password authentication scheme with user anonymity. Security Communications and Networking, 7(11), 2039–2053.

  29. Kumari, S., Li, X., Wu, F., Das, A.K., Arshad, H., Khan, M.K. (2016). A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Generation Computer Systems, 63, 56–75.

  30. Lamport, L. (1981). Password authentication with insecure communication. Communication of the ACM, 24(11), 770–772.

  31. Li, X., Xiong, Y., Ma, J., Wang, W. (2012). An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.

  32. Li, X., Ibrahim, M.H., Kumari, S., Sangaiah, A.K., Gupta, V., Choo, K.K.R. (2017). Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Computer Network. https://doi.org/10.1016/j.comnet.2017.03.013.

  33. Li, Y., Gai, K., Ming, Z., Zhao, H., Qiu, M. (2016). Intercrossed access controls for secure financial services on multimedia big data in cloud systems. ACM Transactions on Multimedia Computing, Communications, and Applications, 12(4s), 67.

  34. Madhusudhan, R., & Mittal, R. (2012). Dynamic id-based remote user password authentication schemes using smart cards: A review. Journal of Network and Computer Applications, 35(4), 1235–1248.

  35. Madhusudhan, R., & Suvidha, K. (2017). An efficient and secure user authentication scheme with anonymity in global mobility networks. In Proceedings AINA 2017 (pp. 19–24). IEEE.

  36. Mangipudi, K., & Katti, R. (2006). A secure identification and key agreement protocol with user anonymity (sika). Computer Security, 25(6), 420–425.

  37. Mishra, D., Das, A.K., Chaturvedi, A., Mukhopadhyay, S. (2015). A secure password-based authentication and key agreement scheme using smart cards. Journal of Information Security Application, 23, 28–43.

  38. Moon, J., Lee, D., Jung, J., Won, D. (2017). Improvement of efficient and secure smart card based password authentication scheme. International Journal of Network Security, 19(6), 1053–1061.

  39. Qiu, M., Zhang, L., Ming, Z., Chen, Z., Qin, X., Yang, L.T. (2013). Security-aware optimization for ubiquitous computing systems with seat graph approach. Journal of Computer and Systems Sciences, 79(5), 518–529.

  40. Qiu, M., Gai, K., Thuraisingham, B., Tao, L., Zhao, H. (2016). Proactive user centric secure data scheme using attribute-based semantic access controls for mobile clouds in financial industry. Future Gener. Comput. Syst. https://doi.org/10.1016/j.future.2016.01.006.

  41. Schuster, F., Costa, M., Fournet, C., Gkantsidis, C., Peinado, M., Mainar-Ruiz, G., Russinovich, M. (2015). Vc3: Trustworthy data analytics in the cloud using sgx. In Proceedings of S&P 2015 (pp. 38–54). IEEE.

  42. Shen, J., Liu, D., Shen, J., Liu, Q., Sun, X. (2017). A secure cloud-assisted urban data sharing framework for ubiquitous cities. Pervasive Mobile Computer. https://doi.org/10.1016/j.pmcj.2017.03.013.

  43. Shi, Y., & Li, J. (2007). Two-party authenticated key agreement in certificateless public key cryptography. Wuhan University Journal of Natural Sciences, 12(1), 71–74.

  44. Song, R. (2010). Advanced smart card based password authentication protocol. Computer Standards & Interfaces, 32(5), 321–325.

  45. Sood, S.K., Sarje, A.K., Singh, K. (2010). An improvement of Xu et al.’s authentication scheme using smart cards. In Proceedings ACM Compute (pp. 1–5).

  46. Srinivas, J., Mukhopadhyay, S., Mishra, D. (2017). Secure and efficient user authentication scheme for multi-gateway wireless sensor networks. Ad Hoc Network, 54, 147–169.

  47. Srinivas, J., Mukhopadhyay, S., Mishra, D. (2017). A self-verifiable password based authentication scheme for multi-server architecture using smart card. Wirel. Pers. Commun. (pp. 1–25).

  48. Truong, T.T., Tran, M.T., Duong, A.D., Echizen, I. (2015). Chaotic chebyshev polynomials based remote user authentication scheme in client-server environment. In Proceedings of IFIP ISC 2015 (pp. 479–494). Springer.

  49. Wang, D., & Wang, P. (2016). Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Trans. Depend. Secur. Comput. https://doi.org/10.1109/TDSC.2016.2605087.

  50. Wang, D., Ma, C.g., Wu, P. (2012). Secure password-based remote user authentication scheme with non-tamper resistant smart cards. In Proceedings of IFIP DBSec (Vol 2012, pp. 114–121).

  51. Wang, D., Gu, Q., Cheng, H., Wang, P. (2016). The request for better measurement: A comparative evaluation of two-factor authentication schemes. In Proceedings of ACM ASIACCS 2016 (pp. 475–486).

  52. Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X. (2016). Targeted online password guessing: An underestimated threat. In Proceedings of ACM CCS 2016 (pp. 1242–1254).

  53. Wang, Y.G. (2012). Password protected smart card and memory stick authentication against off-line dictionary attacks. In Proceedings of IFIP SEC (Vol. 2012, pp. 489–500).

  54. Wu, F., Xu, L., Kumari, S., Li, X., Alelaiwi, A. (2015). A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof. Security Communications and Networking, 8(18), 3847–3863.

  55. Wu, F., Xu, L., Kumari, S., Li, X. (2017). A new and secure authentication scheme for wireless sensor networks with formal proof. Peer Peer Network of Application, 10(1), 16–30.

  56. Xia, Z., Wang, X., Zhang, L., Qin, Z., Sun, X., Ren, K. (2016). A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing. IEEE Transactions on Information Forensics and Security, 11(11), 2594–2608.

  57. Xu, J., Zhu, W.T., Feng, D.G. (2009). An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 31(4), 723–728.

  58. Xue, K., Ma, C., Hong, P., Ding, R. (2013). A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. Journal of Network Computer Applications, 36(1), 316–323.

  59. Yuan, C., Sun, X., Lv, R. (2016). Fingerprint liveness detection based on multi-scale lpq and pca. China Communications, 13(7), 60–65.

  60. Zhou, Y., Yu, Y., Standaert, F.X., Quisquater, J.J. (2013). On the need of physical security for small embedded devices: a case study with comp128-1 implementations in sim cards. In Proceedings of FC (Vol 2013, pp. 230–238).

  61. Zhou, Z., Wu, Q.J., Huang, F., Sun, X. (2017). Fast and accurate near-duplicate image elimination for visual sensor networks. International Journal of Distributed Sensor Networks, 13(2), 1–12. https://doi.org/10.1177/1550147717694172.

Acknowledgments

This research was partially supported by the National Natural Science Foundation of China (NSFC) under Grant No. 61472016, the National Key R&D Program of China under Grant No. 2016YFB0800603 and No. 2017YFB1200700.

Corresponding author

Correspondence to Ping Wang.

Cite this article

Li, W., Shen, Y. & Wang, P. Breaking Three Remote user Authentication Systems for Mobile Devices. J Sign Process Syst 90, 1179–1190 (2018). https://doi.org/10.1007/s11265-017-1305-z

  • DOI: https://doi.org/10.1007/s11265-017-1305-z
