Saru Kumari

An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment

The concept of Internet of Things (IOT), which is already at our front doors, is that every object in the Internet infrastructure (II) is interconnected into a global dynamic expanding network. Sensors and smart objects are beside classical computing devices key parties of the IOT. We can already exploit the benefits of the IOT by using various weareables or smart phones which are full of diverse sensors and actuators and are connected to the II via GPRS or Wi-Fi. Since sensors are a key part of IOT, thus are wireless sensor networks (WSN). Researchers are already working on new techniques and efficient approaches on how to integrate WSN better into the IOT environment. One aspect of it is the security aspect of the integration. Recently, Turkanovic et?al.s proposed a highly efficient and novel user authentication and key agreement scheme (UAKAS) for heterogeneous WSN (HWSN) which was adapted to the IOT notion. Their scheme presented a novel approach where a user from the IOT can authenticate with a specific sensor node from the HWSN without having to communicate with a gateway node. Moreover their scheme is highly efficient since it is based on a simple symmetric cryptosystem. Unfortunately we have found that Turkanovic et?al.s scheme has some security shortcomings and is susceptible to some cryptographic attacks. This paper focuses on overcoming the security weaknesses of Turkanovic et?al.s scheme, by proposing a new and improved UAKAS. The proposed scheme enables the same functionality but improves the security level and enables the HWSN to dynamically grow without influencing any party involved in the UAKAS. The results of security analysis by BAN-logic and AVISPA tools confirm the security properties of the proposed scheme.

Cryptanalysis and Improvement of Yan et al.'s Biometric-Based Authentication Scheme for Telecare Medicine Information Systems

Remote user authentication is desirable for a Telecare Medicine Information System (TMIS) for the safety, security and integrity of transmitted data over the public channel. In 2013, Tan presented a biometric based remote user authentication scheme and claimed that his scheme is secure. Recently, Yan et al. demonstrated some drawbacks in Tan’s scheme and proposed an improved scheme to erase the drawbacks of Tan’s scheme. We analyze Yan et al.’s scheme and identify that their scheme is vulnerable to off-line password guessing attack, and does not protect anonymity. Moreover, in their scheme, login and password change phases are inefficient to identify the correctness of input where inefficiency in password change phase can cause denial of service attack. Further, we design an improved scheme for TMIS with the aim to eliminate the drawbacks of Yan et al.’s scheme.

Cryptanalysis and improvement of 'a robust smart-card-based remote user password authentication scheme'

With the use of smart card in user authentication mechanisms, the concept of two-factor authentication came into existence. This was a forward move towards more secure and reliable user authentication systems. It elevated the security level by requiring a user to possess something in addition to know something. In 2010, Sood et al. and Song independently examined a smart-card-based authentication scheme proposed by Xu et al. They showed that in the scheme of Xu et al., an internal user of the system can turn hostile to impersonate other users of the system. Both of them also proposed schemes to improve the scheme of Xu et al. Recently, Chen et al. identified some security problems in the improved schemes proposed by Sood et al. and Song. To fix these problems, Chen et al. presented another scheme, which they claimed to provide mutual authentication and withstand lost smart card attack. Undoubtedly, in their scheme, a user can also verify the legitimacy of server, but we find that the scheme fails to resist impersonation attacks and privileged insider attack. We also show that the scheme does not provide important features such as user anonymity, confidentiality to air messages, and revocation of lost/stolen smart card. Besides, the scheme defies the very purpose of two-factor security. Furthermore, an attacker can guess a users password from his or her lost/stolen smart card. To meet these challenges, we propose a user authentication method with user anonymity. We show through analysis and comparison that the proposed scheme exhibits enhanced efficiency in contrast to related schemes, including the scheme of Chen et al. Copyright

Cryptanalysis and Improvement of `A Privacy Enhanced Scheme for Telecare Medical Information Systems'

To ensure reliable telecare services some user authentication schemes for telecare medical information system (TMIS) have been presented in literature. These schemes are proposed with intent to regulate only authorized access to medical services so that medical information can be protected from misuse. Very recently Jiang et al. proposed a user authentication scheme for TMIS which they claimed to provide enhanced privacy. They made use of symmetric encryption/decryption with cipher block chaining mode (CBC) to achieve the claimed user privacy. Their scheme provides features like user anonymity and user un-traceability unlike its preceding schemes on which it is built. Unluckily, authors overlook some important aspects in designing their scheme due to which it falls short to resist user impersonation attack, guessing attacks and denial of service attack. Besides, its password change phase is not secure; air message confidentiality is at risk and also has some other drawbacks. Therefore, we propose an improved scheme free from problems observed in Jiang et al.’s scheme and more suitable for TMIS.

An enhanced privacy preserving remote user authentication scheme with provable security

Very recently, Kumari et al. proposed a symmetric key and smart card-based remote user password authentication scheme to enhance Chung et al.s scheme. They claimed their enhanced scheme to provide anonymity while resisting all known attacks. In this paper, we analyze that Kumari et al.s scheme is still vulnerable to anonymity violation attack as well as smart card stolen attack. Then we propose a supplemented scheme to overcome security weaknesses of Kumari et al.s scheme. We have analyzed the security of the proposed scheme in random oracle model which confirms the robustness of the scheme against all known attacks. We have also verified the security of our scheme using automated tool ProVerif. Copyright

Security Enhancement of a Biometric based Authentication Scheme for Telecare Medicine Information Systems with Nonce

Telecare medicine information systems (TMIS) present the platform to deliver clinical service door to door. The technological advances in mobile computing are enhancing the quality of healthcare and a user can access these services using its mobile device. However, user and Telecare system communicate via public channels in these online services which increase the security risk. Therefore, it is required to ensure that only authorized user is accessing the system and user is interacting with the correct system. The mutual authentication provides the way to achieve this. Although existing schemes are either vulnerable to attacks or they have higher computational cost while an scalable authentication scheme for mobile devices should be secure and efficient. Recently, Awasthi and Srivastava presented a biometric based authentication scheme for TMIS with nonce. Their scheme only requires the computation of the hash and XOR functions.pagebreak Thus, this scheme fits for TMIS. However, we observe that Awasthi and Srivastava’s scheme does not achieve efficient password change phase. Moreover, their scheme does not resist off-line password guessing attack. Further, we propose an improvement of Awasthi and Srivastava’s scheme with the aim to remove the drawbacks of their scheme.

User authentication schemes for wireless sensor networks

Wireless sensor networks (WSNs) are applicable in versatile domains ranging from very common to those which demand crucial security concerns. The deployment of WSNs in unattended environments and the resource-constrained nature of the constituent sensor nodes give rise to an open challenge to ensure that only authorized access to the information is available through the sensor nodes. Many researchers have made considerable efforts to meet this challenge by designing secure and dependable user authentication mechanisms. Every proposed scheme, with its advantages and disadvantages is cryptanalyzed to measure its respective strength and shortcomings. In this study, we first present twenty two features that a reliable user authentication scheme for WSNs should possess. We then evaluate seven of the available schemes against these twenty two features. A common tendency among all the available schemes is their failure to resist gateway node bypass attack, node capture attack and user impersonation attack. There is hardly any scheme that provides user anonymity and reparability in case of smart card loss or theft. Further mutual establishment of a session key between the three participating entities namely user, gateway node and sensor node is achieved in only one scheme; it is an integral characteristic to achieve the confidentiality of messages transmitted over open channels. The mutual authentication between the participating entities is another important aspect which is somewhat fulfilled by only two schemes; only one scheme resists denial of service attack and provides security to gateway node secret parameter. It is time to take halt, ponder upon the acquired objectives and set new goals to equip the contemporary state of art in this field with more viable and promising approaches. We review the state of art in this area; our goal is to explore the course of action for future proposals resulting in protocols with greater potential of usage in industry, military and other purposes. We opine that researchers should develop authentication schemes which take into account the desirable features discussed in this paper. We also discuss future path with some key issues and challenges in the area.

A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks

Display Omitted We point out that Yeh et al.s scheme is not secure because it has several disadvantages in security.We point out that Khan et al.s scheme is not secure with some weaknesses.We present a new three-factor scheme based on ECC.We prove our scheme secure with a formal proof and analysis.By comparing with some latest schemes, our scheme is more practical for application due to the security and efficiency. The biometrics, the password and the storage device are the elements of the three-factor authentication. In 2013, Yeh et al. proposed a three-factor user authentication scheme based on elliptic curve cryptography. However, we find that it has weaknesses including useless user identity, ambiguous process, no session key and no mutual authentication. Also, it cannot resist the user forgery attack and the server spoofing attack. Moreover, Khan et al. propose a fingerprint-based remote authentication scheme with mobile devices. Unfortunately it cannot withstand the user impersonation attack and the De-synchronization attack. Furthermore, the users identity cannot be anonymous, either. To overcome the disadvantages, we propose a new three-factor remote authentication scheme and give a formal proof with strong forward security. It could provide the users privacy and is secure. Compared to some recent three-factor authentication schemes, our scheme is secure and practical.

An Enhancement of a Smart Card Authentication Scheme for Multi-server Architecture

User authentication is an important security issue for network based services. Multi-server authentication scheme resolves the repeated registration problem of single-server authentication scenario where the user has to register at different servers to access different types of network services. Recently, Pippal et al. proposed a smart card authentication scheme for multi-server architecture. They claimed that their scheme has some advantages and can resist kinds of attacks. However, we find their scheme cannot provide correct authentication, cannot resist impersonation attack, stolen smart card attack, and insider attack. Besides, their scheme is non-extensible when a new server added into the system. In order to overcome the aforementioned weaknesses of Pippal et al.’s scheme, we propose an improved smart card authentication scheme for multi-server architecture. We analyze the security of the proposed scheme using BAN logic, and the analysis result shows that the proposed scheme is more efficient and secure than Pippal et al.’s scheme.

A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security

Summary Ubiquitous networks provide roaming service for mobile nodes enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roamed mobile node and the foreign network is needed to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel to computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued their schemes to satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al.s scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al.s scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improved the security but also retained a lower computational cost as compared with existing schemes. We prove the security of proposed scheme in random oracle model. Copyright