Sourav Mukhopadhyay

A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards

Abstract Advancement in communication technology provides a scalable platform for various services, where a remote user can access the server from anywhere without moving from its place. It provides a unique opportunity for online services such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to the resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server. If a user wishes to access multiple application servers, he/she requires to register with each server. The multi-server authentication introduces a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user’s password and biometrics (Chuang and Chen, 2014). Their scheme is a lightweight, which requires the computation of only hash functions. In this paper, we first analyze Chuang and Chen’s scheme and then identify that their scheme does not resist stolen smart card attack which causes the user’s impersonation attack and server spoofing attack. We also show that their scheme fails to protect denial-of-service attack. We aim to propose an efficient improvement on Chuang and Chen’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Chuang and Chen’s scheme. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of the communication and computational overheads with Chuang and Chen’s scheme and other related existing schemes.

Cryptanalysis and Improvement of Yan et al.'s Biometric-Based Authentication Scheme for Telecare Medicine Information Systems

Remote user authentication is desirable for a Telecare Medicine Information System (TMIS) for the safety, security and integrity of transmitted data over the public channel. In 2013, Tan presented a biometric based remote user authentication scheme and claimed that his scheme is secure. Recently, Yan et al. demonstrated some drawbacks in Tan’s scheme and proposed an improved scheme to erase the drawbacks of Tan’s scheme. We analyze Yan et al.’s scheme and identify that their scheme is vulnerable to off-line password guessing attack, and does not protect anonymity. Moreover, in their scheme, login and password change phases are inefficient to identify the correctness of input where inefficiency in password change phase can cause denial of service attack. Further, we design an improved scheme for TMIS with the aim to eliminate the drawbacks of Yan et al.’s scheme.

Efficient Self-healing Key Distribution with Revocation for Wireless Sensor Networks Using One Way Key Chains

Security of group communication for large mobile wireless sensor network hinges on efficient key distribution and key management mechanism. As the wireless medium is characterized by its lossy nature, reliable communication cannot be assumed in the key distribution schemes. Therefore, self-healing is a good property for key distribution in wireless applications. The main idea of self-healing key distribution scheme is that even if during a certain session some broadcast messages are lost due to network faults, the users are capable of recovering lost session keys on their own, without requesting additional transmission from the group manager. The only requirement for a user to recover the lost session keys, is its membership in the group both before and after the sessions in which the broadcast packets containing the keys are sent. Self-healing approach of key distribution is stateless in the sense that a user who has been off-line for some period is able to recover the lost session keys immediately after coming back on-line. In this paper, we propose two constructions for scalable self-healing key distribution with trevocation capability. The novelty of our constructions are that we apply a different and more efficient self-healing mechanism compared to the ones in the literature using one-way key chain. The main improvements that our proposed schemes achieve over previous approaches are (a) communication bandwidth reduces from O((tj+ ji¾? ti¾? 1)logq) to O((t+ 1)logq), and (b) computation costs for our first and second constructions reduce from O(2tj+ j) to O(2t+ 1) and O(2(t2+ t)) respectively, where mis the maximum number of sessions, jis the current session number, tis the maximum number of compromised group members that may collude and qis a large prime number. We achieve this result without any increase in the storage complexity. The schemes are scalable to very large groups in highly mobile, volatile and hostile network. We prove in an appropriate security framework that our constructions are computationally secure and achieve both forward secrecy and backward secrecy.

Security Enhancement of a Biometric based Authentication Scheme for Telecare Medicine Information Systems with Nonce

Telecare medicine information systems (TMIS) present the platform to deliver clinical service door to door. The technological advances in mobile computing are enhancing the quality of healthcare and a user can access these services using its mobile device. However, user and Telecare system communicate via public channels in these online services which increase the security risk. Therefore, it is required to ensure that only authorized user is accessing the system and user is interacting with the correct system. The mutual authentication provides the way to achieve this. Although existing schemes are either vulnerable to attacks or they have higher computational cost while an scalable authentication scheme for mobile devices should be secure and efficient. Recently, Awasthi and Srivastava presented a biometric based authentication scheme for TMIS with nonce. Their scheme only requires the computation of the hash and XOR functions.pagebreak Thus, this scheme fits for TMIS. However, we observe that Awasthi and Srivastava’s scheme does not achieve efficient password change phase. Moreover, their scheme does not resist off-line password guessing attack. Further, we propose an improvement of Awasthi and Srivastava’s scheme with the aim to remove the drawbacks of their scheme.

A Secure and Efficient Chaotic Map-Based Authenticated Key Agreement Scheme for Telecare Medicine Information Systems

Advancement in network technology provides new ways to utilize telecare medicine information systems (TMIS) for patient care. Although TMIS usually faces various attacks as the services are provided over the public network. Recently, Jiang et al. proposed a chaotic map-based remote user authentication scheme for TMIS. Their scheme has the merits of low cost and session key agreement using Chaos theory. It enhances the security of the system by resisting various attacks. In this paper, we analyze the security of Jiang et al.’s scheme and demonstrate that their scheme is vulnerable to denial of service attack. Moreover, we demonstrate flaws in password change phase of their scheme. Further, our aim is to propose a new chaos map-based anonymous user authentication scheme for TMIS to overcome the weaknesses of Jiang et al.’s scheme, while also retaining the original merits of their scheme. We also show that our scheme is secure against various known attacks including the attacks found in Jiang et al.’s scheme. The proposed scheme is comparable in terms of the communication and computational overheads with Jiang et al.’s scheme and other related existing schemes. Moreover, we demonstrate the validity of the proposed scheme through the BAN (Burrows, Abadi, and Needham) logic.

Constant Storage Self-Healing Key Distribution with Revocation in Wireless Sensor Network

A self-healing key distribution scheme enables a large group of users (sensor nodes) to establish a session key dynamically over an unreliable, or lossy wireless network. The main property of self-healing ensures that the qualified users can recover the lost session keys on their own from the broadcast packets and some private information, without any additional communication with the group manager, thus decreasing the load on the group manager. The only requirement for a user to recover the lost session keys, is its membership in the group both before and after the sessions in which the broadcast packets containing the keys are sent. Self-healing approach of key distribution is stateless in the sense that a user who has been off-line for some period is able to recover the lost session keys immediately after coming back on-line. This paper presents a new self-healing key distribution scheme with revocation capability that requires constant storage of personal keys for each user and we feel, it is more efficient than the previous schemes in terms of communication complexity. The novelty of this scheme is to use a different and more efficient self-healing mechanism compared to the ones in the literature. The scheme is supported by a proper security analysis in an appropriate security model. It is unconditionally secure and achieves both forward and backward secrecy. Moreover, unlike previous works, proposed self-healing key distribution is not restricted to m sessions in Setup phase.

Improved Self-Healing Key Distribution with Revocation in Wireless Sensor Network

In this paper, we develop and analyze a new self-healing key distribution scheme with revocation capability, scalable to very large groups in unreliable ad hoc wireless environment. The main emphasis of our proposed scheme is that it has significant improvement in terms of both storage and communication overhead compared to the previous works. The storage overhead of our self-healing key distribution with t revocation capability is O((t + 1) log q), and the communication complexity is O((t+1+j) log q), where q is a large prime and j is the current session number. In contrast to the previous schemes, we use a different and more efficient self-healing technique. On a more positive note, our scheme enables reuse of personal key of a user to next m sessions and consequently, overcomes the restriction of m sessions in setup phase, unlike previous works. Moreover, we analyze our scheme in an appropriate security framework and proved that it is unconditionally secure and achieves both forward secrecy and backward secrecy.

A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. The proposed authentication in SIP is HTTP digest based authentication. Recently, Tu et al. presented an improvement of Zhang et al.’s smart card-based authenticated key agreement protocol for SIP. Their scheme efficiently resists password guessing attack. However, in this paper, we analyze the security of Tu et al.’s scheme and demonstrate their scheme is still vulnerable to user’s impersonation attack, server spoofing attack and man-in-the middle attack. We aim to propose an efficient improvement on Tu et al.’s scheme to overcome the weaknesses of their scheme, while retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Tu et al.’s scheme. Furthermore, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks. Additionally, the proposed scheme is comparable in terms of the communication and computational overheads with Tu et al.’s scheme and other related existing schemes.

A secure password-based authentication and key agreement scheme using smart cards

Authentication schemes present a user-friendly and scalable mechanism to establish the secure and authorized communication between the remote entities over the insecure public network. Later, several authentication schemes have proposed in the literature. However, most of the existing schemes do not satisfy the desirable attributes, such as resistance against known attacks and user anonymity. In 2012, Chen et?al. designed a robust authentication scheme to erase the weaknesses of Sood et?al.s scheme. In 2013, Jiang et?al. showed that Chen et?al.s scheme is vulnerable to password guessing attack. Furthermore, Jiang et?al. presented an efficient solution to overcome the shortcoming of Chen et?al.s scheme. We demonstrate that Jiang et?al.s scheme does not withstand insider attack, on-line and off-line password guessing attacks, and user impersonation attack. Their scheme also fails to provide users anonymity. To overcome these drawbacks, we aim to propose an enhanced scheme, which reduces the computation overhead and satisfies all desirable security attributes, while retaining the original merits of Jiang et?al.s scheme. The proposed scheme is also comparable in terms of the communication and computational overheads with Jiang et?al.s scheme and other existing schemes. Furthermore, we simulate the enhanced scheme for the formal security analysis utilizing the widely-accepted AVISPA tool and show that the proposed scheme is resistant against active and passive attacks.

Original Research Paper: Computationally secure self-healing key distribution with revocation in wireless ad hoc networks

This paper introduces a novel self-healing technique for key distribution with revocation and demonstrates how it improves the efficiency over the previous approaches while using the existing idea of secret sharing or revocation polynomial in designing self-healing key distribution schemes with revocation. Unlike the existing approaches, our self-healing mechanism does not need to send the history of revoked users and consequently enables better performance gain over the previous approaches in terms of storage, communication and computation complexity. We propose and analyze a generalized self-healing key distribution using a vector space access structure in order to reach more flexible performance of the scheme. We describe three efficient constructions for scalable self-healing key distribution with t-revocation capability. We provide a rigorous treatment of the security of our constructions in an appropriate security framework and show that they are computationally secure and achieve both forward and backward secrecy.