Wen-Bin Hsieh

Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards

In a distributed environment, a fundamental concern is authentication of local and remote users in insecure communication networks. Absolutely, legitimate users are more powerful attackers, since they possess internal system information not available to an intruder. Therefore many remote user authentication schemes for distributed systems have been proposed. These schemes claimed that they could resist various attacks. However, they were found to have some weaknesses later. Lee et al . proposed a secure dynamic ID-based remote user authentication scheme for the multi-server environment using smart cards and claimed that their scheme could protect against masquerade attacks, server spoofing attack, registration server spoofing attack and insider attack. In this study, the authors show that Lee et al .s scheme is still vulnerable to password guessing attack, server spoofing attack and masquerade attack. To propose a viable authentication scheme for distributed systems, we remedy the flaws of Lee et al .s scheme and propose an efficient improvement over Lee et al .s scheme. Furthermore, we compare the proposed scheme with related ones to prove that the computation cost, security and efficiency of the proposed scheme are well suitable for practical applications in a distributed system.

Anonymous authentication protocol based on elliptic curve Diffie–Hellman for wireless access networks

Anonymous channel tickets have been proposed as a way to provide user anonymity and to reduce the overhead of re-authentication for authentication in wireless environments. Chen et al. proposed a secure and efficient protocol, based on a protocol proposed by Yang et al., which is resistant to guessing attacks on networks from which users’ secret keys are easy to obtain. However, their scheme is time-consuming in the phases of ticket issuing and authentication. Furthermore, a malicious attacker can utilize the expired time, Texp, to launch a denial of authentication (DoA) attack, which is a type of denial of service attack. Because Texp is exposed to any user, it would be easy to launch a DoA attack that could make the scheme impractical. To resist against DoAs that the scheme of Chen et al. might suffer, we propose an improved scheme based on elliptic curve cryptography in this paper. Our scheme not only reduces time cost but also enhances security. The basis of the proposed scheme is the elliptic curve discrete logarithm problem. The operations of points of an elliptic curve are faster and use fewer bits to achieve the same level of security. Therefore, our scheme is more suitable for mobile devices, which have limited computing power and storage. Copyright

Exploiting hash functions to intensify the remote user authentication scheme

Nowadays, the client-server model plays an important part in the Internet architecture. The procedure that a server authenticates a remote user securely has become a significant issue. Hence, many remote user authentication schemes are proposed. Hsiang and Shih pointed out the weaknesses of Yoon et al.s scheme and proposed an improved scheme not only preserving original merits but also mending the weaknesses. The scheme protects against masquerading attacks, offline password guessing attacks and parallel session attacks. However, He et al. found that Hsiang et al.s scheme is still vulnerable to password guessing attack, masquerading server attack and masquerading attack. Furthermore, we also found Hsiang-Shihs scheme could be threatened by a malicious insider that can originate an infringed account attack and a resembling account attack. In this paper, we first describe how a malicious insider carries out an infringed account attack and then present a resembling account attack on Hsiang-Shihs scheme. After that, we propose an improvement assisted by hashing functions to enhance Hsiang-Shihs scheme.

Design of a time and location based One-Time Password authentication scheme

As the mobile networks are springing up, mobile devices become a must gadget in our daily life. People can easily access Internet application services anytime and anywhere via the hand-carried mobile devices. Most of modern mobile devices are equipped with a GPS module, which can help get the real-time location of the mobile device. In this paper, we propose a novel authentication scheme which exploits volatile passwords - One-Time Passwords (OTPs) based on the time and location information of the mobile device to transparently and securely authenticate users while accessing Internet services, such as online banking services and e-commerce transactions. Compared to a permanent password base scheme, an OTP based one can prevent users from being eavesdropped. In addition to a memoryless feature, the scheme restricts the validness of the OTP password not only in a certain time period but also in a tolerant geometric region to increase the security protection. However, if a legitimate user is not in the anticipated tolerant region, the user may fail to be authenticated. Hence, a Short Message Service (SMS) based mutual authentication mechanism is also proposed in the article to supplement the unexpected misjudgement. The proposed method with a volatile time/location-based password features more secure and more convenient for user authentication.

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.

A Robust User Authentication Scheme Using Dynamic Identity in Wireless Sensor Networks

In modern, wireless sensor networks (WSNs) stand for the next evolutionary and innovative development step in utilities, industrial, building, home, shipboard, and transportation systems automation. The feature of WSNs is easy to deploy and has wide range of applications. Therefore, in distributed and unattended locations, WSNs are deployed to allow a legitimated user to login to the network and access data. Consequently, the authentication between users and sensor nodes has become one of the important security issues. In 2009, M. L. Das proposed a two-factor authentication for WSNs. Based on one-way hash function and exclusive-OR operation, the scheme is well-suited for resource constrained environments. Later, Khan and Algahathbar pointed out the flaws and vulnerabilities of Das’s scheme and proposed an alternative scheme. However, Vaidya et al. found that both Das’s and Khan–Algahathbar’s schemes are vulnerable to various attacks including stolen smart card attacks. Further, Vaidya et al. proposed an improved two-factor user authentication to overcome the security weakness of both schemes. In this paper, we show that Vaidya et al.’s scheme still exposes to a malicious insider attack that seriously threatens the security of WSNs. Furthermore, we propose an improve scheme that mends those vulnerabilities.

A dynamic identity user authentication scheme in wireless sensor networks

Wireless sensor networks (WSNs) represent the next evolutionary development step in utilities, industrial, building, home, shipboard, and transportation systems automation. WSNs are easy to deploy and have wide range of applications. Therefore, in distributed and unattended locations, WSNs are deployed to allow a legitimated user to login to the network and access data. Consequently, the authentication between users and sensor nodes has become one of the important security issues. In 2009, M. L. Das proposed a two-factor authentication for WSNs. Based on one-way hash function and exclusive-OR operation, the scheme is well-suited for resource constrained environments. Later, Khan and Algahathbar pointed out the flaws and vulnerabilities of Dass scheme and proposed an alternative scheme. However, Vaidya et al. found that both Dass and Khan-Algahathbars schemes are vulnerable to various attacks including stolen smart card attacks. Further, Vaidya et al. proposed an improved two-factor user authentication to overcome the security weakness of both schemes. In this paper, we show that Vaidya et al.s scheme still exposes to a malicious insider attack that seriously threatens the security of WSNs. We hope that by identifying this vulnerability, similar schemes can avoid these weaknesses.

Design and Implementation of a VoIP Broadcasting Service over Embedded Systems in a Heterogeneous Network Environment

As the digitization is integrated into daily life, media including video and audio are heavily transferred over the Internet nowadays. Voice-over-Internet Protocol (VoIP), the most popular and mature technology, becomes the focus attracting many researches and investments. However, most of the existing studies focused on a one-to-one communication model in a homogeneous network, instead of one-to-many broadcasting model among diverse embedded devices in a heterogeneous network. In this paper, we present the implementation of a VoIP broadcasting service on the open source—Linphone—in a heterogeneous network environment, including WiFi, 3G, and LAN networks. The proposed system featuring VoIP broadcasting over heterogeneous networks can be integrated with heterogeneous agile devices, such as embedded devices or mobile phones. VoIP broadcasting over heterogeneous networks can be integrated into modern smartphones or other embedded devices; thus when users run in a traditional AM/FM signal unreachable area, they still can receive the broadcast voice through the IP network. Also, comprehensive evaluations are conducted to verify the effectiveness of the proposed implementation.

Implementing a secure VoIP communication over SIP-based networks

Recent years the Session Initiation Protocol (SIP) is commonly used in establishing Voice over IP (VoIP) calls and has become the centerpiece for most VoIP architecture. As wireless and mobile all-IP networks become prosperous, free VoIP applications are utilized in all places. Consequently, the security VoIP is a crucial requirements for its adoption. Many authentication and key agreement schemes are proposed to protect the SIP messages, however, lacking concrete implementations. The performance of VoIP is critical for users’ impressions. In view of this, this paper studies the performance impact of using key agreements, elliptic curve Diffie–Hellman and elliptic curve Menezes–Qu–Vanstone, for making a SIP-based VoIP call. We evaluate the key agreement cost using spongycastle.jce.provider package in Java running on android-based mobile phones, the effect of using different elliptic curves and analyze the security of both key agreements. Furthermore, we design a practical and efficient authentication mechanism to deploy our VoIP architecture and show that a VoIP call can be established in an acceptable interval. As a result, this paper provides a concrete and feasible architecture to secure a VoIP call.

An Improved Mutual Authentication Mechanism for Securing Smart Phones

As technology advances, many wired and wireless devices have been created to fulfill consumer needs. With the popularity of the Internet and wireless networks, communication between devices has become necessary for accessing services. It is important for service providers that only legal clients with authorization access these services. By contrast, service consumers must verify that services are provided by legitimate servers. Therefore, many mutual authentication protocols have been developed to achieve this goal. This type of research has mainly been applied to server–client and peer-to-peer architecture, including radio frequency identification, wireless mobile networks, and wireless sensor networks. The proposed protocols have focused on securing exchanged messages in communication channels, and they assume that devices are secure. However, hackers have exposed devices, such as smart phones, to more threats and attacks. Hackers have begun targeting the Android platform because it has become a popular smart phone platform. Malware and phishing websites can steal sensitive information such as user account details and passwords. This negates protocol security. This paper improves the scheme developed by Li et al. and proposes a security mechanism to better protect protocol parameters. The proposed mechanism enhances mobile device security and allows protocols to take effect.