Abstract
Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to cope with the vulnerabilities in Jiang et al.’s scheme. However, in this paper, we reveal that Wu-Xu’s scheme is actually subject to critical security defects, such as offline password guessing and replay attacks. Besides security, user-friendliness is another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme that is claimed to be suitable for multi-server architectures and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve true two-factor security and scales poorly. Our results invalidate any use of the scrutinized schemes for cloud computing environments.
References
All Data Breach Sources, February 2018. https://breachalarm.com/all-sources
Alsaleh, M., Mannan, M., Van Oorschot, P.: Revisiting defenses against large-scale online password guessing attacks. IEEE Trans. Dependable Secur. Comput. 9(1), 128–141 (2012)
Chen, B., Kuo, W.: Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2), 377–389 (2014)
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Hao, Z., Zhong, S., Yu, N.: A time-bound ticket-based mutual authentication scheme for cloud computing. Int. J. Comput. Commun. Control 6(2), 227–235 (2011)
He, D., Chen, J., Hu, J.: An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Inf. Fusion 13(3), 223–230 (2012)
Huang, X., Chen, X., Li, J., Xiang, Y., Xu, L.: Further observations on smart-card-based password-authenticated key agreement in distributed systems. IEEE Trans. Parallel Distrib. Syst. 25(7), 1767–1775 (2014)
Islam, S.: Design and analysis of an improved smartcard-based remote user password authentication scheme. Int. J. Commun. Syst. 29(11), 1708–1719 (2016)
Jiang, Q., Khan, M.K., Lu, X., Ma, J., He, D.: A privacy preserving three-factor authentication protocol for e-Health clouds. J. Supercomput. 72(10), 3826–3849 (2016)
Jiang, Q., Ma, J., Li, G., Li, X.: Improvement of robust smart-card-based password authentication scheme. Int. J. Commun. Syst. 28(2), 383–393 (2014)
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Li, X., Niu, J., Liao, J., Liang, W.: Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst. 28(2), 374–382 (2015)
Ma, C.G., Wang, D., Zhao, S.D.: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. 27(10), 2215–2227 (2014)
Memon, N.: How biometric authentication poses new challenges to our security and privacy [in the spotlight]. IEEE Signal Process. Mag. 34(4), 194–196 (2017)
Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)
Odelu, V., Das, A.K., Kumari, S., Huang, X., Wazid, M.: Provably secure authenticated key agreement scheme for distributed mobile cloud computing services. Future Gener. Comput. Syst. 68, 74–88 (2017)
Roy, S., Chatterjee, S., Das, A.K., Chattopadhyay, S., Kumar, N., Vasilakos, A.V.: On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5, 25808–25825 (2017)
Song, R.: Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 32(5), 321–325 (2010)
Sood, S.K., Sarje, A.K., Singh, K.: An improvement of Xu et al.’s authentication scheme using smart cards. In: Proceedings of ACM COMPUTE 2010, pp. 1–5. ACM (2010)
Tsai, J.L., Lo, N.W.: A privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst. J. 9(3), 805–815 (2015)
Wang, C., Xu, G.: Cryptanalysis of three password-based remote user authentication schemes with non-tamper resistant smart card. Secur. Commun. Netw. (2017). https://doi.org/10.1002/sec.817
Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of NDSS 2018, pp. 1–16. ISOC (2018)
Wang, D., He, D., Wang, P., Chu, C.H.: Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 12(4), 428–442 (2015)
Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secur. Comput. 15(4), 708–722 (2018). https://doi.org/10.1109/TDSC.2016.2605087
Wei, F., Zhang, R., Ma, C.: A provably secure anonymous two-factor authenticated key exchange protocol for cloud computing. Fundam. Inform. 157(1), 201–220 (2018)
Wu, F., Xu, L.: A chaotic map-based authentication and key agreement scheme with user anonymity for cloud computing. In: Sun, X., Chao, H.-C., You, X., Bertino, E. (eds.) ICCCS 2017. LNCS, vol. 10603, pp. 189–200. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68542-7_16
Xie, Q., Wong, D.S., Wang, G.: Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans. Inf. Forensics Secur. 12(6), 1382–1392 (2017)
Xu, J., Zhu, W., Feng, D.: An improved smart card based password authentication scheme with provable security. Comput. Stand. Interfaces 31(4), 723–728 (2009)
Yang, G.M., Wong, D.S., Wang, H.X., Deng, X.T.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)
Acknowledgments
This research was supported by the National Natural Science Foundation of China under Grant No. 61472016, and by the National Key Research and Development Plan under Grants Nos. 2016YFB0800603 and 2017YFB1200700.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Shen, Y., Wang, D., Wang, P. (2018). Revisiting Anonymous Two-Factor Authentication Schemes for Cloud Computing. In: Sun, X., Pan, Z., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2018. Lecture Notes in Computer Science, vol 11064. Springer, Cham. https://doi.org/10.1007/978-3-030-00009-7_13
DOI: https://doi.org/10.1007/978-3-030-00009-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00008-0
Online ISBN: 978-3-030-00009-7
eBook Packages: Computer Science, Computer Science (R0)