Revisiting Anonymous Two-Factor Authentication Schemes for Cloud Computing

  • Conference paper
Cloud Computing and Security (ICCCS 2018)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11064)


Abstract

Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to address the vulnerabilities in Jiang et al.’s scheme. In this paper, however, we reveal that Wu-Xu’s scheme is itself subject to critical security defects, such as offline password guessing attacks and replay attacks. Besides security, user-friendliness is another major concern. In 2017, Roy et al. observed that in most previous two-factor schemes a user has to manage different credentials for different services, and proposed a user-friendly scheme that is claimed to be suitable for multi-server architectures and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve truly two-factor security and scales poorly. Our results invalidate any use of the scrutinized schemes for cloud computing environments.


References

  1. All Data Breach Sources, February 2018. https://breachalarm.com/all-sources

  2. Alsaleh, M., Mannan, M., Van Oorschot, P.: Revisiting defenses against large-scale online password guessing attacks. IEEE Trans. Dependable Secur. Comput. 9(1), 128–141 (2012)

  3. Chen, B., Kuo, W.: Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2), 377–389 (2014)

  4. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

  5. Hao, Z., Zhong, S., Yu, N.: A time-bound ticket-based mutual authentication scheme for cloud computing. Int. J. Comput. Commun. Control 6(2), 227–235 (2011)

  6. He, D., Chen, J., Hu, J.: An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Inf. Fusion 13(3), 223–230 (2012)

  7. Huang, X., Chen, X., Li, J., Xiang, Y., Xu, L.: Further observations on smart-card-based password-authenticated key agreement in distributed systems. IEEE Trans. Parallel Distrib. Syst. 25(7), 1767–1775 (2014)

  8. Islam, S.: Design and analysis of an improved smartcard-based remote user password authentication scheme. Int. J. Commun. Syst. 29(11), 1708–1719 (2016)

  9. Jiang, Q., Khan, M.K., Lu, X., Ma, J., He, D.: A privacy preserving three-factor authentication protocol for e-Health clouds. J. Supercomput. 72(10), 3826–3849 (2016)

  10. Jiang, Q., Ma, J., Li, G., Li, X.: Improvement of robust smart-card-based password authentication scheme. Int. J. Commun. Syst. 28(2), 383–393 (2014)

  11. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  12. Li, X., Niu, J., Liao, J., Liang, W.: Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst. 28(2), 374–382 (2015)

  13. Ma, C.G., Wang, D., Zhao, S.D.: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. 27(10), 2215–2227 (2014)

  14. Memon, N.: How biometric authentication poses new challenges to our security and privacy [in the spotlight]. IEEE Signal Process. Mag. 34(4), 194–196 (2017)

  15. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)

  16. Odelu, V., Das, A.K., Kumari, S., Huang, X., Wazid, M.: Provably secure authenticated key agreement scheme for distributed mobile cloud computing services. Future. Gener. Comput. Syst. 68, 74–88 (2017)

  17. Roy, S., Chatterjee, S., Das, A.K., Chattopadhyay, S., Kumar, N., Vasilakos, A.V.: On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5, 25808–25825 (2017)

  18. Song, R.: Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 32(5), 321–325 (2010)

  19. Sood, S.K., Sarje, A.K., Singh, K.: An improvement of Xu et al.’s authentication scheme using smart cards. In: Proceedings of ACM COMPUTE 2010, pp. 1–5. ACM (2010)

  20. Tsai, J.L., Lo, N.W.: A privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst. J. 9(3), 805–815 (2015)

  21. Wang, C., Xu, G.: Cryptanalysis of three password-based remote user authentication schemes with non-tamper resistant smart card. Secur. Commun. Netw. (2017). https://doi.org/10.1002/sec.817

  22. Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of NDSS 2018, pp. 1–16. ISOC (2018)

  23. Wang, D., He, D., Wang, P., Chu, C.H.: Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 12(4), 428–442 (2015)

  24. Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secur. Comput. 15(4), 708–722 (2018). https://doi.org/10.1109/TDSC.2016.2605087

  25. Wei, F., Zhang, R., Ma, C.: A provably secure anonymous two-factor authenticated key exchange protocol for cloud computing. Fundam. Inform. 157(1), 201–220 (2018)

  26. Wu, F., Xu, L.: A chaotic map-based authentication and key agreement scheme with user anonymity for cloud computing. In: Sun, X., Chao, H.-C., You, X., Bertino, E. (eds.) ICCCS 2017. LNCS, vol. 10603, pp. 189–200. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68542-7_16

  27. Xie, Q., Wong, D.S., Wang, G.: Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans. Inf. Forensics Secur. 12(6), 1382–1392 (2017)

  28. Xu, J., Zhu, W., Feng, D.: An improved smart card based password authentication scheme with provable security. Comput. Stand. Interfaces 31(4), 723–728 (2009)

  29. Yang, G.M., Wong, D.S., Wang, H.X., Deng, X.T.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)


Acknowledgments

This research was supported by the National Natural Science Foundation of China under Grants No. 61472016, and by the National Key Research and Development Plan under Grants Nos. 2016YFB0800603 and 2017YFB1200700.

Author information

Corresponding author

Correspondence to Ping Wang.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Shen, Y., Wang, D., Wang, P. (2018). Revisiting Anonymous Two-Factor Authentication Schemes for Cloud Computing. In: Sun, X., Pan, Z., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2018. Lecture Notes in Computer Science(), vol 11064. Springer, Cham. https://doi.org/10.1007/978-3-030-00009-7_13

  • DOI: https://doi.org/10.1007/978-3-030-00009-7_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00008-0

  • Online ISBN: 978-3-030-00009-7

  • eBook Packages: Computer Science (R0)
