Cryptanalysis and security enhancement of a robust two‐factor authentication and key agreement protocol

Xie, Qi; Dong, Na; Wong, Duncan S.; Hu, Bin

doi:10.1002/dac.2858

Cited by 34 publications

(22 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ProVerif is an automated tool which make use of applied p calculus to verify cryptographic protocols [36]. ProVerif can verify trace equivalences like reachability, authentication and secrecy to prove a given protocol cannot reach to a bad state [37]. ProVerif can also be used to prove observational equivalences like anonymity & privacy [38,39].…”

Section: Protocol Verification Using Proverifmentioning

confidence: 99%

A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

Chaudhry

Farash

Naqvi

et al. 2015

Electron Commer Res

View full text Add to dashboard Cite

The use of e-payment system for electronic trade is on its way to make daily life more easy and convenient. Contrarily, there are a number of security issues to be addressed, user anonymity and fair exchange have become important concerns along with authentication, confidentiality, integrity and non-repudiation. In a number of existing e-payment schemes, the customer pays for the product before acquiring it. Furthermore, many such schemes require very high computation and communication costs. To address such issues recently Yang et al. proposed an authenticated encryption scheme and an e-payment scheme based on their authenticated encryption. They excluded the need of digital signatures for authentication. Further they claimed their schemes to resist replay, man-in-middle, impersonation and identity theft attack while providing confidentiality, authenticity, integrity and privacy protection. However our analysis exposed that Yang et al.'s both authenticated encryption scheme and e-payment system are vulnerable to impersonation attack. An adversary just having knowledge of public parameters can easily masquerade as a legal user. Furthermore, we proposed improved authenticated encryption and e-payment schemes to overcome weaknesses of Yang et al.'s schemes. We prove the security of our schemes using automated tool ProVerif. The & Mohammad Sabzinejad Farash improved schemes are more robust and more lightweight than Yang et al.'s schemes which is evident from security and performance analysis.

show abstract

Section: Protocol Verification Using Proverifmentioning

confidence: 99%

A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

Chaudhry

Farash

Naqvi

et al. 2015

Electron Commer Res

View full text Add to dashboard Cite

show abstract

“…Maitra et al 's work [18] just ignored this problem and supposed that the adversary can never learn about the long term secret key; as, for Amin's work, he assumed that a valid user can always know the secret information and may provide it to the adversary, while, in fact, these two statements are both not accurate enough. A widely accepted assumption is that an adversary can know the long term secret key only when evaluating the forward secrecy [28][29][30][31][32].…”

Section: Adversary Modelmentioning

confidence: 99%

A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment

Wang

2018

Security and Communication Networks

View full text Add to dashboard Cite

With the great development of network technology, the multiserver system gets widely used in providing various of services. And the two-factor authentication protocols in multiserver system attract more and more attention. Recently, there are two new schemes for multiserver environment which claimed to be secure against the known attacks. However, after a scrutinization of these two schemes, we found that (1) their description of the adversary's abilities is inaccurate; (2) their schemes suffer from many attacks. Thus, firstly, we corrected their description on the adversary capacities to introduce a widely accepted adversary model and then summarized fourteen security requirements of multiserver based on the works of pioneer contributors. Secondly, we revealed that one of the two schemes fails to preserve forward secrecy and user anonymity and cannot resist stolen-verifier attack and off-line dictionary attack and so forth and also demonstrated that another scheme fails to preserve forward secrecy and user anonymity and is not secure to insider attack and off-line dictionary attack, and so forth. Finally, we designed an enhanced scheme to overcome these identified weaknesses, proved its security via BAN logic and heuristic analysis, and then compared it with other relevant schemes. The comparison results showed the superiority of our scheme.

show abstract

“…Fortunately, ProVerif is one of the best tools to examine security protocols. It can be used to analyze different security aspects like secrecy []. It can deal with most of the symmetric cryptography primitives.…”

Section: Protocol Verification Through Proverifmentioning

confidence: 99%

“…[]. Subsequently, a large number of smart card‐based authentication schemes are proposed [,]. The past research on authentication has ascertained that the development of a correct authentication scheme is exceptionally difficult [] as smart card is a very small device equipped with limited computation, memory, and power resources.…”

Section: Introductionmentioning

confidence: 99%

“…So authentication schemes [] based on symmetric key primitives (hash, message authentication code , exclusive or, symmetric encryption, etc.) look more desirable instead of schemes [] based on expensive asymmetric primitives (point multiplication, exponentiation, pairing, etc. ), but keeping in mind the sensitivity of tasks (e.g., financial and health care) carried out by such schemes, which are also having additional threats as compared with traditional threats, asymmetric cryptography looks more promising which can resist impersonation, password guessing, and replay attacks.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An enhanced privacy preserving remote user authentication scheme with provable security

Chaudhry

Farash

Naqvi

et al. 2015

Security Comm Networks

View full text Add to dashboard Cite

Very recently, Kumari et al. proposed a symmetric key and smart card‐based remote user password authentication scheme to enhance Chung et al.'s scheme. They claimed their enhanced scheme to provide anonymity while resisting all known attacks. In this paper, we analyze that Kumari et al.'s scheme is still vulnerable to anonymity violation attack as well as smart card stolen attack. Then we propose a supplemented scheme to overcome security weaknesses of Kumari et al.'s scheme. We have analyzed the security of the proposed scheme in random oracle model which confirms the robustness of the scheme against all known attacks. We have also verified the security of our scheme using automated tool ProVerif. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Cryptanalysis and security enhancement of a robust two‐factor authentication and key agreement protocol

Cited by 34 publications

References 24 publications

A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment

An enhanced privacy preserving remote user authentication scheme with provable security

Contact Info

Product

Resources

About