Your search keyword '"Fushan WEI"' showing total 32 results

1. Automated State-Machine-Based Analysis of Hostname Verification in IPsec Implementations

Author

Jiaxing Guo, Chunxiang Gu, Xi Chen, Siqi Lu, and Fushan Wei

Subjects

Hostname, Authentication, Network security, business.industry, computer.internet_protocol, Computer science, Cryptography, Cryptographic protocol, Certificate, Computer security, computer.software_genre, Security testing, Computer Science Applications, Control and Systems Engineering, IPsec, Electrical and Electronic Engineering, business, computer

Abstract

Owing to the advent and rapid development of Internet communication technology, network security protocols with cryptography as their core have gradually become an important means of ensuring secure communications. Among numerous security protocols, certificate authentication is a common method of identity authentication, and hostname verification is a critical but easily neglected process in certificate authentication. Hostname verification validates the identity of a remote target by checking whether the hostname of the communication partner matches any name in the X.509 certificate. Notably, errors in hostname verification may cause security problems with regard to identity authentication. In this study, we use a model-learning method to conduct security testing for hostname verification in internet protocol security (IPsec). This method can analyze the problems entailed in implementing hostname verification in IPsec by effectively inferring the deterministic finite automaton model that can describe the matching situation between the certificate subject name and the hostname for different rules. We analyze two popular IPsec implementations, Strongswan and Libreswan, and find five violations. We use some of these violations to conduct actual attack tests on the IPsec implementation. The results show that under certain conditions, attackers can use these flaws to carry out identity impersonation attacks and man-in-the-middle attacks.

Published

2021

2. An Intelligent Terminal Based Privacy-Preserving Multi-Modal Implicit Authentication Protocol for Internet of Connected Vehicles

Author

Pandi Vijayakumar, Fushan Wei, Sherali Zeadally, Debiao He, and Neeraj Kumar

Subjects

Password, 050210 logistics & transportation, Authentication, Computer science, business.industry, Mechanical Engineering, 05 social sciences, Computer security, computer.software_genre, Authentication server, Computer Science Applications, Terminal (electronics), Authentication protocol, 0502 economics and business, Automotive Engineering, Ciphertext, The Internet, business, computer, Intelligent transportation system

Abstract

The Internet of connected Vehicles (IOV) can collect, process, compute and release the information of intelligent transportation systems. IOV is an integrated service system that can support the applications for automatic driving, intelligent transport and information services. As the number of incidents on IOV has been on the rise in the past few years, IOV security is becoming increasingly important in the IOV architecture. One of the most notable risks of IOV faces is intelligent terminal security. The vehicle’s intelligent terminal can be used to launch for further attacks on the on-board operating system to penetrate into the internal network of connected vehicle, and consequently threaten the safety of the vehicle. Thus, it is of paramount importance that we protect the security of the intelligent terminal. We propose two intelligent terminal based privacy-preserving multi-modal implicit authentication protocols to protect the security of the intelligent terminal in IOV. The proposed protocols use the password and the vehicle owner’s behavior features as the authentication factors to protect the security of the intelligent terminal. Since the vehicle owner’s behavior features are sensitive and the privacy information of the user must be protected, we also consider the privacy protection of the behavior features. Our protocols do not reveal any information about the vehicle owner’s behavior features to the authentication server and the adversary except the ciphertext size of the feature vector. We analyze the security of our proposed protocol and compare them with other related protocols in terms of computation and communications costs. Our results demonstrate that our proposed protocols yield better security and efficiency.

Published

2021

3. Efficient cloud-aided verifiable secret sharing scheme with batch verification for smart cities

Author

Jian Shen, Fushan Wei, Xingming Sun, Dengzhi Liu, and Yang Xiang

Subjects

Scheme (programming language), Security analysis, Computer Networks and Communications, business.industry, Electronic voting, Computer science, Electronic cash, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Secret sharing, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Verifiable secret sharing, business, computer, Software, computer.programming_language

Abstract

With the wide usage of the information and communication technology (ICT) in smart cities, people’s lives become easier and more convenient. Cloud computing, as a burgeoning technology of the ICT, provides consumers with unlimited computing capabilities and storage resources. Using the cloud to promote the progress of the ICT-based applications meets the requirement of the practical usage, and is also in line with the sustainable development. As we all know, the secret sharing is a hot topic in the security community. Many security-assurance applications can be realized with the assistance of secret sharing. In this paper, an efficient cloud-aided verifiable secret sharing scheme is proposed based on the polynomial commitment for smart cities, which can be used in a variety of practical applications such as electronic voting and revocable electronic cash. In the proposed scheme, users can verify the received shares from the cloud. Moreover, in order to meet the requirement of the real-world usage, we extend our scheme to support the batch verification with the aid of a third-party arbitration center. In addition, the aggregate signature is used to verify whether a subset of users possess the shares that indeed sent by the cloud. The security analysis shows that the proposed scheme can satisfy the security requirements of the verifiable secret sharing (VSS) and the performance analysis shows that our scheme is more efficient than previous schemes in terms of the communication and the computation.

Published

2020

4. Model Learning and Model Checking of IPSec Implementations for Internet of Things

Author

Xi Chen, Jiaxing Guo, Chunxiang Gu, and Fushan Wei

Subjects

Model checking, Finite-state machine, General Computer Science, IPSec protocol, business.industry, Computer science, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, General Engineering, Computer security, computer.software_genre, model checking, IPv6, Secure communication, model learning, IPsec, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, 6LoWPAN, Implementation, Protocol (object-oriented programming), computer, lcsh:TK1-9971

Abstract

With the development of Internet of Things (IoT) technology, the demand for secure communication by smart devices has dramatically increased, and the security of the IoT protocol has become the focus of cyberspace. Recently, some scholars have attempted to extend the IPSec protocol to IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) to ensure end-to-end security, which makes it essential to analyze the vulnerability of the IPSec protocol to enhance the security of the IoT. In this study, we use a method combining model learning and model checking to analyze the dynamic vulnerability of IPSec protocol implementations. This method automatically infers the black-box model and compares it with the relevant specifications to expose the defects of the system implementation and search its logic vulnerabilities. We first employ model learning on three IPSec implementations to infer state machine models; then, we use model checking to verify that these models satisfy basic security properties and conform to the RFCs. Our analysis reveals three new security issues: a wrong interaction causing server exception and two violations of the standard.

Published

2019

5. Security Analysis and Design of Authentication Key Agreement Protocol in Medical Internet of Things

Author

Fushan Wei, Siqi Lu, Xi Chen, Jiaxing Guo, and Chunxiang Gu

Subjects

Key-agreement protocol, Authentication, Security analysis, 020205 medical informatics, Computer science, Data security, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Identity theft, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Replay attack, Secure transmission, computer

Abstract

With the rise and rapid development of the Internet of Things, the electronic healthcare (e-health) system gradually become a universal trend in the global medical industry. As a typical e-health application, Telecare Medical Information System (TMIS) can assist patients and medical staffs in monitoring and communicating for medical aid. However, TMIS usually runs in untrusted public channels, which makes it urgent to provide a secure authentication scheme to achieve user authentication, data security, and privacy protection purposes. In 2014, Li et al. proposed a biometric-based remote user authentication scheme that supported secure transmission and provided patient privacy protection. However, we analyze the scheme of Li et al. and identify that this scheme is vulnerable to identity theft attack, user impersonation attack, replay attack, and key compromise impersonation attack. We improve the original scheme to solve these problems and give the security proof as well as formal analysis of our scheme. Besides, we provide detailed heuristic security analysis to verify that our scheme can resist potential attacks and provide various security properties. Finally, performance analysis shows that the security of the improved protocol is enhanced without excessively increasing the computational cost.

Published

2020

6. Privacy-Preserving and Lightweight Key Agreement Protocol for V2G in the Social Internet of Things

Author

Yang Xiang, Fushan Wei, Tianqi Zhou, Jian Shen, and Xingming Sun

Subjects

Key-agreement protocol, Security analysis, Authentication, Computer Networks and Communications, business.industry, Computer science, 020208 electrical & electronic engineering, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Computer security model, Computer security, computer.software_genre, Computer Science Applications, Smart grid, Hardware and Architecture, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, Protocol (object-oriented programming), computer, Information Systems

Abstract

The concept of the Social Internet of Things (SIoT) can be viewed as the integration of prevailing social networking and the Internet of Things, which is making inroads into the daily operation of many industries. Smart grids, which are cost-effective and environmentally friendly applications, are a promising field of the SIoT. However, security and privacy concerns are the dark aspects of smart grids. The goal of this paper is to address the security and privacy issues in the vehicle-to-grid (V2G) networks with the intention of promoting a more extensive deployment of V2G networks for smart grids. Driven by this motivation, in this paper, we propose a robust key agreement protocol that can achieve mutual authentication without exposing the real identities of users. Efficiency is also a major concern in resource-constrained environments. By leveraging only hash functions and bitwise exclusive-OR operations, the proposed protocol is highly efficient compared with pairing-based protocols. In addition, we define a formal security model for our privacy-preserving key agreement protocol for V2G networks. Using this model, a formal security analysis shows that the proposed protocol is secure. Moreover, an informal security analysis demonstrates that our protocol can withstand different types of attacks.

Published

2018

7. Cryptanalysis and Security Enhancement of Three Authentication Schemes in Wireless Sensor Networks

Author

Bin Li, Yiming Zhao, Ping Wang, Wenting Li, and Fushan Wei

Subjects

Article Subject, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, lcsh:Technology, lcsh:Telecommunication, law.invention, law, Forward secrecy, lcsh:TK5101-6720, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Password, 021110 strategic, defence & security studies, Authentication, Cryptographic primitive, lcsh:T, business.industry, Password cracking, 020206 networking & telecommunications, Lightweight protocol, Smart card, business, Cryptanalysis, computer, Wireless sensor network, Information Systems, Anonymity

Abstract

Nowadays wireless sensor networks (WSNs) have drawn great attention from both industrial world and academic community. To facilitate real-time data access for external users from the sensor nodes directly, password-based authentication has become the prevalent authentication mechanism in the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication scheme for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that though this protocol is equipped with a formal proof, it actually has several security loopholes been overlooked, such that it cannot resist against smart card loss attack and violate forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, as well as suffering from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties of forward secrecy and user friendliness. In addition, by adopting the “perfect forward secrecy (PFS)” principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.

Published

2018

8. On the Security of a Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services

Author

Fushan Wei, Qi Jiang, and Jianfeng Ma

Subjects

Challenge-Handshake Authentication Protocol, 021103 operations research, Computer Networks and Communications, Computer science, Data_MISCELLANEOUS, 0211 other engineering and technologies, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Control and Systems Engineering, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Challenge–response authentication, computer, Data Authentication Algorithm, Information Systems

Abstract

Recently, Tsai and Lo proposed a privacy aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we first identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Beside this major defect, it also suffers from some minor design flaws, including the problem of biometrics misuse, wrong password, and fingerprint login, no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

Published

2018

9. A provably secure password-based anonymous authentication scheme for wireless body area networks

Author

Jian Shen, Fushan Wei, Li Li, Ruijie Zhang, and Pandi Vijayakumar

Subjects

Password, Password policy, Zero-knowledge password proof, General Computer Science, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Random oracle, S/KEY, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Zero-knowledge proof, Electrical and Electronic Engineering, business, computer, Anonymity, Computer network

Abstract

Wireless body area networks (WBANs) comprise many tiny sensor nodes which are planted in or around a patient’s body. These sensor nodes can collect biomedical data of the patient and transmit these valuable data to a data sink or a personal digital assistant. Later, health care service providers can get access to these data through authorization. The biomedical data are usually personal and privacy. Consequently, data confidentiality and user privacy are primary concerns for WBANs. In order to achieve these goals, we propose an anonymous authentication scheme for WBANs based on low-entropy password and prove its security in the random oracle model. Our scheme enjoys strong anonymity in the sense that only the client knows his identity during the authentication phase of the scheme. Compared with other related proposals, our scheme is efficient in terms of computation. Moreover, the authentication of the client relies on human-rememberable password, which makes our scheme more suitable for applications in WBANs.

Published

2018

10. An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks

Author

Yuanyuan Yang, Youliang Tian, Qi Jiang, Fushan Wei, Jian Shen, and Jianfeng Ma

Subjects

Scheme (programming language), Authentication, Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, Elliptic curve cryptography, business, computer, Wireless sensor network, Computer network, computer.programming_language

Abstract

Recently, He et al. proposed an anonymous two-factor authentication scheme following the concept of temporal-credential for wireless sensor networks (WSNs), which is claimed to be secure and capable of withstanding various attacks. However, we reveal that the authentication phase of their scheme has several pitfalls. Firstly, their scheme is susceptible to malicious user impersonation attack, in which a legal but malicious user can impersonate as other registered users. In addition, their scheme is also vulnerable to stolen smart card attack. Furthermore, the scheme cannot provide untraceability and is prone to tracking attack. Then we put forward an untraceable two-factor authentication scheme based on elliptic curve cryptography (ECC) for WSNs. Our new scheme makes up for the missing security features necessary for real-life applications while maintaining the desired features of the original scheme. We prove that the scheme fulfills mutual authentication in the Burrows-Abadi-Needham (BAN) logic. Moreover, by way of informal security analysis, we show that the proposed scheme can resist a variety of attacks and provide more security features than He et al.’s scheme.

Published

2016

11. DOAS: Efficient data owner authorized search over encrypted cloud data

Author

Yinbin Miao, Junwei Zhang, Fushan Wei, Zhiquan Liu, Jianfeng Ma, and Ximeng Liu

Subjects

020203 distributed computing, Security analysis, Cryptographic primitive, Database, Computer Networks and Communications, business.industry, Computer science, Data security, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, computer.software_genre, Encryption, Computer security, Random oracle, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Chosen-plaintext attack, business, computer, Software

Abstract

Data outsourcing service can shift the local data storage and maintenance to cloud service provider (CSP) to ease the burden from data owner, but it brings the data security threats as CSP is always considered to honest-but-curious. Therefore, searchable encryption (SE) technique which allows cloud clients (including data owner and data user) to securely search over ciphertext through keywords and selectively retrieve files of interest is of prime importance. However, in practice, data user’s access permission always dynamically varies with data owner’s preferences. Moreover, existing SE schemes which are based on attribute-based encryption (ABE) incur heavy computational burden through attribution revocation and policy updating. To allow data owner to flexibly grant access permissions, we design a secure cryptographic primitive called as efficient data owner authorized search over encrypted data scheme through utilizing identity-based encryption (IBE) technique. The formal security analysis proves that our scheme is secure against chosen-plaintext attack (CPA) and chosen-keyword attack (CKA) without random oracle. Besides, empirical experiments over real-world dataset show that our scheme is efficient and feasible with regard to data access control.

Published

2016

12. VMKDO: Verifiable multi-keyword search over encrypted cloud data for dynamic data-owner

Author

Zhiquan Liu, Jianfeng Ma, Fushan Wei, Ximeng Liu, Yinbin Miao, and Limin Shen

Subjects

020203 distributed computing, Cloud computing security, Cryptographic primitive, Database, Computer Networks and Communications, business.industry, Computer science, Dynamic data, Data_MISCELLANEOUS, Data security, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Encryption, Data retrieval, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Cloud storage, Software

Abstract

The advantages of cloud computing encourage individuals and enterprises to outsource their local data storage and computation to cloud server, however, data security and privacy concerns seriously hinder the practicability of cloud storage. Although searchable encryption (SE) technique enables cloud server to provide fundamental encrypted data retrieval services for data-owners, equipping with a result verification mechanism is still of prime importance in practice as semi-trusted cloud server may return incorrect search results. Besides, single keyword search inevitably incurs many irrelevant results which result in waste of bandwidth and computation resources. In this paper, we are among the first to tackle the problems of data-owner updating and result verification simultaneously. To this end, we devise an efficient cryptographic primitive called as verifiable multi-keyword search over encrypted cloud data for dynamic data-owner scheme to protect both data confidentiality and integrity. Rigorous security analysis proves that our scheme is secure against keyword guessing attack (KGA) in standard model. As a further contribution, the empirical experiments over real-world dataset show that our scheme is efficient and feasible in practical applications.

Published

2016

13. VCSE: Verifiable conjunctive keywords search over encrypted data without secure-channel

Author

Fushan Wei, Cunbo Lu, Yinbin Miao, Jianfeng Ma, Xu An Wang, and Zhiquan Liu

Subjects

Security analysis, Service (systems architecture), Cryptographic primitive, Computer Networks and Communications, Computer science, business.industry, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Data integrity, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Verifiable secret sharing, business, computer, Software, Secure channel

Abstract

Data outsourcing service has gained remarkable popularity with considerable amount of enterprises and individuals, as it can relief heavy computation and management burden locally. While in most existing models, honest-but-curious cloud service provider (CSP) may return incorrect results and inevitably give rise to serious security breaches, thus the results verification mechanism should be raised to guarantee data accuracy. Furthermore, the construction of secure-channel incurs heavy cryptographic operations and single keyword search returns many irrelevant results. Along these directions, we further design a significantly more effective and secure cryptographic primitive called as verifiable conjunctive keywords search over encrypted data without secure-channel scheme to assure data integrity and availability. Formal security analysis proves that it can effectively stand against outside keyword-guessing attack. As a further contribution, our actual experiments show that it can admit wide applicability in practice.

Published

2016

14. Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy

Author

Fushan Wei, Shuai Fu, Guangsong Li, Jianfeng Ma, Qi Jiang, and Abdulhameed Alelaiwi

Subjects

Engineering, Data_MISCELLANEOUS, Aerospace Engineering, Ocean Engineering, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, One-time password, Password strength, S/KEY, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, 010301 acoustics, Password, Password policy, business.industry, Applied Mathematics, Mechanical Engineering, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Control and Systems Engineering, Challenge–response authentication, business, computer

Abstract

Due to its high level of security, three-factor authentication combining password, smart card and biometrics has received much interest in the past decades. Recently, Islam proposed a dynamic identity-based three-factor authentication scheme using extended chaotic map which attempts to fulfill three-factor security and resist various known attacks, offering many advantages over existing works. However, in this paper we first show that the process of password verification in the login phase is invalid. Besides this defect, it is also vulnerable to user impersonation attack and off-line password guessing attack, under the condition that the smart card is lost or stolen. Furthermore, it fails to preserve biometric template privacy in the case that the password and the smart card are compromised. To remedy these flaws, we propose a robust three-factor authentication scheme, which not only resists various known attacks, but also provides more desired security features. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic. Our scheme provides high security strength as well as low computational cost.

Published

2015

15. A New Privacy-Aware Handover Authentication Scheme for Wireless Networks

Author

Qi Jiang, Fushan Wei, Chuangui Ma, and Guangsong Li

Subjects

Scheme (programming language), Computer science, Wireless network, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Data_MISCELLANEOUS, Computer security, computer.software_genre, Computer Science Applications, Handover authentication, Electrical and Electronic Engineering, business, computer, Computer network, computer.programming_language

Abstract

A fast handover authentication scheme is essential to seamless services for delay-sensitive applications in wireless networks. User privacy is a notable issue which should be considered in secure communications. This paper proposes a new privacy-aware handover authentication scheme. The proposed scheme achieves user privacy with good performance.

Published

2014

16. m2-ABKS: Attribute-Based Multi-Keyword Search over Encrypted Personal Health Records in Multi-Owner Setting

Author

Fushan Wei, Zhiquan Liu, Yinbin Miao, Jianfeng Ma, Ximeng Liu, and Xu An Wang

Subjects

Security analysis, Cryptographic primitive, business.industry, Computer science, Medicine (miscellaneous), 020206 networking & telecommunications, Health Informatics, Access control, Cloud computing, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Health Information Management, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Confidentiality, Attribute-based encryption, business, Cloud storage, computer, Information Systems

Abstract

Online personal health record (PHR) is more inclined to shift data storage and search operations to cloud server so as to enjoy the elastic resources and lessen computational burden in cloud storage. As multiple patients' data is always stored in the cloud server simultaneously, it is a challenge to guarantee the confidentiality of PHR data and allow data users to search encrypted data in an efficient and privacy-preserving way. To this end, we design a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search via Ciphertext-Policy Attribute-Based Encryption. Formal security analysis proves our scheme is selectively secure against chosen-keyword attack. As a further contribution, we conduct empirical experiments over real-world dataset to show its feasibility and practicality in a broad range of actual scenarios without incurring additional computational burden.

Published

2016

17. An efficient and practical threshold gateway-oriented password-authenticated key exchange protocol in the standard model

Author

Chuangui Ma, Ruijie Zhang, Fushan Wei, Jianfeng Ma, and Xu An Wang

Subjects

TheoryofComputation_MISCELLANEOUS, Challenge-Handshake Authentication Protocol, Password, Otway–Rees protocol, General Computer Science, Computer science, business.industry, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Authentication server, Computer security, computer.software_genre, 01 natural sciences, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 010201 computation theory & mathematics, Server, Authentication protocol, 0202 electrical engineering, electronic engineering, information engineering, business, computer, Key exchange, Computer network

Abstract

With the assistance of an authentication server, a gateway-oriented password-authenticated key exchange (GPAKE) protocol can establish a common session key shared between a client and a gateway. Unfortunately, a GPAKE protocol becomes totally insecure if an adversary can compromise the authentication server and steal the passwords of the clients. In order to provide resilience against adversaries who can hack into the authentication server, we propose a threshold GPAKE protocol and then present its security proof in the standard model based on the hardness of the decisional Diffie-Hellman (DDH) problem. In our proposal, the password is shared among $n$ authentication servers and is secure unless the adversary corrupts more than $t+1$ servers. Our protocol requires $n>3t$ servers to work. Compared with existing threshold PAKE protocols, our protocol maintains both stronger security and greater efficiency.

Published

2016

18. Cryptanalysis and Improvement of an Enhanced Two-Factor User Authentication Scheme in Wireless Sensor Networks

Author

Qi Jiang, Fushan Wei, Jianfeng Ma, Chuangui Ma, and Jian Shen

Subjects

Scheme (programming language), Biometrics, business.industry, Computer science, Key distribution, 020206 networking & telecommunications, 02 engineering and technology, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, law.invention, Control and Systems Engineering, law, Sensor node, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, Electrical and Electronic Engineering, business, Cryptanalysis, Wireless sensor network, computer, computer.programming_language

Abstract

In order to address the scenario in which the user wants to access the real-time data directly from the sensor node in wireless sensor networks (WSNs), Das proposed a two-factor authentication scheme. In 2010, Khan et al. pointed out that Das's scheme has some security flaws and proposed an improved scheme. Recently, Yuan demonstrated that Khan et at.'s improvement is still insure against several attacks. Yuan also proposed an enhanced two-factor user authentication scheme using user's biometrics to fix the security flaws in Khan et al.'s scheme. In this paper, we show that Yuan's scheme still suffers from the stolen smart card attack and the GW-node impersonation attack. Moreover, biometric keys are misused in Yuan's scheme such that even the valid user cannot pass the biometric verification. To remedy these problems, we propose an improved two-factor authenticated key distribution scheme based on fuzzy extractors. Security and performance analysis demonstrates that our scheme is more secure and efficient thanprevious schemes. DOI: http://dx.doi.org/10.5755/j01.itc.45.1.11949

Published

2016

19. m

Author

Yinbin, Miao, Jianfeng, Ma, Ximeng, Liu, Fushan, Wei, Zhiquan, Liu, and Xu An, Wang

Subjects

Electronic Health Records, Humans, Cloud Computing, Algorithms, Computer Security, Confidentiality

Abstract

Online personal health record (PHR) is more inclined to shift data storage and search operations to cloud server so as to enjoy the elastic resources and lessen computational burden in cloud storage. As multiple patients' data is always stored in the cloud server simultaneously, it is a challenge to guarantee the confidentiality of PHR data and allow data users to search encrypted data in an efficient and privacy-preserving way. To this end, we design a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search via Ciphertext-Policy Attribute-Based Encryption. Formal security analysis proves our scheme is selectively secure against chosen-keyword attack. As a further contribution, we conduct empirical experiments over real-world dataset to show its feasibility and practicality in a broad range of actual scenarios without incurring additional computational burden.

Published

2016

20. Two Factor Authenticated Key Exchange Protocol for Wireless Sensor Networks: Formal Model and Secure Construction

Author

Ruijie Zhang, Chuangui Ma, and Fushan Wei

Subjects

Provable security, Computer science, Cryptography, 02 engineering and technology, Oakley protocol, Computer security, computer.software_genre, law.invention, Random oracle, law, 0202 electrical engineering, electronic engineering, information engineering, Password, Authentication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, Computer security model, Authenticated Key Exchange, Key distribution in wireless sensor networks, 020201 artificial intelligence & image processing, Smart card, Cryptanalysis, business, Wireless sensor network, computer, Computer network

Abstract

Two-factor authenticated key exchange (TFAKE) protocols are critical tools for ensuring identity authentication and secure data transmission in wireless sensor networks (WSNs). Until now, numerous TFAKE protocols based on smart cards and passwords are proposed for WSNs. Unfortunately, most of them are found insecure against various attacks. Researchers focus on cryptanalysis of these protocols and then fixing the loopholes. Little attention has been paid to design rationales and formal security models of these protocols. In this paper, we first put forward a formal security model for TFAKE protocols in WSNs. We then present an efficient TFAKE protocol for WSNs without using expensive asymmetric cryptology mechanisms. Our protocol can be proven secure in the random oracle model and achieves user anonymity. Compared with other TFAKE protocols, our protocol is more efficient and enjoys provable security.

Published

2016

21. Improved Anonymous Authentication Scheme with Enhanced Security for Wireless Communications

Author

Cong Liu, Chuangui Ma, and Fushan Wei

Subjects

Scheme (programming language), General Computer Science, Computer science, business.industry, General Mathematics, Anonymous authentication, Wireless, business, Computer security, computer.software_genre, computer, computer.programming_language, Computer network

Published

2012

22. Gateway-oriented password-authenticated key exchange protocol in the standard model

Author

Zhenfeng Zhang, Chuangui Ma, and Fushan Wei

Subjects

Password, Dictionary attack, Computer science, Authentication server, Computer security, computer.software_genre, Random oracle, Authenticated Key Exchange, Hardware and Architecture, Default gateway, Session key, computer, Software, Key exchange, Information Systems, Standard model (cryptography)

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a 3-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. GPAKE protocols are suitable for mobile communication environments such as GSM (Global System for Mobile Communications) and 3GPP (The Third Generation Partnership Project). To date, most of the published protocols for GPAKE have been proven secure in the random oracle model. In this paper, we present the first provably-secure GPAKE protocol in the standard model. It is based on the 2-party password-authenticated key exchange protocol of Jiang and Gong. The protocol is secure under the DDH assumption (without random oracles). Furthermore, it can resist undetectable on-line dictionary attacks. Compared with previous solutions, our protocol achieves stronger security with similar efficiency.

Published

2012

23. Analysis and improvement of a new authenticated group key agreement in a mobile environment

Author

Qingfeng Cheng, Fushan Wei, and Chuangui Ma

Subjects

Key-agreement protocol, Authentication, Otway–Rees protocol, Computer science, business.industry, Mutual authentication, Oakley protocol, Computer security, computer.software_genre, Public-key cryptography, Electrical and Electronic Engineering, Key management, business, computer, Group key

Abstract

In 2009, Lee et al. (Ann Telecommun 64:735–744, 2009) proposed a new authenticated group key agreement protocol for imbalanced wireless networks. Their protocol based on bilinear pairing was proven the security under computational Diffie–Hellman assumption. It remedies the security weakness of Tseng’s nonauthenticated protocol that cannot ensure the validity of the transmitted messages. In this paper, the authors will show that Lee et al.’s authenticated protocol also is insecure. An adversary can impersonate any mobile users to cheat the powerful node. Furthermore, the authors propose an improvement of Lee et al.’s protocol and prove its security in the Manulis et al.’s model. The new protocol can provide mutual authentication and resist ephemeral key compromise attack via binding user’s static private key and ephemeral key.

Published

2010

24. A Secure User Authentication Scheme against Smart-Card Loss Attack for Wireless Sensor Networks Using Symmetric Key Techniques

Author

Chuangui Ma, Fushan Wei, and Lei Chen

Subjects

Password, Password policy, Article Subject, Computer Networks and Communications, business.industry, Computer science, General Engineering, Multi-factor authentication, Computer security, computer.software_genre, lcsh:QA75.5-76.95, Symmetric-key algorithm, Authentication protocol, Network Access Control, Session key, Smart card, lcsh:Electronic computers. Computer science, Challenge–response authentication, business, Wireless sensor network, computer, Data Authentication Algorithm, Computer network

Abstract

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. In order to protect the security of real-time data query from an external user, many two-factor (password and smart-card) user authentication schemes are proposed. However, most of them are insecure against various attacks. This paper summarizes attacks and security requirements for two-factor user authentication in WSNs. Based on security requirements, a user authentication and session key establishment scheme is also proposed, and this scheme can resist smart-card loss attack merely by using symmetric key techniques. Security and performance analysis demonstrate that, compared to the existing schemes, the proposed approach is more secure and highly efficient.

Published

2015

25. mOT+: An Efficient and Secure Identity-Based Diffie-Hellman Protocol over RSA Group

Author

Fushan Wei, Baoping Tian, and Chuangui Ma

Subjects

Diffie–Hellman key exchange, Public-key cryptography, Computer science, business.industry, Forward secrecy, Ephemeral key, Session key, Adversary, Diffie hellman protocol, business, Computer security, computer.software_genre, computer

Abstract

In 2010, Rosario Gennaro et al. revisited the old and elegant Okamoto-Tanaka scheme and presented a variant of it called mOT. However the compromise of ephemeral private key will lead to the leakage of the session key and the user's static private key. In this paper, we propose an improved version of mOTdenoted as mOT+. Moreover, based on RSA assumption and CDH assumption we provide a tight and intuitive security reduction in the id-eCK model. Without any extra computational cost, mOT+ achieves security in the id-eCK model, and furthermore it also meets full perfect forward secrecy against active adversary.

Published

2015

26. A Lightweight Anonymous Authentication Protocol Using k-Pseudonym Set in Wireless Networks

Author

Jianfeng Ma, Fushan Wei, Xinghua Li, Hai Liu, and Weidong Yang

Subjects

Challenge-Handshake Authentication Protocol, Authentication, business.industry, Computer science, Email authentication, Shared secret, Multi-factor authentication, Computer security, computer.software_genre, Authentication server, Chip Authentication Program, Public-key cryptography, Attack model, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, Challenge–response authentication, business, computer, Data Authentication Algorithm, Computer network

Abstract

In recent years, since people pay more and more attention to the protection of their privacy, anonymous authentication in wireless networks has become a hot topic. Currently, most anonymous authentication schemes are based on the asymmetric keys whose tedious computation leads to serious resource consumption, therefore, they are unsuitable for mobile devices with limited capacity. To solve this problem, by introducing the k-pseudonym set we propose an anonymous authentication protocol based on a shared secret key. In the authentication process, the user sends the k- pseudonym set which includes his real identity and other k-1 pseudonyms. After the authentication server traversals the shared keys with each of the users in the set and verifies the authentication information, it can determine the real user and complete the authentication. In this methodology, the construction of the pseudonym set is a key issue, and we give two attack models and respectively present the construction methods of the k-pseudonym set under those two models. Compared with the existing schemes, our scheme outperforms them in the security and practicality. Especially, user untractability can be realized. A testbed is set up and extensive experiments are conducted, and the results show the authentication latency of our scheme is short and it changes a little with the increase of k.

Published

2014

27. Gateway-Oriented Password-Authenticated Key Exchange Based on Chameleon Hash Function

Author

Fushan Wei, Chuangui Ma, and Fengxiu Gao

Subjects

Dictionary attack, Network security, Computer science, Hash function, Computer security, computer.software_genre, Authentication server, One-time password, S/KEY, Default gateway, Session key, Password, Authentication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Cryptographic protocol, Hash-based message authentication code, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, Hash chain, Challenge–response authentication, Semantic security, business, computer, Computer network

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. Besides the semantic security of the session key, the desirable security properties of a GPAKE protocol also include password protection with respect to malicious gateways and key privacy with respect to honest-but-curious authentication servers. Unfortunately, previous solutions are suspectable to undetectable on-line dictionary attacks by a malicious gateway. To overcome this shortcoming, we propose a GPAKE protocol based on chameleon hash function in this paper. By the merit of chameleon hash function, the authentication server can distinguish an honest authentication request by a client from an on-line impersonation attack by a malicious gateway. The proposed protocol is secure against undetectable on-line dictionary attacks. In addition, it is as efficient as previous solutions.

Published

2012

28. Gateway-Oriented Password-Authenticated Key Exchange Protocol with Stronger Security

Author

Chuangui Ma, Fushan Wei, and Zhenfeng Zhang

Subjects

Password, Authenticated Key Exchange, Authentication, Dictionary attack, Computer science, Default gateway, Session key, Computer security model, Computer security, computer.software_genre, Authentication server, computer

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. To date, most of the published GPAKE protocols have been subjected to undetectable on-line dictionary attacks. The security models for GPAKE are not strong enough to capture such attacks. In this paper, we define a new security model for GPAKE, which is stronger than previous models and captures desirable security requirement of GPAKE. We also propose an efficient GPAKE protocol and prove its security under the DDH assumption in our model. Our scheme assumes no preestablished secure channels between the gateways and the server unlike previous schemes, but just authenticated channels between them. Compared with related schemes, our protocol achieves both higher efficiency and stronger security.

Published

2011

29. Multi-Factor Authenticated Key Exchange Protocol in the Three-Party Setting

Author

Ying Liu, Fushan Wei, and Chuangui Ma

Subjects

Password, Authenticated Key Exchange, Protocol (science), Authentication, Biometrics, Computer science, Factor (programming language), Challenge–response authentication, Computer security, computer.software_genre, computer, computer.programming_language, Random oracle

Abstract

A great deal of authenticated key exchange (AKE) protocols have been proposed in recent years. Most of them were based on 1-factor authentication. In order to increase the security for AKE protocols, various authentication means can be used together. In fact, the existing multi-factor AKE protocols provide an authenticated key exchange only between a client and a server. This paper presents a new multifactor AKE protocol in the three-party settings (3MFAKE), in which the authentication means combine a password, a secure device, and biometric authentications. We also prove the security of the protocol in the random oracle model.

Published

2011

30. Formal Analysis and Improvement of Two-Factor Authenticated Key Exchange Protocol

Author

Fushan Wei, Ying Liu, and Chuangui Ma

Subjects

Password, Password policy, Encrypted key exchange, Zero-knowledge password proof, business.industry, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, business, computer, Computer network

Abstract

Many two-factor authenticated key exchange protocols have been proposed, and the common ones are based on a secure device and a user's password. But most of them do not use the one-time password system. In one-time password systems, users have many passowrds and use each password only once. This paper presents a new two-factor authenticated key exchange protocol using one-time passwords and a secure device, which achieves mutual authentication, session key agreement, and resistance to phishing attacks. This paper also gives a formal proof for security of the protocol.

Published

2010

31. An Efficient Password Authenticated Key Exchange Protocol with Bilinear Parings

Author

Chuangui Ma, Fushan Wei, Shumin Chen, and Xiaofei Ding

Subjects

Password, Zero-knowledge password proof, Computer science, business.industry, Bilinear interpolation, Computer security, computer.software_genre, Password strength, Random oracle, Authenticated Key Exchange, Forward secrecy, business, Protocol (object-oriented programming), computer, Computer network

Abstract

In recent years, many password authenticated key exchange (PAKE) protocols have been proposed. However, many of them have been broken or have no security proof. In this paper, we propose an efficient password authenticated key exchange protocol using bilinear pairings. Compared with previous PAKE protocol using bilinear pairings, our protocol is quite efficient both in communication cost and computational cost. Moreover, this paper proves that the novel protocol is forward secrecy under the Bilinear Diffie-Hellman (BDH) assumption in the random oracle model.

Published

2009

32. Anonymous gateway-oriented password-based authenticated key exchange based on RSA

Author

Fushan Wei, Qingfeng Cheng, and Chuangui Ma

Subjects

Password, Dictionary attack, Computer science, Computer Networks and Communications, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Gateway (computer program), Computer security, computer.software_genre, Authentication server, Random oracle, Computer Science Applications, Authenticated Key Exchange, Default gateway, Signal Processing, Session key, computer, Key exchange, Anonymity

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. To date, most of the published protocols for GPAKE have been based on Diffie-Hellman key exchange. In this article, we present the first GPAKE protocol based on RSA, then prove its security in the random oracle model under the RSA assumption. Furthermore, our protocol can resist both e-residue and undetectable on-line dictionary attacks. Finally, we investigate whether or not a GPAKE protocol can achieve both client anonymity and resistance against undetectable on-line dictionary attacks by a malicious gateway. We provide an affirmative answer by adding client anonymity with respect to the server. Preprint submitted to EURASIP JWCN October 16, 2011 to our basic protocol.