Research On Password-based Multi-factor User Authentication Protocols

Posted on: 2021-04-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Y Wang
Full Text: PDF
GTID: 1368330605981230
Subject: Information security
Abstract/Summary:
The rapid development of mobile networks and the Internet of Things has brought profound changes to our lives, and has also brought new challenges to traditional information processing and privacy-preserving technologies. User authentication is the first line of defense in ensuring the security of information systems. How to verify users' identities is the key issue that must be solved first to ensure secure, real-time communication in a mobile environment. Due to the convenience and ease of deployment of passwords, passwords will remain one of the main authentication factors for user authentication in the foreseeable future. In this setting, password-based multi-factor user authentication schemes have attracted much attention. However, the threat model and security requirements of traditional multi-factor user authentication protocols are too simple to apply to the constantly developing and changing network environment. Therefore, the design of secure multi-factor authentication protocols under new network environments and security requirements has become an important topic in the field of security protocols.

In this paper, we aim to design secure and efficient password-based multi-factor remote user authentication protocols. On the one hand, we investigate multi-factor user authentication protocols under three typical environments: user authentication protocols for the mobile Internet; user authentication protocols for wireless sensor networks; and user authentication protocols for the cloud-assisted Internet of Things. On the other hand, we analyze the two most prevalent attacks on multi-factor user authentication protocols, namely, offline dictionary attacks and node capture attacks. In summary, the main contributions of this paper are as follows:

(1) We point out the security threats in multi-factor authentication protocols for the client-server service model, and propose two secure anonymous multi-factor authentication protocols. We identify the security threats and their essential causes in single-server and multi-server user authentication protocols, using the schemes of Maitra et al. (2016 IJCS) and Maitra et al. (2016 SCN) as case studies, respectively. Then, based on the RSA public-key algorithm, we design a secure multi-factor authentication protocol for the single-server environment; and based on the elliptic curve computational Diffie-Hellman problem, we propose a security-enhanced two-factor user authentication protocol for multi-server environments.

(2) We point out the security threats in multi-factor authentication protocols for wireless sensor networks (WSNs), and propose a secure and efficient multi-factor authentication protocol with forward secrecy. First, we show that Park et al.'s protocol cannot resist internal attacks, offline dictionary attacks, and so on. Second, we discuss which public-key cryptographic algorithm is suitable for authentication protocols for WSNs, explore how to meet the security requirements of protocols for WSNs, design a secure multi-factor authentication protocol for a single-gateway wireless sensor network, and prove its security in the random oracle model. Compared with related public-key-algorithm-based protocols, the security of our proposed protocol is superior to that of other schemes, and its performance is comparable to theirs. In addition, we discuss how to extend the single-gateway authentication protocol to multiple gateways.

(3) We point out that most user authentication protocols for the cloud-assisted Internet of Things (IoT) environment have many weaknesses. We therefore propose a secure and efficient three-factor user authentication protocol for cloud-assisted IoT. First, we identify the common weaknesses in most user authentication protocols for cloud-assisted IoT. Then, we propose a secure protocol based on an elliptic curve cryptosystem. The results of the security analysis and the comparison with other related schemes show that our protocol meets all security requirements and has better performance.

(4) We propose a secure protocol design framework for designing authentication protocols that are resistant to offline dictionary attacks. Because the definition of offline dictionary guessing attacks in academia is vague, protocol designers often cannot accurately apply the existing solutions to deal with these attacks. Therefore, we divide offline dictionary guessing attacks into two categories from the perspective of protocol designers, and propose a method to deal with each type of attack, drawing on existing academic research results. In addition, we study how to use public-key algorithms to counter offline dictionary guessing attacks, and present a secure protocol design framework.

(5) For the first time, we make a comprehensive analysis of node capture attacks against user authentication protocols, and improve the existing evaluation criteria. Based on an analysis of nearly 90 remote user authentication protocols for wireless sensor networks, we find that only three protocols can resist node capture attacks. Evidently, protocol designers are often powerless in the face of node capture attacks. Therefore, we systematically analyze node capture attacks in terms of their causes and consequences, divide the attacks into ten categories, and then propose countermeasures. It is worth noting that, because node capture attacks have long been neglected, the existing evaluation criteria have inherent flaws that exclude a realistic attack scenario. In fact, this is also an important reason why most current protocols are not assessed well. Therefore, this paper further improves the existing evaluation criteria.
Keywords/Search Tags:Password, Multi-factor user authentication, Sensor node capture attacks, Offline dictionary attacks