Computer science
Computer security
Password
Forward secrecy
Authentication (law)
Cloud computing
Scheme (mathematics)
Challenge-response authentication
Confidentiality
Authentication protocol
One-time password
Key (lock)
Encryption
Public-key cryptography
Operating system
Mathematical analysis
Mathematics
Authors
Meijia Xu,Ding Wang,Qingxuan Wang,Qiaowen Jia
Identifier
DOI:10.1016/j.sysarc.2021.102206
Abstract
Currently, password-based remote authentication has become an essential mechanism for ensuring that users access the resources of a cloud server securely. Dozens of password-based multi-factor authentication schemes have been proposed in recent years. Unfortunately, most of them are vulnerable to various known attacks. The key to designing a secure and privacy-preserving authentication scheme is to draw lessons from the security failures of existing schemes. In this work, we investigate three anonymous password-based multi-factor authentication schemes for cloud environments (i.e., Karuppiah et al.'s scheme at MONET'19, Lin's scheme at IEEE Syst J'19, and Rajamanickam et al.'s scheme at IEEE Syst J'20), and demonstrate that all three suffer from off-line guessing attacks and lack an important property (i.e., forward secrecy). We also propose several effective countermeasures to remedy these weaknesses. Our analysis shows that none of these three protocols achieves its security goals. Furthermore, we summarize the causes of the flaws and reveal that the vulnerabilities of these schemes stem from violating the basic design principles for a secure protocol (e.g., Ma et al.'s principles at IJCS'14). In addition, we investigate whether dozens of recently proposed schemes follow the design principles of Ma et al.