An Efficient and Transparent One-Time Authentication Protocol with Non-interactive Key Scheduling and Update

Authentication protocols prevent resources to be accessed by unauthorized users. Password authentication is one of the simplest and most convenient authentication mechanism over insecure networks and, in particular, the one-time authentication mechanism, in which the password is valid only for one login session or transaction are a good compromise between simplicity of use and security. Nowadays many of such protocols have been proposed to implement that type of authentication. However, most of them have several drawbacks because they are characterized by considerable overhead in the Key Setup, Key Scheduling and Key Update phases. In addition, they are often vulnerable to several known attacks and are not particularly suitable to be used by mobile terminals. Furthermore, they often rely on smart-card and other hardware tokens, thus requiring an active participation by the user. In this paper, we present a robust one-time authentication protocol, based on two cryptographically strong building blocks, namely, the Authenticated Key Exchange key exchange and the keyed Hash Message Authentication Code (HMAC), that provides several advantages with respect to most of the available solutions at the state of the art. First, it enables transparent mutual authentication between two endpoints. Moreover, Key Setup, Key Scheduling and Key Update operations are accomplished independently by both endpoints, without requiring any interaction among them, thus ensuring the fully independence by any Trusted Third Party. Finally, the proposed protocol is cryptographically secure, under standard assumptions against most of the already known OTP attacks.

[1]  Xiaomin Wang,et al.  Security Improvement on the Timestamp-based Password Authentication Scheme Using Smart Cards , 2006, 2006 IEEE International Conference on Engineering of Intelligent Systems.

[2]  Shiuh-Pyng Shieh,et al.  Password authentication schemes with smart cards , 1999, Comput. Secur..

[3]  Tzong-Chen Wu,et al.  Remote login authentication scheme based on a geometric approach , 1995, Comput. Commun..

[4]  Hung-Yu Chien,et al.  An Efficient and Practical Solution to Remote Authentication: Smart Card , 2002, Comput. Secur..

[5]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[6]  Yang Yang Broadcast encryption based non-interactive key distribution in MANETs , 2014, J. Comput. Syst. Sci..

[7]  Aviel D. Rubin Independent One-Time Passwords , 1996, Comput. Syst..

[8]  Kouichi Sakurai,et al.  A design of Diffie-Hellman based key exchange using one-time ID in pre-shared key model , 2004, 18th International Conference on Advanced Information Networking and Applications, 2004. AINA 2004..

[9]  Cheng-Chi Lee,et al.  An Improvement of SPLICE/AS in WIDE against Guessing Attack , 2001, Informatica.

[10]  Min-Shiang Hwang,et al.  Cryptanalysis of a remote login authentication scheme , 1999, Comput. Commun..

[11]  Jing-Jang Hwang,et al.  A Secure One-Time Password Authentication Scheme Using Smart Cards , 2002 .

[12]  Matu-Tarow Noda,et al.  Simple and Secure Password Authentication Protocol (SAS) , 2000 .

[13]  Huan Guo Zhang,et al.  Cryptanalysis of a Remote User Authentication Scheme , 2013 .

[14]  Min-Shiang Hwang,et al.  Security enhancement for the timestamp-based password authentication scheme using smart cards , 2003, Comput. Secur..

[15]  Cheng-Chi Lee,et al.  A simple remote user authentication scheme , 2002 .

[16]  M. Bellare,et al.  HMAC: Keyed-Hashing for Message Authentication, RFC 2104 , 2000 .

[17]  Hung-Min Sun,et al.  Attacks and Solutions on Strong-Password Authentication , 2001 .

[18]  Chin-Chen Chang,et al.  Remote password authentication with smart cards , 1991 .

[19]  Guido Bertoni,et al.  Keccak sponge function family main document , 2009 .

[20]  Donald E. Eastlake,et al.  US Secure Hash Algorithm 1 (SHA1) , 2001, RFC.

[21]  Akihiro Shimizu,et al.  A dynamic password authentication method using a one-way function , 1991, Systems and Computers in Japan.

[22]  Bin Wang,et al.  Cryptanalysis of an enhanced timestamp-based password authentication scheme , 2003, Comput. Secur..

[23]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.

[24]  Cheng-Chi Lee,et al.  Password Authentication Schemes: Current Status and Key Issues , 2006, Int. J. Netw. Secur..

[25]  Neil Haller,et al.  The S/KEY One-Time Password System , 1995, RFC.

[26]  Chris J. Mitchell,et al.  Comments on the S/KEY user authentication scheme , 1996, OPSR.

[27]  Sung-Ming Yen,et al.  Shared Authentication Token Secure Against Replay and Weak Key Attacks , 1997, Inf. Process. Lett..

[28]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[29]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[30]  Yu-Yi Chen,et al.  "Paramita wisdom" password authentication scheme without verification tables , 1998, J. Syst. Softw..

[31]  Chin-Chen Chang,et al.  A secure one-time password authentication scheme with low-computation for mobile communications , 2004, OPSR.

[32]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..

[33]  K. Okayama,et al.  Design and implementation of an authentication system in WIDE Internet environment , 1990, IEEE TENCON'90: 1990 IEEE Region 10 Conference on Computer and Communication Systems. Conference Proceedings.

[34]  Shengmei Zhao,et al.  A novel one-time password mutual authentication scheme on sharing renewed finite random sub-passwords , 2013, J. Comput. Syst. Sci..

[35]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.