Short Papers
On the Security of a Privacy-Aware Authentication Scheme for Distributed
Mobile Cloud Computing Services
Qi Jiang, Jianfeng Ma, and Fushan Wei
Abstract—Recently, Tsai and Lo proposed a privacy aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we first identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the problem of biometrics misuse, wrong password, and fingerprint login, no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

Index Terms—Authentication, bilinear pairing, mobile cloud computing, security, user anonymity, user untraceability.

I. INTRODUCTION

privacy aware authentication scheme which enables users to access various services from distinct service providers by using only one single private key or password. Apart from these issues, mobile devices are relatively limited in computing capability and power compared with desktop computers, the scheme should be efficient in terms of computing. More desirably, the trusted third party, involved in user registration and service provider registration, is not required to participate in each user authentication session.

Most authentication protocols [3]–[6], which are designed for single server environment, are not suitable for distributed services environment in which multiple servers offer a plethora of services. Although traditional single sign-on (SSO) schemes such as Passport [7] and OpenID [8] are possible solutions to address this issue, these schemes require the trusted third party to participate in each user authentica-
1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
2040 IEEE SYSTEMS JOURNAL, VOL. 12, NO. 2, JUNE 2018
[3] H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in Proc. Cloud Comput., 2009, pp. 157–166.
[4] Q. Jiang, M. K. Khan, X. Lu, J. Ma, and D. He, “A privacy preserving three-factor authentication protocol for e-health clouds,” J. Supercomput., 2016. DOI: 10.1007/s11227-015-1610-x.
[5] D. He, S. Zeadally, N. Kumar, and J.-H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Syst. J., vol. 11, no. 4, pp. 2590–2601, Dec. 2017.
[6] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks,” Peer-to-Peer Netw. Appl., vol. 8, no. 6, pp. 1070–1081, 2015.
[7] Microsoft, Windows Live ID. (2011). [Online]. Available: https://account.live.com/.
[8] OpenID Foundation, OpenID Authentication 2.0. (2007). [Online]. Available: http://openid.net/specs/openid-authentication-2_0.html
[9] J. L. Tsai and N. W. Lo, “A privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Syst. J., vol. 9, no. 3, pp. 805–815, Sep. 2015.
[10] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Proc. Adv. Cryptol., 2001, vol. 2139, pp. 213–229.
[11] K. Lauter, “The advantages of elliptic curve cryptography for wireless security,” IEEE Wireless Commun., vol. 11, no. 1, pp. 62–67, Feb. 2004.
[12] D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Syst. J., vol. 12, no. 1, pp. 64–73, Mar. 2018.
[13] B. S. Abhilasha, S. Anna, and M. Shimon, “Privacy preserving multi-factor authentication with biometrics,” J. Comput. Security, vol. 15, no. 5, pp. 529–560, 2007.
[14] D. He, N. Kumar, J.-H. Lee, and R. Sherratt, “Enhanced three-factor security protocol for USB consumer storage devices,” IEEE Trans. Consum. Electron., vol. 60, no. 1, pp. 30–37, Feb. 2014.
[15] D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Syst. J., vol. 9, no. 3, pp. 816–823, Sep. 2015.
[16] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-based multi-server authentication protocol using smart cards,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 9, pp. 1953–1966, Sep. 2015.
[17] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, “A generic framework for three-factor authentication: Preserving security and privacy in distributed systems,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 8, pp. 1390–1397, Aug. 2011.
[18] Q. Jiang et al., “Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy,” Nonlinear Dyn., vol. 83, no. 4, pp. 2085–2101, 2016.
[19] J. Yu, G. Wang, Y. Mu, and W. Gao, “An efficient and improved generic framework for three-factor authentication with provably secure instantiation,” IEEE Trans. Inf. Forensics Security, vol. 9, no. 12, pp. 2302–2313, Dec. 2014.
[20] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in Proc. Adv. Cryptol., 2004, pp. 523–540.
[21] A. Juels and M. Sudan, “A fuzzy vault scheme,” in Proc. Int. Symp. Inf. Theory, 2002, p. 408.
[22] T. C. Clancy, “Secure smartcard-based fingerprint authentication,” in Proc. ACM Workshop Biometrics: Methods Appl., 2003, pp. 45–52.
[23] D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment,” IEEE Trans. Dependable Secure Comput., vol. 12, no. 4, pp. 428–442, Jul./Aug. 2015.
[24] D. Wang and P. Wang, “On the usability of two-factor authentication,” in Proc. 10th Int. Conf. Security Privacy Commun. Netw., Sep. 24–26, 2014, pp. 141–150.