Abstract: We show that a number of recent definitions and constructions of fuzzy extractors are not adequate for multiple uses of the same fuzzy secret---a major shortcoming in the case of biometric applications. We propose two particularly stringent security models that specifically address the case of fuzzy secret reuse, respectively from an outsider and an insider perspective, in what we call a chosen perturbation attack. We characterize the conditions that fuzzy extractors need to satisfy to be secure, and present generic constructions from ordinary building blocks. As an illustration, we demonstrate how to use a biometric secret in a remote fuzzy authentication protocol that does not require any storage on the client's side.

Abstract: Recently, Chien et al. proposed an efficient remote authentication scheme using smart cards. However, we find that their scheme is vulnerable to a reflection attack and an insider attack. In addition, their scheme lacks reparability. Herein, we first show the weaknesses of Chien et al.'s scheme, and then propose an improved scheme with better security strength.

Abstract: Digital multimedia is ubiquitous today. Multimedia is easily reproduced and modified without any trace of manipulations. In most cases, a human will not be able to judge whether a multimedia signal is authentic by perceptual inspection. In this article we provide a compact yet fairly comprehensive introduction of multimedia authentication (MA) to the general signal processing audience. The article gives a brief discussion on the different MA technologies such as hard authentication, soft authentication, quality-based authentication, content-based authentication, block authentication, and lossless watermarking.

Abstract: With the rapid growth of computer networks and communication technologies, more and more computers are linked together such that facilities can be shared through the networks However, most resources provided by the servers over the Internet are not free for all users Therefore, providers of the facilities have to make resources under appropriate protection The password authentication schemes are usually regarded as the most efficient and practical ones to protect the resources of the remote servers Nevertheless, most of the proposed password schemes are only designed for the single-server environment, the user who wants to access from the different servers needs to register many times In 2004, Juang proposed an authentication scheme for multiserver architecture However, Juang's scheme lacks efficiency In this article, we propose a more efficient and secure authentication scheme for multiserver architecture such that it can be applied in the real world

Abstract: Improving authentication delay is a key issue for achieving seamless handovers across networks and domains. This paper presents an overview of fast authentication methods when roaming within or across IEEE 802.11 Wireless-LANs. Besides this overview, the paper analyses the applicability of IEEE 802.11f and Seamoby solutions to enable fast authentication for inter-domain handovers. The paper proposes a number of possible changes to these solutions (typically in terms of network architectures and/or required trust relationships) for inter-domain operation. In addition, the paper identifies the crucial research issues therein. Possible solutions and directions for future research include: update to security infrastructure, inter-layer communication and discovery of appropriate networks.

Abstract: User authentication processing is executed and an authentication session ID is returned to a terminal (500) (A14). An authentication server (600) issues/holds an authentication ticket (A17). The authentication ticket and the authentication session are returned to the terminal (500) (A18). A user (100) transmits a request for providing a service and the authentication ticket to a service providing company server (700) and the service providing company server (700) transmits the authentication ticket to an authentication server (600) (A20). The authentication server (600) performs authentication processing of the authentication ticket (A21) and the authentication result is reported (A22). In case of authentication permission, a notification for permission and a service session ID are issued (A23). When the notification of the authentication permission is received, the terminal (500) establishes a session by using the service session ID received and holds the service session ID (A27).

Abstract: There is provided a device authentication system capable of effectively authenticating devices by using a common key method. When a CE device requests for service provision from a service server, the service server requests the CE device to perform a device authentication in the device authentication server. Upon reception of this request, the CE device requests the device authentication server to perform a device authentication and transmits the device authentication result to the service server. The service server receives the device authentication result from the CE device and if the device authentication server has confirmed that this is the one performed by the device authentication server, the service server starts service provision. The CE device and the device authentication server share a pass phrase. The CE device and the device authentication server mutually perform authentication by checking whether the partner has the pass phrase.

Abstract: Systems, computer program products and methods for authentication using a one-time password. In system that includes a client, a service provider, and an authentication service, the authentication service generates an authentication service identifier for the client. Any suitable identifier may be used for the authentication service identifier, which generally takes the form of an arbitrary number of characters. From the client, the authentication service receives a client moniker (e.g., a username) for the client to use when accessing the authentication service. The authentication service sends a one-time password to the client for the client to use in accessing the service provider. When the authentication service receives a one-time password from the service provider, the authentication service sends the authentication service identifier for the client to the service provider to authenticate the client if the one-time password received from the service provider matches the one-time password sent to the client.

Abstract: This article presents a novel approach of a cryptographic authentication protocol for radio frequency identification (RFID) smart tags. RFID smart tags are microchips which can be attached to products in order to allow their contactless identification via radio frequency. Cryptographic authentication is necessary to provide security for products like branded goods or immobilizer systems in cars. However, existing protocols do not include cryptographic authentication mechanisms. Therefore, a new approach for authentication is presented in this paper. Due to the limited computing power, die-size, and low-power restrictions, a two-way challenge-response authentication scheme is proposed. Packet and frame formats extend the existing RFID protocol which is defined in the ISO/IEC 18000 standard (International Organization for Standardization, March 2003). The analysis of the authentication mechanism was done using Java models at different abstraction levels. The hardware implementation of the tag was realized in VHDL using a customized embedded microcontroller.

Abstract: This paper investigates the use of unique finger traces, or doodles, as a means of authentication in a pervasive environment. Velocity here is investigated as means to uniquely identify a doodle. A blurred distribution grid created from combined training samples and the variance across this grid is also used for recognition. These three systems used together have produced accurate results for a population of ten users. The research presented here may have applications to hand writing and drawing recognition as well. 1 Lightweight Authentication Mechanisms New demands of authentication today are simplicity and effortlessness. Biometric technologies offer a partial solution but are be too robust for the relatively small issues such as personalization. Privacy concerns and trust also inhibit public acceptance due to the inextricable ties of biometric imprinting. The remainder of this paper discusses the design and implementation of a lightweight “passdoodle” system where a unique finger trace or doodle is used to quickly identify users in an integrated intelligent (or pervasive) computing environment. 1

Abstract: Many real-world applications use credentials such as passwords as means of user authentication. When accessed from untrusted public terminals, such applications are vulnerable to credential sniffing attacks, as shown by recent highly publicized compromises. In this paper, we describe a secure remote terminal application that allows users possessing a trusted device to delegate their credentials for performing a task to a public terminal without being in danger of disclosing any long-term secrets. Instead, the user gives the terminal the capability of performing a task temporarily (as long as the user is in its proximity). Our model is intuitive in the sense that the user exposes to the untrusted terminal only what he sees on the display, and nothing else. We present the design and implementation of such a system. The overhead - in terms of additional network traffic - created by introducing a trusted third party is a moderate 12%.

Abstract: In 1981, Lamport introduced a remote password authentication scheme using a password table. In 2000, Hwang and Li proposed a remote user authentication scheme using smart cards to solve the problems of Lamport scheme. First, Chan-Chang, Shen-Lin-Hwang and then Chang-Hwang pointed out some attacks on Hwang-Li's scheme. Shen-Lin-Hwang also proposed a modified scheme. In 2003, Leung-Cheng-Fong-Chan showed that a modified scheme proposed by Shen-Lin-Hwang is still vulnerable to all previous attacks. This paper presents a new remote user authentication scheme. This scheme is secure against Chan-Cheng and all the extended attacks.

Abstract: The idea of the present invention is to replace the existing password/user ID based authentication process by a new digital signature authentication process in which preferably the first HTTP-request header is extended by the client authentication information independently of the authentication process used by the destination server and without server requesting authentication information. The authentication information preferably includes the client certificate containing the client public key, signed by certification authority, and preferably a hash value calculated over the HTTP-request header data being sent in the request, and encrypted with the Client's private key. The certificate and digital signature may be added during the creation of the HTTP-request header in the client system itself, or may be added later in a server acting as a gateway, proxy, or tunnel. A destination server that does not support the new digital signature authentication process will simply ignore the certificate and digital signature in the HTTP-request header and will automatically initiate its own authentication process. The present invention simplifies the existing digital signature authentication process and concurrently allows the coexistence of different authentication processes without changing the HTTP-protocol or causing unnecessary network traffic.

Abstract: A Chip Authentication Program based on 3-D Secure protocols is provided for authenticating customers' (180) on-line transactions. An issuer, who may be a payment card issuer, operates Access Control and Authentication Request Servers (120) for authenticating transactions by individual customers (180) who are identified by their personal EMV-complaint smart cards (170). An authentication token is generated at the point of interaction (POI) for each transaction based on information from the customer's smart card (170) and transaction specific information sent directly by the issuer to populate a web page at the POI. Authentication tokens generated at the POI are evaluated by the Authentication Request Server (120) to authenticate individual customer and/or card presence at the transaction POI. Authentication values are transported on-line in designated Universal Cardholder Authentication Fields consistent with 3-D Secure protocols.

Abstract: A first identity credential (for example, a username and password), in conjunction with a second identity credential (for example, a token identifier and a token-generated password) verified by an authentication provider, permits access to a protected resource (for example, a bank account) maintained by a service provider (for example, a bank) where the service provider is a separate entity from the authentication provider. Such separation of the service provider from the authentication provider allows multiple service providers to use the same authentication provider such that subscribers of services from multiple service providers may register a single authentication provider, and thus use a single method to produce the second identity credential. An authentication provider provides a common validation service to a plurality of unrelated service providers. An electronic user interface and a key-chain token for carrying out the authentication process are also disclosed.

Abstract: A user authentication method is applicable to an image forming apparatus connectable via a network to an authentication apparatus that performs authentication of a user and including authentication set information that sets whether to perform authentication in the authentication apparatus. The user authentication method includes: a user authentication information obtaining step of obtaining user authentication information for performing authentication of the user; an authentication party determination step of determining whether to perform authentication of the user in the authentication apparatus or in the image forming apparatus based on the authentication set information; an authentication step of performing authentication of the user in an authentication party determined in the authentication party determination step by using the user authentication information; an authentication result obtaining step of obtaining a result of the authentication in the authentication step; and an authentication result specifying step of specifying the obtained authentication result to the user.

Abstract: We study a general version of the multicast authentication problem where the underlying network, controlled by an adversary, may drop chosen packets, rearrange the order of the packets in an arbitrary way, and inject new packets into the transmitted stream. Prior work on the problem has focused on less general models, where random, rather than adversarially-selected packets may be dropped and altered, or no additional packets may be injected into the stream. We describe an efficient and scalable authentication scheme that is based on a novel combination of error-correcting codes with standard cryptographic primitives. We prove the security of our scheme and analyze its performance in terms of the computational effort at the sender and receiver and the communication overhead. We also discuss specific design and implementation choices and compare our scheme with previously proposed approaches.

Abstract: An apparatus, system, and method are disclosed for facilitating authenticated communication between authentication realms. The present invention includes an authentication gateway configured to authenticate a principal using a first authentication protocol. The first authentication protocol may be one of a variety of authentication protocols. A generator in communication with the authentication gateway generates a foreign realm authentication token that is compatible with a second authentication protocol and configured for inter-realm communication. A foreign realm authentication module then authenticates the principal to access services of a foreign realm using the foreign realm authentication token. The authentication is performed by the foreign realm authentication module in accordance with the second authentication protocol. The first authentication protocol may be a non-Kerberos protocol and the second authentication protocol may be a Kerberos protocol.

Abstract: We present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is, hence, in the scope of current automated proof tools. We achieve this by exploiting a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.

Abstract: A mobile terminal transmits an N-th authentication key to an authentication server when the mobile terminal has moved from a coverage area under a certain radio access point to a coverage area under another radio access point. The N-th authentication key is generated by applying a hash function to a random number a number of times one smaller than an (N−1)th authentication key which was transmitted when the mobile terminal moved to the coverage area under the certain radio access point. Upon receipt of the N-th authentication key from the mobile terminal, the authentication server applies the hash function once to the N-th authentication key, and compares the result with the (N−1)th authentication key. Then, the authentication server determines that the authentication is successful when there is a match between both keys.

Abstract: Exemplary embodiments provide a license-authentication functioned output system which enables data protection positive and enhances and/or improves a user's convenience, further being suited to reduce processing load. A printer receives document data and a user ID and sends design resource-data authentication information and the user ID included in the document data, together with an authentication request, to a data authentication server. When a use-permitting information is received, it prints a design resource within a use-permitted scope depending upon the use-permitting information and design resource data. A data authentication server searches through a license information register table on the basis of the authentication information and reads out license information concerned. The data authentification server decides whether or not the received user ID is included in the license information. When it is decided that the user ID is included, the use-permitting information included in the license information is sent to the printer.

Abstract: A system and method for automatically selecting a procedure for resetting an authentication data, such as a password, a PIN, a secret key, or a private key, according to the value of the user data protected by the authentication data and/or the likelihood for the user to forget or otherwise lose the authentication data. The user's preference is also considered in selecting the procedure for resetting the authentication data.

Abstract: As part of a network node authentication process, a MAC address or other globally unique identifier of an access point through which the network node will access a computer network is transmitted in an EAP or other authentication message to an authentication server to uniquely identify the access point to the authentication server

Abstract: CorSSO is a distributed service for authentication in networks. It allows application servers to delegate client identity checking to combinations of authentication servers that reside in separate administrative domains. CorSSO authentication policies enable the system to tolerate expected classes of attacks and failures. A novel partitioning of the work associated with authentication of principals means that the system scales well with increases in the numbers of users and services.