TL;DR: This letter presents a two-factor user authentication protocol for WSN, which provides strong authentication, session key establishment, and achieves efficiency.
Abstract: Wireless sensor networks (WSN) are typically deployed in an unattended environment, where legitimate users can log in to the network and access data as and when demanded. Consequently, user authentication is a primary concern in this resource-constrained environment before accessing data from the sensor/gateway nodes. In this letter, we present a two-factor user authentication protocol for WSN, which provides strong authentication, session key establishment, and achieves efficiency.
TL;DR: The protocol is the first universal scheme which detects a cheating server, as well as the first protocol which does not require any quantum computation whatsoever on the client's side.
Abstract: We present a protocol which allows a client to have a server carry out a quantum computation for her such that the client's inputs, outputs and computation remain perfectly private, and where she does not require any quantum computational power or memory. The client only needs to be able to prepare single qubits randomly chosen from a finite set and send them to the server, who has the balance of the required quantum computational resources. Our protocol is interactive: after the initial preparation of quantum states, the client and server use two-way classical communication which enables the client to drive the computation, giving single-qubit measurement instructions to the server, depending on previous measurement outcomes. Our protocol works for inputs and outputs that are either classical or quantum. We give an authentication protocol that allows the client to detect an interfering server; our scheme can also be made fault-tolerant. We also generalize our result to the setting of a purely classical client who communicates classically with two non-communicating entangled servers, in order to perform a blind quantum computation. By incorporating the authentication protocol, we show that any problem in BQP has an entangled two-prover interactive proof with a purely classical verifier. Our protocol is the first universal scheme which detects a cheating server, as well as the first protocol which does not require any quantum computation whatsoever on the client's side. The novelty of our approach is in using the unique features of measurement-based quantum computing which allows us to clearly distinguish between the quantum and classical aspects of a quantum computation.
TL;DR: The proposed scheme only uses hashing functions to implement a robust authentication scheme for the multi-server environment and provides a secure method to update passwords without the help of a trusted third party.
TL;DR: Through simulation testing, it is shown that the authentication protocol is more lightweight and efficient than SAP, especially on the user side, which is very suited to the massive-scale cloud.
Abstract: Cloud computing is a recently developed new technology for complex systems with massive-scale services sharing among numerous users. Therefore, authentication of both users and services is a significant issue for the trust and security of cloud computing. The SSL Authentication Protocol (SAP), once applied in cloud computing, becomes so complicated that users undergo a heavy load in both computation and communication. This paper, based on the identity-based hierarchical model for cloud computing (IBHMCC) and its corresponding encryption and signature schemes, presents a new identity-based authentication protocol for cloud computing and services. Through simulation testing, it is shown that the authentication protocol is more lightweight and efficient than SAP, especially on the user side, which is more lightweight. Such merit of our model, with its great scalability, is very suited to the massive-scale cloud.
TL;DR: Gossamer is presented, a new protocol inspired by the recently published SASI scheme that is designed to avoid the problems of the past, and its security and performance are examined in some depth.
Abstract: The design of ultralightweight authentication protocols that conform to low-cost tag requirements is imperative. This paper analyses the most important proposals (except for those based on hard problems such as the HB [1-3] family) in the area [4-6] and identifies the common weaknesses that have left all of them open to various attacks [7-11]. Finally, we present Gossamer, a new protocol inspired by the recently published SASI scheme [13], which was lately also the subject of a disclosure attack by Hernandez-Castro et al. [14]. Specifically, this new protocol is designed to avoid the problems of the past, and we examine its security and performance in some depth.
TL;DR: This specification defines a new EAP method, EAP-AKA', a small revision of the EAP-AKA method; the change is a new key derivation function that binds the name of the access network to the keys derived within the method.
Abstract: This specification defines a new EAP method, EAP-AKA', a small revision of the EAP-AKA method. The change is a new key derivation function that binds the name of the access network to the keys derived within the method. The new key derivation mechanism has been defined in 3GPP. This specification allows its use in EAP in an interoperable manner. In addition, EAP-AKA' employs a new hash function, SHA-256. This specification also updates RFC 4187 EAP-AKA to add support for preventing bidding down attacks between itself and EAP-AKA'.
TL;DR: In this article, a third-party website registers with a multi-factor authentication service, after which the service enables the third-party website to utilize it (e.g., switches the service on, or sends an authorization key to the third-party website).
Abstract: End users of a multi-factor authentication service can utilize an account management service, and third-party websites can register to utilize the multi-factor authentication service. Registering a third-party website can comprise the multi-factor authentication service receiving a valid digital identity certificate for the third-party website, and receiving an agreement to terms of use of the multi-factor authentication service for the third-party website. Once received, the multi-factor authentication service can enable the third-party website to utilize the service (e.g., switch the service on, or send an authorization key to the third-party website). Further, registering a user to the multi-factor authentication service can comprise determining availability of service, and providing a location-specific access code. Additionally, registering the user can comprise registering the user's mobile device, for example, to provide multi-factor authentication. Also, an Internet-based user account management user interface can be provided that allows a user to view transactions on their account, and an ability to shut off a designated mobile device's ability to authenticate.
TL;DR: In this article, a method for two-factor authentication of a user in an application service running on an application server is described, where the authentication method is characterised in that the first authentication factor is a PIN authentication code known only by the user and the application service, and the second authentication factor is the mobile communication terminal of the user on which is installed a reliability application obtained from a reliable third party or certified by the same, said reliability application being capable of generating, using said PIN identification code and a secret key (Ks) shared only with the reliable third parties,
Abstract: The invention relates to a method for the two-factor authentication of a user in an application service running on an application server (5). The authentication method is characterised in that the first authentication factor is a PIN authentication code known only by the user and the application service, and in that the second authentication factor is the mobile communication terminal (3) of the user on which is installed a reliability application obtained from a reliable third party or certified by the same, said reliability application being capable of generating, using said PIN identification code and a secret key (Ks) shared only with the reliable third party, a single use authentication code (OTP) for each authentication of the user in said application service.
TL;DR: In this article, a multi-step authentication process is presented for dynamic authentication of a user requesting access to a system via a mobile device, where the account holder tailors a set of customized security challenges and responses.
Abstract: Providing dynamic authentication of a user requesting access to a system via a mobile device is disclosed. An account holder tailors a set of customized security challenges and responses. When a request for account authentication is received from a mobile device, the system conducts a multi-step user authentication process that includes dynamically selecting and prompting the user with the custom security challenges.
TL;DR: An efficient nonce-based authentication scheme is proposed whose computation cost is lower than that of Yang et al.'s authentication scheme and Durlanik et al.'s authentication scheme, and it is very suitable for low computation power equipment.
Abstract: In recent years, the Session Initiation Protocol (SIP) has become more and more popular. However, there are many security problems in the Session Initiation Protocol. In 2005, Yang et al. [9] proposed a secure authentication scheme for the Session Initiation Protocol. This authentication scheme is based on the Diffie-Hellman [2] concept, so the computation cost of this authentication scheme is very high. In order to improve this shortcoming, Durlanik et al. [3] also proposed an authentication scheme using ECDH in 2005. However, the computation cost of this authentication scheme is still very high. In this paper, we propose an efficient nonce-based authentication scheme. The computation cost of this authentication scheme is lower than that of Yang et al.'s authentication scheme and Durlanik et al.'s authentication scheme, and it is very suitable for low computation power equipment.
TL;DR: In this paper, single sign-on with dynamic authentication levels is described, where the user is already authenticated to the first application at a first authentication level and provides further authentication data for accessing the second application.
Abstract: Methods and systems for single sign-on with dynamic authentication levels are described. The method includes receiving a data request for access to a second application, where the user is already authenticated to the first application at a first authentication level. Application information about the authentication level necessary to access the second application is retrieved. In response to a request, the user provides further authentication data for accessing the second application. The type of further authentication data required is based on the first authentication level and the minimum authentication level necessary to access the second application. The user is then authenticated to the second application at the minimum authentication level necessary to access the second application.
TL;DR: In this article, a system, method and computer program product are provided for managing authentication information for a user, where a master digital key is received from the user, and authentication of the user is obtained based on the master key.
Abstract: A system, method and computer program product are provided for managing authentication information for a user. According to the method, a master digital key is received from the user, and authentication of the user is obtained based on the master digital key. There is received from the user a selection of one identity from among a plurality of identities that are stored for the user. Authentication information for the user is provided into an application or web page based on the one identity selected by the user. In one embodiment, the authentication information is provided by recognizing a web page for which authentication information is stored, and automatically filling the authentication information for the user into appropriate elements of the web page.
TL;DR: In this article, the authors present a method and apparatus for protection of various items against counterfeiting using physical unclonable features of item microstructure images, which is based on the proposed identification and authentication protocols coupled with portable devices.
Abstract: The present invention is a method and apparatus for protection of various items against counterfeiting using physical unclonable features of item microstructure images. The protection is based on the proposed identification and authentication protocols coupled with portable devices. In both cases a special transform is applied to data that provides a unique representation in the secure key-dependent domain of reduced dimensionality that also simultaneously resolves performance-security-complexity and memory storage requirement trade-offs. The enrolled database needed for the identification can be stored in the public domain without any risk of being used by counterfeiters. Additionally, it can be easily transported to various portable devices due to its small size. Notably, the proposed transformations are chosen in such a way as to guarantee the best possible performance in terms of identification accuracy with respect to identification in the raw data domain. The authentication protocol is based on the proposed transform jointly with distributed source coding. Finally, the extensions of the described techniques to the protection of artworks and to secure key exchange and extraction are disclosed in the invention.
TL;DR: This work proposes a novel key agreement protocol that not only achieves mutual authentication without verification tables, but also allows users to anonymously interact with the server, and is modelled and analyzed with Petri nets.
Abstract: A key agreement protocol is a protocol whereby two or more communicating parties can agree on a key or exchange information over an open communication network in such a way that all of them agree on the established session keys for use in subsequent communications. Recently, several key agreement protocols based on chaotic maps have been proposed. These protocols require a verification table to verify the legitimacy of a user. Since this approach clearly incurs the risk of tampering and the cost of managing the table, and suffers from the stolen-verifier attack, we propose a novel key agreement protocol based on chaotic maps to enhance security. The proposed protocol not only achieves mutual authentication without verification tables, but also allows users to anonymously interact with the server. Moreover, the security of the proposed protocol is modelled and analyzed with Petri nets. Our analysis shows that the proposed protocol can successfully defend against replay attacks, forgery attacks, and stolen-verifier attacks.
TL;DR: Wang et al., as discussed by the authors, point out that Das's protocol is vulnerable to an offline password guessing attack, and also show a countermeasure to overcome the vulnerability without sacrificing any efficiency or usability.
Abstract: User authentication is essential for customized services and privileged access control in wireless sensor networks. In 2009, Das proposed a novel two-factor authentication scheme for wireless sensor networks, where a user must prove possession of both a password and a smart card. His scheme is well-designed for sensor nodes, which typically have limited resources, in the sense that its authentication procedure requires no public key operations and utilizes only a cryptographic hash function. In this letter, we point out that Das's protocol is vulnerable to an offline password guessing attack, and also show a countermeasure to overcome the vulnerability without sacrificing any efficiency or usability. Besides the patch, we suggest a method to protect query response messages from a wireless sensor node to a user, which is necessary in serving a user in a confidential and authentic way.
TL;DR: This paper presents a survey of various intrusion detection systems for wireless sensor networks and classifies these approaches into three categories, i.e. purely distributed, purely centralized and distributed-centralized.
Abstract: Wireless sensor networks (WSNs) are vulnerable to different types of security threats that can degrade the performance of the whole network and may result in fatal problems like denial of service (DoS) attacks, routing attacks, Sybil attacks etc. Key management protocols, authentication protocols and secure routing cannot provide security to WSNs against these types of attacks. An intrusion detection system (IDS) is a solution to this problem. It analyzes the network by collecting a sufficient amount of data and detects abnormal behavior of sensor node(s). IDS-based security mechanisms proposed for other network paradigms, such as ad hoc networks, cannot directly be used in WSNs. Researchers have proposed various intrusion detection systems for wireless sensor networks during the last few years. We classify these approaches into three categories, i.e. purely distributed, purely centralized and distributed-centralized. In this paper, we present a survey of these mechanisms. These schemes are further differentiated by the way they perform intrusion detection.
TL;DR: In this paper, a secure, authenticated communication connection between the client and server is split-terminated at a pair of intermediary network devices by intercepting a request from the client for a client-server connection, authenticating the client at the intermediaries, establishing a first secure, authenticated connection to the client, authenticating the client or an intermediary to the server, and establishing a second secure, authenticated connection with the server.
Abstract: Systems and methods are provided for enabling optimization of communications within a networked computing environment requiring secure, authenticated client-server communication connections. Optimization is performed by a pair of intermediary network devices installed in the path of communications between the client and the server. A secure, authenticated communication connection between the client and server is split-terminated at the pair of intermediary network devices by intercepting a request from the client for a client-server connection, authenticating the client at the intermediaries, establishing a first secure, authenticated connection to the client, authenticating the client or an intermediary to the server, and establishing a second secure, authenticated connection to the server. Depending on the operative authentication protocol (e.g., NTLM, Kerberos), an intermediary may interface with a domain controller, key distribution center or other entity.
TL;DR: This paper analyzes threats and attacks in 3G-WLAN interworking and proposes a new authentication and key agreement protocol based on EAP-AKA that combines Elliptic Curve Diffie-Hellman (ECDH) with a symmetric key cryptosystem to overcome these vulnerabilities.
Abstract: The 3rd Generation Partnership Project (3GPP) standard is developing the System Architecture Evolution (SAE)/Long Term Evolution (LTE) architecture for the next generation mobile communication system. The SAE/LTE architecture provides secure service and 3G-WLAN interworking [9]. To provide secure 3G-WLAN interworking in the SAE/LTE architecture, Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) is used. However, EAP-AKA has several vulnerabilities such as disclosure of user identity, man-in-the-middle attack, Sequence Number (SQN) synchronization, and additional bandwidth consumption. Therefore, this paper analyzes threats and attacks in 3G-WLAN interworking and proposes a new authentication and key agreement protocol based on EAP-AKA. The proposed protocol combines Elliptic Curve Diffie-Hellman (ECDH) with a symmetric key cryptosystem to overcome these vulnerabilities. Moreover, our protocol provides Perfect Forward Secrecy (PFS) to guarantee stronger security, mutual authentication, and resistance to replay attack. Compared with previous protocols which use a public key cryptosystem with certificates, our protocol can reduce computational overhead.
TL;DR: The vulnerabilities of the RFID mutual authentication protocol and the ownership transfer protocol are analyzed and revisions are proposed to eliminate the vulnerabilities with comparable storage and computational requirements.
Abstract: In WiSec'08, Song and Mitchell proposed an RFID mutual authentication protocol. Song also extended this protocol for RFID tag ownership transfer. These two protocols are designed to have the most security properties in the literature. We discover that, however, the mutual authentication protocol is vulnerable to both tag impersonation attack and reader impersonation attack, which enable an adversary to impersonate any legitimate reader or tag. We also discover that the ownership transfer protocol is vulnerable to a de-synchronization attack, which prevents a legitimate reader from authenticating a legitimate tag, and vice versa. We analyze the vulnerabilities of these protocols and propose our revisions to eliminate the vulnerabilities with comparable storage and computational requirements.
TL;DR: This work proposes PAP, a privacy and authentication protocol for passive RFID tags that requires little computation and achieves both privacy and authentication, making it sufficient for use in supply chain management; however, this protocol is also suitable for use in other RFID applications as well.
TL;DR: This paper proposes a novel authentication protocol based on Gen2, called Gen2+, and shows that Gen2+ is more secure under tracing and cloning attacks, and follows every message flow in Gen2 to provide backward compatibility.
Abstract: EPCglobal Class-1 Generation-2 specification (Gen2 in brief) has been approved as ISO18000-6C for global use, but the identity of tag (TID) is transmitted in plaintext which makes the tag traceable and clonable. Several solutions have been proposed based on traditional encryption methods, such as symmetric or asymmetric ciphers, but they are not suitable for low-cost RFID tags. Recently, some lightweight authentication protocols conforming to Gen2 have been proposed. However, the message flow of these protocols is different from Gen2. Existing readers may fail to read new tags. In this paper, we propose a novel authentication protocol based on Gen2, called Gen2+, for low-cost RFID tags. Our protocol follows every message flow in Gen2 to provide backward compatibility. Gen2+ is a multiple round protocol using shared pseudonyms and Cyclic Redundancy Check (CRC) to achieve reader-to-tag authentication. Conversely, Gen2+ uses the memory read command defined in Gen2 to achieve tag-to-reader authentication. We show that Gen2+ is more secure under tracing and cloning attacks.
TL;DR: A universally composable security framework designed especially for RFID applications that supports modular deployment and a set of simple, efficient, secure, and anonymous RFID identification and authentication protocols that instantiate the proposed framework.
Abstract: As the number of RFID applications grows, concerns about their security and privacy become greatly amplified. At the same time, the acutely restricted and cost-sensitive nature of RFID tags rules out simple reuse of traditional security/privacy solutions and calls for a new generation of extremely lightweight identification and authentication protocols. This article describes a universally composable security framework designed especially for RFID applications. We adopt RFID-specific setup, communication, and concurrency assumptions in a model that guarantees strong security, privacy, and availability properties. In particular, the framework supports modular deployment, which is most appropriate for ubiquitous applications. We also describe a set of simple, efficient, secure, and anonymous (untraceable) RFID identification and authentication protocols that instantiate the proposed framework. These protocols involve minimal interaction between tags and readers and place only a small computational load on the tag, and a light computational burden on the back-end server. We show that our protocols are provably secure within the proposed framework.
TL;DR: In this paper, the authors describe authentication for distributed secure content management systems, in which a request to access a resource available through the Internet is routed to a security component, one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise.
Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.
TL;DR: In this article, the authentication methods employ a combination of security features, such as unique knowledge of the person being authenticated, unique personal features and attributes, the ability of a person to respond and to do so in a fashion that a machine cannot, and so forth.
Abstract: Systems and methods for authenticating electronic transactions are provided. The authentication methods employ a combination of security features. These security features can be based, for example, on unique knowledge of the person being authenticated, unique personal features and attributes of the person, the ability of the person to respond, and to do so in a fashion that a machine cannot, and so forth. Methods for enrolling the person prior to authentication are also provided, as well as systems for enrollment and authentication.
TL;DR: A remote authentication protocol featured with client anonymity, nonrepudiation, and improved efficiency for value-added services in a mobile environment is proposed by combining the proposed signature scheme with a new concept called the client account index.
Abstract: Based on identity-based cryptography, this paper proposes a remote authentication protocol featured with client anonymity, nonrepudiation, and improved efficiency for value-added services in a mobile environment. First, an identity-based signature scheme is proposed, and the verification result of the signature is a constant with respect to the signer's identifier. Then, a remote authentication protocol is constructed by combining the proposed signature scheme with a new concept called the client account index, which helps to realize client anonymity with no encryption operations. A formal proof and a theoretical analysis are provided to show the security strength of the proposals. Performance evaluation shows that compared with previous identity-based remote authentication schemes, the new protocol reduces at least 21.7% of the overall running time with stronger security; the reductions in the overall running time and signaling traffic reach 31.9% and 82.0%, respectively, compared with previous Rivest-Shamir-Adleman-based schemes.
TL;DR: This paper proposes a novel forward private authentication scheme built upon less computationally expensive cryptographic ingredients, namely pseudo-random generators and universal hash functions instead of one-way hash functions, and provides security proofs of the construction in the standard model instead of the random oracle model.
Abstract: Radio Frequency IDentifiers (RFID) are low-cost pervasive devices used in various settings for identification purposes: although they were originally introduced to ease supply chain management, they are already used in many other applications. Some of these applications need secure identification, and ad-hoc authentication protocols have to be designed for that purpose. But the intrusion of RFID into the life of end-users might additionally require a higher level of user privacy. Such security and privacy requirements conflict with the highly constrained environment of RFID systems. Ohkubo, Suzuki, and Kinoshita first proposed an appealing RFID protocol that meets the highest privacy requirements. However, their scheme and its known variants suffer from limitations in terms of computational complexity and provable security, which this paper aims to address. We propose a novel forward private authentication scheme built upon less computationally expensive cryptographic ingredients, namely pseudo-random generators and universal hash functions instead of one-way hash functions. In contrast with existing schemes, we provide security proofs of our construction in the standard model instead of the random oracle model.
TL;DR: In this paper, a vehicular biometric authentication system is equipped with a portable terminal that includes a receiver that receives authentication data output from a data management center, and an on-board device that acquires the authentication data via the portable terminal and uses the acquired authentication data to carry out identity verification when communication with the management center is impossible.
Abstract: A vehicular biometric authentication system is equipped with a portable terminal that includes a receiver that receives authentication data output from a data management center, and an on-board device that acquires the authentication data via the portable terminal and uses the acquired authentication data to carry out identity verification when communication with the management center is impossible. When a vehicle is stopped outside the communication range of the data management center, the on-board device acquires via the portable terminal the authentication data output from the data management center. Thus, the on-board device utilizes the authentication data acquired via the portable terminal to carry out identity verification.
TL;DR: A new RFID authentication protocol based on Error Correction Codes (ECC) is proposed that has excellent performance in terms of security, efficiency, server's maintenance, robustness, and cost.
TL;DR: This paper examines the problem of remote authentication in online learning environments and explores the challenges and options of using biometric technology to defend against user impersonation attacks by certifying the presence of the user in front of the computer, at all times, and presents a biometrics-based client-server architecture for continuous user authentication in e-learning environments.
Abstract: With the rapid proliferation of online learning, students are increasingly demanding easy and flexible access to learning content at a time and location of their choosing. In these environments, remote users connecting via the public Internet or other unsecure networks must be authenticated prior to being granted access to sensitive content such as tests or personal/private records. Today, the overwhelming majority of online learning systems rely on weak authentication mechanisms to verify the identity of remote users only at the start of each session. One-time authentication using password, personal identification number (PIN), or even hardware tokens is clearly inadequate in that it cannot defend against insider attacks including remote user impersonation or illegal sharing or disclosure of these authentication secrets. As such, these methods are entirely unsuitable for circumstances where the outcome of an online assessment or a course of study is the granting of a formal degree, professional certification, or qualification or requalification for a particular skill or function. This paper examines the problem of remote authentication in online learning environments and explores the challenges and options of using biometric technology to defend against user impersonation attacks by certifying the presence of the user in front of the computer, at all times. It also leverages a 5-step process as the basis for a systems approach to ensuring that the proposed solution will meet the critical remote authentication assurance requirements. The process and systems approach employed here are generic, and can be exploited when introducing biometric-enabled authentication solutions to other applications and business domains. The paper concludes by presenting a biometrics-based client-server architecture for continuous user authentication in e-learning environments.
TL;DR: An Anti-Compromising authenticaTION protocol, ACTION, is proposed, which employs a novel sparse tree architecture such that the key of every tag is independent from one another.
Abstract: In order to protect privacy, radio frequency identification (RFID) systems employ privacy-preserving authentication (PPA) to allow valid readers to explicitly authenticate their dominated tags without leaking private information. Typically, an RF tag sends an encrypted message to the reader, then the reader searches for the key that can decrypt the cipher to identify the tag. Due to the large-scale deployment of today's RFID systems, the key search scheme for any PPA requires a short response time. Previous designs construct balanced-tree-based key management structures to accelerate the search speed to O(log N), where N is the number of tags. While efficient, such approaches are vulnerable to compromising attacks. By capturing a small number of tags, compromising attackers are able to identify other tags that have not been corrupted. To address this issue, we propose an Anti-Compromising authenticaTION protocol, ACTION, which employs a novel sparse tree architecture such that the key of every tag is independent from one another. The advantages of this design include: 1) resilience to the compromising attack, 2) reduction of key storage for tags from O(log N) to O(1), which is significant for resource-critical tag devices, and 3) high search efficiency, which is O(log N), as good as the best of the previous designs.