Master of Computer Science by Research
School of Computer Science and Software Engineering
Yu, Jiangshan, Remote user authentication in distributed networks and systems, Master of Computer Science by Research thesis, School of Computer Science and Software Engineering, University of Wollongong, 2012. http://ro.uow.edu.au/theses/3711
Entity authentication is becoming more and more important. With the widespread use of distributed computer networks, for example, cellular networks, virtual reality communities, the World Wide Web, peer-to-peer networks and multiplayer online games, there is a need to be more vigilant about the security and privacy of users. One way to address these security and privacy concerns is remote user authentication, which is widely used in distributed systems for identifying users and servers. Remote user authentication is a means of identifying a user and verifying whether this user has permission to access the network services and resources. However, an attacker may impersonate a server to communicate with a user and thereby steal the user's information. Thereafter, the attacker can pass authentication with the real server by using the stolen information of the user. Therefore, mutual authentication is needed in order to prevent bogus server attacks. Other requirements of user authentication include ensuring the confidentiality of subsequently exchanged messages, protecting user privacy, providing user anonymity and achieving unlinkability. In the complex environments of computer networks, however, it is a challenge to design efficient and secure mutual authentication protocols under such security requirements.
The research reported here aims to provide efficient and secure identification services with further security requirements for users in distributed systems and networks. In general, the identification services may require three factors, i.e., password, smart card and biometric characteristics. Authentication that is based on a password is called password-based authentication. Password-based authentication together with another factor, a smart card, is called two-factor authentication, in which a successful user authentication can be achieved if the user has a correct password together with a corresponding smart card. Biometric-based authentication is mainly based on biometric characteristics, for example, a fingerprint, an iris scan or a face, and it may also require a smart card. Three-factor authentication uses all three of these factors, i.e., password, smart card and biometric characteristics. There is another concept which belongs to two-factor authentication, called single sign-on (SSO). It enables a user to use a unitary secure credential (or token) to access multiple computers and systems where he/she has access permissions.
The contributions of this thesis are research on both single sign-on and three-factor authentication. In particular, this research will analyse the recent, supposedly secure single sign-on scheme proposed in 2012 by Chang and Lee [CL12]. However, their scheme is actually not secure, as we show that it fails to meet credential privacy and soundness of authentication. Based on this analysis, this research will suggest repairs to the scheme by employing the efficient verifiable encryption of RSA signature (RSA-VES) proposed by Ateniese [Ate99] for realising fair exchange of RSA signatures. In addition, this research will formalize the security model of single sign-on schemes with authenticated key exchange, and based on the model, a provably secure single sign-on scheme will be proposed. This scheme satisfies soundness, preserves credential privacy, meets user anonymity and supports session key exchange. For users who have higher security requirements, this research also proposes an improved generic framework, an efficient and systematic approach that upgrades two-factor authentication schemes to three-factor authentication schemes. This research also provides a provably secure concrete instantiation of the framework with comparison, practicability analysis, privacy discussion and formal security proof.