nach oben

International Journal of Information Security

Erschienen in:

08.03.2021 | regular contribution

Public key versus symmetric key cryptography in client–server authentication protocols

verfasst von: An Braeken

Erschienen in: International Journal of Information Security | Ausgabe 1/2022

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Every month, several new protocols are popping up, comparing themselves with a few others and claiming to outperform the whole state of the art. The most popular domain of protocols is the one for authentication in a client–server architecture for which both symmetric key- and public key-based protocols are being proposed. The usage of public key-based mechanisms has several consequences, not only with respect to an increased computational and communication cost, but also with respect to increased possibilities to strengthen the protocol by making it resistant against a semi-trusted third party. On the other hand, we also recall that symmetric key-based protocols can already offer a nice set of security features. We see a trend in the current generation of papers published on public key-based client–server authentication protocols, showing that only a very limited amount of them really exploit the power that public key cryptography can offer with respect to this privacy towards a semi-trusted third party, and most of them do not even satisfy the same security features able to be also realised by a much more efficient symmetric key-based protocol. This paper serves as a warm wake-up call to all protocol designers to rethink the usage of more heavyweight constructions compared to symmetric key-based mechanisms in order to ensure that if they are used, they also fully exploit their inherent strength.

Vorheriger Artikel Privacy preserving data sharing and analysis for edge-based architectures

Nächster Artikel Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Tomar, A., Dhar, J.: An ECC based secure authentication and key exchange scheme in multi-server environment. Wireless Pers. Commun. 107, 351–372 (2019)CrossRef

Haq, I.U., Wang, J., Zhu, Y.: Secure two-factor authentication protocol using self-certified public key cryptography for multi-server 5G networks. J. Netw. Comput. Appl. 161, 102660 (2020)CrossRef

Yao, H., Fu, X., Wang, C., Meng, C., Hai, B., Zhu, S.: Cryptanalysis and improvement of a remote anonymous authentication protocol for mobile multi-server environments. In: IEEE Fourth International Conference on Data Science in Cyberspace (DSC) (2019)

Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)MathSciNetMATHCrossRef

Shannon, C.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)MathSciNetMATHCrossRef

Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetMATHCrossRef

Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)MathSciNetMATHCrossRef

Miller, V.: Use of elliptic curves in cryptography. Crypto Lect. Notes Comput. Sci. 85, 417–426 (1985)

Certicom Research. SEC4: elliptic curve Qu-Vanstone implicit certificate scheme. In: Standards for Efficient Cryptography Group. Version 1.0. Retrieved May 15, 2020 from http://www.secg.org/sec4-1.0.pdf (2013)

10.

Porambage, P., Schmitt, C., Kumar, P., Gurtov, A., Ylianttila, M.: Two-phase authentication protocol for wireless sensor networks in distributed IoT applications. In: IEEE Wireless Communications and Networking Conference (WCNC), pp. 2728–2733. Istanbul (2014)

11.

Ha, D.A., Nguyen, K.T., Zao, J.K.: Efficient authentication of resource-constrained IoT devices based on ECQV 505 implicit certificates and datagram transport layer security protocol. In: Proceedings of the Seventh Symposium on Information and Communication Technology, pp. 173–179 (2016)

12.

Shabisha, P., Braeken, A., Kumar, P., Steenhaut, K.: Fog-orchestrated and server-controlled anonymous group authentication and key agreement. IEEE Access 7, 150247–150261 (2019)CrossRef

13.

Complete guide to GDPR, Retrieved May 15, 2020 from https://gdpr.eu

14.

Bernstein, D.J.: Introduction to post-quantum cryptography. In: Post-Quantum Cryptography (2009)

15.

Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetMATHCrossRef

16.

https://en.wikipedia.org/wiki/Post-quantum_cryptography

17.

Sowjanya, K., Dasgupta, M., Ray, S.: An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems. Int. J. Inf. Secur. 19, 129–146 (2020)CrossRef

18.

Li, X., Peng, J., Kumari, S., Wu, F., Karuppiah, M., Choo, K.K.R.: An enhanced 1-round authentication protocol for wireless body area networks with user anonymity. Comput. Electr. Eng. 61(C), 238–249 (2017)CrossRef

19.

Zhao, Z.: An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem. J. Med. Syst. 38(2), 1–7 (2014)CrossRef

20.

He, D., Zeadally, S., Kumar, N., Lee, J.H.: Anonymous authentication for wireless body area networks with provable security. IEEE Syst. J. 11(4), 2590–2601 (2017)CrossRef

21.

Dinarvand, N., Barati, H.: An efficient and secure RFID authentication protocol using elliptic curve cryptography. Wireless Netw. 25, 415–428 (2019)CrossRef

22.

Liao, Y.P., Hsiao, C.M.: A secure ECC-based RFID authentication scheme using hybrid protocols. Adv. Intell. Syst. Appl. 2, 1–13 (2013)

23.

Alamr, A.A., Kausar, F., Kim, J.S.: Secure mutual authentication protocol for RFID based on elliptic curve cryptography. In: Proceedings of the 2016 International Conference on Platform Technology and Service (PlatCon), pp. 1–7. IEEE (2016)

24.

Jin, C., Xu, C., Zhang, X., Li, F.: A secure ECC-based RFID mutual authentication protocol to enhance patient medication safety. J. Med. Syst. 40(1), 6 (2016)CrossRef

25.

Merabet, F., Cherif, A., Belkadi, M., Blazy, O., Conchon, E., Sauveron, D.: New efficient M2C and M2M mutual authentication protocols for IoT-based healthcare applications. In: Peer-to-Peer Networking and Applications. Springer (2019)

26.

Panda, P.K., Chattopadhyay, S.: A secure mutual authentication protocol for IoT environment. J Reliab. Intell. Environ. 6, 79–94 (2020)CrossRef

27.

Islam, S.K.H., Biswas, G.P.: A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J. Syst. Softw. 84, 1892–1898 (2011)CrossRef

28.

Kalra, S.: Secure authentication scheme for IoT and cloud servers. Pervasive Mob. Comput. 24, 210–223 (2015)CrossRef

29.

Chang, C.C., Wu, H.L., Sun, C.Y.: Notes on secure authentication scheme for IoT and cloud servers. Pervasive Mob. Comput. 38, 275–278 (2016)CrossRef

30.

Wang, F., Chen, C.M., Fang, W., Wu, T.Y.: A secure authentication scheme for Internet of Things. Pervasive Mob. Comput. 42, 15–26 (2017)CrossRef

31.

Kumari, S., Karuppiah, M., Das, A.K., Kumar, N.: A secure authentication scheme based on elliptic curve cryptography for IoT and cloud servers. J. Supercomput. 74, 6428–6453 (2017)CrossRef

32.

Bhuvaneshwari, S., Narayanan, A.V.: Enhanced mutual authentication scheme for cloud of things. Int. J. Pure Appl. Math. 119(15), 1571–1583 (2018)

33.

Ying, B., Nayak, A.: Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography. J. Netw. Comput. Appl. 131, 66–74 (2019)CrossRef

34.

Hsieh, W., Leu, J.: An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures. J. Supercomput. 70(1), 133–148 (2014)CrossRef

35.

Wang, D.H.D.: Robust biometrics based authentication scheme for multi server environment. IEEE Syst. J 9(3), 816–823 (2015)CrossRef

36.

Odelu, V., Das, A.K., Goswami, A.: A secure biometrics based multi server authentication protocol using smart cards. IEEE Trans. Inf. Forensics Secur. 10(9), 1953–1966 (2015)CrossRef

37.

Shafiq, A., Altaf, I., Mahmood, K., Kumari, S., Chen, C.M.: An ECC based remote user authentication protocol. J. Internet Technol. 21, 285–294 (2020)

38.

Qu, J., Tan, X.L.: Two-factor user authentication with key agreement scheme based on elliptic curve cryptosystem. J. Electr. Comput. Eng. 2014, 1–6 (2014)

39.

Huang, B., Khan, M.L., Wu, L., Muhaya, F.T.B., He, D.: An efficient remote user authentication with key agreement scheme using Elliptic Curve Cryptography. Wireless Pers. Commun. 85(1), 225–240 (2015)CrossRef

40.

Chaudhry, S.A., Naqvi, H., Mahood, K., Ahmad, H.F., Khan, M.K.: An improved remote user authentication scheme using Elliptic Curve Cryptography. Wireless Pers. Commun. 96(4), 5335–5373 (2017)CrossRef

41.

Kumari, A., Jangirala, S., Abbasi, M.Y., Kumar, V., Alam, M.: ESEAP: ECC based secure and efficient mutual authentication protocol using smart card. J. Inf. Secur. Appl. 51, 102443 (2020)

42.

Kumari, S., Khan, K., Li, X.: An improved remote user authentication scheme with key agreement. Comput. Electr. Eng. 40(6), 1997–2012 (2014)CrossRef

43.

Kumari, S., Li, X., Wu, F., Das, A.K., Odelu, V., Khan, M.K.: A user anonymous mutual authentication protocol. KSII Trans. Internet Inf. Syst. 10(9), 4508–4528 (2016)

44.

Jiang, Q., Ma, J., Li, G., Li, X.: Improvement of robust smart-card-based password authentication scheme. Int. J. Commun. Syst. 28(2), 383–393 (2015)CrossRef

45.

Islam, S.K.H.: Design and analysis of an improved smartcard-based remote user password authentication scheme. Int. J. Commun. Syst. 29, 1708–1719 (2014)CrossRef

46.

Karuppiah, M., Ramakrishnan, S.: A secure remote user mutual authentication scheme using smart cards. J. Inf. Secur. Appl. 19(4–5), 282–294 (2014)

47.

Maitra, T., Obaidat, M.S., Amin, R., Islam, S., Chaudhry, S.A., Giri, D.: A robust ElGamal-based password-authentication protocol using smart card for client-server communication. Int. J. Commun. Syst. 30(11), e3242 (2016)CrossRef

48.

Xie, Q., Wong, D.S., Wang, G., Tan, X., Chen, K., Fang, L.: Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans. Inf. Forensics Secur. 12, 1382–1392 (2017)CrossRef

49.

Wang, C., Wang, D., Xu, G., Guo, Y.: A lightweight password-based authentication protocol using smart card. Int. J. Commun. Syst. 30, e3336 (2017)CrossRef

50.

Jangirala, S., Das, A.K., Kumar, N., Rodrigues, J.: Cloud centric authentication for wearable healthcare monitoring system. IEEE Trans. Dependable Secure Comput. 17, 942–956 (2018)

51.

Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secure Comput. 15, 708–722 (2016)

52.

Muhaya, F.T.B.: Cryptanalysis and security enhancement of Zhu’s authentication scheme for Telecare medicine information system. Secur. Commun. Netw. 8(2), 149–158 (2015)CrossRef

53.

Amin, A.R., Islam, S.K.H., Gope, P., Choo, K.K.R., Tapas, N.: Anonymity preserving and lightweight multi-medical server authentication protocol for telecare medical information system. IEEE J. Biomed. Health Inform. 23, 1749–1759 (2018)CrossRef

54.

Wang, D., Wang, P.: Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf. Sci. 321, 162–178 (2015)MATHCrossRef

55.

Wu, F., Xu, L., Kumari, S., Li, X.: A new and secure authentication scheme for wireless sensor networks with formal proof. Peer-to-Peer Netw. Appl. 10(1), 16–30 (2015)CrossRef

56.

Ali, R., Pal, A.K., Kumari, S., Karuppiah, M., Conti, M.: A secure user authentication and key-agreement scheme using wireless sensor networks for agriculture monitoring. Future Gener. Comput. Syst. 84, 200–215 (2017)CrossRef

57.

Luo, H., Wen, G.J., Su, J.: Lightweight three factor scheme for real-time data access in wireless sensor networks. Wireless Netw. 26(11), 955–970 (2018)

58.

Roy, S., Das, A.K., Chatterjee, S., Chattopadhyay, S., Rodrigues, J.J.: Provably secure fine-grained data access control over multiple cloud servers in mobile cloud computing based healthcare applications. IEEE Trans. Ind. Inf. 15, 457–468 (2018)CrossRef

59.

Wan, T., Liu, X., Liao, W., Jiang, N.: Cryptanalysis and improvement of a smart card based authentication scheme for multi-server architecture using ECC. Int. J. Netw. Secur. 21(6), 993–1002 (2019)

60.

Wei, J.H., Liu, W.F., Hu, X.X.: Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture. Wireless Pers. Commun. 77(3), 2255–2269 (2014)CrossRef

61.

Wang, B., Ma, M.D.: A smart card based efficient and secured multi-server authentication scheme. Wireless Pers. Commun. 68(2), 361–378 (2013)CrossRef

62.

He, D.B., Wu, S.H.: Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Pers. Commun. 70(1), 323–329 (2013)CrossRef

63.

Pippal, R.S., Jaidhar, C.D., Tapaswi, S.: Robust smart card authentication scheme for multi-server architecture. Wireless Pers. Commun. 72(1), 729–745 (2013)CrossRef

64.

Naeem, M., Chaudhry, S.A., Mahmood, K., Karuppiah, M., Kumari, S.: A scalable and secure RFID mutual authentication protocol using ECC for Internet of Things. Int. J. Commun. Syst. 33(13), 3906 (2019)CrossRef

65.

Tewari, A., Gupta, B.B.: Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. J. Supercomput. 73(3), 1085–1102 (2017)CrossRef

66.

Braeken, A.: Highly efficient symmetric key based authentication and key agreement protocol using Keccak. Sensors 20(8), 2160 (2020)CrossRef

67.

Kumar, P., Braeken, A., Gurtov, A., Iinatti, J., Ha, P.H.: Anonymous secure framework in connected smart home environments. IEEE Trans. Inf. Forensics Secur. 12(4), 968–979 (2017)CrossRef

68.

Lara, E., Aguilar, L., Sanchez, M.A., Garcia, J.A.: Lightweight authentication protocol for M2M communications of resource-constrained devices in industrial internet of things. Sensors 20(2), 501 (2020)CrossRef

69.

Chen, J., Gui, Z., Ji, S., Shen, J., Tan, H., Tang, Y.: Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks. J. Netw. Comput. Appl. 106, 117–123 (2018)CrossRef

70.

Mansoor, K., Ghani, A., Chaudhry, S.A., Shamshirband, S., Ghayyur, S.A.K., Mosavi, A.: Securing IoT-based RFID systems: a robust authentication protocol using symmetric cryptography. Sensors 19(21), 4752 (2019)CrossRef

71.

Avoine, G., Canard, S., Ferreira, L.: Symmetric-key authenticated key exchange (SAKE) with perfect forward secrecy. In: Topics in Cryptology-CT-RSA 2020. Lecture Notes Computer Science, vol. 12006, pp. 199–224 (2020)

72.

Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Advances in Cryptology EUROCRYPT 2001, pp. 453–474. Springer (2001)

73.

Braeken, A., Kumar, P., Martin, A.: Efficient and provably secure key agreement for modern smart metering communications. Energies 11(10), 2662 (2018)CrossRef

74.

Odelu, V., Kumar, A., Wazid, M., Conti, M.: Provably secure authenticated key agreement scheme for smart grid. IEEE Trans. Smart Grid 9, 1900–1910 (2018)

75.

Chen, Y., Martinez, J.G., Catellejo, P., Lopez, L.: An anonymous authentication and key establish scheme for smart grid: FAuth. Energies 10, 1345 (2018)

76.

Abbasinezhad-Mood, D., Nikoohgadam, M.: Anonymous ECC-based self-certified key distribution scheme for smart grid. IEEE Trans. Ind. Electron. 65(8), 7996–8004 (2018)CrossRef

Titel: Public key versus symmetric key cryptography in client–server authentication protocols
verfasst von: An Braeken
Publikationsdatum: 08.03.2021
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 1/2022
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-021-00543-w

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2022

[m]allotROPism: a metamorphic engine for malicious software variation development

Track for surveys

A new smart smudge attack using CNN

Automatic analysis of attack graphs for risk mitigation and prioritization on large-scale and complex networks in Industry 4.0

DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules

Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations

Premium Partner