Automobile Management Institute of PLA

Bengbu, China

Automobile Management Institute of PLA

Bengbu, China
SEARCH FILTERS
Time filter
Source Type

Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University | Zhao S.-D.,Harbin Engineering University | Zhou C.-L.,Harbin Engineering University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. Recently, Yeh et al. showed that Hsiang and Shih's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is nontamper resistant, and proposed an improved version which was claimed to be efficient and secure. In this study, however, we find that, although Yeh et al.'s scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack and key-compromise impersonation attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity and forward secrecy; (3) It has some other minor defects. The proposed cryptanalysis discourages any use of the scheme under investigation in practice. Remarkably, rationales for the security analysis of password-based authentication schemes using smart cards are discussed in detail. © IFIP International Federation for Information Processing 2012.


Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University | Gu D.-L.,Harbin Engineering University | Cui Z.-S.,Harbin Engineering University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes. © 2012 Springer-Verlag.


Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University | Wu P.,Harbin Engineering University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

In DBSec'11, Li et al. showed that Kim and Chung's password-based remote user authentication scheme is vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved version was proposed and claimed that it is secure against smart card security breach attacks. In this paper, however, we will show that Li et al.'s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also prone to denial of service attack and fails to provide user anonymity and forward secrecy. Therefore, a robust scheme with a brief analysis is presented to overcome the identified drawbacks. © 2012 IFIP International Federation for Information Processing.


Ma C.-G.,Harbin Engineering University | Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Zhang Q.-M.,Harbin Engineering University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

Anonymity is one of the important properties of remote authentication schemes to preserve user privacy. Recently, Sood et al. showed that Wang et al.'s dynamic ID-based remote user authentication scheme fails to preserve user anonymity and is vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved version of dynamic ID-based authentication scheme was proposed and claimed that it is efficient and secure. In this paper, however, we will show that Sood et al.'s scheme still cannot preserve user anonymity under their assumption. In addition, their scheme is also vulnerable to the offline password guessing attack and the stolen verifier attack. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Sood et al.'s scheme and is more secure and efficient for practical application environment. © 2012 Springer-Verlag.


Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University
Journal of China Universities of Posts and Telecommunications | Year: 2012

With the broad implementations of the electronic business and government applications, robust system security and strong privacy protection have become essential requirements for remote user authentication schemes. Recently, Chen et al. pointed out that Wang et al.'s scheme is vulnerable to the user impersonation attack and parallel session attack, and proposed an enhanced version to overcome the identified security flaws. In this paper, however, we show that Chen et al.'s scheme still cannot achieve the claimed security goals and report its following problems: (1) It suffers from the offline password guessing attack, key compromise impersonation attack and known key attack; (2) It fails to provide forward secrecy; (3) It is not easily repairable. As our main contribution, a robust dynamic ID-based scheme based on non-tamper resistance assumption of the smart cards is presented to cope with the aforementioned defects, while preserving the merits of different related schemes. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several grave security threats that are difficult to be tackled at the same time in previous scholarship. © 2012 The Journal of China Universities of Posts and Telecommunications.


Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University
Information Fusion | Year: 2013

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. The design of secure remote user authentication schemes based on elliptic curve crypto-graphy (ECC) for mobile applications is still quite a challenging problem, though many schemes have been published lately. In this paper, we analyze an efficient ID-based scheme for mobile client-server environment without the MapToPoint function introduced by He et al. in 2012. This proposal attempts to overcome many of the well known security and efficiency shortcomings of previous schemes, and it also carries a claimed proof of security in the random oracle model. However, notwithstanding its formal security arguments, we show that He et al.'s protocol even cannot attain the basic goal of mutual authentication by demonstrating its vulnerabilities to reflection attack and parallel session attack. Besides these two security vulnerabilities, their scheme also suffers from some practical pitfalls such as user anonymity violation and clock synchronization problem. In addition, we carry out an investigation into their security proof and propose some changes to the scheme so that it can achieve at least its basic security goal, in the hope that similar mistakes are no longer made in the future. © 2013 Elsevier B.V. All rights reserved.


Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Ma C.-G.,Harbin Engineering University | Shi L.,Harbin Engineering University | Wang Y.-H.,Rochester Institute of Technology
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

The design of secure remote user authentication schemes for mobile applications is still an open and quite challenging problem, though many schemes have been published lately. Recently, Islam and Biswas pointed out that Lin and Hwang et al.'s password-based authentication scheme is vulnerable to various attacks, and then presented an improved scheme based on elliptic curve cryptography (ECC) to overcome the drawbacks. Based on heuristic security analysis, Islam and Biswas claimed that their scheme is secure and can withstand all related attacks. In this paper, however, we show that Islam and Biswas's scheme cannot achieve the claimed security goals and report its flaws: (1) It is vulnerable to offline password guessing attack, stolen verifier attack and denial of service (DoS) attack; (2) It fails to preserve user anonymity. The cryptanalysis demonstrates that the scheme under study is unfit for practical use. © 2012 Springer-Verlag.


Ma C.-G.,Harbin Engineering University | Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Zhao P.,Harbin Engineering University | Wang Y.-H.,Rochester Institute of Technology
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

Forward secrecy is one of the important properties of remote user authentication schemes to limit the effects of eventual failure of the entire system when the long-term private keys of one or more parties are compromised. Recently, Tsai et al. showed that Wang et al.'s dynamic ID-based remote user authentication scheme fails to achieve user anonymity and is vulnerable to user impersonation attack, and proposed an enhanced version to overcome all the identified flaws. In this paper, however, we will point out that, Tsai et al.'s scheme still suffers from the denial of service attack and cannot provide forward secrecy. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Tsai et al.'s scheme and is more suitable for mobile application scenarios where resource constrained and security concerned. © 2012 Springer-Verlag Berlin Heidelberg.


Dong M.,Automobile Management Institute of PLA
Proceedings - 4th International Conference on Intelligent Computation Technology and Automation, ICICTA 2011 | Year: 2011

There are some shortages of knowledge acquisition and inefficency in ES. So, combines ES with ANN to construst military equipment fault diagosis expert system. Introduces the neural network learning system, the knowledge base and the reasoning mechanism of the expert system. After introducing ANN and ES, utilizing the adapting, self-learning abilities of ANN, methods of knowledge acquirement and representation are studied, ways of solving the bottleneck problem of knowledge acquirement in Intelligence Fault Diagnosis Expert system (IFDES) are discussed, and knowledge base of ES founded on ANN is put forward. In the end, the feasibility and validity is testified by an instance. © 2011 IEEE.


Ma C.-G.,Harbin Engineering University | Wang D.,Harbin Engineering University | Wang D.,Automobile Management Institute of PLA | Zhao S.-D.,Harbin Engineering University
International Journal of Communication Systems | Year: 2014

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. © 2012 John Wiley & Sons, Ltd.

Loading Automobile Management Institute of PLA collaborators
Loading Automobile Management Institute of PLA collaborators