Entity

Time filter

Source Type


Wang D.,Peking University | Wang P.,National Engineering Research Center for Software Engineering
Ad Hoc Networks | Year: 2014

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this work, we investigate two recent proposals in the area of smart-card-based password authentication for security-critical real-time data access applications in hierarchical wireless sensor networks (HWSN). Firstly, we analyze an efficient and DoS-resistant user authentication scheme introduced by Fan et al. in 2011. This protocol is the first attempt to address the problems of user authentication in HWSN and only involves lightweight cryptographic primitives, such as one-way hash function and XOR operations, and thus it is claimed to be suitable for the resource-constrained HWSN environments. However, it actually has several security loopholes being overlooked, and we show it is vulnerable to user anonymity violation attack, smart card security breach attack, sensor node capture attack and privileged insider attack, as well as its other practical pitfalls. Then, A.K. Das et al.'s protocol is scrutinized, and we point out that it cannot achieve the claimed security goals: (1) It is prone to smart card security breach attack; (2) it fails to withstand privileged insider attack; and (3) it suffers from the defect of server master key disclosure. Our cryptanalysis results discourage any practical use of these two schemes and reveal some subtleties and challenges in designing this type of schemes. Furthermore, using the above two foremost schemes as case studies, we take a first step towards investigating the underlying rationale of the identified security failures, putting forward three basic principles which we believe will be valuable to protocol designers for advancing more robust two-factor authentication schemes for HWSN in the future. © 2014 Elsevier B.V. All rights reserved. Source


Wan Z.,Peking University | Wang P.,National Engineering Research Center for Software Engineering | Wang P.,Peking University
Proceedings of International Conference on Service Science, ICSS | Year: 2015

Cloud computing has certainly gained attention and skyrocketed in the technical and economic world because of the appealing features. With decades of development there are lots of on-premises applications and systems in use. Consequently, the demand of migrating on-premises applications and systems to the cloud computing is gigantic. Thus, the cloud migration is not systematically reviewed with a proper taxonomy due to the variety of cloud computing architecture and the complexity of applications and systems. This paper surveys the cloud computing architectures and cloud migration decision frameworks by both the industry and the academia. Then, it proposes cloud migration taxonomy for a clear understanding of related approaches. Finally, it addresses the future challenges and direction as well. © 2014 IEEE. Source


Wang D.,Peking University | Wang D.,National Engineering Research Center for Software Engineering | Wang P.,National Engineering Research Center for Software Engineering | Wang P.,Peking University
Computer Networks | Year: 2014

Anonymity is among the important properties of two-factor authentication schemes for wireless sensor networks (WSNs) to preserve user privacy. Though impressive efforts have been devoted to designing schemes with user anonymity by only using lightweight symmetric-key primitives such as hash functions and block ciphers, to the best of our knowledge none has succeeded so far. In this work, we take an initial step to shed light on the rationale underlying this prominent issue. Firstly, we scrutinize two previously-thought sound schemes, namely Fan et al.'s scheme and Xue et al.'s scheme, and demonstrate the major challenges in designing a scheme with user anonymity. Secondly, using these two foremost schemes as case studies and on the basis of the work of Halevi-Krawczyk (1999) [44] and Impagliazzo-Rudich (1989) [43], we put forward a general principle: Public-key techniques are intrinsically indispensable to construct a two-factor authentication scheme that can support user anonymity. Furthermore, we discuss the practical solutions to realize user anonymity. Remarkably, our principle can be applied to two-factor schemes for universal environments besides WSNs, such as the Internet, global mobility networks and mobile clouds. We believe that our work contributes to a better understanding of the inherent complexity in achieving user privacy, and will establish a groundwork for developing more secure and efficient privacy-preserving two-factor authentication schemes. © 2014 Elsevier B.V. All rights reserved. Source


Wang D.,Peking University | Wang D.,National Engineering Research Center for Software Engineering | Wang P.,National Engineering Research Center for Software Engineering | Wang P.,Peking University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu’s scheme and Wang’s PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim’s password when getting temporary access to the victim’s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang’s original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications. © Springer International Publishing Switzerland 2015. Source


Wang D.,Peking University | Wang D.,National Engineering Research Center for Software Engineering | Wang P.,National Engineering Research Center for Software Engineering | Wang P.,Peking University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts. We proceed to investigate the effectiveness of these 50 policies in resisting against the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total 800 test instances, 541 ones are accepted: 218 ones come from trawling online guessing attempts and 323 ones come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks. © Springer International Publishing Switzerland 2015. Source

Discover hidden collaborations