Citation Information : International Journal on Smart Sensing and Intelligent Systems. Volume 6, Issue 4, Pages 1,700-1,724, DOI: https://doi.org/10.21307/ijssis-2017-611
License : (CC BY-NC-ND 4.0)
Received Date : 17-March-2013 / Accepted: 22-July-2013 / Published Online: 05-September-2013
Cloud computing, an emerging, virtual, large-scale distributed computing model, has gained increasing attention in recent years. It also faces many security challenges, one of which is authentication, and much research has been done in this area. Recently, Choudhury et al. proposed a user authentication framework to ensure user legitimacy before entry into the cloud. They claimed their scheme could provide identity management, mutual authentication, session key agreement between the user and the cloud server, and user password change on demand. However, our analysis shows that the scheme is vulnerable to several attacks, including the masquerading attack and the OOB (out-of-band) attack, and that it has a password change flaw. In this paper, we first point out the security vulnerabilities of Choudhury et al.'s scheme and present the detailed attacks on it. Then, building on remote user authentication schemes such as Ku-Chen's scheme and Chen's scheme, we apply two-factor authentication technology to propose an advanced secure user authentication framework that overcomes the above security shortcomings. Without sending a one-time key through a secure OOB channel, our new protocol ensures, based on a smartcard, that only legitimate users can access the cloud service. In addition, our advanced scheme retains all the merits of Choudhury et al.'s scheme. Formal security analysis, based on the strand space model and authentication tests, proves that our proposed scheme is secure under standard cryptographic assumptions. The simulation results also show that our advanced scheme has more efficient communication performance than other schemes.
Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, Matei Zaharia, “A view of cloud computing”, Communications of the ACM, 53 (4), 2010, pp. 50-58.
Hassan Takabi, James B. D. Joshi, Gail-Joon Ahn, “Secure Cloud: Towards a Comprehensive Security Framework for Cloud Computing Environments”, Proceedings of 34th IEEE Conference Workshops on Computer Software and Applications, 19-23 July, 2010, Pittsburgh, PA, USA, pp. 393-398.
Chun-Ting Huang, Zhongyuan Qin, C.-C. Jay Ku, “Multimedia Storage Security in Cloud computing: An Overview”, Proceedings of 13th IEEE International Workshop on Multimedia Signal Processing, 17-19 October, 2011, Los Angeles, CA, USA, pp. 1-6.
Jack Newton, “Beyond Passwords: Two Factor Authentication Comes to the Cloud”, http://www.slaw.ca/2010/09/20/, 2010.
L. Lamport, “Password authentication with insecure communication”, Communications of the ACM, 24 (11), 1981, pp. 770-771.
M.S. Hwang, L.H. Li, “A New Remote User Authentication Scheme using Smart Cards”, IEEE Transactions on Consumer Electronics, 46 (1), 2000, pp. 28-30.
H.Y. Chien, J.K. Jan, Y.M. Tseng, “An efficient and practical solution to remote authentication smart card”, Computers & Security, 21 (4), 2002, pp. 372-375.
W.C. Ku, S.M. Chen, “Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards”, IEEE Transactions on Consumer Electronics, 50 (1), 2004, pp. 204-207.
C. Mitchell, “Limitations of challenge-response entity authentication”, Electronic Letters, 25 (17), 1989, pp. 1195-1196.
W.C. Ku, C.M. Chen, H.L. Lee, “Cryptanalysis of a variant of Peyravian–Zunic’s password authentication scheme”, IEICE Transactions on Communication, E86-B (5), 2003, pp. 1682-1684.
T. H. Chen, J. C. Huang, “A novel user-participating authentication scheme”, The Journal of Systems and Software, 83 (5), 2010, pp. 861-867.
Chun-Ta Li, Cheng-Chi Lee, “A robust remote user authentication scheme using smart card”, Information Technology and Control, 40 (3), 2011, pp. 236-245.
H. C. Hsiang, W. K. Shih, “Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards”, Computer Communications, 32 (4), 2009, pp. 649-652.
Amlan Jyoti Choudhury, Pardeep Kumar, Managal Sain, Hyotaek Lim, Hoon Jae-Lee, “A Strong User Authentication Framework for Cloud Computing”, Proceedings of 2011 IEEE Asia-Pacific Services Computing Conference, Jeju, South Korea, December 12-15, 2011, pp. 110-115.
I-En Liao, Cheng-Chi Lee, Min-Shiang Hwang, “A password authentication scheme over insecure networks”, Journal of Computer and System Sciences, 72 (4), 2006, pp. 727-740.
S21sec, “ZeuS Mitmo: Man-in-the-mobile”, http://securityblog.s21sec.com/2010/09/zeus-man-in-mobile-i.html, 2011.
Szu-yu Lin, “Enhancing the security of out-of-band one-time password two factor authentication in cloud computing”, http://pc01.lib.ntust.edu.tw/ETD-db/ETD-search/view_etd?URN=etd-0720111-153542, 2011.
F. T. Fábrega, J. Herzog, J. Guttman, “Strand spaces: Proving security protocols correct”, Journal of Computer Security, 7 (2/3), 1999, pp. 191-230.
J. D. Guttman, F. J. Thayer Fabrega, “Authentication tests and the structure of bundles”, Theoretical Computer Science, 283 (2), 2002, pp. 333-380.