Security Analysis - User Identifications in the Network

Security Analysis

Protecting the user identifications in the network is an important task because they are located everywhere, such as airport lounges, hotels, hospitals, Bank, business centers, and cafes. All sorts of attacks may happen in such location, including key logger, malware, and phishing. So that it is needed to define an authentication protocols is highly important. Hence, this paper we define a threat model and identified that scheme is secure. We classify the following attacks in this authentication category such as password change attack, dictionary attack, brute force attack, impersonation attacks, forgery attack, stolen verifier attack, Replay attack and stolen smart card attack and GW bypassing attack [24].

Password Change attack

The proposed protocol used the user’s unique biometrics Bioi information which is almost feasible and it is impossible for the illegitimate user Ul to be able to impersonate a legal user to modify the password. If the illegitimate user Ul need to change the password then they must be enter the old password UPWi and biometric Bioi information then only they allowed to change the password.

Get quality help now
Marrie pro writer
Verified writer

Proficient in: Computer Networking

5 (204)

“ She followed all my directions. It was really easy to contact her and respond very fast as well. ”

+84 relevant experts are online
Hire writer

In case the illegitimate user Ul gets access to the smart card and extracts ei and fi, they still needs to enter correct biometric Bioi as input to proceed further which are impossible to forge.

Dictionary attack

Most passwords have such low entropy that the system is vulnerable to password guessing attacks, where an attacker intercepts authentication messages, stores them locally and then attempts to use a guessed password to verify the correctness of his/her guess using these authentication messages

If the illegitimate user Ul is trying to guess the user identity UIDi and password UPWi using either stolen smart device or any of the previously transmitted messages then the following steps will explain how the illegitimate user will not get success in guessing the password:

  1. The illegitimate User Ul guesses a password as UPWl.

    Get to Know The Price Estimate For Your Paper
    Number of pages
    Email Invalid email

    By clicking “Check Writers’ Offers”, you agree to our terms of service and privacy policy. We’ll occasionally send you promo and account related email

    "You must agree to out terms of services and privacy policy"
    Write my paper

    You won’t be charged yet!

    In order to legalize this password UPWl, the Illegitimate user needs UIDi s identity as well as biometric Bioi with yi = yu and zi = zu.

  2. To guess the password of the User UPWi, the illegitimate user Ul will require guessing Ui identity UIDi and biometric Bioi along with password UPWi. But, prediction of biometric information or forging it or stealing it is infeasible to achieve, hence the protocol is secure against offline?password?guessing attacks.
  3. If the illegitimate user tries to find out the sensitive information from any of the communicated messages of login and authentication phases, ie, or , then the chances of guess password and biometric are very little.

Brute force attack

The illegitimate user can be extract the security parameters of messages are like {M1, M2, M3, M4 and Ti} from the transmitted messages between GWNi and SNj for the brute force attack. Even the illegitimate user obtained these security parameter, they still could not find the password UPWi as the IAS secret key MK and also Secret keys of PKi and PKu. Therefore, the proposed scheme can resist the brute force attack.

  • M1 = h {PKi, Gen(.) }
  • M2 = h {CK = PKs, Xs, Ti, UIDi }
  • M3= h {PKi, UPWi}
  • M4= h {PKi, Aj}

Impersonation attacks

The illegitimate user Ul enters into the legal communication and retransmits the intercept message to SNj or GWNi if they could not calculate the session key. Because illegitimate user Ul needs to submit personal biometric information of Ui which calculates is impossible to impersonate. Also, if the illegitimate user Ul modifies the login or authentication phase messages, ie, or < Riu ,Hj , Vu , Tru ,Trs , Trg> . To establish a new session, Ul needs to alter the login request message UPg to UlPg= h { xi , Xs, Tru) and UPs to UlPs = n ? xi. The illegitimate user Ul attempt to login will fail at the gateway node, GWNi, as UPg will not match with Qi computed during authentication phase by GWNi.

Forgery attack

In this attack, an illegitimate user Ul computes Message M1 = h {UIDi, PKi, UPWi} and try to pretend to be a user Ui by sending a valid login and authentication request message. But this is absolutely impossible, because they would not know UPWi and UBioi. Suppose that the illegitimate user Ul computes the following forged message M = {M1, M2, Trs, UIDi}, and sends the message to GWNi via SNj.

  • M1 = h{PKf} ? h { UPKf , IDl} ? Tl
  • M2 = h {PKl, IDl, Tl}

where IDl is the identity of the illegitimate user, Tl is the timestamp generated by the illegitimate user Ul, PKl is the secret key of the illegitimate user, and PKf is the fake secret key of GWNi. Then, after computing M2 ? h {PKf } ? Tl, GWNi tries to search h{ PKf , IDl } in its database. If GWNi finds no matching value then it can be easily recognized that message is sent by the illegitimate user Ul not by the User Ui.

Stolen verifier attack

An attacker who steals the password verifier (e.g., hashed passwords) from the server can use the stolen verifier to impersonate a legal user to log in the system.

Our proposed scheme is not used any password tables, so there is no way that an illegitimate user Ul could not gather sensitive information of the user Ui. Thus the illegitimate User Ul could not try and impersonate a user on any other network. Furthermore, when the user Ui initiates the authentication phase, the gateway node GWNi forwards the message to the SNj sensor node so that the illegitimate user Ul cannot extract user Ui password from the message M1 = h { h { h { UPWi, PKi }, Xs } Xs, Trs}, because it is a complex one to calculate due to the one-way property of the hash function. Thus our scheme is resilient against stolen-verifier attacks.

Replay Attacks

The illegitimate user Ul can intercepted the transmitted messages or of any previous session. All the messages transmitted during login and authentication phases have timestamp value. Therefore, an illegitimate user Ul cannot retransmit their messages because the transmission delay ?T is very small. If illegitimate user Ul intercepts a login request message and attempts replaying this message again to a node, it will fail timestamp check because of |Trp ?T| < ?T where Trp denotes the time when the node received the replayed message.

Stolen smart card attack

When the smart card is lost or stolen, unauthorized users can easily change the password of the smart card, or can guess the password of the user by using password guessing attacks, or can impersonate the user to log in the system

Many cryptographic authentication schemes are used for securely store the user data in the smart card. Smart cards are in general tamper-resistant and are safe against simple information stealing. Let us assume a smart card has been lost by or stolen from a user then the illegitimate user has achieves the control of it. The illegitimate user Ul can crack the smart card and obtains the information of {MIDi, ei, fi, Xg } which is stored in the smartcard. If the illegitimate user is trying to use the stolen smart card, they would need to login with the smart card first. Even though they enter the smart card and get into login phase’s Step 1 successfully, but they could not know User Ui’s password and could not precede the Biometric fingerprint Biou. Because it is highly impossible to extract the password from ei = fi ? h { h { UPWi, UPKi }, Xg } , due to the one-way hash function. Thus, it is concluded that the proposed scheme is more strength against stolen smart card attack.

GWN bypassing attack

In this attack, the GWNi sometimes plays the role of a trusted third party. If the illegitimate user Ul enters GWNi would make that they enter into the authentication. This type of attack is not possible of our proposed scheme because it uses a four-step authentication model which is explained in Fig. 2. If the illegitimate user Ul wants to enter the SNj then they must connects with a gateway GWNi to initiate an authentication phase and not directly to the SNj node. In our proposed scheme the gateway node GWNi connects with the SNj after the authentication message has been initiated by the user Ui. So that sensor node SNj handover the authentication process to the GWNi, whereby the GWNi verifies both the sensor node SNj and the GWNi.

Cite this page

Security Analysis - User Identifications in the Network. (2019, Nov 21). Retrieved from

Security Analysis - User Identifications in the Network

👋 Hi! I’m your smart assistant Amy!

Don’t know where to start? Type your requirements and I’ll connect you to an academic expert within 3 minutes.

get help with your assignment