On the Security of a Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services

ABSTRACT

Recently, Tsai and Lo proposed a privacy-aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

EXISTING SYSTEM

We have analyzed a recently proposed user authentication scheme for wireless sensor networks and identified its vulnerabilities and limitations. We have also proposed an efficient authentication scheme with unlinkability for wireless sensor networks that eliminates the identified security flaws and improves efficiency. Meanwhile, our proposed scheme provides relatively more security features, such as resilience against the weak stolen smart card attack, user anonymity, and unlinkability, without causing too much overhead. The proposed solution provides a secure authentication system offering balanced features in terms of security and performance.

PROPOSED SYSTEM

To this end, Tsai and Lo proposed an efficient authentication scheme using an identity-based cryptosystem for distributed mobile cloud computing services. Their scheme has the following advantages. First, a mobile user can access multiple services from different mobile cloud service providers using only a single private key. Second, no verification table needs to be implemented at the service providers or the trusted third party. Third, the trusted third party is not required to be involved in regular user authentication sessions, thus greatly reducing the total user authentication processing time.
Finally, due to the use of bilinear pairing on an elliptic curve, their scheme consumes fewer computing resources on both the mobile devices and the service providers. It is claimed that the scheme achieves mutual authentication, key exchange, user anonymity, and user untraceability, and withstands all major security threats.
However, we observe that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. We then provide some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics.

CONCLUSION

We have analyzed an efficient and provably secure authentication scheme for mobile computing services by Tsai and Lo. Although their scheme is equipped with a claimed proof of provable security, we have pointed out that the scheme fails to achieve mutual authentication by demonstrating its vulnerability to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen.
We have provided some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics. A natural direction for further study is to design a secure and efficient authentication scheme for distributed mobile cloud services.