An integrated user authentication and access control scheme without public key cryptography

Conventionally, user authentication and access control are implemented as two separate security mechanisms in many distributed systems. An integrated design of user authentication and access control may perform better in terms of both security and computational complexity. We discuss the pros and cons of the separate approach and the integrated approach, and then propose a new integrated scheme that does not use public key cryptography. The new scheme has several practical merits: no user-sensitive data is stored on the server, the server keeps no access list or capability list, the computational cost is extremely low, users are free to choose their own passwords, and authentication is mutual.
