A Provably Secure Two-Factor Authentication Scheme for USB Storage Devices

Universal Serial Bus (USB) is widely used, for example to facilitate hot-swapping and plug-and-play. However, USB ports can be exploited by an adversary to extract private or personal data from the connected devices. Hence, a number of organizations and workplaces have prohibited their employees from using USB devices, and there have been efforts to design secure USB storage device schemes that more effectively resist known security attacks. However, designing such schemes is challenging. For example, in this article we revisit the scheme of Wei et al. and demonstrate that it is vulnerable to attacks such as password guessing and user impersonation. We also explain that the scheme does not verify the correctness of the user's input in the login phase, which is another design flaw. We then present an improved scheme and prove it secure in the random oracle model.
