
Mutual authentications to parties with QR-code applications in mobile systems

  • Regular Contribution
International Journal of Information Security

Abstract

User authentication over the Internet has long been an issue for Internet service providers and users. A good authentication protocol must provide high security and mutual authentication on both sides. In addition, it must balance security and usability, which has been shown in the literature to be a difficult problem. To solve this problem, we propose a novel mutual authentication protocol with high security and usability. The proposed protocol was developed for quick response code, a type of two-dimensional barcode that can be photographed and quickly decoded by smartphones. We implemented a prototype using the proposed mutual authentication protocol and demonstrated how the prototype improves usability in a mobile communication system. We also used the Gong–Needham–Yahalom logic with several well-known attack models to analyze the security of the proposed protocol, and we obtained satisfactory results. We expect that using the proposed protocol, Internet service providers will be able to provide a mutual authentication mechanism with high security and usability.



Acknowledgments

This research was partially supported by the National Science Council of the Republic of China under the Grant MOST 105-2221-E-008-070-MY2, MOST 104-2221-E-015-001-, NSC 101-2218-E-008-003-, and the Software Research Center, National Central University, Taiwan.

Author information


Corresponding author

Correspondence to Shiuh-Jeng Wang.


About this article


Cite this article

Huang, CT., Zhang, YH., Lin, LC. et al. Mutual authentications to parties with QR-code applications in mobile systems. Int. J. Inf. Secur. 16, 525–540 (2017). https://doi.org/10.1007/s10207-016-0349-6


  • DOI: https://doi.org/10.1007/s10207-016-0349-6
