International Journal of Network Security, Vol.18, No.1, PP.143-150, Jan. 2016

3C-Auth: A New Scheme for Enhancing Security

Narasimhan Harini and Tattamangalam R. Padmanabhan (Corresponding author: Narasimhan Harini)
Department of Computer Science and Engineering & Amrita University, Amritanagar P.O., Ettimadai, Coimbatore 641 112, India (Email: nharini2003@gmail.com)
(Received Aug. 1, 2013; revised and accepted May 20 & Nov. 3, 2014)

Abstract

A multi-factor authentication scheme called 3C-Auth is proposed in this paper. The scheme carries out a comprehensive authentication process using the smart card, secret pin, registered fingerprint, and registered mobile number of the user. The user's password is neither transmitted in plaintext form nor revealed to the authentication server. The scheme is shown to be proof against phishing, password guessing, replay, and stolen-verifier attacks. Resistance to parallel session and denial of service attacks, together with the use of QR-code in preference to SMS for OTP transfer, make the scheme attractive for operation under peak loads. Integration of 3C-Auth into the Multi-Layered Filtering (MLF) scheme leads to secure handling of peak loads on the server, ensuring concurrency and availability as well. This clearly enhances the QoS in terms of granting the right admittance to the right resources.

Keywords: Authentication, peak load, QR-code, smart-card

1 Introduction

As Internet services become more popular and pervasive, a serious problem that arises is managing the performance of services under intense load. One of the most challenging problems for the public Internet is the delivery of performance targets to users given the randomness of Web accesses. The Internet has become indispensable for business and more and more people rely on it for their day to day activities; in turn it evolves continuously and is subject to more and more cyber security threats. Analysis of security breaches and other cyber security issues, with particular focus on personal privacy and data security, has been an active research area over the past two decades.
A multifactor authentication scheme named 3C-Auth is presented in this paper that uses true authentication to protect resources with high security requirements; it expects the user to possess all the tokens (smart card, secret pin, registered fingerprint and registered mobile phone) to prove his/her identity. The rest of the paper is organized as follows: relevant research in the literature which forms the motivation for the present work is reviewed in Section 2. Sections 3 and 4 detail the proposed scheme and analyze its performance. Integration of the scheme with the MLF (Multi Layer Filtering) architecture [2, 3] is presented in Section 5 and conclusions are in Section 6.

2 Related Work

2.1 Internet Architecture

The changeover from the academic Internet to a multifunctional business Internet puts much higher requirements on the architectural supports to control and balance the interests of all stakeholders (like users, service providers, data owners, etc.). Their hopes and expectations for new applications and services demand new architectures that overcome the fundamental limitations of the Internet like lack of data identity, lack of methods for reliable processing, real-time dispensation, scaling to deal with flash crowds, and so on. Since its creation, the Internet has been driven by a small set of fundamental design principles rather than being based on a proper formal architecture created on a whiteboard by a standardization or research group. The architectural principles and design model of the Internet are all about processing, storing, transmitting and controlling data. This trend is bound to escalate in the future, pointing to a clear need for extensions, enhancements, and re-engineering in the Internet architecture. While improvements are needed in each dimension, these should be cohesive, demanding a holistic approach. The architecture can be generalized to suit different categories of applications by integrating admittance control policies that provide metric-based differentiation and consequently maximize the profit earned for having serviced a certain class of requests [16].

Research in this area has identified some key approaches to face overload, such as admission control (per request, per session), request scheduling, service differentiation, service degradation, and resource management.
2.2 Current State of Internet Services and Authentication Requirement

The following form the key features of the state of the art of Internet services: generic nature; accommodation of technological innovations; robustness at times of overload. As access to more and more services is pushed online, the range of sensitive information that a user must protect widens with time. It is equally important to understand that complicated security schemes will not achieve widespread adoption among Internet users. Today hackers have the option of using many techniques to steal passwords, such as shoulder surfing, snooping, sniffing, guessing, etc., implying that businesses should use a commensurately secure approach. The challenge here is to balance strong security with usability. One Time Passwords (OTPs) for single session/transaction usage have been identified as the best way of protecting online transactions.

2.3 Authentication Schemes

In 1981, Lamport proposed a scheme to authenticate a remote user on a remote server over an insecure network. The requirement for storing verification tables used by the scheme was overcome by a scheme proposed in [7]. Later [10] proposed a new remote authentication based on the ElGamal crypto scheme exploiting the tamper resistance property of smart cards. Most of the identity-based remote authentication schemes proposed by researchers [7, 10, 13, 16] rely primarily on passwords for security. These schemes are vulnerable to dictionary attacks [6]. To overcome this problem a random cryptographic secret key could be used [14]. However, such large key values are difficult to remember and hence need to be stored somewhere. Further, these strong passwords and secret keys fail to provide non-repudiation. The authentication schemes of Khan et al. and Li et al. use biometric keys with advantages such as: cannot be lost, difficult to forge, cannot be guessed, etc. [10] proposed an efficient biometric-based smart card authentication scheme.
[7] showed that the scheme makes two assumptions to ensure its correctness and security that may restrict its use for real-time applications. [8] proposes a generic framework for preserving security in distributed systems. The three-factor authentication scheme in [7] is based on password, smart card and biometric characteristics. The authors claim two benefits in the usage of a fuzzy extractor: elimination of the assumption of the Li-Hwang scheme that stores the hash of the biometric template; use of biometric authentication that supports reasonable tolerance. In the analysis of their scheme the authors have shown how their protocol is secured against attackers of Type I (smart card and biometric), Type II (password and biometric), and Type III (smart card and password). Although the generic construction proposed by Huang et al. satisfies the security requirements of three-factor authentication, the system may fail to secure resources that require a very high degree of security, the reason being that biometric systems that are fast with a false rejection rate under 1% (together with a reasonably low false acceptance rate) are rare even today.

2.4 Security with OTP

Authentication of users in a distributed environment is an increasingly difficult task. As networks and software grow in sophistication, so do the means and methods of malicious attackers. Today computer crackers use enormous resources to obtain the information necessary to impersonate other users. Authentication systems based on one-time passwords [5] provide more reliability than those based on remembered/stored ones. Hence, security-sensitive industries (banks, government etc.) deploy one-time password systems to reduce the damage of phishing and spyware attacks.

2.4.1 SMS-OTP

Most two-factor authentication schemes authenticate users based on what they know and what they have, incorporating a token-less second factor (e.g. mobile). Each method has a reason to exist based on design criteria for the overall usage. Online banking is a good example where strong remote authentication is guaranteed using two factors as the de facto standard.
In practice, the first factor is usually in the form of a PIN or password that the user types (for instance) into a web-based Internet application. The second factor is usually in the form of a mobile phone that is known to be able to receive an OTP as an SMS directed to a particular mobile phone number. If the user successfully retypes this OTP into the web application, the second authentication factor is regarded as successfully verified (i.e. the user has the mobile phone). Security of the aforesaid scenario relies on the practical difficulty for an attacker to simultaneously compromise the operating environment of both the particular phone and the web browser where the user part of the serving application runs.

2.4.2 Problems with SMS-OTP

The main problems with the SMS-OTP design arise under overloaded situations. These are:
- delay in delivery of SMS;
- low coverage areas;
- non-availability of the mobile phone;
- downtime of the SMS gateway;
- non-availability of service for roaming users;
- high cost for roaming users;
- complexity associated with the sequence of operations in obtaining the OTP from SMS when the mobile phone is used for connecting to the Internet.

2.4.3 Authentication Using QR Code

In 2002, Clarke et al. suggested the usage of camera-based devices as an alternative but more secure authentication method for critical transactions with untrusted computers. With the explosive growth in the number of camera-equipped smart phones around us, mobile-based authentication [11] may become a popular authentication method in the near future. The QR-code (a two-dimensional barcode), as introduced by the Japanese company Denso-Wave in 1994, is a more effective alternative. Its error correction capability facilitates data restoration even under conditions when substantial parts of the code are damaged. Modern cellular phones are natively equipped with QR-code decoding software. For camera phones that are not equipped with QR-code readers, Quick-Mark and i-nigma are free tools, available for many models and devices, that decode QR-codes free of cost, depending on the data recognized and the nature of the application.

2.4.4 Summary of Findings

The Internet has become the most important platform for business relations and social interactions. The rapid growth of the Internet of Things and Services clearly shows that the ever increasing number of physical items of our daily life which become addressable through a network could be made more easily manageable and usable through the use of Internet services. This range of exposed resources, along with the level of privacy and value of the information they hold and the increase in their usage, has led to an escalation in the number of security threats and violation attempts that existing systems do not appear robust enough to address.
The Internet architecture of tomorrow must meet the changing requirements of the Internet, ISPs (Internet Service Providers), users etc. Perhaps one of the most compelling problems of the modern Internet is the lack of a comprehensive and unifying approach to deal with service concurrency, security, and availability, particularly at times of overload. It is also important to understand that the Internet and its users are under continuous attack, i.e., security is the underlying problem for many Internet services. One has to clearly understand that the impact of an attack can be major, and can include costly and embarrassing service disruptions, downtime, lost productivity, stolen data, regulatory fines, and irritated customers. Strong authentication has no precise definition; it is not a strictly mathematical concept with quantitative measurements but rather a qualitative measure that is evaluated using a relative scale. The present sophistication level of hackers demands authentication schemes based on more than one factor. Evaluating multi-factor authentication solutions calls for a look into the following measures: security and scalability of the technology; hurdles to user adoption; cost; deployability.

3 Proposed Scheme

The primary goal here is to enhance the performance of the Multi-layered Filtering (MLF) scheme and enable real-world applications to take advantage of this added functionality. A scheme that performs admission control with enhanced multi-factor authentication, called 3C-Auth, is proposed in this paper and evaluated for efficiency. The scheme provides true authentication by expecting the user to possess all the relevant tokens (smart card, secret pin, registered fingerprint, and registered mobile phone) to prove his/her identity. The benefits of the scheme include:
- NOT revealing the user's password to the server;
- NOT transmitting passwords in plaintext over the Internet; and at the same time
- RESISTING the major possible attacks like replay attack, password guessing attack, stolen-verifier attack, and phishing attack.
The scheme operates in two phases, namely registration and login-authentication. Table 1 lists the notation used in the two phases.

3.1 Registration Phase

Figure 1 depicts the activities in the registration process. As shown in Figure 1, it involves the steps/activities in Algorithm 1. The sequence of operations for registering ONE user is illustrated in Figure 2.

3.2 Login Phase

When U_i wishes to login to the server (S), he/she must insert the smart card into a card reader, provide the biometric data BF, capture the QR code displayed on the web page, decrypt it using the software installed in the mobile, and present the OTP for authentication purposes. The sequence is shown in block diagram form in Figure 3.
Table 1: Table of notations

Notation        Description
U_i             i-th user
ID              Unique identifier of the i-th user
PWD             Password of the i-th user
d               Private key in RSA
e               Public key in RSA
n               Computed as the product of the chosen prime numbers (p and q)
g               Generator element primitive to GF(p) and GF(q)
SID             Smart card identifier of the i-th user
IMEI            International Mobile Station Equipment Identity
IMSI            International mobile subscriber identity
MID             Unique key for the mobile of the i-th user
R_1 and R_2     Random numbers chosen for verification
T_s             Time at which the request is generated
BF              Biometric feature of the i-th user
R_c             Random challenge (in this context, the One Time Password)

Figure 1: Registration process
Figure 2: Registration process
Figure 3: Login phase
Algorithm 1 Steps in registration process
1: Begin
2: The user U chooses a password PWD and provides his/her biometric feature BF.
3: The registration server sequences through the following further steps:
4: while More users to register do
5: Assigns an ID for the user and generates two large prime numbers p and q, and computes $n = p \cdot q$. For security reasons, the lengths of p and q are recommended to be 512 bits at least.
6: Chooses integers e and d which satisfy $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$. Further it also finds an integer g which is a primitive element in both GF(p) and GF(q).
7: Generates a smart card identifier SID for the user U. In addition it generates a mobile phone identifier MID = (IMEI, IMSI) for the user U.
8: Calculates U's secret information as
   $S = ID \cdot SID^{d} \bmod n$
   $V = g^{d \cdot BF} \bmod n$
   $MS = ID \cdot MID^{d} \bmod n$
   $MV = g^{d \cdot PWD} \bmod n$.
9: Stores (ID, SID, MID, S, V, MS, MV, n, e, g) in the smart card, installs an application (for capturing and decoding the QR code after obtaining the secret pin from the user) in the user's mobile and issues the smart card to the user U over a secure channel.
10: end while
11: End

Figure 4: Authentication phase

Algorithm 2 Verification of possession of biometric characteristics and smart card
1: Begin
2: Check if ID is a valid user identity and SID is a legal smart card identity; if not, reject the login request.
3: Check if $T_s$ is within the legal time interval limit due to transmission delay (may be initialized in the SLA, service level agreement); if not, reject the login request.
4: Verify if $Y^{e} \stackrel{?}{=} ID \cdot SID \cdot X^{T_s} \bmod n$. The equation holds iff the biometric feature presented at login equals the registered BF, i.e. the correct biometric value is provided during the login phase. That is because, with $Y = S \cdot V^{R_1 \cdot T_s} \bmod n$,
   $Y^{e} = (S \cdot V^{R_1 \cdot T_s})^{e} \bmod n = ID \cdot SID^{d \cdot e} \cdot g^{d \cdot BF \cdot e \cdot R_1 \cdot T_s} \bmod n$
   (since $d \cdot e \equiv 1 \pmod{(p-1)(q-1)}$ by step 6 of Algorithm 1, we have)
   $= ID \cdot SID \cdot g^{BF \cdot R_1 \cdot T_s} \bmod n$,
   while, with X computed from the biometric presented at login,
   $ID \cdot SID \cdot X^{T_s} \bmod n = ID \cdot SID \cdot (g^{BF \cdot R_1})^{T_s} \bmod n = ID \cdot SID \cdot g^{BF \cdot R_1 \cdot T_s} \bmod n$.
5: End

3.3 Authentication Phase

The authentication phase (Figure 4) is executed by the remote host to determine whether U is allowed to login or not.
The steps in the login process are shown in Figure 3. The authentication server, upon receiving the login request from the user, verifies the possession of smart card, biometric feature, and mobile phone as described in Algorithms 2 and 3.

4 Strengths of 3C-Auth

Resistance of the proposed method to different possible security attacks is explained here.

4.1 Parallel Session Attack

Here an attacker impersonates a legitimate user by intercepting the login request (ID, SID, S, V, M, N, n, e, g, $T_s$) and attempting to modify it to succeed in authentication. However, the attacker has no way of obtaining the biometric feature BF, PWD, and the random numbers $R_1$ and $R_2$; hence he/she cannot compute M, N, X, and Y, which depend on PWD and $R_1$; a valid request cannot be created and the attempt fails. Hence it follows that the proposed scheme is secured against this type of attack.

4.2 Password Guessing Attack

The attacker attempts to guess the user's secret parameters here. Although one can extract the parameters (n, e, g, S, V, MS, MV) from the user's smart card, obtaining BF or PWD from the smart card without the knowledge of d, from $g^{d \cdot BF}$ and $g^{d \cdot PWD}$, is not possible. Thus the difficulty of obtaining the discrete logarithm secures the scheme from password guessing attack even under stolen smart card situations.
Algorithm 3 Verification of possession of secret pin and mobile phone
1: Begin
2: Confirm if ID is a valid user identity and MID is a legal mobile phone identity; if not, reject the login request.
3: Confirm if $T_s$ is within the legal time interval limit due to transmission delay (may be initialized in the SLA, service level agreement); if not, reject the login request.
4: Check whether the following equation holds: $N^{e} = ID \cdot MID \cdot M^{R_c \cdot T_s} \bmod n$. The equation holds iff $R_2 = R_c$, i.e. the correct OTP is provided by the user during the login phase. The correct OTP can be obtained only on the mobile on which the application software was installed during the registration phase, and only if the password provided to it is correct. This is because, with $N = MS \cdot MV^{R_2 \cdot T_s} \bmod n$,
   $N^{e} = (MS \cdot MV^{R_2 \cdot T_s})^{e} \bmod n = ID \cdot MID^{d \cdot e} \cdot g^{d \cdot PWD \cdot e \cdot R_2 \cdot T_s} \bmod n = ID \cdot MID \cdot g^{PWD \cdot R_2 \cdot T_s} \bmod n$,
   while $ID \cdot MID \cdot M^{R_c \cdot T_s} \bmod n = ID \cdot MID \cdot g^{PWD \cdot R_c \cdot T_s} \bmod n$.
   If the login request is rejected three times the user account is locked. He/she has to contact the registration server to unlock the account.
5: End

4.3 Resistance to Replay Attack

Intercepting the login request message (ID, SID, S, V, M, N, n, e, $T_s$) of a user U and replaying the same message to the server is useless because the card reader puts a new timestamp in each new login request. The verification equations $Y^{e} \equiv ID \cdot SID \cdot X^{T_s} \pmod n$ (Algorithm 2) and $N^{e} \equiv ID \cdot MID \cdot M^{R_c \cdot T_s} \pmod n$ (Algorithm 3) will fail during the authentication phase.

4.4 Denial of Service Attack

In the proposed scheme an adversary can use invalid IDs, PWDs and BFs and overload the server by continuously keeping it busy. Even though an initial filtering for this type of attack takes place in Stage I of the MLF architecture, non-legitimate requests that pass Stage I of MLF are blocked by the proposed scheme. This is obvious from the fact that a valid login request cannot be created (as discussed in Section 4.1). Further, after three unsuccessful attempts the scheme automatically locks the user's account; the same can be unlocked only with the help of the registration server.
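The arithmetic of Algorithms 1 to 3, the timestamp window of step 3 and the three-strikes lockout, as an added runnable Python model; it is constructed for this page and is not the authors' implementation. Its assumptions: toy primes (1009, 1013) and small constructed sample values stand in for the 512-bit parameters; the card stores S = (ID * SID)^d and MS = (ID * MID)^d, the form under which the step S^e = ID * SID in the derivation of Algorithm 2 holds (the extracted text of Algorithm 1 reads S = ID * SID^d, whose e-th power would carry ID^e); X = g^(BF * R1) and M = g^PWD are read off the derivations, and the login message carrying (ID, SID, MID, X, Y, M, N, T_s) is the example's own layout; the 30 second window, the rejection of a re-used T_s, and every class and function name are likewise the example's own.

```python
import secrets

def is_primitive_root(g, prime):
    """True iff g generates the whole multiplicative group of GF(prime) (brute force; toy sizes only)."""
    g = g % prime
    return g > 1 and all(pow(g, k, prime) != 1 for k in range(1, prime - 1))

def find_common_generator(p, q):
    """Algorithm 1, step 6: smallest g primitive in both GF(p) and GF(q)."""
    return next(g for g in range(2, p * q) if is_primitive_root(g, p) and is_primitive_root(g, q))

def generate_keys(p, q, e=65537):
    """Algorithm 1, steps 5-6: n = p*q and an RSA pair with e*d = 1 mod (p-1)(q-1).
    pow() raises ValueError if e is not invertible modulo (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

def register(ID, SID, MID, BF, PWD, n, e, d, g):
    """Algorithm 1, steps 8-9: secret values written to the smart card. Assumption:
    S and MS raise the whole product to d, so that S^e = ID*SID (mod n)."""
    return {"ID": ID, "SID": SID, "MID": MID, "n": n, "e": e, "g": g,
            "S": pow(ID * SID, d, n), "V": pow(g, d * BF, n),
            "MS": pow(ID * MID, d, n), "MV": pow(g, d * PWD, n)}

def build_login_request(card, BF_live, PIN_typed, otp, T_s, R1=None):
    """User side of the login phase: BF_live is the fingerprint captured now, PIN_typed
    the secret pin entered in the mobile app, otp the value decoded from the QR code
    (R_2 in the paper), T_s the card reader's timestamp. Message layout is assumed."""
    n, g = card["n"], card["g"]
    R1 = R1 if R1 is not None else secrets.randbelow(1 << 32) + 1
    X = pow(g, BF_live * R1, n)                          # depends on the live fingerprint
    Y = card["S"] * pow(card["V"], R1 * T_s, n) % n      # depends on the registered one
    M = pow(g, PIN_typed, n)                             # depends on the typed pin
    N = card["MS"] * pow(card["MV"], otp * T_s, n) % n   # registered pin and decoded OTP
    return {"ID": card["ID"], "SID": card["SID"], "MID": card["MID"],
            "X": X, "Y": Y, "M": M, "N": N, "T_s": T_s}

class AuthServer:
    """Algorithms 2 and 3; the server holds only public data, never BF or PWD."""
    MAX_FAILURES = 3   # three rejected logins lock the account (Algorithm 3, step 4)

    def __init__(self, n, e, users, window=30):      # users: ID -> (SID, MID); window: SLA skew (s)
        self.n, self.e, self.users, self.window = n, e, users, window
        self.challenges, self.failures, self.locked, self.last_ts = {}, {}, set(), {}

    def issue_challenge(self, ID, R_c=None):
        """One-time challenge R_c, which the web page would encode in a QR code."""
        self.challenges[ID] = R_c if R_c is not None else secrets.randbelow(10**6) + 1
        return self.challenges[ID]

    def verify(self, req, now):
        ID = req["ID"]
        if ID in self.locked:
            return False, "account locked"
        ok, reason = self._check(req, now)
        if ok:
            self.failures[ID], self.last_ts[ID] = 0, req["T_s"]
            self.challenges.pop(ID, None)                  # R_c is single use
        else:
            self.failures[ID] = self.failures.get(ID, 0) + 1
            if self.failures[ID] >= self.MAX_FAILURES:
                self.locked.add(ID)
        return ok, reason

    def _check(self, req, now):
        n, e = self.n, self.e
        ID, SID, MID, T_s = req["ID"], req["SID"], req["MID"], req["T_s"]
        if self.users.get(ID) != (SID, MID):               # Alg. 2/3, step 2
            return False, "unknown ID, card or phone"
        if abs(now - T_s) > self.window:                   # Alg. 2/3, step 3
            return False, "timestamp outside legal interval"
        if T_s <= self.last_ts.get(ID, -1):                # added hardening: no T_s re-use
            return False, "timestamp already used"
        # Alg. 2, step 4: Y^e == ID*SID*X^T_s (mod n) iff the live fingerprint matches
        if pow(req["Y"], e, n) != ID * SID * pow(req["X"], T_s, n) % n:
            return False, "biometric/smart-card check failed"
        R_c = self.challenges.get(ID)
        # Alg. 3, step 4: N^e == ID*MID*M^(R_c*T_s) (mod n) iff pin and OTP are right
        if R_c is None or pow(req["N"], e, n) != ID * MID * pow(req["M"], R_c * T_s, n) % n:
            return False, "pin/OTP check failed"
        return True, "ok"

def demo():
    """One registration, then logins with a bad fingerprint, a bad OTP, good credentials,
    a replay after the window, and repeated bad pins until the account locks."""
    p, q = 1009, 1013                                   # constructed toy primes (paper: >= 512 bits)
    g, (n, e, d) = find_common_generator(p, q), generate_keys(p, q)
    ID, SID, MID, BF, PIN, T_s = 101, 2024, 555, 4242, 7391, 1_700_000_000   # constructed values
    card = register(ID, SID, MID, BF, PIN, n, e, d, g)
    server = AuthServer(n, e, {ID: (SID, MID)})
    R_c = server.issue_challenge(ID, R_c=314159)
    login = lambda bf, pin, otp, ts: build_login_request(card, bf, pin, otp, ts, R1=12345)
    out = {"wrong_fingerprint": server.verify(login(BF + 1, PIN, R_c, T_s), now=T_s),
           "wrong_otp": server.verify(login(BF, PIN, R_c + 1, T_s), now=T_s)}
    good = login(BF, PIN, R_c, T_s)
    out["valid"] = server.verify(good, now=T_s)
    out["replay_later"] = server.verify(good, now=T_s + 60)     # stale T_s, Section 4.3
    R_c = server.issue_challenge(ID, R_c=271828)
    for _ in range(2):                                           # two more failures -> locked
        out["wrong_pin"] = server.verify(login(BF, PIN + 1, R_c, T_s + 10), now=T_s + 10)
    out["after_lock"] = server.verify(login(BF, PIN, R_c, T_s + 20), now=T_s + 20)
    return out
```

Running `demo()` shows the two equality checks doing the work of Algorithms 2 and 3: the server compares Y^e with ID * SID * X^(T_s) and N^e with ID * MID * M^(R_c * T_s), both computable from public values, so neither BF nor the pin ever reaches it. The lockout counter and the timestamp checks are the only state the server keeps per user beyond (SID, MID).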
4.5 Resistance to Phishing Attacks

The aim of phishing is mainly to collect private information that can be used to impersonate victims. A possible reading of the QR code (and extraction of the OTP) by a hacker yields only the encrypted value of $R_1$; even if he manages to access the data typed by the user, the private key remains inaccessible thanks to the strength of the RSA scheme. Thus the phishing attempt fails.

5 Integration of 3C-Auth with MLF

MLF is a practical (secured-concurrent-available) end-to-end framework based on admission control policies, a strategy that achieves robust performance on a wide range of Internet services subject to huge variation in load. MPAC (Multi Phase Admission Control) [3] enhances MLF to maximize the reward earned for having serviced a particular class of requests. The 3C-Auth scheme described here can be integrated with this enhanced MLF framework to make it more comprehensive by adding security assurance. The integration involves two steps, namely: 1) enhancing the SLA to include new features specific to authentication; 2) modifying the admission control policy to support 3C-Auth. The 3C-Auth process is to be inserted at Stage II of the MLF framework at the Access Node component. Request processing in Stage II of the comprehensive MLF scheme is illustrated in Figure 5.

Figure 5: Request processing in Stage II of enhanced MLF (MLF+MPAC)

5.1 Service Level Agreement

The SLA that spells out the scope of the service provider's allotment to the e-commerce system in terms of resource capacity and time commitment used in MPAC is shown as follows:

Contract: Ecommerce System
  Service : Classification of Customers
    Customer Class = Premium, Ordinary, New
    Inter-session States = Home, Browse, Item, Addcart, BuyReq, BuyConfirm
  Service : Processing Requests (Peakload)
    Availability > $minavailability;
    TimeBound < $maxdelay;
    Throughput > $minthroughput;
    Utilization < $maxutilization;
    WeightAdjustment(Forward) = $weight(positive)
    WeightAdjustment(Backward) = $weight(zero, negative)

The template can be modified to support 3C-Auth by including the following specifications:

Security: Authservice
  Service : Servicename /* Generic */
    Resource Class = Unclassified, secret, topsecret
    Factors Class = Password/PIN, Hardwaretoken, Bio-Hard, Softtoken
    Protocol Class None, 2CAuth, 3C-Auth
  Service : News /* instance */
    Resource Class Unclassified
    Registration
    Factors Class
    Protocol Class None
  Service : Internet Banking
    /* Announcements regarding new schemes for loans */
    Resources Class Unclassified
    Registration
    Factors Class
    Protocol Class
    // Online banking
    Resources Class topsecret
    Registration REQUIRED
    Factors Class PIN, Hardwaretoken (Smart card), Softtoken
    Protocol Class 2CAuth [3]

5.2 Admission Control Policy

MPAC uses a reward function defined by the application/service provider to improve the QoS using service differentiation. It computes the expected reward and the cost incurred in servicing the request and uses them as basic parameters to prioritize customers for e-commerce applications. The scheme can be made more comprehensive by re-computing priorities with authentication factors as well, for better security assurances. This is achieved in the comprehensive MLF framework (MLF + MPAC + 3C-Auth) as follows:
- Resources added to the pool are tagged with weights (based on the SLA) that specify the number of factors required to access them;
- Incoming requests from Stage I are directed to the access nodes by the public server for authentication;
- The access nodes proceed to authenticate users by assigning an initial weight of 0 to each request and updating it as per the credentials (number of factors) validated;
- Possessed weights are compared with the tagged weights associated with the resources, and in case of a match in their weights access to the resource is permitted.
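The access-node policy of Section 5.2, applied to the SLA template of Section 5.1, as an added Python example constructed for this page (not the MLF/MPAC code): each resource entry is tagged with the number of factors its Factors Class lists, a request starts at weight 0 and gains one per validated factor that the SLA actually names, and access is granted on a match. The SLA instances are constructed from the template; the "Funds transfer" entry with all four factors under 3C-Auth, the extra check that the protocol run matches the SLA's Protocol Class, and all names are the example's own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceSLA:
    """One 'Service' entry of the 'Security: Authservice' template (Section 5.1)."""
    name: str
    resource_class: str      # Resource Class: Unclassified, secret or topsecret
    factors: frozenset       # Factors Class, e.g. {"PIN", "Hardwaretoken", "Softtoken"}
    protocol: str            # Protocol Class: "None", "2CAuth" or "3C-Auth"

    @property
    def tagged_weight(self):
        """Weight attached when the resource joins the pool: number of factors required."""
        return len(self.factors)

# Constructed SLA instances modelled on the template in Section 5.1
SLA = {
    "News": ResourceSLA("News", "Unclassified", frozenset(), "None"),
    "Online banking": ResourceSLA("Online banking", "topsecret",
                                  frozenset({"PIN", "Hardwaretoken", "Softtoken"}), "2CAuth"),
    # assumed entry: a resource requiring all four factors via 3C-Auth
    "Funds transfer": ResourceSLA("Funds transfer", "topsecret",
                                  frozenset({"PIN", "Hardwaretoken", "Bio-Hard", "Softtoken"}),
                                  "3C-Auth"),
}

def request_weight(sla, validated):
    """Access node: start at 0 and add 1 per validated factor that the SLA lists.
    Factors the SLA does not ask for earn nothing, so a surplus credential can never
    stand in for a missing one."""
    weight = 0
    for factor in validated:
        if factor in sla.factors:
            weight += 1
    return weight

def admit(resource, validated, protocol_run):
    """Grant access iff the request's weight matches the resource's tagged weight and
    (assumed extra check) the protocol that produced the credentials is the SLA's."""
    sla = SLA[resource]
    if protocol_run != sla.protocol:
        return False
    return request_weight(sla, validated) == sla.tagged_weight

def demo():
    """Admission decisions for a few constructed requests."""
    two = {"PIN", "Hardwaretoken"}
    three = two | {"Softtoken"}
    four = three | {"Bio-Hard"}
    return {
        "news_anonymous": admit("News", set(), "None"),
        "banking_two_factors": admit("Online banking", two, "2CAuth"),
        "banking_three_factors": admit("Online banking", three, "2CAuth"),
        "banking_wrong_protocol": admit("Online banking", three, "3C-Auth"),
        "transfer_three_factors": admit("Funds transfer", three, "3C-Auth"),
        "transfer_four_factors": admit("Funds transfer", four, "3C-Auth"),
    }
```

Because the weight counts only factors the SLA names, presenting a fingerprint to the "Online banking" resource adds nothing; the request still needs exactly the PIN, hardware token and soft token that its entry tags.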
5.3 Results of Integration

The performance analysis demonstrated that the presented scheme performs a comprehensive authentication process satisfying the important requirements, including friendliness, resistance to various kinds of sophisticated attacks, and resistance to the use of stolen credentials. Further, the resistance offered by the scheme to parallel session attack and denial of service attack makes the scheme more suitable for operation under peak loads. QR-code based OTP has been found to show improved performance at peak load times compared to the SMS-OTP method. With instantaneous SMS delivery the performance was on par with that of the SMS-OTP scheme. The vulnerability associated with the in-absentia verification of the user is effectively handled by the scheme. Moreover, the scheme was found to be more user-friendly without sacrificing security assurances. With all these benefits, the contribution of the scheme towards improvement in QoS in terms of granting the right access to resources can be considered significant.
6 Discussions and Conclusions

The proposed protocol is simple, fast and efficient if the user provides valid credentials for authentication. A detailed analysis of the proposed scheme has clearly brought out its advantages over authorization methods that use SMS to thwart attacks. Moreover, the scheme aptly fits at the access nodes in the enhanced MLF architecture, making it more user-friendly without sacrificing security assurances. Improving the computational efficiency of the scheme is an interesting area of work; it can add substantially to its effectiveness.

References

[1] T. H. Feng, C. H. Ling, and M. S. Hwang, Cryptanalysis of Tan's improvement on a password authentication scheme for multi-server environments, International Journal of Network Security, vol. 16, no. 4, pp. 318-321, 2014.
[2] N. Harini and T. R. Padmanabhan, A secured-concurrent-available architecture for improving performance of web servers, in Proceedings of the 6th International Conference on Information Processing (ICIP 2012), pp. 621-631, Bangalore, India, Aug. 10-12, 2012.
[3] N. Harini and T. R. Padmanabhan, Admission control and request scheduling for secured-concurrent-available architecture, International Journal of Computer Applications, vol. 63, no. 6, pp. 24-30, 2013.
[4] N. Harini and T. R. Padmanabhan, 2CAuth: A new two factor authentication scheme using QR-code, International Journal of Engineering and Technology (IJET), vol. 5, no. 2, pp. 1087-1094, 2013.
[5] N. Harini, T. R. Padmanabhan and C. K. Shyamala, Cryptography and Security, Wiley India, First Edition, 2011.
[6] D. He, W. Zhao, and S. Wu, Security analysis of a dynamic ID-based authentication scheme for multi-server environment using smart cards, International Journal of Network Security, vol. 15, no. 5, pp. 350-356, 2013.
[7] C. H. Huang, J. S. Chou, and Y. Chen, Improved multi-server authentication protocol, International Journal of Security and Communication Networks, vol. 5, no. 3, pp. 331-341, 2012.
[8] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, A generic framework for three-factor authentication: Preserving security and privacy in distributed systems, IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 8, pp. 1390-1397, 2011.
[9] Q. Jiang, J. Ma, G. Li, and L. Yang, Robust two-factor authentication and key agreement preserving user privacy, International Journal of Network Security, vol. 16, no. 3, pp. 229-240, 2014.
[10] C. T. Li and M. S. Hwang, An efficient biometrics-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1-5, 2010.
[11] K. C. Liao and W. H. Lee, A novel user authentication scheme based on QR-code, Journal of Networks, vol. 5, no. 8, pp. 937-941, 2010.
[12] J. J. Shen and P. W. Hsu, A fragile associative watermarking on 2D barcode for data authentication, International Journal of Network Security, vol. 7, no. 3, pp. 301-309, 2008.
[13] J. J. Shen, C. W. Lin and M. S. Hwang, Security enhancement for the timestamp-based password authentication, Computers and Security, vol. 22, no. 7, pp. 591-595, 2003.
[14] H. Tang, X. Liu, and L. Jiang, A robust and efficient timestamp-based remote user authentication scheme with smart card lost attack resistance, International Journal of Network Security, vol. 15, no. 6, pp. 446-454, 2013.
[15] A. Totok and V. Karamcheti, RDRP: Reward-driven request prioritization for e-commerce Web sites, Electronic Commerce Research and Applications, vol. 9, pp. 549-561, 2010.
[16] L. Yang, J. F. Ma, and Q. Jiang, Mutual authentication scheme with smart cards and password under trusted computing, International Journal of Network Security, vol. 14, no. 3, pp. 156-163, 2012.
[17] X. Zhuang, C. C. Chang, Z. H. Wang, and Y. Zhu, A simple password authentication scheme based on geometric hashing function, International Journal of Network Security, vol. 16, no. 4, pp. 271-277, 2014.

N. Harini is an Assistant Professor in the Department of Computer Science and Engineering, Amrita Vishwa Vidyapeetham. She has 3 years of industrial and 15 years of teaching and research experience. She is currently pursuing her Ph.D. in Security. Her research interests include cryptography and security. She has co-authored a book on Cryptography and Security.

T. R. Padmanabhan, with an M.Tech. and a Ph.D. from IIT Kharagpur, was on the faculty there from 1964 to 1979. With 20 years of development experience in industry and an equal period in academic institutions, he is currently a Professor Emeritus at the Amrita School of Engineering. His research interests are security, digital communication, and VLSI design. He has (co)authored five books.