Public-Key replacement attacks on lightweight authentication schemes for resource-constrained scenarios

Cyber Security and Applications Pub Date : 2025-06-18 DOI:10.1016/j.csa.2025.100102

Fei Zhu , Ying Hu , Yufei Ren , Bingfei Han , Xu Yang

{"title":"Public-Key replacement attacks on lightweight authentication schemes for resource-constrained scenarios","authors":"Fei Zhu , Ying Hu , Yufei Ren , Bingfei Han , Xu Yang","doi":"10.1016/j.csa.2025.100102","DOIUrl":null,"url":null,"abstract":"<div><div>Ensuring data integrity and data source trustworthiness during data sharing has always attracted the attention of researchers. Very recently, Zhu et al. designed a lightweight conditional privacy-preserving identity authentication scheme for securing vehicular ad-hoc networks. Feng et al. constructed an authentication transmission mechanism for artificial intelligence generated image content. Zhu et al. and Feng et al. proposed a lightweight certificateless aggregate signature (CLAS) scheme as their respective foundation signature schemes. They claimed that their constructions were provably secure against several types of security attacks. In this work, by analyzing their respective underlying CLAS schemes, we found that their schemes are unable to achieve unforgeability, which is the most critical property that a signature scheme should provide. In particular, for each scheme, we show that a malicious public-key replacement attacker has the ability to forge a valid signature on any false message. Taking Zhu et al.’s scheme as an example, such an attack allows a malicious attacker to impersonate an honest vehicle to broadcast fraudulent information about road conditions, causing traffic congestion or even accidents. We also analyze the reason for such an attack and provide corresponding improvement suggestions.</div></div>","PeriodicalId":100351,"journal":{"name":"Cyber Security and Applications","volume":"3 ","pages":"Article 100102"},"PeriodicalIF":0.0000,"publicationDate":"2025-06-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cyber Security and Applications","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2772918425000190","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Ensuring data integrity and data source trustworthiness during data sharing has always attracted the attention of researchers. Very recently, Zhu et al. designed a lightweight conditional privacy-preserving identity authentication scheme for securing vehicular ad-hoc networks. Feng et al. constructed an authentication transmission mechanism for artificial intelligence generated image content. Zhu et al. and Feng et al. proposed a lightweight certificateless aggregate signature (CLAS) scheme as their respective foundation signature schemes. They claimed that their constructions were provably secure against several types of security attacks. In this work, by analyzing their respective underlying CLAS schemes, we found that their schemes are unable to achieve unforgeability, which is the most critical property that a signature scheme should provide. In particular, for each scheme, we show that a malicious public-key replacement attacker has the ability to forge a valid signature on any false message. Taking Zhu et al.’s scheme as an example, such an attack allows a malicious attacker to impersonate an honest vehicle to broadcast fraudulent information about road conditions, causing traffic congestion or even accidents. We also analyze the reason for such an attack and provide corresponding improvement suggestions.

查看原文本刊更多论文

针对资源受限场景的轻量级身份验证方案的公钥替换攻击

在数据共享过程中如何保证数据的完整性和数据源的可信度一直是研究人员关注的问题。最近，Zhu等人设计了一种轻量级的条件隐私保护身份认证方案，用于保护车载自组织网络。Feng等人构建了一种人工智能生成图像内容的认证传输机制。Zhu等人和Feng等人提出了一种轻量级的无证书聚合签名（CLAS）方案作为他们各自的基础签名方案。他们声称，他们的建筑可以证明是安全的，可以抵御几种类型的安全攻击。通过分析它们各自的底层CLAS方案，我们发现它们的方案都无法实现不可伪造性，而不可伪造性是签名方案应该提供的最关键的属性。特别是，对于每个方案，我们证明了恶意公钥替换攻击者有能力在任何虚假消息上伪造有效签名。以Zhu等人的方案为例，这种攻击允许恶意攻击者冒充一辆诚实的车辆，广播虚假的路况信息，造成交通拥堵甚至事故。我们还分析了这种攻击的原因，并提出了相应的改进建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Cyber Security and Applications

CiteScore

5.20

自引率

0.00%

发文量