Security plays an important role in several ZigBee applications such as Smart Energy and medical sensor applications. For a secure communication among ZigBee devices, a secret key should be shared among any two ZigBee devices using the Key Distribution protocol. Recently, Yüksel and Nielson proposed a new Key Distribution protocol for ZigBee addressing the security weaknesses of the original ZigBee Key Distribution protocol. In this letter, it is shown that their protocol is not secure against a key de-synchronization attack, and a security-enhanced Key Distribution protocol is newly proposed and analyzed in terms of security.

Remote data possession checking for cloud storage is very important, since data owners can check the integrity of outsourced data without downloading a copy to their local computers. In a previous work, Chen proposed a remote data possession checking protocol using algebraic signature and showed that it can resist against various known attacks. In this paper, we find serious security flaws in Chen's protocol, and shows that it is vulnerable to replay attack by a malicious cloud server. Finally, we propose an improved version of the protocol to guarantee secure data storage for data owners.

Recently, Hwang and Yeh demonstrated that Peyravian-Zunic's password authentication scheme is vulnerable to several attacks, and then proposed a modified version. In this letter, we show that Hwang-Yeh's scheme still has several weaknesses and drawbacks.

Recently, Lin et al. addressed two weaknesses of a new strong-password authentication scheme, the SAS protocol, and then proposed an improved one called the OSPA (Optimal Strong-Password Authentication) protocol. However, we find that both the OSPA protocol and the SAS protocol are vulnerable to the stolen-verifier attack.

Using the great one-time password concept, the widely utilized one-way authentication scheme S/Key provides well protection against replay attacks. In this paper, S/key is enhanced to secure transactions in a critical environment. The proposed scheme is free from any of server spoofing attacks, preplay attacks, and off-line dictionary attacks. A session key here is also established to provide confidentiality. Moreover, simplicity and efficiency are taken into consideration from the user's point of view. A smart card is applied to simplify the user login process and only the hash function is used to keep its efficiency. Therefore, the scheme proposed hereinafter is able to build a safer shield for sensitive transactions like on-line banking or on-line trading in bonds and securities.

Authentication protocols are necessary for the receiver of a message to ascertain its origin in a distributed environment. Since they exchange cryptographic messages at the beginning of communication, their security is an essential requirement. However, most of the protocols have suffered from several kinds of attacks. A replay attack is one kind of those attacks. Attackers could launch it easily by replaying an eavesdropped message. Moreover, there are many types of replay attacks while most of the formal methods are not capable of detecting them. [3] classified various kinds of replay attacks and proposed a taxonomy. Therefore, it is necessary to verify authentication protocols deliberately with such a taxonomy for a basis. In this paper, at first, we give a clear definition and several remarks on replay attacks. Secondly we review the taxonomy of replay attacks presented in [3], and comment on its minor mistake. Finally we examine on the basis of the taxonomy the password-based authentication protocol, K1P, which was proposed in our earlier papers for protecting weak secrets efficiently. As a result of the examination, we have found that three way mutual K1P shown in [2] was vulnerable to one of replay attacks. Therefore, we improve three way K1P on security against the replay attack. Improved three way K1P is secure against replay attacks as well as guessing attacks and therefore it may be useful for security services of various communication networks.