Skip to main content
Springer Nature Link
Log in

Cryptanalysis of Two Dynamic ID-Based Remote User Authentication Schemes for Multi-server Architecture

  • Conference paper
Network and System Security (NSS 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7645))

Included in the following conference series:

  • 1336 Accesses

Abstract

In NSS’10, Shao and Chin pointed out that Hsiang and Shih’s dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin’s scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.’s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.’s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Bouyoucef, K., Khorasani, K.: A robust distributed congestion-control strategy for differentiated-services network. IEEE Transactions on Industrial Electronics 56(3), 608–617 (2009)

    Article  Google Scholar 

  2. Barolli, L., Xhafa, F.: JXTA-OVERLAY: A P2P platform for distributed, collaborative and ubiquitous computing. IEEE Transactions on Industrial Electronics 58(6), 2163–2172 (2010)

    Article  Google Scholar 

  3. Lin, S., Hung, M., Tsai, C., Chou, L.: Development of an ease-of-use remote healthcare system architecture using rfid and networking technologies. Journal of Medical Systems, 1–15 (2012), doi:10.1007/s10916-012-9836-0

    Google Scholar 

  4. Chang, C.C., Wu, T.C.: Remote password authentication with smart cards. IEE Proceedings-Computers and Digital Techniques 138(3), 165–168 (1991)

    Article  Google Scholar 

  5. Ma, C.-G., Wang, D., Zhang, Q.-M.: Cryptanalysis and Improvement of Sood et al.’s Dynamic ID-Based Authentication Scheme. In: Ramanujam, R., Ramaswamy, S. (eds.) ICDCIT 2012. LNCS, vol. 7154, pp. 141–152. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  6. Wu, S.H., Zhu, Y.F., Pu, Q.: Robust smart-cards-based user authentication scheme with user anonymity. Security and Communication Networks 5(2), 236–248 (2012)

    Article  Google Scholar 

  7. Wang, D., Ma, C.G., Wu, P.: Secure Password-Based Remote User Authentication Scheme with Non-tamper Resistant Smart Cards. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 114–121. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  8. Wang, Y.: Password Protected Smart Card and Memory Stick Authentication against Off-Line Dictionary Attacks. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 489–500. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  9. Lin, I., Hwang, M., Li, L.: A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems 19(1), 13–22 (2003)

    Article  MATH  Google Scholar 

  10. Tsaur, W., Wu, C., Lee, W.: A smart card-based remote scheme for password authentication in multi-server internet services. Computer Standards & Interfaces 27(1), 39–51 (2004)

    Article  Google Scholar 

  11. Liao, Y., Wang, S.: A secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(1), 24–29 (2009)

    Article  Google Scholar 

  12. Hsiang, H., Shih, W.: Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(6), 1118–1123 (2009)

    Article  Google Scholar 

  13. Tan, Z.: Cryptanalysis of two id based password authentication schemes for multi-server environments. International Journal of Digital Content Technology and its Applications 5(1), 87–94 (2011)

    Article  Google Scholar 

  14. Yeh, K., Lo, N., Li, Y.: Cryptanalysis of hsiang-shihs authentication scheme for multi-server architecture. International Journal of Communication Systems 24(7), 829–836 (2011)

    Article  Google Scholar 

  15. Sood, S., Sarje, A., Singh, K.: A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications 34(2), 609–618 (2011)

    Article  Google Scholar 

  16. Shao, M., Chin, Y.: A novel approach to dynamic id-based remote user authentication scheme for multi-server environment. In: 2010 4th International Conference on Network and System Security (NSS 2010), pp. 548–553. IEEE Press, New York (2010)

    Chapter  Google Scholar 

  17. Li, X., Xiong, Y., Ma, J., Wang, W.: An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 35(2), 763–769 (2012)

    Article  Google Scholar 

  18. Han, W.: Weaknesses of a dynamic identity based authentication protocol for multi-server architecture. Arxiv preprint arXiv:1201.0883 (2012), http://arxiv.org/abs/1201.0883

  19. Xue, K., Hong, P., Ma, C.: A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Arxiv preprint arXiv:1204.3831 (2012), http://arxiv.org/abs/1204.3831

  20. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–789. Springer, Heidelberg (1999)

    Google Scholar 

  21. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers 51(5), 541–552 (2002)

    Article  MathSciNet  Google Scholar 

  22. Kasper, T., Oswald, D., Paar, C.: Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 61–77. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  23. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of WWW 2007, pp. 657–666. ACM Press, New York (2007)

    Chapter  Google Scholar 

  24. Klein, D.V.: Foiling the cracker: A survey of, and improvements to, password security. In: Proceedings of the 2nd USENIX Security Workshop, pp. 5–14 (1990)

    Google Scholar 

  25. Bao, F., Deng, R.: Privacy Protection for Transactions of Digital Goods. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 202–213. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  26. Tang, C., Wu, D.: Mobile privacy in wireless networks-revisited. IEEE Transactions on Wireless Communications 7(3), 1035–1042 (2008)

    Article  Google Scholar 

  27. Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Transactions on Information and System Security 2(3), 230–268 (1999)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. College of Computer Science and Technology, Harbin Engineering University, Harbin City, 150001, China

    Ding Wang, Chun-guang Ma, De-li Gu & Zhen-shan Cui

  2. Automobile Management Institute of PLA, Bengbu City, 233011, China

    Ding Wang

Authors
  1. Ding Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chun-guang Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. De-li Gu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhen-shan Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Mathematics and Computer Science, Fujian Normal University, 350108, Fuzhou, Fujian, China

    Li Xu

  2. Department of Computer Science, CERIAS and Cyber Center, Purdue University, 47907-2107, West Lafayette, IN, USA

    Elisa Bertino

  3. School of Computer Science and Software Engineering, University of Wollongong, 2522, Wollongong, NSW, Australia

    Yi Mu

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, D., Ma, Cg., Gu, Dl., Cui, Zs. (2012). Cryptanalysis of Two Dynamic ID-Based Remote User Authentication Schemes for Multi-server Architecture. In: Xu, L., Bertino, E., Mu, Y. (eds) Network and System Security. NSS 2012. Lecture Notes in Computer Science, vol 7645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34601-9_35

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-34601-9_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34600-2

  • Online ISBN: 978-3-642-34601-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics