A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card

Wireless Personal Communications

Abstract

In network-based services, remote user authentication has become an important and challenging part of ensuring authorized access to resources. Traditional two-party architectures do not offer a scalable solution for multi-server environments, because users must go through multiple registrations. Multi-server authentication schemes, on the other hand, resolve the repeated registration issue: a one-time registration is enough to access the multiple servers of an architecture. To achieve an efficient solution, Pippal et al. (Wirel Pers Commun 72(1):729–745, 2013) proposed a smart card based authentication scheme for multi-server environments. However, Li et al. (Int J Commun Syst 28(2):374–382, 2015) proved that Pippal et al.’s (2013) scheme is insecure and proposed an improvement to overcome the drawbacks found in it. In this paper, we show that Li et al.’s scheme is also vulnerable to known attacks, namely the password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. We then propose a secure multi-server authentication scheme that withstands the security pitfalls found in Li et al.’s scheme while retaining its merits. Using the widely accepted BAN logic, we show that our scheme provides secure mutual authentication. In addition, we prove that our scheme is secure against all known attacks, including the password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. Our scheme provides high security with lower computation and communication overhead than the other related existing schemes in the literature and, as a result, is well suited to practical applications.

References

  1. Mishra, D., Das, A. K., & Mukhopadhyay, S. (2014). A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications, 41(18), 8129–8143.

  2. Sun, H. M. (2000). An efficient remote use authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4), 958–961.

  3. Shen, J. J., Lin, C. W., & Hwang, M. S. (2003). A modified remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 49, 414–416.

  4. Awasthi, A. K., & Lal, S. (2004). An enhanced remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 50(2), 583–586.

  5. Chang, C. C., & Hwang, K. F. (2003). Some forgery attacks on a remote user authentication scheme using smart cards. Informatica, 14(3), 289–294.

  6. Das, M., Saxena, A., & Gulati, V. (2004). A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2), 629–631.

  7. Li, X., Niu, J., Liao, J., & Liang, W. (2015). Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. International Journal of Communication Systems, 28(2), 374–382.

  8. Ku, W. C., & Chang, S. T. (2005). Impersonation attack on a dynamic ID-based remote user authentication scheme using smart cards. IEICE Transactions on Communications, E88–B(5), 2165–2167.

  9. Hwang, M. S., Lee, C. C., & Tang, Y. L. (2002). A simple remote user authentication scheme. Mathematical and Computer Modelling, 36(1–2), 103–107.

  10. Tsaur, W. J., Wu, C. C., & Lee, W. B. (2004). A smart card-based remote scheme for password authentication in multi-server internet services. Computer Standards & Interfaces, 27(1), 39–51.

  11. Juang, W. S. (2004). Efficient password authenticated key agreement using smart cards. Computers & Security, 23(2), 167–173.

  12. Li, C. T., Lee, C. C., & Weng, C. Y. (2014). A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information system. Journal of Medical Systems, 38(9), 1–11.

  13. Lee, C. C., Li, C. T., & Hsu, C. W. (2013). A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Nonlinear Dynamics, 73(1–2), 125–132.

  14. Li, X., Niu, J., Khan, M. K., Liao, J., & Zhao, X. (2014). Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Security and Communication Networks, 9, 1916–1927.

  15. Farash, M. S., & Attari, M. A. (2014). An efficient and provably secure three-party password-based authenticated key exchange protocol based on chebyshev chaotic maps. Nonlinear Dynamics, 77(1–2), 399–411.

  16. Odelu, V., Das, A. K., & Goswami, A. (2014). A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 8, 1732–1751.

  17. Chang, C. C., & Lee, J. S. (November, 2004). An efficient and secure multi-server password authentication scheme using smart cards. In 2004 International Conference on Cyberworlds (pp. 417–422).

  18. Juang, W. S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.

  19. Lin, I. C., Hwang, M. S., & Li, L. H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22. Selected papers of the 29th SPEEDUP workshop on distributed computing and high-speed networks, 22–23 March 2001, Bern, Switzerland.

  20. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.

  21. Pippal, R., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 72(1), 729–745.

  22. Yeh, K. H. (2014). A provably secure multi-server based authentication scheme. Wireless Personal Communications, 79(3), 1621–1634.

  23. Hsieh, W. B., & Leu, J. S. (2014). An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures. Journal of Supercomputing, 70(1), 133–148.

  24. Lee, Y., Kim, J., & Won, D. (2014). Countermeasure on password-based authentication scheme for multi-server environments. Lecture Notes in Electrical Engineering, 308, 459–466.

  25. Mishra, D. (2014). Cryptanalysis of multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. CoRR arXiv:1401.4790.

  26. Lee, Y., Kim, J., & Won, D. (2011). Cryptanalysis to a remote user authentication scheme using smart cards for multi-server environment. In Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics) (Vol. 6771(PART 1), pp. 321–329). LNCS

  27. Liao, Y. P., & Wang, S. S. (2009). A secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(1), 24–29.

  28. Hsiang, H. C., & Shih, W. K. (2009). Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.

  29. Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.

  30. Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.

  31. Tsai, J. L., Lo, N. W., & Wu, T. C. (2013). A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications, 71(3), 1977–1988.

  32. Yeh, K. H., & Lo, N. W. (2010). A novel remote user authentication scheme for multi-server environment without using smart cards. International Journal of Innovative Computing, Information and Control, 6(8), 3467–3478.

  33. Li, X., Niu, J., Kumari, S., Liao, J., & Liang, W. (2014). An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 1–18.

  34. Yang, W. H., & Shieh, S. P. (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.

  35. Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.

  36. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. (2008). On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme. In Advances in Cryptology CRYPTO 2008. Volume 5157 of Lecture Notes in Computer Science (pp. 203–220). Berlin: Springer.

  37. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.

  38. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology—CRYPTO’99 (pp. 789–789). Berlin: Springer.

  39. Rivest, R. (1992). The MD5 message-digest algorithm.

  40. Stinson, D. (2006). Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography, 38(2), 259–277.

  41. Pub, F. (1995). Secure hash standard. Public Law, 100, 235.

  42. Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security (TISSEC), 13(4), 33.

  43. Damgård, I. B. (1990). A design principle for hash functions. In Advances in cryptology CRYPTO89 proceedings (pp. 416–427). Berlin: Springer.

  44. William, S., & Stallings, W. (2006). Cryptography and Network Security (Vol. 4/E). Bengaluru: Pearson Education India.

  45. Harn, L., & Ren, J. (2011). Generalized digital certificate for user authentication and key establishment for secure communications. IEEE Transactions on Wireless Communications, 10(7), 2372–2379.

  46. Needham, R., Burrows, M., & Abadi, M. (1989). A logic of authentication. Operating Systems Review, 1–13.

  47. Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. In Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences (Vol. 426, No. 1871, pp. 233–271). The Royal Society.

  48. Ahn, H. S., & Yoon, E. J. (2012). Cryptanalysis of Chang-Changs EC-PAKA protocol for wireless mobile networks. World Academy of Science, Engineering and Technology, 2012(68), 45.

  49. Turkanović, M., Brumen, B., & Hölbl, M. (2014). A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Networks, 20, 96–112.

  50. Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic id based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.

Correspondence to Jangirala Srinivas.

Srinivas, J., Mukhopadhyay, S. & Mishra, D. A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card. Wireless Pers Commun 96, 6273–6297 (2017). https://doi.org/10.1007/s11277-017-4476-9
