Abstract
In network based services, remote user authentication has become an important and challenging part to ensure authorized access of resource. The traditional two party architectures are not enough to present scalable solution to multi-server environment as user need to follow multiple registrations. On the other hands, multi-server authentication scheme resolves the repeated registration issue, where one time registration is enough to access the multiple servers of an architecture. To achieve efficient solution, Pippel et al. (Wirel Pers Commun 72(1):729–745, 2013) proposed a smart card based authentication scheme for multi-server environment. However, Li et al. (Int J Commun Syst 28(2):374–382, 2015) proved that Pippel et al.’s (2013) proposed scheme is insecure and proposed an improvement to overcome the drawbacks found in Pipple et al.’s scheme. In this paper, we show that Li et al.’s scheme also vulnerable to the known attacks, namely, password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. We then propose a secure multi-server authentication scheme to withstand the security pitfalls find in the Li et al.’s scheme while retaining the merits of Li et al.’s scheme. Using the widely accepted BAN logic we show that our scheme provides secure mutual authentication. In addition, we prove that our scheme is secure against all known attacks including password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. Our scheme requires less communication and computation overhead as compared to the existing related scheme. Our scheme provides high security along with less computation and communication overheads as compared to the other related existing schemes in the literature, and as a result, our scheme is much suitable for practical applications.
Similar content being viewed by others
References
Mishra, D., Das, A. K., & Mukhopadhyay, S. (2014). A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications, 41(18), 8129–8143.
Sun, H. M. (2000). An efficient remote use authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4), 958–961.
Shen, J. J., Lin, C. W., & Hwang, M. S. (2003). A modified remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 49, 414–416.
Awasthi, A. K., & Lal, S. (2004). An enhanced remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 50(2), 583–586.
Chang, C. C., & Hwang, K. F. (2003). Some forgery attacks on a remote user authentication scheme using smart cards. Informatica, 14(3), 289–294.
Das, M., Saxena, A., & Gulati, V. (2004). A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2), 629–631.
Li, X., Niu, J., Liao, J., & Liang, W. (2015). Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. International Journal of Communication Systems, 28(2), 374–382.
Ku, W. C., & Chang, S. T. (2005). Impersonation attack on a dynamic ID-based remote user authentication scheme using smart cards. IEICE Transactions on Communications, E88–B(5), 2165–2167.
Hwang, M. S., Lee, C. C., & Tang, Y. L. (2002). A simple remote user authentication scheme. Mathematical and Computer Modelling, 36(1–2), 103–107.
Tsaur, W. J., Wu, C. C., & Lee, W. B. (2004). A smart card-based remote scheme for password authentication in multi-server internet services. Computer Standards & Interfaces, 27(1), 39–51.
Juang, W. S. (2004). Efficient password authenticated key agreement using smart cards. Computers & Security, 23(2), 167–173.
Li, C. T., Lee, C. C., & Weng, C. Y. (2014). A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information system. Journal of Medical Systems, 38(9), 1–11.
Lee, C. C., Li, C. T., & Hsu, C. W. (2013). A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Nonlinear Dynamics, 73(1–2), 125–132.
Li, X., Niu, J., Khan, M. K., Liao, J., & Zhao, X. (2014). Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Security and Communication Networks, 9, 1916–1927.
Farash, M. S., & Attari, M. A. (2014). An efficient and provably secure three-party password-based authenticated key exchange protocol based on chebyshev chaotic maps. Nonlinear Dynamics, 77(1–2), 399–411.
Odelu, V., Das, A. K., & Goswami, A. (2014). A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 8, 1732–1751.
Chang, C. C., & Lee, J. S. (November, 2004). An efficient and secure multi-server password authentication scheme using smart cards. In 2004 International Conference on Cyberworlds (pp. 417–422).
Juang, W. S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Lin, I. C., Hwang, M. S., & Li, L. H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13 – 22 Selected papers of the 29th SPEEDUP workshop on distributed computing and high-speed networks, 22–23 March 2001, Bern, Switzerland.
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.
Pippal, R., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 72(1), 729–745.
Yeh, K. H. (2014). A provably secure multi-server based authentication scheme. Wireless Personal Communications, 79(3), 1621–1634.
Hsieh, W. B., & Leu, J. S. (2014). An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures. Journal of Supercomputing, 70(1), 133–148.
Lee, Y., Kim, J., & Won, D. (2014). Countermeasure on password-based authentication scheme for multi-server environments. Lecture Notes in Electrical Engineering, 308, 459–466.
Mishra, D. (2014). Cryptanalysis of multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. CoRR arXiv:1401.4790.
Lee, Y., Kim, J., & Won, D. (2011). Cryptanalysis to a remote user authentication scheme using smart cards for multi-server environment. In Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics) (Vol. 6771(PART 1), pp. 321–329). LNCS
Liao, Y. P., & Wang, S. S. (2009). A secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(1), 24–29.
Hsiang, H. C., & Shih, W. K. (2009). Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
Tsai, J. L., Lo, N. W., & Wu, T. C. (2013). A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications, 71(3), 1977–1988.
Yeh, K. H., & Lo, N. W. (2010). A novel remote user authentication scheme for multiyserver environment without using smart cards. International Journal of Innovative Computing, Information and Control, 6(8), 3467–3478.
Li, X., Niu, J., Kumari, S., Liao, J., & Liang, W. (2014) An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 1–18.
Yang, W. H., & Shieh, S. P. (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.
Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. (2008). On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme. In Advances in Cryptology CRYPTO 2008. Volume 5157 of Lecture Notes in Computer Science (pp. 203–220). Berlin: Springer.
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology—CRYPTO’99 (pp. 789–789). Berlin: Springer.
Rivest, R. (1992). The MD5 message-digest algorithm.
Stinson, D. (2006). Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography, 38(2), 259–277.
Pub, F. (1995). Secure hash standard. Public Law, 100, 235.
Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security (TISSEC), 13(4), 33.
Damgård, I. B. (1990). A design principle for hash functions. In Advances in cryptology CRYPTO89 proceedings (pp. 416–427). Berlin: Springer.
William, S., & Stallings, W. (2006). Cryptography and Network Security (Vol. 4/E). Bengaluru: Pearson Education India.
Harn, L., & Ren, J. (2011). Generalized digital certificate for user authentication and key establishment for secure communications. IEEE Transactions on Wireless Communications, 10(7), 2372–2379.
Needham, R., Burrows, M., & Abadi, M. (1989). A logic of authentication. Operating Systems Review, 1–13.
Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. In Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences (Vol. 426, No. 1871, pp. 233–271). The Royal Society.
Ahn, H. S., & Yoon, E. J. (2012). Cryptanalysis of Chang-Changs EC-PAKA protocol for wireless mobile networks. World Academy of Science, Engineering and Technology, 2012(68), 45.
Turkanović, M., Brumen, B., & Hölbl, M. (2014). A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Networks, 20, 96–112.
Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic id based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Srinivas, J., Mukhopadhyay, S. & Mishra, D. A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card. Wireless Pers Commun 96, 6273–6297 (2017). https://doi.org/10.1007/s11277-017-4476-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-017-4476-9