An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

https://doi.org/10.1016/j.jnca.2011.11.009Get rights and content

Abstract

Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficient, and security.

Introduction

With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet such as online shopping, online game, distributed electronic medical records system, etc., which makes life very convenient. In this case, it is a very important issue to authenticate the identity of remote users in a public environment before he/she can access a service. Users should have proper access rights to access resources at remote systems through the public network environment, and the password authentication is one of the simplest and the most convenient authentication mechanisms to deal with secret data over insecure networks. Lamport (1981) first proposed a remote password authentication protocol for the insecure communication. However, in their protocol, the server must store a password list, and it cannot resist interpolation attacks. Hwang and Li (2000) proposed a remote user authentication protocol using smart cards based on ElGamal's (1985) public key cryptosystem which does not require storing a password table for authentication. After that, in order to eliminate the security problems and to reduce the communication and computation costs, numerous smart card based single-server authentication protocols using the one-way hash function had been proposed (Fan et al., 2005, Hwang et al., 2010, Lee et al., 2005, Li and Hwang, 2010, Li et al., 2011, Liu et al., 2008, Song, 2010).

However, it is extremely hard for a user to remember these numerous different identities and passwords when he/she uses the single-server authentication protocol to login and access different remote service providing servers. In order to resolve this problem, Li et al. (2001) proposed a remote user authentication protocol using neural networks, their protocol can be compatible with multi-server network architecture without repetitive registration. However, Li et al.'s protocol requires extremely high communication and computation costs since each user must have large memory to store public parameters for authentication. For tackling the efficiency problem of Li et al.'s protocol, Juang (2004) proposed an efficient multi-server password authenticated key agreement protocol based on the hash function and symmetric key cryptosystem. However, Chang and Lee (2004) pointed out that Juang's (2004) protocol still lacks efficiency since the computation and storage costs of each user are proportional to the number of users and servers, furthermore if the secret value of the smart card is extracted by some way, Juang's (2004) protocol is vulnerable to off-line dictionary attack. Therefore, Chang and Lee proposed a novel remote user authentication protocol to remedy these weaknesses. However, their protocol was found vulnerable to insider attack, spoofing attack and registration center spoofing attack. Tsaur et al. (2004) proposed a multi-server authentication protocol based on the RSA cryptosystem and Lagrange interpolation polynomial. However, Tsaur et al.'s protocol is also not efficient because it needs high communication and computation costs. Tsai (2008) also proposed an efficient multi-server authentication protocol without a verification table. Tsai's protocol only uses the nonce and one-way hash function, it is very suitable to be used in the distributed network environment because of their low computation costs.

However, all the above password authentication protocols for multi-server architecture are based on static ID which gives the adversary a chance to trace the legal user. Liao and Wang (2009) proposed a dynamic identity based remote user authentication protocol for multi-server architecture. They claimed that their protocol can resist various attacks and can achieve mutual authentication. However, Hsiang and Shih (2009) pointed out that Liao–Wang protocol is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center spoofing attack, and it is not reparable. Besides, Liao–Wang protocol cannot achieve mutual authentication. To solve these problems, Hsiang and Shih (2009) proposed an improved protocol on Liao–Wang (2009) protocol. Recently, Sood et al. (2011) pointed out that Hsiang and Shih's protocol is still not secure. They found that Hsiang–Shih (2009) protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Furthermore, the password change phase of their protocol is wrong. To overcome these security flaws, Sood et al. proposed a secure dynamic identity based authentication protocol. Sood et al. claimed their protocol can achieve user's anonymity and can resist different kinds of attacks. However, through carefully analysis, we find that Sood et al.'s (2011) protocol is vulnerable to leak-of-verifier attack (An attacker who steals the password-verifier from the server can get some useful information or can use the leaked verifier to impersonate a legal user to login to the system.), stolen smart card attack (If the user's smart card is lost or stolen, the attacker can extract the information stored in the smart card and can easily change the password of the smart card, or can guess the password of the user by using password guessing attacks, or can impersonate the user to login to the system.), furthermore, their protocol had a fatal mistake which deduces it cannot finish the mutual authentication and session key agreement. Therefore, we propose an efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.

The rest of the paper is organized as follows: in Section 2, we provide a brief review of Sood et al.'s (2011) protocol. Section 3 points out the security weaknesses of Sood et al.'s protocol. The proposed protocol and corresponding protocol analysis are presented in 4 The proposed scheme, 5 Protocol analysis, respectively. Finally, we draw our conclusions in Section 6.

Section snippets

Overview of Sood et al.'s scheme

The notations used throughout this paper are summarized in Table 1. For a detailed analysis, we review Sood et al.'s (2011) dynamic identity based authentication protocol for multi-server architecture. There are three parties in Sood et al.'s protocol, i.e., the user, the service providing server, and the control server CS. The control server CS is equivalent to the registration center, and it is not directly accessible to the users and thus it is less likely to be attacked. Their protocol

Protocol analysis

Although Sood et al. claimed that their protocol can resist many types of attacks, the actual situation is not the case. In this section, we analyze the security weaknesses and its correctness of Sood et al.'s protocol. Through careful analysis, we find that Sood et al.'s protocol cannot resist leak-of-verifier attack and stolen smart card attack as they claimed. Furthermore, there is a fatal error on Sood et al.'s authentication protocol which deduces the three parties cannot complete the

The proposed scheme

In this section, we propose an efficient and security protocol to avoid the security flaws of Sood et al.'s protocol. Our protocol also involves three participants, i.e., the user (Ui), the service providing server (Sj) and the control server (CS). It is assumed that CS is a trusted party responsible for the registration and authentication of the Ui and Sj. CS chooses the master secret key x and a secret number y. When service providing servers Sj register himself/herself with CS use his/her

Protocol analysis

In this section, we discuss the security features of the proposed dynamic identity based multi-server authentication protocol. Then we evaluate the performance and functionality of our proposed protocol and make comparisons with some related dynamic identity based multi-server authentication protocols.

Conclusions

In this paper, we have shown that Sood et al.'s dynamic ID based multi-server architecture authentication protocol is vulnerable to leak-of-verifier attack, stolen smart card attack. Furthermore, it cannot provide correct mutual authentication and session key agreement since there is no way for the server Sk and the control server CS to know the real identity of the user Ui. Then we propose an efficient protocol with user's anonymity to remedy these weaknesses. We demonstrate that our protocol

Acknowledgments

The authors are grateful to the editor and anonymous reviewers for their valuable suggestions which improved the paper. This work was supported by the Fundamental Research Funds for the Central Universities under Grant No. 2011RC0504, and the National Basic Research Program of China (973 Program) Granted No. 2009CB320504.

References (18)

There are more references available in the full text version of this article.

Cited by (260)

  • A secure three-factor authentication scheme for IoT environments

    2022, Journal of Parallel and Distributed Computing
  • A novel system architecture for secure authentication and data sharing in cloud enabled Big Data Environment

    2022, Journal of King Saud University - Computer and Information Sciences
  • A secure demand response management authentication scheme for smart grid

    2021, Sustainable Energy Technologies and Assessments
View all citing articles on Scopus
View full text