A lightweight authentication scheme with user untraceability

Frontiers of Information Technology & Electronic Engineering

Abstract

With the rapid growth of electronic commerce and the associated demand for Internet-based applications, application systems providing network resources and business services are in high demand around the world. To guarantee robust security and computational efficiency for service retrieval, a variety of authentication schemes have been proposed. However, most of these schemes have been found to be lacking when subjected to a formal security analysis. Recently, Chang et al. (2014) introduced a formally provable secure authentication protocol with the property of user untraceability. Unfortunately, based on our analysis, the proposed scheme fails to provide the property of user untraceability as claimed, and is insecure against user impersonation, server counterfeit, and man-in-the-middle attacks. In this paper, we demonstrate the details of these attacks. A security-enhanced authentication scheme is proposed to eliminate all identified weaknesses.

References

  • Bellare, M., Rogaway, P., 1994. Entity authentication and key distribution. LNCS, 773:232–249.

  • Bellare, M., Pointcheval, D., Rogaway, P., 2000. Authenticated key exchange secure against dictionary attacks. Advances in Cryptology-EUROCRYPT, p.139–155.

  • Blake-Wilson, S., Johnson, D., Menezes, A., 1997. Key agreement protocols and their security analysis. 6th IMA Int. Conf. on Cryptography Coding, p.30–45.

  • Burrows, M., Abadi, M., Needham, R., 1990. A logic of authentication. ACM Trans. Comput. Syst., 8(1):18–36. [doi:10.1145/77648.77649]

  • Chang, C.C., Lee, C.Y., 2012. A secure single sign-on mechanism for distributed computer networks. IEEE Trans. Ind. Electron., 59(1):629–637. [doi:10.1109/TIE.2011.2130500]

  • Chang, Y.F., Tai, W.L., Chang, H.C., 2014. Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst., 27(11):3430–3440. [doi:10.1002/dac.2552]

  • He, D., Wu, S., 2012. Security flaws in a smart card based authentication scheme for multi-server environment. Wirel. Pers. Commun., 70(1):323–329. [doi:10.1007/s11277-012-0696-1]

  • Hsiang, C., Shih, W.K., 2009. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interf., 31(6):1118–1123. [doi:10.1016/j.csi.2008.11.002]

  • Hsieh, W., Leu, J., 2012. Exploiting hash functions to intensify the remote user authentication scheme. Comput. Secur., 31(6):791–798. [doi:10.1016/j.cose.2012.06.001]

  • Huang, X., Chen, X., Li, J., et al., 2013. Further observations on smart-card-based password-authenticated key agreement in distributed systems. IEEE Trans. Parall. Distr. Syst., 25(7):1767–1775. [doi:10.1109/TPDS.2013.230]

  • Juang, W.S., Chen, S.T., Liaw, H.T., 2008. Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron., 55(6):2551–2556. [doi:10.1109/TIE.2008.921677]

  • Kumari, S., Khan, M.K., 2014. Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst., 27(12):3939–3955. [doi:10.1002/dac.2590]

  • Lamport, L., 1981. Password authentication with insecure communication. Commun. ACM, 24(11):770–772. [doi:10.1145/358790.358797]

  • Li, C.T., Lee, C.C., Liu, C.J., et al., 2011. A robust remote user authentication scheme against smart card security breach. 25th Annual IFIP WG 11.3 Conf., p.231–238.

  • Li, X., Qiu, W., Zheng, D., et al., 2010. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron., 57(2):793–800. [doi:10.1109/TIE.2009.2028351]

  • Li, X., Xiong, Y., Ma, J., et al., 2012. An efficient and security dynamic identity based authentication protocol for multiserver architecture using smart cards. J. Network Comput. Appl., 35(2):763–769. [doi:10.1016/j.jnca.2011.11.009]

  • Liao, Y.P., Wang, S.S., 2009. A secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interf., 31(1):24–29. [doi:10.1016/j.csi.2007.10.007]

  • Sood, S.K., Sarje, A.K., Singh, K., 2011. A secure dynamic identity based authentication protocol for multi-server architecture. J. Network Comput. Appl., 34(2):609–618. [doi:10.1016/j.jnca.2010.11.011]

  • Sun, D.Z., Huai, J.P., Sun, J.Z., et al., 2009. Improvements of Juang et al.’s password-authenticated key agreement scheme using smart cards. IEEE Trans. Ind. Electron., 56(6):2284–2291. [doi:10.1109/TIE.2009.2016508]

  • Tsai, J.L., Lo, N.W., Wu, T.C., 2013. Novel anonymous authentication scheme using smart cards. IEEE Trans. Ind. Inform., 9(4):2004–2013. [doi:10.1109/TII.2012.2230639]

  • Wang, D., Ma, C.G., 2012. Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards. J. China Univ. Posts Telecommun., 19(5):104–114. [doi:10.1016/S1005-8885(11)60307-5]

  • Wang, D., Wang, P., 2013. Offline dictionary attack on password authentication schemes using smart cards. 16th Information Security Conf., p.1–16.

  • Wang, D., Wang, P., 2014. On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions. Comput. Networks, 73:41–57. [doi:10.1016/j.comnet.2014.07.010]

  • Wang, D., Ma, C., Wang, P., et al., 2012a. Pass: privacy preserving two-factor authentication scheme against smart card loss problem. Cryptology ePrint Archive, 439:1–35.

  • Wang, D., Ma, C., Wang, P., 2012b. Secure password-based remote user authentication scheme with non-tamper resistant smart cards. 26th Annual IFIP Conf. on Data and Applications Security and Privacy, p.114–121.

  • Wang, D., He, D., Wang, P., et al., 2014. Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Depend. Secure Comput., in press. [doi:10.1109/TDSC.2014.2355850]

  • Wang, G., Yu, J., Xie, Q., 2013. Security analysis of a single sign-on mechanism for distributed computer networks. IEEE Trans. Ind. Inform., 9(1):294–302. [doi:10.1109/TII.2012.2215877]

  • Wang, Y., 2012. Password protected smart card and memory stick authentication against off-line dictionary attacks. 27th IFIP TC 11 Information Security and Privacy Conf., p.489–500.

  • Yeh, K.H., Lo, N.W., Li, Y., 2011. Cryptanalysis of Hsiang-Shih’s authentication scheme for multi-server architecture. Int. J. Commun. Syst., 24(7):829–836. [doi:10.1002/dac.1184]


Author information

Corresponding author

Correspondence to Kuo-Hui Yeh.

Additional information

Project supported by the Taiwan Information Security Center (TWISC) and the Ministry of Science and Technology, Taiwan (Nos. MOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2)

ORCID: Kuo-Hui YEH, http://orcid.org/0000-0003-0598-761X

About this article

Cite this article

Yeh, KH. A lightweight authentication scheme with user untraceability. Frontiers Inf Technol Electronic Eng 16, 259–271 (2015). https://doi.org/10.1631/FITEE.1400232


  • DOI: https://doi.org/10.1631/FITEE.1400232
