Abstract
Numerous smart card based authentication protocols have been proposed to provide strong system security and robust individual privacy for communication between parties these days. Nevertheless, most of them do not provide formal analysis proof, and the security robustness is doubtful. Chang and Cheng (2011) proposed an efficient remote authentication protocol with smart cards and claimed that their proposed protocol could support secure communication in a multi-server environment. Unfortunately, there are opportunities for security enhancement in current schemes. In this paper, we identify the major weakness, i.e., session key disclosure, of a recently published protocol. We consequently propose a novel authentication scheme for a multi-server environment and give formal analysis proofs for security guarantees.
Similar content being viewed by others
References
Armando, A., Compagna, L., 2004. SATMC: a SAT-based model checker for security protocols. Log. Artif. Intell., 3229:730–733. [doi:10.1007/978-3-540-30227-8_68]
AVISPA Project, 2003. Automated Validation of Internet Security Protocols and Applications. Available from http://www.avispa-project.org.
Basin, D., Mödersheim, S., Viganò, L., 2005. OFMC: a symbolic model-checker for security protocols. Int. J. Inf. Secur., 4(3):181–208. [doi:10.1007/s10207-004-0055-7]
Boichut, Y., Héam, P.C., Kouchnarenko, O., Oehl, F., 2004. Improvements on the Genet and Klay Technique to Automatically Verify Security Protocols. Proc. 3rd Int. Workshop on Automated Verification of Infinite States Systems, p.1–11.
Burrows, M., Abadi, M., Needham, R., 1990. A logic of authentication. ACM Trans. Comput. Syst., 8(1):18–36. [doi:10.1145/77648.77649]
Chang, C.C., Cheng, T.F., 2011. A robust and efficient smart card based remote login mechanism for multi-server architecture. Int. J. Innov. Comput. Inf. Control, 7(8):4589–4602.
Chang, C.C., Lee, J.S., 2004. An Efficient and Secure Multi-server Password Authentication Scheme Using Smart Card. Int. Conf. on Cyberworlds, p.417-422. [doi:10.1109/CW.2004.17]
Chang, C.C., Tsai, H.C., 2010. An anonymous and self-verified mobile authentication with authenticated key agreement for large-scale wireless networks. IEEE Trans. Wirel. Commun., 9(11):3346–3353. [doi:10.1109/TWC.2010.092410.090022]
Chen, C.L., Lai, Y.L., Chen, C.C., Chen, Y.L., 2011. A smart card-based mobile secure transaction system for medical treatment examination reports. Int. J. Innov. Comput. Inf. Control, 7(5):2257–2267.
Juang, W.S., 2004. Efficient multi-server password authenticated key agreement using smart cards. IEEE Trans. Consum. Electron., 50(1):251–255. [doi:10.1109/TCE.2004.1277870]
Lee, J.S., Chang, Y.F., Chang, C.C., 2008. A novel authentication protocol for multi-server architecture without smart cards. Int. J. Innov. Comput. Inf. Control, 4(6):1357–1364.
Liaw, H.T., Lin, J.F., Wu, W.C., 2006. An efficient and complete remote user authentication scheme using smart cards. Math. Comput. Modell., 44(1–2):223–228. [doi:10.1016/j.mcm.2006.01.015]
Lin, I.C., Hwang, M.S., Li, L.H., 2003. A new remote user authentication scheme for multi-server architecture. Fut. Gener. Comput. Syst., 19(1):13–22. [doi:10.1016/S0167-739X(02)00093-6]
Turuani, M., 2006. The CL-Atse Protocol Analyser. LNCS, 4098:277–286. [doi:10.1007/11805618_21]
Author information
Authors and Affiliations
Corresponding author
Additional information
Project (Nos. 102-2218-E-259-004, 102-2218-E-146-002, and 102-2218-E-011-012) supported by Taiwan Information Security Center (TWISC) and National Science Council, Taiwan
Rights and permissions
About this article
Cite this article
Yeh, KH., Tsai, KY. & Hou, JL. Analysis and design of a smart card based authentication protocol. J. Zhejiang Univ. - Sci. C 14, 909–917 (2013). https://doi.org/10.1631/jzus.C1300158
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1631/jzus.C1300158