A secure dynamic identity based authentication protocol for multi-server architecture

Most password-based authentication protocols rely on a single authentication server to authenticate users. The user's verification information stored on that single server is a main point of vulnerability and remains an attractive target for an attacker. In 2009, Hsiang and Shih improved Liao and Wang's dynamic identity based smart card authentication protocol for the multi-server environment. However, we found that Hsiang and Shih's protocol is susceptible to the replay attack, the impersonation attack and the stolen smart card attack. Moreover, the password change phase of Hsiang and Shih's protocol is incorrect. This paper presents a secure dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned security flaws while keeping the merits of Hsiang and Shih's protocol. It uses a two-server paradigm in which different levels of trust are assigned to the servers and the user's verifier information is distributed between these two servers, known as the service provider server and the control server. The service provider server is more exposed to the clients than the control server. The back-end control server is not directly accessible to the clients and is thus less likely to be attacked. The user's smart card uses the information stored in it together with a random nonce value to generate a dynamic identity. The proposed protocol is practical and computationally efficient because only nonces, one-way hash functions and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing services to the user is usually more than one, and hence secure authentication protocols for the multi-server environment are required.
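The following constructed Python toy is an added illustration, not code from the paper and not its protocol: it models only the ingredients the abstract names (verifier shares split across a service provider server and a control server, a smart card holding password-masked material, a per-session nonce producing a fresh dynamic identity, nonce-based replay rejection, and a purely local password change). The class names, the share construction h(uid, secret) and the message shape (nonce, one dynamic ID per server) are assumptions chosen for the demo.

```python
# Constructed toy model of a two-server nonce/hash/XOR dynamic-identity login; it is
# not the paper's protocol and only makes the properties stated above concrete.
import hashlib, os

def h(*parts: bytes) -> bytes:  # one-way hash; SHA-256 stands in for the generic h(.)
    return hashlib.sha256(b"|".join(parts)).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """Service provider or control server: own secret plus per-user share h(uid, secret)."""
    def __init__(self) -> None:
        self.secret = os.urandom(32)
        self.shares: dict[bytes, bytes] = {}     # uid -> verifier share
        self.seen_nonces: set[bytes] = set()     # accepted nonces, for replay detection
    def enroll(self, uid: bytes) -> bytes:
        self.shares[uid] = h(uid, self.secret)
        return self.shares[uid]
    def verify(self, cid: bytes, nonce: bytes) -> bool:
        if nonce in self.seen_nonces:            # replayed login message
            return False
        if any(h(s, nonce) == cid for s in self.shares.values()):  # CID carries no uid
            self.seen_nonces.add(nonce)
            return True
        return False

class SmartCard:
    """Stores each share XOR h(pw); the shares are unusable without the password."""
    def __init__(self, pw: bytes, shares: list[bytes]) -> None:
        self.masked = [xor(s, h(pw)) for s in shares]
    def login(self, pw: bytes) -> tuple[bytes, list[bytes]]:
        nonce = os.urandom(16)                   # fresh nonce -> fresh dynamic IDs
        return nonce, [h(xor(m, h(pw)), nonce) for m in self.masked]
    def change_password(self, old: bytes, new: bytes) -> None:
        # Local re-masking; no server is contacted and no server state changes.
        self.masked = [xor(xor(m, h(old)), h(new)) for m in self.masked]

def demo() -> dict[str, bool]:
    sp, cs, uid, pw = Server(), Server(), b"alice", b"correct horse"
    card = SmartCard(pw, [sp.enroll(uid), cs.enroll(uid)])
    n1, (sp1, cs1) = card.login(pw)
    n2, (sp2, _) = card.login(pw)                # second session: different CID
    first = sp.verify(sp1, n1) and cs.verify(cs1, n1)
    card.change_password(pw, b"new pw")
    n3, (sp3, cs3) = card.login(b"new pw")
    stolen, n4 = sp.shares[uid], os.urandom(16)  # attacker holding only SP's table
    return {"login": first, "unlinkable": sp1 != sp2,
            "replay": sp.verify(sp1, n1),          # same message sent again
            "after_change": sp.verify(sp3, n3) and cs.verify(cs3, n3),
            "sp_table_alone": cs.verify(h(stolen, n4), n4)}
```

The last result shows the point of the split: a copy of the service provider's table is not enough to pass the control server, because its share derives from a different secret.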
