Understanding security failures of multi-factor authentication schemes for multi-server environments

Abstract Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments were successively proposed, yet most of them have been shortly found problematic. The research pattern of this area has fallen into the undesirable “break-fix-break-fix” cycle, in which lots of efforts have been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al. scheme at ICICS’17, Wu et al. scheme at FC’17, Leu-Hsieh’s scheme at IET IS’14, Zhou et al. scheme at WINET’18 and Roy et al. scheme at IEEE TII’19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or are short of important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results.

[1]  Samiran Chattopadhyay,et al.  Provably Secure Fine-Grained Data Access Control Over Multiple Cloud Servers in Mobile Cloud Computing Based Healthcare Applications , 2019, IEEE Transactions on Industrial Informatics.

[2]  Kim-Kwang Raymond Choo,et al.  Anonymity Preserving and Lightweight Multimedical Server Authentication Protocol for Telecare Medical Information System , 2019, IEEE Journal of Biomedical and Health Informatics.

[3]  Lixiang Li,et al.  A biometrics and smart cards-based authentication scheme for multi-server environments , 2015, Secur. Commun. Networks.

[4]  Peilin Hong,et al.  A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture , 2012, J. Comput. Syst. Sci..

[5]  Hongfeng Zhu,et al.  Flexible and Password-Authenticated Key Agreement Scheme Based on Chaotic Maps for Multiple Servers to Server Architecture , 2015, Wirel. Pers. Commun..

[6]  Jian Shen,et al.  An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment , 2017, J. Netw. Comput. Appl..

[7]  Fagen Li,et al.  A Privacy-Preserving RLWE-Based Remote Biometric Authentication Scheme for Single and Multi-Server Environments , 2019, IEEE Access.

[8]  Athanasios V. Vasilakos,et al.  Secure Biometric-Based Authentication Scheme Using Chebyshev Chaotic Map for Multi-Server Environment , 2018, IEEE Transactions on Dependable and Secure Computing.

[9]  Ping Wang,et al.  Revisiting Anonymous Two-Factor Authentication Schemes for Multi-server Environment , 2018, ICICS.

[10]  Dheerendra Mishra,et al.  Secure and efficient user authentication scheme for multi-gateway wireless sensor networks , 2017, Ad Hoc Networks.

[11]  Chin-Chen Chang,et al.  Comment on Remote Password Authentication with Smart Cards , 1992 .

[12]  Sourav Mukhopadhyay,et al.  A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards , 2014, Expert Syst. Appl..

[13]  Muhammad Khurram Khan,et al.  An enhanced multi-server authentication protocol using password and smart-card: cryptanalysis and design , 2016, Secur. Commun. Networks.

[14]  Chenyu Wang,et al.  A Provably Secure Biometrics-Based Authentication Scheme for Multiserver Environment , 2019, Secur. Commun. Networks.

[15]  Daojing He,et al.  An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks , 2011, Journal of Zhejiang University SCIENCE C.

[16]  Ping Wang,et al.  On the Implications of Zipf's Law in Passwords , 2016, ESORICS.

[17]  Jian Shen,et al.  Efficient Privacy-Aware Authentication Scheme for Mobile Cloud Computing Services , 2018, IEEE Systems Journal.

[18]  Chih-Ming Hsiao,et al.  A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients , 2013, Future Gener. Comput. Syst..

[19]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[20]  Samiran Chattopadhyay,et al.  A Secure Authentication Protocol for Multi-Server-Based E-Healthcare Using a Fuzzy Commitment Scheme , 2019, IEEE Access.

[21]  Benoit Feix,et al.  Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms , 2007, Selected Areas in Cryptography.

[22]  Chin-Chen Chang,et al.  A Provably Secure, Efficient, and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks , 2016, IEEE Transactions on Wireless Communications.

[23]  Ping Wang,et al.  Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity , 2015, Inf. Sci..

[24]  Yongge Wang,et al.  Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks , 2012, IACR Cryptol. ePrint Arch..

[25]  Saru Kumari,et al.  Secure Remote User Mutual Authentication Scheme with Key Agreement for Cloud Environment , 2019, Mob. Networks Appl..

[26]  Xiaotie Deng,et al.  Two-factor mutual authentication based on smart cards and passwords , 2008, J. Comput. Syst. Sci..

[27]  Sheetal Kalra,et al.  Advanced remote user authentication protocol for multi-server architecture based on ECC , 2013, J. Inf. Secur. Appl..

[28]  Jongho Moon,et al.  Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme , 2017, Int. J. Netw. Secur..

[29]  Wang Shiuh-Jeng,et al.  Refereed paper: Smart card based secure password authentication scheme , 1996 .

[30]  Muhammad Sher,et al.  An efficient and anonymous Chaotic Map based authenticated key agreement for multi-server architecture , 2016, KSII Trans. Internet Inf. Syst..

[31]  Xiong Li,et al.  An improved remote user authentication scheme with key agreement , 2014, Comput. Electr. Eng..

[32]  Mike Burmester,et al.  On the Risk of Opening Distributed Keys , 1994, CRYPTO.

[33]  Peilin Hong,et al.  A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks , 2013, J. Netw. Comput. Appl..

[34]  Dongho Won,et al.  Cryptanalysis of flexible remote password authentication scheme of ICN'01 , 2002 .

[35]  Chin-Chen Chang,et al.  An Untraceable Biometric-Based Multi-server Authenticated Key Agreement Protocol with Revocation , 2016, Wirel. Pers. Commun..

[36]  Jenq-Shiou Leu,et al.  Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards , 2014, IET Inf. Secur..

[37]  Ping Wang,et al.  Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment , 2015, IEEE Transactions on Dependable and Secure Computing.

[38]  Benhui Chen,et al.  Comments on "Provably Secure Dynamic Id-Based Anonymous Two-Factor Authenticated Key Exchange Protocol With Extended Security Model" , 2019, IEEE Trans. Inf. Forensics Secur..

[39]  Xiaoming Wang,et al.  Authentication scheme based on smart card in multi-server environment , 2020, Wirel. Networks.

[40]  Jia-Lun Tsai,et al.  Efficient multi-server authentication scheme based on one-way hash function without verification table , 2008, Comput. Secur..

[41]  Hu Xiong,et al.  Enabling Telecare Medical Information Systems With Strong Authentication and Anonymity , 2017, IEEE Access.

[42]  SK Hafizul Islam,et al.  Design and analysis of an improved smartcard‐based remote user password authentication scheme , 2016, Int. J. Commun. Syst..

[43]  Ping Wang,et al.  Zipf’s Law in Passwords , 2017, IEEE Transactions on Information Forensics and Security.

[44]  Xiong Li,et al.  A Secure Three-Factor Multiserver Authentication Protocol against the Honest-But-Curious Servers , 2018, Wirel. Commun. Mob. Comput..

[45]  Joel J. P. C. Rodrigues,et al.  Secure Three-Factor User Authentication Scheme for Renewable-Energy-Based Smart Grid Environment , 2017, IEEE Transactions on Industrial Informatics.

[46]  Yixian Yang,et al.  Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards , 2015, PloS one.

[47]  Woei-Jiunn Tsaur,et al.  A Flexible User Authentication Scheme for Multi-server Internet Services , 2001, ICN.

[48]  Shuenn-Shyang Wang,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[49]  Vanga Odelu,et al.  A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards , 2015, IEEE Transactions on Information Forensics and Security.

[50]  Debiao He,et al.  An efficient and secure 3‐factor user‐authentication protocol for multiserver environment , 2018, Int. J. Commun. Syst..

[51]  Qi Xie,et al.  Security Analysis of a Single Sign-On Mechanism for Distributed Computer Networks , 2013, IEEE Transactions on Industrial Informatics.

[52]  Jian Song,et al.  A Novel Multiserver Authentication Protocol with Multifactors for Cloud Service , 2018, Secur. Commun. Networks.

[53]  Manik Lal Das,et al.  Two-factor user authentication in wireless sensor networks , 2009, IEEE Transactions on Wireless Communications.

[54]  Muhammad Khurram Khan,et al.  A Two-Factor RSA-Based Robust Authentication System for Multiserver Environments , 2017, Secur. Commun. Networks.

[55]  Yi Mu,et al.  An Efficient Generic Framework for Three-Factor Authentication With Provably Secure Instantiation , 2014, IEEE Transactions on Information Forensics and Security.

[56]  Debiao He,et al.  Robust Biometrics-Based Authentication Scheme for Multiserver Environment , 2015, IEEE Systems Journal.

[57]  Ping Wang,et al.  The Request for Better Measurement: A Comparative Evaluation of Two-Factor Authentication Schemes , 2016, AsiaCCS.

[58]  Wei-Bin Lee,et al.  An enhanced user authentication scheme for multi-server Internet services , 2005, Appl. Math. Comput..

[59]  Ping Wang,et al.  Efficient Multi-Factor User Authentication Protocol with Forward Secrecy for Real-Time Data Access in WSNs , 2020, ACM Trans. Cyber Phys. Syst..

[60]  Ping Wang,et al.  Targeted Online Password Guessing: An Underestimated Threat , 2016, CCS.

[61]  Arup Kumar Pal,et al.  An efficient three factor-based authentication scheme in multiserver environment using ECC , 2018, Int. J. Commun. Syst..

[62]  Chin-Laung Lei,et al.  User authentication scheme with privacy-preservation for multi-server environment , 2009, IEEE Communications Letters.

[63]  Willy Susilo,et al.  Secure Remote User Authenticated Key Establishment Protocol for Smart Home Environment , 2020, IEEE Transactions on Dependable and Secure Computing.

[64]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[65]  Dheerendra Mishra,et al.  Design and Analysis of a Provably Secure Multi-server Authentication Scheme , 2016, Wirel. Pers. Commun..

[66]  Jianfeng Ma,et al.  Improvement of robust smart‐card‐based password authentication scheme , 2015, Int. J. Commun. Syst..

[67]  Fan Wu,et al.  A New Chaotic Map-Based Authentication and Key Agreement Scheme with User Anonymity for Multi-server Environment , 2017 .

[68]  Elizabeth Stobert,et al.  The Password Life Cycle , 2018, ACM Trans. Priv. Secur..

[69]  Xinyi Huang,et al.  Secure and Efficient Two-Factor Authentication Protocol Using RSA Signature for Multi-server Environments , 2017, ICICS.

[70]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[71]  Athanasios V. Vasilakos,et al.  On the Design of Provably Secure Lightweight Remote User Authentication Scheme for Mobile Cloud Computing Services , 2017, IEEE Access.

[72]  Xiong Li,et al.  A new and secure authentication scheme for wireless sensor networks with formal proof , 2017, Peer-to-Peer Netw. Appl..

[73]  Nasir D. Memon How Biometric Authentication Poses New Challenges to Our Security and Privacy [In the Spotlight] , 2017, IEEE Signal Process. Mag..

[74]  Cheng-Chi Lee,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards , 2011, Expert Syst. Appl..

[75]  Chin-Chen Chang,et al.  Remote password authentication with smart cards , 1991 .

[76]  Muhammad Khurram Khan,et al.  Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks , 2016, Comput. Networks.

[77]  Nenghai Yu,et al.  Anonymous authentication scheme for smart home environment with provable security , 2019, Comput. Secur..

[78]  Min-Shiang Hwang,et al.  A new remote user authentication scheme for multi-server architecture , 2003, Future Gener. Comput. Syst..

[79]  Ankur Gupta,et al.  A lightweight anonymous user authentication and key establishment scheme for wearable devices , 2019, Comput. Networks.

[80]  Wei Liang,et al.  An Enhancement of a Smart Card Authentication Scheme for Multi-server Architecture , 2015, Wirel. Pers. Commun..

[81]  Sherali Zeadally,et al.  Lightweight Three-Factor Authentication and Key Agreement Protocol for Internet-Integrated Wireless Sensor Networks , 2017, IEEE Access.

[82]  Li Xu,et al.  Further Observations on Smart-Card-Based Password-Authenticated Key Agreement in Distributed Systems , 2014, IEEE Transactions on Parallel and Distributed Systems.

[83]  Ping Wang,et al.  Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound , 2018, IEEE Transactions on Dependable and Secure Computing.

[84]  Yuting Xiao,et al.  Efficient Multi-Factor Authenticated Key Exchange Scheme for Mobile Communications , 2019, IEEE Transactions on Dependable and Secure Computing.

[85]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[86]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[87]  Feng Hao On Robust Key Agreement Based on Public Key Authentication , 2010, Financial Cryptography.

[88]  Ximeng Liu,et al.  SUAA: A Secure User Authentication Scheme with Anonymity for the Single & Multi-server Environments , 2019, Inf. Sci..

[89]  Robert H. Deng,et al.  A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems , 2011, IEEE Transactions on Parallel and Distributed Systems.

[90]  Shashikala Tapaswi,et al.  Robust Smart Card Authentication Scheme for Multi-server Architecture , 2013, Wireless Personal Communications.

[91]  Chunguang Ma,et al.  Security flaws in two improved remote user authentication schemes using smart cards , 2014, Int. J. Commun. Syst..

[92]  Guoai Xu,et al.  A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment , 2018, Secur. Commun. Networks.

[93]  Victor I. Chang,et al.  A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment , 2018, Future Gener. Comput. Syst..

[94]  Chin-Chen Chang,et al.  Using smart cards to authenticate remote passwords , 1993 .

[95]  Ying Wang,et al.  Cryptanalysis of Two Efficient Password-based Authentication Schemes Using Smart Cards , 2015, Int. J. Netw. Secur..

[96]  Ping Wang,et al.  On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions , 2014, Comput. Networks.

[97]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[98]  Jian Ma,et al.  An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards , 2012, J. Netw. Comput. Appl..

[99]  Muhammad Sher,et al.  An Anonymous and Efficient Multiserver Authenticated Key Agreement With Offline Registration Centre , 2019, IEEE Systems Journal.

[100]  Dariush Abbasinezhad-Mood,et al.  Three party secure data transmission in IoT networks through design of a lightweight authenticated key agreement scheme , 2019, Future Gener. Comput. Syst..

[101]  Kuo-Yu Tsai,et al.  Analysis and design of a smart card based authentication protocol , 2013, Journal of Zhejiang University SCIENCE C.

[102]  Sherali Zeadally,et al.  Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures , 2016, IEEE Transactions on Information Forensics and Security.