A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card

AbstractIn network based services, remote user authentication has become an important and challenging part to ensure authorized access of resource. The traditional two party architectures are not enough to present scalable solution to multi-server environment as user need to follow multiple registrations. On the other hands, multi-server authentication scheme resolves the repeated registration issue, where one time registration is enough to access the multiple servers of an architecture. To achieve efficient solution, Pippel et al. (Wirel Pers Commun 72(1):729–745, 2013) proposed a smart card based authentication scheme for multi-server environment. However, Li et al. (Int J Commun Syst 28(2):374–382, 2015) proved that Pippel et al.’s (2013) proposed scheme is insecure and proposed an improvement to overcome the drawbacks found in Pipple et al.’s scheme. In this paper, we show that Li et al.’s scheme also vulnerable to the known attacks, namely, password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. We then propose a secure multi-server authentication scheme to withstand the security pitfalls find in the Li et al.’s scheme while retaining the merits of Li et al.’s scheme. Using the widely accepted BAN logic we show that our scheme provides secure mutual authentication. In addition, we prove that our scheme is secure against all known attacks including password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. Our scheme requires less communication and computation overhead as compared to the existing related scheme. Our scheme provides high security along with less computation and communication overheads as compared to the other related existing schemes in the literature, and as a result, our scheme is much suitable for practical applications.

[1]  Kuo-Hui Yeh,et al.  A Provably Secure Multi-server Based Authentication Scheme , 2014, Wirel. Pers. Commun..

[2]  Marko Hölbl,et al.  A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion , 2014, Ad Hoc Networks.

[3]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[4]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[5]  Eun-Jun Yoon,et al.  Cryptanalysis of Chang-Chang-s EC-PAKA Protocol for Wireless Mobile Networks , 2012 .

[6]  Wei Liang,et al.  An Enhancement of a Smart Card Authentication Scheme for Multi-server Architecture , 2015, Wirel. Pers. Commun..

[7]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[8]  Min-Shiang Hwang,et al.  A modified remote user authentication scheme using smart cards , 2003, IEEE Trans. Consumer Electron..

[9]  Di Liu,et al.  A Stationary Wavelet Transform Based Approach to Registration of Planning CT and Setup Cone beam-CT Images in Radiotherapy , 2014, Journal of Medical Systems.

[10]  Jenq-Shiou Leu,et al.  An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures , 2014, The Journal of Supercomputing.

[11]  Jian Ma,et al.  An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards , 2012, J. Netw. Comput. Appl..

[12]  Shiuh-Pyng Shieh,et al.  Password authentication schemes with smart cards , 1999, Comput. Secur..

[13]  Cheng-Chi Lee,et al.  A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps , 2013 .

[14]  Dongho Won,et al.  Countermeasure on Password-Based Authentication Scheme for Multi-server Environments , 2014 .

[15]  Lein Harn,et al.  Generalized Digital Certificate for User Authentication and Key Establishment for Secure Communications , 2011, IEEE Transactions on Wireless Communications.

[16]  Vanga Odelu,et al.  A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks , 2015, Secur. Commun. Networks.

[17]  Shuenn-Shyang Wang,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[18]  Xiong Li,et al.  Robust three-factor remote user authentication scheme with key agreement for multimedia systems , 2016, Secur. Commun. Networks.

[19]  Sourav Mukhopadhyay,et al.  A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards , 2014, Expert Syst. Appl..

[20]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[21]  Shashikala Tapaswi,et al.  Robust Smart Card Authentication Scheme for Multi-server Architecture , 2013, Wireless Personal Communications.

[22]  Cheng-Chi Lee,et al.  A Secure Chaotic Maps and Smart Cards Based Password Authentication and Key Agreement Scheme with User Anonymity for Telecare Medicine Information Systems , 2014, Journal of Medical Systems.

[23]  Cheng-Chi Lee,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards , 2011, Expert Syst. Appl..

[24]  Chin-Chen Chang,et al.  Some Forgery Attacks on a Remote User Authentication Scheme Using Smart Cards , 2003, Informatica.

[25]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[26]  Cheng-Chi Lee,et al.  A simple remote user authentication scheme , 2002 .

[27]  Mohammad Sabzinejad Farash,et al.  An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps , 2014 .

[28]  Wen-Shenq Juang,et al.  Efficient multi-server password authenticated key agreement using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[29]  Wei-Bin Lee,et al.  A smart card-based remote scheme for password authentication in multi-server Internet services , 2004, Comput. Stand. Interfaces.

[30]  Hung-Min Sun,et al.  An efficient remote use authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[31]  Palash Sarkar,et al.  A Simple and Generic Construction of Authenticated Encryption with Associated Data , 2010, TSEC.

[32]  Kuldip Singh,et al.  A secure dynamic identity based authentication protocol for multi-server architecture , 2011, J. Netw. Comput. Appl..

[33]  Amit K. Awasthi,et al.  An enhanced remote user authentication scheme using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[34]  Ashutosh Saxena,et al.  A dynamic ID-based remote user authentication scheme , 2004, IEEE Transactions on Consumer Electronics.

[35]  Wei-Chi Ku,et al.  Impersonation Attack on a Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards , 2005, IEICE Trans. Commun..

[36]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[37]  Xiaofei Zhang,et al.  Reduced-Dimensional ESPRIT for Direction Finding in Monostatic MIMO Radar with Double Parallel Uniform Linear Arrays , 2014, Wirel. Pers. Commun..

[38]  Quynh H. Dang,et al.  Secure Hash Standard | NIST , 2015 .

[39]  Dongho Won,et al.  Cryptanalysis to a Remote User Authentication Scheme Using Smart Cards for Multi-server Environment , 2011, HCI.

[40]  Wen-Shenq Juang,et al.  Efficient password authenticated key agreement using smart cards , 2004, Comput. Secur..

[41]  Dheerendra Mishra Cryptanalysis of Multi-Server Authenticated Key Agreement Scheme Based on Trust Computing Using Smart Cards and Biometrics , 2014, ArXiv.

[42]  William Stallings,et al.  Cryptography and network security , 1998 .

[43]  Chin-Chen Chang,et al.  An efficient and secure multi-server password authentication scheme using smart cards , 2004, 2004 International Conference on Cyberworlds.

[44]  Min-Shiang Hwang,et al.  A new remote user authentication scheme for multi-server architecture , 2003, Future Gener. Comput. Syst..

[45]  Jia-Lun Tsai,et al.  A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks , 2012, Wireless Personal Communications.

[46]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[47]  Wei Liang,et al.  Cryptanalysis of a dynamic identity‐based remote user authentication scheme with verifiable password update , 2015, Int. J. Commun. Syst..

[48]  Douglas R. Stinson,et al.  Some Observations on the Theory of Cryptographic Hash Functions , 2006, Des. Codes Cryptogr..

[49]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[50]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.