Cryptanalysis and Improvement of a Robust Smart Card Authentication Scheme for Multi-server Architecture

A multi-server authentication scheme enables a remote user to access the services provided by multiple servers after registering with the registration center. Recently, Pippal et al. (Wirel Pers Commun 2013, doi:10.1007/s11277-013-1039-6) introduced a robust smart card authentication scheme for multi-server architecture. They also illustrated that their scheme could be free from potential network attacks, and validated the scheme by using BAN logic. In this paper, by presenting concrete attacks, we demonstrate that Pippal et al.’s scheme can not withstand off-line password guessing attacks, impersonation attacks and privileged insider attacks. Furthermore, to overcome these attacks, we propose an improved authentication scheme for multi-server architecture using smart card and password. Security and efficiency analysis indicates that our scheme not only actually achieves intended security goals (e.g., two-factor authentication, perfect forward secrecy etc.), but also is efficient enough to be implemented for practical applications.

[1]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[2]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..

[3]  Ching-Hsiang Chang,et al.  Novel Untraceable Authenticated Key Agreement Protocol Suitable for Mobile Communication , 2013, Wirel. Pers. Commun..

[4]  Min-Shiang Hwang,et al.  A new remote user authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[5]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[6]  Cheng-Chi Lee,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards , 2011, Expert Syst. Appl..

[7]  Kuldip Singh,et al.  A secure dynamic identity based authentication protocol for multi-server architecture , 2011, J. Netw. Comput. Appl..

[8]  Yu-Chung Chiu,et al.  Improved remote authentication scheme with smart card , 2005, Comput. Stand. Interfaces.

[9]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[10]  Jian Ma,et al.  An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards , 2012, J. Netw. Comput. Appl..

[11]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.

[12]  Bin Wang,et al.  A Smart Card Based Efficient and Secured Multi-Server Authentication Scheme , 2012, Wireless Personal Communications.

[13]  Debiao He,et al.  Security Flaws in a Smart Card Based Authentication Scheme for Multi-server Environment , 2012, Wireless Personal Communications.

[14]  Shashikala Tapaswi,et al.  Robust Smart Card Authentication Scheme for Multi-server Architecture , 2013, Wireless Personal Communications.

[15]  Chin-Laung Lei,et al.  Provably secure and efficient identification and key agreement protocol with user anonymity , 2011, J. Comput. Syst. Sci..