A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients

With the widespread promotion in e-commerce, the number of service servers providing Internet applications to the users is usually more than one and hence secure authentication protocols for multi-server environment are required. On the other hand, people may obtain their service by using the mobile devices in ubiquitous computing environment. Considering the mobile devices with limited energy resources and computing capability, the design of the secure authentication scheme suitable for mobile clients is a nontrivial challenge. In 2008, Tseng et al. proposed a pairing-based user authentication scheme for mobile clients with limited computing capability. They claimed that their scheme can be well applied to the remote user authentication scheme for multi-server environment. However, Tseng et al.'s scheme cannot provide mutual authentication and session key agreement. In this paper, we will show that Tseng et al.'s scheme cannot withstand an insider attack, offline dictionary attack and malicious server attack. Hence, we present a novel pairing-based remote user authentication for multi-server environment. The proposed scheme first provides a more secure key distribution based on self-certified public keys (SCPKs) among the service servers. The proposed scheme can achieve mutual authentication and session key agreement. To withstand an offline dictionary attack due to mobile devices security breach, the proposed scheme enhances the password change phase with the help of the registration server. Security analysis shows that our scheme can withstand various possible attacks resulting from the multi-server environment. Performance analysis and function comparisons demonstrate that the proposed scheme is well suited for mobile clients.

[1]  John T. Kohl,et al.  The Evolution of the Kerberos Authentication Service , 1992 .

[2]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[3]  Min-Shiang Hwang,et al.  A modified remote user authentication scheme using smart cards , 2003, IEEE Trans. Consumer Electron..

[4]  Michael Scott,et al.  Implementing Cryptographic Pairings on Smartcards , 2006, CHES.

[5]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[6]  Wen-Shenq Juang,et al.  Efficient password authenticated key agreement using bilinear pairings , 2008, Math. Comput. Model..

[7]  Kazuhiro Yokoyama,et al.  Elliptic curve cryptosystem , 2000 .

[8]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[9]  Guanfei Fang,et al.  Improvement of recently proposed Remote User Authentication Schemes , 2006, IACR Cryptol. ePrint Arch..

[10]  Atul Negi,et al.  Cryptanalysis of recently proposed Remote User Authentication Schemes , 2006, IACR Cryptol. ePrint Arch..

[11]  Lijiang Zhang,et al.  A Dynamic ID-Based User Authentication and Key Agreement Scheme for Multi-Server Environment Using Bilinear Pairings , 2008, 2008 Workshop on Power Electronics and Intelligent Transportation System.

[12]  Woei-Jiunn Tsaur,et al.  A Flexible User Authentication Scheme for Multi-server Internet Services , 2001, ICN.

[13]  Cheng-Chi Lee,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards , 2011, Expert Syst. Appl..

[14]  Shuenn-Shyang Wang,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[15]  Hung-Min Sun,et al.  An Efficient Remote User Authentication Scheme Using Smart Cards , 2000 .

[16]  Cheng-Chi Lee,et al.  A flexible remote user authentication scheme using smart cards , 2002, OPSR.

[17]  Jung Hee Cheon,et al.  Batch Verifications with ID-Based Signatures , 2004, ICISC.

[18]  Nigel P. Smart,et al.  AN IDENTITY BASED AUTHENTICATED KEY AGREEMENT PROTOCOL BASED ON THE WEIL PAIRING , 2001 .

[19]  Min-Shiang Hwang,et al.  A new remote user authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[20]  Wen-Shenq Juang,et al.  Efficient multi-server password authenticated key agreement using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[21]  Wei-Chi Ku,et al.  Impersonation Attack on a Dynamic ID-Based Remote User Authentication Scheme Using Smart Cards , 2005, IEICE Trans. Commun..

[22]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[23]  Yuh-Min Tseng,et al.  A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards , 2008, Informatica.

[25]  Yuh-Min Tseng GPRS/UMTS-aided authentication protocol for wireless LANs , 2006 .

[26]  Xiaoping Wu,et al.  Cryptanalysis of a Remote User Authentication Scheme Using Smart Cards , 2009, 2009 5th International Conference on Wireless Communications, Networking and Mobile Computing.

[27]  Liqun Chen,et al.  Identity based authenticated key agreement protocols from pairings , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[28]  Hung-Min Sun,et al.  An efficient remote use authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[29]  Kuldip Singh,et al.  A secure dynamic identity based authentication protocol for multi-server architecture , 2011, J. Netw. Comput. Appl..

[30]  Ashutosh Saxena,et al.  A novel remote user authentication scheme using bilinear pairings , 2006, Comput. Secur..

[31]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[32]  Debasis Giri,et al.  An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings , 2007, IACR Cryptol. ePrint Arch..

[33]  Kenneth G. Paterson,et al.  ID-based Signatures from Pairings on Elliptic Curves , 2002, IACR Cryptol. ePrint Arch..

[34]  Chin-Chen Chang,et al.  An efficient and secure multi-server password authentication scheme using smart cards , 2004, 2004 International Conference on Cyberworlds.

[35]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[36]  Min-Shiang Hwang,et al.  A new remote user authentication scheme for multi-server architecture , 2003, Future Gener. Comput. Syst..

[37]  Ashutosh Saxena,et al.  An improved bilinear pairing based remote user authentication scheme , 2009, Comput. Stand. Interfaces.

[38]  Amit K. Awasthi Comment on A dynamic ID-based Remote User Authentication Scheme , 2004, ArXiv.

[39]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[40]  Markus Jakobsson,et al.  Threshold Password-Authenticated Key Exchange , 2002, Journal of Cryptology.

[41]  Zhijie Jerry Shi,et al.  Studying Software Implementations of Elliptic Curve Cryptography , 2006, Third International Conference on Information Technology: New Generations (ITNG'06).

[42]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[43]  Amit K. Awasthi,et al.  An enhanced remote user authentication scheme using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[44]  Ashutosh Saxena,et al.  A dynamic ID-based remote user authentication scheme , 2004, IEEE Transactions on Consumer Electronics.

[45]  Marc Girault,et al.  Self-Certified Public Keys , 1991, EUROCRYPT.

[46]  Chun-I Fan,et al.  Robust remote authentication scheme with smart cards , 2005, Comput. Secur..

[47]  Yalin Chen,et al.  Improvement of Manik et al.¡¦s remote user authentication scheme , 2005, IACR Cryptol. ePrint Arch..

[48]  Chin-Chen Chang,et al.  Some Forgery Attacks on a Remote User Authentication Scheme Using Smart Cards , 2003, Informatica.

[49]  Markus Jakobsson,et al.  Mutual Authentication for Low-Power Mobile Devices , 2002, Financial Cryptography.

[50]  Min-Shiang Hwang,et al.  A remote password authentication scheme for multiserver architecture using neural networks , 2001, IEEE Trans. Neural Networks.

[51]  Chien-Lung Hsu,et al.  Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks , 2004, Comput. Secur..

[52]  Wei-Chi Ku,et al.  Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[53]  Robert H. Deng,et al.  New efficient user identification and key distribution scheme providing enhanced security , 2004, Comput. Secur..

[54]  Chi-Kwong Chan,et al.  Cryptanalysis of a modified remote user authentication scheme using smart cards , 2003, IEEE Trans. Consumer Electron..

[55]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[56]  Hyang-Sook Lee,et al.  IDENTITY BASED AUTHENTICATED KEY AGREEMENT FROM PAIRINGS , 2005 .

[57]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[58]  Patrick Horster,et al.  Self-certified keys — Concepts and Applications , 1997 .