Design and Analysis of a Provably Secure Multi-server Authentication Scheme

Abstract Authenticated key agreement protocols play an important role to ensure authorized and secure communication over public network. In recent years, several authentication protocols have been proposed for single-server environment. Most of these protocols present efficient and secure solution for single-server environment. However, adoption of these protocols for multi-server environment is not feasible as user have to register on each server, separately. On the contrary, multi-server authentication schemes require single registration. The one time registration mechanism makes the system user-friendly and supports inter-operability. Unfortunately, most of the existing multi-server authentication schemes require all servers to be trusted, involvement of central authority in mutual authentication or multiple secret keys. In general, a servers may be semi-trusted, thus considering all server to be trusted does not seems to be realistic scenario. Involvement of central authority in mutual authentication may create bottleneck scenario for large network. Also, computation of multiple secret keys may not be suitable for smart card based environment as smart card keeps limited storage space. To overcome these drawbacks, we aim to design an authentication scheme for multi-server environment, where all servers does not need to be trusted, central authority does not require in mutual authentication and smart card need not to store multiple secret keys. In this paper, we first analyze the security of recently proposed Yeh’s smart card based multi-server authentication scheme (Yeh in Wirel Pers Commun 79(3):1621–1634, 2014). We show that Yeh’s scheme does not resist off-line password guessing attack, insider attack and user impersonation attack. Furthermore, we propose an efficient multi-server authentication scheme which does not require all servers to be trusted, central authority no longer needed in authentication and smart card need not to store multiple secret keys. We prove the correctness of mutual authentication of our scheme using the widely-accepted BAN logic. Through the security analysis, we show that our scheme is secure against various known attacks including the attacks found in Yeh’s scheme. In addition, the proposed scheme is comparable in terms of the communication and computational overheads with related schemes.

[1]  Chin-Chen Chang,et al.  An efficient and secure multi-server password authentication scheme using smart cards , 2004, 2004 International Conference on Cyberworlds.

[2]  Xiang Cao,et al.  Breaking a remote user authentication scheme for multi-server architecture , 2006, IEEE Communications Letters.

[3]  Mihir Bellare,et al.  Collision-Resistant Hashing: Towards Making UOWHFs Practical , 1997, CRYPTO.

[4]  Jian Ma,et al.  An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards , 2012, J. Netw. Comput. Appl..

[5]  Kuo-Hui Yeh,et al.  A Provably Secure Multi-server Based Authentication Scheme , 2014, Wirel. Pers. Commun..

[6]  Sourav Mukhopadhyay,et al.  An improved biometric-based remote user authentication scheme for connected healthcare , 2015, Int. J. Ad Hoc Ubiquitous Comput..

[7]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[8]  Yalin Chen,et al.  Comments on four multi-server authentication protocols using smart card , 2012, IACR Cryptol. ePrint Arch..

[9]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[10]  Min-Shiang Hwang,et al.  A new remote user authentication scheme for multi-server architecture , 2003, Future Gener. Comput. Syst..

[11]  Minh-Triet Tran,et al.  Robust Secure Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment , 2013, ICCSA.

[12]  Muhammad Khurram Khan,et al.  On the security of an authentication scheme for multi-server architecture , 2013, Int. J. Electron. Secur. Digit. Forensics.

[13]  Yuanyuan Zhang,et al.  Cryptanalysis and Improvement of an Anonymous Authentication Protocol for Wireless Access Networks , 2013, Wireless Personal Communications.

[14]  Dheerendra Mishra On the Security Flaws in ID-based Password Authentication Schemes for Telecare Medical Information Systems , 2014, Journal of Medical Systems.

[15]  David Pointcheval,et al.  Interactive Diffie-Hellman Assumptions with Applications to Password-Based Authentication , 2005, Financial Cryptography.

[16]  Jia-Lun Tsai,et al.  Efficient multi-server authentication scheme based on one-way hash function without verification table , 2008, Comput. Secur..

[17]  Jian Shen,et al.  A Novel Routing Protocol Providing Good Transmission Reliability in Underwater Sensor Networks , 2015 .

[18]  Raghavendra Mishra,et al.  A Privacy Preserving Secure and Efficient Authentication Scheme for Telecare Medical Information Systems , 2015, Journal of Medical Systems.

[19]  Sourav Mukhopadhyay,et al.  Improved Biometric-Based Three-factor Remote User Authentication Scheme with Key Agreement Using Smart Card , 2013, ICISS.

[20]  Sk Hafizul Islam,et al.  Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps , 2014 .

[21]  Risto Mononen,et al.  Security and Authentication in the Mobile World , 2002, Wirel. Pers. Commun..

[22]  Bin Wang,et al.  A Smart Card Based Efficient and Secured Multi-Server Authentication Scheme , 2012, Wireless Personal Communications.

[23]  Jong Hyuk Park,et al.  Authentication and ID-Based Key Management Protocol in Pervasive Environment , 2010, Wirel. Pers. Commun..

[24]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[25]  Cheng-Chi Lee,et al.  Cryptanalysis of a Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment , 2009, 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).

[26]  Sourav Mukhopadhyay,et al.  Cryptanalysis of Yang et al.'s Digital Rights Management Authentication Scheme Based on Smart Card , 2014, SNDS.

[27]  Wei-Bin Lee,et al.  An efficient and secure multi-server authentication scheme with key agreement , 2012, J. Syst. Softw..

[28]  Shuenn-Shyang Wang,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[29]  Colin Boyd,et al.  On a Limitation of BAN Logic , 1994, EUROCRYPT.

[30]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[31]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[32]  María Naya-Plasencia,et al.  Quark: A Lightweight Hash , 2010, CHES.

[33]  Yalin Chen,et al.  Comments on Three Multi-Server Authentication Protocols , 2013, IACR Cryptol. ePrint Arch..

[34]  Sagar Patil,et al.  A novel proxy signature scheme based on user hierarchical access control policy , 2013, J. King Saud Univ. Comput. Inf. Sci..

[35]  Naveen K. Chilamkurti,et al.  A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks , 2015, Inf. Sci..

[36]  Wen-Shenq Juang,et al.  Efficient multi-server password authenticated key agreement using smart cards , 2004, IEEE Transactions on Consumer Electronics.

[37]  Paul F. Syverson,et al.  The Logic of Authentication Protocols , 2000, FOSAD.

[38]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[39]  Colin Boyd,et al.  Protocols for Authentication and Key Establishment , 2003, Information Security and Cryptography.

[40]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[41]  Jin Wang,et al.  A Variable Threshold-Value Authentication Architecture for Wireless Mesh Networks , 2014 .

[42]  Jian Ma,et al.  A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments , 2013, Math. Comput. Model..

[43]  Min-Shiang Hwang,et al.  A remote password authentication scheme for multiserver architecture using neural networks , 2001, IEEE Trans. Neural Networks.

[44]  Debiao He,et al.  Security Flaws in a Smart Card Based Authentication Scheme for Multi-server Environment , 2012, Wireless Personal Communications.

[45]  Sherali Zeadally,et al.  Authentication protocol for an ambient assisted living system , 2015, IEEE Communications Magazine.

[46]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[47]  Debiao He,et al.  Robust Biometrics-Based Authentication Scheme for Multiserver Environment , 2015, IEEE Systems Journal.

[48]  Kuldip Singh,et al.  A secure dynamic identity based authentication protocol for multi-server architecture , 2011, J. Netw. Comput. Appl..

[49]  Shashikala Tapaswi,et al.  Robust Smart Card Authentication Scheme for Multi-server Architecture , 2013, Wireless Personal Communications.

[50]  Cheng-Chi Lee,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards , 2011, Expert Syst. Appl..

[51]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.