Abstract
In the past two decades, numerous two-factor authentication protocols using a smart card and password have been proposed for the multi-server environment. Sahoo et al. recently proposed an authentication protocol for multi-server environments. Our cryptanalysis shows that the Sahoo et al. scheme is susceptible to several attacks, including offline password guessing, spoofing, replay and smart-card-lost attacks. Their scheme also does not truly provide two-factor security. We propose a new secure, mutually authenticated key-sharing protocol for the multi-server environment to overcome the security flaws in their scheme. We formally prove the secure authentication of the proposed scheme using Burrows–Abadi–Needham logic and simulate various attacks with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Additionally, we provide an informal security analysis to show the security and functionality features of the proposed scheme. Moreover, the security and performance comparison results show that the proposed scheme offers better security and performance.
References
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24, 770–772.
Chang, C. C., & Wu, T. C. (1991). Remote password authentication with smart cards. In Proceedings of the computers and digital techniques (pp. 165–168).
Wang, D., & Wang, P. (2016). Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Transactions on Dependable and Secure Computing. https://doi.org/10.1109/TDSC.2016.2605087.
Jan, J. K., & Chen, Y. Y. (1998). 'Paramita wisdom' password authentication scheme without verification tables. Journal of Systems and Software, 42, 45–57.
Hwang, M. S., & Li, L. H. (2000). New remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46, 28–30.
Awasthi, A. K., & Lal, S. (2004). An enhanced remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 50(2), 583–586.
Li, L. H., Lin, L. C., & Hwang, M. S. (2001). A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Networks, 2, 1498–1504.
Lin, I. C., Hwang, M. S., & Li, L. H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19, 13–22.
Juang, W. S. (2004). Efficient multi-server password-authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50, 251–255.
Chao, J. (2012). An Improved remote password authentication scheme with a smart card. Journal of Electronics, 29, 550–555.
Yoon, E. J., Ryu, E. K., & Yoo, K. Y. (2004). Efficient remote user authentication scheme based on generalized ElGamal signature scheme. IEEE Transactions on Consumer Electronics, 50, 568–570.
Das, M., Saxena, A., & Gulati, V. (2014). A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50, 629–631.
Liao, Y. P., & Wang, S. S. (2009). A secure dynamic ID-based remote user authentication scheme for a multi-server environment. Computer Standards & Interfaces, 31, 24–29.
Hsiang, H. C., & Shih, W. K. (2009). Improvement of the secure dynamic ID-based remote user authentication scheme for a multi-server environment. Computer Standards & Interfaces, 31, 1118–1123.
Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38, 13863–13870.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34, 609–618.
Li, X. J., et al. (2013). A novel smart card and dynamic ID based remote user authentication scheme for multi-server environment. Mathematical and Computer Modelling, 58, 85–95.
Saraswathi, S., Renukadevi, S., & Yogesh, P. (2015). Secure and efficient smart-card-based remote user authentication scheme for multi-server environment. IEEE Canadian Journal of Electrical and Computer Engineering, 38, 20–30.
Islam, S. K. (2016). Design and analysis of an improved smartcard based remote user password authentication scheme. International Journal of Communication Systems, 29, 708–1719.
Srinivas, J., Sourav, M., & Ashok Kumar, D. (2017). A multi-server environment with secure and efficient remote user authentication scheme based on dynamic ID using smart cards. Wireless Personal Communications, 95, 2735–2767.
Sahoo, S. S., Mohanty, S., & Majhi, B. (2018). An improved and secure two-factor dynamic ID based authenticated key agreement scheme for multi-server environment. Wireless Personal Communications, 101, 1307–1333.
Fan, C., Chan, Y., & Zhang, Z. (2005). Robust remote authentication scheme with smart cards. Computers & Security, 24(8), 619–628.
Yang, G. M., Wong, D. S., Wang, H. X., & Deng, X. T. (2008). Two-factor mutual authentication based on smart cards and passwords. Journal of Computer and System Sciences, 74(7), 1160–1172.
Xu, J., Zhu, W., & Feng, D. (2009). An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 31(4), 723–728.
Shirvanian, M., Jarecki, S., Saxena, N., & Nathan, N. (2014). Two-factor authentication resilient to server compromise using mix-bandwidth devices. In Proceedings of the NDSS 2014 (pp. 1–16). The Internet Society.
Wu, S. H., Zhu, Y. F., & Pu, Q. (2012). Robust smart-cards-based user authentication scheme with user anonymity. Security and Communication Networks, 5(2), 236–248.
Wang, D., Ma, C. G., & Wu, P. (2012). Secure password-based remote user authentication scheme with non-tamper resistant smart cards. In Proceedings of the DBSec 2012, ser. LNCS (pp. 114–121). Springer.
Tsai, J.-L., Lo, N.-W., & Wu, T.-C. (2013). Novel anonymous authentication scheme using smart cards. IEEE Transactions on Industrial Informatics, 9(4), 2004–2013.
Li, X., Niu, J., Khan, M. K., & Liao, J. (2013). An enhanced smart card based remote user password authentication scheme. Journal of Network and Computer Applications, 36(5), 1365–1371.
Madhusudhan, R., & Mittal, R. (2012). Dynamic id-based remote user password authentication schemes using smart cards: A review. Journal of Network and Computer Applications, 35(4), 1235–1248.
Kumari, S., & Khan, M. K. (2014). Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme’. International Journal of Communication Systems, 27(12), 3939–3955.
Byun, J. W. (2015). Privacy preserving smartcard-based authentication system with provable security. Security and Communication Networks, 8(17), 3028–3044.
Jiang, Q., Ma, J., Li, G., & Li, X. (2015). Improvement of robust smart-card-based password authentication scheme. International Journal of Communication Systems, 28(2), 383–393.
Truong, T.-T., Tran, M.-T., Duong, A.-D., & Echizen, I. (2015). Chaotic Chebyshev polynomials based remote user authentication scheme in client–server environment. Proceedings of the SEC, 2015, 479–494.
Guosheng, X., Shuming, Q., Haseeb, A., Guoai, X., Yanhui, G., Miao, Z., et al. (2018). A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography. Sensors, 2018(18), 1–19.
Chenyu, W., Guoai, X., & Wenting, L. (2018). A secure and anonymous two-factor authentication protocol in multi-server environment. Security and Communication Networks, 2018, 1–15.
Hao, L., Fengtong, W., & Chunxia, D. (2015). An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wireless Personal Communications, 2015(84), 2351–2362.
Subhas, B., Ashok Kumar, D., Debasis, S., Samiran, C., Joel, J. P. C. R., & Youngho, P. (2018). Provably secure multi-server authentication protocol using fuzzy commitment. IEEE Access, 6, 38578–38594.
Burrows, M., Abadi, R., & Needham, A. (1990). Logic of authentication. ACM Transactions on Computer Systems, 8, 18–36.
Security Protocol Animator for AVISPA. Retrieved September, 2017, from http://www.irisa.fr/celtique/genet/span/.
AVISPA. Automated validation of internet security protocols and applications. Retrieved 2006, from http://www.avispa-project.org/.
Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Proceedings of 19th annual international cryptology conference CRYPTO’99 (pp. 388–397).
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51, 541–552.
Bonneau, J. (2012). The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proceedings of the IEEE S&P (pp. 538–552).
Ma, J., Yang, W., Luo, M., & Li, N. (2014). A study of probabilistic password models. In Proceedings of the IEEE S&P 2014 (pp. 538–552). IEEE.
Cite this article
Sudhakar, T., Natarajan, V., Gopinath, M. et al. An Enhanced Authentication Protocol for Multi-server Environment Using Password and Smart Card. Wireless Pers Commun 115, 2779–2803 (2020). https://doi.org/10.1007/s11277-020-07462-4