A multi-server authentication scheme enables a remote user to access the services provided by multiple servers after registering with the registration center. Recently, Pippal et al. (Wirel Pers Commun 2013, doi:10.1007/s11277-013-1039-6) introduced a robust smart card authentication scheme for multi-server architecture. They also illustrated that their scheme could be free from potential network attacks, and validated the scheme by using BAN logic. In this paper, by presenting concrete attacks, we demonstrate that Pippal et al.’s scheme can not withstand off-line password guessing attacks, impersonation attacks and privileged insider attacks. Furthermore, to overcome these attacks, we propose an improved authentication scheme for multi-server architecture using smart card and password. Security and efficiency analysis indicates that our scheme not only actually achieves intended security goals (e.g., two-factor authentication, perfect forward secrecy etc.), but also is efficient enough to be implemented for practical applications.
Liao, E., Lee, C. C., & Hwang, M. S. (2006). A password authentication scheme over insecure networks. Journal of Computer and System Science, 72(4), 727–740.CrossRefzbMATHMathSciNetGoogle Scholar
Hwang, M., & Li, L. (2000). A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(1), 28–30.CrossRefGoogle Scholar
Lee, N. Y., & Chiu, Y. C. (2005). Improved remote authentication scheme with smart card. Computer Standards & Interfaces, 27(2), 177–180.CrossRefGoogle Scholar
Xu, J., Zhu, W. T., & Feng, D. G. (2009). An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 31(4), 723–728.CrossRefGoogle Scholar
Wang, R. C., Juang, W. S., & Lei, C. L. (2011). Provably secure and efficient identification and key agreement protocol with user anonymity. Journal of Computer and System Sciences, 77(4), 790–798.CrossRefzbMATHMathSciNetGoogle Scholar
Chang, C. C., Le, H. D., & Chang, C. H. (2013). Novel untraceable authenticated key agreement protocol suitable for mobile communication. Wireless Personal Communications, 71(1), 425–437.CrossRefGoogle Scholar
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.CrossRefGoogle Scholar
Hsiang, C., & Shih, W. K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(6), 1118–1123.CrossRefGoogle Scholar
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.CrossRefGoogle Scholar
Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.CrossRefGoogle Scholar
He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 70(1), 323–329.CrossRefGoogle Scholar
Pippal, R. S., Jaidhar, C. D., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications. doi:10.1007/s11277-013-1039-6.
Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Proceedings of advances in cryptology (pp. 388–397).Google Scholar
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.CrossRefMathSciNetGoogle Scholar
Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.Google Scholar