Wireless Personal Communications, Volume 77, Issue 3, pp 2255–2269

Cryptanalysis and Improvement of a Robust Smart Card Authentication Scheme for Multi-server Architecture

  • Jianghong Wei
  • Wenfen Liu
  • Xuexian Hu


A multi-server authentication scheme enables a remote user to access the services provided by multiple servers after registering with the registration center. Recently, Pippal et al. (Wirel Pers Commun 2013, doi: 10.1007/s11277-013-1039-6) introduced a robust smart card authentication scheme for multi-server architecture. They also illustrated that their scheme could be free from potential network attacks, and validated the scheme by using BAN logic. In this paper, by presenting concrete attacks, we demonstrate that Pippal et al.’s scheme cannot withstand off-line password guessing attacks, impersonation attacks, and privileged insider attacks. Furthermore, to overcome these attacks, we propose an improved authentication scheme for multi-server architecture using smart card and password. Security and efficiency analysis indicates that our scheme not only achieves the intended security goals (e.g., two-factor authentication, perfect forward secrecy, etc.), but is also efficient enough to be implemented for practical applications.


Keywords: Smart card; Multi-server; Authentication scheme; Impersonation attacks; Off-line password guessing attacks



This research was supported by the National Basic Research Program of China under Grants 2012CB315905 and 2012CB315901.


  1. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.
  2. Liao, E., Lee, C. C., & Hwang, M. S. (2006). A password authentication scheme over insecure networks. Journal of Computer and System Science, 72(4), 727–740.
  3. Hwang, M., & Li, L. (2000). A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(1), 28–30.
  4. Lee, N. Y., & Chiu, Y. C. (2005). Improved remote authentication scheme with smart card. Computer Standards & Interfaces, 27(2), 177–180.
  5. Xu, J., Zhu, W. T., & Feng, D. G. (2009). An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 31(4), 723–728.
  6. Wang, R. C., Juang, W. S., & Lei, C. L. (2011). Provably secure and efficient identification and key agreement protocol with user anonymity. Journal of Computer and System Sciences, 77(4), 790–798.
  7. Chang, C. C., Le, H. D., & Chang, C. H. (2013). Novel untraceable authenticated key agreement protocol suitable for mobile communication. Wireless Personal Communications, 71(1), 425–437.
  8. Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
  9. Hsiang, C., & Shih, W. K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(6), 1118–1123.
  10. Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
  11. Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.
  12. He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 70(1), 323–329.
  13. Pippal, R. S., Jaidhar, C. D., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications. doi: 10.1007/s11277-013-1039-6.
  14. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Proceedings of advances in cryptology (pp. 388–397).
  15. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
  16. Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China
