A Reliable Lightweight Two Factor Mutual Authenticated Session Key Agreement Protocol for Multi-Server Environment

Wireless Personal Communications

Abstract

Today's hyper-connected digital environment makes two-way authentication and secure key agreement a fundamental requirement for a secure connection. The research community has proposed many two-way authentication and secure key agreement schemes for remote access environments. Some schemes are built specifically for a multi-server environment, where an individual user can authenticate to multiple servers through a single registration. These multi-server, single-registration authentication schemes are not as secure as those available for a single-server environment. Recently, Sahoo et al. proposed “an improved and secure two-factor dynamic identity based authenticated key agreement scheme for multi-server environment” and declared it perfectly secure. Our vulnerability analysis of Sahoo et al.’s scheme demonstrates the possibility of a smart-card attack and a forgery attack. In addition, we find that their scheme fails to provide perfect two-factor security, complete two-way authentication, and good repairability. We propose a new lightweight two-factor secure multi-server session key agreement scheme based on two-way authentication. The strength of the scheme is proven through three forms of security analysis: informal proof through cryptanalysis, reduction-based proof using Burrows, Abadi, and Needham logic, and formal proof using cryptographic protocol verification tools. The tool-based analysis uses two different tools, Automated Validation of Internet Security Protocols and Applications (AVISPA) and Scyther, in order to affirm the security analysis of our proposed scheme.

References

  1. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.

  2. Netop–VPN Survey, Deployed to Spiceworks Voice of IT panel, February 2014. https://fdocuments.in/document/netop-vpn-survey-final-report.html

  3. Wang, D., & Wang, P. (2016). Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Transactions on Dependable and Secure Computing, 15(4), 708–722.

  4. Wang, D., Zhang, X., Zhang, Z., & Wang, P. (2020). Understanding security failures of multi-factor authentication schemes for multi-server environments. Computers & Security.

  5. Tsaur, W. J. (2001). A flexible user authentication scheme for multi-server internet services. In International conference on networking (pp. 174–183). Springer, Berlin, Heidelberg.

  6. Lin, I. C., Hwang, M. S., & Li, L. H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.

  7. Tsai, J. L. (2008). Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers and Security, 27(3–4), 115–121.

  8. Liao, Y. P., & Wang, S. S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(1), 24–29.

  9. Bogdanov, A., & Kizhvatov, I. (2011). Beyond the limits of DPA: Combined side-channel collision attacks. IEEE Transactions on Computers, 61(8), 1153–1164.

  10. Kasper, T., Oswald, D., & Paar, C. (2011). Side-channel analysis of cryptographic RFIDs with analog demodulation. International workshop on radio frequency identification: Security and privacy issues (pp. 61–77). Springer.

  11. Kim, T. H., Kim, C., & Park, I. (2012). Side channel analysis attacks using AM demodulation on commercial smart cards with SEED. Journal of Systems and Software, 85(12), 2899–2908.

  12. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. Annual International Cryptology Conference (pp. 388–439). Springer.

  13. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.

  14. Mangard, S., Oswald, E., & Popp, T. (2008). Power analysis attacks: Revealing the secrets of smart cards. Springer.

  15. Hsiang, H. C., & Shih, W. K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.

  16. Chuang, M. C., & Chen, M. C. (2014). An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications, 41(4), 1411–1418.

  17. Wang, Y. C., Juang, W. S., & Lei, C. L. (2009). User authentication scheme with privacy-preservation for multi-server environment. IEEE Communications Letters, 13(2), 157–159.

  18. Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.

  19. Shao, M. H., & Chin, Y. C. (2010). A novel approach to dynamic id-based remote user authentication scheme for multi-server environment. In 2010 Fourth international conference on network and system security (pp. 548–553).

  20. Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.

  21. Li, X., Ma, J., Wang, W., Xiong, Y., & Zhang, J. (2013). A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling, 58(1–2), 85–95.

  22. Lee, C. C., Lai, Y. M., & Li, C. T. (2012). An improved secure dynamic ID based remote user authentication scheme for multi-server environment. International Journal of Security and Its Applications, 6(2), 203–209.

  23. Zhao, D., Peng, H., Li, S., & Yang, Y. (2013). An efficient dynamic ID based remote user authentication scheme using self-certified public keys for multi-server environment. arXiv preprint arXiv:1305.6350.

  24. Shunmuganathan, S., Saravanan, R. D., & Palanichamy, Y. (2015). Secure and efficient smart-card-based remote user authentication scheme for multiserver environment. Canadian Journal of Electrical and Computer Engineering, 38(1), 20–30. https://doi.org/10.1109/cjece.2014.2344447

  25. Banerjee, S., Dutta, M. P., & Bhunia, C. T. (2015). An improved smart card based anonymous multi-server remote user authentication scheme. International Journal of Smart Home, 9(5), 11–22.

  26. Braeken, A. (2015). Efficient anonym smart card based authentication scheme for multi-server architecture. International Journal of Smart Home, 9(9), 177–184.

  27. Jangirala, S., Mukhopadhyay, S., & Das, A. K. (2017). A multi-server environment with secure and efficient remote user authentication scheme based on dynamic ID using smart cards. Wireless Personal Communications, 95(3), 2735–2767.

  28. Sahoo, S. S., Mohanty, S., & Majhi, B. (2018). An improved and secure two-factor dynamic id based authenticated key agreement scheme for multiserver environment. Wireless Personal Communications, 101(3), 1307–1333.

  29. Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. Proceedings of the Royal Society of London, Mathematical and Physical Sciences, 426(1871), 233–271.

  30. Automated Validation of Internet Security Protocols and Applications (AVISPA) Tool. avispa-project.org/download.html

  31. Carrie Meadows. (2002). Advice on Writing an Internet Draft Amenable to Security Analysis.

  32. Cas Cremers. (2014). Scyther User Manual.

Funding

The author did not receive support from any organization for the submitted work.

Author information

Contributions

The complete work is the author’s own contribution.

Corresponding author

Correspondence to Saraswathi Shunmuganathan.

Ethics declarations

Conflict of interest

The author does not have conflicts of interest to declare that are relevant to the content of this article.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Shunmuganathan, S. A Reliable Lightweight Two Factor Mutual Authenticated Session Key Agreement Protocol for Multi-Server Environment. Wireless Pers Commun 121, 2789–2822 (2021). https://doi.org/10.1007/s11277-021-08850-0

  • DOI: https://doi.org/10.1007/s11277-021-08850-0
