Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment

  • Conference paper
Security with Intelligent Computing and Big-data Services (SICBS 2018)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 895)

Abstract

Cryptanalyzing the security weaknesses of authentication protocols is extremely important for proposing countermeasures and developing a truly secure protocol. Over the last few years, many three factor-based authentication schemes with key agreement have been proposed for the multi-server environment. In 2017, Ali and Pal developed a three-factor authentication scheme for the multi-server environment using elliptic curve cryptography (ECC) to remedy the security flaws in Li et al.’s scheme and claimed that their improved version can withstand passive and active attacks. In this paper, we prove that Ali-Pal’s scheme is subject to an offline password guessing attack, a replay attack, and a known session-specific temporary information (KSSTI) attack. In the same year, Feng et al. examined Kumari et al.’s biometrics-based authentication scheme for the multi-server environment and found that the scheme was vulnerable to several attacks. To fix these weaknesses, Feng et al. proposed an enhanced three-factor authentication scheme with key distribution for the mobile multi-server environment and claimed that their scheme can satisfy the security and functional requirements. However, we show that Feng et al.’s scheme fails to resist an offline password guessing attack and suffers from a replay attack. In addition to pointing out the security defects, we put forward countermeasures to eliminate the security risks and secure the three factor-based authentication schemes for the multi-server environment.

References

  1. Liao, Y.P., Wang, S.S.: A secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stan. Interfaces 31, 24–29 (2009)

  2. Liao, Y.P., Wang, S.S.: Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stan. Interfaces 31, 1118–1123 (2009)

  3. Sood, S.K., Sarje, A.K., Singh, K.: A secure dynamic identity based authentication protocol for multi-server architecture. J. Network Comput. Appl. 34, 609–618 (2011)

  4. Li, X., Xiong, Y., Ma, J., Wang, W.: An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Network Comput. Appl. 35, 763–769 (2012)

  5. Han, W.: Weaknesses of a dynamic identity based authentication protocol for multi-server architecture. arXiv preprint arXiv:1201.0883 (2012)

  6. Xue, K., Hong, P., Ma, C.: A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. 80, 195–206 (2014)

  7. Wang, D., Ma, C.-g., Gu, D.-l., Cui, Z.-s.: Cryptanalysis of two dynamic id-based remote user authentication schemes for multi-server architecture. In: International Conference on Network and System Security, pp. 462–475. Springer (2012)

  8. Xie, Q., Wong, D.S., Wang, G., Tan, X., Chen, K., Fang, L.: Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans. Inf. Forensics Secur. 12, 1382–1392 (2017)

  9. Chuang, M.-C., Chen, M.C.: An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst. Appl. 41, 1411–1418 (2014)

  10. Li, C.-T., Hwang, M.-S.: An efficient biometrics-based remote user authentication scheme using smart cards. J. Network Comput. Appl. 33, 1–5 (2010)

  11. Yang, D., Yang, B.: A biometric password-based multi-server authentication scheme with smart card. In: 2010 International Conference on Computer Design and Applications (ICCDA), pp. V5-554–V555-559. IEEE (2010)

  12. Yoon, E.-J., Yoo, K.-Y.: Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J. Supercomput. 63, 235–255 (2013)

  13. He, D.: Security flaws in a biometrics-based multi-server authentication with key agreement scheme. IACR Cryptology ePrint Archive 2011, 365 (2011)

  14. Kim, H., Jeon, W., Lee, K., Lee, Y., Won, D.: Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In: International Conference on Computational Science and Its Applications, pp. 391–406. Springer (2012)

  15. Mishra, D., Das, A.K., Mukhopadhyay, S.: A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst. Appl. 41, 8129–8143 (2014)

  16. Lin, H., Wen, F., Du, C.: An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wireless Pers. Commun. 84, 2351–2362 (2015)

  17. Lu, Y., Li, L., Yang, X., Yang, Y.: Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 10, e0126323 (2015)

  18. Wang, C., Zhang, X., Zheng, Z.: Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS ONE 11, e0149173 (2016)

  19. He, D., Wang, D.: Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst. J. 9, 816–823 (2015)

  20. Jiang, P., Wen, Q., Li, W., Jin, Z., Zhang, H.: An anonymous and efficient remote biometrics user authentication scheme in a multi server environment. Frontiers Comput. Sci. 9, 142–156 (2015)

  21. Odelu, V., Das, A.K., Goswami, A.: A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans. Inf. Forensics Secur. 10, 1953–1966 (2015)

  22. Reddy, A.G., Yoon, E.-J., Das, A.K., Odelu, V., Yoo, K.-Y.: Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment. IEEE Access 5, 3622–3639 (2017)

  23. Ali, R., Pal, A.K.: An efficient three factor-based authentication scheme in multiserver environment using ECC. Int. J. Commun Syst 31, e3484 (2017)

  24. Feng, Q., He, D., Zeadally, S., Wang, H.: Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment. Future Gener. Comput. Syst. 84, 239–251 (2017)

  25. Pippal, R.S., Jaidhar, C., Tapaswi, S.: Robust smart card authentication scheme for multi-server architecture. Wireless Pers. Commun. 72, 729–745 (2013)

  26. Wei, J., Liu, W., Hu, X.: Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture. Wireless Pers. Commun. 77, 2255–2269 (2014)

  27. Guo, D., Wen, F.: Analysis and improvement of a robust smart card based-authentication scheme for multi-server architecture. Wireless Pers. Commun. 78, 475–490 (2014)

  28. Ali, R., Pal, A.K.: Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment. Arab. J. Sci. Eng. 42, 3655–3672 (2017)

  29. Li, X., Niu, J., Kumari, S., Liao, J., Liang, W.: An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Pers. Commun. 80, 175–192 (2015)

  30. Kumari, S., Li, X., Wu, F., Das, A.K., Choo, K.-K.R., Shen, J.: Design of a provably secure biometrics-based multi-cloud-server authentication scheme. Future Gener. Comput. Syst. 68, 320–330 (2017)

  31. Wang, D., He, D., Wang, P., Chu, C.-H.: Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Dependable Secure Comput. 1 (2015)

  32. Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secure Comput. (2016)

  33. Wang, D., Gu, Q., Cheng, H., Wang, P.: The request for better measurement: a comparative evaluation of two-factor authentication schemes. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 475–486. ACM (2016)

  34. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Annual International Cryptology Conference, pp. 388–397. Springer (1999)

  35. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51, 541–552 (2002)

  36. Islam, S.H.: Design and analysis of an improved smartcard-based remote user password authentication scheme. Int. J. Commun Syst 29, 1708–1719 (2016)

  37. Wang, D., Wang, P.: Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw. 20, 1–15 (2014)

  38. Ma, C.G., Wang, D., Zhao, S.D.: Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun Syst 27, 2215–2227 (2014)

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China (Project No. 61672007), Science and Technology Innovation Guidance Project 2017 (Project No. 201704030605).

Author information

Correspondence to Jiaqing Mo.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Mo, J., Chen, H., Shen, W. (2020). Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment. In: Yang, CN., Peng, SL., Jain, L. (eds) Security with Intelligent Computing and Big-data Services. SICBS 2018. Advances in Intelligent Systems and Computing, vol 895. Springer, Cham. https://doi.org/10.1007/978-3-030-16946-6_36
