Vulnerabilities in a Two-Factor User Authentication in Multi-server Networks Protocol

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 299)


Multi-server authentication schemes allow users to register once with a registration center in order to get services offered by multiple servers. Many protocols for multi-server environments make use of a smart card, and most of them are vulnerable to a smart card loss attack, which allows adversaries to obtain sensitive information and carry out various efficient attacks. In this paper we focus on a smart-card-based multi-server authentication scheme that is claimed to withstand some of the usual attacks on this kind of protocol. Unfortunately, the authors do not provide a formal security analysis of the proposed protocol, and we show that it is vulnerable to online password guessing, impersonation attacks and, most importantly, session key disclosure.


Keywords: multi-server authentication, impersonation attacks, online password guessing, hash function





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Department of Computer Science, University of Bucharest, Bucharest, Romania
