Abstract
With the rapid growth of electronic commerce and the demand for a variety of Internet-based applications, systems that provide resources and business services often consist of many servers around the world. A variety of authentication schemes have been published to achieve remote user authentication in multi-server communication environments. Recently, Pippal et al. proposed a multi-server authentication protocol aimed at system security and computational efficiency. Nevertheless, our analysis shows that their scheme is insecure against user impersonation, server counterfeit, and man-in-the-middle attacks. In this study, we first demonstrate how an adversary can mount these attacks. We then develop a security-enhanced authentication protocol that eliminates all identified weaknesses. The proposed protocol also achieves the same order of computational complexity as Pippal et al.’s protocol.
References
Bellare, M., Pointcheval, D., & Rogaway, P. (2000). Authenticated key exchange secure against dictionary attacks. In Proceedings of EUROCRYPT (Vol. 1807, pp. 140–156). LNCS 2000.
Bellare, M., & Rogaway, P. (1993). Entity authentication and key distribution. In Proceedings of CRYPTO (Vol. 773, pp. 232–249). LNCS.
Blake-Wilson, S., Johnson, D., & Menezes, A. (1997). Key agreement protocols and their security analysis. In Proceedings of the 6th IMA international conference on cryptography and coding (Vol. 1355, pp. 30–45). LNCS.
Chang, C. C., & Lee, J. S. (2004). An efficient and secure multi-server password authentication scheme using smart card. In Proceedings of international conference on cyberworlds (pp. 417–422).
Chang, C. C., & Lee, C. Y. (2012). A secure single sign-on mechanism for distributed computer networks. IEEE Transactions on Industrial Electronics, 59(1), 629–637.
Chen, B. L., Kuo, W. C., & Wu, L. C. (2012). Cryptanalysis of Sood et al.’s dynamic identity based authentication protocol for multi-server architecture. International Journal of Digital Content Technology and its Applications (JDCTA), 6(4), 180–187.
He, D., & Wu, S. (2012). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications. doi:10.1007/s11277-012-0696-1.
Hsiang, C., & Shih, W. K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(6), 1118–1123.
Juang, W. S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Ku, W. C., Chuang, H. M., Chiang, M. H., & Chang, K. T. (2005). Weaknesses of a multi-server password authenticated key agreement scheme. In Proceedings of 2005 national computer symposium (pp. 1–5).
Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
Liao, Y. P., & Wang, S. S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(1), 24–29.
Pippal, R. S., Jaidhar, C. D., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications. doi:10.1007/s11277-013-1039-6.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Tsai, J.-L., Lo, N.-W., & Wu, T.-C. (2012). A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications. doi:10.1007/s11277-012-0918-6.
Wang, B., & Ma, M. (2012). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications. doi:10.1007/s11277-011-0456-7.
Yeh, K.-H., Lo, N. W., Hsiang, T.-R., Wei, Y.-C., & Hsieh, H.-Y. (2013). Chaos between password-based authentication protocol and dictionary attacks. Advanced Science Letters, 19(3), 1048–1051(4).
Additional information
The author gratefully acknowledges the support from Taiwan Information Security Center (TWISC) and Ministry of Science and Technology, Taiwan, under the Grants Numbers MOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2.
Cite this article
Yeh, KH. A Provably Secure Multi-server Based Authentication Scheme. Wireless Pers Commun 79, 1621–1634 (2014). https://doi.org/10.1007/s11277-014-1948-z
DOI: https://doi.org/10.1007/s11277-014-1948-z