Abstract
The growth of the Internet and telecommunication technology has facilitated remote access. During the last decade, numerous remote user authentication schemes based on dynamic ID have been proposed for the multi-server environment using smart cards. Recently, Shunmuganathan et al. pointed out that Li et al.’s scheme is defenseless in resisting the password guessing attack, stolen smart card attack and forgery attack. Furthermore, they showed the poor repairability and no two-factor security in Li et al.’s scheme. To surmount these security disadvantages, Shunmuganathan et al. proposed a remote user authentication scheme using smart card for multi-server environment and claimed that their scheme is secure and efficient. In this paper, we show that Shunmuganathan et al.’s scheme is also defenseless in resisting the password guessing attack, stolen smart card attack, user impersonation attack, forgery attack, forward secrecy and session key secrecy. Moreover, the two-factor security is also not preserved in their scheme. In our proposed scheme, a user is free to choose his/her login credentials such as user id and password. And also a user can regenerate the password any time. Simultaneously the proposed scheme preserves the merits of Shunmuganathan et al.’s scheme and also provides better functionality and security features, such as mutual authentication, session key agreement and perfect forward secrecy. The security analysis using the widely accepted Burrows–Abadi–Needham logic shows that the proposed scheme provides the mutual authentication proof between a user and a server. Through the rigorous formal and informal security analysis, we show that the proposed scheme is secure against possible known attacks. In addition, we carry out the simulation of the proposed scheme using the most-widely accepted and used Automated Validation of Internet Security Protocols and Applications tool and the simulation results clearly indicate that our scheme is secure.
Similar content being viewed by others
References
AVISPA. Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/. Accessed on January 2015.
Burrows, M., Abadi, M., & Needham, R. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 18–36.
Chang, C. C., & Lee, J. S. (2004). An efficient and secure multi-server password authentication scheme using smart cards. In International conference on cyberworlds (Cw 2004) (pp. 417–422) Tokyo.
Chatterjee, S., Roy, S., Das, A. K., Chattopadhyay, S., Kumar, N., & Vasilakos, A. V. (2016). Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment. IEEE Transactions on Dependable and Secure Computing,. doi:10.1109/TDSC.2016.2616876.
Damgård, I. B. (1990). A design principle for hash functions. In 9th Annual international cryptology conference (CRYPTO’89) (pp. 416–427) Santa Barbara.
Das, A. K. (2015). A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wireless Personal Communications, 82(3), 1377–1404.
Das, A. K. (2016). A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications, 9(1), 223–244.
Das, M. L., Saxena, A., & Gulati, V. P. (2004). A dynamic id-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2), 629–631.
Dolev, D., & Yao, C. A. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M., et al. (2008). On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme. In 28th Annual international cryptology conference (CRYPTO 2008), volume 5157 of lecture notes in computer science California, USA (pp. 203–220) Santa Barbara.
He, D., Chen, J., & Hu, J. (2012). An ID-based client authentication with key agreement protocol for mobile clientserver environment on ECC with provable security. Information Fusion, 13(3), 223–230.
Hsiang, H. C., & Shih, W. K. (2009). Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.
Hwang, M. S., & Li, L. H. (2000). A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(1), 28–30.
Juang, W. S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Juang, W. S., Chen, S. T., & Liaw, H. T. (2008). Robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics, 55(6), 2551–2556.
Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In 19th Annual international cryptology conference (CRYPTO’99). LNCS California (Vol. 1666, pp. 388–397) Santa Barbara.
Ku, W. C., & Chang, S. T. (2005). Impersonation attack on a dynamic id-based remote user authentication scheme using smart cards. IEICE Transactions on Communications, E88–B(5), 2165–2167.
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.
Lee, C. C., Lai, Y. M., & Li, C. T. (2012). An improved secure dynamic id based remote user authentication scheme for multi-server environment. International Journal of Security and Its Applications, 6(2), 203–209.
Lee, C. C., Lin, T. H., & Chang, R. X. (2011). A secure dynamic id based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Li, X., Ma, J., Wang, W., Xiong, Y., & Zhang, J. (2013). A novel smart card and dynamic id based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling, 58(1), 85–95.
Li, X., Niu, J., Kumari, S., Liao, J., & Liang, W. (2015). An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 80(1), 175–192.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
Liao, Y. P., & Wang, S. S. (2009). A secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(1), 24–29.
Lin, I. C., Hwang, M. S., & Li, L. H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
Mishra, D., Das, A. K., & Mukhopadhyay, S. (2014). A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications, 41(18), 8129–8143.
Mishra, D., Das, A. K., & Mukhopadhyay, S. (2016). A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card. Peer-to-Peer Networking and Applications, 9(1), 171–192.
Odelu, V., Das, A. K., & Goswami, A. (2015). DMAMA: Dynamic migration access control mechanism for mobile agents in distributed networks. Wireless Personal Communications, 84(1), 207–230.
Odelu, V., Das, A. K., & Goswami, A. (2015). An effective and robust secure remote user authenticated key agreement scheme using smart cards in wireless communication systems. Wireless Personal Communications, 84(4), 2571–2598.
Odelu, V., Das, A. K., & Goswami, A. (2015). A secure and scalable group access control scheme for wireless sensor networks. Wireless Personal Communications, 85(4), 1765–1788.
Odelu, V., Das, A. K., & Goswami, A. (2015). A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security, 10(9), 1953–1966.
Odelu, V., Das, A. K., & Goswami, A. (2016). SEAP: Secure and efficient authentication protocol for NFC applications using pseudonyms. IEEE Transactions on Consumer Electronics, 62(1), 30–38.
Odelu, V., Das, A. K., Wazid, M., & Conti, M. (2016). Provably secure authenticated key agreement scheme for smart grid. IEEE Transactions on Smart Grid,. doi:10.1109/TSG.2016.2602282.
Reddy, A. G., Das, A. K., Yoon, E.-J., & Yoo, K.-Y. (2016). A secure anonymous authentication protocol for mobile services on elliptic curve cryptography. IEEE Access, 4, 4394–4407.
Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security, 13(4), 33.
Secure hash standard. (1995). FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2. Accessed on January 2015.
Shunmuganathan, S., Saravanan, R. D., & Palanichamy, Y. (2015). Secure and efficient smart-card-based remote user authentication scheme for multiserver environment. Canadian Journal of Electrical and Computer Engineering, 38(1), 20–30.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Stallings, W. (2006). Cryptography and network security: Principles and practice, 5/E. Upper Saddle River, NJ: Prentice Hall Press.
Stinson, D. R. (2006). Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography, 38(2), 259–277.
Sun, H. M. (2000). An efficient remote use authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4), 958–961.
Tsai, J. L. (2008). Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers and Security, 27(3), 115–121.
Tsaur, W. J., Wu, C. C., & Lee, W. B. (2004). A smart card-based remote scheme for password authentication in multi-server internet services. Computer Standards and Interfaces, 27(1), 39–51.
von Oheimb, D. (2005). The high-level protocol specification language hlpsl developed in the eu project avispa. In Proceedings of APPSEM 2005 workshop (pp. 1–17) Frauenchiemsee.
Wang, D., He, D., Wang, P., & Chu, C.-H. (2015). Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Transactions on Dependable and Secure Computing, 12(4), 428–442.
Xue, K., Hong, P., & Ma, C. (2014). A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences, 80(1), 195–206.
Yang, W. H., & Shieh, S. P. (1999). Password authentication schemes with smart cards. Computers and Security, 18(8), 727–733.
Zhao, D., Peng, H., Li, S., & Yang, Y. (2013). An efficient dynamic id based remote user authentication scheme using self-certified public keys for multi-server environment. arXiv:1305.6350.
Acknowledgements
The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor of this Journal, which have improve the content and presentation of the paper.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Jangirala, S., Mukhopadhyay, S. & Das, A.K. A Multi-server Environment with Secure and Efficient Remote User Authentication Scheme Based on Dynamic ID Using Smart Cards. Wireless Pers Commun 95, 2735–2767 (2017). https://doi.org/10.1007/s11277-017-3956-2
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-017-3956-2