Abstract
Authenticated key agreement protocols play an important role in ensuring authorized and secure communication over public networks. In recent years, several authentication protocols have been proposed for the single-server environment. Most of these protocols present efficient and secure solutions for the single-server environment. However, adopting these protocols in a multi-server environment is not feasible, as users have to register on each server separately. In contrast, multi-server authentication schemes require a single registration. The one-time registration mechanism makes the system user-friendly and supports interoperability. Unfortunately, most of the existing multi-server authentication schemes require all servers to be trusted, the involvement of a central authority in mutual authentication, or multiple secret keys. In general, a server may be semi-trusted, so considering all servers to be trusted does not seem to be a realistic scenario. Involvement of a central authority in mutual authentication may create a bottleneck in a large network. Also, computation of multiple secret keys may not be suitable for a smart card based environment, as a smart card has limited storage space. To overcome these drawbacks, we aim to design an authentication scheme for the multi-server environment in which the servers need not all be trusted, a central authority is not required in mutual authentication, and the smart card need not store multiple secret keys. In this paper, we first analyze the security of Yeh’s recently proposed smart card based multi-server authentication scheme (Yeh in Wirel Pers Commun 79(3):1621–1634, 2014). We show that Yeh’s scheme does not resist the off-line password guessing attack, insider attack and user impersonation attack. Furthermore, we propose an efficient multi-server authentication scheme which does not require all servers to be trusted, no longer needs a central authority in authentication, and does not require the smart card to store multiple secret keys.
We prove the correctness of mutual authentication of our scheme using the widely accepted BAN logic. Through the security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Yeh’s scheme. In addition, the proposed scheme is comparable to related schemes in terms of communication and computational overheads.


References
Mishra, D. (2015). On the security flaws in ID-based password authentication schemes for telecare medical information systems. Journal of Medical Systems, 39(1), 1–16.
Mishra, D., & Mukhopadhyay, S. (2014). Cryptanalysis of Yang et al.’s digital rights management authentication scheme based on smart card. Recent Trends in Computer Networks and Distributed Systems Security, 420, 288–297.
Ojanperä, T., & Mononen, R. (2002). Security and authentication in the mobile world. Wireless Personal Communications, 22(2), 229–235.
He, D., Zhang, Y., & Chen, J. (2014). Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications, 74(2), 229–243.
He, D., & Zeadally, S. (2015). Authentication protocol for an ambient assisted living system. IEEE Communications Magazine, 53(1), 71–77.
Mishra, D., Chaturvedi, A., & Mukhopadhyay, S. (2015). An improved biometric-based remote user authentication scheme for connected healthcare. International Journal of Ad Hoc and Ubiquitous Computing, 18(1–2), 75–84.
He, D., Kumar, N., & Chilamkurti, N. (2015). A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences. doi:10.1016/j.ins.2015.02.010.
Shen, J., Tan, H., Wang, J., Wang, J., & Lee, S. (2015). A novel routing protocol providing good transmission reliability in underwater sensor networks. Journal of Internet Technology, 16(1), 171–178.
Chaturvedi, A., Mishra, D., & Mukhopadhyay, S. (2013). Improved biometric-based three-factor remote user authentication scheme with key agreement using smart card. In Information systems security (pp. 63–77). Springer.
Moon, J. S., Park, J. H., Lee, D. G., & Lee, I.-Y. (2010). Authentication and ID-based key management protocol in pervasive environment. Wireless Personal Communications, 55(1), 91–103.
Guo, P., Wang, J., Geng, X. H., Kim, C. S., & Kim, J.-U. (2014). A variable threshold-value authentication architecture for wireless mesh networks. Journal of Internet Technology, 15(6), 929–936.
Li, X., Ma, J., Wang, W., Xiong, Y., & Zhang, J. (2013). A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling, 58(1), 85–95.
Li, L.-H., Lin, L.-C., & Hwang, M.-S. (2001). A remote password authentication scheme for multiserver architecture using neural networks. IEEE Transactions on Neural Networks, 12(6), 1498–1504.
Lin, I.-C., Hwang, M.-S., & Li, L.-H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.
Cao, X., & Zhong, S. (2006). Breaking a remote user authentication scheme for multi-server architecture. IEEE Communications Letters, 10(8), 580–581.
Juang, W.-S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Chang, C.-C., & Lee, J.-S. (2004). An efficient and secure multi-server password authentication scheme using smart cards. In 2004 international conference on cyberworlds, IEEE (pp. 417–422).
Tsai, J.-L. (2008). Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers and Security, 27(3), 115–121.
Chen, Y., Huang, C.-H., & Chou, J.-S. (2008). Comments on two multi-server authentication protocols. IACR Cryptology ePrint Archive, 2008, 544.
Tsaur, W.-J., Li, J.-H., & Lee, W.-B. (2012). An efficient and secure multi-server authentication scheme with key agreement. Journal of Systems and Software, 85(4), 876–882.
Chou, J.-S., Chen, Y., Huang, C.-H., & Huang, Y.-S. (2012). Comments on four multi-server authentication protocols using smart card. IACR Cryptology ePrint Archive, 2012, 406.
Liao, Y.-P., & Wang, S.-S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(1), 24–29.
Chen, T.-Y., Hwang, M.-S., Lee, C.-C., & Jan, J.-K. (2009). Cryptanalysis of a secure dynamic id based remote user authentication scheme for multi-server environment. In 2009 fourth international conference on innovative computing, information and control (ICICIC), IEEE (pp. 725–728).
Hsiang, H.-C., & Shih, W.-K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.
Lee, C.-C., Lin, T.-H., & Chang, R.-X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Truong, T.-T., Tran, M.-T., & Duong, A.-D. (2013). Robust secure dynamic id based remote user authentication scheme for multi-server environment. In Computational science and its applications–ICCSA 2013 (pp. 502–515). Springer.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
He, D., & Wang, D. (2015). Robust biometrics-based authentication scheme for multiserver environment. IEEE System Journal, 9(3), 816–823. doi:10.1109/JSYST.2014.2301517.
Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.
He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 70(1), 323–329.
Pippal, R. S., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 72(1), 729–745.
He, D., Chen, J., Shi, W., & Khan, M. K. (2013). On the security of an authentication scheme for multi-server architecture. International Journal of Electronic Security and Digital Forensics, 5(3), 288–296.
Yeh, K.-H. (2014). A provably secure multi-server based authentication scheme. Wireless Personal Communications, 79(3), 1621–1634.
Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. Proceedings of the Royal Society of London A: Mathematical and Physical Sciences, 426(1871), 233–271.
Syverson, P., & Cervesato, I. (2001). The logic of authentication protocols. In Foundations of security analysis and design (pp. 63–137). Springer.
Boyd, C., & Mao, W. (1994). On a limitation of BAN logic. In Advances in cryptology (EUROCRYPT’93) (pp. 240–247). Springer.
Bellare, M., Canetti, R., & Krawczyk, H. (1996). Keying hash functions for message authentication. In Advances in cryptology (CRYPTO’96) (pp. 1–15). Springer.
Bellare, M., & Rogaway, P. (1997). Collision-resistant hashing: Towards making UOWHFs practical. In Advances in cryptology (CRYPTO’97) (pp. 470–484). Springer.
Koblitz, N. (1987). Elliptic curve cryptosystems. Mathematics of Computation, 48(177), 203–209.
Miller, V. S. (1986). Use of elliptic curves in cryptography. In Advances in cryptology (CRYPTO’85) proceedings (pp. 417–426). Springer.
Boyd, C., & Mathuria, A. (2003). Protocols for authentication and key establishment. Berlin: Springer.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. T. M. (2008). On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In Advances in cryptology (CRYPTO 2008) (pp. 203–220). Springer.
Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology-CRYPTO’99 (pp. 388–397). Springer.
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
Aumasson, J. P., Henzen, L., Meier, W., & Plasencia, M. N. (2010). Quark: A lightweight hash. In Proceedings of workshop on cryptographic hardware and embedded systems (CHES 2010), lecture notes in computer science (Vol. 6225, pp. 1–15). Springer.
Das, A. K., Massand, A., & Patil, S. (2013). A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University: Computer and Information Sciences, 25(2), 219–228.
Abdalla, M., & Pointcheval, D. (2005). Interactive Diffie–Hellman assumptions with applications to password-based authentication. In Financial cryptography and data security (pp. 341–356). Springer.
Islam, S. H. (2014). Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Nonlinear Dynamics, 78(3), 2261–2276.
Secure Hash Standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), US Department of Commerce, April 1995. Accessed November 2010.
Cite this article
Mishra, D. Design and Analysis of a Provably Secure Multi-server Authentication Scheme. Wireless Pers Commun 86, 1095–1119 (2016). https://doi.org/10.1007/s11277-015-2975-0
DOI: https://doi.org/10.1007/s11277-015-2975-0