Design and Analysis of a Provably Secure Multi-server Authentication Scheme

Wireless Personal Communications

Abstract

Authenticated key agreement protocols play an important role in ensuring authorized and secure communication over public networks. In recent years, several authentication protocols have been proposed for the single-server environment. Most of these protocols present efficient and secure solutions for the single-server environment. However, adopting these protocols in a multi-server environment is not feasible, as users have to register on each server separately. In contrast, multi-server authentication schemes require a single registration. The one-time registration mechanism makes the system user-friendly and supports interoperability. Unfortunately, most of the existing multi-server authentication schemes require all servers to be trusted, the involvement of a central authority in mutual authentication, or multiple secret keys. In general, a server may be semi-trusted, so considering all servers to be trusted does not seem to be a realistic scenario. Involvement of a central authority in mutual authentication may create a bottleneck in a large network. Also, computation of multiple secret keys may not be suitable for a smart card based environment, as a smart card has limited storage space. To overcome these drawbacks, we aim to design an authentication scheme for the multi-server environment in which the servers need not all be trusted, the central authority is not required in mutual authentication, and the smart card need not store multiple secret keys. In this paper, we first analyze the security of Yeh’s recently proposed smart card based multi-server authentication scheme (Yeh in Wirel Pers Commun 79(3):1621–1634, 2014). We show that Yeh’s scheme does not resist the off-line password guessing attack, insider attack and user impersonation attack. Furthermore, we propose an efficient multi-server authentication scheme which does not require all servers to be trusted, no longer needs the central authority in authentication, and does not require the smart card to store multiple secret keys. We prove the correctness of mutual authentication of our scheme using the widely accepted BAN logic. Through the security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Yeh’s scheme. In addition, the proposed scheme is comparable to related schemes in terms of communication and computational overheads.

References

  1. Mishra, D. (2015). On the security flaws in ID-based password authentication schemes for telecare medical information systems. Journal of Medical Systems, 39(1), 1–16.

  2. Mishra, D., & Mukhopadhyay, S. (2014). Cryptanalysis of Yang et al.’s digital rights management authentication scheme based on smart card. Recent Trends in Computer Networks and Distributed Systems Security, 420, 288–297.

  3. Ojanperä, T., & Mononen, R. (2002). Security and authentication in the mobile world. Wireless Personal Communications, 22(2), 229–235.

  4. He, D., Zhang, Y., & Chen, J. (2014). Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications, 74(2), 229–243.

  5. He, D., & Zeadally, S. (2015). Authentication protocol for an ambient assisted living system. IEEE Communications Magazine, 53(1), 71–77.

  6. Mishra, D., Chaturvedi, A., & Mukhopadhyay, S. (2015). An improved biometric-based remote user authentication scheme for connected healthcare. International Journal of Ad Hoc and Ubiquitous Computing, 18(1–2), 75–84.

  7. He, D., Kumar, N., & Chilamkurti, N. (2015). A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences. doi:10.1016/j.ins.2015.02.010.

  8. Shen, J., Tan, H., Wang, J., Wang, J., & Lee, S. (2015). A novel routing protocol providing good transmission reliability in underwater sensor networks. Journal of Internet Technology, 16(1), 171–178.

  9. Chaturvedi, A., Mishra, D., & Mukhopadhyay, S. (2013). Improved biometric-based three-factor remote user authentication scheme with key agreement using smart card. In Information systems security (pp. 63–77). Springer.

  10. Moon, J. S., Park, J. H., Lee, D. G., & Lee, I.-Y. (2010). Authentication and ID-based key management protocol in pervasive environment. Wireless Personal Communications, 55(1), 91–103.

  11. Guo, P., Wang, J., Geng, X. H., Kim, C. S., & Kim, J.-U. (2014). A variable threshold-value authentication architecture for wireless mesh networks. Journal of Internet Technology, 15(6), 929–936.

  12. Li, X., Ma, J., Wang, W., Xiong, Y., & Zhang, J. (2013). A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling, 58(1), 85–95.

  13. Li, L.-H., Lin, L.-C., & Hwang, M.-S. (2001). A remote password authentication scheme for multiserver architecture using neural networks. IEEE Transactions on Neural Networks, 12(6), 1498–1504.

  14. Lin, I.-C., Hwang, M.-S., & Li, L.-H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.

  15. Cao, X., & Zhong, S. (2006). Breaking a remote user authentication scheme for multi-server architecture. IEEE Communications Letters, 10(8), 580–581.

  16. Juang, W.-S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.

  17. Chang, C.-C., & Lee, J.-S. (2004). An efficient and secure multi-server password authentication scheme using smart cards. In 2004 international conference on cyberworlds, IEEE (pp. 417–422).

  18. Tsai, J.-L. (2008). Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers and Security, 27(3), 115–121.

  19. Chen, Y., Huang, C.-H., & Chou, J.-S. (2008). Comments on two multi-server authentication protocols. IACR Cryptology ePrint Archive, 2008, 544.

  20. Tsaur, W.-J., Li, J.-H., & Lee, W.-B. (2012). An efficient and secure multi-server authentication scheme with key agreement. Journal of Systems and Software, 85(4), 876–882.

  21. Chou, J.-S., Chen, Y., Huang, C.-H., & Huang, Y.-S. (2012). Comments on four multi-server authentication protocols using smart card. IACR Cryptology ePrint Archive, 2012, 406.

  22. Liao, Y.-P., & Wang, S.-S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(1), 24–29.

  23. Chen, T.-Y., Hwang, M.-S., Lee, C.-C., & Jan, J.-K. (2009). Cryptanalysis of a secure dynamic id based remote user authentication scheme for multi-server environment. In 2009 fourth international conference on innovative computing, information and control (ICICIC), IEEE (pp. 725–728).

  24. Hsiang, H.-C., & Shih, W.-K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.

  25. Lee, C.-C., Lin, T.-H., & Chang, R.-X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.

  26. Truong, T.-T., Tran, M.-T., & Duong, A.-D. (2013). Robust secure dynamic id based remote user authentication scheme for multi-server environment. In Computational science and its applications–ICCSA 2013 (pp. 502–515). Springer.

  27. Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.

  28. Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.

  29. He, D., & Wang, D. (2015). Robust biometrics-based authentication scheme for multiserver environment. IEEE System Journal, 9(3), 816–823. doi:10.1109/JSYST.2014.2301517.

  30. Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.

  31. He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 70(1), 323–329.

  32. Pippal, R. S., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 72(1), 729–745.

  33. He, D., Chen, J., Shi, W., & Khan, M. K. (2013). On the security of an authentication scheme for multi-server architecture. International Journal of Electronic Security and Digital Forensics, 5(3), 288–296.

  34. Yeh, K.-H. (2014). A provably secure multi-server based authentication scheme. Wireless Personal Communications, 79(3), 1621–1634.

  35. Burrows, M., Abadi, M., & Needham, R. M. (1989). A logic of authentication. Proceedings of the Royal Society of London A: Mathematical and Physical Sciences, 426(1871), 233–271.

  36. Syverson, P., & Cervesato, I. (2001). The logic of authentication protocols. In Foundations of security analysis and design (pp. 63–137). Springer.

  37. Boyd, C., & Mao, W. (1994). On a limitation of BAN logic. In Advances in cryptology-EUROCRYPT’93 (pp. 240–247). Springer.

  38. Bellare, M., Canetti, R., & Krawczyk, H. (1996). Keying hash functions for message authentication. In Advances in cryptology (CRYPTO’96) (pp. 1–15). Springer.

  39. Bellare, M., & Rogaway, P. (1997). Collision-resistant hashing: Towards making UOWHFs practical. In Advances in cryptology (CRYPTO’97) (pp. 470–484). Springer.

  40. Koblitz, N. (1987). Elliptic curve cryptosystems. Mathematics of Computation, 48(177), 203–209.

  41. Miller, V. S. (1986). Use of elliptic curves in cryptography. In Advances in cryptology-CRYPTO’85 proceedings (pp. 417–426). Springer.

  42. Boyd, C., & Mathuria, A. (2003). Protocols for authentication and key establishment. Berlin: Springer.

  43. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. T. M. (2008). On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In Advances in cryptology-CRYPTO 2008 (pp. 203–220). Springer.

  44. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology-CRYPTO’99 (pp. 388–397). Springer.

  45. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.

  46. Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.

  47. Aumasson, J. P., Henzen, L., Meier, W., & Plasencia, M. N. (2010). Quark: A lightweight hash. In Proceedings of workshop on cryptographic hardware and embedded systems (CHES 2010), lecture notes in computer science (Vol. 6225, pp. 1–15). Springer.

  48. Das, A. K., Massand, A., & Patil, S. (2013). A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University: Computer and Information Sciences, 25(2), 219–228.

  49. Abdalla, M., & Pointcheval, D. (2005). Interactive Diffie–Hellman assumptions with applications to password-based authentication. In Financial cryptography and data security (pp. 341–356). Springer.

  50. Islam, S. H. (2014). Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Nonlinear Dynamics, 78(3), 2261–2276.

  51. Secure Hash Standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), US Department of Commerce, April 1995. Accessed November 2010.

Correspondence to Dheerendra Mishra.

Cite this article

Mishra, D. Design and Analysis of a Provably Secure Multi-server Authentication Scheme. Wireless Pers Commun 86, 1095–1119 (2016). https://doi.org/10.1007/s11277-015-2975-0

  • DOI: https://doi.org/10.1007/s11277-015-2975-0
