Improvement of smart card based password authentication scheme for multiserver environments

In multiserver (MS) environments, it is preferable for a remote user to log in to different service provider servers by keying in the same password. Recently, Wang et al. proposed an improvement on the dynamic identity-based smart card authentication scheme of Liao and Wang for MS environments. Sandeep et al. improved the dynamic identity-based smart card authentication scheme of Hsiang et al. for MS architecture. However, we found that the schemes of Wang et al. and Sandeep et al. failed to provide service provider server authentication, perfect forward security, and login scalability. In addition, the scheme of Sandeep et al. was insecure against stolen verifier attacks. This paper proposes an improved smart card-based password authentication scheme for MS environments. The new scheme removes all of the abovementioned weaknesses. The proposed identity-based smart card authentication scheme satisfies the following properties: C1. User authentication; C2. Service provider server authentication; C3. Control server authentication; C4. Perfect forward security; C5. Freedom of password change; C6. Scalability of login; C7. Resistance to stolen verifier attacks; and C8. High efficiency.

___

  • W. Diffie, M.E. Hellman, “New directions in cryptography”, IEEE Transactions on Information Theory, Vol. 22, pp. , 1976.
  • L. Lamport, “Password authentication with insecure communication”, Communications of the ACM, Vol. 24, pp. 30, 1981.
  • K. Bıçakcı, N. Baykal, “Improving the security and flexibility of one-time passwords by signature chains”, Turkish Journal of Electrical Engineering and Computer Sciences, Vol. 11, pp. 223-236, 2003.
  • M.S. Hwang, L.H. Li, “A new remote user authentication scheme using smart cards”, IEEE Transactions on Consumer Electronics, Vol. 46, pp. 28-30, 2000.
  • L. Li, I. Lin, M. Hwang, “A remote password authentication scheme for multi-server architecture using neural networks”, IEEE Transactions on Neural Networks, Vol. 12, pp. 1498-1504, 2001.
  • M.L. Das, A. Saxena, V.P. Gulati, “A dynamic ID-based remote user authentication scheme”, IEEE Transactions on Consumer Electronics, Vol. 50, pp. 629-31, 2004.
  • L.L. Hu, X.X. Niu, Y.X. Yang, “An efficient multi-server password authenticated key agreement scheme using smart cards”, International Conference on Multimedia and Ubiquitous Engineering, pp. 903-907, 2007.
  • Y.P. Liao, S.S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment”, Computer Standards & Interfaces, Vol. 31, pp. 24-29, 2009.
  • Y.L. Chen, C.H. Huang, J.S. Chou, “A novel multi-server authentication scheme”, Cryptology ePrint Archive, pp. 190, 2009.
  • E.J. Yoon, K.Y. Yoo, “Robust multi-server authentication scheme”, Sixth IFIP International Conference on Network and Parallel Computing, pp. 197-203, 2009.
  • W.B. Lee, C.C. Chang, “User identification and key distribution maintaining anonymity for distributed computer network”, Computer System Science, Vol. 15, pp. 211-214, 2000.
  • W. Ford, B.S. Kaliski, “Server-assisted generation of a strong secret from a password”, Proceedings of IEEE 9th International Workshop Enabling Technologies, pp. 176-180, 2000.
  • W.J. Tsaur, C.C. Wu, W.B. Lee, “A flexible user authentication scheme for multi-server Internet services”, Lecture Notes in Computer Science, Vol. 2093, pp. 174-183, 2001.
  • W.J. Tsaur, C.C. Wu, W.B. Lee, “A smart card-based remote scheme for password authentication in multi-server internet services”, Computer Standards & Interfaces, Vol. 27, pp. 39-51, 2004.
  • J.S. Chou, C.H. Huang, C.C. Ding, “Security weaknesses in two multi-server password based authentication schemes”, Nanhua University White Paper, available at eprint.iacr.org/2009/338.pdf.
  • W.S. Juang, “Efficient multi-server password authenticated key agreement using smart cards”, IEEE Transactions on Consumer Electronics, Vol. 50, pp. 251-255, 2004.
  • C.C. Chang, J.S. Lee, “An efficient and secure multi-server password authentication scheme using smart cards”, International Conference on Cyber Worlds, pp. 417-422, 2004.
  • J.H. Lee, D.H. Lee, “Efficient and secure remote authenticated key agreement scheme for multi-server using mobile equipment”, Proceedings of the International Conference on Consumer Electronics, pp. 1-2, 2008.
  • M.H. Lim, S. Lee, H. Lee, “An efficient multi-server password authenticated key agreement scheme revisited”, Third International Conference on Convergence and Hybrid Information Technology, pp. 396-400, 2008.
  • J.L. Tsai, “Efficient multi-server authentication scheme based on one-way hash function without verification table”, Computers & Security, Vol. 27, pp. 115-121, 2008.
  • R.C. Wang, W.S. Juang, C.L. Lei, “User authentication scheme with privacy-preservation for multi-server environment”, IEEE Communications Letters, Vol. 13, pp. 157-159, 2009.
  • H.C. Hsiang, W.K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment”, Computer Standards & Interfaces, Vol. 31, pp. 1118-1123, 2009.
  • K.S. Sandeep, A.K. Sarje, K. Singh, “A secure dynamic identity based authentication protocol for multi-server architecture”, Journal of Network and Computer Applications, Vol. 34, pp. 609-618, 2011.
  • Y. Yang, R.H. Deng, F. Bao, “A practical password-based two-server authentication and key exchange system”, IEEE Transactions on Dependable and Secure Computing, Vol. 3, pp. 105-114, 2006.
  • T.S. Messerges, E.A. Dabbish, R.H. Sloan, “Examining smart-card security under the threat of power analysis attacks”, IEEE Transactions on Computers, Vol. 51, pp. 541-552, 2002.
  • P. Kocher, J. Jaffe, B. Jun, “Differential power analysis”, Lecture Notes in Computer Science, Vol. 1666, pp. 388-397,
  • K.A. Bayam, B. Örs, “Differential power analysis resistant hardware implementation of the RSA cryptosystem”, Turkish Journal of Electrical Engineering and Computer Sciences, Vol. 18, pp. 129-140, 2010.
  • C. Lin, M.S. Hwang, L.H. Li, “A new remote user authentication scheme for multi-server architecture”, Future Generation Computer Systems, Vol. 1, pp. 13-22, 2003.