
Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment

  • Jiaqing Mo
  • Hang Chen
  • Wei Shen
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 895)

Abstract

Cryptanalyzing the security weaknesses of authentication protocols is extremely important for proposing countermeasures and developing a truly secure protocol. Over the last few years, many three factor-based authentication schemes with key agreement have been proposed for the multi-server environment. In 2017, Ali and Pal developed a three-factor authentication scheme for the multi-server environment using elliptic curve cryptography (ECC) to remedy the security flaws in Li et al.’s scheme and claimed that their improved version can withstand passive and active attacks. In this paper, we prove that Ali-Pal’s scheme is subject to an offline password guessing attack, a replay attack, and a known session-specific temporary information (KSSTI) attack. In the same year, Feng et al. examined Kumari et al.’s biometrics-based authentication scheme for the multi-server environment and found that their scheme was vulnerable to several attacks. To fix these weaknesses, Feng et al. proposed an enhanced three-factor authentication scheme with key distribution for the mobile multi-server environment and claimed that their scheme can satisfy the security and functional requirements. However, we show that Feng et al.’s scheme fails to resist an offline password guessing attack and suffers from a replay attack. In addition to pointing out the security defects, we put forward countermeasures to eliminate the security risks and secure the three factor-based authentication schemes for the multi-server environment.

Keywords

Authentication; Three-factor security; Offline password guessing attack; Multi-server environment

Notes

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China (Project No. 61672007), Science and Technology Innovation Guidance Project 2017 (Project No. 201704030605).


Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. School of Computer Science and Software, Zhaoqing University, Zhaoqing, China
