Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment
Cryptanalyzing the security weaknesses of authentication protocols is extremely important to propose countermeasures and develop a truly secure protocol. Over last few years, many three factor-based authentication schemes with key agreement have been proposed for multi-server environment. In 2017, Ali and Pal developed a three-factor authentication scheme in multi-server environment using elliptic curve cryptography (ECC) to remedy the security flaws in Li et al.’s scheme and claimed their improved version can withstand the passive and active attacks. In this paper, we prove that Ali-Pal’s scheme is subject to offline password guessing attack, replay attack, and known session-specific temporary information (KSSTI) attack. In the same year, Feng et al. examined Kumari et al.’s biometrics-based authentication scheme for multi-server environment and found that their scheme was vulnerable to several attacks. To fix these weaknesses, Feng et al. proposed an enhanced three-factor authentication scheme with key distribution for mobile multi-server environment and claimed that their scheme can satisfy the security and functional requirements. However, we show that Feng et al.’s scheme fails to resist offline password guessing attack, and suffers from replay attack. In addition to point out the security defects, we put forward countermeasures to eliminate the security risks and secure the three factor-based authentication schemes for multi-server environment.
KeywordsAuthentication Three-factor security Offline password guessing attack Multi-server environment
This work was partially supported by the National Natural Science Foundation of China (Project No. 61672007), Science and Technology Innovation Guidance Project 2017 (Project No. 201704030605).
- 5.Han, W.: Weaknesses of a dynamic identity based authentication protocol for multi-server architecture. arXiv preprint arXiv:1201.0883 (2012)
- 7.Wang, D., Ma, C.-g., Gu, D.-l., Cui, Z.-s.: Cryptanalysis of two dynamic id-based remote user authentication schemes for multi-server architecture. In: International Conference on Network and System Security, pp. 462–475. Springer (2012)Google Scholar
- 11.Yang, D., Yang, B.: A biometric password-based multi-server authentication scheme with smart card. In: 2010 International Conference on Computer Design and Applications (ICCDA), pp. V5-554–V555-559. IEEE (2010)Google Scholar
- 13.He, D.: Security flaws in a biometrics-based multi-server authentication with key agreement scheme. IACR Cryptology ePrint Archive 2011, 365 (2011)Google Scholar
- 14.Kim, H., Jeon, W., Lee, K., Lee, Y., Won, D.: Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In: International Conference on Computational Science and Its Applications, pp. 391–406. Springer (2012)Google Scholar
- 31.Wang, D., He, D., Wang, P., Chu, C.-H.: Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Tran. Dependable Secure Comput. 1 (2015)Google Scholar
- 32.Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secure Comput. (2016) Google Scholar
- 33.Wang, D., Gu, Q., Cheng, H., Wang, P.: The request for better measurement: a comparative evaluation of two-factor authentication schemes. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 475–486. ACM (2016)Google Scholar
- 34.Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Annual International Cryptology Conference, pp. 388–397. Springer (1999)Google Scholar