An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards


Journal of Network and Computer Applications 35 (2012) 763–769


Xiong Li a,*, Yongping Xiong a, Jian Ma a,b, Wendong Wang a

a State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, PR China
b Wuxi SensingNet Industrialization Research Institute, Wuxi, Jiangsu 214135, PR China


Abstract

Article history: Received 31 May 2011; received in revised form 22 October 2011; accepted 10 November 2011; available online 20 November 2011.

Generally, if a user wants to use numerous different network services, he/she must register himself/herself with every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user anonymity, mutual authentication and session key agreement, and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to the leak-of-verifier attack, the stolen smart card attack and the impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and secure dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in a distributed multi-server architecture since it provides user anonymity, mutual authentication, efficiency and security.

© 2011 Elsevier Ltd. All rights reserved.

Keywords: Authentication; Dynamic identity; Smart card; Password; Multi-server architecture

* Corresponding author. Tel.: +86 15010249305. E-mail addresses: [email protected], [email protected] (X. Li).
© 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.jnca.2011.11.009

1. Introduction

With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet, such as online shopping, online games and distributed electronic medical record systems, which makes life very convenient. In this setting it is very important to authenticate the identity of a remote user in a public environment before he/she can access a service. Users should have proper access rights to access resources at remote systems through the public network environment, and password authentication is one of the simplest and most convenient authentication mechanisms for handling secret data over insecure networks. Lamport (1981) first proposed a remote password authentication protocol for insecure communication. However, in his protocol the server must store a password list, and it cannot resist interpolation attacks. Hwang and Li (2000) proposed a remote user authentication protocol using smart cards based on ElGamal's (1985) public key cryptosystem, which does not require storing a password table for authentication. After that, in order to eliminate the security problems and to reduce the communication and computation costs, numerous smart card based single-server authentication protocols using a one-way hash function have been proposed (Fan et al., 2005; Hwang et al., 2010; Lee et al., 2005; Li and Hwang, 2010; Li et al., 2011; Liu et al., 2008; Song, 2010). However, it is extremely hard for a user to remember numerous different identities and passwords when he/she uses a single-server authentication protocol to log in to and access different remote service providing servers. In order to resolve this problem, Li et al. (2001) proposed a remote user authentication protocol using neural networks; their protocol is compatible with a multi-server network architecture without repetitive registration. However, Li et al.'s protocol requires extremely high communication and computation costs, since each user must have a large memory to store public parameters for authentication. To tackle the efficiency problem of Li et al.'s protocol, Juang (2004) proposed an efficient multi-server password authenticated key agreement protocol based on the hash function and a symmetric key cryptosystem. However, Chang and Lee (2004) pointed out that Juang's (2004) protocol still lacks efficiency, since the computation and storage costs of each user are proportional to the number of users and servers; furthermore, if the secret value of the smart card is extracted in some way, Juang's (2004) protocol is vulnerable to an off-line dictionary attack. Therefore, Chang and Lee proposed a novel remote user authentication protocol to remedy these weaknesses. However, their protocol was found vulnerable to insider attack, spoofing attack and registration center spoofing attack. Tsaur et al. (2004) proposed a multi-server authentication protocol based on the RSA cryptosystem and Lagrange interpolation polynomials. However, Tsaur et al.'s protocol is also not efficient because it needs high communication and computation costs. Tsai (2008) also proposed an efficient multi-server authentication protocol without a verification table. Tsai's protocol only uses nonces and a one-way hash function; it is very suitable for use in a distributed network environment because of its low computation cost. However, all the above password authentication protocols for multi-server architecture are based on a static ID, which gives the adversary a chance to trace the legal user. Liao and Wang (2009) proposed a dynamic identity based remote user authentication protocol for multi-server architecture. They claimed that their protocol can resist various attacks and can achieve mutual authentication. However, Hsiang and Shih (2009) pointed out that the Liao–Wang protocol is vulnerable to insider attack, masquerade attack, server spoofing attack and registration center spoofing attack, and that it is not reparable. Besides, the Liao–Wang protocol cannot achieve mutual authentication. To solve these problems, Hsiang and Shih (2009) proposed an improvement on the Liao–Wang (2009) protocol. Recently, Sood et al. (2011) pointed out that Hsiang and Shih's protocol is still not secure. They found that the Hsiang–Shih (2009) protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Furthermore, the password change phase of that protocol is wrong. To overcome these security flaws, Sood et al. proposed a secure dynamic identity based authentication protocol. Sood et al. claimed their protocol can achieve user anonymity and can resist different kinds of attacks.
However, through careful analysis, we find that Sood et al.'s (2011) protocol is vulnerable to the leak-of-verifier attack (an attacker who steals the password verifier from the server can obtain useful information, or can use the leaked verifier to impersonate a legal user and log in to the system) and the stolen smart card attack (if the user's smart card is lost or stolen, the attacker can extract the information stored in the smart card and can easily change the password of the smart card, guess the user's password by a password guessing attack, or impersonate the user to log in to the system); furthermore, their protocol has a fatal mistake which means it cannot complete mutual authentication and session key agreement. Therefore, we propose an efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems. The rest of the paper is organized as follows: in Section 2, we provide a brief review of Sood et al.'s (2011) protocol. Section 3 points out the security weaknesses of Sood et al.'s protocol. The proposed protocol and the corresponding protocol analysis are presented in Sections 4 and 5, respectively. Finally, we draw our conclusions in Section 6.

2. Overview of Sood et al.'s scheme

The notations used throughout this paper are summarized in Table 1. For a detailed analysis, we review Sood et al.'s (2011) dynamic identity based authentication protocol for multi-server architecture. There are three parties in Sood et al.'s protocol, i.e., the user, the service providing server, and the control server CS. The control server CS is equivalent to the registration center; it is not directly accessible to the users and thus it is less likely to be attacked. Their protocol contains four phases, i.e., the registration phase, the login phase, the authentication and session key agreement phase, and the password change phase. We show the protocol in Fig. 1 and more details are provided as follows.

Table 1. Notations used in this paper.

$U_i$: the ith user
$S_k$: the kth service providing server
CS: the control server
$ID_i$: the identity of the user $U_i$
$P_i$: the password of the user $U_i$
$SID_k$: the identity of the server $S_k$
$y_i$: the random number chosen by CS for the user $U_i$
$x$: the master secret key maintained by CS
$b$: a random number chosen by the user for registration
$CID_i$: the dynamic identity generated by the user $U_i$ for authentication
SK: a session key shared among the user, the service providing server and the CS
$N_{i1}$: a random number generated by the user $U_i$'s smart card
$N_{i2}$: a random number generated by the server $S_k$ for the user $U_i$
$N_{i3}$: a random number generated by the CS for the user $U_i$
$h(\cdot)$: a one-way hash function
$\oplus$: exclusive-OR operation
$\|$: message concatenation operation

2.1. Registration phase

When the user $U_i$ wants to become a legal client to access the services, the user must register himself/herself with the CS; at the same time, the service providing servers register themselves with the CS. The details of the registration phase are as follows:

Step 1: The user $U_i$ chooses a random number $b$, then computes $A_i = h(ID_i \| b)$, $B_i = h(b \oplus P_i)$ and submits $A_i, B_i$ to the control server CS via a secure communication channel.
Step 2: After receiving the messages $A_i, B_i$, the CS computes $F_i = A_i \oplus y_i$, $G_i = B_i \oplus h(y_i) \oplus h(x)$ and $C_i = A_i \oplus h(y_i) \oplus x$, where $x$ is the master secret key of the CS and $y_i$ is a unique random number chosen by the CS for the user $U_i$; at the same time, the CS stores $(C_i, y_i \oplus x)$ in its client database. Then the CS stores the security parameters $(F_i, G_i, h(\cdot))$ in the user's smart card and sends the smart card to the user $U_i$ through a secure channel.
Step 3: After the user $U_i$ receives the smart card, $U_i$ computes $D_i = b \oplus h(ID_i \| P_i)$, $E_i = h(ID_i \| P_i) \oplus P_i$ and enters the values $D_i$ and $E_i$ into his/her smart card. Finally, the smart card contains the security parameters $(D_i, E_i, F_i, G_i, h(\cdot))$.

The service providing server $S_k$ registers itself under the identity $SID_k$ with the CS and agrees on a unique secret key $SK_k$ with the CS. The server $S_k$ remembers $SK_k$ and the CS stores $(SID_k, SK_k \oplus h(x \| SID_k))$ in its server database.

2.2. Login phase

Step 1: When the user $U_i$ wants to log in to the server $S_k$, $U_i$ inserts his/her smart card into a card reader and inputs his/her identity $ID_i^*$, password $P_i^*$ and the server's identity $SID_k$. The smart card computes $E_i^* = h(ID_i^* \| P_i^*) \oplus P_i^*$ and checks whether $E_i^* = E_i$, where the value of $E_i$ is stored in the smart card. If they are equal, $U_i$ is a legal user.
Step 2: After verifying the validity of the user, the smart card generates a random number $N_{i1}$ and computes $b = D_i \oplus h(ID_i \| P_i)$, $A_i = h(ID_i \| b)$, $B_i = h(b \oplus P_i)$, $y_i = F_i \oplus A_i$, $h(x) = G_i \oplus B_i \oplus h(y_i)$, $Z_i = h^2(x) \oplus N_{i1}$, $CID_i = A_i \oplus h(y_i) \oplus h(x) \oplus N_{i1}$ and $M_i = h(h(x) \| y_i \| SID_k \| N_{i1})$. Then, the smart card sends the login request message $(SID_k, Z_i, CID_i, M_i)$ to the server $S_k$ over a public channel.

2.3. Authentication and session key agreement phase

Step 1: After receiving the login request from the user $U_i$, the server $S_k$ chooses a random number $N_{i2}$ and computes $R_i = N_{i2} \oplus SK_k$. Then, the server $S_k$ sends the login request message $(SID_k, Z_i, CID_i, M_i, R_i)$ to the CS.
Step 2: The CS first extracts $SK_k$ from $SK_k \oplus h(x \| SID_k)$ by using $x$ and $SID_k$. Then the CS computes $N_{i1} = Z_i \oplus h^2(x)$, $N_{i2} = R_i \oplus SK_k$, $C_i^* = CID_i \oplus N_{i1} \oplus h(x) \oplus x$, and looks up the value of $C_i$ matching $C_i^*$ in its client database. If the value of $C_i^*$ does not match any value of $C_i$ in its client database, the CS


Fig. 1. Sood et al.’s protocol.

rejects the login request and terminates this session. Otherwise, the CS performs step 3.
Step 3: The CS extracts $y_i$ from the $y_i \oplus x$ corresponding to $C_i^*$ in its client database. Then the CS computes $M_i^* = h(h(x) \| y_i \| SID_k \| N_{i1})$ and compares $M_i^*$ with the received value of $M_i$ to verify the legitimacy of the user $U_i$ and the server $S_k$. If they are equal, the CS accepts the login request. Otherwise, the session is terminated.
Step 4: If step 3 succeeds, the CS generates a random number $N_{i3}$, computes $K_i = N_{i1} \oplus N_{i3} \oplus h(SK_k \| N_{i2})$, $X_i = h(ID_i \| y_i \| N_{i1}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$, $V_i = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \| h(ID_i \| y_i \| N_{i1})]$, $T_i = N_{i2} \oplus N_{i3} \oplus h(y_i \| ID_i \| h(x) \| N_{i1})$ and sends the mutual authentication message $(K_i, X_i, V_i, T_i)$ back to the server $S_k$.
Step 5: Upon receiving the authentication message $(K_i, X_i, V_i, T_i)$ from the control server CS, the server $S_k$ computes $N_{i1} \oplus N_{i3} = K_i \oplus h(SK_k \| N_{i2})$ from $K_i$, and $h(ID_i \| y_i \| N_{i1}) = X_i \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$. Then the server $S_k$ computes $V_i^* = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \| h(ID_i \| y_i \| N_{i1})]$ and compares $V_i^*$ with the received value of $V_i$ to verify the legitimacy of the CS.
Step 6: The server $S_k$ sends $(V_i, T_i)$ to the smart card of the user $U_i$. The smart card computes $N_{i2} \oplus N_{i3} = T_i \oplus h(y_i \| ID_i \| h(x) \| N_{i1})$, $V_i^* = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \| h(ID_i \| y_i \| N_{i1})]$ and checks whether $V_i^* = V_i$. If it holds, the legitimacy of the CS and of $S_k$ is authenticated; else the connection is interrupted. Finally, the user $U_i$'s smart card, the server $S_k$ and the CS agree on the common session key $SK = h(h(ID_i \| y_i \| N_{i1}) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))$.

2.4. Password change phase

The user $U_i$ can change his/her password without the help of the CS. When the user $U_i$ wants to change his/her password, $U_i$ inserts the smart card into a card reader and enters his/her identity $ID_i^*$ and password $P_i^*$. The smart card computes $E_i^* = h(ID_i^* \| P_i^*) \oplus P_i^*$ and checks whether $E_i^* = E_i$. If $E_i$ is valid, the smart card computes the values of $b$, $h(y_i)$, $h(x)$ and the card holder inputs a new password $P_i^{new}$; then the smart card computes $D_i^{new} = b \oplus h(ID_i \| P_i^{new})$, $E_i^{new} = h(ID_i \| P_i^{new}) \oplus P_i^{new}$ and $G_i^{new} = h(b \oplus P_i^{new}) \oplus h(y_i) \oplus h(x)$. Finally, the smart card stores $D_i^{new}$, $E_i^{new}$, $G_i^{new}$ on the smart card to replace $D_i$, $E_i$, $G_i$, which completes the password change process.

3. Protocol analysis

Although Sood et al. claimed that their protocol can resist many types of attacks, this is not actually the case. In this section, we analyze the security weaknesses and the correctness of Sood et al.'s protocol. Through careful analysis, we find that Sood et al.'s protocol cannot resist the leak-of-verifier attack and the stolen smart card attack as they claimed. Furthermore, there is a fatal error in Sood et al.'s authentication protocol which means the three parties cannot complete the authentication and session key agreement process. The detailed analysis is described as follows.


3.1. Leak-of-verifier attack

As shown in Sood et al.'s protocol, the control server CS stores $y_i \oplus x$ corresponding to $C_i = A_i \oplus h(y_i) \oplus x$ in its client database, and stores $SK_k \oplus h(x \| SID_k)$ corresponding to the server identity $SID_k$ in its service providing server database. Sood et al. claimed that the attacker cannot compute the values of $x$ and $y_i$ from the verifier information stored on the control server, and cannot calculate the user's identity and password, so their protocol is secure against the leak-of-verifier attack. However, we find that this is not the case: under the condition that a malicious privileged user accesses the control server CS, he/she can perform the leak-of-verifier attack as below. As in Sood et al.'s analysis of Hsiang and Shih's protocol, we suppose that a malicious privileged user $U_k$ having his own smart card can gather the information $(D_k, E_k, F_k, G_k, h(\cdot))$ from his own smart card. Using his identity $ID_k$, password $P_k$ and the smart card information, he can compute $b_k = D_k \oplus h(ID_k \| P_k)$, $A_k = h(ID_k \| b_k)$, $y_k = F_k \oplus A_k$, $B_k = h(b_k \oplus P_k)$, $h(x) = G_k \oplus B_k \oplus h(y_k)$, so he obtains $y_k$ and $h(x)$. If the data $(y_i \oplus x, C_i = A_i \oplus h(y_i) \oplus x)$ stored in the CS's client database are leaked to the malicious privileged user $U_k$, he can get $x$ from $y_k$, $h(x)$ and all the $y_i \oplus x$, and then he can get the data pairs $(y_i, A_i)$ from $x$, $y_i \oplus x$ and $C_i = A_i \oplus h(y_i) \oplus x$. With the data pairs $(y_i, A_i)$ and the value $h(x)$, the malicious user $U_k$ can forge a valid login message of the user $U_i$. First, the malicious user $U_k$ generates a random number $N'_{i1}$ and computes $CID'_i = A_i \oplus h(y_i) \oplus h(x) \oplus N'_{i1}$, $M'_i = h(h(x) \| y_i \| SID_j \| N'_{i1})$, $Z'_i = h^2(x) \oplus N'_{i1}$; then he submits the forged login message $(SID_j, Z'_i, CID'_i, M'_i)$ to the server $S_j$. After receiving the login message $(SID_j, Z'_i, CID'_i, M'_i)$, $S_j$ generates a random number $N_{i2}$ and computes $R_i = N_{i2} \oplus SK_j$; then $S_j$ submits the login request message $(SID_j, Z'_i, CID'_i, M'_i, R_i)$ to the control server CS. Upon receiving the message $(SID_j, Z'_i, CID'_i, M'_i, R_i)$, the CS extracts $SK_j$ from $SK_j \oplus h(x \| SID_j)$ and computes $N'_{i1} = Z'_i \oplus h^2(x)$, $N_{i2} = R_i \oplus SK_j$, $C_i^* = CID'_i \oplus N'_{i1} \oplus h(x) \oplus x = A_i \oplus h(y_i) \oplus x = C_i$, so the CS extracts $y_i$ from the $y_i \oplus x$ corresponding to $C_i^*$ in its client database. Then the CS computes $M_i^* = h(h(x) \| y_i \| SID_j \| N'_{i1}) = M'_i$, so the CS accepts the login request, and the legitimacy of the user $U_i$ and the server $S_j$ is authenticated. So if the verifier information stored in the CS is leaked, the malicious privileged user $U_k$ can not only calculate $x$ and $y_i$ but also perform an impersonation attack.

3.2. Stolen smart card attack

In the security analysis of Sood et al.'s protocol, they claimed that even if the smart card is stolen and the information is extracted by an attacker, the attacker cannot correctly guess two parameters out of $ID_i$, $h(x)$, $y_i$ and $P_i$ at the same time. However, we find this is not true when we look back at the protocol. As shown in the leak-of-verifier attack, the malicious privileged user $U_k$ having his own smart card can gather the information $(D_k, E_k, F_k, G_k, h(\cdot))$ stored in his own smart card and can get $h(x)$ from this information. Suppose $(SID_j, Z_i, CID_i, M_i)$ is a previously valid login message launched by the user $U_i$ which was eavesdropped by the malicious user $U_k$. Then $U_k$ can compute $N_{i1} = Z_i \oplus h^2(x)$ and $A_i \oplus h(y_i) = CID_i \oplus h(x) \oplus N_{i1}$. If the user $U_i$'s smart card is stolen by the malicious user $U_k$, he can extract the information $(D_i, E_i, F_i, G_i, h(\cdot))$. Then, the malicious user $U_k$ can compute $b_i \oplus P_i = D_i \oplus E_i$, $h(b_i \oplus P_i) = B_i$, $h(y_i) = G_i \oplus B_i \oplus h(x)$, so he can compute $A_i = h(y_i) \oplus (A_i \oplus h(y_i))$ and gets $y_i = F_i \oplus A_i$. According to the above analysis, when the user's smart card is stolen by the malicious privileged user $U_k$, he can compute $h(x)$ and $y_i$ correctly at the same time. Furthermore, with the information $h(x)$, $A_i$ and $y_i$, the malicious user $U_k$ can forge a valid login request message of the user $U_i$ as shown in Section 3.1. So, Sood et al.'s protocol cannot resist the stolen smart card attack as they claimed.

3.3. Incorrect authentication and session key agreement phase

In the registration phase of Sood et al.'s protocol, the user $U_i$ submits $A_i$ and $B_i$ rather than the true identity $ID_i$ to the CS for registration, and the CS does not store the user's real identity in its client database. As shown in the identity protection analysis of Sood et al.'s protocol, instead of sending the real identity $ID_i$ of the user $U_i$ for authentication, the pseudo identity $CID_i = A_i \oplus h(y_i) \oplus h(x) \oplus N_{i1}$ is generated by the user $U_i$'s smart card for its authentication to the service providing server $S_k$ and the control server CS. There is no real identity information about the user during the login phase and the authentication and session key agreement phase. That is to say, there is no way for the server $S_k$ and the control server CS to get the real identity $ID_i$ of the user $U_i$ throughout any phase of Sood et al.'s protocol, so $S_k$ and the CS cannot compute or verify any verification information using the real identity of the user $U_i$ in the authentication and session key agreement phase. However, in step 4 of the authentication and session key agreement phase of Sood et al.'s protocol, the control server CS computes the mutual authentication information $X_i = h(ID_i \| y_i \| N_{i1}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$, $V_i = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \| h(ID_i \| y_i \| N_{i1})]$, $T_i = N_{i2} \oplus N_{i3} \oplus h(y_i \| ID_i \| h(x) \| N_{i1})$ using the real identity $ID_i$ of the user $U_i$, and this is a contradiction. So, actually, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect, since there is no way for the server $S_k$ and the control server CS to know the real identity $ID_i$ of the user $U_i$, and we think this is a fatal mistake of this protocol.

4. The proposed scheme

In this section, we propose an efficient and secure protocol to avoid the security flaws of Sood et al.'s protocol. Our protocol also involves three participants, i.e., the user ($U_i$), the service providing server ($S_j$) and the control server (CS). It is assumed that CS is a trusted party responsible for the registration and authentication of $U_i$ and $S_j$. CS chooses the master secret key $x$ and a secret number $y$. When a service providing server $S_j$ registers with CS using its identity $SID_j$, the control server CS computes $h(SID_j \| y)$ and $h(x \| y)$; then the control server CS shares $h(x \| y)$ with $S_j$ and submits $h(SID_j \| y)$ to $S_j$ through a secure channel. There are four phases in our protocol: the registration phase, the login phase, the authentication and session key agreement phase, and the password change phase. Detailed steps of these phases are described as follows and are shown in Fig. 2.

4.1. Registration phase

When the user $U_i$ wants to access the services, he/she has to submit his/her identity $ID_i$ and password information to CS for registration. The steps of the registration phase are as follows:

Step 1: The user $U_i$ freely chooses his/her identity $ID_i$ and password $P_i$, and chooses a random number $b$. Then $U_i$ computes $A_i = h(b \| P_i)$ and submits $ID_i$ and $A_i$ to the control server CS for registration via a secure channel. This secure channel ensures that the user identity $ID_i$, transmitted in plaintext, is protected from network attacks such as the impersonation attack.
Step 2: After receiving the message $ID_i$ and $A_i$, the control server CS computes $B_i = h(ID_i \| x)$, $C_i = h(ID_i \| h(y) \| A_i)$, $D_i = B_i \oplus h(ID_i \| A_i)$, $E_i = B_i \oplus h(y \| x)$; then the CS stores $(C_i, D_i, E_i, h(\cdot), h(y))$ in


Fig. 2. The proposed protocol.

$U_i$'s smart card and submits the smart card to the user $U_i$ via a secure channel.
Step 3: When receiving the smart card, the user $U_i$ enters $b$ into the smart card. At last, the smart card contains the parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$.

4.2. Login phase

Step 1: When the user $U_i$ wants to log in to the server $S_j$, $U_i$ inserts his/her smart card into a card reader and inputs his/her identity $ID_i$, password $P_i$ and the server's identity $SID_j$. The smart card computes $A_i = h(b \| P_i)$ and $C'_i = h(ID_i \| h(y) \| A_i)$, and checks whether $C'_i = C_i$. If they are equal, $U_i$ is a legal user.
Step 2: After verification, the smart card generates a random number $N_{i1}$ and computes $B_i = D_i \oplus h(ID_i \| A_i)$, $F_i = h(y) \oplus N_{i1}$, $P_{ij} = E_i \oplus h(h(y) \| N_{i1} \| SID_j)$, $CID_i = A_i \oplus h(B_i \| F_i \| N_{i1})$, $G_i = h(B_i \| A_i \| N_{i1})$. Then, the smart card sends the login request message $(F_i, G_i, P_{ij}, CID_i)$ to the server $S_j$ over a public channel.

4.3. Authentication and session key agreement phase

Step 1: After receiving the login request from the user $U_i$, the server $S_j$ chooses a random number $N_{i2}$ and computes $K_i = h(SID_j \| y) \oplus N_{i2}$ and $M_i = h(h(x \| y) \| N_{i2})$. Then the server $S_j$ sends the login request message $(F_i, G_i, P_{ij}, CID_i, SID_j, K_i, M_i)$ to the CS.
Step 2: When receiving the login request message $(F_i, G_i, P_{ij}, CID_i, SID_j, K_i, M_i)$, the CS computes $N_{i2} = K_i \oplus h(SID_j \| y)$, $M'_i = h(h(x \| y) \| N_{i2})$, and checks whether $M'_i$ equals the received $M_i$. If they are equal, the validity of the server $S_j$ is verified by the control server CS. Otherwise, the CS terminates the session.
Step 3: The control server CS computes $N_{i1} = F_i \oplus h(y)$, $B_i = P_{ij} \oplus h(h(y) \| N_{i1} \| SID_j) \oplus h(y \| x)$ $(= E_i \oplus h(y \| x))$, $A_i = CID_i \oplus h(B_i \| F_i \| N_{i1})$, $G'_i = h(B_i \| A_i \| N_{i1})$, and checks whether $G'_i = G_i$. If they are equal, the validity of the user $U_i$ is verified by the control server CS. Otherwise the CS terminates the session.
Step 4: The control server CS generates a random number $N_{i3}$ and computes $Q_i = N_{i1} \oplus N_{i3} \oplus h(SID_j \| N_{i2})$, $R_i = h(A_i \| B_i) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$, $V_i = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i2} \oplus N_{i3}))$, $T_i = N_{i2} \oplus N_{i3} \oplus h(A_i \| B_i \| N_{i1})$. Then, the control server CS submits $(Q_i, R_i, V_i, T_i)$ as the mutual authentication message to the server $S_j$.
Step 5: When receiving the authentication message $(Q_i, R_i, V_i, T_i)$ from the control server CS, the server $S_j$ computes $N_{i1} \oplus N_{i3} = Q_i \oplus h(SID_j \| N_{i2})$, $h(A_i \| B_i) = R_i \oplus h(N_{i1} \oplus N_{i3} \oplus N_{i2})$, $V'_i = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i3} \oplus N_{i2}))$, and checks whether $V'_i = V_i$. If they are not equal, the server $S_j$ terminates the session. On the contrary, if they are equal, the legitimacy of the control server CS is verified by the


server $S_j$. Then the server $S_j$ submits the message $(V_i, T_i)$ to the user $U_i$.
Step 6: Upon receiving the message $(V_i, T_i)$ from the server $S_j$, the smart card computes $N_{i2} \oplus N_{i3} = T_i \oplus h(A_i \| B_i \| N_{i1})$, $V'_i = h(h(A_i \| B_i) \| h(N_{i2} \oplus N_{i3} \oplus N_{i1}))$, and checks whether $V'_i = V_i$. If they are not equal, the user $U_i$ terminates the session. On the contrary, if they are equal, the legitimacy of the control server CS and the server $S_j$ is verified by the user $U_i$. Finally, the user $U_i$, the server $S_j$ and the control server CS agree on a common session key $SK = h(h(A_i \| B_i) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))$.

4.4. Password change phase

This phase is invoked whenever $U_i$ wants to change his/her password $P_i$ to a new password $P_i^{new}$ without the help of the control server CS. The user $U_i$ inserts his/her smart card into a card reader and enters his/her identity $ID_i$ and password $P_i$. The smart card computes $A_i = h(b \| P_i)$, $B_i = D_i \oplus h(ID_i \| A_i)$ and $C'_i = h(ID_i \| h(y) \| A_i)$, and checks whether $C'_i = C_i$. If they are equal, the user $U_i$ is asked to submit a new password $P_i^{new}$. Then, the smart card computes $A_i^{new} = h(b \| P_i^{new})$, $C_i^{new} = h(ID_i \| h(y) \| A_i^{new})$, $D_i^{new} = B_i \oplus h(ID_i \| A_i^{new})$, and stores $C_i^{new}, D_i^{new}$ into the smart card to replace $C_i, D_i$, which finishes the password change phase.

5. Protocol analysis

In this section, we discuss the security features of the proposed dynamic identity based multi-server authentication protocol. Then we evaluate the performance and functionality of our proposed protocol and make comparisons with some related dynamic identity based multi-server authentication protocols.

5.1. Replay attack

An attacker may attempt to pretend to be a valid user and log in to the server by sending messages previously transmitted by a legal user. In each session of our protocol, the user $U_i$, the server $S_j$ and the control server CS choose different nonce values $N_{i1}, N_{i2}, N_{i3}$, respectively, to compute and verify the authentication messages, which ensures that authentication messages exposed on an insecure channel are distinct among different sessions and valid for that session only. Thus, an attacker has no way to successfully replay used messages.

5.2. Impersonation attack

In this type of attack, the attacker or a malicious user forges a valid login request $(F_i, G_i, P_{ij}, CID_i)$ to impersonate a legitimate user using previously eavesdropped messages or the information obtained from a lost smart card. However, in our protocol, the attacker and any malicious user $U_k$ cannot compute $P_{ij} = E_i \oplus h(h(y) \| N_{i1} \| SID_j)$, $CID_i = A_i \oplus h(B_i \| F_i \| N_{i1})$, $G_i = h(B_i \| A_i \| N_{i1})$, since he/she lacks knowledge of $A_i$, $B_i$, $E_i$, so he/she cannot impersonate the legitimate user $U_i$. In addition, even if the adversary or a malicious user has obtained the smart card of the user $U_i$ and extracts the parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$ stored in the smart card by some means, he/she cannot use the parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$ to compute $A_i$, $B_i$, since he/she has no way to get the valid $ID_i$, $P_i$ and the master secret key $x$, all of which are protected by the one-way hash function, and so he/she cannot forge a valid login request message $(F_i, G_i, P_{ij}, CID_i)$. Therefore, the proposed protocol is secure against the impersonation attack; also, since the attacker cannot get the valid $ID_i$, $P_i$, the proposed protocol can resist the denial of service attack.

5.3. Stolen smart card attack

We assume that the user $U_i$'s smart card has been lost or stolen, so that the attacker can breach the information $(C_i, D_i, E_i, h(\cdot), h(y), b)$ stored in the smart card. Since $x$ and $y$ are unknown to the attacker, he/she cannot guess $ID_i$ and $P_i$ from the breached information. So the attacker cannot derive or update the user $U_i$'s password. In addition, he/she cannot compute $A_i$, $B_i$ and cannot perform the impersonation attack using the lost or stolen smart card. Therefore, the protocol can resist the stolen smart card attack.

5.4. Leak-of-verifier attack

In Sood et al.'s protocol, if the verifier information stored in the CS is stolen by a malicious privileged user $U_k$, he/she can not only calculate the master secret key $x$ and the secret random number $y_i$, but also perform an impersonation attack. Our proposed protocol addresses this specific attack. In our proposed protocol, no verifier information at all is stored on the control server CS side, so even a malicious privileged user cannot get any useful information from the CS and cannot impersonate a legal user to log in to the system. On the service providing server side, if a malicious privileged user has access to the memory of the server $S_k$ and gets the information $h(SID_k \| y)$ and $h(x \| y)$, then since the identity $SID_k$ of $S_k$ is protected by the one-way hash function, he/she cannot tell which $SID$ corresponds to $h(SID_k \| y)$ and cannot forge a valid login message $(F_i, G_i, P_{ik}, CID_i, SID_k, K_i, M_i)$. Therefore, the malicious privileged user cannot impersonate a service providing server. Based on the above two points, we can say that our proposed protocol can resist the leak-of-verifier attack.
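The proposed protocol of Section 4 end to end (registration, login, and the authentication and session key agreement phase), as an added worked example that is not the authors' code. It assumes $h$ is SHA-256, realises concatenation as length-prefixed joining, uses 32-byte nonces so that every XOR is over hash-sized values, and uses the constructed names "alice" and "server-1"; the three parties finish with the same SK, and a wrong password is refused by the card before anything is sent.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(p1 || p2 || ...): SHA-256 over length-prefixed parts (assumed instantiation)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Exclusive-OR of two 32-byte values (every XOR-ed quantity here is hash-sized)."""
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))


class ControlServer:
    """CS keeps master secret x and secret y; it stores no per-user verifier."""
    def __init__(self):
        self.x, self.y = secrets.token_bytes(32), secrets.token_bytes(32)

    def register_server(self, sid: bytes):
        return h(sid, self.y), h(self.x, self.y)   # given to S_j over a secure channel

    def register_user(self, id_i: bytes, a_i: bytes):
        # Registration step 2: card parameters (C_i, D_i, E_i, h(y)); the user adds b.
        b_i = h(id_i, self.x)
        return (h(id_i, h(self.y), a_i), xor(b_i, h(id_i, a_i)),
                xor(b_i, h(self.y, self.x)), h(self.y))

    def authenticate(self, f_i, g_i, p_ij, cid_i, sid, k_i, m_i):
        n2 = xor(k_i, h(sid, self.y))                       # step 2: authenticate S_j
        if h(h(self.x, self.y), n2) != m_i:
            return None
        n1 = xor(f_i, h(self.y))                            # step 3: recover N_i1, B_i, A_i
        b_i = xor(xor(p_ij, h(h(self.y), n1, sid)), h(self.y, self.x))
        a_i = xor(cid_i, h(b_i, f_i, n1))
        if h(b_i, a_i, n1) != g_i:                          # authenticate U_i via G_i
            return None
        n3 = secrets.token_bytes(32)                        # step 4: mutual auth message
        n123 = xor(xor(n1, n2), n3)
        q_i = xor(xor(n1, n3), h(sid, n2))
        r_i = xor(h(a_i, b_i), h(n123))
        v_i = h(h(a_i, b_i), h(n123))
        t_i = xor(xor(n2, n3), h(a_i, b_i, n1))
        self.sk = h(h(a_i, b_i), n123)                      # CS's copy of SK
        return q_i, r_i, v_i, t_i


class ServiceServer:
    def __init__(self, sid: bytes, cs: ControlServer):
        self.sid, self.cs = sid, cs
        self.h_sid_y, self.h_xy = cs.register_server(sid)

    def handle_login(self, f_i, g_i, p_ij, cid_i):
        n2 = secrets.token_bytes(32)                        # auth step 1: K_i, M_i
        reply = self.cs.authenticate(f_i, g_i, p_ij, cid_i, self.sid,
                                     xor(self.h_sid_y, n2), h(self.h_xy, n2))
        if reply is None:
            return None
        q_i, r_i, v_i, t_i = reply
        n123 = xor(xor(q_i, h(self.sid, n2)), n2)           # step 5: N_i1 xor N_i3, then all three
        h_ab = xor(r_i, h(n123))                            # h(A_i || B_i)
        if h(h_ab, h(n123)) != v_i:                         # authenticate CS via V_i
            return None
        self.sk = h(h_ab, n123)
        return v_i, t_i


class SmartCard:
    def __init__(self, cs: ControlServer, id_i: bytes, pw: bytes):
        self.b = secrets.token_bytes(32)                    # registration steps 1 and 3
        self.c_i, self.d_i, self.e_i, self.h_y = cs.register_user(id_i, h(self.b, pw))

    def login(self, id_i: bytes, pw: bytes, server: ServiceServer):
        a_i = h(self.b, pw)                                 # login step 1: local check on C_i
        if h(id_i, self.h_y, a_i) != self.c_i:
            return None
        n1 = secrets.token_bytes(32)                        # login step 2: dynamic identity
        b_i = xor(self.d_i, h(id_i, a_i))
        f_i = xor(self.h_y, n1)
        p_ij = xor(self.e_i, h(self.h_y, n1, server.sid))
        cid_i = xor(a_i, h(b_i, f_i, n1))
        reply = server.handle_login(f_i, h(b_i, a_i, n1), p_ij, cid_i)
        if reply is None:
            return None
        v_i, t_i = reply
        n123 = xor(xor(t_i, h(a_i, b_i, n1)), n1)           # auth step 6: N_i2 xor N_i3, then all
        if h(h(a_i, b_i), h(n123)) != v_i:                  # authenticate CS and S_j via V_i
            return None
        return h(h(a_i, b_i), n123)                         # SK


def run_session(pw_entered: bytes = b"correct horse"):
    """Register 'alice' and 'server-1' (constructed sample names), run one login and
    return (user SK, server SK, CS SK), or None if any party aborts."""
    cs = ControlServer()
    server = ServiceServer(b"server-1", cs)
    card = SmartCard(cs, b"alice", b"correct horse")
    sk_user = card.login(b"alice", pw_entered, server)
    return None if sk_user is None else (sk_user, server.sk, cs.sk)
```

Note that neither CS nor $S_j$ ever handles $ID_i$ after registration; CS reconstructs $A_i$ and $B_i$ from the request alone, which is exactly what Section 3.3 finds missing in Sood et al.'s design.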

5.5. User’s anonymity In the registration phase, a secure channel between the user and the control sever CS is used for protect the user’s identity from disclosure. In the login phase of the proposed protocol, the user Ui submits the masked identity CIDi ¼ Ai  hðBi JF i JN i1 Þ as a substitute for the real identity IDi for its authentication to the service providing server Sj and the control server CS. The authentication and session key agreement of the proposed scheme is based on computation of the secret information Ai and Bi, but not on the real identity IDi. Furthermore, since the dynamic identity CIDi is different for each session when the user logins to the system, the attacker cannot distinguish different sessions corresponding to a certain user. From the above analysis, we can see that our proposed protocol can provide the user’s anonymity. 5.6. Proper mutual authentication and session key agreement As shown in Section 3.3, Sood et al.’s protocol cannot provide the correct mutual authentication and cannot agree on a shared session key since there is no way for the server Sk and the control server CS to know the real identity of the user Ui, but the control server CS computes the verification messages using Ui’s real identity IDi. In the authentication and session key agreement phase of the proposed protocol, the CS authenticates the server Sj by checks M 0i ¼ ? hðhðxJyÞJN i2 Þ ¼ M i , and authenticates the user Ui by checks ? 0 Gi ¼ hðBi JAiJN i1 Þ ¼ Gi . It is different from Sood et al.’s protocol, the control server CS computes the authentication messages by Ai, Bi which are computed by the received login request message. For the purpose of mutual authentication, the server Sj authenticates the ? control server CS by checks V 0i ¼ hðhðAi JBi ÞJhðN i1  N i3  Ni2 ÞÞ ¼ V i , and the user authenticates the control server CS and the server Sj by ? checks V 0i ¼ hðhðAi JBi ÞJhðN i2  Ni3  N i1 ÞÞ ¼ V i . 
Finally, the user $U_i$, the server $S_j$ and the control server CS agree on the shared session key $SK = h(h(A_i \| B_i) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))$. Therefore, the proposed protocol provides proper mutual authentication and session key agreement.

5.7. Performance and functionality analysis

In this section, we evaluate the performance and functionality of the proposed protocol and compare it with related dynamic ID based multi-server authentication protocols. To analyze computational complexity, we denote by $T_h$ the time of one hash function evaluation. Because the exclusive-OR operation requires very little computation, its cost is usually considered negligible. Table 2 compares the performance of the proposed protocol with the related protocols. We count only the computations of the login phase and of the authentication and session key agreement phase, since these two phases are the principal parts of an authentication protocol and are executed in every session. Table 2 shows that the proposed protocol has almost the same computation cost as Sood et al.'s protocol and the Hsiang–Shih protocol; the few additional hash operations are the price of the added security and functionality properties. Table 3 compares the functionality of the proposed protocol with the related protocols and shows that it offers all of the listed features and is more secure than the related protocols.

Table 2
Performance comparisons of our protocol and other related protocols.

Protocols                 Login phase   Verification phase   Total
Proposed protocol         7T_h          21T_h                28T_h
Sood et al. (2011)        7T_h          18T_h                25T_h
Hsiang and Shih (2009)    7T_h          17T_h                24T_h
Liao and Wang (2009)      6T_h          9T_h                 15T_h

Table 3
Functionality comparisons of our protocol and other related protocols.

Functionalities                    Proposed protocol   Sood et al. (2011)   Liao and Wang (2009)   Hsiang and Shih (2009)
User's anonymity                   Yes                 Yes                  Yes                    Yes
Computation cost                   Low                 Low                  Low                    Low
Single registration                Yes                 Yes                  Yes                    Yes
No time synchronization            Yes                 Yes                  Yes                    Yes
Resist replay attack               Yes                 Yes                  No                     No
Resist impersonation attack        Yes                 No                   No                     No
Resist leak-of-verifier attack     Yes                 No                   Yes                    Yes
Resist stolen smart card attack    Yes                 No                   No                     No
Correct password update            Yes                 Yes                  No                     Yes
Correct mutual authentication      Yes                 No                   Yes                    Yes
Correct session key agreement      Yes                 No                   Yes                    Yes

6. Conclusions

In this paper, we have shown that Sood et al.'s dynamic ID based multi-server architecture authentication protocol is vulnerable to the leak-of-verifier attack and the stolen smart card attack. Furthermore, it cannot provide correct mutual authentication and session key agreement, since the server $S_k$ and the control server CS have no way to learn the real identity of the user $U_i$. We then proposed an efficient protocol with user anonymity that remedies these weaknesses, and demonstrated that it satisfies all the essential requirements of multi-server architecture authentication. Compared with Sood et al.'s (2011) protocol and other related protocols, the proposed protocol retains their efficiency while being more secure, and is therefore better suited to practical applications.

Acknowledgments

The authors are grateful to the editor and anonymous reviewers for their valuable suggestions, which improved the paper. This work was supported by the Fundamental Research Funds for the Central Universities under Grant No. 2011RC0504, and by the National Basic Research Program of China (973 Program) under Grant No. 2009CB320504.

References

Chang C-C, Lee J-S. An efficient and secure multi-server password authentication scheme using smart cards. In: Proceedings of the third international conference on cyberworlds, November 2004; 2004. p. 417–22.
ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985;31(4):469–72.
Fan C-I, Chan Y-C, Zhang Z-K. Robust remote authentication scheme with smart cards. Computers & Security 2005;24(8):619–28.
Hsiang H-C, Shih W-K. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009;31(6):1118–23.
Hwang M-S, Chong S-K, Chen T-Y. DoS-resistant ID-based password authentication scheme using smart cards. Journal of Systems and Software 2010;83(1):163–72.
Hwang M-S, Li L-H. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2000;46(1):28–30.
Juang W-S. Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics 2004;50(1):251–5.
Lamport L. Password authentication with insecure communication. Communications of the ACM 1981;24(11):770–2.
Lee S-W, Kim H-S, Yoo K-Y. Efficient nonce-based remote user authentication scheme using smart cards. Applied Mathematics and Computation 2005;167(1):355–61.
Li C-T, Hwang M-S. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications 2010;33(1):1–5.
Li L-H, Lin L-C, Hwang M-S. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Networks 2001;12(6):1498–504.
Li X, Niu J-W, Ma J, Wang W-D, Liu C-L. Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. Journal of Network and Computer Applications 2011;34(1):73–9.
Liao Y-P, Wang S-S. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009;31(1):24–9.
Liu J-Y, Zhou A-M, Gao M-X. A new mutual authentication scheme based on nonce and smart cards. Computer Communications 2008;31(10):2205–9.
Song R-G. Advanced smart card based password authentication protocol. Computer Standards & Interfaces 2010;32(5-6):321–5.
Sood S-K, Sarje A-K, Singh K. A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications 2011;34(2):609–18.
Tsai J-L. Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security 2008;27(3-4):115–21.
Tsaur W-J, Wu C-C, Lee W-B. A smart card-based remote scheme for password authentication in multi-server Internet services. Computer Standards & Interfaces 2004;27(1):39–51.