Abstract
Many dynamic-ID remote user authentication schemes using smart cards have recently been proposed to improve the security of multi-server authentication systems. In 2017, Kumari and Om proposed an anonymous multi-server authenticated key agreement scheme that was claimed to resist a range of network attacks. In this paper we reanalyze the security of their scheme and show that it is vulnerable to a user impersonation attack and a server spoofing attack, both launched by an adversary who knows none of the victim user's secret information. In addition, their protocol fails to provide the claimed user privacy protection. To address these shortcomings, we introduce a new biometric-based authentication scheme for multi-server architectures that preserves user anonymity. A Burrows-Abadi-Needham (BAN) logic proof demonstrates the completeness of the scheme, and a discussion of possible attacks demonstrates its security. Finally, a comparison of security properties and performance against several related protocols shows that our proposal provides stronger security without sacrificing efficiency.
Highlights
In a multi-server authentication system, the registration center, the service-providing servers and the users are the principal participants.
In 2009, Liao and Wang [13] proposed a remote user authentication scheme for multi-server architectures that preserves user anonymity in order to eliminate the risk of ID theft.
In 1999, Juels and Wattenberg introduced the notion of a fuzzy extractor, which verifies the legitimacy of a user from a noisy biometric template.
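The highlight above says that a fuzzy extractor verifies a user from a biometric template without storing the template itself. The following is an added illustration of that idea and is not code from the paper or from the authors' scheme: it implements the textbook code-offset construction (a random codeword of a repetition code XORed with the biometric string, plus a keyed hash as the extractor), using a constructed 80-bit "template" so that it runs offline. The repetition factor, the HMAC-based extractor and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

R = 5          # repetition factor: each block of R bits carries one codeword bit
K = 16         # number of codeword bits, so the template is N = K * R = 80 bits
N = K * R

# Each R-bit block tolerates up to (R - 1) // 2 flipped bits, i.e. 2 for R = 5.
MAX_ERRORS_PER_BLOCK = (R - 1) // 2


def _encode(msg_bits):
    """Repetition code: repeat every message bit R times."""
    return [b for b in msg_bits for _ in range(R)]


def _decode(word):
    """Majority vote per R-bit block; recovers the message if each block has
    at most MAX_ERRORS_PER_BLOCK flipped bits."""
    return [1 if sum(word[i:i + R]) > R // 2 else 0 for i in range(0, len(word), R)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(seed, bits):
    """Strong extractor stand-in (assumption): HMAC-SHA256 keyed with a public seed."""
    return hmac.new(seed, bytes(bits), "sha256").hexdigest()


def gen(w):
    """Gen(w) -> (key, helper). The helper (sketch, seed) is public; it hides w
    behind a uniformly random codeword, so it does not reveal the template."""
    assert len(w) == N
    codeword = _encode([secrets.randbits(1) for _ in range(K)])
    sketch = _xor(w, codeword)          # code-offset secure sketch
    seed = secrets.token_bytes(16)
    return _extract(seed, w), (sketch, seed)


def rep(w_prime, helper):
    """Rep(w', helper) -> key. Succeeds if w' is within the error tolerance of w."""
    sketch, seed = helper
    noisy_codeword = _xor(w_prime, sketch)          # = codeword XOR (w XOR w')
    codeword = _encode(_decode(noisy_codeword))     # error-correct the codeword
    w = _xor(codeword, sketch)                      # recover the enrolled template
    return _extract(seed, w)


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def constructed_template():
    """Constructed stand-in for a biometric feature vector: the first N bits of a
    fixed SHA-256 digest. Real deployments derive this from a sensor reading."""
    digest = hashlib.sha256(b"constructed demo template").digest()
    return [(byte >> j) & 1 for byte in digest for j in range(8)][:N]


def demo():
    """Enroll once, then authenticate with a slightly noisy and a too-noisy reading."""
    w = constructed_template()
    key, helper = gen(w)
    # Flips in blocks 0, 1, 2 and 8; no block exceeds two errors -> key recovered.
    within_tolerance = rep(flip(w, [0, 1, 7, 12, 40]), helper) == key
    # Three flips inside block 0 exceed the tolerance -> wrong key.
    beyond_tolerance = rep(flip(w, [0, 1, 2]), helper) == key
    return within_tolerance, beyond_tolerance


if __name__ == "__main__":
    print(demo())
```

Only the helper data and the derived key (or a hash of it) would be stored server-side; the template itself never leaves the client. Note that a repetition code is chosen here for readability, not strength: its rate is poor, and a production design would use a BCH or similar code with an error tolerance matched to the biometric modality's intra-user variability.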
Summary
In a multi-server authentication system, the registration center, the service-providing servers and the users are the principal participants. Compared with a conventional two-party authentication system, a multi-server system requires a user to register only once and then allows that user to access services from multiple servers. Many dynamic-ID authentication schemes have been published to strengthen security properties and to reduce communication and computation costs [2,3,4,5,6,7,8,9,10,11,12]. However, these schemes are designed for single-server architectures and are not suitable for a multi-server environment. In 2009, Liao and Wang [13] proposed a remote user authentication scheme for multi-server architectures that preserves user anonymity in order to eliminate the risk of ID theft. Their scheme was later shown to be susceptible to insider attacks and masquerade attacks, and to fail to provide mutual authentication.