Authentication Protocols For Multi-server Environment Research Articles

A password less authentication protocol for multi-server environment using physical unclonable function

A password less authentication protocol for multi-server environment using physical unclonable function

An Enhanced Authentication Protocol for Multi-server Environment Using Password and Smart Card

In the past two decades, numerous two-factor authentication protocols have been proposed for the multi-server environment using a smart card and password. Sahoo et al. recently proposed an authentication protocol for the multi-server environments. Our cryptanalysis shows that the Sahoo et al. scheme is susceptible to several attacks such as offline password guessing, spoofing, replay and smart-card-lost. Also their scheme does not provide two-factor security truly. We propose a new secure, mutually authenticated key-sharing protocol for the multi-server environment to overcome the security flaws in their scheme. We formally prove the secure authentication of the proposed scheme using Burrows–Abadi–Needham logic and simulate various attacks through the automated validation of internet security protocols and applications tool. Additionally, we provide an informal security analysis to show the security and functionality features of the proposed scheme. Moreover, the security and performance comparison results shows that the proposed scheme offers better security and performance.

A secure three factor-based fully anonymous user authentication protocol for multi-server environment

A single sign-on authentication scheme is required protocol in multi-server environment. Recently, an authentication protocol based on Lagrange interpolation polynomial to satisfy multi-server environment with low computational and communication cost is proposed. In this paper, we have analysed the above scheme and show that their scheme is vulnerable to various attacks like insider attack, server impersonation attack, user impersonation attack and stolen smart card attack. We also show that their scheme fails to provide server anonymity, user revocation in case smart card is lost/stolen or users authentication parameters are revealed. We have also proposed enhanced multi-server authentication protocol using biometric-based smart card and Lagrange interpolation which is more secure. The proposed protocol is analysed using BAN logic to show that the proposed protocol provides secure authentication. In addition, we have simulated our scheme using widely accepted and used AVISPA tool to prove that our scheme is secure against passive and active attacks. The proposed protocol provides high security and anonymity along with low communication and computational cost and various security functions.

A secure three factor-based fully anonymous user authentication protocol for multi-server environment

A single sign-on authentication scheme is required protocol in multi-server environment. Recently, an authentication protocol based on Lagrange interpolation polynomial to satisfy multi-server environment with low computational and communication cost is proposed. In this paper, we have analysed the above scheme and show that their scheme is vulnerable to various attacks like insider attack, server impersonation attack, user impersonation attack and stolen smart card attack. We also show that their scheme fails to provide server anonymity, user revocation in case smart card is lost/stolen or users authentication parameters are revealed. We have also proposed enhanced multi-server authentication protocol using biometric-based smart card and Lagrange interpolation which is more secure. The proposed protocol is analysed using BAN logic to show that the proposed protocol provides secure authentication. In addition, we have simulated our scheme using widely accepted and used AVISPA tool to prove that our scheme is secure against passive and active attacks. The proposed protocol provides high security and anonymity along with low communication and computational cost and various security functions.

A new three-factor authentication and key agreement protocol for multi-server environment

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.

A Novel Multiserver Authentication Protocol with Multifactors for Cloud Service

Secure and efficient authentication protocols are necessary for cloud service. Multifactor authentication protocols taking advantage of smart card, user’s password, and biometric, are more secure than password-based single-factor authentication protocols which are widely used in practice. However, most of the multiserver authentication protocols may have weak points, such as smart card loss attack, man-in-the-middle attack, anonymity, and high computation cost of authentication center. In order to overcome the above weaknesses, we propose a novel multiserver multifactor authentication protocol based on the Kerberos protocol using the extended Chebyshev chaotic mapping as a cryptographic algorithm. The proposed protocol achieves anonymity without sharing secret keys in advance and needs the user to register with the authentication center only once. Finally, we prove the security of the new protocol with BAN logic and compare it with other multifactor authentication protocols for multiserver environment. The results show that our proposed protocol is more secure and efficient and better for practical application.

Cryptanalysis and Improvement of Chandrakar and Om’s Remote User Authentication Protocol for the Multiserver Environment

Recently, Amin and Biswas proposed a bilinear pairing-based remoter user authentication protocol for multiserver environment, claiming it to be secure under various attacks. However, Chandrakar and Om found that the protocol suffers from an identity guessing attack, a password guessing attack, a user-server impersonation attack and so forth. To erase these weaknesses in Amin and Biswas’s protocol, they later proposed an enhanced ECC-based remoter user authentication protocol. Unfortunately, in this paper, we demonstrate that Chandrakar and Om’s protocol is still vulnerable to a user impersonation attack and cannot provide perfect forward secrecy. To solve the drawbacks, we suggest some simple but effective modification.

An efficient and secure 3‐factor user‐authentication protocol for multiserver environment

SummaryIn the last decade, the number of web‐based applications is increasing rapidly, which leads to high demand for user authentication protocol for multiserver environment. Many user‐authentication protocols have been proposed for different applications. Unfortunately, most of them either have some security weaknesses or suffer from unsatisfactory performance. Recently, Ali and Pal proposed a three‐factor user‐authentication protocol for multiserver environment. They claimed that their protocol can provide mutual authentication and is secure against many kinds of attacks. However, we find that Ali and Pal's protocol cannot provide user anonymity and is vulnerable to 4 kinds of attacks. To enhance security, we propose a new user‐authentication protocol for multiserver environment. Then, we provide a formal security analysis and a security discussion, which indicate our protocol is provably secure and can withstand various attacks. Besides, we present a performance analysis to show that our protocol is efficient and practical for real industrial environment.

Design of Mutually Authenticated Key Agreement Protocol Resistant to Impersonation Attacks for Multi-Server Environment

Three-factor mutually authenticated key agreement protocols for multi-server environments have gained momentum in recent times due to advancements in wireless technologies and associated constraints. Several authors have put forward various authentication protocols for multi-server environment during the past decade. Wang et al. recently proposed a biometric-based authentication with key agreement protocol for multi-server environment and claimed that their protocol is efficient and resistant to prominent security attacks. The careful investigation of this paper shows that Wang et al. protocol’s users are sharing personal identifiable information with the application servers during the registration and authentication process. This nature of disclosing credentials leads to severe threats particularly insider attacks, user impersonation attacks, and server impersonation attacks. As a remedy of the aforementioned problems, this paper proposes a novel biometric-based mutually authenticated key agreement protocols for multi-server architecture based on elliptic curve cryptography. We prove that the proposed protocol achieves secure mutual authentication property using the broadly used Burrows–Abadi–Needham logic. The formal security of the proposed protocol is verified using the widely accepted automated validation of Internet security protocols and applications tool to show that our protocol can withstand active and passive attacks including the replay and man-in-the-middle attacks. The proposed protocol is robust and efficient compared with the existing related protocols.

Remote three-factor authentication protocol with strong robustness for multi-server environment

If a user wants to acquire different network services from various application servers in a traditional single server environment, the user must register these servers separately and remember different usernames and passwords for different servers. To solve these problems, a lot of authentication schemes for multi-server environment have been proposed. Recently, Odelu and Das et al. proposed a secure multi-server authentication protocol based on smart card, biometric and elliptic curve cryptography (ECC). We firstly analyze Odelu et al.'s scheme and find some flaws as follows: 1) the scheme may suffer Denial of Service (Dos) attack and insider attack; 2) The scheme doesn't have strong robustness because improper work of the register center (RC) may lead to the collapse of the whole system; 3) There are some design flaws in this scheme. For example, the user cannot choose his/her identity randomly and the register center needs to maintain a data table. In order to solve these problems, this paper proposes a new secure three-factor authentication protocol for multi-server environment based on Chebyshev chaotic map and secure sketch algorithm. To verify the security of the proposed scheme, we simulate our scheme using BAN logic and ProVerif tool. Through a thorough analysis, we can see that the proposed scheme not only has stronger security but also has less computation cost than Odelu et al.'s protocol.

Cryptanalysis and Extended Three-Factor Remote User Authentication Scheme in Multi-Server Environment

Recently, Wen et al. have developed three-factor authentication protocol for multi-server environment, claiming it to be resistant to several kinds of attacks. In this paper, we review Wen et al.’s protocol and find that it does not fortify against many security vulnerabilities: (1) inaccurate password change phase, (2) failure to achieve forward secrecy, (3) improper authentication, (4) known session-specific temporary information vulnerability and (5) lack of smart card revocation and biometric update phase. To get rid of these security weaknesses, we present a safe and reliable three-factor authentication scheme usable in multi-server environment. The Burrows–Abadi–Needham logic shows that our scheme is accurate, and the formal and informal security verifications show that it can defend against various spiteful threats. Further, we simulate our scheme using the broadly known Automated Validation of Internet Security Protocols and Applications tool, which ensures that it is safe from the active and passive attacks and also prevent the replay and man-in-the-middle attacks. The performance evaluation shows that the presented protocol gives strong security as well as better complexity in the terms of communication cost, computation cost and estimated time.

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.'s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.'s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.'s protocol is still susceptible to the trace attack. Besides, Liao et al.'s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.

Weaknesses of a Dynamic ID Based Remote User Authentication Protocol for Multi-Server Environment

Currently, smart card based remote user authentication schemes have been widely adopted due to their low cost and convenient portability. With the purpose of using various different internet services with single registration and to protect the users from being tracked, various dynamic ID based multi-server authentication protocols have been proposed. Recently, Li et al. proposed an efficient and secure dynamic ID based authentication protocol using smart cards. They claimed that their protocol provides strong security. In this paper, we have demonstrated that Li et al.’s protocol is vulnerable to replay attack, denial of service attack, smart card lost attack, eavesdropping attack and server spoofing attacks.

A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients

With the widespread promotion in e-commerce, the number of service servers providing Internet applications to the users is usually more than one and hence secure authentication protocols for multi-server environment are required. On the other hand, people may obtain their service by using the mobile devices in ubiquitous computing environment. Considering the mobile devices with limited energy resources and computing capability, the design of the secure authentication scheme suitable for mobile clients is a nontrivial challenge. In 2008, Tseng et al. proposed a pairing-based user authentication scheme for mobile clients with limited computing capability. They claimed that their scheme can be well applied to the remote user authentication scheme for multi-server environment. However, Tseng et al.’s scheme cannot provide mutual authentication and session key agreement. In this paper, we will show that Tseng et al.’s scheme cannot withstand an insider attack, offline dictionary attack and malicious server attack. Hence, we present a novel pairing-based remote user authentication for multi-server environment. The proposed scheme first provides a more secure key distribution based on self-certified public keys (SCPKs) among the service servers. The proposed scheme can achieve mutual authentication and session key agreement. To withstand an offline dictionary attack due to mobile devices security breach, the proposed scheme enhances the password change phase with the help of the registration server. Security analysis shows that our scheme can withstand various possible attacks resulting from the multi-server environment. Performance analysis and function comparisons demonstrate that the proposed scheme is well suited for mobile clients.

Dynamic Identity Based Authentication Protocol for Two-Server Architecture

Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses two-server paradigm by imposing different levels of trust upon the two servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The proposed protocol is practical and computational efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.

A secure dynamic identity based authentication protocol for multi-server architecture

Most of the password based authentication protocols rely on single authentication server for the user's authentication. User's verification information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. In 2009, Hsiang and Shih improved Liao and Wang's dynamic identity based smart card authentication protocol for multi-server environment. However, we found that Hsiang and Shih's protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang and Shih's protocol is incorrect. This paper presents a secure dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned security flaws, while keeping the merits of Hsiang and Shih's protocol. It uses two-server paradigm in which different levels of trust are assigned to the servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The service provider server is more exposed to the clients than the control server. The back-end control server is not directly accessible to the clients and thus it is less likely to be attacked. The user's smart card uses stored information in it and random nonce value to generate dynamic identity. The proposed protocol is practical and computationally efficient because only nonce, one-way hash functions and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.

A secure dynamic ID based remote user authentication scheme for multi-server environment

Since the number of server providing the facilities for the user is usually more than one, the authentication protocols for multi-server environment are required for practical applications. Most of password authentication schemes for multi-server environment are based on static ID, so the adversary can use this information to trace and identify the user's requests. It is unfavorable to be applied to special applications, such as e-commerce. In this paper, we develop a secure dynamic ID based remote user authentication scheme to achieve user's anonymity. The proposed scheme only uses hashing functions to implement a robust authentication scheme for the multi-server environment. It provides a secure method to update password without the help of third trusted party. The proposed scheme does not only satisfy all requirements for multi-server environment but also achieve efficient computation. Besides, our scheme provides complete functionality to suit with the real applications.