Dynamic Identity Based Authentication Protocol for Two-Server Architecture
Author(s)
Sandeep K. Sood*
Affiliation(s)
Department of Computer Science & Engineering, Regional Campus Gurdaspur, Gurdaspur, India.
Department of Computer Science & Engineering, Regional Campus Gurdaspur, Gurdaspur, India.
ABSTRACT
Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses two-server paradigm by imposing different levels of trust upon the two servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The proposed protocol is practical and computational efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.
Most of the password based authentication protocols make use of the single authentication server for user's authentication. User's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses two-server paradigm by imposing different levels of trust upon the two servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The proposed protocol is practical and computational efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.
Cite this paper
S. K. Sood, "Dynamic Identity Based Authentication Protocol for Two-Server Architecture," Journal of Information Security, Vol. 3 No. 4, 2012, pp. 326-334. doi: 10.4236/jis.2012.34040.
S. K. Sood, "Dynamic Identity Based Authentication Protocol for Two-Server Architecture," Journal of Information Security, Vol. 3 No. 4, 2012, pp. 326-334. doi: 10.4236/jis.2012.34040.
References
[1] W. Ford and B. S. Kaliski, “Server-Assisted Generation of a Strong Secret from a Password,” Proceedings of IEEE 9th International Workshop Enabling Technologies, June 2000, pp. 176-180. [2] D. P. Jablon, “Password Authentication Using Multiple Servers,” Proceedings of RSA Security Conference, April 2001, pp. 344-360. [3] I. C. Lin, M. S. Hwang and L. H. Li, “A New Remote User Authentication Scheme for Multi-Server Architecture,” Future Generation Computer System, Vol. 19, No. 1, 2003, pp. 13-22. [4] W. S. Juang, “Efficient Multi-Server Password Authenticated Key Agreement using Smart Cards,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, 2004, pp. 251-255. [5] C. C. Chang and J. S. Lee, “An Efficient and Secure Multi-Server Password Authentication Scheme Using Smart Cards,” Proceedings of International Conference on Cyber Worlds, November 2004, pp. 417-422. [6] L. Hu, X. Niu and Y. Yang, “An Efficient Multi-Server Password Authenticated Key Agreement Scheme Using Smart Cards,” Proceedings of International Conference on Multimedia and Ubiquitous Engineering (MUE’07), April 2007, pp. 903-907. [7] Y. Yang, R. H. Deng and F. Bao, “A Practical Password-Based Two-Server Authentication and Key Exchange System,” IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 2, 2006, pp. 105-114. [8] J. L. Tsai, “Efficient Multi-Server Authentication Scheme Based on One-Way Hash Function without Verification Table,” Computers & Security, Vol. 27, No. 3-4, 2008, pp. 115-121. [9] Y. P. Liao and S. S. Wang, “A Secure Dynamic ID-Based Remote User Authentication Scheme for Multi-Server Environment,” Computer Standards & Interface, Vol. 31, No. 1, 2009, pp. 24-29. [10] H. C. Hsiang and W. K. Shih, “Improvement of the Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment,” Computer Standards & Interface, Vol. 31, No. 6, 2009, pp. 1118-1123. [11] S. K. Sood, A. K. Sarje and K. Singh, “A Secure Dynamic Identity Based Authentication Protocol for Multi-Server Architecture,” Journal of Network and Computer Applications, Vol. 34, No. 2, 2011, pp. 609-618. [12] P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Proceedings of CRYPTO 99, Springer-Verlag, August 1999, pp. 388-397. [13] T. S. Messerges, E. A. Dabbish and R. H. Sloan, “Examining Smart-Card Security under the Threat of Power Analysis Attacks,” IEEE Transactions on Computers, Vol. 51, No. 5, 2002, pp. 541-552.
[1] W. Ford and B. S. Kaliski, “Server-Assisted Generation of a Strong Secret from a Password,” Proceedings of IEEE 9th International Workshop Enabling Technologies, June 2000, pp. 176-180. [2] D. P. Jablon, “Password Authentication Using Multiple Servers,” Proceedings of RSA Security Conference, April 2001, pp. 344-360. [3] I. C. Lin, M. S. Hwang and L. H. Li, “A New Remote User Authentication Scheme for Multi-Server Architecture,” Future Generation Computer System, Vol. 19, No. 1, 2003, pp. 13-22. [4] W. S. Juang, “Efficient Multi-Server Password Authenticated Key Agreement using Smart Cards,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, 2004, pp. 251-255. [5] C. C. Chang and J. S. Lee, “An Efficient and Secure Multi-Server Password Authentication Scheme Using Smart Cards,” Proceedings of International Conference on Cyber Worlds, November 2004, pp. 417-422. [6] L. Hu, X. Niu and Y. Yang, “An Efficient Multi-Server Password Authenticated Key Agreement Scheme Using Smart Cards,” Proceedings of International Conference on Multimedia and Ubiquitous Engineering (MUE’07), April 2007, pp. 903-907. [7] Y. Yang, R. H. Deng and F. Bao, “A Practical Password-Based Two-Server Authentication and Key Exchange System,” IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 2, 2006, pp. 105-114. [8] J. L. Tsai, “Efficient Multi-Server Authentication Scheme Based on One-Way Hash Function without Verification Table,” Computers & Security, Vol. 27, No. 3-4, 2008, pp. 115-121. [9] Y. P. Liao and S. S. Wang, “A Secure Dynamic ID-Based Remote User Authentication Scheme for Multi-Server Environment,” Computer Standards & Interface, Vol. 31, No. 1, 2009, pp. 24-29. [10] H. C. Hsiang and W. K. Shih, “Improvement of the Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment,” Computer Standards & Interface, Vol. 31, No. 6, 2009, pp. 1118-1123. [11] S. K. Sood, A. K. Sarje and K. Singh, “A Secure Dynamic Identity Based Authentication Protocol for Multi-Server Architecture,” Journal of Network and Computer Applications, Vol. 34, No. 2, 2011, pp. 609-618. [12] P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Proceedings of CRYPTO 99, Springer-Verlag, August 1999, pp. 388-397. [13] T. S. Messerges, E. A. Dabbish and R. H. Sloan, “Examining Smart-Card Security under the Threat of Power Analysis Attacks,” IEEE Transactions on Computers, Vol. 51, No. 5, 2002, pp. 541-552.