Cryptanalysis and improvement of a Multi-server Authentication protocol by Lu et al.

  • Irshad, Azeem (Department of Computer Science & Software Engineering, International Islamic University) ;
  • Sher, Muhammad (Department of Computer Science & Software Engineering, International Islamic University) ;
  • Alzahrani, Bander A. (Faculty of Computing & Information Technology, King Abdulaziz University) ;
  • Albeshri, Aiiad (Faculty of Computing & Information Technology, King Abdulaziz University) ;
  • Chaudhry, Shehzad Ashraf (Department of Computer Science & Software Engineering, International Islamic University) ;
  • Kumari, Saru (Chaudhary Charan Singh University)
  • Received : 2016.11.21
  • Accepted : 2017.11.02
  • Published : 2018.01.31

Abstract

The growing number of subscribers and the demand for a multiplicity of services have made Multi-Server Authentication (MSA) an integral part of the remote authentication paradigm. MSA not only offers an efficient way to register users by engaging a trusted third party (the Registration Centre), but also a cost-effective architecture for subsequent service procurement. Recently, Lu et al. demonstrated that Mishra et al.'s scheme is vulnerable to perfect forward secrecy compromise, server masquerading, and forgery attacks, and presented a better scheme. However, we discovered that Lu et al.'s scheme is still susceptible to a malicious insider attack and does not provide perfect forward secrecy. This study presents a critical review of Lu et al.'s scheme and then proposes a secure multi-server authentication scheme. The security properties of the contributed work are validated with the automated ProVerif tool and proved under formal security analysis.

Cited by

  1. Performance analysis of NTRU algorithm with non-post-quantum algorithms vol.24, pp.5, 2021, https://doi.org/10.1080/09720529.2021.1932926
  2. Authentication in opportunistic networks: State and art vol.24, pp.6, 2018, https://doi.org/10.1080/09720529.2021.1873254