Security Weaknesses of Two Dynamic ID-based
User Authentication and Key Agreement Schemes
for Multi-server Environment
Yun-Hsin Chuang
Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan
Yuh-Min Tseng
Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan
Abstract― A remote user authentication scheme for a multi-server environment provides mutual authentication and session key establishment between users and multiple servers. Recently, two dynamic ID-based remote user authentication schemes for the multi-server environment were proposed. In this article, we analyze the security of both schemes. One scheme was proposed by Geng and Zhang, and we show that it suffers from a user-spoofing attack. The other scheme was proposed by Hsiang and Shih in 2009. We show that Hsiang and Shih’s scheme is vulnerable to an insider attack and a server-spoofing attack.
Index Terms― security, user authentication, key agreement, multi-server, anonymous.
I. INTRODUCTION
With the popularity of the Internet, more and more applications are built on the multi-server environment, in which users may access multiple servers remotely. In this multi-server environment, the system often consists of many different servers around the world, which provide services or resources to be accessed over open communication networks. For providing mutual authentication between users and servers, there are three kinds of approaches: password-based, public-key based and ID-based authentications.
Traditional remote user authentication is only suitable for solving the privacy and security problems in the single server architecture. The issue of remote login authentication for the single server environment has already been solved by a variety of schemes [3, 6, 9, 15]. If the traditional remote user authentication schemes are applied to the multi-server environment, each user must register and remember many credentials for multiple servers. Therefore, a secure remote user authentication scheme for the multi-server environment is needed to solve this problem. Several schemes [1, 2, 7, 11, 14] have been presented to study accessing the resources securely in the multi-server environment.
In some situations, users want to access the resources of the service providers anonymously. Several schemes [8, 10, 12] have been proposed to solve this issue. These schemes use dynamic IDs to log in to the service providers to achieve user anonymity. However, these schemes are only suitable for the single server environment. Recently, developing a dynamic ID-based user authentication scheme for the multi-server environment has become a new research issue. In 2008, Geng and Zhang [4] proposed a dynamic ID-based user authentication and key agreement scheme for the multi-server environment using bilinear pairings. In 2009, Liao and Wang [13] also proposed a dynamic ID-based user authentication scheme for the multi-server environment. Later on, Hsiang and Shih showed that Liao and Wang’s scheme is vulnerable to insider attack, masquerade attack, server-spoofing attack, and registration center spoofing attack. Meanwhile, Hsiang and Shih [5] also proposed an improvement on the Liao-Wang scheme to remedy these attacks.
In this paper, unfortunately, we will demonstrate the security weaknesses of two recently proposed schemes. We show that Hsiang and Shih’s scheme [5] is vulnerable to an insider attack and a server-spoofing attack. For Geng and Zhang’s scheme [4], we will show that their scheme suffers from a user-spoofing attack. The remainder of this paper is organized as follows. We review and show the security weaknesses of the Hsiang-Shih and the Geng-Zhang schemes in Section 2 and 3, respectively. Section 4 draws our conclusion and future work.
II. ANALYSIS OF HSIANG AND SHIH’S SCHEME
In this section, we briefly review Hsiang and Shih’s scheme and show its security weaknesses.
A. Review of Hsiang and Shih’s scheme
Without loss of generality, suppose that the multi-server system consists of one registration center (RC), m users and n service providers. The notations used in this scheme are summarized as follows:
• h( ): a one-way hash function.
• Sj: the j-th server.
• Ui: the i-th user.
• IDi: the identity of Ui.
• PWi: the password of Ui.
• RC: the registration center.
• r, x, y: the secret keys of RC.
• SIDj: the identity of Sj.
• ⊕: the exclusive-or operation.
• ||: the concatenation operation.
The registration center RC knows a master secret key x and two secret numbers r and y. For each service provider, say Sj, the registration center RC uses SIDj to compute a shared secret key h(SIDj||y) between RC and Sj, and then sends h(SIDj||y) to the service provider Sj via a secure channel. Hsiang and Shih’s scheme mainly consists of three phases: the registration phase, the login phase, as well as the mutual authentication and key agreement phase. We briefly review these phases as follows:
[Registration phase]
1. Ui selects a password PWi and a random number b. Then, Ui computes h(b⊕PWi) and sends IDi and h(b⊕PWi) to RC through a secure channel.
2. RC computes (Ti, Vi, Ai, Bi, Ri, Hi), where Ti=h(IDi||x), Vi=Ti⊕h(IDi||h(b⊕PWi)), Ai=h(h(b⊕PWi)||r)⊕h(x⊕r), Bi=Ai⊕h(b⊕PWi), Ri=h(h(b⊕PWi)||r), and Hi=h(Ti). RC stores <Vi, Bi, Hi, Ri, h(·)> into a smart card and issues it to the user Ui via a secure channel.
Without loss of generality, assume that Ui wants to log in to the service provider Sj. The login phase as well as the mutual authentication and key agreement phase are depicted in Figure 1.
[Login phase]
In the login phase, Ui keys his/her IDi, PWi and the server identity SIDj into the smart card, and then the smart card performs the following steps.
1. The smart card computes Ti = Vi⊕h(IDi||h(b⊕PWi)) and Hi*=h(Ti), then the smart card checks whether Hi* is equal to Hi. If it holds, the legitimacy of the cardholder can be assured; otherwise the login request is rejected.
2. The smart card generates a nonce Ni and computes Ai=Bi⊕h(b⊕PWi), CIDi=h(b⊕PWi)⊕h(Ti||Ai||Ni), Pij=Ti⊕h(Ai||Ni||SIDj), Qi=h(Bi||Ai||Ni), Di=Ri⊕SIDj⊕Ni, and C0=h(Ai||Ni+1||SIDj). Then the smart card sends <CIDi, Pij, Qi, Di, C0, Ni> to the server Sj.
[Mutual authentication and key agreement phase]
Upon receiving the login request message <CIDi, Pij, Qi, Di, C0, Ni>, the service provider Sj authenticates the user Ui as follows.
1. Sj generates a nonce Njr and computes Mjr = h(SIDj||y)⊕Njr, and then sends the message <Mjr, SIDj, Di, C0, Ni> to the registration center RC.
2. Upon receiving <Mjr, SIDj, Di, C0, Ni>, RC computes Njr' = Mjr⊕h(SIDj||y), Ri' = Di⊕SIDj⊕Ni, and Ai' = Ri'⊕h(x⊕r). Then RC checks whether h(Ai'||Ni+1||SIDj) is equal to C0 or not. If it does not hold, RC rejects the request and terminates the session.
3. RC chooses Nrj∈R Zq* and computes (C1, C2), where C1 = h(Njr'||h(SIDj||y)||Nrj) and C2 = Ai⊕h(h(SIDj||y)||Njr'). Then RC sends <C1, C2, Nrj> to Sj.
4. Upon receiving the message <C1, C2, Nrj>, the server Sj checks whether h(Njr||h(SIDj||y)||Nrj) is equal to C1 or not. If it does not hold, the server Sj terminates the session.
5. The server Sj computes (Ai, Ti, h(b⊕PWi), Bi), where Ai = C2⊕h(h(SIDj||y)||Nrj), Ti = Pij⊕h(Ai||Ni||SIDj), h(b⊕PWi) = CIDi⊕h(Ti||Ai||Ni), and Bi = Ai⊕h(b⊕PWi). Sj checks whether Qi is equal to h(Bi||Ai||Ni) or not. If it does not hold, the server Sj rejects the login request and terminates the session.
[Figure 1: message flows among the user Ui, the server Sj and RC in the login phase and the mutual authentication and key agreement phase of Hsiang and Shih’s scheme]
6. The server Sj chooses Nj∈R Zq* and computes Mij' = h(Bi||Ni||Ai||SIDj). Sj sends <Mij', Nj> to the user Ui.
7. Upon receiving (Mij', Nj), Ui checks whether Mij' is equal to h(Bi||Ni||Ai||SIDj) or not. If it does not hold, Ui interrupts the connection.
8. Ui computes Mij'' = h(Bi||Nj||Ai||SIDj), and then sends it to the server Sj.
9. Upon receiving the message Mij'', the server Sj checks whether Mij'' is equal to h(Bi||Nj||Ai||SIDj) or not. If it holds, the legality of the user Ui can be assured.
After finishing the mutual authentication and key agreement phase, both the user Ui and the server Sj can compute the common session key SK = h(Bi||Ai||Ni||Nj||SIDj).
B. Attacks on Hsiang and Shih’s scheme
In this subsection, we demonstrate that Hsiang and Shih’s scheme is vulnerable to an insider attack and a server-spoofing attack. We show that any legal user can compute a secret value h(x⊕r). Meanwhile, a server can also compute h(x⊕r) once any user has logged in to that server. Then we will show that anyone who has h(x⊕r) can compute any session key between users and servers, as well as counterfeit the other servers.
Since Ui is a legal user and has <h(b ⊕ PWi), Vi, Bi, Ri, Hi >, Ui can obtain h(x⊕r) by computing Ai= Bi ⊕ h(b ⊕ PWi),
and
h(x ⊕ r)= Ai ⊕ Ri = Bi ⊕ h(b ⊕ PWi) ⊕ Ri.
For the same reason, suppose that there exists a user Ui who has logged in to the server Sj, so Sj can get <CIDi, Pij, Qi, Di, C0, Ni>, <C1, C2, Nrj> and Mij’.
Then, Sj can obtain h(x ⊕ r)= Ai ⊕ Ri by computing Ai=C2 ⊕ h(h(SIDj||y) ⊕ Nrj), Ri = Di⊕ SIDj ⊕ Ni.
According to the descriptions above, we have shown that any legal user or any server can obtain h(x⊕r). In the following, we show that any attacker with h(x⊕r) can perform an insider attack and a server-spoofing attack.
(i) Insider attack
Here, we show that Hsiang and Shih’s scheme cannot resist the insider attack. Without loss of generality, suppose that the malicious insider Ui is a legal user and has obtained h(x⊕r).
The malicious insider Ui can perform the following steps to get the session key SK=h(Ba||Aa||Na||Nb||SIDb) between any user Ua and any server Sb.
1. Ui may intercept the transmission <CIDa, Pab, Da, Na, Nb> between the user Ua and the server Sb.
2. Ui computes (Ra, Aa, Ta, h(b⊕PWa), Ba), where Ra=Da⊕SIDb⊕Na, Aa=Ra⊕h(x⊕r), Ta=Pab⊕h(Aa||Na||SIDb), h(b⊕PWa)=CIDa⊕h(Ta||Aa||Na), and Ba=Aa⊕h(b⊕PWa).
Thus, the malicious insider Ui can get the session key SK=h(Ba||Aa||Na||Nb||SIDb).
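The relation behind this weakness can be checked on a small model of the registration and login computations. The following Python sketch is an added example, not code from the paper or from Hsiang and Shih; it assumes SHA-256 for h( ), 32-byte values for every quantity and constructed identities, and all class and function names are hypothetical.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(); arguments are joined as a||b||..."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    """Bytewise XOR of 32-byte values."""
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

class RegistrationCenter:
    def __init__(self):
        # RC secrets x and r (y only protects the RC-server link; not modelled).
        self.x, self.r = secrets.token_bytes(32), secrets.token_bytes(32)

    def issue_card(self, ident: bytes, hbpw: bytes) -> dict:
        T = h(ident, self.x)
        R = h(hbpw, self.r)                      # Ri = h(h(b xor PWi)||r)
        A = xor(R, h(xor(self.x, self.r)))       # Ai = Ri xor h(x xor r)
        return {"V": xor(T, h(ident, hbpw)), "B": xor(A, hbpw),
                "H": h(T), "R": R}

def login(card: dict, ident: bytes, hbpw: bytes, sid: bytes):
    """Card-side login step 2: returns the on-wire fields plus (A, B)."""
    T = xor(card["V"], h(ident, hbpw))
    N = secrets.token_bytes(32)
    A = xor(card["B"], hbpw)
    wire = {"CID": xor(hbpw, h(T, A, N)), "P": xor(T, h(A, N, sid)),
            "D": xor(card["R"], sid, N), "N": N}
    return wire, A, card["B"]

def card_constant(card: dict, hbpw: bytes) -> bytes:
    """Bi xor h(b xor PWi) xor Ri, computable by the card's own holder."""
    return xor(card["B"], hbpw, card["R"])

def sk_from_wire(const: bytes, wire: dict, sid: bytes, nj: bytes) -> bytes:
    """Recompute SK from transmitted fields plus the system-wide constant."""
    R = xor(wire["D"], sid, wire["N"])
    A = xor(R, const)
    T = xor(wire["P"], h(A, wire["N"], sid))
    hbpw = xor(wire["CID"], h(T, A, wire["N"]))
    return h(xor(A, hbpw), A, wire["N"], nj, sid)

def review() -> dict:
    rc = RegistrationCenter()
    sid_b = h(b"server-b")                       # constructed 32-byte SIDb
    pw_i, pw_a = h(b"user-i secret"), h(b"user-a secret")  # stand-ins for h(b xor PW)
    card_i = rc.issue_card(b"user-i", pw_i)
    card_a = rc.issue_card(b"user-a", pw_a)
    wire, A, B = login(card_a, b"user-a", pw_a, sid_b)
    nj = secrets.token_bytes(32)                 # server nonce Nb, sent in clear
    sk_real = h(B, A, wire["N"], nj, sid_b)      # SK as Ua and Sb compute it
    const_i = card_constant(card_i, pw_i)
    return {
        "same_constant_on_every_card": const_i == card_constant(card_a, pw_a),
        "constant_is_h_x_xor_r": const_i == h(xor(rc.x, rc.r)),
        "sk_recomputed_from_wire": sk_from_wire(const_i, wire, sid_b, nj) == sk_real,
    }
```

All three results are true because Ai ⊕ Ri cancels the only per-user term and leaves h(x⊕r), so every issued card carries the same system-wide value.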
(ii) Server-spoofing attack
In the following, we show that any attacker with the value h(x⊕r) can counterfeit any server. Hence, Hsiang and Shih’s scheme cannot resist the server-spoofing attack. Since we have shown that any legitimate user Ui can obtain h(x⊕r), the legitimate user Ui can do the following steps to impersonate any server Sb to any user Ua.
1. When Ua sends <CIDa, Pab, Qa, Da, C0, Na> to Ui, Ui randomly chooses Nj∈Zq* and computes (Ra, Aa, Ta, h(b⊕PWa), Ba, Mab), where Ra=Da⊕SIDb⊕Na, Aa=Ra⊕h(x⊕r), Ta=Pab⊕h(Aa||Na||SIDb), h(b⊕PWa)=CIDa⊕h(Ta||Aa||Na), Ba=Aa⊕h(b⊕PWa), and Mab=h(Ba||Na||Aa||SIDb). Then, Ui sends <Mab, Nj> to the user Ua.
2. The user Ua will check whether Mab = h(Ba||Na||Aa||SIDb) holds or not. It is clear that Mab is equal to h(Ba||Na||Aa||SIDb). Hence, Ua will believe that Ui is the server Sb.
III. ANALYSIS OF GENG AND ZHANG’S SCHEME
In this section, we briefly review Geng and Zhang’s scheme and then demonstrate the security weakness of their scheme.
A. Review of Geng and Zhang’s scheme
We briefly present the definitions and properties of bilinear pairings, which are used in Geng and Zhang’s scheme. Let G1 be an additive cyclic group with a prime order q and G2 be a multiplicative group with the same order q. G1 is a subgroup of points on an elliptic curve over a finite field E(Fp) and P is the generator of G1. G2 is a subgroup of the multiplicative group over a finite field. A bilinear pairing is a map ê: G1×G1→G2 which satisfies the following requirements:
1. Bilinear: ê(aP, bQ) = ê(P, Q)^(ab) for all P, Q∈G1 and a, b∈Zq*.
2. Non-degenerate: there exist P, Q∈G1 such that ê(P, Q) ≠ 1.
3. Computability: there is an efficient algorithm to compute ê(P, Q) for all P, Q∈G1.
The notations used in this scheme are summarized as follows:
• H( ): a one-way hash function {0, 1}*→G1.
• f( ): a one-way hash function {0, 1}*→Zq*.
• s: the secret key of RC.
• PubRC: the public key of RC, where PubRC = sP.
• xj : the secret key of Sj.
• Pubj: the public key of Sj, where Pubj = xjP.
• IDi: the identity of Ui.
• PWi: the password of Ui.
Without loss of generality, suppose that the multi-server system consists of one registration center (RC), m users and n service providers. Geng and Zhang’s scheme mainly consists of two phases: the registration phase, and the login and session key agreement phase. We briefly review the two phases as follows:
[Registration Phase]
In the registration phase, a user Ui submits IDi and h(PWi) to the registration center RC. Then, RC computes (SIDi, Pi, Vi, Veri), where SIDi = H(IDi, IDRC), Pi = s⋅SIDi, Vi = Pi + H(IDi||h(PWi)), and Veri = f(Pi). RC computes AIDi = ê(H(IDRC), SIDi)^f(s) and stores <SIDi, Vi, Veri, AIDi, H( ), f( )> into a smart card and issues it to the user Ui via a secure channel.
[Login & Session Key Agreement Phase]
When the user Ui wants to access the resources of the server Sj, Ui inserts the smart card and keys his/her IDi*, PWi* and the session identity SIDj. The smart card computes Pi* = Vi - H(IDi*||PWi*) and checks whether f(Pi*) is equal to Veri or not. If it holds, the validity of the cardholder can be assured. The login and session key agreement phase is depicted in Figure 2. The smart card (Ui) and Sj perform the following steps to achieve mutual authentication and key agreement.
1. Ui randomly chooses r1, Ni∈R Zq* and computes C1 = r1P, CIDi = SIDi + r1⋅Pubj, h = f(Ni||C1), and W = r1^(-1)(Pi* + hP). Then, Ui sends the login request message <CIDi, C1, Ni, W> to the service provider Sj.
2. Upon receiving the login request message <CIDi, C1, Ni, W>, the service provider Sj computes SIDi* = CIDi - xj⋅C1 and h = f(Ni||C1). The service provider Sj checks whether ê(W, C1) = ê(SIDi, PubRC)⋅ê(P, P)^h holds or not. If it does not hold, Sj rejects the login request and terminates the session.
3. Sj randomly chooses r2∈R Zq* and computes (C2, sk, AIDi*, Ver), where C2 = r2P, sk = f(r2⋅C1), AIDi* = ê(H(IDRC), SIDi)^f(s), and Ver = f(AIDi*||C1||Ni||sk). Then, Sj sends <C2, Ver> to Ui.
4. Upon receiving the message <C2, Ver>, Ui computes sk* = f(r1⋅C2) and checks whether f(AIDi*||C1||Ni||sk*) is equal to Ver or not.
5. Ui computes Ver' = f(AIDi||C2||Ni||sk*) and sends it to the server Sj.
6. Upon receiving the message Ver', the service provider Sj checks whether Ver' is equal to f(AIDi||C2||Ni||sk*). Meanwhile, Ui and Sj have obtained an identical session key sk = f(r2⋅C1) = f(r1⋅C2).
Fig. 2. The login and session key agreement phase of Geng-Zhang’s scheme
B. Attack on Geng and Zhang’s scheme
In this subsection, we will show that Geng and Zhang’s scheme is vulnerable to a user-spoofing attack, i.e., any legal user can create a new user without the registration center RC. The concrete scenario is presented as follows.
Let Ui be any legal user, then Ui can create a new user, say Ua, without the registration center RC. Since Ui has <SIDi, Vi, Veri, AIDi> and can compute Pi=Vi-H(IDi||h(PWi)), then Ui chooses a random integer r∈Zq* and computes SIDa = r⋅SIDi, Pa = r⋅Pi, AIDa = (AIDi)^r, Va = Pa+H(IDa||h(PWa)) and Vera = f(Pa) for the new spoofing user Ua.
We are going to show that the spoofing user Ua can successfully log in to any server, say Sj, as a legitimate user.
1. Ua randomly chooses r1, Na∈Zq* and computes (C1, CIDa, h, W), where C1 = r1P, CIDa = SIDa+r1⋅Pubj, h = f(Na||C1), and W = r1^(-1)(Pa+hP). Then, Ua sends <CIDa, C1, Na, W> to Sj.
2. Sj computes SIDa = CIDa-xj⋅C1, and checks if ê(W, C1) = ê(SIDa, PubRC)⋅ê(P, P)^h. It is clear that this check will hold. Since Pa = r⋅Pi = r⋅s⋅SIDi, we have
ê(W, C1) = ê(r1^(-1)(Pa+hP), r1P)
= ê(Pa+hP, P)
= ê(r⋅s⋅SIDi+hP, P)
= ê(r⋅s⋅SIDi, P)⋅ê(hP, P)
= ê(r⋅SIDi, sP)⋅ê(hP, P)
= ê(SIDa, PubRC)⋅ê(P, P)^h.
The server Sj randomly chooses r2∈Zq*, and computes (C2, sk, AIDa*, Ver), where C2 = r2P, sk = f(r2⋅C1), AIDa* = ê(H(IDRC), SIDa)^f(s), and Ver = f(AIDa*, C1, Na, sk). Then, Sj sends <C2, Ver> to the user Ua.
3. The user Ua computes Ver’ = f(AIDa, C2, Na, sk) and sends it to the server Sj.
4. The server Sj checks if Ver’ = f(AIDa*, C2, Na, sk) or not. Since AIDa = (AIDi)^r = ê(H(IDRC), SIDi)^(f(s)⋅r) = ê(H(IDRC), r⋅SIDi)^f(s) = ê(H(IDRC), SIDa)^f(s) = AIDa*, it will pass the verification. Hence, the spoofing user Ua can successfully log in to any server Sj.
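To see which relation the server's pairing check in step 2 actually enforces, the following added example (not from the paper or from Geng and Zhang) models each G1 point kP by its scalar k in a toy group where ê(aP, bP) = ê(P, P)^(ab). The parameters Q, PMOD and G, the key values and all function names are constructed for illustration, and the password mask Vi is left out so the credential holds Pi directly.

```python
import hashlib
import secrets

Q = 1019        # toy prime group order q (constructed, far too small for real use)
PMOD = 2039     # prime with Q dividing PMOD - 1
G = 4           # element of order Q in Z_PMOD*, playing the role of e(P, P)

# A point kP of G1 is modelled by its scalar k mod Q, so P is 1 and sP is s.
def pair(a: int, b: int) -> int:
    """Toy symmetric pairing e(aP, bP) = e(P, P)^(ab)."""
    return pow(G, (a * b) % Q, PMOD)

def to_zq(tag: str, *parts) -> int:
    """Hash to Zq*; tag 'H' stands for H() into G1, tag 'f' for f()."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def server_aid(sid: int, s: int) -> int:
    """AID* = e(H(ID_RC), SID)^f(s), following the formula on the page."""
    return pow(pair(to_zq("H", "ID_RC"), sid), to_zq("f", s), PMOD)

def rc_register(s: int, ident: str) -> dict:
    sid = to_zq("H", ident, "ID_RC")                    # SIDi = H(IDi, ID_RC)
    return {"SID": sid, "P": s * sid % Q, "AID": server_aid(sid, s)}

def scale(cred: dict, r: int) -> dict:
    """The page's relation: SIDa = r*SIDi, Pa = r*Pi, AIDa = AIDi^r."""
    return {"SID": r * cred["SID"] % Q, "P": r * cred["P"] % Q,
            "AID": pow(cred["AID"], r, PMOD)}

def server_accepts(cred: dict, x_j: int, s: int) -> bool:
    """Login steps 1-2: client builds (CID, C1, N, W), server runs its check."""
    r1, n = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    c1 = r1                                             # C1 = r1*P
    cid = (cred["SID"] + r1 * x_j) % Q                  # CID = SID + r1*Pubj
    hh = to_zq("f", n, c1)                              # h = f(N||C1)
    w = pow(r1, -1, Q) * (cred["P"] + hh) % Q           # W = r1^-1 (P + hP)
    sid_star = (cid - x_j * c1) % Q                     # server: CID - xj*C1
    return pair(w, c1) == pair(sid_star, s) * pow(G, hh, PMOD) % PMOD

def check_model() -> dict:
    s, x_j = 777, 345                                   # constructed RC and server keys
    issued = rc_register(s, "user-i")
    derived = scale(issued, r=123)
    broken = dict(derived, P=(derived["P"] + 1) % Q)    # violates Pa = s*SIDa
    return {
        "issued": server_accepts(issued, x_j, s),
        "derived": server_accepts(derived, x_j, s),
        "derived_aid_matches": derived["AID"] == server_aid(derived["SID"], s),
        "broken": server_accepts(broken, x_j, s),
    }
```

The check accepts exactly the pairs with Pa = s⋅SIDa. That relation is linear, so scaling both sides by r preserves it, and nothing in the check ties SIDa to an identity that RC registered.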
IV. CONCLUSION AND FUTURE WORK
In this paper, we have shown that two dynamic ID-based remote user authentication and key agreement schemes for the multi-server environment have security weaknesses. Hsiang and Shih’s scheme is vulnerable to an insider attack and a server-spoofing attack. Geng and Zhang’s scheme suffers from a user-spoofing attack in which each legal user can create a new user without the registration center RC.
Recently, developing a dynamic ID-based remote user authentication scheme for the multi-server environment has become a new research topic. However, the recently proposed schemes for this issue do not establish an attack model or provide a formal security proof. Thus, they easily suffer from some attacks. In the future, we hope to construct the attack model and propose a provably secure dynamic ID-based remote user authentication and key agreement scheme for the multi-server environment.
ACKNOWLEDGEMENTS
This research is partially supported by National Science Council, Taiwan, R.O.C., under contract no. NSC97-2221-E-018-010-MY3.
REFERENCES
[1] C.C. Chang and J.S. Lee, “An efficient and secure multi-server password authentication scheme using smart cards”, Proceedings of the 2004 International Conference on Cyberworlds, 2004, pp. 417-422.
[2] C.C. Chang and J.Y. Kuo, “An efficient multi-server password authenticated keys agreement scheme using smart cards with access control”, Proceedings of the 19th International Conference on Advanced Information Networking and Applications, Vol. 2, 2005, pp. 257-260.
[3] H.Y. Chien, J.K. Jan, and Y.M. Tseng, “An efficient and practical solution to remote authentication: Smart Card”, Computers and Security, Vol. 21, No. 4, 2002, pp. 372-375.
[4] J. Geng and L. Zhang, “A Dynamic ID-based User Authentication and Key Agreement Scheme for Multi-server Environment Using Bilinear Pairings”, Proceedings of the 2008 Workshop on Power Electronics and Intelligent Transportation System, 2008, pp. 33-37.
[5] C. Hsiang and W.K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment”, Computer Standards & Interfaces, 2009, accepted and in press.
[6] M.S. Hwang, L.H. Li, “A new remote user authentication scheme using smart cards”, IEEE Trans. Consumer Electronics, Vol. 46, No. 1, 2000, pp. 28–30.
[7] W.S. Juang, “Efficient multi-server password IEEE Trans. Consumer Electronics, Vol. 50, No.1, 2004, pp. 251–255.
[8] W.S. Juang, J.L. Wu, “Efficient User Authentication and Key Agreement with User Privacy Protection”, Journal of Information Science and Engineering, Vol. 7, No. 1, 2008, pp. 120-129.
[9] M. Kim, C.K. Koc, “A Secure Hash-Based Strong-Password Authentication Protocol Using One-Time Public-Key Cryptography”, Journal of Information Science and Engineering, Vol. 24, No. 4, 2008, pp. 1213-1227
[10] Y.C. Lee, G.K. Chang, W.C. Kuo, and J.L. Chu, “Improvement on the dynamic ID-based remote user authentication scheme”, Proceedings of Machine Learning and Cybernetics 2008, Vol. 6, 2008, pp. 3283-3287.
[11] L.H. Li, I.C. Lin, and M.S. Hwang, “A remote password authentication scheme for multi-server architecture using neural networks”, IEEE Trans. Neural Networks, Vol.12, No. 6, 2001, pp.1498–1504.
[12] I.E. Liao, C.C. Lee, and M.S. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme”, Proceedings of the International Conference on Next Generation Web Services Practices, 2005, pp.437
[13] Y.P. Liao, S.S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment”, Computer Standards & Interfaces, Vol. 31, No. 1, 2009, pp.24–29
[14] J.L. Tsai, “Efficient multi-server authentication scheme based on one-way hash function without verification table”, Computers & Security, Vol. 27, No. 3-4, 2008, pp. 115-121.
[15] Y.M. Tseng, T.Y. Wu, J.D. Wu, “A pairing-based user authentication scheme for wireless clients with smart cards”, Informatica: International Journal, Vol. 19, No. 2, 2008, pp.