An ID-based remote user authentication scheme without using smart cards for multi-server environment


廖一評 (Y. P. Liao), Graduate Institute of Communication Engineering, Tatung University; Department of Information Engineering, St. John's University. Email: newsun87@mail.sju.edu.tw
汪順祥 (S. S. Wang), Graduate Institute of Communication Engineering, Tatung University. Email: sswang@ttu.edu.tw

Abstract - The issue of remote user authentication schemes using smart cards for the multi-server environment has received much attention recently. Smart cards, however, are far from ubiquitous, since several obstacles have restricted their practical application. In this paper, we propose for the first time an ID-based remote user authentication scheme without smart cards for the multi-server environment. The proposed scheme uses one-time password authentication to enhance the security of the password. Furthermore, self-certified public keys (SCK) are introduced to reduce the cost of public key management. We give a security analysis of the proposed scheme and compare its functionality with other schemes. The results show that our scheme not only retains all advantages of a robust authentication scheme for the multi-server environment but also offers several nice properties, such as user identity protection and forward secrecy.

Key words: Smart cards; Multi-server environment; ID-based; Self-certified public key.

Abstract (Chinese version) - The issue of remote user authentication schemes for the multi-server environment has recently received considerable attention. However, some practical obstacles limit the range of smart card applications, so that smart cards have not become widespread. In this paper we propose for the first time an ID-based remote user authentication scheme for the multi-server environment that does not require a smart card. The scheme uses one-time password authentication to strengthen password security. In addition, it introduces self-certified public keys to reduce the burden of public key management. The scheme has undergone a security analysis and a functionality comparison with other schemes; the results show that it not only retains the robust security properties of the multi-server environment but also provides some additional features, such as identity hiding and forward secrecy. Keywords: smart cards; multi-server environment; ID-based; self-certified public keys.

I. Introduction

Remote user authentication has become an important issue for accessing a remote server's resources securely. Password authentication is one of the simplest and most common authentication mechanisms over an insecure channel, since it allows people to choose and remember their own passwords without any assisting device. In 1981, Lamport proposed a novel password authentication scheme using cryptographic hash functions [1]. A common feature of conventional password

which contains the verifiers of the user's password. Under this situation, the verification table is vulnerable to risks such as tampering and stolen verifiers. To reduce these risks and the maintenance cost, many password-based remote user authentication schemes using smart cards, which need no password table, have been proposed for the single-server environment [2-5].

Recently, with the rapid growth of Internet services, more and more network architectures are deployed as multi-server environments. Hence, the issue of remote user authentication schemes using smart cards for the multi-server environment has received much attention. Schemes designed for a single server are not well suited to the multi-server environment: for example, if a user wants to access multiple service servers, it is infeasible to remember several identifiers and the corresponding passwords. Besides, the distribution of secret keys among the involved parties is an important topic. To date, several papers have been devoted to accessing the resources of a multi-server network securely [6-13]. Taking computational cost into consideration, these schemes fall into two broad categories: one employs public-key cryptosystems, and the other employs only a simple one-way hash function combined with a symmetric cryptosystem. However, these published schemes still have some unsolved weaknesses.

In general, a remote user authentication scheme for the multi-server environment should satisfy the following requirements [10]: (1) single registration; (2) no password table; (3) freedom from the serious time synchronization problem; (4) changing the password securely and freely; (5) prevention of various well-known attacks such as the guessing attack, forgery attack and server spoofing attack; (6) efficient performance for users with low-power computing devices. However, the high cost of the cards and the limited availability of card readers restrict the application of smart cards. On the other hand, researchers assume that the authentication information stored in a smart card may be acquired by analyzing leaked information [14] or by monitoring the power consumption [15]. Hence the leakage of the secrets stored in the smart card leads to security flaws: for example, the adversary may use the obtained secrets to launch an off-line password guessing attack or a forgery attack. Furthermore, the system's reparability must also be taken into consideration in practice [2]. These problems have restricted the application of smart cards to a few fields such as financial transactions. With the growth of portable storage devices such as USB memory sticks, such devices are now common in offices and anywhere today's mobile workers go, but they lack the tamper-resistance property. Hence, password-based authentication schemes using smart cards cannot be applied directly to remote user authentication without smart cards.

In this paper, we propose for the first time an ID-based remote user authentication scheme without smart cards for the multi-server environment. The proposed scheme uses one-time password authentication to enhance the security of the password [16]. Our scheme provides a practical remote user authentication scheme while retaining all advantages of robust remote user authentication schemes for the multi-server environment. It is highlighted by the following features: (1) it achieves mutual authentication and session key agreement; (2) it prevents the security attacks that follow from disclosure of the secrets stored in a common storage device; (3) no registered server maintains any verification table; (4) the public key of each registered server is authenticated without the need for an explicit certificate; (5) the private key of a registered server cannot be revealed by the trusted third party (TTP) or by the other servers. The remainder of the paper is organized as follows. In Section II, we give some preliminaries, including bilinear pairings and the related computational problems. Section III presents the details of the proposed scheme. After that, we give the security analysis and the functionality comparison with related schemes in Sections IV and V. Finally, the conclusion is given in Section VI.

II. Preliminaries

In this section, we introduce bilinear pairings and the related computational problems.

A. Bilinear pairings

Bilinear pairings, namely the Weil pairing or the Tate pairing, are used in important cryptographic applications. Let $\langle G_1, + \rangle$ be an additive cyclic group of prime order $q$ generated by $P$, and $\langle G_2, \times \rangle$ a multiplicative cyclic group of the same order as $G_1$. A bilinear pairing is a map $\hat{e}: G_1 \times G_1 \to G_2$ defined on the elliptic curve. For brevity, the related properties are omitted and the reader is referred to [ ].

B. Computation problems

To provide a higher security level for the proposed authentication scheme, some important mathematical assumptions on elliptic curves are introduced.

B-1 Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given $Q = kP$, where $P, Q \in G_1$: it is relatively easy to calculate $Q$ given $k$ and $P$, but it is relatively hard to determine $k$ given $Q$ and $P$.

B-2 Computational Diffie-Hellman Problem (CDHP)

For $a, b \in Z_q^*$, given $P, aP, bP \in G_1$, it is hard to find $abP$.

III. The proposed scheme

In this section, we propose an ID-based remote user authentication scheme without smart cards for the multi-server environment. Without loss of generality, the system's parties consist of one registration center (RC), $m$ users ($U_i$) and $n$ service servers ($S_j$). Our scheme is a three-party authenticated key exchange (3P-AKE) protocol and is divided into the following phases: setup phase, registration phase, login phase, verification phase and password change phase. The phases are described below and shown in Figs. 1-3.

A. Setup Phase

Let $G_1$ be an additive cyclic group of prime order $q$ generated by $P$, and $G_2$ a multiplicative cyclic group of the same order. Let $H: \{0,1\}^* \to G_1$ and $h: \{0,1\}^* \to \{0,1\}^n$ be cryptographic hash functions.

When RC admits $S_j$, RC and $S_j$ cooperate to generate the key pair of $S_j$ using self-certified public keys (SCK), an efficient alternative to certificate-based public key infrastructure (PKI) [17]. SCK reduces the communication and management overhead of the system's public keys: instead of verifying a public key through an explicit signature on it, a server's SCK-based public key is derived from its identity together with its public key parameter, without a concrete certificate. The protocol is described below.

S1: Private key generation. $S_j$ chooses a random number $k_j \in Z_q^*$, computes $K_j = k_j P$, and sends $K_j$ together with its identity $SID_j$ to RC over a secure channel. After receiving $K_j$ and $SID_j$, RC checks whether $S_j$ is eligible. If so, RC picks a random number $r_j$ and computes $R_j = K_j + r_j P$. Finally, RC uses its own secret key $s_{RC}$ to compute the signature parameter $x_j$ as follows:

$x_j = h(SID_j \| R_j)\, s_{RC} + r_j$ (1)

Then $x_j$ is transmitted securely to $S_j$, which obtains its private key by adding its own secret $k_j$ to the received signature parameter (the paper keeps the symbol $x_j$ for the result):

$x_j \leftarrow x_j + k_j$ (2)

S2: Public key extraction. After this pre-deployment, the public key $Pub_j$ of $S_j$ can be computed by anyone who obtains the public key parameter $R_j$ and $SID_j$ from the public server registration table, as the following equation:

$Pub_j = R_j + h(SID_j \| R_j)\, Pub_{RC}$ (3)

Equation (3) holds because, with $Pub_{RC} = s_{RC} P$,

$Pub_j = x_j P = (k_j + h(SID_j \| R_j)\, s_{RC} + r_j)\, P = r_j P + k_j P + h(SID_j \| R_j)\, s_{RC} P = R_j + h(SID_j \| R_j)\, Pub_{RC}$.
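The two SCK steps above, as an added worked example (not the paper's code) in Python on a toy curve: $y^2 = x^3 + 2x + 2$ over $F_{17}$ with generator $P = (5,1)$ of prime order $q = 19$ (constructed, insecure parameters chosen only so the group arithmetic fits in a few lines; the identity string, $k_j$, $r_j$ and $s_{RC}$ are likewise constructed, and the function names are this example's own). It runs S1 on both sides, extracts $Pub_j$ from the public pair $(SID_j, R_j)$ as in equation (3), and checks that it equals $x_j P$. Note that RC only ever sees $K_j = k_j P$, so under the ECDLP it cannot recover the final private key, which is the property claimed in feature (5) of the introduction.

```python
"""Toy self-certified public key (SCK) setup for a service server S_j.

Added example, not the paper's code. Uses the textbook toy curve
y^2 = x^3 + 2x + 2 over F_17 with generator P = (5, 1) of prime order
q = 19 (constructed, insecure parameters), so scalars live in Z_19 and the
group law fits in a few lines. A real deployment would use a
pairing-friendly curve with a ~256-bit order.
"""
import hashlib

FIELD_P = 17          # prime field modulus (constructed toy value)
CURVE_A = 2           # curve coefficient a
CURVE_B = 2           # curve coefficient b (only needed to check points)
GEN_P = (5, 1)        # generator P of G_1
ORDER_Q = 19          # prime group order q
INF = None            # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b over F_p (INF counts as on-curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + CURVE_A * x + CURVE_B)) % FIELD_P == 0


def point_add(p1, p2):
    """Group law on the curve: handles INF, inverses and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF                          # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P)
    lam %= FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add; k is reduced mod q since the group has order q."""
    k %= ORDER_Q
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def h_scalar(*parts):
    """h(SID_j || R_j) mapped into Z_q: SHA-256 over the encoded parts, reduced mod q."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER_Q


def extract_public_key(sid_j, r_j, pub_rc):
    """S2, run by anyone: Pub_j = R_j + h(SID_j || R_j) Pub_RC   (equation 3)."""
    return point_add(r_j, scalar_mult(h_scalar(sid_j, r_j), pub_rc))


def sck_setup(sid_j, k_j, r_j, s_rc):
    """Run S1 for one server and check equation (3) against x_j P.

    k_j (server secret), r_j (RC's per-server random) and s_rc (RC's private key)
    are passed in explicitly so the run is reproducible; in practice they are random.
    """
    pub_rc = scalar_mult(s_rc, GEN_P)                 # Pub_RC = s_RC P
    k_pt = scalar_mult(k_j, GEN_P)                    # S1, server: K_j = k_j P (k_j never leaves S_j)
    r_pt = point_add(k_pt, scalar_mult(r_j, GEN_P))   # S1, RC: R_j = K_j + r_j P
    hv = h_scalar(sid_j, r_pt)
    x_sig = (hv * s_rc + r_j) % ORDER_Q               # equation (1), sent to S_j over a secure channel
    x_j = (x_sig + k_j) % ORDER_Q                     # equation (2), private key known only to S_j
    pub_j = extract_public_key(sid_j, r_pt, pub_rc)   # equation (3), from public (SID_j, R_j) only
    return {"R_j": r_pt, "x_j": x_j, "Pub_j": pub_j, "Pub_RC": pub_rc,
            "ok": pub_j == scalar_mult(x_j, GEN_P) and on_curve(pub_j)}


if __name__ == "__main__":
    print(sck_setup("server-1", k_j=7, r_j=11, s_rc=5))
```

Running the script prints the derived values; the `ok` flag is the equality check of equation (3) against $x_j P$, which is exactly what a verifier relies on when it trusts a server's public key without a certificate.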

B. Registration phase

If $U_i$ wants to access the resources of the system, he performs the following steps in the registration phase.

R1: $U_i$ selects his identity $ID_i$ and password $PW_i$. Next, $U_i$ chooses a random number $b_i$, computes the hashed password $hpw_i = h(PW_i \| b_i)$, and sends $\langle ID_i, hpw_i \rangle$ to RC over a secure channel.

R2: After receiving $\langle ID_i, hpw_i \rangle$ at time $T_i$, RC checks whether $U_i$ is already registered. If not, it creates an entry for $U_i$ in the registration table and stores $ID_i$, $H(ID_i)$ and $T_{reg} = T_i$ in this entry; otherwise it only updates $T_{reg}$ with the time $T_i$ in the existing entry for $U_i$. In this paper, $T_{reg}$ denotes the registration time of a new or re-registered user. Next, RC computes the identity signature $S_{ID_i} = s_{RC} H(ID_i)$ and $RegPW_i = hpw_i^{-1} S_{ID_i}$. After that, RC delivers $\{RegPW_i, T_i\}$ to $U_i$ over a secure channel.

R3: $U_i$ stores $\{RegPW_i, T_i\}$ along with $b_i$ in a common storage device.

C. Login phase

Whenever the user $U_i$ wants to access the resources of $S_j$, he performs the following steps.

L1: $U_i$ submits $ID_i$, $PW_i$ and $SID_j$. Then $U_i$ generates a random number $n_i \in Z_q^*$ and computes $N_i = n_i P$, $p_i = h(N_i)$, $L_i = n_i Pub_{RC}$ and $k_i = h(ID_i \| SID_j \| p_i \| T_i)$.

L2: $U_i$ computes the hashed password $hpw_i = h(PW_i \| b_i)$, the dynamic identity $CID_i = p_i H(ID_i)$, $TID_i = k_i RegPW_i$ and the one-time password $TPD_i = (hpw_i p_i) P$. Finally, $U_i$ sends $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$ over a public channel.

D. Verification phase

1) Authentication of server and RC

After receiving the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$, $S_j$ and RC run the following steps to achieve mutual authentication. RC is responsible for verifying $U_i$; once the identity of $U_i$ is assured, $S_j$ can derive the secret key $TK_{ij}$ shared with $U_i$. The procedure is as follows.

V1: $S_j$ chooses a random number $n_j \in Z_q^*$ and computes $N_j = n_j P$. Next, $S_j$ computes the long-term shared secret key $AK_1 = x_j Pub_{RC}$, whose secrecy rests on the CDHP.

V2: $S_j$ computes $Auth_j = h(SID_j \| AK_1 \| N_j \| L_i)$ and sends $\langle CID_i, TID_i, TPD_i, L_i, N_j, SID_j, Auth_j \rangle$ to RC.

V3: Following the SCK construction above, RC takes the public parameter $R_j$ from the public server registration table and computes the public key $Pub_j$ of $S_j$ by equation (3). Next, RC computes $N_{RC} = n_{RC} P$ and the long-term secret key $AK_2 = s_{RC} Pub_j$. Then RC checks whether the received $Auth_j$ equals $h(SID_j \| AK_2 \| N_j \| L_i)$. If so, $S_j$ is authentic; otherwise the connection is rejected.

V4: RC computes $p_i = h(s_{RC}^{-1} L_i)$ (note that $s_{RC}^{-1} L_i = n_i P = N_i$) and extracts $H(ID_i) = p_i^{-1} CID_i$. It then checks whether $H(ID_i)$ exists in the user registration table. Next, RC computes $k_i = h(ID_i \| SID_j \| p_i \| T_i)$ and checks whether $\hat{e}(TID_i, TPD_i)$ equals $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$. If so, the identity of $U_i$ is assured and RC continues with the next step; otherwise it rejects.

V5: RC chooses a random number $n_{RC} \in Z_q^*$ and computes $N_{RC} = n_{RC} P$. After that, RC computes $TK_{ij} = h(ID_i \| SID_j \| p_i \| N_j)$, $Auth_{RC} = h(SID_j \| AK_2 \| N_{RC} \| N_j \| L_i)$, $C_1 = Auth_{RC} \oplus TK_{ij}$ and $C_2 = h(Auth_{RC} \| TK_{ij})$. Finally, RC sends $\langle C_1, C_2, N_{RC} \rangle$ to $S_j$.

V6: $S_j$ computes $Auth^*_{RC} = h(SID_j \| AK_1 \| N_{RC} \| N_j \| L_i)$ and $TK^*_{ij} = C_1 \oplus Auth^*_{RC}$, and then verifies whether $C_2$ equals $h(Auth^*_{RC} \| TK^*_{ij})$. If so, RC is authentic.

2) Authentication of server and user

After the authentication between server and RC, $S_j$ holds $TK_{ij}$, the temporary secret key shared with $U_i$. Then $S_j$ and $U_i$ perform the following steps to achieve mutual authentication.

V7: $S_j$ computes $C_3 = h(TK_{ij} \| N_j)$ and sends $\langle C_3, N_j \rangle$ to $U_i$.

V8: $U_i$ checks the validity of $S_j$ by computing $TK^*_{ij} = h(ID_i \| SID_j \| p_i \| N_j)$ and comparing $C_3$ with $h(TK^*_{ij} \| N_j)$. If they are equal, the identity of $S_j$ is assured. $U_i$ then chooses a random number $n'_i$, computes $N'_i = n'_i P$ and $C_4 = h(TK^*_{ij} \| N_j \| N'_i)$, and sends $\langle C_4, N'_i \rangle$ to $S_j$.

V9: After receiving $\langle C_4, N'_i \rangle$ from $U_i$, $S_j$ computes $h(TK_{ij} \| N_j \| N'_i)$ and compares it with the received $C_4$. If they are equal, $U_i$ is authentic. At the same time, both $S_j$ and $U_i$ store the common session key $SK_{ij} = h(n'_i N_j) = h(n_j N'_i)$ for protecting the subsequent sensitive information.
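The hash-and-XOR half of steps V5-V9, as an added example in Python (not the paper's code); it also exercises the replay argument of Theorem 5 (1) in Section IV, since $TK_{ij}$ binds the server nonce $N_j$. The elliptic-curve quantities ($p_i$, $L_i$, $N_j$, $N_{RC}$, $N'_i$) and the long-term key $AK$ (equal on both sides, $AK_1 = AK_2 = x_j Pub_{RC}$) are represented by constructed byte strings, $h$ is SHA-256 over the fields joined with a separator, the pairing check of V4 is assumed to have already passed, and all function names are this example's own.

```python
"""Hash/XOR part of the verification phase (V5-V9) with replay and tamper checks.

Added example, not the paper's code. Curve points and the shared long-term
key AK are stand-in byte strings (constructed); only the hash-and-XOR logic
of steps V5-V9 is exercised. h is SHA-256 over '|'-joined fields.
"""
import hashlib
from typing import Optional


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) with a separator so field boundaries are unambiguous."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample values standing in for ID_i, SID_j, p_i, L_i, N_j, N_RC and AK.
ID_I = b"alice"
SID_J = b"server-1"
P_I = b"p_i:h(N_i)"
L_I = b"L_i:n_i*Pub_RC"
N_J = b"N_j:session-A"
N_RC = b"N_RC:session-A"
AK = b"AK:x_j*Pub_RC"          # AK_1 on S_j, AK_2 on RC; equal by construction


def rc_respond(id_i, sid_j, p_i, n_j, n_rc, l_i, ak):
    """V5: RC derives TK_ij and wraps it for S_j as <C1, C2, N_RC>."""
    tk = h(id_i, sid_j, p_i, n_j)
    auth_rc = h(sid_j, ak, n_rc, n_j, l_i)
    return xor(auth_rc, tk), h(auth_rc, tk), n_rc


def server_unwrap(c1, c2, n_rc, sid_j, n_j, l_i, ak) -> Optional[bytes]:
    """V6: S_j recomputes Auth_RC*, unmasks TK_ij* and checks C2; None on failure."""
    auth_star = h(sid_j, ak, n_rc, n_j, l_i)
    tk_star = xor(c1, auth_star)
    return tk_star if c2 == h(auth_star, tk_star) else None


def server_challenge(tk, n_j):
    """V7: C3 = h(TK_ij || N_j)."""
    return h(tk, n_j)


def user_respond(c3, id_i, sid_j, p_i, n_j, n_i_prime) -> Optional[bytes]:
    """V8: U_i recomputes TK_ij*, checks C3, then answers C4 = h(TK_ij* || N_j || N_i')."""
    tk_star = h(id_i, sid_j, p_i, n_j)
    if c3 != h(tk_star, n_j):
        return None                      # S_j (or RC behind it) failed to prove knowledge of TK_ij
    return h(tk_star, n_j, n_i_prime)


def server_check_user(c4, tk, n_j, n_i_prime) -> bool:
    """V9: S_j accepts U_i iff C4 == h(TK_ij || N_j || N_i')."""
    return c4 is not None and c4 == h(tk, n_j, n_i_prime)


def run_session(n_j: bytes, n_rc: bytes, n_i_prime: bytes) -> dict:
    """Honest run of V5-V9 for the constructed parties; returns the checkable results."""
    c1, c2, n_rc_out = rc_respond(ID_I, SID_J, P_I, n_j, n_rc, L_I, AK)
    tk = server_unwrap(c1, c2, n_rc_out, SID_J, n_j, L_I, AK)
    if tk is None:
        return {"tk": None, "c3": None, "user_accepted": False, "server_accepted": False}
    c3 = server_challenge(tk, n_j)
    c4 = user_respond(c3, ID_I, SID_J, P_I, n_j, n_i_prime)
    return {"tk": tk, "c3": c3, "user_accepted": c4 is not None,
            "server_accepted": server_check_user(c4, tk, n_j, n_i_prime)}


def replay_is_rejected() -> bool:
    """Replaying session A's C3 into session B (fresh N_j) fails V8, since TK_ij binds N_j."""
    old = run_session(N_J, N_RC, b"N_i':A")
    fresh_n_j = b"N_j:session-B"
    return user_respond(old["c3"], ID_I, SID_J, P_I, fresh_n_j, b"N_i':B") is None


def tampered_c1_is_rejected() -> bool:
    """Flipping one bit of C1 in transit changes TK_ij* and makes the C2 check fail at V6."""
    c1, c2, n_rc = rc_respond(ID_I, SID_J, P_I, N_J, N_RC, L_I, AK)
    bad_c1 = bytes([c1[0] ^ 0x01]) + c1[1:]
    return server_unwrap(bad_c1, c2, n_rc, SID_J, N_J, L_I, AK) is None


if __name__ == "__main__":
    print(run_session(N_J, N_RC, b"N_i':A"))
    print("replay rejected:", replay_is_rejected())
    print("tampered C1 rejected:", tampered_c1_is_rejected())
```

In a real implementation the byte strings would be the encodings of the curve points, and the length check in `xor` matters: a $C_1$ shorter than the hash output would otherwise silently truncate the unmasked $TK^*_{ij}$ before the $C_2$ comparison.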

E. Password change phase

If the user $U_i$ wants to change his password for some reason, he first sends a password change request to RC. Once RC is convinced that the user's identity is $U_i$ and mutual authentication between them is finished, they share a common session key $sk_{ij}$. We omit the authentication process since it is similar to the one described above.

Next, $U_i$ performs the following steps to update the password.

PC1: $U_i$ selects $PW_i^{new}$ and computes $nhpw_i = h(PW_i^{new} \| b_i)$. Then he computes $PC_{i1} = nhpw_i \oplus sk_{ij}$ and $PC_{i2} = h(sk_{ij} \| nhpw_i)$, and sends $\langle PC_{i1}, PC_{i2} \rangle$ to RC. After receiving $\langle PC_{i1}, PC_{i2} \rangle$, RC uses the session key $sk_{ij}$ to perform the following step.

PC2: RC extracts the new hashed password $nhpw_i = PC_{i1} \oplus sk_{ij}$ and checks whether the authentication tag $PC_{i2}$ equals the computed $h(sk_{ij} \| nhpw_i)$. If so, it computes the new authentication information $RegPW_i^{new} = nhpw_i^{-1} S_{ID_i}$, $PC_{i3} = RegPW_i^{new} \oplus sk_{ij}$ and $PC_{i4} = h(sk_{ij} \| RegPW_i^{new})$.

PC3: Similarly, $U_i$ extracts $RegPW_i^{new} = PC_{i3} \oplus sk_{ij}$ and checks the correctness of $PC_{i4}$ against the computed $h(sk_{ij} \| RegPW_i^{new})$. If the validity of $PC_{i4}$ is confirmed, $RegPW_i$ is replaced with $RegPW_i^{new}$.

Fig. 1 Registration phase and login phase (message flow between $U_i$, $S_j$ and RC; figure not reproduced)

Fig. 2 Authentication of server and RC in verification phase (figure not reproduced)

Fig. 3 Authentication of user and server (figure not reproduced)

IV. Security analysis

In this section, we discuss the security of the proposed scheme. It aims to meet all of the criteria for a robust remote user authentication protocol. Furthermore, the proposed scheme offers nice properties such as user identity protection and forward secrecy.

A. Satisfy the criteria of robust remote user authentication protocol

Theorem 1: Our scheme achieves mutual authentication and session key agreement.

Proof: In our scheme, $U_i$ sends the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$. After receiving it, $S_j$ requests RC to verify the identity of $U_i$. To recognize each other, $S_j$ and RC achieve mutual authentication using a hashed message authentication code (HMAC), since both can compute the common secret key $AK_1$ ($= AK_2$) under the CDHP. After that, $U_i$ is authenticated by RC and $S_j$ using the following operations.

(1) RC checks whether the computed $\hat{e}(TID_i, TPD_i)$ equals the computed $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$, in the manner of the BLS short signature scheme [18]. If so, RC checks the legality of $S_j$ and responds with the message $\langle C_1, C_2, N_{RC} \rangle$ to $S_j$. Next, $S_j$ derives the secret key $TK_{ij}$ shared with $U_i$ from $\langle C_1, C_2, N_{RC} \rangle$.

The verification works because of the following deduction:

$\hat{e}(TID_i, TPD_i) = \hat{e}(k_i RegPW_i, hpw_i p_i P) = \hat{e}(k_i hpw_i^{-1} S_{ID_i}, hpw_i p_i P) = \hat{e}(k_i S_{ID_i}, p_i P) = \hat{e}(k_i s_{RC} H(ID_i), p_i P) = \hat{e}(H(ID_i), k_i p_i s_{RC} P) = \hat{e}(H(ID_i), k_i p_i Pub_{RC})$.

(2) The server $S_j$ authenticates the identity of $U_i$ by checking the validity of $C_4$ with the temporary secret key $TK_{ij}$. Similarly, $S_j$ is authenticated by checking the validity of $C_3$ with $TK_{ij}$. After the verification is finished, $S_j$ and $U_i$ negotiate the session key $sk_{ij}$, whose security rests on the CDHP.

Theorem 2: Our scheme keeps no verifier table at the server or at RC.

Proof: In our scheme, RC checks not only whether $U_i$ is eligible but also whether $\hat{e}(TID_i, TPD_i)$ equals the computed $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$. Clearly, RC verifies the user's identity without any verification table or password table.

Theorem 3: Our scheme does not require time synchronization and delay time limitation.

Proof: To use timestamps for authentication, all parties must maintain local clocks that are periodically synchronized in a secure manner with a reliable source of time. Between synchronizations with the reliable time source, local clocks may drift. In our scheme, the transmitted messages among the parties have no concern with timestamps.

Theorem 4: Our scheme allows the user to choose password freely and update password securely.

Proof: In our scheme, $U_i$ can select any string he likes and submit it to RC in the registration phase. Furthermore, $U_i$ must validate the old password before starting a password change.

Theorem 5: Our scheme withstands the following well-known attacks.

(1) Replay attack

Proof: The adversary may replay a message of the receiver or the sender from a previous session to pass the verification of the system, i.e., relay the previous message to masquerade as $U_i$ or $S_j$. Clearly, this does not work, because our scheme uses the temporary secret key $TK_{ij}$ ($= h(ID_i \| SID_j \| p_i \| N_j)$) to recognize the identity of both sides, and no one besides $U_i$ or $S_j$ can derive $TK_{ij}$.

(2) Impersonation attack

Proof: The adversary may intercept and analyze the login messages of a legal user and then construct a valid login message to pass the verification of the system. In our scheme, the adversary $U_a$ could construct a valid login request message only if he obtained the private key $s_{RC}$ of RC or the identity signature $S_{ID_i}$ of the user $U_i$. The former case can be ruled out since the private key $s_{RC}$ is kept secret by RC. If $U_a$ intercepts a previous login request message $\langle CID_i, TID_i, TPD_i, L_i \rangle$, he cannot derive the identity signature $S_{ID_i}$ from $TID_i$ ($= k_i hpw_i^{-1} S_{ID_i}$) without knowing $k_i$ and $hpw_i$.

(3) Portable storage device loss attack

Proof: With the rapid growth of flash memory, the current trend for portable storage devices is towards small size, which easily invites other attacks. If the mobile storage device of $U_i$ is lost or stolen for some reason, the password guessing attack is the most effective and powerful among the various attacks. The key to a password guessing attack is whether the attacker is able to verify the correctness of a guessed password. In our scheme, the adversary may steal the authentication information $\{RegPW_i, T_i, b_i\}$ stored in a common storage device or intercept the login request message $\langle CID_i, TID_i, TPD_i, L_i \rangle$. Even if $\{RegPW_i, T_i, b_i\}$ is stolen or the login request message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ is intercepted, they leak no redundancy that could be used to verify a guessed password. Hence, the off-line password guessing attack fails. On the other hand, the adversary may guess the password corresponding to the portable storage device by typing guessed passwords online. Since our scheme validates each guessed password, the number of guesses can be restricted to withstand the online guessing attack.

(4) Malicious insider attack

Proof: In general, the insider of the system is assumed to be trusted. However, insider attacks should be taken into consideration in real environments. We summarize the published schemes [6-13] and classify insider attacks into two types as follows.

• Insider attack from RC

Proof: As we know, the user $U_i$ submits the identity $ID_i$ and $hpw_i$ ($= h(PW_i \| b_i)$) to RC. Because the privileged insider cannot derive the password $PW_i$ from $hpw_i$ without knowing $b_i$, he cannot masquerade as $U_i$ to access the resources of other systems using the password $PW_i$.

• Insider attack from the server

In the following, we show that an insider of the server $S_j$ holding the secret value $h(ID_i \| SID_j \| p_i \| N_j)$ cannot masquerade as $U_i$ to cheat another server $S_k$. Assume the privileged insider replays the previous message $\langle CID^*_i, TID^*_i, TPD^*_i, L^*_i \rangle$ to $S_k$. After achieving mutual authentication with RC, the server $S_k$ derives the secret key $h(ID_i \| SID_j \| p_i \| N'_j)$ shared with $U_i$. Because the previous nonce $N_j$ is not equal to $N'_j$, the insider cannot compute $h(ID_i \| SID_j \| p_i \| N'_j)$ by himself. In other words, the insider of $S_j$ cannot pass the verification of $S_k$ without knowing the common secret key.

On the other hand, the insider of $S_j$ cannot masquerade as another server $S_k$ since the long-term private key $x_k$ of $S_k$ cannot be derived under SCK.

(5) High reparability

is lost or stolen. Once the corresponding password is leaked, the adversary can masquerade as the legal user to access the server's resources. In this situation, our scheme allows the user to submit another chosen password without changing his identity. After receiving the user's re-registration request, RC only updates the registration time and delivers the related parameters to the user over a secure channel.

B. Offer nice properties

(1) Protecting the user's identity

Proof: If the adversary wants to trace a legal user, he may intercept and analyze the messages transmitted over the public channel. In our scheme, $U_i$ sends the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$. If the adversary analyzes $CID_i$, it is infeasible to recognize the identity of $U_i$ since $H(ID_i)$ is protected by $p_i$. Moreover, $\langle CID_i, TID_i, TPD_i, L_i \rangle$ is dynamic since $n_i$ differs in each session. Therefore, our scheme achieves user anonymity [6].

(2) Forward secrecy

Proof: Forward secrecy is the assurance that previous session keys are not compromised if the system's secrets are leaked. In our scheme, every session key $sk_{ij}$ ($= h(n'_i n_j P)$) is fresh in each session and independent of the system's secrets such as $s_{RC}$ or $x_j$.

V. Functionality comparison

In this section, we compare the functionality of our scheme with other related schemes in Table 1. It shows that our scheme offers nice properties while retaining all advantages of a robust authentication scheme for the multi-server environment. As for performance, we focus on the computation cost. In the proposed scheme, the computation cost consists of bilinear pairing operations, scalar multiplications on the elliptic curve and hash operations. Although the computation cost of our scheme is higher than that of hash-based authentication schemes, our scheme requires no expensive bilinear pairing operation or modular exponentiation on the user's side. Hence, our scheme is well suited to devices with limited power.

Table 1 Functionality comparison between our scheme and other related schemes

        Ours   [13]   [12]   [10]   [11]
C1       ○      ○      ○      ○      X
C2       ○      ○      ○      ○      ○
C3       ○      ○      ○      ○      X
C4       ○      ○      ○      ○      X
A1       ○      ○      X      X      ○
A2       ○      ○      X      ○      X
A3       ○      ○      X      X      X
P1       ○      X      ○      ○      X
P2       ○      ○      X      X      X
P3       ○      ○      ○      X      X
P4       ○      X      X      X      X

C1: mutual authentication; C2: no verification table; C3: no time synchronization; C4: password updated securely and freely; A1: prevention of forgery attack; A2: prevention of server spoofing attack; A3: prevention of insider attack; P1: forward secrecy; P2: high reparability; P3: user's anonymity; P4: no smart card cooperation. (○: provided; X: not provided.)

VI. Conclusions

The issue of remote user authentication schemes using smart cards for the multi-server environment has received much attention recently. Although many such schemes have been presented successively, they are not suitable for applications without smart cards. In this paper, we propose for the first time an ID-based remote user authentication scheme without smart cards for the multi-server environment. Furthermore, the proposed scheme is the first to use one-time password authentication to enhance password security in the multi-server environment. We show that our scheme not only retains all advantages of a robust authentication scheme but also offers several nice properties, such as user identity protection and forward secrecy. Moreover, our scheme uses SCK to manage the public keys of the different service servers without concrete certificates, and the secrecy of the servers' private keys is preserved even under the assumption that a privileged insider of the registration center is untrusted.

References

[1] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (1981) 28-30.

[2] C. Fan, Y. Chan, Z. Zhang, Robust remote authentication scheme with smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 204-207.

[3] T. H. Chen, W. B. Lee, A new method for using hash functions to solve remote user authentication, Computers and Electrical Engineering 34 (2008) 53-62.

[4] M. L. Das, A. Saxena, V. P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Transactions on Consumer Electronics 50 (2) (2004) 629-631.

[5] M. L. Das, A. Saxena, V. P. Gulati, D. B. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers and Security 25 (3) (2006) 184-189.

[6] W. B. Lee, C. C. Chang, User identification and key distribution maintaining anonymity for distributed computer network, Computer System Science 15 (4) (2000) 211-214.

[7] W. J. Tsaur, C. C. Wu, W. B. Lee, A flexible user authentication for multi-server Internet services, Networking-JCN 2001, LNCS 2093, Springer-Verlag (2001) 174-183.

[8] L. Li, I. Lin, M. Hwang, A remote password authentication scheme for multi-server architecture using neural networks, IEEE Transactions on Neural Networks 12 (6) (2001) 1498-1504.

[9] C. Lin, M. S. Hwang, L. H. Li, A new remote user authentication scheme for multi-server architecture, Future Generation Computer Systems 19 (1) (2003) 13-22.

[10] W. S. Juang, Efficient multi-server password authenticated key agreement using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 251-255.

[11] C. Chang, J. S. Lee, An efficient and secure multi-server password authentication scheme using smart cards, Proceedings of the 2004 International Conference on Cyberworlds, IEEE (2004).

[12] Y. P. Liao, S. S. Wang, A secure dynamic ID-based remote user authentication scheme for multi-server environment, Computer Standards and Interfaces 31 (1) (2009) 24-29.

[13] H. C. Hsiang, W. K. Shih, Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards and Interfaces (2009), accepted and in press.

[14] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proceedings of Advances in Cryptology (CRYPTO'99) (1999) 399-397.

[15] T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smart card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541-552.

[16] S. Luo, J. Hu, Z. Chen, An identity-based one-time password scheme with anonymous authentication, 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing, IEEE (2009) 864-867.

[17] M. Girault, Self-certified public keys, Advances in Cryptology, Eurocrypt'91, Springer-Verlag (1991) 491-497.

[18] M. L. Das, A. Saxena, V. P. Gulati, D. B. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers and Security 25 (3) (2006) 184-189.
