An ID-based remote user authentication scheme without using smart cards for multi-server environment
(Chinese title, translated: An identity-based remote user authentication scheme without smart cards for multi-server environments)
Y. P. Liao (廖一評), Institute of Communication Engineering, Tatung University, and Department of Computer Science and Information Engineering, St. John's University. Email: newsun87@mail.sju.edu.tw
S. S. Wang (汪順祥), Institute of Communication Engineering, Tatung University. Email: sswang@ttu.edu.tw

Abstract- Remote user authentication schemes using smart cards for the multi-server environment have received much attention recently. Smart cards, however, are far from ubiquitous, since several practical obstacles have restricted their deployment. In this paper we propose the first ID-based remote user authentication scheme for the multi-server environment that does not use smart cards. The proposed scheme uses one-time password authentication to strengthen password security, and introduces self-certified public keys (SCK) to reduce the cost of public key management. We analyse the security of the scheme and compare its functionality with related schemes. The results show that our scheme retains all the advantages of a robust authentication scheme for the multi-server environment and additionally offers user identity protection and forward secrecy.
Key words: Smart cards; Multi-server environment; ID-based; Self-certified public key.
Abstract (Chinese version, translated)- Remote user authentication schemes for the multi-server environment have received considerable attention recently. However, several practical obstacles have limited the range of applications of smart cards, so that smart cards have not become widespread. In this paper we propose, for the first time, an identity-based remote user authentication scheme for the multi-server environment in which no smart card takes part. The scheme uses one-time password authentication to strengthen password security. It also introduces self-certified public keys to reduce the burden of public key management. The scheme has been analysed for security and compared in functionality with other schemes; the results show that it not only retains the robust security properties required in the multi-server environment but also provides additional features such as identity hiding and forward secrecy. Keywords: smart cards; multi-server environment; identity-based; self-certified public key.
I. Introduction
Remote user authentication has become an important issue for accessing a remote server's resources securely. Password authentication is one of the simplest and most common authentication mechanisms over an insecure channel, since it allows people to choose and remember their own passwords without any assisting device. In 1981, Lamport proposed a password authentication scheme based on cryptographic hash functions [1]. A common feature of conventional password authentication schemes is that the server keeps a verification table which contains the verifiers of the users' passwords. Such a table is exposed to risks such as tampering and stolen verifiers. To reduce these risks and the maintenance cost, many password-based remote user authentication schemes using smart cards, which need no password table, have been proposed for the single-server environment [2-5].
Recently, with the rapid growth of Internet services, more and more network architectures serve a multi-server environment, and remote user authentication schemes using smart cards for the multi-server environment have received much attention. Schemes designed for a single server are not well suited to the multi-server environment: if a user wants to access multiple service servers, it is infeasible to remember several identifiers and the corresponding passwords, and the distribution of secret keys among the involved parties becomes an important topic in itself. Several papers have studied secure access to the resources of a multi-server network [6-13]. With respect to computational cost, these schemes fall into two broad categories: those that employ public-key cryptosystems, and those that employ only simple one-way hash functions combined with a symmetric cryptosystem. However, these published schemes still have some unsolved weaknesses.
In general, a remote user authentication scheme for the multi-server environment should satisfy the following requirements [10]: (1) single registration; (2) no password table; (3) freedom from the serious time synchronization problem; (4) changing the password securely and freely; (5) resistance to well-known attacks such as guessing attacks, forgery attacks and server spoofing attacks; (6) efficient performance for users with low-power computing devices. However, the high cost of the cards and the limited availability of card readers restrict the application of smart cards. Moreover, researchers assume that the authentication information stored in a smart card may be extracted by analysing leaked information [14] or by monitoring the power consumption [15], so the secrets stored in the card can leak and lead to security flaws: for example, the adversary may use the extracted secrets to launch an off-line password guessing attack or a forgery attack. The reparability of the system must also be taken into account in practice [2]. These problems have confined smart cards to small application areas such as financial transactions. Portable storage devices such as USB memory sticks, on the other hand, have become common in offices and everywhere today's mobile workers go, but they lack tamper resistance. Hence password-based authentication schemes that rely on smart cards cannot be carried over directly to remote user authentication without smart cards.
In this paper, we propose the first ID-based remote user authentication scheme for the multi-server environment that does not use smart cards. The proposed scheme uses one-time password authentication to strengthen password security [16]. Our scheme is practical while retaining all the advantages of a robust remote user authentication scheme for the multi-server environment, and has the following features: (1) it achieves mutual authentication and session key agreement; (2) it withstands attacks based on disclosure of the secrets stored in a common storage device; (3) no registered server maintains a verification table; (4) the public key of each registered server is authenticated without an explicit certificate; (5) the private key of a registered server cannot be recovered by the trusted third party (TTP) or by the other servers. The remainder of the paper is organized as follows. Section II gives some preliminaries, including bilinear pairings and the related computational problems. Section III presents the details of the proposed scheme. Sections IV and V give the security analysis and the functionality comparison with related schemes. Finally, Section VI concludes.
II. Preliminaries
In this section, we introduce bilinear pairings and the related computational problems.
A. Bilinear pairings
Bilinear pairings, namely the Weil pairing or the Tate pairing, are used in important cryptographic applications. Let $\langle G_1, + \rangle$ be an additive cyclic group of prime order $q$ generated by $P$, and let $\langle G_2, \times \rangle$ be a multiplicative cyclic group of the same order. A bilinear pairing is a map $\hat{e}: G_1 \times G_1 \to G_2$ defined on an elliptic curve. For brevity, the related properties are omitted here; the reader is referred to [ ].
B. Computation problems
To establish the security level of the proposed authentication scheme, some mathematical assumptions on elliptic curves are introduced.
B-1 Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given $Q = kP$, where $P, Q \in G_1$: it is easy to compute $Q$ from $k$ and $P$, but it is hard to determine $k$ from $Q$ and $P$.
B-2 Computational Diffie-Hellman Problem (CDHP)
For $a, b \in Z_q^*$, given $P, aP, bP \in G_1$, it is hard to compute $abP$.
III. The proposed scheme
In this section, we propose an ID-based remote user authentication scheme without smart cards for the multi-server environment. Without loss of generality, the parties of the system are one registration center (RC), $m$ users ($U_i$) and $n$ service servers ($S_j$). Our scheme is a three-party authenticated key exchange (3P-AKE) protocol and is divided into the setup phase, registration phase, login phase, verification phase and password change phase. The phases are described below and shown in Fig. 1-3.
A. Setup Phase
Let $G_1$ be an additive cyclic group of prime order $q$ generated by $P$, and $G_2$ a multiplicative cyclic group of the same order. Define $H: \{0,1\}^* \to G_1$ and $h: \{0,1\}^* \to \{0,1\}^n$ as cryptographic hash functions. RC holds the secret key $s_{RC}$ with the corresponding public key $Pub_{RC} = s_{RC}P$.
When RC admits $S_j$, RC and $S_j$ cooperate to generate the key pair of $S_j$ using self-certified public keys (SCK), an efficient alternative to certificate-based public key infrastructure (PKI) [17]. SCK reduce the communication and management overhead of the system's public keys: instead of verifying a public key through an explicit signature on it, a server's public key is reconstructed from its identity and its public key parameter, without any certificate. The protocol is as follows.
S1: Private key generation. $S_j$ chooses a random number $k_j \in Z_q^*$, computes $K_j = k_jP$, and sends $K_j$ together with its identity $SID_j$ to RC over a secure channel. After receiving $K_j$ and $SID_j$, RC checks whether $S_j$ is eligible. If so, RC picks a random number $r_j$, computes $R_j = K_j + r_jP$, and uses its own secret key $s_{RC}$ to compute the signature parameter $x_j'$:
$$x_j' = s_{RC}\, h(SID_j \| R_j) + r_j \quad (1)$$
Then $x_j'$ is transmitted securely to $S_j$, which obtains its private key as
$$x_j = x_j' + k_j \quad (2)$$
S2: Public key extraction. After this pre-deployment, the public key $Pub_j$ of $S_j$ can be computed by anyone who obtains the public key parameter $R_j$ and the identity $SID_j$ from the public server registration table:
$$Pub_j = R_j + h(SID_j \| R_j)\, Pub_{RC} \quad (3)$$
Equation (3) holds because
$$Pub_j = x_jP = (x_j' + k_j)P = (s_{RC}\, h(SID_j \| R_j) + r_j + k_j)P = h(SID_j \| R_j)\, s_{RC}P + (r_j + k_j)P = h(SID_j \| R_j)\, Pub_{RC} + R_j.$$
Note that RC never learns $k_j$, and therefore not $x_j$ either, so the private key of $S_j$ is not revealed to RC.
B. Registration phase
If $U_i$ wants to access the resources of the system, he performs the following steps in the registration phase.
R1: $U_i$ selects his identity $ID_i$ and password $PW_i$. Next, $U_i$ chooses a random number $b_i$, computes the hashed password $hpw_i = h(PW_i \| b_i)$, and sends $\langle ID_i, hpw_i \rangle$ to RC over a secure channel.
R2: After receiving $\langle ID_i, hpw_i \rangle$ at time $T_i$, RC checks whether $U_i$ is already registered. If not, RC creates an entry for $U_i$ in the registration table and stores $ID_i$, $H(ID_i)$ and $T_{reg} = T_i$ in it; otherwise, RC only updates $T_{reg}$ to $T_i$ in the existing entry for $U_i$. In this paper, $T_{reg}$ denotes the registration time of a new or re-registered user. Next, RC computes the identity signature $S_{ID_i} = s_{RC} H(ID_i)$ and $Reg_{PW_i} = hpw_i^{-1} S_{ID_i}$ (the inverse of $hpw_i$ taken in $Z_q^*$). After that, RC delivers $\{Reg_{PW_i}, T_i\}$ to $U_i$ over a secure channel.
R3: $U_i$ stores $\{Reg_{PW_i}, T_i\}$ along with $b_i$ in a common storage device.
C. Login phase
Whenever the user $U_i$ wants to access the resources of $S_j$, he performs the following steps.
L1: $U_i$ submits $ID_i$, $PW_i$ and $SID_j$. $U_i$ then generates a random number $n_i \in Z_q^*$ and computes $N_i = n_iP$, $p_i = h(N_i)$, $L_i = n_i Pub_{RC}$ and $k_i = h(ID_i \| SID_j \| p_i \| T_i)$.
L2: $U_i$ computes the hashed password $hpw_i = h(PW_i \| b_i)$, the dynamic identity $CID_i = p_i H(ID_i)$, $TID_i = k_i Reg_{PW_i}$ and the one-time password $TPD_i = (hpw_i \cdot p_i)P$. Finally, $U_i$ sends $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$ over a public channel.
D. Verification phase
1) Authentication of server and RC
After receiving the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$, $S_j$ and RC run the following steps to authenticate each other. RC is responsible for verifying $U_i$; once the identity of $U_i$ is assured, $S_j$ derives the temporary secret key $TK_{ij}$ shared with $U_i$. The procedure is as follows.
V1: $S_j$ chooses a random number $n_j \in Z_q^*$ and computes $N_j = n_jP$. Next, $S_j$ computes the long-term shared secret key $AK_1 = x_j Pub_{RC}$, whose secrecy rests on the CDHP.
V2: $S_j$ computes $Auth_j = h(SID_j \| AK_1 \| N_j \| L_i)$ and sends $\langle CID_i, TID_i, TPD_i, L_i, N_j, SID_j, Auth_j \rangle$ to RC.
V3: Following the SCK construction above, RC fetches the public parameter $R_j$ from the public server registration table and computes the public key $Pub_j$ of $S_j$ by equation (3). RC then computes the long-term secret key $AK_2 = s_{RC} Pub_j$ and checks whether the received $Auth_j$ equals $h(SID_j \| AK_2 \| N_j \| L_i)$. If so, $S_j$ is authentic; otherwise RC rejects the connection. (Note that $AK_2 = s_{RC} x_j P = x_j Pub_{RC} = AK_1$.)
V4: RC computes $p_i = h(s_{RC}^{-1} L_i)$, since $s_{RC}^{-1} L_i = N_i$, and extracts $H(ID_i) = p_i^{-1} CID_i$. RC then checks whether $H(ID_i)$ exists in the user registration table. Next, RC computes $k_i = h(ID_i \| SID_j \| p_i \| T_i)$ using the stored registration time $T_{reg}$ as $T_i$, and checks whether $\hat{e}(TID_i, TPD_i)$ equals $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$. If so, the identity of $U_i$ is assured and RC continues with the next step; otherwise RC rejects.
V5: RC chooses a random number $n_{RC} \in Z_q^*$ and computes $N_{RC} = n_{RC}P$. After that, RC computes $TK_{ij} = h(ID_i \| SID_j \| p_i \| N_j)$, $Auth_{RC} = h(SID_j \| AK_2 \| N_j \| N_{RC} \| L_i)$, $C_1 = Auth_{RC} \oplus TK_{ij}$ and $C_2 = h(Auth_{RC} \| TK_{ij})$. Finally, RC sends $\langle C_1, C_2, N_{RC} \rangle$ to $S_j$.
V6: $S_j$ computes $Auth^*_{RC} = h(SID_j \| AK_1 \| N_j \| N_{RC} \| L_i)$ and $TK^*_{ij} = C_1 \oplus Auth^*_{RC}$, and verifies whether $C_2$ equals $h(Auth^*_{RC} \| TK^*_{ij})$. If so, RC is authentic.
2) Authentication of server and user
After the authentication between server and RC, $S_j$ holds $TK_{ij}$, the temporary secret key shared with $U_i$. Then $S_j$ and $U_i$ perform the following steps to achieve mutual authentication.
V7: $S_j$ computes $C_3 = h(TK_{ij} \| N_j)$ and sends $\langle C_3, N_j \rangle$ to $U_i$.
V8: $U_i$ checks the validity of $S_j$ by computing $TK^*_{ij} = h(ID_i \| SID_j \| p_i \| N_j)$ and comparing $C_3$ with $h(TK^*_{ij} \| N_j)$. If they are equal, the identity of $S_j$ is assured. $U_i$ then chooses a random number $n_i'$, computes $N_i' = n_i'P$ and $C_4 = h(TK^*_{ij} \| N_j \| N_i')$, and sends $\langle C_4, N_i' \rangle$ to $S_j$.
V9: After receiving $\langle C_4, N_i' \rangle$ from $U_i$, $S_j$ computes $h(TK_{ij} \| N_j \| N_i')$ and compares it with the received $C_4$. If they are equal, $U_i$ is authentic. Both $S_j$ and $U_i$ then hold the common session key $SK_{ij} = h(n_i' N_j) = h(n_j N_i')$, which protects the sensitive information exchanged afterwards.
E. Password change phase
If the user $U_i$ wants to change his password for some reason, he first sends a password change request to RC. Once RC has verified that the requester is $U_i$ and the two have completed mutual authentication, they share a common session key $sk_{ij}$. We omit this authentication, since it is similar to the one described above. Next, $U_i$ performs the following steps to update the password.
PC1: $U_i$ selects $PW_i^{new}$ and computes $nhpw_i = h(PW_i^{new} \| b_i)$. He then computes $PC_{i1} = nhpw_i \oplus sk_{ij}$ and $PC_{i2} = h(sk_{ij} \| nhpw_i)$, and sends $\langle PC_{i1}, PC_{i2} \rangle$ to RC.
PC2: After receiving $\langle PC_{i1}, PC_{i2} \rangle$, RC uses the session key $sk_{ij}$ to extract the new hashed password $nhpw_i = PC_{i1} \oplus sk_{ij}$ and checks whether the authentication tag $PC_{i2}$ equals the computed $h(sk_{ij} \| nhpw_i)$. If so, RC computes the new authentication information $Reg^{new}_{PW_i} = nhpw_i^{-1} S_{ID_i}$, $PC_{i3} = Reg^{new}_{PW_i} \oplus sk_{ij}$ and $PC_{i4} = h(sk_{ij} \| Reg^{new}_{PW_i})$, and sends $\langle PC_{i3}, PC_{i4} \rangle$ to $U_i$.
PC3: Similarly, $U_i$ extracts $Reg^{new}_{PW_i} = PC_{i3} \oplus sk_{ij}$ and checks the correctness of $PC_{i4}$ against the computed $h(sk_{ij} \| Reg^{new}_{PW_i})$. If $PC_{i4}$ is valid, $Reg_{PW_i}$ is replaced with $Reg^{new}_{PW_i}$.
Fig. 1 Registration phase and login phase (figure not reproduced; it shows the messages $\langle ID_i, hpw_i \rangle$ and $\{Reg_{PW_i}, T_i\}$ of steps R1-R2, the user's stored values $\{Reg_{PW_i}, T_i, b_i\}$, and the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ of step L2)
Fig. 2 Authentication of server and RC in verification phase (figure not reproduced; it shows steps V1-V6 with the messages $\langle CID_i, TID_i, TPD_i, L_i, N_j, SID_j, Auth_j \rangle$ and $\langle C_1, C_2, N_{RC} \rangle$)
Fig. 3 Authentication of user and server in verification phase (figure not reproduced; it shows steps V7-V9 with the messages $\langle C_3, N_j \rangle$ and $\langle C_4, N_i' \rangle$)
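The SCK key set-up of section III.A (equations 1-3) and the verification phase V1-V9 of section III.D, as one runnable Python example added by the editor; it is not code from the paper. It assumes secp256k1 in place of the pairing-friendly group $G_1$, so the pairing check of step V4 is noted but skipped; it models $H(ID)$ as $h'(ID)P$, reduces hash outputs modulo $q$ wherever the paper uses them as scalars, replaces the secure channels with function calls, and uses a constructed registration time. The function names `run`, `server_keygen`, `extract_pub`, `add`, `mul`, `enc`, `h`, `rnd` and the sample identity, password and server name are the example's own.

```python
"""Editor's worked example, not code from the paper: the SCK key set-up of
section III.A (eqs. 1-3) and the hash-based three-party key exchange of the
verification phase (V1-V9), end to end on secp256k1 in pure Python.  Assumed
simplifications: secp256k1 stands in for G1 (not pairing-friendly, so the
pairing check in V4 is skipped); H(ID) is modelled as h'(ID)P; hash outputs
are reduced mod q where used as scalars; secure channels are function calls."""
import hashlib
import secrets
# secp256k1: field prime, group order q, generator P (affine; None = infinity)
FP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition on y^2 = x^3 + 7 over GF(FP)."""
    if A is None or B is None:
        return A if B is None else B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None                                   # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R, k = None, k % Q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(v):
    """Fixed-width encoding of points, scalars and strings for hashing."""
    if isinstance(v, tuple):
        return b"%064x%064x" % v
    return b"%064x" % v if isinstance(v, int) else str(v).encode()

def h(*parts):
    """h: {0,1}* -> {0,1}^n, here SHA-256 over the '||'-joined encodings."""
    return int.from_bytes(hashlib.sha256(b"||".join(map(enc, parts))).digest(), "big")

def rnd():
    return secrets.randbelow(Q - 1) + 1               # random element of Z_q^*

def server_keygen(sid, s_rc):
    """S1: S_j picks k_j, RC picks r_j and signs.  Returns (x_j, R_j)."""
    k = rnd(); K = mul(k, P)                          # K_j = k_j P, sent to RC
    r = rnd(); R = add(K, mul(r, P))                  # RC: R_j = K_j + r_j P
    x_sig = (s_rc * h(sid, R) + r) % Q                # eq. (1): s_RC h(SID_j||R_j) + r_j
    return (x_sig + k) % Q, R                         # eq. (2): x_j = x'_j + k_j

def extract_pub(sid, R, pub_rc):
    """S2, eq. (3): Pub_j = R_j + h(SID_j||R_j) Pub_RC, from public data only."""
    return add(R, mul(h(sid, R), pub_rc))

def run(ident="alice", pw="correct horse", sid="S1"):
    s_rc = rnd(); pub_rc = mul(s_rc, P)               # RC key pair (s_RC, Pub_RC)
    x_j, R_j = server_keygen(sid, s_rc)               # S_j key pair via SCK
    # Registration R1-R3 (secure channel); T_reg is a constructed timestamp
    b, T_reg = rnd(), 1700000000; hpw = h(pw, b) % Q
    H_id = mul(h("H", ident), P)                      # toy map-to-point H(ID_i)
    Reg = mul(pow(hpw, -1, Q), mul(s_rc, H_id))       # Reg_PW_i = hpw_i^{-1} S_ID_i
    table = {H_id: (ident, T_reg)}                    # RC's registration table
    # Login L1-L2 (user): p_i, L_i, k_i, then dynamic ID and one-time password
    n_i = rnd(); N_i = mul(n_i, P); p_i = h(N_i) % Q; L_i = mul(n_i, pub_rc)
    k_i = h(ident, sid, p_i, T_reg) % Q
    CID, TID, TPD = mul(p_i, H_id), mul(k_i, Reg), mul(hpw * p_i % Q, P)
    # V1-V2 (server): long-term key AK1 with RC, MAC over the login message
    n_j = rnd(); N_j = mul(n_j, P); AK1 = mul(x_j, pub_rc)
    Auth_j = h(sid, AK1, N_j, L_i)
    # V3-V4 (RC): rebuild Pub_j, derive AK2 (= AK1 iff Pub_j = x_j P), recover user
    AK2 = mul(s_rc, extract_pub(sid, R_j, pub_rc))
    if Auth_j != h(sid, AK2, N_j, L_i):
        return "RC rejects server"
    p_rc = h(mul(pow(s_rc, -1, Q), L_i)) % Q          # s_RC^{-1} L_i = N_i
    H_rc = mul(pow(p_rc, -1, Q), CID)                 # p_i^{-1} CID_i = H(ID_i)
    if H_rc not in table: return "RC rejects user"
    id_rc, t_rc = table[H_rc]
    # e(TID,TPD) == e(H(ID_i), k_i p_i Pub_RC), k_i = h(ID_i||SID_j||p_i||t_rc): needs pairing, skipped
    # V5 (RC) -> V6 (server): TK_ij masked by Auth_RC, integrity tag C2
    n_rc = rnd(); N_rc = mul(n_rc, P); TK = h(id_rc, sid, p_rc, N_j)
    Auth_rc = h(sid, AK2, N_j, N_rc, L_i); C1, C2 = Auth_rc ^ TK, h(Auth_rc, TK)
    Auth_s = h(sid, AK1, N_j, N_rc, L_i); TK_s = C1 ^ Auth_s
    if C2 != h(Auth_s, TK_s): return "server rejects RC"
    # V7-V9 (server <-> user): confirm TK_ij both ways, then ECDH session key
    C3 = h(TK_s, N_j); TK_u = h(ident, sid, p_i, N_j)
    if C3 != h(TK_u, N_j):
        return "user rejects server"
    n_i2 = rnd(); N_i2 = mul(n_i2, P); C4 = h(TK_u, N_j, N_i2)
    if C4 != h(TK_s, N_j, N_i2):
        return "server rejects user"
    sk_user, sk_server = h(mul(n_i2, N_j)), h(mul(n_j, N_i2))
    return "ok" if sk_user == sk_server else "key mismatch"
```

Calling `run()` performs one complete login and returns `ok`. The equality $AK_1 = AK_2$ that makes steps V3 and V6 succeed holds only because $Pub_j$, reconstructed from the public pair $(SID_j, R_j)$ by equation (3), equals $x_jP$; that is exactly the property the SCK set-up provides, and `extract_pub` exercises it without any certificate.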
IV. Security analysis
In this section, we discuss the security of the proposed scheme. It aims to satisfy all the criteria for a robust remote user authentication protocol, and furthermore offers user identity protection and forward secrecy.
A. Satisfying the criteria of a robust remote user authentication protocol
Theorem 1: Our scheme achieves mutual authentication and session key agreement.
Proof: In our scheme, $U_i$ sends the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$. After receiving it, $S_j$ asks RC to verify the identity of $U_i$. To recognize each other, $S_j$ and RC achieve mutual authentication with a hashed message authentication code (HMAC) keyed by the common secret $AK_1 (= AK_2)$, whose secrecy rests on the CDHP. Then $U_i$ is authenticated by RC and $S_j$ as follows.
(1) RC checks whether the computed $\hat{e}(TID_i, TPD_i)$ equals $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$, in the manner of the BLS short signature scheme [18]. If so, RC confirms the legality of $S_j$ and responds with $\langle C_1, C_2, N_{RC} \rangle$ to $S_j$, from which $S_j$ derives the secret key $TK_{ij}$ shared with $U_i$. The verification works because
$$\hat{e}(TID_i, TPD_i) = \hat{e}(k_i Reg_{PW_i}, (hpw_i \cdot p_i)P) = \hat{e}(k_i hpw_i^{-1} S_{ID_i}, hpw_i p_i P) = \hat{e}(k_i S_{ID_i}, p_i P) = \hat{e}(k_i s_{RC} H(ID_i), p_i P) = \hat{e}(H(ID_i), k_i p_i s_{RC} P) = \hat{e}(H(ID_i), k_i p_i Pub_{RC}).$$
(2) The server $S_j$ authenticates the identity of $U_i$ by checking the validity of $C_4$ with the temporary secret key $TK_{ij}$. Similarly, $S_j$ is authenticated by $U_i$ by checking the validity of $C_3$ with $TK_{ij}$. After the verification is finished, $S_j$ and $U_i$ agree on the session key $SK_{ij}$, whose secrecy rests on the CDHP.
Theorem 2: Our scheme keeps no verifier table in the server or in RC.
Proof: In our scheme, RC checks not only whether $U_i$ is eligible but also whether $\hat{e}(TID_i, TPD_i)$ equals the computed $\hat{e}(H(ID_i), k_i p_i Pub_{RC})$. The registration table holds only $ID_i$, $H(ID_i)$ and the registration time; no password verifier is stored. Hence RC verifies the user's identity without any verification table or password table, and the servers store nothing about users at all.
Theorem 3: Our scheme requires neither time synchronization nor a delay time limit.
Proof: To use timestamps for authentication, all parties must maintain local clocks that are periodically synchronized in a secure manner with a reliable time source, and between synchronizations the local clocks may drift. In our scheme, none of the transmitted messages depends on a timestamp; the registration time $T_i$ enters only as a fixed input to $k_i$ and is never compared against a clock.
Theorem 4: Our scheme allows the user to choose the password freely and to update it securely.
Proof: In our scheme, $U_i$ can select any string he likes and submit it to RC in the registration phase. Furthermore, $U_i$ must authenticate with the old password before the password change can start.
Theorem 5: Our scheme withstands the following well-known attacks.
(1) Replay attack
Proof: The adversary may replay a message of the receiver or the sender from a previous session in order to pass the verification of the system, and thereby masquerade as $U_i$ or $S_j$. This does not work because our scheme uses the temporary secret key $TK_{ij} (= h(ID_i \| SID_j \| p_i \| N_j))$, bound to the fresh nonce $N_j$, to recognize the identity of both sides, and nobody other than $U_i$, $S_j$ and RC can derive $TK_{ij}$.
(2) Impersonation attack
Proof: The adversary may intercept and analyse the login message of a legal user and then construct a valid login message to pass the verification of the system. In our scheme, an adversary $U_a$ could construct a valid login request only by obtaining the private key $s_{RC}$ of RC or the identity signature $S_{ID_i}$ of the user $U_i$. The former case is ruled out since $s_{RC}$ is kept secret by RC. If $U_a$ intercepts a previous login request $\langle CID_i, TID_i, TPD_i, L_i \rangle$, he cannot derive $S_{ID_i}$ from $TID_i (= k_i \cdot hpw_i^{-1} S_{ID_i})$ without knowing $k_i$ and $hpw_i$.
(3) Portable storage device loss attack
Proof: With the rapid growth of flash memory, portable storage devices keep getting smaller, and they are easily lost, which opens the door to further attacks. If the mobile storage device of $U_i$ is lost or stolen, the password guessing attack is the most effective and powerful of these. The key to a password guessing attack is whether the attacker can verify the correctness of a guessed password. In our scheme, the adversary may steal the authentication information $\{Reg_{PW_i}, T_i, b_i\}$ stored in the common storage device, or intercept the login request $\langle CID_i, TID_i, TPD_i, L_i \rangle$. Even if $\{Reg_{PW_i}, T_i, b_i\}$ is stolen or the login request is intercepted, neither yields any redundancy against which a guessed password could be checked, so the off-line password guessing attack fails. Alternatively, the adversary may try guessed passwords against the portable storage device online; since the system validates each guess, the number of guesses can be limited to withstand the online guessing attack.
(4) Malicious insider attack
Proof: In general, the insiders of the system are assumed to be trusted, but for a real environment the insider attack must be taken into account. Summarizing the published schemes [6-13], we classify insider attacks into two types.
Insider attack from RC: The user $U_i$ submits the identity $ID_i$ and $hpw_i (= h(PW_i \| b_i))$ to RC. Because a privileged insider cannot derive the password $PW_i$ from $hpw_i$ without knowing $b_i$, he cannot masquerade as $U_i$ to access the resources of other systems with the password $PW_i$.
Insider attack from the server: We show that an insider of the server $S_j$, who knows the secret value $h(ID_i \| SID_j \| p_i \| N_j)$, cannot masquerade as $U_i$ to cheat another server $S_k$. Suppose the privileged insider replays a previous message $\langle CID_i^*, TID_i^*, TPD_i^*, L_i^* \rangle$ to $S_k$. After achieving mutual authentication with RC, the server $S_k$ derives the secret key $h(ID_i \| SID_k \| p_i \| N_k)$ shared with $U_i$, where $N_k$ is the fresh nonce chosen by $S_k$. Because the previous nonce $N_j$ differs from $N_k$ (and $SID_j$ from $SID_k$), the insider cannot compute $h(ID_i \| SID_k \| p_i \| N_k)$ by himself. In other words, the insider of $S_j$ cannot pass the verification of $S_k$ without knowing the common secret key. Moreover, the insider of $S_j$ cannot masquerade as another server $S_k$, since the long-term private key $x_k$ of $S_k$ cannot be derived under SCK.
(5) High reparability
Proof: Suppose the common storage device of $U_i$ is lost or stolen. Once the corresponding password is leaked, the adversary can masquerade as the legal user to access the server's resources. In this situation, our scheme allows the user to submit another password of his choice without changing his identity: after receiving the user's re-registration request, RC only updates the registration time and delivers the related parameters to the user over a secure channel.
B. Additional properties
(1) Protecting the user's identity
Proof: If the adversary wants to trace a legal user, he may intercept and analyse the messages transmitted over the public channel. In our scheme, $U_i$ sends the login message $\langle CID_i, TID_i, TPD_i, L_i \rangle$ to $S_j$. Analysing $CID_i$ does not reveal the identity of $U_i$, since $H(ID_i)$ is masked by $p_i$. Moreover, $\langle CID_i, TID_i, TPD_i, L_i \rangle$ is dynamic, since $n_i$ differs in each session. Therefore, our scheme achieves user anonymity [6].
(2) Forward secrecy
Proof: Forward secrecy is the assurance that previous session keys are not compromised if the system's long-term secrets are leaked. In our scheme, each session key $SK_{ij} (= h(n_i' n_j P))$ is derived from fresh ephemeral values and is independent of the system's long-term secrets such as $s_{RC}$ or $x_j$.
V. Functionality comparison
In this section, we compare the functionality of our scheme with related schemes in Table 1. The table shows that our scheme offers the additional properties while retaining all the advantages of a robust authentication scheme for the multi-server environment. For the performance analysis we focus on the computation cost, which in the proposed scheme consists of bilinear pairing operations, elliptic curve scalar multiplications and hash operations. Although the computation cost of our scheme is higher than that of purely hash-based authentication schemes, the user's side requires neither the expensive bilinear pairing operation nor modular exponentiation. Hence our scheme is well suited to devices with limited computing power.
Table 1 Functionality comparison between our scheme and other related schemes

                                              Ours   [13]   [12]   [10]   [11]
C1: mutual authentication                      ○      ○      ○      ○      X
C2: no verification table                      ○      ○      ○      ○      ○
C3: no time synchronization                    ○      ○      ○      ○      X
C4: password updated securely and freely       ○      ○      ○      ○      X
A1: prevention of forgery attack               ○      ○      X      X      ○
A2: prevention of server spoofing attack       ○      ○      X      ○      X
A3: prevention of insider attack               ○      ○      X      X      X
P1: forward secrecy                            ○      X      ○      ○      X
P2: high reparability                          ○      ○      X      X      X
P3: user's anonymity                           ○      ○      ○      X      X
P4: no smart card cooperation                  ○      X      X      X      X

○: the property is provided; X: the property is not provided.
VI. Conclusions
Remote user authentication schemes using smart cards for the multi-server environment have received much attention recently. Although many such schemes have been presented, they are not suitable for applications without smart cards. In this paper, we have proposed the first ID-based remote user authentication scheme without smart cards for the multi-server environment, and the first to use one-time password authentication to strengthen password security in that setting. We have shown that our scheme not only retains all the advantages of a robust authentication scheme but also offers user identity protection and forward secrecy. Moreover, our scheme uses SCK to manage the public keys of the service servers without certificates, and the private keys of the servers remain secure even under the assumption that a privileged insider of the registration center is untrusted.
References
[1] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (11) (1981) 770-772.
[2] C. Fan, Y. Chan, Z. Zhang, Robust remote authentication scheme with smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 204-207.
[3] T. H. Chen, W. B. Lee, A new method for using hash functions to solve remote user authentication, Computers and Electrical Engineering 34 (2008) 53-62.
[4] M. L. Das, A. Saxena, V. P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Transactions on Consumer Electronics 50 (2) (2004) 629-631.
[5] M. L. Das, A. Saxena, V. P. Gulati, D. B. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers and Security 25 (3) (2006) 184-189.
[6] W. B. Lee, C. C. Chang, User identification and key distribution maintaining anonymity for distributed computer networks, Computer Systems Science and Engineering 15 (4) (2000) 211-214.
[7] W. J. Tsaur, C. C. Wu, W. B. Lee, A flexible user authentication scheme for multi-server Internet services, Networking - ICN 2001, LNCS 2093, Springer-Verlag (2001) 174-183.
[8] L. H. Li, I. C. Lin, M. S. Hwang, A remote password authentication scheme for multi-server architecture using neural networks, IEEE Transactions on Neural Networks 12 (6) (2001) 1498-1504.
[9] I. C. Lin, M. S. Hwang, L. H. Li, A new remote user authentication scheme for multi-server architecture, Future Generation Computer Systems 19 (1) (2003) 13-22.
[10] W. S. Juang, Efficient multi-server password authenticated key agreement using smart cards, IEEE Transactions on Consumer Electronics 50 (1) (2004) 251-255.
[11] C. C. Chang, J. S. Lee, An efficient and secure multi-server password authentication scheme using smart cards, Proceedings of the 2004 International Conference on Cyberworlds, IEEE (2004).
[12] Y. P. Liao, S. S. Wang, A secure dynamic ID-based remote user authentication scheme for multi-server environment, Computer Standards and Interfaces 31 (1) (2009) 24-29.
[13] H. C. Hsiang, W. K. Shih, Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards and Interfaces (2009), accepted and in press.
[14] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Advances in Cryptology (CRYPTO '99), LNCS 1666, Springer-Verlag (1999) 388-397.
[15] T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smart card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541-552.
[16] S. Luo, J. Hu, Z. Chen, An identity-based one-time password scheme with anonymous authentication, 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing, IEEE (2009) 864-867.
[17] M. Girault, Self-certified public keys, Advances in Cryptology (EUROCRYPT '91), Springer-Verlag (1991) 491-497.
[18] M. L. Das, A. Saxena, V. P. Gulati, D. B. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers and Security 25 (3) (2006) 184-189.