Abstract
Recently, Wen et al. have developed three-factor authentication protocol for multi-server environment, claiming it to be resistant to several kinds of attacks. In this paper, we review Wen et al.’s protocol and find that it does not fortify against many security vulnerabilities: (1) inaccurate password change phase, (2) failure to achieve forward secrecy, (3) improper authentication, (4) known session-specific temporary information vulnerability and (5) lack of smart card revocation and biometric update phase. To get rid of these security weaknesses, we present a safe and reliable three-factor authentication scheme usable in multi-server environment. The Burrows–Abadi–Needham logic shows that our scheme is accurate, and the formal and informal security verifications show that it can defend against various spiteful threats. Further, we simulate our scheme using the broadly known Automated Validation of Internet Security Protocols and Applications tool, which ensures that it is safe from the active and passive attacks and also prevent the replay and man-in-the-middle attacks. The performance evaluation shows that the presented protocol gives strong security as well as better complexity in the terms of communication cost, computation cost and estimated time.
Article PDF
Similar content being viewed by others
Avoid common mistakes on your manuscript.
References
Khan, M.K.; Kumari, S.: An authentication scheme for secure access to healthcare services. J. Med. Syst. 37(4), 1–12 (2013)
He, D.; Kumar, N.; Khan, M.H.; Lee, J.H.: Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Trans. Consum. Electron. 59(4), 811–817 (2013)
Islam, S.H.; Khan, M.K.: Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10), 1–16 (2014)
Amin, R.; Biswas, G.P.: A secure three-factor user authentication and key agreement protocol for tmis with user anonymity. J. Med. Syst. 39(8), 1–19 (2015)
Amin, R.; Islam, S.H.; Biswas, G.P.; Khan, M.K.; Li, X.: Cryptanalysis and enhancement of anonymity preserving remote user mutual authentication and session key agreement scheme for e-health care systems. J. Med. Syst. 39(11), 1–21 (2015)
Kumari, S.; Om, H.: Authentication protocol for wireless sensor networks applications like safety monitoring in coal mines. Comput. Netw. 104, 137–154 (2016)
Amin, R.; Biswas, G.P.: A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis. J. Med. Syst. 39(3), 1–17 (2015)
Mishra, D.; Kumari, S.; Khan, M.K.; Mukhopadhyay, S.: An anonymous biometricbased remote userauthenticated key agreement scheme for multimedia systems. Int. J. Commun. Syst.(2015). doi:10.1002/dac.2946
Kim, M.; Park, N.; Won, D.: Security improvement on a dynamic ID-based remote user authentication scheme with session key agreement for multi-server environment. SecTech/CA/CES3 339, 122–127 (2012)
Amin, R.; Biswas, G.P.: Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wirel. Personal Commun. 84(1), 439–462 (2015)
Guo, D.; Wen, F.: Analysis and improvement of a robust smart card basedauthentication scheme for multi-server architecture. Wirel. Personal Commun. 78(1), 475–490 (2014)
Tsai, J.L.; Lo, N.W.; Wu, T.C.: A new password-based multi-server authentication scheme robust to password guessing attacks. Wirel. Personal Commun. 71(3), 1977–1988 (2013)
Chang, C.C.; Cheng, T.F.; Hsueh, W.Y.: A robust and efficient dynamic identitybased multiserver authentication scheme using smart cards. Int. J. Commun. Syst. 29(2), 290–306 (2016)
Chen, C.T.; Lee, C.C.: A two-factor authentication scheme with anonymity for multiserver environments. Secur. Commun. Netw. 8(8), 1608–1625 (2015)
Tsai, J.L.; Lo, N.W.: Secure chaotic mapsbased authenticated key agreement protocol without smartcard for multiserver environments. Secur. Commun. Netw. 8(11), 1971–1978 (2015)
Ford, W.; Jr.; B. S. K.: Server-assisted generation of a strong secret from a password. In: Proceedings of the 9th IEEE International Workshops on Enabling Technologies, pp. 176–180 (2000)
Jablon, D.P.: Password authentication using multiple servers. In: Proceedings of the RSA security conference, LNCS 2020, 344–360 (2001)
Liao, Y.P.; Hsiao, C.M.: A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients. Future Gener. Comput. Syst. 29(3), 886–900 (2013)
Hsiang, H.C.; Shih, W.K.: Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interfaces 31(6), 1118–1123 (2009)
Sood, S.K.; Sarje, A.K.; Singh, K.: A secure dynamic identity based authentication protocol for multi-server architecture. J. Netw. Comput. Appl. 34(2), 609–618 (2011)
Li, X.; Xiong, Y.; Ma, J.; Wang, W.: An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Netw. Comput. Appl. 35(2), 763–769 (2012)
Mishra, D.; Das, A.K.; Mukhopadhyay, S.: A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst. Appl. 41(18), 8129–8143 (2014)
Lu, Y.; Li, L.; Peng, H.; Yang, Y.: A biometrics and smart cardsbased authentication scheme for multiserver environments. Secur. Commun. Netw. 8(17), 3219–3228 (2015)
Lu, Y.; Li, L.; Yang, X.; Yang, Y.: Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. 10(5) (2015). doi:10.1371/journal.pone.0126323 PMID:25978373
Chaudhry, S. A.; Naqvi, H.; Farash, M. S.; Shon, T.; Sher, M.: An improved and robust biometrics-based three factor authentication scheme for multiserver environments. J. Super Comput. 1–17 (2015). doi:10.1007/s11227-015-1601-y
Chaudhry, S. A.: A secure biometric based multi-server authentication scheme for social multimedia networks. Multimed. Tools Appl. 75(20), 12705–12725 (2016). doi:10.1007/s11042-015-3194-0
Das, A.K.: Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3), 145–151 (2011)
An, Y.: Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards. J. Biomed. Biotechnol. 16, 1–6 (2012). doi:10.1155/2012/519723. Article ID 519723
Khan, M.K.; Kumari, S.: An improved biometrics-based remote user authentication scheme with user anonymity. BioMed. Res. Int. 19 (2013). doi:10.1155/2013/491289. Article ID 491289
Wen, F.; Susilo, W.; Yang, G.: Analysis and improvement on a biometric-based remote user authentication scheme using smart cards. Wirel. Personal Commun. 80(4), 1747–1760 (2015)
Mishra, D.; Das, A.K.; Mukhopadhyay, S.: A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card. Peer-to-Peer Netw. Appl. 9(1), 171–192 (2016)
Giri, D.; Sherratt, R.S.; Maitra, T.; Amin, R.: Efficient biometric and password based mutual authentication for consumer usb mass storage devices. IEEE Trans. Consum. Electron. 61(4), 491499 (2015)
Amin, R.; Biswas, G.P.; Khan, M.K.; Leng, L.; Kumar, N.: Design of an anonymity- preserving, three- factor authenticated key exchange protocol for wireless sensor networks. Comput. Netw. 101, 42–62 (2015)
Kocher, P.; Jaffe, J.; Jun, B.: Differential power analysis. In: Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science. 1666, 388397 (1999)
Messerges, T.S.; Dabbish, E.A.; Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)
Burrows, M.; Abadi, M.; Needham, R.: A logic of authentication. ACM Trans. Comput. Syst. 8(1), 1836 (1990). doi:10.1145/77648.77649
AVISPA: Automated validation of internet security protocols and applications. http://www.avispaproject.org/. Accessed Oct 2015
Tool, A. W.: http://www.avispa-project.org/web-interface/expert.php/ use on September (2015)
Dolev, D.; Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198208 (1983)
Jiang, Qi; Ma, J.; Yang, G.L.L.: An efficient ticket based authentication protocol with unlinkability for wireless access networks. Wirel. Personal Commun. 77(2), 1489–1506 (2014)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Chandrakar, P., Om, H. Cryptanalysis and Extended Three-Factor Remote User Authentication Scheme in Multi-Server Environment. Arab J Sci Eng 42, 765–786 (2017). https://doi.org/10.1007/s13369-016-2341-x
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13369-016-2341-x