Crytanalysis of Three Anonymous Authentication Schemes for Multi-Server Environment

被引：0

作者：

Wang D. ^{[1
]}

Li W.-T. ^{[2
]}

Wang P. ^{[2
,3
,4
]}

机构：

[1] School of Electronics Engineering and Computer Science, Peking University, Beijing

[2] School of Software and Microelectronics, Peking University, Beijing

[3] National Engineering Research Center for Software Engineering, Beijing

[4] Key Laboratory of High Confidence Software Technologies, Ministry of Education (Peking University), Beijing

来源：

Wang, Ping (pwang@pku.edu.cn) | 1937年 / Chinese Academy of Sciences卷 / 29期

基金：

中国国家自然科学基金; 国家重点研发计划;

关键词：

Authentication protocol; Forward secrecy; Multi-server environment; Offline password guessing attack; User anonymity;

D O I：

10.13328/j.cnki.jos.005361

中图分类号：

学科分类号：

摘要：

The design of secure and efficient user authentication protocols for multi-server environment is becoming a hot research topic in the cryptographic protocol community. Based on the widely accepted adversary model, this paper analyzes three representative, recently proposed user authentication schemes for multi-server environment. The paper reveals that: (1) Wan, et al.'s scheme is subject to offline password guessing attack as opposed to the authors' claim, and it also cannot provide user anonymity and forward secrecy; (2) Amin, et al.'s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds of forward secrecy issues; (3) Reedy, et al.'s scheme cannot resist against user impersonation attack and offline password guessing attack, and also falls short of user un-traceability. The paper highlights three principles for designing more robust anonymous multi-factor authentication schemes: Public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. It further proposes some amendments for the identified security flaws. © Copyright 2018, Institute of Software, the Chinese Academy of Sciences. All rights reserved.

引用

页码：1937 / 1952

页数：15

共 69 条

[1] Lamport L., Password authentication with insecure communication, Communications of the ACM, 24, 11, pp. 770-772, (1981)
[2] Huang X., Chen X., Li J., Et al., Further observations on smart-card-based password-authenticated key agreement in distributed systems, IEEE Trans. on Parallel and Distributed Systems, 25, 7, pp. 1767-1775, (2014)
[3] Wang D., He D., Wang P., Et al., Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment, IEEE Trans. on Dependable and Secure Computing, 12, 4, pp. 428-442, (2015)
[4] Tsaur W.J., A flexible user authentication scheme for multi-server internet services, Proc. of the Int'l Conf. on Networking (ICN 2001), pp. 174-183, (2001)
[5] Yi X., Rao F.Y., Tari Z., Et al., ID2S password-authenticated key exchange protocols, IEEE Trans. on Computers, 65, 12, pp. 3687-3701, (2016)
[6] Jangirala S., Mukhopadhyay S., Das A.K., A multi-server environment with secure and efficient remote user authentication scheme based on dynamic ID using smart cards, Wireless Personal Communications, (2017)
[7] Chatterjee S., Roy S., Das A.K., Et al., Secure biometric-based authentication scheme using chebyshev chaotic cap for multi-server environment, IEEE Trans. on Dependable and Secure Computing, (2016)
[8] Wang D., Wang P., On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions, Computer Networks, 73, pp. 41-57, (2014)
[9] Wei F.S., Zhang G., Ma J.F., Ma C.G., Privacy-Preserving multi-factor authenticated key exchange protocol in the standard model, Ruan Jian Xue Bao/Journal of Software, 27, 6, pp. 1511-1522, (2016)
[10] He D., Wang D., Robust biometrics-based authentication scheme for multiserver environment, IEEE Systems Journal, 9, 3, pp. 816-823, (2015)

← 1 2 3 4 5 6 7 →