A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card

In network based services, remote user authentication has become an important and challenging part to ensure authorized access of resource. The traditional two party architectures are not enough to present scalable solution to multi-server environment as user need to follow multiple registrations. On the other hands, multi-server authentication scheme resolves the repeated registration issue, where one time registration is enough to access the multiple servers of an architecture. To achieve efficient solution, Pippel et al. (Wirel Pers Commun 72(1):729-745, 2013) proposed a smart card based authentication scheme for multi-server environment. However, Li et al. (Int J Commun Syst 28(2):374-382, 2015) proved that Pippel et al.'s (2013) proposed scheme is insecure and proposed an improvement to overcome the drawbacks found in Pipple et al.'s scheme. In this paper, we show that Li et al.'s scheme also vulnerable to the known attacks, namely, password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. We then propose a secure multi-server authentication scheme to withstand the security pitfalls find in the Li et al.'s scheme while retaining the merits of Li et al.'s scheme. Using the widely accepted BAN logic we show that our scheme provides secure mutual authentication. In addition, we prove that our scheme is secure against all known attacks including password guessing attack, denial of service attack, privileged insider attack and known key secrecy attack. Our scheme requires less communication and computation overhead as compared to the existing related scheme. Our scheme provides high security along with less computation and communication overheads as compared to the other related existing schemes in the literature, and as a result, our scheme is much suitable for practical applications.