Cryptanalysis and Security Enhancement of Three-Factor Remote User Authentication Scheme for Multi-Server Environment

Cryptanalysis and Security Enhancement of Three-Factor Remote User Authentication Scheme for Multi-Server Environment

Preeti Chandrakar (Indian Institute of Technology (Indian School of Mines), Dhanbad, India) and Hari Om (Indian Institute of Technology (Indian School of Mines), Dhanbad, India)
DOI: 10.4018/IJBDCN.2017010108
OnDemand PDF Download:


Recently, Om et al. proposed three-factor remote user authentication protocol using ElGamal cryptosystem and ensured that it is withstands to various kinds of security attacks. But, the authors review carefully Om et al.'s scheme and discover that it unable to resist three attacks (like password guessing; denial of service; and user impersonation). Moreover, their protocol is not facilitating user anonymity. To solve these security vulnerabilities, the authors devise a secure and robust anonymous identity based authentication scheme for multi-server environment. The authentication proof of the proposed scheme has validated using BAN (Burrows-Abadi-Needham) logic, which confirms the protocol facilitates mutual authentication and session-key negotiation securely. Informal security analysis also confirms that it is well protected against various security attacks. In addition, the proposed work is compared along with other schemes (in the context of smart card storage and computation costs as well as execution time).
Article Preview

1. Introduction

Authentication is a security mechanism that checks the validity of an individual. Generally, remote user authentication schemes depend on various factors like password, biometric, smart card, etc. In 1981, Lamport devised firstly remote user authentication which is based on password verifier table. In 2000, Hwang et al. examined that his scheme is not defending stolen verifier attack and then proposed an improvement scheme using ElGamal public key encryption in which the server is not holding any type of password verification table. In 2000, Chan et al. find out impersonation attack in Hwang et al., 2000. Followed their work, various authentication schemes are devised by so many authors (Das et al., 2006; Giri et al., 2006; Goriparthi et al., 2009; Islam et al., 2013; Li, 2013; Xu et al., 2015; He et al., 2015).

In 2006, Das et al. suggested an authentication protocol by the help of bilinear pairing and proclaimed that it is able to prevent many logged in users by one login id. In addition, it provides password change facility without intervening server. In 2006, Giri et al. devised an improvement of Das et al. (2006). In 2009, Goriparthie et al. also reviewed of Das et al. (2006) and found that it suffers from replay and forgery attacks. To solve these security pitfalls, they suggested an extended authentication protocol and proclaimed that it is completely safe against various kinds of security attacks.

In 2013, Islam et al. devised remote user authentication protocol by using ECC and claiming that it is able to defend against various security threats. However, Li reviewed Islam et al.’s protocol and found that it is suffering to three attacks (i.e., password guessing, stolen verifier and insider). In order to solve those security threats, they developed an extended remote user authentication protocol by the help of ECC. It includes two versions: (1) First version does not facilitate user anonymity property; (2) Second version facilitates the user anonymity property. Li (2013) asserted that their scheme is secure from various spiteful security threats with efficient complexity. Unfortunately, Xu et al. (2015) found three attacks (i.e., password guessing, user impersonation and denial of service) in the scheme (Li, 2013). To surmount these security weaknesses, they introduced an enhancement of remote user authentication scheme by the help of ECC.

In recent time, many user authentication protocols are developed by so many authors (He et al., 2015; Odelu et al., 2014; Om et al., 2013; Chandrakar et al., 2016; Wen et al., 2012; Chandrakar et al., 2015; Chen et al., 2012; Arshad et al., 2014; Kumar et al., 2014). In 2015, He at al. proposed authentication protocol in multi-server platform and proclaimed that it is safe from various security threats. But, Odelu et al. (2014) find out two threats (i.e., known session temporary information and user impersonation) in the scheme (He et al., 2015). Moreover, this scheme is not providing user-anonymity, smartcard revocation and re-registration property. In 2013, Om et al. developed biometric based remote user authentication scheme and proclaimed that the protocol is fully secure from various security attacks. In this article, we cryptanalysis of and explained that it is not defending password guessing, user-impersonation and denial of service attacks. Moreover, does not providing user anonymity property. To remove these security shortcomings, we project an enhanced three-factor based remote user authentication protocol based on ECC usable in multi-server environment.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 13: 2 Issues (2017)
Volume 12: 2 Issues (2016)
Volume 11: 2 Issues (2015)
Volume 10: 4 Issues (2014)
Volume 9: 4 Issues (2013)
Volume 8: 4 Issues (2012)
Volume 7: 4 Issues (2011)
Volume 6: 4 Issues (2010)
Volume 5: 4 Issues (2009)
Volume 4: 4 Issues (2008)
Volume 3: 4 Issues (2007)
Volume 2: 4 Issues (2006)
Volume 1: 4 Issues (2005)
View Complete Journal Contents Listing