A Secure Dynamic Identity Based Authentication Protocol with Smart Cards for Multi-Server Architecture

Transcription

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31, (2015) A Secure Dynamc Identty Based Authentcaton Protocol wth Smart Cards for Mult-Server Archtecture CHUN-TA LI 1, CHENG-CHI LEE 2;3,*, CHI-YAO WENG 4 AND CHUN-I FAN 5 1 Department of Informaton Management Tanan Unversty of Technology Tanan Cty, 710 Tawan E-mal: th0040@maltutedutw 2 Department of Lbrary and Informaton Scence Fu Jen Catholc Unversty New Tape Cty, 242 Tawan E-mal: cclee@malfuedutw 3 Department of Photoncs and Communcaton Engneerng Asa Unversty Tachung Cty, 413 Tawan 4 Department of Computer Scence Natonal Pngtung Unversty Pngtung Cty, 900 Tawan E-mal: cyweng@malnptuedutw 5 Department of Computer Scence and Engneerng Natonal Sun Yat-sen Unversty Kaohsung Cty, 804 Tawan E-mal: cfan@csensysuedutw Due to the rapd growth of computer networks and servce provdng servers, many network envronments have been becomng mult-server archtecture and varous multserver authentcaton protocols have been proposed In such an envronment, a user can obtan dfferent network servces from multple network servers wthout repeatng regstraton to each server Recently, L et al proposed a secure dynamc ID based authentcaton protocol for mult-server archtecture usng smart cards They clamed that ther protocol preserves mutual authentcaton and protected from several attacks However, n ths paper, we fnd that L et al s protocol cannot provde the protecton aganst leakof-verfer attack, mpersonaton attack, sesson key dsclosure attack and many logged-n users attack To remedy these securty flaws, we propose an mproved verson of dynamc ID based authentcaton protocol, whch covers all the dentfed weaknesses of L et al s protocol and s more secure and effcent for practcal mult-server envronments Keywords: dynamc dentty, password authentcaton, smart card, mult-server archtecture, user anonymty 1 INTRODUCTION Wth the rapd growth of the Internet and network technologes, recently smart card based password authentcaton protocols have been extensvely deployed n the Internet or wreless network servces for authentcatng the valdty of a logn user Consderng the low-computng capablty of smart cards, the authentcaton scheme desgn based on Receved May 27, 2014; revsed August 15 & October 11, 2014; accepted October 20, 2014 Communcated by Hung-Mn Sun * Ths work was partally supported by the Mnstry of Scence and Technology, Tawan, under Contract No MOST E and MOST E

2 1976 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN tradtonal symmetrc or asymmetrc key cryptosystems s a nontrval challenge [5, 9] For reducng the computaton costs, numerous smart card based password authentcaton protocols usng the one-way hash functon and exclusve-or operaton had been proposed [1, 4, 6, 7, 10, 14, 15, 18] Currently, more and more sngle-server servces are provded wth all walks of lfe, such as onlne games, moble shoppng, telecare medcne nformaton systems, ntegrated electronc medcal record systems etc On the other hand, the mult-server envronment emphaszes that any user can obtan dfferent servces from multple network servers wthout repeatng regstraton to each server because t s mpractcal for a user to remember numerous dfferent denttes and passwords to logn and access dfferent servce provdng servers In 1994, a well-known Kerberos system [12] n such an envronment s proposed However, t s nsecure aganst password guessng attacks f a user uses a weak password In 2001, L et al [17] proposed a user authentcaton protocol usng neural networks and asymmetrc key cryptosystems For solvng the effcency problem of L et al s protocol, n 2003, Ln et al [21] proposed a remote user authentcaton protocol based on dscrete logarthm problem for mult-server envronments Later, n 2004, Juang [11] proposed an effcent mult-server authentcaton protocol based on one-way hashng functon and symmetrc key cryptosystem However, n the same year, Chang and Lee [3] showed that Juang s protocol s vulnerable to off-lne dctonary attack In 2008, Tsa [23] proposed a mult-server authentcaton protocol based on one-way hashng functon and wthout mantanng a verfer table However, Tsa s protocol s vulnerable to mpersonaton attack and any attacker who ntercepts a logn message sent from a user, the attacker can resubmt t to the server for ganng llegal access Furthermore, all the above password authentcaton protocols for mult-server envronment are based on statc ID and user s logn ID s changeless and sent n the form of plan-text va publc channels It gves the attacker an opportunty to ntercept the logn ID from the publc channels, uses t to trace the legal user and damages user prvacy over publc networks Recently, Lao and Wang [20] proposed a dynamc ID based authentcaton protocol and they clamed that ther protocol can prevent varous attacks However, Hsang and Shh [8] showed that Lao-Wang s protocol cannot resst nsder attack, masquerade attack, server spoofng attack and regstraton center spoofng attack and proposed an mprovement on Lao-Wang s protocol However, Sood et al [22] and Lee et al [13] ponted that Hsang-Shh s protocol s stll vulnerable to leak-of-verfer attack, stolen smart card attack, masquerade attack and server spoofng attack, and t s not easly reparable To resst these securty weaknesses, Sood et al proposed a secure dynamc ID based authentcaton protocol for mult-server archtecture and clamed ther protocol can prevent attacks and acheve user anonymty However, L et al [16] ponted out that Sood et al s protocol s vulnerable to leak-of-verfer attack, stolen smart card problem and ncorrect authentcaton and sesson key agreement phase L et al further proposed an effcent and securty dynamc ID based authentcaton protocol for mult-server archtecture usng smart cards to tackle these problems Unfortunately, through carefully analyss, we fnd that L et al s protocol s stll vulnerable to leak-of-verfer attack, mpersonaton attack, sesson key dsclosure attack and many logged-n users attack We proposed an mproved protocol to solve these securty weaknesses Moreover, our protocol s more effcent than some dynamc ID based authentcaton protocols regardng

3 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1977 performance by usng lghtweght one-way hash functon and exclusve OR computaton The rest of the paper s organzed as follows: Secton 2 brefly revews L et al s authentcaton protocol and shows the weaknesses on ther protocol n Secton 3 In Secton 4, our dynamc ID based authentcaton protocol n mult-server envronments s proposed The securty and performance analyss are descrbed n Secton 5 Fnally, some concludng remarks are ncluded n Secton 6 2 REVIEW OF LI ET AL S PROTOCOL In ths secton, a bref revew of L et al s protocol [16] that contans four phases: regstraton, logn, authentcaton and sesson key agreement and password change, are gven below, where the followng notatons have been used n Table 1 L et al s protocol nvolves three partcpants: the control server (), the servce provdng server (S ) and the user (U ) s a trusted party and t s responsble for regstraton and authentcaton of U and S When S regster wth use dentty SID, computes SID y) and x y) and submt them to S through a secure channel Detaled steps of four phases are descrbed as follows 21 Regstraton Phase When a user U wants to access the servce and perform regstraton wth, U chooses hs/her dentty ID, password P and a random number b, computes A b P ) and submts (ID, A ) to the control server through a secure channel Upon recevng the regstraton request, computes B =ID x), C =ID y) A ), D B ID A ) and E B y x) and stores (C, D, E, ), y)) n U s smart card Then, delvers the smart card to U through a secure channel U stores b nto hs/her smart card and U s smart card contans (C, D, E, ), y), b) 22 Logn Phase In ths phase, we assume that U wants to logn to the server S and asks a servce from S U must perform the flowng steps: Step 1: U nserts hs/her smart card nto a card reader and nputs dentty ID, password P and the server s dentty SID Then, smart card computes A =b P ) and C =ID y) A ) and checks whether C =C If t holds, t means U s a legal user Step 2: After verfcaton, the smart card computes B =D ID A ), F y) N 1, P E y) N 1 SID ), CID A B F N 1 ) and G B A N 1 ) and submts the logn request (F, G, P, CID ) to S va a publc channel, where N 1 s a random number chosen by U 23 Authentcaton and Key Agreement Phase Upon recevng the logn request message (F, G, P, CID ) from U, S and performs the followng steps to verfy the valdty of U :

4 1978 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN Step 1: S computes K =SID y) N 2 and M x y) N 2 ) and sends the logn request (F, G, P, CID, SID, K, M ) to the control server, where N 2 s a random number chosen by S Table 1 Notatons used n ths paper Notatons Descrpton U The th user S The th server The control server ID The dentty of U P The password of U SID The dentty of S x The master secret key chosen by y A secret number chosen by b A random number chosen by U for regstraton CID The dynamc dentty generated by U for authentcaton N 1 A random number generated by U s smart card for sesson key agreement N 2 A random number generated by S for sesson key agreement N 3 A random number generated by for sesson key agreement ) A collson free one-way hash functon Exclusve OR operaton SK A common sesson key shared among U, S and Message concatenaton operaton Step 2: Upon recevng the logn request message (F, G, P, CID, SID, K, M ) from S, computes N 2 K SID y) and M =x y) N 2 ) and checks whether M M If t holds, the valdty of S s authentcated by Otherwse, reects ths sesson Step 3: computes N 1 =F y), B =P y) N 1 SID ) y x)=e y x), A = CID B F N 1 ) and G =B A N 1 ) and checks whether G =G If t holds, the valdty of U s authentcated by Otherwse, reects ths sesson Step 4: computes Q N 1 N 3 SID N 2 ), R =A B ) N 1 N 2 N 3 ), V =A B ) N 1 N 2 N 3 )) and T =N 2 N 3 A B N 1 ) and submts the mutual authentcaton message (Q, R, V, T ) to S va a publc channel Step 5: Upon recevng the authentcaton message (Q, R, V, T ) from, S computes N 1 N 3 Q SID N 2 ), A B )=R N 1 N 2 N 3 ) and V I A B ) N 1 N 2 N 3 )) and checks whether V V If t holds, the legtmacy of the control server s authentcated by S Then S sends the response message (V, T ) to U va a publc channel Step 6: Upon recevng the response message (V, T ) from S, U s smart card computes N 2 N 3 =T A B N 1 ) and V I A B ) N 2 N 3 N 1 )) and checks whether V V If t holds, the legtmacy of the control server and the server S are authentcated by

5 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1979 U Fnally, U, S and agree on a common sesson key SK by computng SK=h (A B ) N 1 N 2 N 3 )) 24 Password Change Phase When a user U wants to change hs/her password P wth a new password P new wthout the help of the control server U nserts the smart card nto a card reader and nputs ID and P Then smart card computes A =b P ), B =D ID A ) and C =ID y) A) and checks whether C =C If t holds, U s asked to nputs a new password P new and the smart card computes A new b P new ), C new ID y) A new ) and D new B ID A new ) and replaces (C, D ) wth (C new, D new ) 3 SECURITY ANALYSIS OF LI ET AL S PROTOCOL Although L et al clamed that ther protocol can resst many types of attacks and satsfy all the essental requrements for mult-server archtecture authentcaton However, the actual stuaton s not the case and the cryptanalyss of L et al s protocol has been made n ths secton The detaled analyss are descrbed as follows 31 Leak-of-verfer Attack In L et al s protocol, we found that ther protocol may suffer from leak-of-verfer attack and a malcous prvleged user U k who possesses the smart card can easly derve the values of y) and y x) by performng the followng steps: Step 1: U k extracted the stored values from hs/her smart card by montorng ts power consumpton As we know, the content of the smart card s {C k, D k, E k, ), y), b} Step 2: U k nputs ID k and P k and computes A k =b P k ), ID k A k ) and B k =D k ID k A k ) Step 3: U k derves the value y x) by computng E k B k =y x) From above-mentoned steps show, the user ID k can easly derve the system secrets of y) and y x) Note that y) and y x) are used n all the prvleged users Thus, L et al s protocol cannot prevent leak-of-verfer attack 32 Impersonaton Attack Due to y) and y x) are used n all the prvleged users, n case of system secrets y) and y x) are successfully derved by U k, U k can use them to derve any prvleged user U s B ID x) Once y), y x) and U s B are leaked accdentally to U k, he/she can easly make a vald logn request to mpersonate the user U to logn to the server S The detals of ths attack are descrbed as follows Step 1: U k eavesdrops U s logn request message and gets {F, G, P, CID } over a publc channel Step 2: U k derves U s N 1 by computng N 1 =F y), where y) s derved from U k s

6 1980 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN smart card Step 3: U k computes y) N 1 SID ) and derves E by computng E =P y) N 1 SID ) Step 4: U k derves U s secret value B by computng B =E y x), where y x) s derved from U k s smart card As shown n above-mentoned steps, U s secret value B can be easly derved Then, U k can choose a new random number N 1, generate a unmeanng value A and make a vald logn request {F, G, P, CID } to S, where F =y) N 1, G I h B A N 1 ), P =B y x) y) N 1 SID ) and CID =A B F N 1 ) Moreover, U k can establsh a new sesson key SK=A B ) (N 1 N 2 N 3 )) wth S and and acheve the purpose of a cheat So, L et al s protocol cannot resst the mpersonaton attack as they clamed 33 Sesson Key Dsclosure Attack As shown n the mpersonaton attack, n case of U s secret value B s successfully derved by U k, U k can use t to dsclose the sesson key shared among the user U, the server S and the control server The detals of ths attack are descrbed as follows Step 1: U k eavesdrops U s logn request message and gets {F, G, P, CID } over a publc channel Step 2: U k eavesdrops S s response message and gets {V, T } over a publc channel Step 3: U k derves U s random number N 1 by computng N 1 =F y), where y) s derved from U k s smart card Step 4: U k derves U s secret value B by launchng the attack mentoned n Secton 32 Step 5: U k derves U s secret value A by computng A =CID B F N 1 ), where CID and F are collected from Step 1 Step 6: U k derves N 2 N 3 by computng N 2 N 3 =T A B N 1 ), where T s collected from Step 2 Step 7: Fnally, U k can easly dsclose the sesson key SK by computng SK=A B ) (N 1 N 2 N 3 )) 34 Many Logged-In Users Attack In L et al s protocol, the smultaneous access of a legtmate user s account n the control server by multple non-regstered users usng the same dentty and password of the user and the control server s not aware of havng caused weakness We assume that a regstered user s smart card s massvely duplcated and U s ID and P s ntentonally exposed to n attackers U kx, where x1, 2,, n Then all who has smart card and knows ID and P can logn to the control server at the same tme by performng the followng steps: Step 1: Each U kx generates hs/her random number N kx and sends a vald logn request (F kx, G kx, P x, CID kx ) to, where F kx =y) N kx, G kx =B A N kx ), P x =E y) N kx SID ), CID kx =A B F kx N kx ) and x=1, 2,, n

7 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1981 Step 2: Upon recevng all the logn requests (F k1, G k1, P 1, CID k1 ), (F k2, G k2, P 2, CID k2 ),, (F kn, G kn, P n, CID kn ) from U k1, U k2,, U kn, gets the same dentty ID wth dfferent random numbers N k1, N k2,, N kn Fnally, allows all of U k1, U k2,, U kn to logn and access U s account smultaneously 4 THE PROPOSED PROTOCOL In ths secton, we propose a strong and effcent protocol to overcome the securty weaknesses of L et al s protocol Our protocol conssts of four phases namely: regstraton, logn, authentcaton and sesson key agreement and password change S regsters tself wth by usng dentty SID Then, computes SID y) and x y) and submt them to S through a secure channel These four phases are further llustrated below and shown n Fg 1 Fg 1 The proposed protocol

8 1982 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN 41 Regstraton Phase When a user U wants to perform regstraton wth the control server, U chooses hs/her ID, P and a large random number b, computes A =ID b P ) and submts {ID, A } to through a secure channel Upon recevng the regstraton request, generates a pseudonym TID, computes B =ID x), C =ID y) A ) and D =B x y) A and stores (TID, C, D, ), y)) n U s smart card Moreover, stores each legal user s pseudonym, user-verfer and a status-bt n a protected verfer table as depcted n Table 2, where the status-bt ndcates the logn status of the user to wthstand many logged-n users attack If the user s logged-n to, the status-bt s set to 1, otherwse t s set to 0 Fnally, delvers the smart card to U through a secure channel U stores b nto hs/her smart card and U s smart card contans (TID, C, D, ), y), b) 42 Logn Phase Table 2 The verfer table of after fnshng the regstraton phase User pseudonym User-verfer Status-bt TID TID B ID x) B ID x) 0/1 0/1 In ths phase, we assume that U wants to logn to the server S and asks a servce from S U must perform the flowng steps: Step 1: U nserts hs/her smart card nto a card reader and nputs dentty ID, password P and the server s dentty SID Then, smart card computes A =ID b P ) and C ID y) A ) and checks whether C C If t holds, t means U s a legal user Step 2: After verfcaton, the smart card generates a random number N 1 and computes F =D A N 1 and G =y) N 1 SID ) Then, the smart card submts the logn request (TID, F, G ) to S va a publc channel 43 Authentcaton and Sesson Key Agreement Phase Upon recevng the logn request message (TID, F, G ) from U, S and performs the followng steps to verfy the valdty of U : Step 1: S computes K SID y) N 2 and M x y) N 2 ) and sends the logn request (TID, F, G, K, M ) to the control server, where N 2 s a random number chosen by S Step 2: Upon recevng the logn request message (TID, F, G, K, M ) from S, computes N 2 =K SID y) and M =x y) N 2 )=) and checks whether M M If t holds, the valdty of S s authentcated by Otherwse, reects ths sesson Step 3: Accordng to user s pseudonym TID, retreves user s verfer B, computes N 1 =F B x y) and G =y) N 1 SID ) and checks whether G =G If t holds, the

9 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1983 valdty of U s authentcated by Otherwse, reects ths sesson Step 4: refreshes a new pseudonym TID new for U by computng TID new =TID N 1 and replaces TID wth TID new Step 5: computes Q =N 1 N 3 SID N 3 ), R =B x y)) N 1 N 2 N 3 ), V = (B x y)) N 1 N 2 N 3 )) and T =N 2 N 3 B x y) TID new )) and submts the mutual authentcaton message (Q, R, V, T ) to S va a publc channel Step 6: Upon recevng the authentcaton message (Q, R, V, T ) from, S computes N 1 N 3 =Q SID N 2 ), B x y))=r N 1 N 2 N 3 ) and V =B (x y)) h (N 1 N 2 N 3 )) and checks whether V =V If t holds, the legtmacy of the control server s authentcated by S Then S sends the response message (V, T ) to U va a publc channel Step 7: Upon recevng the response message (V, T ) from S, U s smart card computes TID new =TID N 1, B x y)=d A, N 2 N 3 =T B x y) TID new )) and V = B x y) N 2 N 3 N 1 )) and checks whether V =V If t holds, the legtmacy of the control server and the server S are authentcated by U and the smart card replaces TID wth TID new Fnally, U, S and agree on a common sesson key SK by computng SK=B x y) N 1 N 2 N 3 )) 44 Password Change Phase When a user U wants to change hs/her password P wth a new password P new wthout the help of the control server U nserts the smart card nto a card reader and nputs ID and P Then smart card computes A =ID b P ) and C ID y) A), and checks whether C C If t holds, U s asked to nputs a new password P new Then, the smart card computes A new ID b P new ) and C new ID y) A new ), and store C new nto the smart card to replace C to fnsh the password change phase 5 ANALYSIS OF THE PROPOSED PROTOCOL In ths secton, we evaluate the securty of our protocol and make comparsons wth other related dynamc ID based mult-server authentcaton protocols [8, 16, 19, 20, 22] n terms of performance and functonalty The proposed protocol can not only resst malcous attacker from launchng several well-known cryptographc attacks but also provde much better performance when compared to related dynamc ID protocols for mult-server archtecture Pror to demonstraton of preventng possble attacks, some assumptons of securty are gven Assumpton 1: U s dentty and password are well-protected by the user and securely sent to n the regstraton phase Assumpton 2: There s a secure channel between each server S and the control server n the regstraton phase Assumpton 3: Durng the logn, authentcaton and sesson key agreement phases, the attacker U k has control over the communcaton channels between U, S and such as

10 1984 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN eavesdroppng, nterceptng, nsertng and deletng any transmtted messages n these publc channels Assumpton 4: A prvleged user can extract the stored values from hs/her smart card by montorng ts power consumpton Assumpton 5: The bt length of (x, y, b, N 1, N 2, N 3 ) are large enough and these values are hgh entropy secret keys and random numbers The detals of several securty attrbutes n the proposed protocol are descrbed n Fg 1 51 Securty Analyss As mentoned n prevous researches, the followng securty features are mportant for dynamc ID based user authentcaton protocol and we compare the proposed protocol wth L et al s protocol [16], Sood et al s protocol [22], Lao et al s protocol [20], Hsang et al s protocol [8] and L et al s protocol [19] The securty comparsons of the proposed protocol wth some related dynamc ID based mult-server authentcaton protocols are gven n Table 3 Table 3 Securty comparsons Protocols/Securty crtera S1 S2 S3 S4 S5 S6 S7 S8 Hsang et al s protocol (2009) [8] No Yes No Yes Yes Yes No Yes Lao et al s protocol (2009) [20] No Yes No Yes Yes Yes No Yes Sood et al s protocol (2011) [22] No No No No Yes Yes No Yes L et al s protocol (2011) [16] Yes No No No Yes Yes No Yes L et al s protocol (2013) [19] Yes Yes Yes Yes Yes Yes No Yes The proposed protocol Yes Yes Yes Yes Yes Yes Yes Yes S1: Resstance to smart card lost problem The smart card lost problem s an nherent lmtaton of user authentcaton protocol We found that the best soluton s to prohbt the guesstmate chance of the malcous off-lne password guessng attack and the secret values stored on the smart card are {TID, C, D, ), y), b} n our proposed protocol We assume that the secrets and b extracted from user s smart card, t stll cannot help an attacker U k to derve or update the user s password wthout knowng the user s ID and P On the other hand, snce x and y are unknown to U k, he/she cannot compute B y x) and cannot perform the mpersonaton attack usng the stolen or lost smart card S2: Resstance to leak-of-verfer attack In the proposed protocol, a malcous prvleged user U k who possesses the smart card may try to derve the values y x) and ID x) However, U k stll cannot successfully launches a leak-of-verfer attack on t because y x) and ID x) are protected by the one-way hash functon Snce x and y are protected by the one-way hash functon, U k cannot ensure whch ID s correspondng to ID x) and cannot forge a vald logn message (TID, F, G ) As a result, U k can mpersonate as a servce provng server or a prv-

11 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1985 leged user and our proposed protocol can resst the leak-of-verfer attack S3: Resstance to mpersonaton attack In ths attack, the attacker U k may try to forge a vald logn request (TID, F, G ) to mpersonate as a legtmate user usng the prevously eavesdropped messages However, n the proposed protocol, U k cannot generate TID, F B y x) N k1 and G =y) N k1 SID ) snce he/she wthout the knowledge of N k1, y), B y x) and user s pseudonym TID s updated and refreshed n every sesson, so U k cannot mpersonate as the legtmate user U, where N k1 s a random number generated by U k S4: Resstance to sesson key dsclosure attack In ths type of attack, we assume that the attacker U k eavesdrops the prevously sesson messages (TID, F, G, K, M ) and (Q, R, V, T ) Snce the user verfer B x y) s protected by U, U k cannot derve U s nonce value N k1 from F and cannot derve S s and s nonce values N k2 N k3 from T Therefore, U k cannot derve the common sesson key SK=B x y)) (N k1 N k2 N k3 )) and the proposed protocol ressts the sesson key dsclosure attack S5: Resstance to stolen-verfer attack The stolen-verfer attack means that an attacker U k steals the verfer table from the control server and launches an mpersonaton attack Thus, U k can masquerade as a legtmate user U to logn control server In the proposed protocol, the verfer table contans U s pseudonym TID and user-verfer B ID x) However, t s mpossble to make a vald value B x y) because x and y are well-protected by So the proposed protocol can resst the stolen-verfer attack S6: Resstance to tme synchronzaton problem The replay attack s an mportant ssue n any mult-party based authentcaton protocol and the malcous attacker may masquerade as a legal user by replayng the logn request eavesdroppng from a prevous sesson Therefore, many dynamc ID based user authentcaton protocols used tmestamp to provde the securty aganst the replay attack n a remote logn system However, the tmestamp arses the tme synchronzaton problem and the proposed protocol replaces the tmestamp wth nonce values to avod ths problem We use three dfferent nonce values (N k1, N k2, N k3 ) to prevent replay attack and tme synchronzaton problem and three partcpatng partes establsh a common sesson key by fnshng four-round challenge-response mechansm S7: Resstance to many logged-n users attack In the proposed protocol, we assume that the user s pseudonym TID and B x y) are leaked to more than one mpostor However, the control server mantaned a status-bt n ts verfer table and no one allowed to logn control server at the same tme out of all who know the vald pseudonym TID and B x y) Based on the verfer table, we can say that our proposed protocol can resst the many logged-n users attack S8: Provson of user anonymty In the regstraton phase of the proposed protocol, a user pseudonym and a secure

12 1986 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN channel between the user and the control server are used for protectng the user s real dentty from dsclosure In the logn phase, the user sends the pseudonym as a substtute for the real dentty for ts authentcaton to the servce provdng server and the control server Moreover, the attacker cannot dstngush dfferent sessons correspondng to a certan user snce user s dynamc dentty TID s dfferent for each sesson when the user logns to the server Therefore, the user anonymty s ensured n our proposed 52 Correctness Analyss In ths subsecton, we use the BAN logc [2] to analyze the correctness of the sesson key between user, servce server and control server Some notatons used n BAN logc analyss are descrbed as follows: A X : It means that A beleves the formula X s true A X : It means that A sees the formula X A X : It means that A has complete control over the formula X A X : It means that A has once sad the formula X #(X): It means that X s fresh The formula X has not been used before or X s a nonce A K B : It means that prncpals A and B may use the shared key K to communcate Note that K wll never be dscovered by any prncpals except A and B <X>Y : It means that formula X s combned wth a secret parameter Y (X)K : It means that formula X s hashed wth a key K Rule1 A creates random X : It can nfer Rule 2 from Rule 1 For example, means that Rule 2 A #( X ) prncpal A creates X, so A beleves X s fresh SK: A sesson key establshed n each sesson Accordng to the analytc procedures of BAN logc, two partcpators U and S cooperatvely run the proposed protocol wth the help of the control server and we lst the verfcaton goals of our protocol as follows: (G1): U (G2): S (G3): U (G4): S U SK S U SK S S U SK S U U SK S Next, we use BAN logc to transform our protocol, llustrated n Fg 1 nto the dealzed form The protocol generc types are shown n the followng: Message 1: U S : TID, ID x) x y) N 1, y) N 1 SID ) Message 2: S : TID, ID x) x y), y) N 1 SID ), SID y) N 2, x y) N 2 ) Message 3: S : N 1 N 3 SID N 2 ), B x y)) N 1 N 2 N 3 ), B x y)) N 1 N 2 N 3 ), N 2 N 3 B x y)) TID new )) Message 4: S U : B x y)) N 1 N 2 N 3 )), N 2 N 3 B x y)) TID

13 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1987 new )) Idealze form of the proposed protocol: Message 1 U S : TID, << (ID, x) >(x, y) > N 1, < (y), SID ) > N 1 Message 2: S : TID, << (ID, x) >(x, y) > N 1, < (y), SID ) > N 1, < (SID, y) > N 2, (x, y) N 2 Message 3: S : < (SID, N 2 )> (N 1, N 3 ), < (N 1, N 2, N 3 ) > (ID, x), x, y)), < (< (ID, x) > ( x, y), TID new ) > ( N 2, N 3 ) Message 4: S U : < (N 1, N 2, N 3 ) > (ID, x), x, y)), < (< (ID, x) > ( x, y), TID new ) > ( N 2, N 3 ) To analyze the proposed protocol, the followng assumptons are also requred: (A1): U # ( N 1) (A2): S #( N 2) (A3): #( N 3) (A4): U U ID, x) (A5): U ID, x) (A6): U U TID (A7): U TID (A8): S S SID, y) (A9): S SID, y) (A10): S S x, y) (A11): S x, y) (A12): U U y) (A13): U y) (A14): U U SK S (A15): S U SK S (A16): U S U SK S (A17): S U SK S Based on the above-mentoned assumptons, the prelmnary procedures of BAN logc are well prepared and we show the man steps of the verfcaton proof as follows: Accordng to the Message 1, we could obtan: (V1): S (TID, << (ID, x) >(x, y) > N 1, < (y), SID ) > N 1 ) Accordng to the Message 2, we could obtan: (V2): (TID, << (ID, x) >(x, y) > N 1, < (y), SID ) > N 1, < (SID, y) > N 2, (x, y) N 2 ) Accordng to the assumpton (A9), we would apply the message meanng rule to get: (V3): S ~ N2 Accordng to the assumpton (A2), we could apply the freshness conun-catenaton

14 1988 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN rule to get: (V4): #( x, y) N 2 Accordng to the (V3) and (V4), we could apply nonce verfcaton rule to get: (V5): S ( x, y) N 2 Accordng to the assumpton (A11) and (V5), we could apply the ursdcton rule to get: (V6): N2 Accordng to the assumptons (A5) and (A7), we could apply the message meanng rule to get: (V7): U ~ N1 Accordng to the assumpton (A1), we could apply the freshness conun-catenaton rule to get: (V8): # < (y), SID ) > N 1 Accordng to the (V7) and (V8), we could apply nonce verfcaton rule to get: (V9): U < (y), SID ) > N 1 Accordng to the assumpton (A13) and (V9), we could apply the ursdcton rule to get: (V10): N1 Accordng to the Message 3, we could obtan: (V11): S < (SID, N 2 )> (N 1, N 3 ), < (N 1, N 2, N 3 ) > (ID, x), x, y)), < (< (ID, x) > ( x, y), TID new ) > ( N 2, N 3 ) Accordng to (V11) and (V6), we could obtan: S (V12): S N2, S ( SID, N S ~ SID, N 2 2 ( N, N 1 ) ( N, N ) 2 1 Accordng to (V12), we could obtan: (V13): S ~ ( N1, N3) Accordng to (V13), (V11) and assumpton (A2), we could obtan: S #( N2), S ~ ( N 1, N3), S ( N 1, N2, N3) ( ID, x), x, y)) (V14): S ~ ( N 1, N2, N3) ( ID, x), x, y)) Accordng to (V14), we could obtan: (V15): S ~ (ID, x), x, y)) Accordng to SKID, x) x, y) (N 1 N 2 N 3 )), (V13), (V15) and assumpton (A2), we could obtan: (V16): S # ( U SK S ) Accordng to (V16) and assumptons (A15) and (A17), we could obtan: (V17): S U ~ U SK S Accordng to (V16) and (V17), we could obtan: (V18): S U U SK S Accordng to the Message 4, we could obtan: new (V19): U ( N1, N2, N3) ( ID, ), (, )), ( (, ) (, ), ) x h x y ID x x y TID ( N 2, N 3 ) Accordng to (V19) and (V10), we could obtan: ) 3

15 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL 1989 new U (V20): U N 1, U ( ( ID, x) ( x, y), TID ) ( N2, N3) new U ~ ( ( ID, x) ( x, y), TID ) ( N2, N3) Accordng to (V20), we could obtan: (V21): U ~ ( N2, N3) Accordng to (V21), (V19) and assumpton (A1), we could obtan: (V22): U #( N 1), U ~ ( N2, N3), U ( N 1, N2, N3) ( ID, x), x, y)) U ~ ( N 1, N2, N3) ( ID, x), x, y) Accordng to (V22), we could obtan: (V23): U ~ ( ID, x), x, y)) Accordng to SKID, x) x) x y)) (N 1 N 2 N 3 )), (V21), (V23) and assumpton (A1), we could obtan: (V24): U # ( U SK S ) Accordng to (V24) and assumptons (A14) and (A16), we could obtan: (V25): U S ~ U SK S Accordng to (V24) and (V25), we could obtan: (V26): U S U SK S Fnally, nferrng from formulas A17, V18 and V26, we have proven the proposed protocol acheves the verfcaton goals as well as establshes a common sesson key between U and S 53 Performance Analyss In ths subsecton, we compare the computatonal prmtves nvolved n logn, authentcaton and sesson key agreement phases of our proposed protocol wth some related dynamc ID based mult-server authentcaton protocols [8, 16, 20, 22] and tabulate the results n Table 4 We defne the notaton T h as the tme complexty for one-way hashng functon and t s usually neglgble consderng the computaton cost of exclusve-or operaton because t requres very few computatons Obvously, n our proposed protocol, the user s smart card adopts only three computatons of one-way hash functon n the logn process, and therefore the total computatons of our protocol s lower than most of authentcaton protocols On the other hand, Lao et al s protocol [20] adopts only 15 computatons of one-way hash functon to construct a mult-server authentcaton protocol However, Hsang et al [8] ponted out that Lao et al s protocol s not secure aganst many types of attacks such as server spoofng attack, regstraton center spoofng attack, nsder attacker and masquerade attack Table 4 Performance comparsons Protocols/Phases Logn phase Verfcaton phase Total computatons Hsang et al s protocol (2009) [8] Lao et al s protocol (2009) [20] Sood et al s protocol (2011) [22] 7Th 6Th 7Th 17Th 9Th 18Th 24Th 15Th 25Th L et al s protocol (2011) [16] 7Th 21Th 28Th L et al s protocol (2013) [19] The 6Th 10Th 16Th proposed protocol 3Th 20Th 23Th

16 1990 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN 6 CONCLUSIONS In ths paper, we have shown that L et al s secure dynamc ID based authentcaton protocol s vulnerable to leak-of-verfer attack, mpersonaton attack, sesson key dsclosure attack, many logged-n users attack, and s not easly reparable We have proposed a more effcent and secure dynamc ID based password authentcaton protocol wth smart cards for mult-server archtecture and removed the securty flaws on L et al s protocol We demonstrate that our protocol not only satsfes all of the essental requrements but also acheves performance effcency Therefore, t s more sutable for adoptng our protocol n practcal applcatons REFERENCES 1 R Abdellatf, H K Aslan, and S H Elramly, New real tme multcast authentcaton, Internatonal Journal of Network Securty, Vol 12, 2011, pp M Burrows, M Abad, and R Needham, A logc of authentcaton, ACM Transactons Computer Systems, Vol 8, 1990, pp C C Chang and J S Lee, An effcent and secure mult-server password authentcaton scheme usng smart cards, n Proceedngs of the 3rd Internatonal Conference on Cyberworlds, 2004, pp C C Chang, H L Wu, Z H Wang, and Q Mao, An effcent smart card based authentcaton scheme usng mage encrypton, Journal of Informaton Scence and Engneerng, Vol 29, 2013, pp D Cho, H Jeong, D Won, and S Km, Hybrd key management archtecture for robust SCADA systems, Journal of Informaton Scence and Engneerng, Vol 29, 2013, pp E El-Emam, M Koutb, H Kelash, and O S Faragallah, An authentcaton protocol based on Kerberos 5, Internatonal Journal of Network Securty, Vol 12, 2011, pp D He, J Chen, and J Hu, Weaknesses of a remote user password authentcaton scheme usng smart card, Internatonal Journal of Network Securty, Vol 13, 2011, pp H C Hsang and W K Shh, Improvement of the secure dynamc ID based remote user authentcaton scheme for mult-server envronment, Computer Standards and Interfaces, Vol 31, 2009, pp S J Hwang and J Y Chen, A strong desgnated verfer rng sgncrypton scheme provdng strongest sgners anonymty, Journal of Informaton Scence and Engneerng, Vol 30, 2014, pp M S Hwang, S K Chong, and T Y Chen, Dos-resstant ID-based password authentcaton scheme usng smart cards, Journal of Systems and Software, Vol 83, 2010, pp W Juang, Effcent mult-server password authentcated key agreement usng smart cards, IEEE Transactons on Consumer Electroncs, Vol 50, 2004, pp J T Kohl, B C Neuman, and T Tso, The evaluaton of the Kerberos authentcaton system, n Dstrbuted Open System, IEEE Press, 1994, pp 78-94

17 A SECURITY DYNAMIC IDENTITY BASED AUTHENTICATION PROTOCOL C C Lee, T H Ln, and R X Chang, A secure dynamc ID based remote user authentcaton scheme for mult-server envronment usng smart cards, Expert Systems wth Applcatons, Vol 38, 2011, pp C C Lee, C T Chen, C T L, and P H Wu, A practcal RFID authentcaton mechansm for dgtal televson, Telecommuncaton Systems, Vol 57, 2014, pp Y C Lee, Weakness and mprovement of the smart card based remote user authentcaton scheme wth anonymty, Journal of Informaton Scence and Engneerng, Vol 29, 2013, pp X L, Y Xong, J Ma, and W Wang, An effcent and securty dynamc dentty based authentcaton protocol for mult-server archtecture usng smart cards, Journal of Network and Computer Applcatons, Vol 35, 2012, pp L H L, I C Ln, and M S Hwang, A remote password authentcaton scheme for mult-server archtecture usng neural networks, IEEE Transactons on Neural Network, Vol 12, 2001, pp C T L and C C Lee, An novel user authentcaton and prvacy preservng scheme wth smart cards for wreless communcatons, Mathematcal and Computer Modellng, Vol 55, 2012, pp X L, J Ma, W Wang, Y Xong, and J Zhang, A novel smart card and dynamc ID based remote user authentcaton scheme for mult-server envronments, Mathematcal and Computer Modellng, Vol 58, 2013, pp Y P Lao and S S Wang, A secure dynamc ID based remote user authentcaton scheme for mult-server envronment, Computer Standards and Interfaces, Vol 31, 2009, pp I C Ln, M S Hwang, and L H L, A new remote user authentcaton scheme for mult-server archtecture, Future Generaton Computer Systems, Vol 19, 2003, pp S K Sood, A K Sare, and K Sngh, A secure dynamc dentty based authentcaton protocol for mult-server archtecture, Journal of Network and Computer Applcatons, Vol 34, 2011, pp J L Tsa, Effcent mult-server authentcaton scheme based on one-way hash functon wthout verfcaton table, Computers and Securty, Vol 27, 2008, pp Chun-Ta L ( ) receved the PhD degree n Computer Scence and Engneerng from Natonal Chung Hsng Unversty, Tawan, n 2008 He s currently an Assstant Professor of the Department of Informaton Management, Tanan Unversty of Technology, Tanan, Tawan Hs research nterests nclude nformaton securty, wreless sensor networks, moble computng, and securty protocols for ad hoc networks

18 1992 CHUN-TA LE, CHENG-CHI LEE, CHI-YAO WENG AND CHUN-I FAN Cheng-Ch Lee ( ) receved the PhD degree n Computer Scence from Natonal Chung Hsng Unversty, Tawan, n 2007 He s currently an Assocate Professor wth the Department of Lbrary and Informaton Scence at Fu Jen Catholc Unversty Hs current research nterests nclude data securty, cryptography, network securty, moble communcatons and computng, wreless communcatons Ch-Yao Weng ( ) receved the Ph D degree n Computer Scence from Natonal Tsng Hua Unversty, Hsnchu, Tawan, n 2011 He s currently an Assstant Professor wth the Department of Computer Scence at Natonal Pngtung Unversty, Pngtung, Tawan Hs current research nterests nclude data analyss, moble securty, multmeda securty, dgtal rght management and nformaton forenscs Chun-I Fan ( ) receved the PhD degree n Electrcal Engneerng at Natonal Tawan Unversty n 1998 From 1999 to 2003, he was an Assocate Researcher and proect leader of Telecommuncaton Laboratores, Chunghwa Telecom Co, Ltd, Tawan He has been a Full Professor snce 2010 Hs current research nterests nclude appled cryptology, cryptographc protocols, nformaton and communcaton securty