Abstract
A multi-server authentication scheme is an authentication mechanism in which a remote user, after registering once with a registration center (RC), can access the services of multiple servers. This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to an undetectable online password-guessing attack and to an offline password-guessing attack. To overcome these vulnerabilities, this study proposes a new password-based multi-server authentication scheme. The proposed protocol introduces a new mechanism for protecting the user's password: instead of the password, the RC sends the server an alternative key with which it verifies the legitimacy of the user. The values of these keys change with a large random nonce in each session, so password-guessing attacks cannot succeed against the proposed scheme.
References
Awasthi A. K., Lal S. (2003) A remote user authentication scheme using smart cards with forward secrecy. IEEE Transactions on Consumer Electronics 49(4): 1246–1248
Chang C. C., Le H. D., Chang C. H. (2012) Novel untraceable authenticated key agreement protocol suitable for mobile communication. Wireless Personal Communications. doi:10.1007/s11277-012-0822-0
Chen T. H., Hsiang H. C., Shih W. K. (2011) Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Generation Computer Systems 27(4): 377–380
Juang W. S., Nien W. K. (2008) Efficient password authenticated key agreement using bilinear pairings. Mathematical and Computer Modelling 47(11–12): 1238–1245
Li C. T. (2011) Smart card based password authentication scheme with user anonymity. Information Technology and Control 40(2): 157–162
Tsai J. L., Wu T. C., Tsai K. Y. (2010) New dynamic ID authentication scheme using smart cards. International Journal of Communication Systems 23(12): 1449–1462
Tsai J. L., Lo N. W., Wu T. C. (2012) Secure delegation-based authentication protocol for wireless roaming service. IEEE Communications Letters 16(7): 1100–1102
Yang J. H., Chang C. C. (2012) A low computational-cost electronic payment scheme for mobile commerce with large-scale mobile users. Wireless Personal Communications 63: 83–99
Marcu I., Halunga S., Fratu O., Vizireanu D. (2011) Multiuser systems implementations in fading environments. In: Michalowski T. (ed) Applications of MATLAB in science and engineering. InTech, 9 Sept. 2011, pp. 167–180. ISBN 978-953-307-708-6
Preda R. O., Vizireanu D. N. (2011) A robust wavelet based video watermarking scheme for copyright protection using the human visual system. Journal of Electronic Imaging 20(1): 013–022
Preda R. O., Vizireanu D. N. (2011) Quantization based video watermarking in the wavelet domain with spatial and temporal redundancy. International Journal of Electronics 98(3): 393–405
Preda R. O., Vizireanu D. N. (2010) A robust digital watermarking scheme for video copyright protection in the wavelet domain. Measurement 43(10): 1720–1726
Voicu C., Halunga S., Vizireanu D. N. (2011) Performances of conventional and MMSE detectors for image transmissions. In: 10th International Conference on Telecommunication in Modern Satellite, Cable and Broadcasting Services (TELSIKS), 5–8 Oct. 2011, Vol. 1, pp. 76–79
Li L. H., Lin I. C., Hwang M. S. (2001) A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Networks 12(6): 1498–1504
Chang C. C., Lee J. S. (2004) An efficient and secure multi-server password authentication scheme using smart card. In: Proceedings of the International Conference on Cyberworlds, pp. 417–422
He D., Wu S. (2012) Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications. doi:10.1007/s11277-012-0696-1
Juang W. S. (2004) Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics 50(1): 251–255
Lee J. S., Chang Y. F., Chang C. C. (2008) A novel authentication protocol for multi-server architecture without smart cards. International Journal of Innovative Computing, Information and Control 4(6): 1357–1364
Tsai J. L. (2008) Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security 27(3–4): 115–121
Tsai J. L. (2010) Weaknesses and improvement of Hsu-Chuang's user identification scheme. Information Technology and Control 39(1): 48–50
Wang B., Ma M. (2012) A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications. doi:10.1007/s11277-012-0696-1
Yeh K. H., Lo N. W. (2010) A novel remote user authentication scheme for multi-server environment without using smart cards. International Journal of Innovative Computing, Information and Control 6(8): 3467–3478
Ding Y., Horster P. (1995) Undetectable on-line password guessing attacks. ACM Operating Systems Review 29(4): 77–86
Gehringer E. F. (2002) Choosing passwords: Security and human factors. In: IEEE International Symposium on Technology and Society, 6–8 June 2002, pp. 369–373
Gong L., Lomas M. A., Needham R. M., Saltzer J. H. (1993) Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications 11: 648–656
Tsai, JL., Lo, NW. & Wu, TC. A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks. Wireless Pers Commun 71, 1977–1988 (2013). https://doi.org/10.1007/s11277-012-0918-6
DOI: https://doi.org/10.1007/s11277-012-0918-6