
A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks

Wireless Personal Communications

Abstract

A multi-server authentication scheme is an authentication mechanism in which a remote user can access the services of multiple servers after registering once with the registration center (RC). This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attacks and offline password-guessing attacks. To overcome these vulnerabilities, this study proposes a new password-based multi-server authentication scheme. The proposed protocol introduces a new mechanism for protecting the user's password: instead of the user's password, the RC sends an alternative key that helps the server verify the legitimacy of the user. The values of these keys change with a large random nonce in each session. Therefore, password-guessing attacks cannot succeed against the proposed scheme.

References

  1. Awasthi A. K., Lal S. (2003) A remote user authentication scheme using smart cards with forward secrecy. IEEE Transactions on Consumer Electronics 49(4): 1246–1248

  2. Chang, C. C., Le, H. D., & Chang, C. H. (2012). Novel untraceable authenticated key agreement protocol suitable for mobile communication. Wireless Personal Communications. doi:10.1007/s11277-012-0822-0.

  3. Chen T. H., Hsiang H. C., Shih W. K. (2011) Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Generation Computer Systems 27(4): 377–380

  4. Juang W. S., Nien W. K (2008) Efficient password authenticated key agreement using bilinear pairings. Mathematical and Computer Modelling 47(11–12): 1238–1245

  5. Li C. T. (2011) Smart card based password authentication scheme with user anonymity. Information Technology and Control 40(2): 157–162

  6. Tsai J. L., Wu T. C., Tsai K. Y. (2010) New dynamic ID authentication scheme using smart cards. International Journal of Communication Systems 23(12): 1449–1462

  7. Tsai, J. L., Lo, N. W., & Wu, T. C. (2012). Secure delegation-based authentication protocol for wireless roaming service. IEEE Communications Letters 16, 7, 1100–1102.

  8. Yang J. H., Chang C. C. (2012) A low computational-cost electronic payment scheme for mobile commerce with large-scale mobile users. Wireless Personal Communications 63: 83–99

  9. Marcu, I., Halunga, S, Fratu, O., & Vizireanu, D. (2011). Multiuser systems implementations in fading environments, book chapter in the book. In T. Michalowski (Ed.). Applications of MATLAB in science and engineering (pp. 167–180). ISBN 978-953-307-708-6, InTech, 9 Sept. 2011.

  10. Preda R. O., Vizireanu D. N., Robust A. (2011) Wavelet based video watermarking scheme for copyright protection using the human visual system. Journal of Electronic Imaging 20(1): 013–022

  11. Preda R. O., Vizireanu D. N. (2011) Quantization based video watermarking in the wavelet domain with spatial and temporal redundancy. International Journal of Electronics 98(03): 393–405

  12. Preda R. O., Vizireanu D. N. (2010) A robust digital watermarking scheme for video copyright protection in the wavelet domain. Measurement 43(10): 1720–1726

  13. Voicu, C., Halunga, S., & Vizireanu, D. N. (2011). Performances of conventional and MMSE detectors for image transmissions, telecommunication in modern satellite cable and broadcasting services (TELSIKS), 2011. In 10th Intern. Conf. (Vol. 1, pp. 76–79) 5–8 Oct. 2011.

  14. Li L. H., Lin I. C., Hwang M. S. (2001) A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Network 12(6): 1498–1504

  15. Chang, C. C., & Lee, J. S. (2004). An efficient and secure multi-server password authentication scheme using smart card. In Proc. of the International Conference on Cyberworlds (pp. 417–422).

  16. He, D., & Wu, S. (2012). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications. doi:10.1007/s11277-012-0696-1.

  17. Juang W. S. (2004) Efficient multi-server password authenticated key agreement using smart cards. IEEE Transaction on Consumer Electronics 50(1): 251–255

  18. Lee J. S., Chang Y. F., Chang C. C. (2008) A novel authentication protocol for multi-server architecture without smart cards. International Journal of Innovative Computing, Information and Control 4(6): 1357–1364

  19. Tsai J. L. (2008) Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security 27(3–4): 115–121

  20. Tsai J. L. (2010) Weaknesses and improvement of Hsu-Chuang’s user identification scheme. Information Technology and Control 39(1): 48–50

  21. Wang, B., & Ma, M. (2012). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications. doi:10.1007/s11277-012-0696-1.

  22. Yeh K. H., Lo N. W. (2010) A novel remote user authentication scheme for multi-server environment without using smart cards. International Journal of Innovative Computing Information and Control 6(8): 3467–3478

  23. Ding Y., Horster P. (1995) Undetectable on-line password guessing attacks. ACM Operating Systems Review 29(4): 77–86

  24. Gehringer, E. F. (2002). Choosing passwords: Security and human factors. In IEEE International Symposium on Technology and Society (pp. 369–373) 6–8 June 2002.

  25. Gong L., Lomas M. A., Needham R. M., Saltzer J. H. (1993) Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications 11: 648–656

Corresponding author

Correspondence to Nai-Wei Lo.

About this article

Cite this article

Tsai, JL., Lo, NW. & Wu, TC. A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks. Wireless Pers Commun 71, 1977–1988 (2013). https://doi.org/10.1007/s11277-012-0918-6

  • DOI: https://doi.org/10.1007/s11277-012-0918-6
