An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

Xiong Li a,*, Yongping Xiong a, Jian Ma a,b, Wendong Wang a

a State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, PR China
b Wuxi SensingNet Industrialization Research Institute, Wuxi, Jiangsu 214135, PR China
* Corresponding author. Tel.: +86 15010249305. E-mail address: lixiongzhq@163.com (X. Li).

Journal of Network and Computer Applications 35 (2012) 763–769. doi:10.1016/j.jnca.2011.11.009. © 2011 Elsevier Ltd. All rights reserved.

Article history: Received 31 May 2011; received in revised form 22 October 2011; accepted 10 November 2011; available online 20 November 2011.

Keywords: Authentication; Dynamic identity; Smart card; Password; Multi-server architecture

Abstract

Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih’s multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user’s anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.’s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user’s anonymity, mutual authentication, efficiency, and security.

1. Introduction

With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet such as online shopping, online games, distributed electronic medical records systems, etc., which makes life very convenient. In this case, it is a very important issue to authenticate the identity of remote users in a public environment before they can access a service. Users should have proper access rights to access resources at remote systems through the public network environment, and password authentication is one of the simplest and most convenient authentication mechanisms to deal with secret data over insecure networks. Lamport (1981) first proposed a remote password authentication protocol for insecure communication. However, in that protocol, the server must store a password list, and it cannot resist interpolation attacks. Hwang and Li (2000) proposed a remote user authentication protocol using smart cards based on ElGamal’s (1985) public key cryptosystem which does not require storing a password table for authentication. After that, in order to eliminate the security problems and to reduce the communication and computation costs, numerous smart card based single-server authentication protocols using the one-way hash function have been proposed (Fan et al., 2005; Hwang et al., 2010; Lee et al., 2005; Li and Hwang, 2010; Li et al., 2011; Liu et al., 2008; Song, 2010).

However, it is extremely hard for a user to remember these numerous different identities and passwords when he/she uses the single-server authentication protocol to login and access different remote service providing servers. In order to resolve this problem, Li et al. (2001) proposed a remote user authentication protocol using neural networks; their protocol can be compatible with multi-server network architecture without repetitive registration. However, Li et al.’s protocol requires extremely high communication and computation costs since each user must have large memory to store public parameters for authentication. For tackling the efficiency problem of Li et al.’s protocol, Juang (2004) proposed an efficient multi-server password authenticated key agreement protocol based on the hash function and symmetric key cryptosystem. However, Chang and Lee (2004) pointed out that Juang’s (2004) protocol still lacks efficiency since the computation and storage costs of each user are proportional to the number of users and servers; furthermore, if the secret value of the smart card is extracted in some way, Juang’s (2004) protocol is vulnerable to off-line dictionary attack. Therefore, Chang and Lee proposed a novel remote user authentication protocol to remedy these weaknesses. However, their protocol was found vulnerable to insider attack, spoofing attack and registration center spoofing attack. Tsaur et al. (2004) proposed a multi-server authentication protocol based on the RSA cryptosystem and Lagrange interpolation polynomial. However, Tsaur et al.’s protocol is also not efficient because it needs high communication and computation costs. Tsai (2008) also proposed an efficient multi-server authentication protocol without a verification table. Tsai’s protocol only uses the nonce and one-way hash function; it is very suitable to be used in the distributed network environment because of its low computation costs.

However, all the above password authentication protocols for multi-server architecture are based on static ID, which gives the adversary a chance to trace the legal user. Liao and Wang (2009) proposed a dynamic identity based remote user authentication protocol for multi-server architecture. They claimed that their protocol can resist various attacks and can achieve mutual authentication. However, Hsiang and Shih (2009) pointed out that Liao–Wang protocol is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center spoofing attack, and it is not reparable. Besides, Liao–Wang protocol cannot achieve mutual authentication. To solve these problems, Hsiang and Shih (2009) proposed an improved protocol on Liao–Wang (2009) protocol. Recently, Sood et al. (2011) pointed out that Hsiang and Shih’s protocol is still not secure. They found that Hsiang–Shih (2009) protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Furthermore, the password change phase of their protocol is wrong. To overcome these security flaws, Sood et al. proposed a secure dynamic identity based authentication protocol. Sood et al. claimed their protocol can achieve user’s anonymity and can resist different kinds of attacks. However, through careful analysis, we find that Sood et al.’s (2011) protocol is vulnerable to leak-of-verifier attack (an attacker who steals the password-verifier from the server can get some useful information or can use the leaked verifier to impersonate a legal user to login to the system) and stolen smart card attack (if the user’s smart card is lost or stolen, the attacker can extract the information stored in the smart card and can easily change the password of the smart card, or can guess the password of the user by using password guessing attacks, or can impersonate the user to login to the system). Furthermore, their protocol has a fatal mistake which means it cannot complete the mutual authentication and session key agreement. Therefore, we propose an efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.

The rest of the paper is organized as follows: in Section 2, we provide a brief review of Sood et al.’s (2011) protocol. Section 3 points out the security weaknesses of Sood et al.’s protocol. The proposed protocol and corresponding protocol analysis are presented in Sections 4 and 5, respectively. Finally, we draw our conclusions in Section 6.

Table 1. Notations used in this paper.

| Notation | Description |
|---|---|
| $U_i$ | The $i$th user |
| $S_k$ | The $k$th service providing server |
| CS | The control server |
| $ID_i$ | The identity of the user $U_i$ |
| $P_i$ | The password of the user $U_i$ |
| $SID_k$ | The identity of the server $S_k$ |
| $y_i$ | The random number chosen by CS for user $U_i$ |
| $x$ | The master secret key maintained by CS |
| $b$ | A random number chosen by the user for registration |
| $CID_i$ | The dynamic identity generated by the user $U_i$ for authentication |
| $SK$ | A session key shared among the user, the service providing server and the CS |
| $N_{i1}$ | A random number generated by the user $U_i$’s smart card |
| $N_{i2}$ | A random number generated by the server $S_k$ for the user $U_i$ |
| $N_{i3}$ | A random number generated by the CS for the user $U_i$ |
| $h(\cdot)$ | A one-way hash function |
| $\oplus$ | Exclusive-OR operation |
| $\parallel$ | Message concatenation operation |

2. Overview of Sood et al.’s scheme

The notations used throughout this paper are summarized in Table 1. For a detailed analysis, we review Sood et al.’s (2011) dynamic identity based authentication protocol for multi-server architecture. There are three parties in Sood et al.’s protocol, i.e., the user, the service providing server, and the control server CS. The control server CS is equivalent to the registration center, and it is not directly accessible to the users and thus it is less likely to be attacked. Their protocol contains four phases, i.e., the registration phase, the login phase, the authentication and session key agreement phase, and the password change phase. We show the protocol in Fig. 1 and more details are provided as follows.

2.1. Registration phase

When the user $U_i$ wants to become a legal client to access the services, the user must register himself/herself to the CS; at the same time, the service providing servers register themselves with the CS. The details of the registration phase are as follows:

Step 1: The user $U_i$ chooses a random number $b$, then computes $A_i = h(ID_i \parallel b)$, $B_i = h(b \oplus P_i)$ and submits $A_i$, $B_i$ to the control server CS via a secure communication channel.

Step 2: After receiving the messages $A_i$, $B_i$, the CS computes $F_i = A_i \oplus y_i$, $G_i = B_i \oplus h(y_i) \oplus h(x)$ and $C_i = A_i \oplus h(y_i) \oplus x$, where $x$ is the master secret key of the CS and $y_i$ is a unique random number chosen by the CS for the user $U_i$. At the same time, the CS stores $(C_i, y_i \oplus x)$ in its client’s database. Then the CS stores the security parameters $(F_i, G_i, h(\cdot))$ in the user’s smart card and sends the smart card to the user $U_i$ through a secure channel.

Step 3: After receiving the smart card, the user $U_i$ computes $D_i = b \oplus h(ID_i \parallel P_i)$, $E_i = h(ID_i \parallel P_i) \oplus P_i$ and enters the values of $D_i$ and $E_i$ in his/her smart card. Finally, the smart card contains the security parameters $(D_i, E_i, F_i, G_i, h(\cdot))$.

The service providing server $S_k$ registers itself under the identity $SID_k$ with the CS and agrees on a unique secret key $SK_k$ with the CS. The server $S_k$ remembers $SK_k$ and the CS stores $(SID_k, SK_k \oplus h(x \parallel SID_k))$ in its server’s database.

2.2. Login phase

Step 1: When the user $U_i$ wants to login to the server $S_k$, the user $U_i$ inserts his/her smart card into a card reader and inputs his/her identity $ID_i^*$, password $P_i^*$ and the server’s identity $SID_k$. The smart card computes $E_i^* = h(ID_i^* \parallel P_i^*) \oplus P_i^*$ and checks whether $E_i^* = E_i$, where the value of $E_i$ is stored in the smart card. If they are equal, it means the $U_i$ is a legal user.

Step 2: After verifying the validity of the user, the smart card generates a random number $N_{i1}$, and computes $b = D_i \oplus h(ID_i \parallel P_i)$, $A_i = h(ID_i \parallel b)$, $B_i = h(b \oplus P_i)$, $y_i = F_i \oplus A_i$, $h(x) = G_i \oplus B_i \oplus h(y_i)$, $Z_i = h^2(x) \oplus N_{i1}$, $CID_i = A_i \oplus h(y_i) \oplus h(x) \oplus N_{i1}$ and $M_i = h(h(x) \parallel y_i \parallel SID_k \parallel N_{i1})$. Then, the smart card sends the login request message $(SID_k, Z_i, CID_i, M_i)$ to the server $S_k$ over a public channel.

2.3. Authentication and session key agreement phase

Step 1: After receiving the login request from the user $U_i$, the server $S_k$ chooses a random number $N_{i2}$, and computes $R_i = N_{i2} \oplus SK_k$. Then, the server $S_k$ sends the login request message $(SID_k, Z_i, CID_i, M_i, R_i)$ to the CS.

Step 2: The CS first extracts $SK_k$ from $SK_k \oplus h(x \parallel SID_k)$ by using $x$ and $SID_k$. Then the CS computes $N_{i1} = Z_i \oplus h^2(x)$, $N_{i2} = R_i \oplus SK_k$, $C_i^* = CID_i \oplus N_{i1} \oplus h(x) \oplus x$, and finds the matching value of $C_i$ corresponding to $C_i^*$ from its client database. If the value of $C_i^*$ does not match with any value of $C_i$ in its client database, the CS rejects the login request and terminates this session. Otherwise, the CS performs step 3.

Step 3: The CS extracts $y_i$ from $y_i \oplus x$ corresponding to $C_i^*$ from its client database. Then the CS computes $M_i^* = h(h(x) \parallel y_i \parallel SID_k \parallel N_{i1})$ and compares $M_i^*$ with the received value of $M_i$ to verify the legitimacy of the user $U_i$ and the server $S_k$. If they are equal, the CS accepts the login request. Otherwise, the session is terminated.

Step 4: If step 3 is achieved, the CS generates a random number $N_{i3}$, and computes

$$K_i = N_{i1} \oplus N_{i3} \oplus h(SK_k \parallel N_{i2}),$$

$$X_i = h(ID_i \parallel y_i \parallel N_{i1}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3}),$$

$$V_i = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \parallel h(ID_i \parallel y_i \parallel N_{i1})],$$

$$T_i = N_{i2} \oplus N_{i3} \oplus h(y_i \parallel ID_i \parallel h(x) \parallel N_{i1})$$

and sends the mutual authentication message $(K_i, X_i, V_i, T_i)$ back to the server $S_k$.

Step 5: Upon receiving the authentication message $(K_i, X_i, V_i, T_i)$ from the control server CS, the server $S_k$ computes $N_{i1} \oplus N_{i3} = K_i \oplus h(SK_k \parallel N_{i2})$ from $K_i$, and $h(ID_i \parallel y_i \parallel N_{i1}) = X_i \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$. Then the server $S_k$ computes $V_i^* = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \parallel h(ID_i \parallel y_i \parallel N_{i1})]$ and compares $V_i^*$ with the received value of $V_i$ to verify the legitimacy of the CS.

Step 6: The server $S_k$ sends $(V_i, T_i)$ to the smart card of the user $U_i$. The smart card computes $N_{i2} \oplus N_{i3} = T_i \oplus h(y_i \parallel ID_i \parallel h(x) \parallel N_{i1})$, $V_i^* = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \parallel h(ID_i \parallel y_i \parallel N_{i1})]$ and checks $V_i^* \stackrel{?}{=} V_i$. If it holds, the legitimacy of the CS and the $S_k$ are authenticated, else the connection is interrupted. Finally, the user $U_i$’s smart card, the server $S_k$ and the CS agree on the common session key $SK = h(h(ID_i \parallel y_i \parallel N_{i1}) \parallel (N_{i1} \oplus N_{i2} \oplus N_{i3}))$.

Fig. 1. Sood et al.’s protocol.

2.4. Password change phase

The user $U_i$ can change his password without the help of the CS. When the user $U_i$ wants to change his password, the user $U_i$ inserts the smart card into a card reader and enters his identity $ID_i^*$ and password $P_i^*$. The smart card computes $E_i^* = h(ID_i^* \parallel P_i^*) \oplus P_i^*$ and checks whether $E_i^* = E_i$. If $E_i$ is valid, the smart card computes the value of $b$, $h(y_i)$, $h(x)$ and the card holder inputs a new password $P_i^{new}$, then the smart card computes $D_i^{new} = b \oplus h(ID_i \parallel P_i^{new})$, $E_i^{new} = h(ID_i \parallel P_i^{new}) \oplus P_i^{new}$ and $G_i^{new} = h(b \oplus P_i^{new}) \oplus h(y_i) \oplus h(x)$. Finally, the smart card stores $D_i^{new}$, $E_i^{new}$, $G_i^{new}$ on the smart card to replace $D_i$, $E_i$, $G_i$, which completes the password change process.

3. Protocol analysis

Although Sood et al. claimed that their protocol can resist many types of attacks, this is not actually the case. In this section, we analyze the security weaknesses and the correctness of Sood et al.’s protocol. Through careful analysis, we find that Sood et al.’s protocol cannot resist leak-of-verifier attack and stolen smart card attack as they claimed. Furthermore, there is a fatal error in Sood et al.’s authentication protocol which means that the three parties cannot complete the authentication and session key agreement process. The detailed analysis is described as follows.

3.1. Leak-of-verifier attack

As shown in Sood et al.’s protocol, the control server CS stores $y_i \oplus x$ corresponding to $C_i = A_i \oplus h(y_i) \oplus x$ in its client’s database, and stores $SK_k \oplus h(x \parallel SID_k)$ corresponding to server identity $SID_k$ in its service providing server’s database. Sood et al. claimed that the attacker cannot compute the values of $x$ and $y_i$ from the verifier information stored on the control server, and cannot calculate user’s identity and password, so their protocol is secure against leak-of-verifier attack. However, we find this is not actually the case, and under the condition that the malicious privileged user accesses the control server CS, he/she can perform the leak-of-verifier attack as below.

As in Sood et al.’s analysis of Hsiang and Shih’s protocol, we also suppose that a malicious privileged user $U_k$ having his own smart card can gather information $(D_k, E_k, F_k, G_k, h(\cdot))$ from his own smart card. Using his identity $ID_k$, password $P_k$ and the smart card information, he can compute $b_k = D_k \oplus h(ID_k \parallel P_k)$, $A_k = h(ID_k \parallel b_k)$, $y_k = F_k \oplus A_k$, $B_k = h(b_k \oplus P_k)$, $h(x) = G_k \oplus B_k \oplus h(y_k)$, so he can get $y_k$ and $h(x)$. If the data $(y_i \oplus x, C_i = A_i \oplus h(y_i) \oplus x)$ which are stored in CS’s client database are leaked to the malicious privileged user $U_k$, the malicious user $U_k$ can get $x$ from $y_k$, $h(x)$ and all $y_i \oplus x$, then he can get the data pairs $(y_i, A_i)$ from $x$, $y_i \oplus x$ and $C_i = A_i \oplus h(y_i) \oplus x$. With the data pairs $(y_i, A_i)$ and the $h(x)$ value, the malicious user $U_k$ can forge a valid login message of the user $U_i$. First, the malicious user $U_k$ generates a random number $N_{i1}'$, and computes $CID_i' = A_i \oplus h(y_i) \oplus h(x) \oplus N_{i1}'$, $M_i' = h(h(x) \parallel y_i \parallel SID_j \parallel N_{i1}')$, $Z_i' = h^2(x) \oplus N_{i1}'$, then the malicious user $U_k$ submits the forged login message $(SID_j, Z_i', CID_i', M_i')$ to the server $S_j$. After receiving the login message $(SID_j, Z_i', CID_i', M_i')$, the $S_j$ generates a random number $N_{i2}$ and computes $R_i = N_{i2} \oplus SK_j$, then the $S_j$ submits the login request message $(SID_j, Z_i', CID_i', M_i', R_i)$ to the control server CS. Upon receiving the message $(SID_j, Z_i', CID_i', M_i', R_i)$, the CS extracts $SK_j$ from $SK_j \oplus h(x \parallel SID_j)$, and computes $N_{i1}' = Z_i' \oplus h^2(x)$, $N_{i2} = R_i \oplus SK_j$, $C_i^* = CID_i' \oplus N_{i1}' \oplus h(x) \oplus x = A_i \oplus h(y_i) \oplus x = C_i$, so the CS extracts $y_i$ from $y_i \oplus x$ corresponding to $C_i^*$ from its client database. Then the CS computes $M_i^* = h(h(x) \parallel y_i \parallel SID_j \parallel N_{i1}') = M_i'$, so the CS accepts the login request, and the legitimacy of the user $U_i$ and the server $S_j$ are authenticated. So if the verifier information which is stored in the CS was leaked, the malicious privileged user $U_k$ not only can calculate $x$ and $y_i$, but also can perform an impersonation attack.

3.2. Stolen smart card attack

In Sood et al.’s protocol security analysis, they claimed that even if the smart card was stolen and the information was extracted by an attacker, the attacker cannot guess two parameters out of $ID_i$, $h(x)$, $y_i$ and $P_i$ correctly at the same time. However, we find it is not true when we look back at the protocol. As shown in the leak-of-verifier attack, the malicious privileged user $U_k$ having his own smart card can gather information $(D_k, E_k, F_k, G_k, h(\cdot))$ stored in his own smart card and can get $h(x)$ from this information. Suppose $(SID_j, Z_i, CID_i, M_i)$ was a previously valid login message launched by user $U_i$ which was eavesdropped by the malicious user $U_k$. Then the user $U_k$ can compute $N_{i1} = Z_i \oplus h^2(x)$, $A_i \oplus h(y_i) = CID_i \oplus h(x) \oplus N_{i1}$. In case the user $U_i$’s smart card was stolen by the malicious user $U_k$, he can extract the information $(D_i, E_i, F_i, G_i, h(\cdot))$. Then, the malicious user $U_k$ can compute $b_i \oplus P_i = D_i \oplus E_i$, $h(b_i \oplus P_i) = B_i$, $h(y_i) = G_i \oplus B_i \oplus h(x)$, so he can compute $A_i = h(y_i) \oplus (A_i \oplus h(y_i))$, and gets $y_i = F_i \oplus A_i$. According to the above analysis, when the user’s smart card was stolen by the malicious privileged user $U_k$, then he can compute $h(x)$ and $y_i$ correctly at the same time. Furthermore, with the information $h(x)$, $A_i$ and $y_i$, the malicious user $U_k$ can forge a valid login request message of user $U_i$ as shown in Section 3.1. So, Sood et al.’s protocol cannot resist the stolen smart card attack as they claimed.
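The algebra of Sections 3.1 and 3.2 can be checked mechanically. The following is an added example, not code from the paper or from Sood et al.: it models the registration and login computations of Section 2 and confirms that the values the protocol relies on being hidden ($x$, $y_i$, $A_i$) follow from the XOR relations stated above. SHA-256 as $h(\cdot)$, 32-byte random values, zero-padded passwords, and all function, class and user names are assumptions of the example.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of parts (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    """XOR of any number of 32-byte strings."""
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def pad(pw: bytes) -> bytes:
    """Assumed encoding: passwords zero-padded to 32 bytes so b XOR P is defined."""
    return pw.ljust(32, b"\0")

class SoodCS:
    """Control server of Section 2.1 with its client verifier table."""
    def __init__(self):
        self.x = secrets.token_bytes(32)      # master secret x
        self.client_db = []                   # rows (C_i, y_i XOR x)

    def register(self, A, B):
        y = secrets.token_bytes(32)           # per-user random number y_i
        self.client_db.append((xor(A, h(y), self.x), xor(y, self.x)))
        return {"F": xor(A, y), "G": xor(B, h(y), h(self.x))}

def issue_card(cs, ident, pw):
    """Registration steps 1-3: the card ends up holding (D, E, F, G)."""
    b, P = secrets.token_bytes(32), pad(pw)
    card = cs.register(h(ident, b), h(xor(b, P)))
    card["D"] = xor(b, h(ident, P))
    card["E"] = xor(h(ident, P), P)
    return card

def card_secrets(card, ident, pw):
    """What any registered holder derives from the own card: A, y and h(x)."""
    P = pad(pw)
    b = xor(card["D"], h(ident, P))
    A = h(ident, b)
    y = xor(card["F"], A)
    return A, y, xor(card["G"], h(xor(b, P)), h(y))

def login_message(card, ident, pw, sid):
    """Login request (SID, Z, CID, M) of Section 2.2."""
    A, y, hx = card_secrets(card, ident, pw)
    n1 = secrets.token_bytes(32)
    return sid, xor(h(hx), n1), xor(A, h(y), hx, n1), h(hx, y, sid, n1)

def unmask_verifier_table(y_k, hx, rows):
    """Section 3.1: y_k XOR (y_k XOR x) = x; h(x) identifies the right row.
    With x known, every row yields its pair (y_i, A_i)."""
    x = next((xor(m, y_k) for _, m in rows if h(xor(m, y_k)) == hx), None)
    if x is None:
        return None, []
    return x, [(xor(m, x), xor(C, h(xor(m, x)), x)) for C, m in rows]

def unmask_card(card_i, observed_login, hx):
    """Section 3.2: card contents of U_i plus one observed login and h(x)."""
    _, Z, CID, _ = observed_login
    n1 = xor(Z, h(hx))                        # N_i1 = Z_i XOR h^2(x)
    B = h(xor(card_i["D"], card_i["E"]))      # D_i XOR E_i = b_i XOR P_i
    hy = xor(card_i["G"], B, hx)              # h(y_i)
    A = xor(hy, CID, hx, n1)                  # A_i
    return xor(card_i["F"], A), A             # (y_i, A_i)

def check_sections_3_1_and_3_2():
    cs = SoodCS()
    card_i = issue_card(cs, b"alice", b"pw-i")      # constructed user U_i
    card_k = issue_card(cs, b"mallory", b"pw-k")    # constructed privileged user U_k
    A_i, y_i, _ = card_secrets(card_i, b"alice", b"pw-i")   # ground truth
    _, y_k, hx = card_secrets(card_k, b"mallory", b"pw-k")
    x, pairs = unmask_verifier_table(y_k, hx, cs.client_db)
    login = login_message(card_i, b"alice", b"pw-i", b"S1")
    return {"x_exposed": x == cs.x,
            "pair_from_table": pairs[0] == (y_i, A_i),
            "pair_from_card": unmask_card(card_i, login, hx) == (y_i, A_i)}

if __name__ == "__main__":
    print(check_sections_3_1_and_3_2())
```

All three checks come out true because $h(x)$ is the same for every card and the table masks the master key $x$ only with $y_i$, a value each registered user can compute from his or her own card.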

3.3. Incorrect authentication and session key agreement phase

In the registration phase of Sood et al.’s protocol, the user $U_i$ submits $A_i$ and $B_i$ rather than the true identity $ID_i$ to the CS for registration, and the CS does not store the user’s real identity in its client’s database. As shown in the identity protection analysis of Sood et al.’s protocol, instead of sending the real identity $ID_i$ of the user $U_i$ for authentication, the pseudo identification $CID_i = A_i \oplus h(y_i) \oplus h(x) \oplus N_{i1}$ is generated by user $U_i$’s smart card for its authentication to the service providing server $S_k$ and the control server CS. There is no real identity information about the user during the login and authentication and session key agreement phase. That is to say, there is no way for the server $S_k$ and the control server CS to get the real identity $ID_i$ of the user $U_i$ throughout any phases of Sood et al.’s protocol, so the $S_k$ and the CS cannot compute and verify any verification information using the real identity of the user $U_i$ in the authentication and session key agreement phase. However, in step 4 of the authentication and session key agreement phase of Sood et al.’s protocol, the control server CS computes the mutual authentication information:

$$X_i = h(ID_i \parallel y_i \parallel N_{i1}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3}),$$

$$V_i = h[h(N_{i1} \oplus N_{i2} \oplus N_{i3}) \parallel h(ID_i \parallel y_i \parallel N_{i1})],$$

$$T_i = N_{i2} \oplus N_{i3} \oplus h(y_i \parallel ID_i \parallel h(x) \parallel N_{i1}),$$

using the real identity $ID_i$ of the user $U_i$, and this is a contradiction. So, actually, the authentication and session key agreement phase of Sood et al.’s protocol is incorrect since there is no way for the server $S_k$ and the control server CS to know the real identity $ID_i$ of the user $U_i$, and we think this is a fatal mistake of this protocol.

4. The proposed scheme

In this section, we propose an efficient and security protocol to avoid the security flaws of Sood et al.’s protocol. Our protocol also involves three participants, i.e., the user $(U_i)$, the service providing server $(S_j)$ and the control server (CS). It is assumed that CS is a trusted party responsible for the registration and authentication of the $U_i$ and $S_j$. CS chooses the master secret key $x$ and a secret number $y$. When a service providing server $S_j$ registers itself with CS using its identity $SID_j$, the control server CS computes $h(SID_j \parallel y)$ and $h(x \parallel y)$, then the control server CS shares $h(x \parallel y)$ with $S_j$ and submits $h(SID_j \parallel y)$ to the $S_j$ through a secure channel. There are four phases in our protocol: the registration phase, the login phase, the authentication and session key agreement phase, and the password change phase. Detailed steps of these phases are described as follows and are shown in Fig. 2.

4.1. Registration phase

When the user $U_i$ wants to access the services, he/she has to submit his/her identity $ID_i$ and password information to CS for registration. The steps of the registration phase are as follows:

Step 1: The user $U_i$ freely chooses his/her identity $ID_i$ and password $P_i$, and chooses a random number $b$. Then $U_i$ computes $A_i = h(b \parallel P_i)$, and submits $ID_i$ and $A_i$ to the control center CS for registration via a secure channel. This secure channel ensures that the transmitted user identity $ID_i$ in plaintext can avoid the network attacks such as impersonation attack.

Step 2: After receiving the message $ID_i$ and $A_i$, the control server CS computes $B_i = h(ID_i \parallel x)$, $C_i = h(ID_i \parallel h(y) \parallel A_i)$, $D_i = B_i \oplus h(ID_i \parallel A_i)$, $E_i = B_i \oplus h(y \parallel x)$, then the CS stores $(C_i, D_i, E_i, h(\cdot), h(y))$ in $U_i$’s smart card and submits the smart card to the user $U_i$ via a secure channel.

Step 3: When receiving the smart card, the user $U_i$ enters $b$ into the smart card. At last, the smart card contains parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$.

Fig. 2. The proposed protocol.

4.2. Login phase

Step 1: When the user $U_i$ wants to login to the server $S_j$, the user $U_i$ inserts his smart card into a card reader and inputs his identity $ID_i$, password $P_i$ and the server’s identity $SID_j$. The smart card computes $A_i = h(b \parallel P_i)$ and $C_i' = h(ID_i \parallel h(y) \parallel A_i)$, and checks whether $C_i' = C_i$. If they are equal, it means the $U_i$ is a legal user.

Step 2: After verification, the smart card generates a random number $N_{i1}$, and computes $B_i = D_i \oplus h(ID_i \parallel A_i)$, $F_i = h(y) \oplus N_{i1}$, $P_{ij} = E_i \oplus h(h(y) \parallel N_{i1} \parallel SID_j)$, $CID_i = A_i \oplus h(B_i \parallel F_i \parallel N_{i1})$, $G_i = h(B_i \parallel A_i \parallel N_{i1})$. Then, the smart card sends the login request message $(F_i, G_i, P_{ij}, CID_i)$ to the server $S_j$ over a public channel.

4.3. Authentication and session key agreement phase

Step 1: After receiving the login request from the user Ui, theserver Sj chooses a random number Ni2, and computes Ki ¼

hðSIDjJyÞ � Ni2 and Mi ¼ hðhðxJyÞJNi2Þ. Then the server Sj sendsthe login request message ðFi,Gi,Pij,CIDi,SIDj,Ki,MiÞ to the CS.

Step 2: When receiving the login request message ðFi,Gi,Pij,CIDi,SIDj,Ki,MiÞ, the CS computes Ni2 ¼ Ki � hðSIDjJyÞ, M0i ¼

hðhðxJyÞJNi2Þ, and checks whether M0i equal to the received Mi. Ifthey are equal, the validity of the server Sj is verified by the controlserver CS. Otherwise, the CS terminates the session.

Step 3: The control server CS computes Ni1 ¼ Fi � hðyÞ, Bi ¼

Pij � hðhðyÞJNi1JSIDjÞ � hðyJxÞð ¼ Ei � hðyJxÞÞ,Ai ¼ CIDi � hðBiJFiJNi1Þ, G0i ¼ hðBiJAiJNi1Þ, and checks G0i ¼

?Gi. If they

are equal, the validity of the user Ui is verified by the controlserver CS. Otherwise the CS terminates the session.

Step 4: The control server CS generates a random number Ni3, andcomputes Qi ¼Ni1 � Ni3 � hðSIDjJNi2Þ, Ri ¼ hðAiJBiÞ � hðNi1 � Ni2�

Ni3Þ, Vi ¼ hðhðAiJBiÞJhðNi1 � Ni2 � Ni3ÞÞ, Ti ¼Ni2 � Ni3 � hðAiJBiJ

Ni1Þ. Then, the control server CS submits ðQi,Ri,Vi,TiÞ as the mutualauthentication message to the server Sj.

Step 5: When receiving the authentication message $(Q_i, R_i, V_i, T_i)$ from the control server CS, the server $S_j$ computes $N_{i1} \oplus N_{i3} = Q_i \oplus h(SID_j \| N_{i2})$, $h(A_i \| B_i) = R_i \oplus h(N_{i1} \oplus N_{i3} \oplus N_{i2})$, $V'_i = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i3} \oplus N_{i2}))$, and checks $V'_i \stackrel{?}{=} V_i$. If they are not equal, the server $S_j$ terminates the session. On the contrary, if they are equal, the legitimacy of the control server CS is verified by the server $S_j$. Then the server $S_j$ submits the message $(V_i, T_i)$ to the user $U_i$.

Step 6: Upon receiving the message $(V_i, T_i)$ from the server $S_j$, the smart card computes $N_{i2} \oplus N_{i3} = T_i \oplus h(A_i \| B_i \| N_{i1})$, $V'_i = h(h(A_i \| B_i) \| h(N_{i2} \oplus N_{i3} \oplus N_{i1}))$, and checks $V'_i \stackrel{?}{=} V_i$. If they are not equal, the user $U_i$ terminates the session. On the contrary, if they are equal, the legitimacy of the control server CS and the server $S_j$ are verified by the user $U_i$.

Finally, the user $U_i$, the server $S_j$ and the control server CS agree on a common session key $SK = h(h(A_i \| B_i) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))$.
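
The message flow of Sections 4.2 and 4.3, traced end to end as an added example (not code from the paper). SHA-256 stands in for $h(\cdot)$ and nonces are 32 random bytes; `register`, `run_session`, the `c`/`s`/`u` prefixes (values recomputed by the CS, the server and the card) and the sample identities are assumptions of this example. The relations $D_i = B_i \oplus h(ID_i \| A_i)$ and $E_i = B_i \oplus h(y \| x)$ are read off the login and Step 3 equations, with $B_i$ modelled as a random per-user secret.

```python
import functools, hashlib, hmac, os

def h(*parts):   # h(a || b || ...); SHA-256 stands in for the paper's h(.)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):  # XOR of equal-length (32-byte) values
    return bytes(functools.reduce(lambda a, b: a ^ b, col) for col in zip(*vals))

def check(got, want, who):  # constant-time comparison for every "=?" test
    if not hmac.compare_digest(got, want):
        raise ValueError(who + " check failed")

def register(ID, P, x, y):
    # Assumption: B_i is modelled as a random per-user secret fixed at registration.
    b, B = os.urandom(32), os.urandom(32)
    A = h(b, P)
    return {"C": h(ID, h(y), A), "D": xor(B, h(ID, A)),
            "E": xor(B, h(y, x)), "hy": h(y), "b": b}

def run_session(card, ID, P, SID, x, y):
    A = h(card["b"], P)                       # 4.2 Step 1: card-local check
    check(h(ID, card["hy"], A), card["C"], "card")
    N1 = os.urandom(32)                       # 4.2 Step 2: (F, G, Pij, CID)
    B = xor(card["D"], h(ID, A))
    F, Pij = xor(card["hy"], N1), xor(card["E"], h(card["hy"], N1, SID))
    CID, G = xor(A, h(B, F, N1)), h(B, A, N1)
    N2 = os.urandom(32)                       # 4.3 Step 1: S_j holds only the two hashes
    K, M = xor(h(SID, y), N2), h(h(x, y), N2)
    cN2 = xor(K, h(SID, y))                   # Step 2: CS verifies S_j
    check(h(h(x, y), cN2), M, "CS: server")
    cN1 = xor(F, h(y))                        # Step 3: CS recovers B_i, A_i
    cB = xor(Pij, h(h(y), cN1, SID), h(y, x))
    cA = xor(CID, h(cB, F, cN1))
    check(h(cB, cA, cN1), G, "CS: user")
    N3 = os.urandom(32)                       # Step 4: CS reply (Q, R, V, T)
    cn, chab = xor(cN1, cN2, N3), h(cA, cB)
    Q, R = xor(cN1, N3, h(SID, cN2)), xor(chab, h(cn))
    V, T = h(chab, h(cn)), xor(cN2, N3, h(cA, cB, cN1))
    sn = xor(Q, h(SID, N2), N2)               # Step 5: S_j verifies CS
    shab = xor(R, h(sn))
    check(h(shab, h(sn)), V, "server: CS")
    un = xor(T, h(A, B, N1), N1)              # Step 6: card verifies CS and S_j
    check(h(h(A, B), h(un)), V, "card: CS")
    return h(h(A, B), un), h(shab, sn), h(chab, cn)  # SK at U_i, S_j, CS

if __name__ == "__main__":
    x, y = os.urandom(32), os.urandom(32)     # constructed CS secrets
    sks = run_session(register(b"alice", b"pw", x, y), b"alice", b"pw", b"S1", x, y)
    print("session keys agree:", len(set(sks)) == 1)
```

Each party derives $SK$ only from values it holds or recovers from received messages, so a card whose $E_i$ does not match the CS secrets passes the card-local check but is rejected at Step 3.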

4.4. Password change phase

This phase is invoked whenever $U_i$ wants to change his/her password $P_i$ to a new password $P_i^{new}$ without the help of the control server CS. The user $U_i$ inserts his smart card into a card reader and enters his identity $ID_i$ and password $P_i$. The smart card computes $A_i = h(b \| P_i)$, $B_i = D_i \oplus h(ID_i \| A_i)$ and $C'_i = h(ID_i \| h(y) \| A_i)$, and checks whether $C'_i = C_i$. If they are equal, the user $U_i$ is asked to submit a new password $P_i^{new}$. Then, the smart card computes $A_i^{new} = h(b \| P_i^{new})$, $C_i^{new} = h(ID_i \| h(y) \| A_i^{new})$, $D_i^{new} = B_i \oplus h(ID_i \| A_i^{new})$, and stores $C_i^{new}, D_i^{new}$ into the smart card to replace $C_i, D_i$ to finish the password change phase.

5. Protocol analysis

In this section, we discuss the security features of the proposed dynamic identity based multi-server authentication protocol. Then we evaluate the performance and functionality of our proposed protocol and make comparisons with some related dynamic identity based multi-server authentication protocols.

5.1. Replay attack

An attacker may attempt to pretend to be a valid user to log in to the server by sending messages previously transmitted by a legal user. In each session of our protocol, the user $U_i$, the server $S_j$ and the control server CS choose different nonce values $N_{i1}, N_{i2}, N_{i3}$, respectively, to compute and verify the authentication message, which ensures that authentication messages exposed in an insecure channel are distinct among different sessions and valid for that session only. Thus, an attacker has no way to successfully replay used messages.

5.2. Impersonation attack

In this type of attack, the attacker or a malicious user forges a valid login request $(F_i, G_i, P_{ij}, CID_i)$ to impersonate a legitimate user using the previously eavesdropped messages or the information obtained from the lost smart card. However, in our protocol, the attacker and any malicious user $U_k$ cannot compute $P_{ij} = E_i \oplus h(h(y) \| N_{i1} \| SID_j)$, $CID_i = A_i \oplus h(B_i \| F_i \| N_{i1})$, $G_i = h(A_i \| B_i \| N_{i1})$ since he/she is without the knowledge of $A_i$, $B_i$, $E_i$, so he/she cannot impersonate the legitimate user $U_i$.

In addition, even if the adversary or a malicious user has obtained the smart card of user $U_i$ and extracts the parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$ which are stored in the smart card by some way, he/she cannot use the parameters $(C_i, D_i, E_i, h(\cdot), h(y), b)$ to compute $A_i$, $B_i$ since he/she has no way to get the valid $ID_i$, $P_i$ and the master secret key $x$, which are all protected by the one-way hash function, and he/she cannot forge a valid login request message $(F_i, G_i, P_{ij}, CID_i)$.

Therefore, the proposed protocol is secure against the impersonation attack. Also, since the attacker cannot get the valid $ID_i$, $P_i$, the proposed protocol can resist the denial of service attack.

5.3. Stolen smart card attack

We assume that the user $U_i$’s smart card has been lost or stolen, so that the attacker can breach the information $(C_i, D_i, E_i, h(\cdot), h(y), b)$ which is stored in the smart card. Since $x$ and $y$ are unknown to the attacker, he/she cannot guess $ID_i$ and $P_i$ from the breached information. So the attacker cannot derive or update the user $U_i$’s password. In addition, he/she cannot compute $A_i$, $B_i$ and cannot perform the impersonation attack using the lost or stolen smart card. Therefore, the protocol can resist the stolen smart card attack.

5.4. Leak-of-verifier attack

In Sood et al.’s protocol, if the verifier information which is stored in the CS was stolen by the malicious privileged user $U_k$, he/she not only can calculate the master secret key $x$ and secret random number $y_i$, but also can perform an impersonation attack. Our proposed protocol addresses this very specific attack. In our proposed protocol, there is no verifier information stored on the control server CS side, so even the malicious privileged user cannot get any useful information from the CS, and cannot impersonate a legal user to log in to the system. On the service providing server side, if the malicious privileged user has accessed the memory of the server $S_k$, and gets the information $h(SID_k \| y)$ and $h(x \| y)$, since the identity $SID_k$ of the $S_k$ is protected by the one-way hash function, he/she cannot determine which SID corresponds to $h(SID_k \| y)$ and cannot forge a valid login message $(F_i, G_i, P_{ik}, CID_i, SID_k, K_i, M_i)$. Therefore, the malicious privileged user cannot impersonate a service providing server. Based on the above two points, we can say that our proposed protocol can resist the leak-of-verifier attack.

5.5. User’s anonymity

In the registration phase, a secure channel between the user and the control server CS is used to protect the user’s identity from disclosure. In the login phase of the proposed protocol, the user $U_i$ submits the masked identity $CID_i = A_i \oplus h(B_i \| F_i \| N_{i1})$ as a substitute for the real identity $ID_i$ for its authentication to the service providing server $S_j$ and the control server CS. The authentication and session key agreement of the proposed scheme is based on computation of the secret information $A_i$ and $B_i$, but not on the real identity $ID_i$. Furthermore, since the dynamic identity $CID_i$ is different for each session when the user logs in to the system, the attacker cannot distinguish different sessions corresponding to a certain user. From the above analysis, we can see that our proposed protocol can provide the user’s anonymity.

5.6. Proper mutual authentication and session key agreement

As shown in Section 3.3, Sood et al.’s protocol cannot provide the correct mutual authentication and cannot agree on a shared session key since there is no way for the server $S_k$ and the control server CS to know the real identity of the user $U_i$, but the control server CS computes the verification messages using $U_i$’s real identity $ID_i$. In the authentication and session key agreement phase of the proposed protocol, the CS authenticates the server $S_j$ by checking $M'_i = h(h(x \| y) \| N_{i2}) \stackrel{?}{=} M_i$, and authenticates the user $U_i$ by checking $G'_i = h(B_i \| A_i \| N_{i1}) \stackrel{?}{=} G_i$. Unlike in Sood et al.’s protocol, the control server CS computes the authentication messages from $A_i$, $B_i$, which are computed from the received login request message. For the purpose of mutual authentication, the server $S_j$ authenticates the control server CS by checking $V'_i = h(h(A_i \| B_i) \| h(N_{i1} \oplus N_{i3} \oplus N_{i2})) \stackrel{?}{=} V_i$, and the user authenticates the control server CS and the server $S_j$ by checking $V'_i = h(h(A_i \| B_i) \| h(N_{i2} \oplus N_{i3} \oplus N_{i1})) \stackrel{?}{=} V_i$. At last, the user $U_i$, the server $S_j$ and the control server CS can agree on a shared session key $SK = h(h(A_i \| B_i) \| (N_{i1} \oplus N_{i2} \oplus N_{i3}))$. Therefore, the proposed protocol can provide proper mutual authentication and session key agreement.

Table 2. Performance comparisons of our protocol and other related protocols.

| Protocols | Login phase | Verification phase | Total |
|---|---|---|---|
| Proposed protocol | $7T_h$ | $21T_h$ | $28T_h$ |
| Sood et al. (2011) | $7T_h$ | $18T_h$ | $25T_h$ |
| Hsiang and Shih (2009) | $7T_h$ | $17T_h$ | $24T_h$ |
| Liao and Wang (2009) | $6T_h$ | $9T_h$ | $15T_h$ |

Table 3. Functionality comparisons of our protocol and other related protocols.

| Functionalities | Proposed protocol | Sood et al. (2011) | Hsiang and Shih (2009) | Liao and Wang (2009) |
|---|---|---|---|---|
| User’s anonymity | Yes | Yes | Yes | Yes |
| Computation cost | Low | Low | Low | Low |
| Single registration | Yes | Yes | Yes | Yes |
| No time synchronization | Yes | Yes | Yes | Yes |
| Resist replay attack | Yes | Yes | No | No |
| Resist impersonation attack | Yes | No | No | No |
| Resist leak-of-verifier attack | Yes | No | Yes | Yes |
| Resist stolen smart card attack | Yes | No | No | No |
| Correct password update | Yes | Yes | No | Yes |
| Correct mutual authentication | Yes | No | Yes | Yes |
| Correct session key agreement | Yes | No | Yes | Yes |

5.7. Performance and functionality analysis

In this section, we evaluate the performance and functionality of our proposed protocol and make comparisons with some related dynamic ID based multi-server authentication protocols. To analyze the computational complexity of the protocols, we define the notation $T_h$ as the time complexity of the hashing function. Because the exclusive-OR operation requires very few computations, its computation cost is usually considered negligible.

Table 2 shows the performance comparisons of our proposed protocol and some other related protocols. We mainly consider the computations of the login phase and the authentication and session key agreement phase, since these two phases are the principal parts of an authentication protocol and should be implemented for each session. In Table 2, it is obvious that our improved protocol has almost the same computation cost as Sood et al.’s protocol and the Hsiang–Shih protocol. However, it is worth several additional hash operations to achieve these security and functionality properties.

Table 3 lists the functionality comparisons among our proposed protocol and other related protocols. It demonstrates that our protocol has many excellent features and is more secure than other related protocols.

6. Conclusions

In this paper, we have shown that Sood et al.’s dynamic ID based multi-server architecture authentication protocol is vulnerable to the leak-of-verifier attack and the stolen smart card attack. Furthermore, it cannot provide correct mutual authentication and session key agreement since there is no way for the server $S_k$ and the control server CS to know the real identity of the user $U_i$. Then we propose an efficient protocol with user’s anonymity to remedy these weaknesses. We demonstrate that our protocol can satisfy all the essential requirements for multi-server architecture authentication. Compared with Sood et al.’s (2011) protocol and other related protocols, our proposed protocol keeps the efficiency and is more secure. Therefore, our protocol is more suitable for practical applications.

Acknowledgments

The authors are grateful to the editor and anonymous reviewers for their valuable suggestions which improved the paper. This work was supported by the Fundamental Research Funds for the Central Universities under Grant No. 2011RC0504, and the National Basic Research Program of China (973 Program) under Grant No. 2009CB320504.

References

Chang C-C, Lee J-S. An efficient and secure multi-server password authentication scheme using smart cards. In: Proceedings of the third international conference on cyberworlds November 2004; 2004. p. 417–22.

ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985;32(4):469–72.

Fan C-I, Chan Y-C, Zhang Z-K. Robust remote authentication scheme with smart cards. Computers & Security 2005;24(8):619–28.

Hsiang H-C, Shih W-K. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009;31(6):1118–23.

Hwang M-S, Chong S-K, Chen T-Y. Dos-resistant ID-based password authentication scheme using smart cards. Journal of Systems and Software 2010;83(1):163–72.

Hwang M-S, Li L-H. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 2000;46(1):28–30.

Juang W-S. Efficient multi-server password authenticated key agreement using smart cards. IEEE Transaction on Consumer Electronics 2004;50(1):251–5.

Lamport L. Password authentication with insecure communication. Communications of the ACM 1981;24(11):770–2.

Lee S-W, Kim H-S, Yoo K-Y. Efficient nonce-based remote user authentication scheme using smart cards. Applied Mathematics and Computation 2005;167(1):355–61.

Li C-T, Hwang M-S. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications 2010;33(1):1–5.

Li L-H, Lin L-C, Hwang M-S. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Networks 2001;12(6):1498–504.

Li X, Niu J-W, Ma J, Wang W-D, Liu C-L. Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. Journal of Network and Computer Applications 2011;34(1):73–9.

Liao Y-P, Wang S-S. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009;31(1):24–9.

Liu J-Y, Zhou A-M, Gao M-X. A new mutual authentication scheme based on nonce and smart cards. Computer Communications 2008;31(10):2205–9.

Song R-G. Advanced smart card based password authentication protocol. Computer Standards & Interfaces 2010;32(5-6):321–5.

Sood S-K, Sarje A-K, Singh K. A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications 2011;34(2):609–18.

Tsai J-L. Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security 2008;27(3-4):115–21.

Tsaur W-J, Wu C-C, Lee W-B. A smart card-based remote scheme for password authentication in multi-server Internet services. Computer Standards & Interfaces 2004;27(1):39–51.