Paper 2012/484
Cryptanalysis of Two Dynamic ID-based Remote User Authentication Schemes for Multi-Server Architecture
Ding Wang, Chun-guang Ma, De-li Gu, and Zhen-shan Cui
Abstract
Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In NSS'10, Shao and Chin showed that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment is vulnerable to server spoofing attack and fails to preserve user anonymity, and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that, although Shao-Chin's scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their intentions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.
Metadata
- Available format(s)
- PS
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. It is the full version of a paper to be presented in NSS 2012.
- Contact author(s)
- wangdingg @ mail nankai edu cn
- History
- 2012-10-02: last of 3 revisions
- 2012-08-22: received
- See all versions
- Short URL
- https://ia.cr/2012/484
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2012/484, author = {Ding Wang and Chun-guang Ma and De-li Gu and Zhen-shan Cui}, title = {Cryptanalysis of Two Dynamic {ID}-based Remote User Authentication Schemes for Multi-Server Architecture}, howpublished = {Cryptology {ePrint} Archive, Paper 2012/484}, year = {2012}, url = {https://eprint.iacr.org/2012/484} }