Paper 2012/484

Cryptanalysis of Two Dynamic ID-based Remote User Authentication Schemes for Multi-Server Architecture

Ding Wang, Chun-guang Ma, De-li Gu, and Zhen-shan Cui

Abstract

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In NSS'10, Shao and Chin showed that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment is vulnerable to server spoofing attack and fails to preserve user anonymity, and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that, although Shao-Chin's scheme possesses many attractive features, it still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their intentions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

Metadata
Available format(s)
PS
Category
Cryptographic protocols
Publication info
Published elsewhere. It is the full version of a paper to be presented in NSS 2012.
Contact author(s)
wangdingg @ mail nankai edu cn
History
2012-10-02: last of 3 revisions
2012-08-22: received
See all versions
Short URL
https://ia.cr/2012/484
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/484,
      author = {Ding Wang and Chun-guang Ma and De-li Gu and Zhen-shan Cui},
      title = {Cryptanalysis of Two Dynamic ID-based Remote User Authentication Schemes for Multi-Server Architecture},
      howpublished = {Cryptology ePrint Archive, Paper 2012/484},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/484}},
      url = {https://eprint.iacr.org/2012/484}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.