Public-key cryptography and password protocols
ACM Transactions on Information and System Security (TISSEC)
Examining Smart-Card Security under the Threat of Power Analysis Attacks
IEEE Transactions on Computers
Privacy Protection for Transactions of Digital Goods
ICICS '01 Proceedings of the Third International Conference on Information and Communications Security
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
A secure dynamic ID based remote user authentication scheme for multi-server environment
Computer Standards & Interfaces
Computer Standards & Interfaces
A Novel Approach to Dynamic ID-Based Remote User Authentication Scheme for Multi-server Environment
NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
A secure dynamic identity based authentication protocol for multi-server architecture
Journal of Network and Computer Applications
Cryptanalysis of Hsiang-Shih's authentication scheme for multi-server architecture
International Journal of Communication Systems
Journal of Network and Computer Applications
Cryptanalysis and improvement of sood et al.'s dynamic ID-Based authentication scheme
ICDCIT'12 Proceedings of the 8th international conference on Distributed Computing and Internet Technology
Side-channel analysis of cryptographic RFIDs with analog demodulation
RFIDSec'11 Proceedings of the 7th international conference on RFID Security and Privacy
Mobile Privacy in Wireless Networks-Revisited
IEEE Transactions on Wireless Communications
Robust smart-cards-based user authentication scheme with user anonymity
Security and Communication Networks
Secure password-based remote user authentication scheme with non-tamper resistant smart cards
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy
Journal of Medical Systems
| Hi-index | 0.00 |
In NSS'10, Shao and Chin pointed out that Hsiang and Shih's dynamic ID-based remote user authentication scheme for multi-server environment has several security flaws and further proposed an improved version which is claimed to be efficient and secure. In this study, however, we will demonstrate that Shao-Chin's scheme still cannot achieve the claimed security goals, and we report its following flaws: (1) It cannot withstand offline password guessing attack under their non-tamper resistance assumption of the smart card; (2) It fails to provide user anonymity; (3) It is prone to user impersonation attack. More recently, Li et al. found that Sood et al.'s dynamic ID-based authentication protocol for multi-server architecture is still vulnerable to several kinds of attacks and presented a new scheme that attempts to overcome the identified weaknesses. Notwithstanding their ambitions, Li et al.'s scheme is still found vulnerable to various known attacks by researchers. In this study, we perform a further cryptanalysis and uncover its two other vulnerabilities: (1) It cannot achieve user anonymity, which is the essential goal of a dynamic ID-based scheme; (2) It is susceptible to offline password guessing attack. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.