Journal of Computer and Communications, 2014, 2, 196-200
Published Online March 2014 in SciRes. http://www.scirp.org/journal/jcc
http://dx.doi.org/10.4236/jcc.2014.24026
How to cite this paper: Madhusudhan, R. and Praveen, A. (2014) Weaknesses of a Dynamic ID Based Remote User Authen-
tication Protocol for Multi-Server Environment. Journal of Computer and Communications, 2, 196-200.
http://dx.doi.org/10.4236/jcc.2014.24026
Weaknesses of a Dynamic ID Based Remote
User Authentication Protocol for
Multi-Server Environment
R. Madhusudhan, Adireddi Praveen
Department of Mathematical & Computational Sciences, National Institute of Technology Karnataka, Surathkal,
India
Email: madhu_nitks@yahoo.com
Received December 2013
Abstract
Currently, smart card based remote user authentication schemes have been widely adopted due to
their low cost and convenient portability. With the purpose of using various different internet ser-
vices with single registration and to protect the users from being tracked, various dynamic ID
based multi-server authentication protocols have been proposed. Recently, Li et al. proposed an
efficient and secure dynamic ID based authentication protocol using smart cards. They claimed
that their protocol provides strong security. In this paper, we have demonstrated that Li et al.’s
protocol is vulnerable to replay attack, denial of service attack, smart card lost attack, eavesdrop-
ping attack and server spoofing attacks.
Keywords
Authentication; Smart Card; Dynamic ID; Multi-Server Environments; Password
1. Introduction
With the rapid growth of internet technologies and mobile communication services, remote user authentication
is being more and more critical in order to prevent access to illegal users. Password based authentication is one
of the simplest and the most convenient authentication mechanisms over remote access networks but it is not
secure over insecure communication channels. Hence a large number of smart card based authentication proto-
cols have been proposed to overcome the drawbacks of traditional password based protocols. These can be ca-
tegorized as static ID [1-3] and dynamic ID based protocols. To achieve users anonymity, dynamic ID based
authentication techniques [4-6] have been developed by many researchers.
In general, an efficient remote user authentication protocol should satisfy some functional and security re-
quirements [7 -11]. Based on the use of environment, authentications protocols can be divided into two catego-
ries: single-server and multi-server environments. Multi server architecture [12-15] provides the flexibility of
using single registration across various different networks.
In 2009, Liao and Wang [16] proposed a dynamic ID based authentication protocol for multi-server environ-
R. Madhusudhan, A. Praveen
197
ments. Hsiang and Shih [17] found that Liao-Wang s protocol is vulnerable to insiders attack, masquerade attack,
server spoofing attack, registration center spoofing attack. To overcome these weaknesses Hsiang and Shih pro-
posed an improved protocol. But Lee et al. [18] found that this protocol is also not secure and susceptible to
masquerade attack and server spoofing attack. To overcome the weaknesses of Hsiang and Shihs protocol, Lee
et al. proposed an improved protocol and claimed that their protocol can resist all kinds of attacks.
In 2013, Li et al. [19] found that Lee et al.’s protocol is vulnerable to forgery attack, server spoofing attack
and proposed a dynamic ID based authentication protocol for multi-server environments. They claimed that it is
secure and can resist various attacks. However, in this paper we have demonstrated that Li et al.’s protocol is
vulnerable to replay attack, denial of service attack, smart card lost attack, eavesdropping attack and server
spoofing attacks.
The rest of this paper is organized as follows. In Section 2, we have given a brief review on Li et al.’s proto-
col. Section 3 provides the cryptanalysis of Li et al.’s protocol. Finally we conclude this paper in Section 4.
2. Review of Li et al.’s Protocol
The notations used in this paper are described in Table 1.
Li et al.’s protocol contains three participants, the user Ui, the server Sj, and the registration center RC. RC
chooses the master secret key x and a secret number y to compute h(x||y) and h(SIDj||h(y)), and then shares them
with Sj via a secure channel. There are four phases in the protocol: registration phase, login phase, verification
phase, and password change phase.
2.1. Registration Phase
When the user Ui wants to access the services, the user Ui and the registration center RC need to perform the
following steps to finish the registration phase:
1) Ui freely chooses his identity IDi, the password PWi, and computes Ai = h(b PWi), where b is a random
number generated by Ui. Then Ui sends ID and Ai to the registration center RC for registration through a secure
channel.
2) Now, Registration center, RC computes Bi = h(IDi||x), Ci = h(IDi||h( y)||Ai), Di = h(Bi||h(x||y) ), Ei = Bi
h(x||y). RC stores {Ci, Di, Ei, h(.), h(y)} on the users smart card and sends it to user Ui via a secure channel.
3) User keys b into smart card and finally it contains {Ci, Di, Ei, b, h(.), h(y)}.
2.2. Login Phase
Whenever Ui wants to login Sj, he must perform the following steps to generate a login request message:
Table 1. Notations used.
Ui The ith user
IDi The identity of Ui
PWi The password of Ui
Sj The jth server
RC Registration center
SIDj Identity of Sj
CIDi dynamic ID of Ui
x master secret key maintained by registration center
y secret number generated by RC
h(.) one-way hash function
Exclusive-or operation
|| Message concatenation operation
A common channel
A secure channel
R. Madhusudhan, A. Praveen
198
1) Ui inserts his smart card into the card reader and inputs IDi and PWi. Then the smart card computes Ai =
h(b PWi), Ci* = h(IDi||h(y)||A i), and checks whether the computed Ci* is equal to Ci. If they are equal, Ui
proceed the following steps. Otherwise the smart card aborts the session.
2) The smart card generates a random number Ni and computes Pij = Ei h(h(SID j||h(y)) ||Ni), CI Di = Ai
h(Di||SID j||Ni), M1 = h(Pij||CI Di||Di||Ni) and M2 = h(SIDj||h(y)) Ni.
3) Ui submits {Pij, CIDi, M1, M2} to Sj as a login request message.
2.3. Verification Phase
After Sj receiving the login message {Pij, CIDi, M1, M2}, Sj and Ui perform the following steps for mutual au-
thentication and session key agreement.
1) Sj computes Ni = M2 h(SIDj||h(y)), Ei = Pij h(h(SIDj||h(y))||Ni), Bi = Ei h(x||y), Di = h(Bi||h(x||y))
and Ai = CIDi h(Di||SI Dj||N i) by using {Pij, CIDi, M1, M2}, h(SIDj||h(y)) and h(x||y).
2) Sj computes h(PijCIDiDiNi) and checks whether it is equal to M1. If they are not equal, Sj rejects the
login request and terminates this session. Otherwise, Sj accepts the login request message. Then Sj generates a
nonce Nj and computes M3 = h (Di||A i||Nj||SIDj), M4 = Ai Ni Nj. Finally, Sj sends the message {M3, M4}
to Ui.
3) After receiving the response message {M3, M4} sent from Sj, Ui computes Nj = Ai Ni M4, h(Di||Ai||
Nj||SIDj) and checks this with the received message M3. If they are equal, Ui successfully authenticates Sj. Then,
the user Ui computes the mutual authentication message M5 = h(Di||Ai||Ni||SI Dj) and sends {M5} to the server Sj.
4) Upon receiving the message {M5}, Sj computes h(Di||Ai||Ni||SIDj) and checks it with the received message
{M5}. If they are equal, Sj authenticates Ui. User Ui and the server Sj compute SK = h(Di||Ai||Ni||Nj||SI Dj), which
is taken as their session key for further communication.
2.4. Password Change Phase
This phase is invoked whenever Ui wants to change his password PWi to a new password PWnew. There is no
need for a secure channel for password change and it can be finished without communicating with the registra-
tion center RC.
1) Ui inserts smart card into the card reader and inputs IDi and PWi.
2) The smart card computes Ai = h(b PWi), Ci* = h(IDi||h (y)||A i), and checks whether the computed Ci* is
equal to Ci. If they are not equal, the smart card rejects the password change request. Otherwise, the user Ui in-
puts a new password PWnew and a new random number bnew.
3) The smart card computes Ainew = h(bnew PWnew) and Cinew = h(IDi||h(y) ||Ainew).
4) Finally, the smart card replaces Ci with Cinew to finish the password change phase.
3. Cryptanalysis of Li et al.’s Protocol
In this section, we demonstrate that Li et al.’s protocol is vulnerable to replay attack, denial of service attack,
smart card lost attack, eavesdropping attack and server spoofing attacks.
3.1. Vulnerable to Replay Attack
Assume that a malicious attacker can eavesdrop the communication channel and intercepts the message {Pij,
CIDi, M1, M2}.Now if he resends this message, server S does not verify the freshness of nonce, Ni and computes
Ni = h(SIDj||h(y)) M2, Ei = Pij h(h(SIDj||h(y) ||N i), Bi = Ei h(x||y), Di = h(Bi||h(x||y)) and h(Pij||CIDi||Di||Ni)
and compares with M1. The condition satisfies and S accepts the login request.
Now, S computes M3 = h(Di||Ai| |Nj||SID j), M4 = Ai Ni Nj and sends {M3, M4} to Ui. Here the attacker
cannot find Nj but he is successful in wasting servers valuable computing resources. A large number of replay
attacks launched at the same time can also form denial-of-service attack.
3.2. Vulnerable to Denial-of-Service Attack
n active attacker who is also a valid user knowing h(y) can fabricate the message M2 using different nonce, say
NA and sends the fabricated message {Pij, CIDi, M1, M2} to server, Sj where M2 = h(SIDj||h(y)) NA. After
R. Madhusudhan, A. Praveen
199
performing the steps mentioned in 2.3.1, server Sj rejects the login request of Ui, who is a legitimate user, as
h(Pij||CIDi||Di||Ni) does not equal to the received M1. Hence, denial-of-service attack is possible.
3.3. Vulnerable to Smart Card Lost Attack and Password Guessing Attack
Assume that the users smart card has been lost or stolen. The attacker can extract the information Ci,Di,Ei, h (.) ,
h(y), b from the smart card [20,21]. By previously intercepted message, attacker can find Ni, Ei using the fol-
lowing calculations.
Ni = M2 h(SIDj||h(y)),
Ei = Pij h(h(SIDj||h(y))||N i)
Now, Ai = CIDi h(Di||SIDj||Ni).
Using offline dictionary attack, attacker can find the ID, password PW of Ui by performing following opera-
tions:
1) Compare Ci with h(IDguess||h(y)||Ai). Whenever it equals, IDguess is IDi of the user Ui.
2) Compare Ai with h(b PWguess).Whenever it equals, PWguess is the original PW of Ui.
As the ID and Password are known, attacker can use the smart card impersonating the original user.
3.4. Vulnerable to Eavesdropping Attack
Assume that attacker found the smart card details. He can intercept the message {Pij, CIDi, M1, M2}. He can find
Ni = h (SIDj||h(y)) M2 and Ai = IDi h(Di||SIDj||N i), intercepts the message {M3, M4} from server and
computes Nj = Ai Ni M4. Now he acquires the session key, SK = h(Di||Ai||Ni||N j||SI Dj). Hence, the entire
communication is compromised using this passive attack as the attacker has known the session key.
3.5. Vulnerable to Server Spoofing Attack
If we assume the attacker, A broke into a server or acquired a malicious server, then attacker have h(x||y) and
h(SID j||h(y)). Attacker, A can masquerade as server, Sj to spoof user, Ui.
After intercepting the login request message {Pij, CIDi, M1, M2}, A can compute Ni = h (SID j||h(y) M2, Ei
= Pij h(h(SIDj||h(y))||Ni), Bi = Ei h(x||y), Di = h(Bi||h(x||y)), Ai = CIDi h(Di||SIDj||Ni). A can choose a
nonce, NA and compute M3 = h(Di||Ai||NA||SIDj), M4 = Ai Ni NA. A then sends the message {M3, M4} to
user Ui masquerading as server Sj. Ui computes NA = Ai Ni M4, and compares M3 with h(Di||Ai||NA|| SIDj).
Then Ui computes mutual authentication message M5 = h(Di||Ai||Ni||SIDj) and sends to attacker, A who is mas-
querading as Sj. Then A verifies M5 and mutual authentication is done. Finally attacker, A and User, Ui com-
putes the session key, SK = h(Di||Ai||Ni||NA||SID j).
4. Conclusion
In this paper, we have shown that Li et al.’s dynamic ID based authentication protocol cannot resist many at-
tacks and is vulnerable to replay attack, denial of service attack, smart card lost attack, eavesdropping attack and
server spoofing attacks. We strongly feel that a remote user authentication protocol should provide security
against the above mentioned attacks so that it can be used in the real world applications.
References
[1] Hsiang, H. and Shih, W. (2009) Weaknesses and IMPROVEMENTs of the Yoon-Ry u-Yoo Remote User Authentica-
tion Scheme Using Smart Cards. Computer Communications, 32, 649-652.
http://dx.doi.org/10.1016/j.comcom.2008.11.019
[2] Yoon, E.J., Ryu, E.K. and Yoo, K.Y. (2004) Further Improvement of An Efficient Password Based Remote User Au-
thentication Scheme Using Smart Cards. IEEE Transactions on Consumer Electronics, 50, 612-614.
http://dx.doi.org/10.1109/TCE.2004.1309437
[3] Wang, X., Z hang , W., Zhang, J. and Khan, M.K. (2007) Cryptanalysis and Improvement on Two Efficient Remote Us-
er Authentication Scheme Using Smart Cards. Computer Standards and Interfaces, 29, 507-512.
http://dx.doi.org/10.1016/j.csi.2006.11.005
[4] Lee, C.C ., Lai, Y.M. and Li, C.T. (2012) An Improved Secure Dynamic ID Based Remote User Authentication
R. Madhusudhan, A. Praveen
200
Scheme for Multi-Server Environment. International Journal of Security and Its Applications, 6, 203-209.
[5] Sood, S.K., Sarje, A.K. and Singh , K. (2011) A Secure Dynamic Identity Based Authentication Protocol for Multi-
Server Architecture. Journal of Network and Computer Applications, 34, 609-618.
http://dx.doi.org/10.1016/j.jnca.2010.11.011
[6] Guo, D.L. and Wen, F.T. (2013) A More Secure Dynamic ID Based Remote User Authentication Scheme for Multi-
Server Environment. Journal of Computational Information Systems, 9, 407-414.
[7] Madhusudhan, R. and Mittal, R.C. (2012) Dynamic ID-Based Remote User Password Authentication Schemes Using
Smart Cards: A Review. Journal of Network and Computer Applications, 35, 1235-1248.
http://dx.doi.org/10.1016/j.jnca.2012.01.007
[8] Chena, T.-H., Hsia n g, H.-C. and Shih, W.-K. (2011) Security Enhancement on an Improvement on Two Remote User
Authentication Schemes Using Smart Cards. Future Generation Computer Systems, 27, 377-380.
http://dx.doi.org/10.1016/j.future.2010.08.007
[9] Fan, C.I ., Cha n, Y.C. and Zhang, Z.K. (2005) Robust Remote Authentication Scheme with Smart Cards. Computers &
Security, 24, 619-628. http://dx.doi.org/10.1016/j.cose.2005.03.006
[10] Lin, I.C., Hwang, M.S. and Li, L.H. (2003) A New Remote User Authentication Scheme for Multi-Server Architecture.
Future Generation Computer Systems, 19, 13-22. http://dx.doi.org/10.1016/S0167-739X(02)00093-6
[11] Liao, I.E., Lee, C.C. and Hwang, M. S. (2006) A Password Authentication Scheme over Insecure Networks. Journal of
Computer and System Sciences, 72, 727-740. http://dx.doi.org/10.1016/j.jcss.2005.10.001
[12] Li, X., Xiong, Y.P., Ma, J. and Wang, W.D. (2012) An Efficient and Security Dynamic Identity Based Authentication
Protocol for Multi-Server Architecture Using Smart Cards. Journal of Network and Computer Applications, 35, 763-
769. http://dx.doi.org/10.1016/j.jnca.2011.11.009
[13] Chang, C.C. and Lee, J. S. (2004) An Efficient and Secure Multi-Server Password Authentication Protocol Using Smart
Cards. Proceedings of the Third International Conference on Cyberworlds, November, 417-422.
[14] Tsaur, W.J., Wu, C.C. and Lee, W.B. (2004) A Smart Card-Based Remote Scheme for Password Authentication in
Multi-Server Internet Services. Computer Standards & Interfaces, 27, 39-51.
http://dx.doi.org/10.1016/j.csi.2004.03.004
[15] Tsai, J.L. (2008) Efficient Multi-Server Authentication Scheme Based on One-Way Hash Function Without Verifica-
tion Table. Computers & Security, 27, 115-121. http://dx.doi.org/10.1016/j.cose.2008.04.001
[16] Liao, Y.P. and Wang, S.S. (2009) A Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server
Environment. Computer Standards & Interfaces, 31, 24-29. http://dx.doi.org/10.1016/j.csi.2007.10.007
[17] Hsiang, H.C. and Shih, W.K. (2009) Improvement of the Secure Dynamic ID Based Remote User Authentication
Scheme for Multi-Server Environment. Computer Standards & Interfaces, 31, 1118-1123.
http://dx.doi.org/10.1016/j.csi.2008.11.002
[18] Lee, C.C., Lin, T.H. and Chang, R.X. (2011) A Secure Dynamic ID Based Remote User Authentication Scheme for
Multi-Server Environment Using Smart Cards. Expert Systems with Applications, 38, 13863-13870.
[19] Li, X., Ma, J., Wang, W.D., Xiong, Y.P. and Zhang, J.S. (2013) A Novel Smart Card and Dynamic ID Based Remote
User Authentication Scheme for Multi-Server Environments. Mathematical and Computer Modelling, 58, 85-95.
http://dx.doi.org/10.1016/j.mcm.2012.06.033
[20] Kocher, P., Jaffe, J. and Jun, B. (1666) Differential Power Analysis, Advances in Cryptology. Proceedings of CRYPTO’99,
LNCS, 1999, 388-397
[21] Messaerges, T.S., Dabbish, E.A. and Sloan, R.H. (2002) Examining Smart Card Security under the Threat of Power
Analysis Attacks. IEEE Transactions on Computers, 51, 541-552. http://dx.doi.org/10.1109/TC.2002.1004593