Dynamic Identity Based Authentication Protocol for Two-server Architecture

Most password-based authentication protocols use a single authentication server for user authentication. The user's verifier information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. On the other hand, multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. In 2009, Liao and Wang proposed a dynamic identity based remote user authentication protocol for multi-server environment. However, we found that Liao and Wang's protocol is susceptible to malicious server attack and malicious user attack. This paper presents a novel dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned flaws, while keeping the merits of Liao and Wang's protocol. It uses the two-server paradigm by imposing different levels of trust upon the two servers, and the user's verifier information is distributed between these two servers, known as the service provider server and the control server. The proposed protocol is practical and computationally efficient because only nonce, one-way hash function and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required.


Introduction
Most of the existing password authentication protocols are based on the single-server model, in which the server stores the user's password verifier information in its database. Password verifier information stored on the single server is mainly susceptible to stolen verifier attack. The concept of the multi-server model removes this common point of susceptibility. The proposed protocol uses a multi-server model consisting of two servers at the server side that work together to authenticate the users. Different levels of trust are assigned to the servers, and the service provider server is more exposed to the clients than the control server. The back-end control server is not directly accessible to the clients and thus it is less likely to be attacked. The two-server model provides the flexibility to distribute user passwords and the authentication functionality into two servers to eliminate the main point of vulnerability of the single-server model. Therefore, the two-server model appears to be a genuine choice for practical applications.
In a single server environment, the issue of remote login authentication with smart cards has already been solved by a variety of schemes. These conventional single-server password authentication protocols cannot be directly applied to multi-server environment because each user needs to remember different sets of identities and passwords. Different protocols have been suggested to access the resources of multi-server environment. A secure and efficient remote user authentication protocol for multi-server environment should provide mutual authentication, key agreement, secure password update, low computation requirements and resistance to different feasible attacks.
A number of static identity based remote user authentication protocols have been proposed to improve security, efficiency and cost. The user may change his password but cannot change his identity in password authentication protocols. During communication, the static identity leaks out partial information about the user's authentication messages to the attacker. Most of the password authentication protocols for multi-server environment are based on static identity and the attacker can use this information to trace and identify the different requests belonging to the same user. On the other hand, the dynamic identity based authentication protocols provide two-factor authentication based on the identity and password and hence are more suitable to e-commerce applications. The aim of this paper is to provide a dynamic identity based secure and computationally efficient authentication protocol with user's anonymity for multi-server environment using smart cards. It protects the user's identity in insecure communication channel and hence can be applied directly to e-economic applications.
This paper is organized as follows. In Section 2, we explore the literature on existing authentication protocols for multi-server environment. Section 3 reviews the dynamic identity based remote user authentication protocol for multi-server environment proposed by Liao and Wang. Section 4 describes the susceptibility of Liao and Wang's protocol to malicious server attack and malicious user attack. In Section 5, we present dynamic identity based authentication protocol for multi-server architecture using smart cards. Section 6 discusses the security analysis of the proposed protocol. The comparison of the cost and functionality of the proposed protocol with other related protocols is shown in Section 7. Section 8 concludes the paper.

Related Work
A number of smart card based remote user authentication protocols have been proposed due to the convenience and secure computation provided by the smart cards. However, most of these protocols do not protect the user's identities in authentication process. User's anonymity is an important issue in many e-commerce applications.
In 2000, Ford and Kaliski [1] proposed the first multi-server password based authentication protocol that splits a password among multiple servers. This protocol generates a strong secret using password based on the communications exchanges with two or more independent servers. The attacker cannot compute the strong secret unless all the servers are compromised. This protocol is highly computation intensive due to the use of public keys by the servers. Moreover, the user requires a prior secure authentication channel with the server. Therefore in 2001, Jablon [2] improved this protocol and proposed multi-server password authentication protocol in which the servers do not use public keys and the user does not require prior secure communication channels with the servers.
In 2003, Lin et al. [3] proposed a multi-server authentication protocol based on the ElGamal digital signature scheme that uses simple geometric properties of the Euclidean and discrete logarithm problem concept. The server does not require keeping any verification table but the use of public keys makes this protocol computation intensive. In 2004, Juang [4] proposed a smart card based multi-server authentication protocol using symmetric encryption algorithm without maintaining any verification table on the server. In 2004, Chang and Lee [5] improved Juang's protocol and proposed a smart card based multi-server authentication protocol using symmetric encryption algorithm without any verification table. Their protocol is more efficient than the multi-server authentication protocol of Juang [4]. In 2007, Hu et al. [6] proposed an efficient password authentication key agreement protocol for multi-server architecture in which user can access multiple servers using smart card and one weak password. The client and the server authenticate each other and agree on a common secret session key. The proposed protocol is more efficient and more user friendly than that of Chang and Lee [5] protocol.
In 2006, Yang et al. [7] proposed a password based user authentication and key exchange protocol using two-server architecture in which only a front-end server communicates directly with the users and a control server does not interact with the users directly. The concept of distributing the password verification information and authentication functionality into two servers requires additional efforts from an attacker to compromise two servers to launch successful offline dictionary attack. In 2008, Tsai [8] proposed a multi-server authentication protocol using smart cards based on the nonce and one-way hash function that does not require storing any verification table on the server and the registration center. The proposed authentication protocol is efficient as compared to other such related protocols because it does not use any symmetric and asymmetric encryption algorithm for its implementation. In 2009, Liao and Wang [9] proposed a dynamic identity based remote user authentication protocol using smart cards to achieve user's anonymity. This protocol uses only hash function to implement a strong authentication for the multi-server environment. It provides a secure method to update the user's password without the help of trusted third party. In their paper, they claimed that suggested protocol can resist various known attacks. However, we show in Section 4 that their protocol is insecure in the presence of an active attacker. In 2009, Hsiang and Shih [10] also found that Liao and Wang's protocol is susceptible to insider attack, masquerade attack, server spoofing attack, registration center spoofing attack and is not reparable. Furthermore, it fails to provide mutual authentication. To remedy these flaws, Hsiang and Shih proposed an improvement over Liao and Wang's protocol. In 2010, Sood et al. [11] found that Hsiang and Shih's protocol is also flawed for replay attack, impersonation attack and stolen smart card attack.

Review of Liao and Wang's Protocol
In this section, we describe the dynamic identity based remote user authentication protocol for multi-server environment proposed by Liao and Wang [9]. The notations used in this section are listed in Table 1 and the protocol is shown in Figure 1.

Registration Phase
The user $U_i$ has to submit his identity $ID_i$ and password $P_i$ to registration center RC so that he can access the resources of the service provider server $S_J$. The RC computes Then RC issues the smart card with secret parameters ($V_i$, $B_i$, $D_i$, $H(\cdot)$, $y$) to the user $U_i$ through a secure communication channel.

$D_i = H(T_i)$

Login Phase
The user $U_i$ submits his identity , password and the server identity $SID_J$ to smart card in order to login on to the service provider server S The smart card computes and then verifies the equality of calculated value of with the stored value of $D_i$ in its memory. If both values of $D_i$ match, the legitimacy of the user is assured and smart card proceeds to the next step. Otherwise the login request from the user $U_i$ is rejected. Then smart card generates nonce value $N_i$ and computes Afterwards, smart card sends the login request message ($CID_i$, $P_{iJ}$, $Q_i$, $N_i$) to the server $S_J$.

Mutual Verification and Session Key Agreement Phase
The server $S_J$ computes , and then compares the computed value of i with the received value of $Q_i$. If they are not equal, the server $S_J$ rejects the login request and terminates this session. Otherwise, the server $S_J$ generates nonce value $N_J$ and computes and sends the message ($M_{iJ1}$, $N_J$) back to smart card of the user $U_i$. On receiving the message ($M_{iJ1}$, $N_J$), the user and compares the computed value of $M_{iJ1}^*$ with the received value of $M_{iJ1}$. This equivalency authenticates the legitimacy of the service provider server $S_J$ else the connection is interrupted. Then the user $U_i$'s smart card computes and sends $M_{iJ2}$ back to the service provider server $S_J$. On receiving the message $M_{iJ2}$, the service provider server $S_J$ computes and compares the computed value of $M_{iJ2}^*$ with the received value of $M_{iJ2}$. This equivalency assures the legitimacy of the user $U_i$. After finishing mutual authentication, the user $U_i$ and the service provider server S computes as the session key.

Cryptanalysis of Liao and Wang's Protocol
Liao and Wang [9] claimed that their protocol provides identity privacy and can resist various known attacks.However, we found that this protocol is flawed for malicious server attack and malicious user attack.

Malicious Server Attack
The malicious legitimate server $S_J$ can compute the value of $T_i$, $H(P_i)$ and $B_i$ corresponding to the user $U_i$ during mutual verification and session key agreement phase. This malicious server $S_J$ also knows $H(\cdot)$ function, $y$ and $H(x)$ because Liao and Wang mentioned that $y$ is the shared key among the users, the servers and the registration center and $H(x)$ is used by the legitimate server $S_J$ to compute . The malicious server $S_J$ can record i , $N_i$ during login request message from the user $U_i$ and computes corresponding to the user $U_i$. Afterwards, the malicious server $S_J$ sends the login request message ($CID_i$, $P_{ik}$, $Q_i$, $N_i$) to the service provider server $S_k$ by masquerading as the user $U_i$. The service provider server $S_k$ authenticates the received messages by calculating $Q_i^*$ from the received messages and checks its equivalency with the received value of $Q_i$. After that, the server $S_k$ generates a nonce value $N_k$ and computes and sends the message ($M_{ik1}$, $N_k$) back to the malicious server $S_J$ who is masquerading as the user $U_i$. On receiving the message ($M_{ik1}$, $N_k$), the malicious server $S_J$ computes and sends $M_{ik2}$ back to the service provider server $S_k$. On receiving the message and compares it with the received value of $M_{ik2}$. This equivalency assures the legitimacy of the user $U_i$. After the completion of mutual authentication phase, the malicious server masquerading as the user $U_i$ and the service provider $S_k$ computes SK H B N N y SID as the session key.

Malicious User Attack
The malicious privileged user $U_m$ can extract information like $y$ and from his own smart card. He can also intercept the login request message ($CID_i$, $P_{iJ}$, $Q_i$, $N_i$) of the user $U_i$ to the service provider $S_J$. This malicious user $U_m$ can compute . Now this malicious user $U_m$ can choose random nonce value $N_m$ and computes and masquerade as the legitimate user $U_i$ by sending the login request message ($CID_i$, $P_{iJ}$, $Q_i$, $N_m$) to the service provider server $S_J$. The service provider server $S_J$ computes and compares the equality of calculated value of $Q_i^*$ with the received value of $Q_i$ to verify the legitimacy of the user $U_i$. Afterwards, the server $S_J$ generates nonce value $N_J$, computes M 1 H B N y SID and sends the message ($M_{iJ1}$, $N_J$) back to the malicious user $U_m$ who is masquerading as the user $U_i$. On receiving the message ($M_{iJ1}$, $N_J$), the malicious user $U_m$ computes M 2 H B N y SID and sends $M_{iJ2}$ back to the service provider server $S_J$. On receiving the message $M_{iJ2}$, the service provider server $S_J$ computes M 2 H B N y SID and compares the computed value of $M_{iJ2}^*$ with the received value of $M_{iJ2}$ to verify the legitimacy of the user $U_i$. After finishing mutual authentication phase, the malicious user $U_m$ masquerading as the user $U_i$ and the service provider server $S_J$ computes SK H B N N y SID as the session key.

Proposed Protocol
In this section, we propose a dynamic identity based authentication protocol for multi-server architecture using smart cards that is free from all the attacks considered above. The notations used in this section are listed in Table 2 and the protocol is summarized in Figure 2.

Registration Phase
The user $U_i$ has to submit his identity $ID_i$ and password $P_i$ to the control server CS for its registration over a secure communication channel.
Step 1: $U_i$ → CS: $ID_i$, $P_i$
The control server CS computes the security parameters x , where $x$ is the secret key of the CS and $y_i$ is the random value chosen by the CS for the user $U_i$. The server CS chooses the value of $y_i$ corresponding to the user $U_i$ in such a way so that the value of $C_i$ must be unique for each user. The server CS stores CS and CS agrees on a unique secret key $SK_k$ with each service provider server $S_k$. The server $S_k$ remembers the secret key $SK_k$ and CS stores the secret key $SK_k$ as k SK H x SID k corresponding to service provider server identity $SID_k$ in its service provider server's database.
Step 3: CS → $S_k$: $ID_i$, $H(y_i)$
The CS sends $ID_i$ and $H(y_i)$ corresponding to newly registered user $U_i$ to all service provider servers. Each service provider server stores $ID_i$ and $H(y_i)$ in its database.

Login Phase
The user $U_i$ inserts his smart card into a card reader and submits his identity , password and the server identity $SID_k$ to smart card in order to login on to the service provider server $S_k$. Then smart card computes and compares the computed value of $Z_i^*$ with the stored value of $Z_i$ in its memory to verify the legitimacy of the user $U_i$.
Step 1: Smart card checks $Z_i^* \stackrel{?}{=} Z_i$
After verification, smart card generates random nonce value $N_1$ and computes Then smart card sends the login request message ($SID_k$, $CID_i$, $M_i$, $E_i$) to the service provider server $S_k$.
Step 2: Smart card → $S_k$: $SID_k$, $CID_i$, $M_i$, $E_i$

Authentication and Session Key Agreement Phase
After receiving the login request from the user $U_i$, the server $S_k$ generates random nonce value $N_2$, computes G i = N 2 SK k and sends the login request message ($SID_k$, $CID_i$, $M_i$, $E_i$, $G_i$) to the control server CS. Step and finds the matching value of $C_i$ corresponding to $C_i^*$ from its client database.
Step 2: Server CS checks $C_i^* \stackrel{?}{=} C_i$
If the value of $C_i^*$ does not match with any value of $C_i$ in its client database, the CS rejects the login request and terminates this session. Otherwise, the CS extracts $y_i$ from y i x corresponding to $C_i^*$ from its client database.
Then the CS computes and compares $E_i^*$ with the received value of $E_i$ to verify the legitimacy of the user $U_i$ and the service provider server $S_k$.
Step 3: Server CS checks $E_i^* \stackrel{?}{=} E_i$
If they are not equal, the CS rejects the login request and terminates this session. Otherwise, the CS extracts $SK_k$ from k k corresponding to $SID_k$ in its service provider server's database. Then the CS generates random nonce value $N_3$, computes and sends the message ($A_i$, $D_i$, $F_i$, $T_i$) back to the service provider server $S_k$. The server $S_k$ computes Then the server $S_k$ extracts $H(y_i)$ corresponding to $ID_i$ from its database. Afterwards, the server $S_k$ computes and compares $F_i^*$ with the received value of $F_i$ to verify the legitimacy of the control server CS.
Step 4: Server $S_k$ checks $F_i^* \stackrel{?}{=} F_i$
Then the server $S_k$ sends ($F_i$, $T_i$) to smart card of the user $U_i$. Then smart card computes and compares the computed value of $F_i^*$ with the received value of $F_i$.
Step 5: Smart card checks $F_i^* \stackrel{?}{=} F_i$
This equivalency authenticates the legitimacy of the control server CS, the server $S_k$ and the login request is accepted else the connection is interrupted. Finally, the user $U_i$'s smart card, the server $S_k$ and the control server CS agree on the common session key as

Password Change Phase
The user $U_i$ can change his password without the help of control server CS. The user $U_i$ inserts his smart card into a card reader and enters his identity and compares the computed value of $Z_i^*$ with the stored value of $Z_i$ in its memory to verify the legitimacy of the user $U_i$. Once the authenticity of card holder is verified, the smart card asks the card holder to resubmit a new password $P_i^{new}$. Finally, the value of

Security Analysis
Smart card is a memory card that uses an embedded micro-processor from smart card reader machine to perform required operations specified in the protocol. Kocher et al. [12] and Messerges et al. [13] pointed out that all existing smart cards cannot prevent the information stored in them from being extracted, for example by monitoring their power consumption. Some other reverse engineering techniques are also available for extracting information from smart cards. That means once a smart card is stolen by the attacker, he can extract the information stored in it.
A good password authentication scheme should provide protection from different possible attacks relevant to that protocol.

1) Malicious server attack:
A malicious privileged server $S_k$ can monitor the authentication process of the user $U_i$ and can gather information related to the user $U_i$. The malicious server $S_k$ can gather information during login phase corresponding to the legitimate user $U_i$. This malicious server $S_k$ cannot compute $ID_i$, $y_i$ and $x$ from this information. This malicious server $S_k$ can compute the identity $ID_i$ from $D_i$ and can extract $H(y_i)$ corresponding to $ID_i$ from its database corresponding to the user $U_i$ during authentication and session key agreement phase. To masquerade as the legitimate user $U_i$, this malicious server $S_k$ who knows the identity $ID_i$ has to guess $y_i$ and $H(x)$ correctly at the same time. It is not possible to guess two parameters correctly at the same time in real polynomial time. In another option, this malicious server $S_k$ has to get smart card of the user $U_i$ and has to guess the correct password $P_i$ in order to login on to the server $S_m$. It is not possible to guess the password $P_i$ correctly in real polynomial time even after getting the smart card of legitimate user $U_i$ and after knowing the identity $ID_i$ of the user $U_i$. Therefore, the proposed protocol is secure against malicious server attack.

2) Malicious user attack:
A malicious privileged user $U_i$ having his own smart card can gather information like from the memory of smart card. The malicious user $U_i$ can compute the value of $H(x)$ from this information. The value of $CID_m$, $M_m$ and $E_m$ is smart card specific and the malicious user $U_i$ requires to know the values of $H(x)$, $y_m$ and $ID_m$ to masquerade as the legitimate user $U_m$. Therefore, this malicious user $U_i$ has to guess $y_m$ and $ID_m$ correctly at the same time. It is not possible to guess two parameters correctly at the same time in real polynomial time. Therefore, the proposed protocol is secure against malicious user attack.

3) Stolen smart card attack:
In case a user $U_i$'s smart card is stolen by an attacker, he can extract the information stored in the smart card. An attacker can extract from the memory of smart card. Even after gathering this information, an attacker has to guess minimum two parameters out of $ID_i$, $H(x)$, $y_i$ and $P_i$ correctly at the same time. It is not possible to guess two parameters correctly at the same time in real polynomial time. Therefore, the proposed protocol is secure against stolen smart card attack.

4) Identity protection:
Our approach provides identity protection in the sense that instead of sending the real identity $ID_i$ of the user $U_i$ in authentication, the pseudo identification 1 is generated by smart card corresponding to the legitimate user $U_i$ for its authentication to the service provider server $S_k$ and the control server CS. There is no real identity information about the user during the login and authentication & session key agreement phase. This approach provides the privacy and unlinkability among different login requests belonging to the same user. The attacker cannot link different sessions belonging to the same user.

5) Offline dictionary attack:
In offline dictionary attack, the attacker can record messages and attempts to guess user's identity $ID_i$ and password $P_i$ from recorded messages. An attacker first tries to obtain identity and password verification information such as and then tries to guess the identity $ID_i$ and password $P_i$ by offline guessing. Here an attacker has to guess the identity $ID_i$ and password $P_i$ correctly at the same time. It is not possible to guess two parameters correctly at the same time in real polynomial time. Therefore, the proposed protocol is secure against offline dictionary attack.

6) Replay attack:
In this type of attack, the attacker first listens to communication between the user and the server and then tries to imitate the user to login on to the server by resending the captured messages transmitted between the user and the server. Replaying a message of one session into another session is useless because the user's smart card, the server $S_k$ and the control server CS choose different nonce values ($N_1$, $N_2$, $N_3$) in each new session, which make all messages dynamic and valid for that session only. Therefore, replaying old dynamic identity and user's verifier information is useless. Moreover, the attacker cannot compute the session key because the user $U_i$'s smart card, the server $S_k$ and the control server CS contribute different nonce values ($N_1$, $N_2$, $N_3$) in each new session and the attacker does not know the value of $ID_i$, $N_1$, $N_2$, $N_3$ and $H(y_i)$. Therefore, the proposed protocol is secure against replay attack.

7) Mutual authentication:
The goal of mutual authentication is to establish an agreed session key among the user $U_i$, the service provider server $S_k$ and the control server CS. All three parties contribute their random nonce values as $N_1$, $N_2$ and $N_3$ for the derivation of session key . The control server CS authenticates the user $U_i$ using verifier information as , the service provider server $S_k$ authenticates the server CS using and the user $U_i$ authenticates the server $S_k$ and the server CS using
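
The freshness argument of items 6) and 7), as an added example that is not the paper's own message set (its equations are not reproduced in this text): a simplified Python model in which $S_k$ and CS are collapsed into one verifier and the dynamic-identity masking is left out. All message formats, hash labels, class names and the session-key composition are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # 128-bit nonces, the size assumed in the cost analysis


def H(*fields: bytes) -> bytes:
    """One-way hash over length-prefixed fields, so concatenation is unambiguous."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def session_key(uid: bytes, hy: bytes, n1: bytes, n23: bytes) -> bytes:
    # Assumed composition: identity, all three nonces and the verifier H(y_i).
    return H(b"SK", uid, xor(n1, n23), hy)


class Card:
    """User side: holds ID_i and H(y_i), contributes N1."""

    def __init__(self, uid: bytes, y: bytes):
        self.uid, self.hy = uid, H(b"verifier", y)

    def login(self, sid: bytes):
        n1 = secrets.token_bytes(NONCE_LEN)
        return n1, H(b"E", self.hy, n1, sid)  # hypothetical login request (N1, E)

    def finish(self, sid: bytes, n1: bytes, masked: bytes, f: bytes):
        n23 = xor(masked, H(b"mask", self.hy, n1)[:NONCE_LEN])
        if not hmac.compare_digest(f, H(b"F", self.hy, n1, n23, sid)):
            return None  # reply is not bound to this session's N1
        return session_key(self.uid, self.hy, n1, n23)


class Servers:
    """S_k and CS collapsed into one verifier that contributes N2 and N3."""

    def __init__(self, sid: bytes, verifiers: dict):
        self.sid, self.verifiers = sid, verifiers  # ID_i -> H(y_i)

    def handle(self, uid: bytes, n1: bytes, e: bytes):
        hy = self.verifiers.get(uid)
        if hy is None or not hmac.compare_digest(e, H(b"E", hy, n1, self.sid)):
            return None
        n23 = xor(secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN))
        masked = xor(n23, H(b"mask", hy, n1)[:NONCE_LEN])
        return masked, H(b"F", hy, n1, n23, self.sid), session_key(uid, hy, n1, n23)


def run_demo() -> dict:
    card = Card(b"user-i", secrets.token_bytes(16))  # constructed identity and y_i
    srv = Servers(b"SID-k", {card.uid: card.hy})

    # Session A: honest run, both sides derive the same key.
    n1_a, e_a = card.login(srv.sid)
    masked_a, f_a, key_srv_a = srv.handle(card.uid, n1_a, e_a)
    key_card_a = card.finish(srv.sid, n1_a, masked_a, f_a)

    # The recorded login request of session A is resent: fresh N2 and N3 give a
    # different key, which cannot be derived without H(y_i).
    _, _, key_srv_replay = srv.handle(card.uid, n1_a, e_a)

    # The recorded server reply of session A is resent to the card in session B.
    n1_b, _ = card.login(srv.sid)
    stale = card.finish(srv.sid, n1_b, masked_a, f_a)

    return {
        "honest_keys_match": key_card_a == key_srv_a,
        "replayed_request_reuses_key": key_srv_replay == key_srv_a,
        "stale_reply_accepted": stale is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The length-prefixed `H` matters in practice: with plain concatenation, two different field lists can hash to the same value, which would weaken every equality check in a hash-and-XOR protocol of this kind.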

Cost and Functionality Analysis
An efficient authentication protocol must take communication and computation cost into consideration during user's authentication. The cost comparison of the proposed protocol with the relevant smart card based authentication protocols is summarized in Table 3. Assume that the identity $ID_i$, password $P_i$, $x$, $y_i$, nonce values ($N_1$, $N_2$, $N_3$) are all 128 bit long and prime modular operation is 1024 bits long as in most of practical implementations. Moreover, we assume that the output of secure one-way hash function and the block size of secure symmetric cryptosystem are 128 bits. Let $T_H$, $T_{SYM}$ and $T_{EXP}$ be defined as the time complexity for hash function, symmetric encryption/decryption and exponential operation respectively. Typically, time complexity associated with these operations can be roughly expressed as T EXP T SYM > T H. In the proposed protocol, the parameters stored in the smart card are $Z_i$, $V_i$, $B_i$ and the memory needed (E1) in the smart card is ) bits. The communication cost of authentication (E2) includes the number of communication parameters involved in the authentication protocol. The number of communication parameters is {$SID_k$, $CID_i$, $M_i$, $E_i$, $G_i$, $A_i$, $D_i$, $F_i$, $T_i$} and hence the communication cost of authentication (E2) is bits. The computation cost of registration (E3) is the total time of all operations executed by the user $U_i$ in the registration phase. The computation cost of registration (E3) is $4T_H$. The computation cost of the user (E4) is the time spent by the user during the process of authentication. Therefore, the computation cost of the user (E4) is $8T_H$. The computation cost of the service provider server and the control server (E5) is the time spent by the service provider server and the control server during the process of authentication. Therefore, the computation cost of the service provider server and the control server (E5) is $12T_H$.
The proposed protocol uses the control server CS and the service provider server $S_k$ for the user's authentication, which is why the computation cost of the servers (E5) is high as compared to Liao and Wang protocol [9]. On the other hand, the protocol proposed by Liao and Wang in 2009 totally relies on the service provider server $S_k$ for the user's authentication and hence is susceptible to malicious server attack and malicious user attack. The proposed protocol maintains the user's anonymity by generating dynamic identity and is free from different attacks. The proposed protocol requires very little computation as compared to other related protocols and is also highly secure as compared to these related protocols. The functionality comparison of the proposed protocol with the relevant smart card based authentication protocols is summarized in Table 4.

Conclusion
We presented a cryptanalysis of a recently proposed Liao and Wang's protocol and showed that their protocol is susceptible to malicious server attack and malicious user attack. An improved protocol is proposed that inherits the merits of Liao and Wang's protocol and resists different possible attacks. We have specified and analyzed a dynamic identity based authentication protocol for multi-server architecture using smart cards which is very effective to thwart different attacks. The proposed protocol helps the service provider servers and the control server to recognize the users completely by computing their static identity and at the same time keeps the identity of the user dynamic in communication channel. The proposed protocol is practical and efficient because only one-way hash function and XOR operations are used in its implementation. Security analysis proved that the proposed protocol is more secure and practical.

Figure 1. Liao and Wang's dynamic identity based on multi-server authentication protocol.

Figure 2. Dynamic identity based multi-server authentication protocol.

J: Unique Identification of Server $S_J$
$CID_i$: Dynamic Identity of User $U_i$
$H(\cdot)$: One-Way Hash Function
$x$: Master Secret of Registration Center
$y$: Shared Secret Key of Registration Center & All Servers
⊕: XOR Operation
|: Concatenation

Table 3. Cost comparison among related smart card based authentication protocols.
t: Number of servers; T: Time complexity of a modular exponential communication in $Z_n^*$; |n| = 1024 bits.