A Privacy-Preserving Dynamic ID-Based Remote User Authentication Scheme with Access Control for Multi-Server Environment

Min-Hua SHAO  Ying-Chih CHIN  

IEICE TRANSACTIONS on Information and Systems   Vol.E95-D   No.1   pp.161-168
Publication Date: 2012/01/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.E95.D.161
Print ISSN: 0916-8532
Type of Manuscript: Special Section PAPER (Special Section on Trust, Security and Privacy in Computing and Communication Systems)
Category: Privacy
Keywords: anonymity, single registration, key agreement, smart card, security

Since the number of servers providing facilities for users is usually more than one, remote user authentication schemes for multi-server architectures, rather than for a single-server setting, are considered. As far as security is concerned, privacy is the most important requirement, though some other properties are also desirable in practice. Recently, a number of dynamic ID-based user authentication schemes have been proposed. However, most of those schemes have weaknesses and/or security flaws to a greater or lesser degree. In the worst case, user privacy cannot be achieved, since malicious servers or users can mount attacks, i.e., the server spoofing attack and the impersonation attack, to learn the unique identifier of users and to masquerade as another entity. In this paper, we analyze the two latest research works and demonstrate that they cannot achieve true anonymity and have some other weaknesses. We further propose improvements to avoid those security problems. Besides user privacy, the key features of our scheme include no verification table, freely chosen passwords, mutual authentication, low computation and communication cost, single registration, session key agreement, and security against the related attacks.