A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients

With the widespread promotion in e-commerce, the number of service servers providing Internet applications to the users is usually more than one and hence secure authentication protocols for multi-server environment are required. On the other hand, people may obtain their service by using the mobile devices in ubiquitous computing environment. Considering the mobile devices with limited energy resources and computing capability, the design of the secure authentication scheme suitable for mobile clients is a nontrivial challenge. In 2008, Tseng et al. proposed a pairing-based user authentication scheme for mobile clients with limited computing capability. They claimed that their scheme can be well applied to the remote user authentication scheme for multi-server environment. However, Tseng et al.'s scheme cannot provide mutual authentication and session key agreement. In this paper, we will show that Tseng et al.'s scheme cannot withstand an insider attack, offline dictionary attack and malicious server attack. Hence, we present a novel pairing-based remote user authentication for multi-server environment. The proposed scheme first provides a more secure key distribution based on self-certified public keys (SCPKs) among the service servers. The proposed scheme can achieve mutual authentication and session key agreement. To withstand an offline dictionary attack due to mobile devices security breach, the proposed scheme enhances the password change phase with the help of the registration server. Security analysis shows that our scheme can withstand various possible attacks resulting from the multi-server environment. Performance analysis and function comparisons demonstrate that the proposed scheme is well suited for mobile clients. (C) 2012 Elsevier B.V. All rights reserved.