A secure dynamic identity based authentication protocol for multi-server architecture

Most of the password based authentication protocols rely on single authentication server for the user's authentication. User's verification information stored on the single server is a main point of susceptibility and remains an attractive target for the attacker. In 2009, Hsiang and Shih improved Liao and Wang's dynamic identity based smart card authentication protocol for multi-server environment. However, we found that Hsiang and Shih's protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang and Shih's protocol is incorrect. This paper presents a secure dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned security flaws, while keeping the merits of Hsiang and Shih's protocol. It uses two-server paradigm in which different levels of trust are assigned to the servers and the user's verifier information is distributed between these two servers known as the service provider server and the control server. The service provider server is more exposed to the clients than the control server. The back-end control server is not directly accessible to the clients and thus it is less likely to be attacked. The user's smart card uses stored information in it and random nonce value to generate dynamic identity. The proposed protocol is practical and computationally efficient because only nonce, one-way hash functions and XOR operations are used in its implementation. It provides a secure method to change the user's password without the server's help. In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required. (C) 2010 Elsevier Ltd. All rights reserved.