www.ietdl.org
Published in IET Information Security
Received on 25th June 2012
Revised on 1st March 2013
Accepted on 30th June 2013
doi: 10.1049/iet-ifs.2012.0206
ISSN 1751-8709
IET Inf. Secur., 2014, Vol. 8, Iss. 2, pp. 104-113
© The Institution of Engineering and Technology 2014

Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards

Jenq-Shiou Leu, Wen-Bin Hsieh
Department of Electronic and Computer Engineering, National Taiwan University of Science and Technology, Taipei, Taiwan
E-mail: jsleu@mail.ntust.edu.tw

Abstract: In a distributed environment, a fundamental concern is the authentication of local and remote users over insecure communication networks. In particular, legitimate users are more powerful attackers than outsiders, since they possess internal system information that is not available to an intruder. Many remote user authentication schemes for distributed systems have therefore been proposed. These schemes claimed to resist various attacks, but were later found to have weaknesses. Lee et al. proposed a secure dynamic ID-based remote user authentication scheme for the multi-server environment using smart cards and claimed that their scheme could protect against masquerade attacks, server spoofing attack, registration server spoofing attack and insider attack. In this study, the authors show that Lee et al.'s scheme is still vulnerable to password guessing attack, server spoofing attack and masquerade attack. To obtain a viable authentication scheme for distributed systems, we remedy the flaws of Lee et al.'s scheme and propose an efficient improvement over it. Furthermore, we compare the proposed scheme with related ones to show that the computation cost, security and efficiency of the proposed scheme are well suited to practical applications in a distributed system.

1 Introduction

With the popularity of the internet and wireless networks, more and more network architectures are used in distributed systems, in which users can remotely access services through open networks. Since the resources provided in a distributed system are limited, it is important to develop cryptographic mechanisms that correctly authenticate legitimate users. That is, if a user wants to access the services provided by the servers in a distributed network, he/she has to be authenticated by the servers first. The issue of remote user authentication for the single-server environment has already been addressed by various schemes. In 1981, the first remote password-based authentication scheme for secure communication over an open channel was proposed by Lamport [1]. In 2000, Hwang and Li [2] found Lamport's scheme vulnerable to the risk of interpolation attack, since the server has to store verifiers of the users' passwords. Thus, based on ElGamal's [3] public key cryptosystem, Hwang and Li proposed an improved remote user authentication scheme using smart cards. Since then, in order to lessen the communication and computation costs and eliminate the security issues, a large number of smart card-based authentication schemes for the single-server architecture have been proposed [4-13]. In 2008, Juang et al. [14] proposed a password-authenticated key agreement scheme using smart cards, which enjoys many interesting properties and functionalities, such as anonymity (identity protection), low computation and communication cost, no password table, no time-synchronisation problem and so on. Nevertheless, Sun et al. [15] pointed out the weaknesses of Juang et al.'s scheme, which include the inability to perform a password-changing operation, a session-key problem and the inefficiency of double secret keys. Thus, Sun et al. and Li et al. [16] proposed improvements of Juang et al.'s scheme in 2009 and 2010, respectively.

However, it is difficult and bothersome for a user to remember numerous identities and passwords when using a single-server authentication scheme to log in to and access different remote servers. Therefore Lee and Chang [17] proposed a user identification and key distribution scheme based on the difficulty of factorisation and on hashing functions, which suits the multi-server environment. The user only needs to register at the registration server once and can then access all the authorised services in the remote servers. After that, many studies devoted to authentication in multi-server environments have been proposed [18-25]. In 2001, Li et al.'s [19] remote user authentication scheme based on neural networks was found to spend too much time and cost, since users need a large memory to store the public parameters for authentication. In 2003, Lin et al. proposed a new remote user authentication scheme utilising the simple geometric properties of the Euclidean plane [20]. Later, Juang [24] showed that Lin et al.'s scheme is inefficient and proposed a new efficient multi-server user authentication and key agreement scheme based on hashing functions and a symmetric key cryptosystem. However, Juang's scheme was pointed out to suffer from online guessing attack and offline password guessing attack, and is not repairable. Chang et al. [25] proposed a novel remote user authentication scheme to remedy these weaknesses. In Chang et al.'s scheme, the registration server distributes the secret key x to each registered server via a secure channel. Nevertheless, their scheme is still vulnerable to insider attack, spoofing attack and registration server spoofing attack. In 2008, Tsai [26] used nonces and a one-way hashing function to propose an efficient multi-server authentication scheme without a verification table. Owing to its low computation costs, Tsai's scheme is very suitable for distributed networks.
The foregoing schemes are based on a static ID, which might be intercepted by an adversary from the public network and used to trace the legal user. In 2009, Liao and Wang [27] first proposed a dynamic ID-based remote user authentication scheme for the multi-server environment. However, Hsiang and Shih [28] found that Liao et al.'s scheme is vulnerable to insider attack, masquerade attack, server spoofing attack, registration server spoofing attack and is not repairable. Moreover, Liao et al.'s scheme cannot provide mutual authentication. Therefore Hsiang et al. proposed an improved scheme to solve these problems. In 2011, Lee et al. [29] pointed out that Hsiang et al.'s scheme is still vulnerable to a masquerade attack, server spoofing attack and is not easily repairable. Furthermore, Hsiang et al.'s scheme cannot provide mutual authentication. Thus, Lee et al. proposed a secure dynamic ID-based remote user authentication scheme for the multi-server environment using smart cards to solve the weaknesses of Hsiang et al.'s scheme. However, through careful analysis, we find that Lee et al.'s scheme is still susceptible to masquerade attack, server spoofing attack and password guessing attack.

Table 1 Notations used in this paper

Ui      ith user
Sj      jth service providing server
RC      the server which is responsible for processing users' registrations
IDi     user Ui's identity
PWi     user Ui's password
y       a secret number
x       the master secret key
b       a random number chosen by the user Ui for authentication
CIDi    the dynamic identity of the user Ui
SK      a session key shared among the user, the service providing server and the control server
⇒       a secure channel
→       a common channel
⊕       exclusive-OR operation
||      message concatenation operation
To develop a viable scheme for distributed systems, we propose in this paper an improved scheme that tackles the problems of Lee et al.'s scheme, namely its vulnerability to masquerade attack, server spoofing attack and password guessing attack. Moreover, after surveying the related studies, we compare the proposed scheme with related ones. The improved scheme is well suited to a practical environment.
The rest of the paper is organised as follows. In Section 2, a brief review of Lee et al.'s scheme is presented. The security flaws of Lee et al.'s scheme are shown in Section 3. Our improved scheme is proposed in Section 4. Section 5 presents the security analysis of the proposed scheme and Section 6 depicts the performance comparison between the proposed scheme and other related ones. The conclusion is given in Section 7.

2 Review of Lee et al.'s scheme

The notations used in this paper are listed in Table 1. In this section, we review Lee et al.'s dynamic identity-based authentication scheme for the multi-server environment. In their scheme, there are three main participants: the user (Ui), the service providing server (Sj) and the register server (RC). The RC is assumed to be a trusted party. The RC chooses the master key x and the secret number y to compute h(x||y) and h(y). Then, the RC shares h(x||y) and h(y) with Sj through a secure channel. There are four phases in their scheme: the registration phase, the login phase, the verification phase and the password change phase. The registration phase of Lee et al.'s scheme is presented in Fig. 1; the login phase and the verification phase are illustrated in Fig. 2; the password change phase is shown in Fig. 3.
2.1 Registration phase

Step R1: Ui ⇒ RC: The user Ui first chooses his/her identity IDi, password PWi and a random number b and then computes h(b ⊕ PWi). Next, Ui submits IDi and h(b ⊕ PWi) to the register server RC for registration through a secure communication channel.
Step R2: RC computes
    Ti = h(IDi || x)
    Vi = Ti ⊕ h(IDi || h(b ⊕ PWi))
    Bi = h(h(b ⊕ PWi) || h(x || y))
    Hi = h(Ti)
Step R3: RC ⇒ Ui: The register server RC stores (Vi, Bi, Hi, h(·), h(y)) into Ui's smart card and submits the smart card to Ui via a secure channel.
Step R4: On receiving the smart card, the user Ui enters b into the smart card. At last, the smart card contains (Vi, Bi, Hi, h(·), h(y), b).

Fig. 1 Registration phase of Lee et al.'s scheme
Fig. 2 Login phase and verification phase of Lee et al.'s scheme
Fig. 3 Password change phase of Lee et al.'s scheme

2.2 Login phase

When the user Ui wants to log into the server Sj, the user Ui inserts his smart card into a card reader and enters his identity IDi and password PWi.
Step L1: The smart card computes
    Ti = Vi ⊕ h(IDi || h(b ⊕ PWi))
    Hi' = h(Ti)
and checks whether Hi' = Hi. If they are equal, Ui is the legal user.
Step L2: The smart card generates a random number Ni and computes
    Ai = h(Ti || h(y) || Ni)
    Pij = Ti ⊕ h(h(y) || Ni || SIDj)
    CIDi = h(b ⊕ PWi) ⊕ h(Ti || Ai || Ni)
    Qi = h(Bi || Ai || Ni)
Step L3: Ui → Sj: (Qi, Ni, Pij, CIDi)
2.3 Verification phase

Step V1: Upon receiving the login request (Qi, Ni, Pij and CIDi), Sj computes Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtains Ai by computing h(Ti||h(y)||Ni). Next, Sj computes h(b ⊕ PWi) = CIDi ⊕ h(Ti||Ai||Ni) and Bi = h(h(b ⊕ PWi)||h(x||y)).
Step V2: Sj computes h(Bi||Ai||Ni) and compares it with Qi. If they are not equal, Sj rejects the login request and terminates this session. Otherwise, Sj accepts the login request and generates a nonce Nj to compute Mij = h(Bi||Ni||Ai||SIDj). Finally, Sj → Ui: Mij, Nj.
Step V3: After receiving the message (Mij, Nj), the smart card computes Mij' = h(Bi||Ni||Ai||SIDj) and compares it with the received message Mij. If they are not equal, Ui rejects these messages and finishes this session. Otherwise, Sj is authenticated successfully and Ui computes Mij'' = h(Bi||Nj||Ai||SIDj). Next, Ui sends the message Mij'' back to Sj.
Step V4: Upon receiving this message Mij'', Sj computes h(Bi||Nj||Ai||SIDj) and checks it against the received message Mij''. If they are equal, Sj authenticates Ui successfully. After finishing the verification phase, Ui and Sj agree on a session key SK = h(Bi||Ni||Nj||Ai||SIDj) for securing subsequent communications.
2.4 Password change phase

Step P1: Ui inserts his/her smart card into a card reader and enters his/her identity IDi and password PWi. The smart card computes
    Ti = Vi ⊕ h(IDi || h(b ⊕ PWi))
    Hi' = h(Ti)
and checks whether Hi' = Hi. If they are equal, Ui is asked to input a new password PWnew and a new random number bnew. Then, the smart card computes h(bnew ⊕ PWnew) and Vnew = Ti ⊕ h(IDi || h(bnew ⊕ PWnew)). Finally, Ui sends IDi and h(bnew ⊕ PWnew) to RC over the secure channel.
Step P2: After receiving IDi and h(bnew ⊕ PWnew), the RC computes
    Bnew = h(h(bnew ⊕ PWnew) || h(x || y))
and sends Bnew back to Ui.
Step P3: Finally, the smart card replaces Vi and Bi with Vnew and Bnew.

3 Cryptanalysis of Lee et al.'s scheme

In this section, we show that Lee et al.'s scheme is vulnerable to offline password guessing attack, server spoofing attack and masquerade attack. To evaluate the security of a smart card-based user authentication scheme, an attacker is generally assumed to have the following capabilities:
(1) The communication channel between the user and the remote server is totally under the control of the adversary. That is, the attacker may intercept, insert, delete or modify any message in the channel.
(2) The adversary may either (i) obtain a user's password or (ii) extract the secrets of the smart card, but cannot achieve both (i) and (ii).
For capability (2)(ii), it has been shown, by monitoring the power consumption [30] or by analysing the leaked information [31], that extracting the secrets stored in smart cards is rather quick and easy. Some smart card manufacturers have taken the risk of these attacks into account and provide protection against reverse engineering attempts; however, these smart cards are more costly. Thus, we focus on the case in which the attacker has capabilities (1) and (2)(ii). To strictly assess the security of the authentication scheme, we also assume that the legitimate user already knows the server's identity SIDj.
In Lee et al.'s scheme, a malicious legitimate user Uk who steals the user Ui's smart card and extracts (Vi, Bi, Hi and b) from it can perform the following attacks.

3.1 Masquerade attack

A malicious legitimate user Uk can obtain the information (h(·), h(y)) from his own smart card. Now, the malicious user Uk can utilise the user Ui's valid login request (CIDi, Pij, Qi and Ni), previously intercepted from the common channel. Uk first computes Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti. Next, Uk obtains Ai by computing h(Ti||h(y)||Ni). Uk subsequently computes CIDi ⊕ h(Ti||Ai||Ni) to obtain h(b ⊕ PWi). Now that Uk has Ti, h(y) and h(b ⊕ PWi), together with Bi extracted from Ui's smart card, he/she can masquerade as the user Ui by carrying out the following steps.
Step 1: Uk first generates a nonce Nk to compute Ai' = h(Ti||h(y)||Nk).
Step 2: Then, Uk uses Ai' to compute CIDi' = h(b ⊕ PWi) ⊕ h(Ti||Ai'||Nk), Pij' = Ti ⊕ h(h(y)||Nk||SIDj) and Qi' = h(Bi||Ai'||Nk).
Step 3: Finally, Uk sends CIDi', Pij', Qi' and Nk to the server Sj.
Since the Ti, Bi and h(b ⊕ PWi) used by Uk are equal to Ui's, the login request will definitely pass the server's verification. Therefore Uk successfully masquerades as the user Ui.
3.2 Offline password guessing attack

In the process of the masquerade attack, a malicious legitimate user Uk obtains Ti and h(b ⊕ PWi) by computing Pij ⊕ h(h(y)||Ni||SIDj) and CIDi ⊕ h(Ti||Ai||Ni). Uk has also stolen the user Ui's smart card and extracted the stored information (Vi, Bi, Hi, b). Firstly, Uk guesses a candidate PWi* to compute h(b ⊕ PWi*) and compares it with h(b ⊕ PWi). If they are equal, Uk has obtained the correct password PWi. Secondly, Uk chooses a candidate IDi* from an identity dictionary to compute Vi* = Ti ⊕ h(IDi*||h(b ⊕ PWi)). Then, Uk compares Vi* with Vi. If they are the same, Uk has successfully guessed the user Ui's identity IDi. Now that Uk has Ui's identity and password, he/she can use the smart card stolen from Ui to log into the server. Both guesses are verified offline, so the dictionary search is limited only by the attacker's own computation.
3.3 Server spoofing attack

If a malicious legitimate user Uk extracts Bi from Ui's smart card without Ui's awareness, Uk can launch a server spoofing attack as follows:
Step 1: Uk intercepts Ui's login request (CIDi, Pij, Qi and Ni).
Step 2: Uk obtains Ti by computing Pij ⊕ h(h(y)||Ni||SIDj), where h(y) and SIDj are already known to Uk.
Step 3: Uk computes h(Ti||h(y)||Ni) to obtain Ai.
Step 4: Now that Uk has Ai, Bi and Ni, he/she can compute Mij = h(Bi||Ni||Ai||SIDj). Then, Uk generates a nonce Nk and sends Nk and Mij to Ui.
Since the Mij' computed by Ui is definitely equal to the Mij sent by Uk, the session key SK = h(Bi||Ni||Nk||Ai||SIDj) will be shared by Ui and Uk. Thus, Uk successfully launches the server spoofing attack to defraud Ui of his/her information.
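The following Python model, added here as an illustration and not the authors' code, implements the phases of Lee et al.'s scheme as reviewed in Section 2 and then runs the three attacks of Sections 3.1-3.3 against it. It assumes that h() is SHA-256, that every protocol value is a 32-byte string, that identities, passwords and SIDj are mapped to 32-byte blocks with a helper enc() so that they can be XORed with b, and the Section 3 attacker model (Uk holds h(y) from his own card and SIDj, the values (Vi, Bi, Hi, b) from Ui's stolen card, and one intercepted login request). The identity and password dictionaries in demo() are constructed for the demonstration.

```python
"""Model of Lee et al.'s scheme (Section 2) and the attacks of Section 3.
Added example, not the authors' code.  Assumptions: h() is SHA-256, every
value is a 32-byte string, enc() maps strings to 32-byte blocks."""
import hashlib
import os

def h(*parts):                       # h(a||b||...): SHA-256 over the concatenation
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):                       # bytewise XOR of two 32-byte strings
    return bytes(p ^ q for p, q in zip(a, b))

def enc(s):                          # string -> 32-byte block (modelling assumption)
    return hashlib.sha256(s.encode()).digest()

class RC:
    """Registration server: x and y stay here; h(x||y), h(y) go to every Sj."""
    def __init__(self):
        self.x, self.y = os.urandom(32), os.urandom(32)
        self.hxy, self.hy = h(self.x, self.y), h(self.y)

    def register(self, ID, hbpw):    # Step R2: card contents (Vi, Bi, Hi, h(y))
        Ti = h(enc(ID), self.x)
        return {"V": xor(Ti, h(enc(ID), hbpw)), "B": h(hbpw, self.hxy),
                "H": h(Ti), "hy": self.hy}

def make_card(rc, ID, PW):           # Steps R1, R3, R4
    b = os.urandom(32)
    card = rc.register(ID, h(xor(b, enc(PW))))
    card["b"] = b
    return card

def login(card, ID, PW, SID):        # Steps L1-L3
    hbpw = h(xor(card["b"], enc(PW)))
    Ti = xor(card["V"], h(enc(ID), hbpw))
    if h(Ti) != card["H"]:
        raise ValueError("wrong identity or password")
    Ni = os.urandom(32)
    Ai = h(Ti, card["hy"], Ni)
    req = (xor(hbpw, h(Ti, Ai, Ni)),           # CIDi
           xor(Ti, h(card["hy"], Ni, enc(SID))),  # Pij
           h(card["B"], Ai, Ni), Ni)           # Qi, Ni
    return req, (card["B"], Ai, Ni)            # state kept by the card

def recover(hy, SID, req):           # Step V1; anyone holding h(y) can do this
    CID, Pij, _, Ni = req
    Ti = xor(Pij, h(hy, Ni, enc(SID)))
    Ai = h(Ti, hy, Ni)
    return Ti, Ai, xor(CID, h(Ti, Ai, Ni))     # Ti, Ai, h(b xor PWi)

def server_verify(hy, hxy, SID, req):          # Steps V1-V2
    Ti, Ai, hbpw = recover(hy, SID, req)
    Bi, Ni = h(hbpw, hxy), req[3]
    if h(Bi, Ai, Ni) != req[2]:
        return None
    Nj = os.urandom(32)
    return (h(Bi, Ni, Ai, enc(SID)), Nj), h(Bi, Ni, Nj, Ai, enc(SID))

def user_verify(state, SID, msg):              # Step V3
    Bi, Ai, Ni = state
    Mij, Nj = msg
    if Mij != h(Bi, Ni, Ai, enc(SID)):
        return None
    return h(Bi, Nj, Ai, enc(SID)), h(Bi, Ni, Nj, Ai, enc(SID))

def masquerade(hy, SID, req, Bi):              # Section 3.1, Bi from the stolen card
    Ti, _, hbpw = recover(hy, SID, req)
    Nk = os.urandom(32)
    Ak = h(Ti, hy, Nk)
    return (xor(hbpw, h(Ti, Ak, Nk)), xor(Ti, h(hy, Nk, enc(SID))),
            h(Bi, Ak, Nk), Nk)

def guess_pw_and_id(hy, SID, req, card, pw_dict, id_dict):   # Section 3.2
    Ti, _, hbpw = recover(hy, SID, req)
    pw = next((p for p in pw_dict if h(xor(card["b"], enc(p))) == hbpw), None)
    if pw is None:
        return None
    ID = next((i for i in id_dict if xor(Ti, h(enc(i), hbpw)) == card["V"]), None)
    return ID, pw

def spoof_server(hy, SID, req, Bi):            # Section 3.3
    _, Ai, _ = recover(hy, SID, req)
    return h(Bi, req[3], Ai, enc(SID)), os.urandom(32)

def demo():
    rc, SID = RC(), "S1"
    card = make_card(rc, "alice", "s3cret")
    req, state = login(card, "alice", "s3cret", SID)
    reply, sk_server = server_verify(rc.hy, rc.hxy, SID, req)
    _, sk_user = user_verify(state, SID, reply)
    uk_hy = make_card(rc, "mallory", "pw")["hy"]   # Uk's own card gives h(y)
    forged = masquerade(uk_hy, SID, req, card["B"])
    masq = server_verify(rc.hy, rc.hxy, SID, forged) is not None
    found = guess_pw_and_id(uk_hy, SID, req, card, ["123456", "s3cret"], ["bob", "alice"])
    spoof = user_verify(state, SID, spoof_server(uk_hy, SID, req, card["B"])) is not None
    return sk_server == sk_user, masq, found, spoof
```

demo() returns whether an honest run agrees on SK, whether the forged request of Section 3.1 is accepted by the server, the (IDi, PWi) pair recovered by the Section 3.2 search, and whether Ui accepts the spoofed reply of Section 3.3. The common root cause is visible in recover(): h(y) is the same on every card, so any registered user unwraps Ti, Ai and h(b ⊕ PWi) from a captured request, and the only value tying the request to RC's secret, Bi, is a static card field rather than something derived from IDi or PWi at login time.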

4 Proposed scheme

In this section, we propose an improved, efficient and secure scheme that avoids the security vulnerabilities of Lee et al.'s scheme. As before, there are three entities in our scheme, that is, the user (Ui), the service providing server (Sj) and the register server (RC). The RC chooses the master secret key x and the secret number y to compute h(x||y) and h(y), and then shares them with Sj through a secure channel. The master secret key x and the secret number y are known to RC only. The proposed scheme has four phases: the registration phase, the login phase, the verification phase and the password change phase. The registration phase of our protocol is presented in Fig. 4; Fig. 5 illustrates the detailed steps of the login phase and the verification phase. Finally, the password change phase is shown in Fig. 6.
4.1 Registration phase

When the user Ui wants to access the services, he/she has to submit his/her identity IDi and password PWi to the RC. The steps of the registration phase are as follows:
Step R1: Ui ⇒ RC: IDi, h(b ⊕ PWi). The user Ui freely chooses his/her identity IDi, password PWi and a random number b, which is used to protect PWi. Then, Ui computes Ai = h(b ⊕ PWi) and submits IDi and Ai to the registration server RC for registration through a secure channel.
Step R2: On receiving the registration message (IDi, Ai), RC chooses a random number Ri for the user Ui and computes
    Ti = h(Ri || x)
    Zi = Ri ⊕ IDi ⊕ h(b ⊕ PWi)        // h(b ⊕ PWi) = Ai
    Vi = Ti ⊕ h(IDi || h(b ⊕ PWi))
    Bi = h(b ⊕ PWi ⊕ IDi) ⊕ h(h(b ⊕ PWi ⊕ Ri) || h(x || y))
    Hi = h(Ti)
We use Ri to represent the user instead of using IDi directly, so an adversary cannot identify what Ri is. Moreover, since Ri is a random number, it is more difficult to guess Ri than a logical identity IDi. (Note that the terms h(b ⊕ PWi ⊕ IDi) and h(b ⊕ PWi ⊕ Ri) in Bi take b ⊕ PWi as input, whereas Step R1 delivers only h(b ⊕ PWi) to RC; an implementation therefore has to give RC the value b ⊕ PWi over the secure channel, or Bi cannot be formed as written.)
Step R3: RC ⇒ Ui: RC issues a smart card to Ui, and the card contains (Zi, Vi, Bi, Hi, h(·) and h(y)).
Step R4: Then, Ui enters b into his/her smart card, so that the smart card contains (Zi, Vi, Bi, Hi, b, h(·) and h(y)).

4.2 Login phase

When the user Ui wants to log into the server Sj, the user inserts his/her smart card into the card reader and then inputs his/her identity IDi, password PWi and the server's identity SIDj.
Step L1: The smart card computes
    Ri = Zi ⊕ IDi ⊕ h(b ⊕ PWi)
    Ti = Vi ⊕ h(IDi || h(b ⊕ PWi))
    Hi' = h(Ti)
and checks whether Hi' = Hi. If they are equal, the smart card proceeds to the next step. Otherwise, the smart card terminates this session.
Step L2: The smart card generates a random number Ni and computes
    Oi = h(b ⊕ PWi ⊕ IDi) ⊕ Bi = h(h(b ⊕ PWi ⊕ Ri) || h(x || y))
    Ai = h(Ti || h(y) || Ni)
    CIDi = h(b ⊕ PWi ⊕ Ri) ⊕ h(Ti || Ai || Ni)
    Pij = Ti ⊕ h(h(y) || Ni || SIDj)
    Qi = h(Oi || Ai || Ni)
Step L3: Ui → Sj: CIDi, Pij, Qi and Ni

Fig. 4 Registration phase of the proposed scheme
Fig. 5 Login phase and verification phase of the proposed scheme
Fig. 6 Password change phase of the proposed scheme
4.3 Verification phase

After receiving the login request sent from Ui, Sj performs the following tasks to authenticate the user's login request. The steps of the verification phase are as follows:
Step V1: Upon receiving the login request (CIDi, Pij, Qi and Ni), Sj computes Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtains Ai by computing h(Ti||h(y)||Ni). Next, Sj computes h(b ⊕ PWi ⊕ Ri) = CIDi ⊕ h(Ti||Ai||Ni) and Oi = h(h(b ⊕ PWi ⊕ Ri)||h(x||y)).
Step V2: Sj computes h(Oi||Ai||Ni) and compares it with Qi. If they are not equal, Sj rejects the login request and terminates this session. Otherwise, Sj accepts the login request and generates a nonce Nj to compute Mij = h(Oi||Ni||Ai||SIDj). Finally, Sj → Ui: Mij, Nj.
Step V3: After receiving the message (Mij, Nj), Ui computes Mij' = h(Oi||Ni||Ai||SIDj) and compares it with the received message Mij. If they are not equal, Ui rejects these messages and terminates this session. Otherwise, Ui authenticates Sj successfully and computes Mij'' = h(Oi||Nj||Ai||SIDj). Next, Ui sends the message Mij'' back to Sj.
Step V4: Upon receiving this message Mij'', Sj computes h(Oi||Nj||Ai||SIDj) and checks it against the received message Mij''. If they are equal, Sj authenticates Ui successfully. After finishing the verification phase, Ui and Sj agree on a session key SK = h(Oi||Ni||Nj||Ai||SIDj) for securing subsequent communications.

4.4 Password change phase

In this phase, Ui can change his/her password whenever he/she wants. The steps of the password change phase are as follows:
Step P1: Ui inserts his/her smart card into the card reader and inputs IDi and PWi.
Step P2: The smart card computes Vi ⊕ h(IDi||h(b ⊕ PWi)) to obtain Ti. Next, it computes Hi' = h(Ti) and compares Hi' with Hi. If they are the same, the smart card first computes Ri = Zi ⊕ IDi ⊕ h(b ⊕ PWi). Then, Ui chooses a new password PWnew and a new random number bnew, and the smart card computes h(bnew ⊕ PWnew ⊕ Ri), Znew = Ri ⊕ IDi ⊕ h(bnew ⊕ PWnew) and Vnew = Ti ⊕ h(IDi||h(bnew ⊕ PWnew)). Finally, Ui sends IDi and h(bnew ⊕ PWnew ⊕ Ri) to RC over the secure channel.
Step P3: RC computes
    Bnew = h(h(bnew ⊕ PWnew ⊕ Ri) || h(x || y))
and sends Bnew back to Ui.
Step P4: Finally, the smart card replaces Zi, Vi and Bi with Znew, Vnew and Bnew. (For the login phase to keep working, the value stored as Bnew must have the same form as Bi from the registration phase, i.e. the card must mask the value returned by RC with h(bnew ⊕ PWnew ⊕ IDi) before storing it, so that Oi = h(bnew ⊕ PWnew ⊕ IDi) ⊕ Bnew in Step L2 still equals h(h(bnew ⊕ PWnew ⊕ Ri)||h(x||y)).)

5 Security analysis and discussion

In this section, we first use BAN logic to show that the proposed scheme guarantees that the user and the server can authenticate each other and share a trusted session key. Then, we describe the security properties of the proposed dynamic identity-based multi-server authentication scheme. Finally, we present the comparison of our scheme with some related schemes in Table 2. To evaluate the security of our scheme, the attacker is assumed to be able to launch various attacks on the improved scheme. The security features and the various attacks that the attacker might carry out are described as follows:
5.1 Authentication proof based on BAN logic

BAN logic [32, 33] is a set of rules meant to define and analyse information exchange protocols; it describes the beliefs of the trustworthy parties involved in the communication and the deduction of these beliefs as a result of the communication. In [34], a wide variety of methods have been suggested for analysing cryptographic protocols; one of them is the highly influential BAN logic. Schneier [35] indicated that BAN logic is one of the most popular and widely used logics for analysing authentication protocols, and it has successfully found defects in several protocols, including Needham-Schroeder and an early draft of a CCITT X.509 protocol [36]. Besides, it has disclosed redundancies in many protocols such as Yahalom, Needham-Schroeder and Kerberos. Many published papers use BAN logic to prove the security of their protocol [37-39]. Therefore, based on the capability of BAN logic, we adopt it to prove that the improved protocol provides mutual authentication and generates a trusted session key.

Table 2 Comparison of the proposed scheme with related schemes

Functionality                     Sood et al.   Hsiang and Shih   Liao and Wang   Lee et al.   Proposed scheme
users' anonymity                  yes           yes               yes             yes          yes
computation cost                  high          medium            low             low          low
single registration               yes           yes               yes             yes          yes
no time synchronisation           yes           yes               yes             yes          yes
resist replay attack              yes           no                no              yes          yes
resist impersonation attack       no            no                no              no           yes
resist leak-of-verifier attack    no            yes               yes             yes          yes
resist server spoofing attack     yes           no                no              no           yes
resist password guessing attack   yes           yes               no              no           yes
correct password update           yes           no                yes             yes          yes
correct mutual authentication     no            yes               yes             yes          yes
correct session key agreement     no            yes               yes             yes          yes

To describe the logic, let the symbols P and Q be principals, let X and Y range over statements and let K represent a cryptographic key. According to BAN logic, the following constructs are used to show the usage of and relationships between principals, keys and statements:
P |≡ X: P believes that X is true.
#(X): The formula X is fresh. That is, X has never been sent before the present round.
P ⇒ X: P has jurisdiction over X. That is, P is an authority on X and is to be trusted on X.
P ◁ X: P sees X, i.e. P receives some message including X from someone.
P |∼ X: P once said X. That is, P sent a message containing X at some time, and P believed X at the time of sending.
(X, Y): The formula X or Y is one part of the formula (X, Y).
⟨X⟩_Y: The formula X combined with a secret parameter Y.
{X}_K: The formula X encrypted with the key K.
(X)_h: The formula X hashed.

P ↔(K) Q: P and Q use the shared key K to communicate, and K will never be discovered by any principal except P and Q.
(y)↦ P: P has a public key y; the server holds the inverse of y, denoted x.
SK: The session key used in the subsequent communication.

The freshness-conjuncatenation rule
    P |≡ #(X)
    -----------------
    P |≡ #(X, Y)
If the principal P believes that X is fresh, then the principal P believes in the freshness of (X, Y).
The freshness-introduction rule
    A creates a random x
    -----------------
    A |≡ #(x)
The belief rule
    P |≡ X, P |≡ Y
    -----------------
    P |≡ (X, Y)
If the principal P believes X and Y, then the principal P believes (X, Y).
The nonce-verification rule
    P |≡ #(X), P |≡ Q |∼ X
    -----------------
    P |≡ Q |≡ X
If the principal P believes that X is fresh and that the principal Q once sent X, then the principal P believes that Q believes X.
The message-meaning rule
    P |≡ P ↔(K) Q, P ◁ {X}_K
    -----------------
    P |≡ Q |∼ X
If the principal P believes that the secret key K is shared with the principal Q and P receives the message X encrypted with K, then P believes that the principal Q once sent the message X.
The jurisdiction rule
    P |≡ Q ⇒ X, P |≡ Q |≡ X
    -----------------
    P |≡ X
If the principal P believes that Q has jurisdiction over X and that Q believes X, then P believes that X is true.
Introduction of the session keys
    P |≡ #(K), P |≡ Q |≡ X
    -----------------
    P |≡ P ↔(K) Q
If the principal P believes that the session key K is fresh and that the principal Q believes X, where X is the necessary element for the key, then P believes that he/she shares the session key K with Q.
To apply BAN logic to prove an authentication scheme, the following processes should be performed:
1. Idealise the proposed scheme in the language of the formal logic.
2. Identify the assumptions about the initial state of the proposed scheme.
3. Use the productions and rules of the logic to deduce new predicates.
4. Use the logic to discover the beliefs held by the parties in the proposed scheme.
In BAN logic, the goals of our scheme can be presented as follows:
Goal 1: Ui |≡ Ui ↔(SK) Sj
Goal 2: Ui |≡ Sj |≡ Ui ↔(SK) Sj
Goal 3: Sj |≡ Ui ↔(SK) Sj
Goal 4: Sj |≡ Ui |≡ Ui ↔(SK) Sj
We divide these goals into two parts. Firstly, both entities themselves believe that the session key is privately used for communication between the user Ui and the server Sj. Secondly, both entities also believe that the other entity believes in the session key.
Next, we transform our proposed scheme into the idealised form as follows:
M1: Ui → Sj: Pij: ⟨Ti⟩_(h(y)||Ni||SIDj), CIDi: ⟨b, PWi, Ri⟩_(Ti), Qi: (Oi||Ni)_(Oi)
M2: Sj → Ui: Mij: (Oi||Ni||SIDj)_(Oi)
M3: Ui → Sj: Mij': (Oi||Nj||SIDj)_(Oi)
To further analyse the proposed scheme with BAN logic, we define the prerequisite assumptions as follows:
A1: Sj |≡ #(Ni)
A2: Sj |≡ #(Nj)
A3: Ui |≡ #(Ni)
A4: Ui |≡ #(Nj)
A5: Sj |≡ Sj ↔(h(y)) RC
A6: Ui |≡ Ui ↔(h(y)) RC
A7: Sj |≡ Sj ↔(h(x||y)) RC
A8: Ui |≡ Ui ↔(h(x||y)) RC
A9: Sj |≡ Ui ⇒ Ti, which means that Sj believes that the user Ui has complete control over Ti
A10: Ui |≡ (b, PWi, Ri)
A11: Sj |≡ Ui ⇒ (b, PWi, Ri)
A12: Ui |≡ SIDj
A13: Sj |≡ SIDj
Based on the aforementioned assumptions, the preliminary procedures of BAN logic are in place. The following presents the main steps of the proof.
The smart card first generates a random number Ni. According to the assumptions A1-A4, Sj and Ui believe Ni to be fresh. Then, the user Ui sends the message M1 to the server Sj.
M1: Ui → Sj: Pij: ⟨Ti⟩_(h(y)||Ni||SIDj), CIDi: ⟨b, PWi, Ri⟩_(Ti), Qi: (Oi||Ni)_(Oi)
S1. Sj ◁ Pij: ⟨Ti⟩_(h(y)||Ni||SIDj), CIDi: ⟨b, PWi, Ri⟩_(Ti), Qi: (Oi||Ni)_(Oi) // by the seeing rule
S2. Sj |≡ Ui |∼ Ti // by A5, S1 and the message-meaning rule
S3. Sj |≡ Ui |≡ Ti // by A1, S2, the freshness-conjuncatenation rule and the nonce-verification rule
S4. Sj |≡ Ti // by A9, S3 and the jurisdiction rule
S5. Sj |≡ (b, PWi, Ri) // by A10, A11, S4 and the jurisdiction rule
S6. Sj |≡ Oi // by A7, S5 and the belief rule
S7. Sj |≡ Ui |≡ Oi // by S1, S6, the freshness-conjuncatenation rule and the nonce-verification rule
After successful verification of the user's message, the server Sj sends the message M2 to the user Ui.
M2: Sj → Ui: Mij: (Oi||Ni||SIDj)_(Oi)
S8. Ui ◁ (Oi||Ni||SIDj)_(Oi) // by the seeing rule
S9. Ui |≡ Oi // by A8, A10 and the belief rule
S10. Ui |≡ Sj |∼ Oi // by S8, S9 and the message-meaning rule
S11. Ui |≡ Sj |≡ Oi // by S10, the freshness-conjuncatenation rule and the nonce-verification rule
S12. Ui |≡ Ui ↔(SK) Sj // by A3, A4, S11 and the introduction of the session keys
S13. Ui |≡ Sj |≡ Ui ↔(SK) Sj // by A3, A4, S11 and the nonce-verification rule
Based on the above, the smart card validates the message M2, and Goal 1 and Goal 2 are achieved. The user Ui then sends the message M3 to the server Sj.
M3: Ui → Sj: Mij': (Oi||Nj||SIDj)_(Oi)
S14. Sj ◁ (Oi||Nj||SIDj)_(Oi) // by the seeing rule
S15. Sj |≡ Ui |∼ Oi // by S6, S14 and the message-meaning rule
S16. Sj |≡ Ui |≡ Oi // by S15, the freshness-conjuncatenation rule and the nonce-verification rule
S17. Sj |≡ Ui ↔(SK) Sj // by A1, A2, S16 and the introduction of the session keys
S18. Sj |≡ Ui |≡ Ui ↔(SK) Sj // by A1, A2, S16 and the nonce-verification rule
Finally, Goals 3 and 4 are also achieved. We have thus shown that the proposed scheme provides mutual authentication and establishes a fresh session key between the user Ui and the service providing server Sj.

5.2

Security analysis

5.2.1 Replay attack: An attacker may intercept the


previous login messages transmitted by a legal user Ui and
try to pretend Ui to login to the server by sending the
intercepted messages. However, in each session of our
scheme, the user Ui and the server Sj generate different
random numbers Ni and Nj, respectively, for verication.
The random numbers, Ni and Nj, ensure that the
authentication messages are distinct among different
sessions and valid for that session only. Therefore an
attacker cannot launch a replay attack by repeating used
messages.
5.2.2 Masquerade attack: If an attacker wants to impersonate a legitimate user to login to the remote server, he/she has to forge a valid login request (CIDi, Pij, Qi and Ni) to deceive Sj. However, in our scheme, the attacker cannot compute CIDi = h(b ⊕ PWi ⊕ Ri) ⊕ h(Ti||Ai||Ni), Pij = Ti ⊕ h(h(y)||Ni||SIDj) and Qi = h(Oi||Ai||Ni) without knowing Ai, Bi, Ti and Ri.
In addition, even if the attacker steals the smart card of the user Ui and extracts the parameters (Zi, Vi, Bi, Hi, b, h() and h(y)) stored in the smart card by some methods, he/she cannot use the parameters (Zi, Vi, Bi, Hi, b, h() and h(y)) to compute the correct values of Ti, Ri and h(h(b ⊕ PWi ⊕ Ri)||h(x||y)) without the knowledge of the user's identity IDi, the user's password PWi and the secrets x, y, since they are all well protected by a one-way hashing function. Thus, the attacker cannot forge a valid login request (CIDi, Pij, Qi and Ni).

© The Institution of Engineering and Technology 2014
Context: A(SC, (Zi, Vi, Bi, Hi, b, h() and h(y))), which means that the adversary A has the smart card (SC) and knows the parameters (Zi, Vi, Bi, Hi, b, h() and h(y)).
Intention: REVEAL_A(Ti, Ri and h(h(b ⊕ PWi ⊕ Ri)||h(x||y))), which means that the adversary A wants to reveal the values of Ti, Ri and h(h(b ⊕ PWi ⊕ Ri)||h(x||y)).
Result: Succ_A = Pr(PW) · Pr(x) · Pr(y), which means that the adversary A's success probability of obtaining the values is equal to that of finding out the password PW, the master secret key x and the random number y at the same time. This is extremely infeasible.
It is obvious that the proposed scheme can resist an impersonation attack. Besides, the attacker cannot obtain any information about IDi from the transmitted information, since Ri substitutes for the real identity. Therefore the proposed scheme can protect against the denial of service attack.
5.2.3 Offline password guessing attack: If an attacker has intercepted the information CIDi, Pij, Qi and Ni and stolen the user Ui's smart card to obtain Zi, Vi, Bi and Hi, he/she may compute Pij ⊕ h(h(y)||Ni||SIDj) to obtain Ti, then obtain Ai by computing h(Ti||h(y)||Ni). Next, the attacker computes h(b ⊕ PWi ⊕ Ri) = CIDi ⊕ h(Ti||Ai||Ni). However, the attacker cannot guess PWi without knowing Ri. Even if the attacker wants to utilise Zi to find Ri, he/she cannot guess PWi and IDi at the same time.
Context: A(CIDi, Pij, Qi, Ni)
Intention: REVEAL_A(Ri)
Result: Succ_A = Pr(ID) · Pr(PW), which means that the adversary A's success probability of finding the value Ri is equal to that of guessing the identity ID and the password PW at one time. Also, it is very difficult to conduct the attack.
5.2.4 Server spoofing attack: If an attacker wants to launch a server spoofing attack, he/she has to compute Mij = h(Oi||Ni||Ai||SIDj) first. However, there is no way to find Oi since the attacker cannot compute h(b ⊕ PWi) ⊕ IDi ⊕ Bi without the knowledge of IDi and PWi, even if the attacker has extracted Bi from the user's smart card.
Context: A(SC, Bi)
Intention: REVEAL_A(Oi)
Result: Succ_A = Pr(ID) · Pr(PW), which means that the adversary A's success probability of obtaining the value Oi equals that of finding the identity ID and the password PW simultaneously. Also, it is impossible to implement the attack.

5.2.5 Leak-of-verifier attack: In the proposed scheme, neither the registration server nor the service providing servers store any verifier information, so even a malicious legitimate user cannot obtain any useful information from them, and cannot impersonate a legal user to login to the server either. Thus, the proposed scheme can resist the leak-of-verifier attack.
5.2.6 Stolen smart card attack: If the user Ui's smart card has been lost or stolen, an attacker obtains the lost smart card and can extract the information (Zi, Vi, Bi, Hi, b, h() and h(y)) from the smart card. Since x, y and Ri are unknown to the attacker, he/she cannot guess IDi and PWi from the breached information. Therefore the attacker cannot acquire or change the user's password. In addition, since he/she cannot compute Ai, Bi and Ti, he/she cannot launch an impersonation attack using the lost or stolen smart card. Therefore the stolen smart card attack cannot work on the proposed scheme.
5.2.7 User anonymity: In the registration phase, the user's identity is well protected by a secure communication channel between the user and the registration server. In the login phase of the proposed scheme, the user Ui transmits the dynamic identity CIDi = h(b ⊕ PWi ⊕ Ri) ⊕ h(Ti||Ai||Ni) as a substitute for the real identity IDi for its authentication to the service providing server Sj. When the user wants to login to the server, the dynamic CIDi is different for each session. Besides, instead of the real identity IDi, the substitute information Ri is used. Thus, the attacker cannot distinguish between different sessions corresponding to a certain user and cannot obtain any clue to the real identity. According to the above analysis, the proposed scheme can provide user anonymity.
5.2.8 Mutual authentication: In our scheme, when the user Ui wants to access the services, he/she transmits the login request to the service providing server Sj. Sj will accept the login request in Step V2, and then respond with the message Mij and Nj to Ui. On receiving Mij and Nj from Sj, Ui computes Mij′ = h(Bi||Ni||Ai||SIDj) and compares Mij′ with Mij to authenticate Sj. Then, the user responds with Mij″ to Sj in Step V3. Upon receiving the message Mij″, Sj computes h(Bi||Nj||Ai||SIDj) to authenticate Ui in Step V4. When Ui and Sj successfully authenticate each other, the session key SK = h(Bi||Ni||Nj||Ai||SIDj) will be computed to secure the subsequent communications. Therefore mutual authentication is achieved in the proposed scheme.
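The exchange of Section 5.2.8 together with the replay argument of Section 5.2.1, as an added worked example that is not the paper's own code: it assumes SHA-256 for h(), byte concatenation for ||, and treats Ai and Bi as values both parties already hold once the login request is accepted, since their derivation is not given in this excerpt.

```python
import hashlib
import secrets

# Added example (not the paper's code): the mutual authentication and session-key
# steps of Section 5.2.8, using the page's formulas
#   Mij   = h(Bi||Ni||Ai||SIDj)       Sj -> Ui (Step V2)
#   Mij'' = h(Bi||Nj||Ai||SIDj)       Ui -> Sj (Step V3)
#   SK    = h(Bi||Ni||Nj||Ai||SIDj)
# Assumptions: h is SHA-256, '||' is byte concatenation, and Ai, Bi are the
# per-user values both parties hold once the login request is accepted.

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def server_respond(Ai, Bi, SIDj, Ni):
    """Step V2: Sj draws a fresh nonce Nj and answers with (Mij, Nj)."""
    Nj = secrets.token_bytes(16)
    return h(Bi, Ni, Ai, SIDj), Nj

def user_verify_and_reply(Ai, Bi, SIDj, Ni, Mij, Nj):
    """Step V3: Ui recomputes Mij' and, only on a match, returns (Mij'', SK)."""
    if not secrets.compare_digest(h(Bi, Ni, Ai, SIDj), Mij):
        return None  # Sj failed to authenticate
    return h(Bi, Nj, Ai, SIDj), h(Bi, Ni, Nj, Ai, SIDj)

def server_verify(Ai, Bi, SIDj, Ni, Nj, reply):
    """Step V4: Sj checks Mij'' and returns SK, or None on failure."""
    if not secrets.compare_digest(h(Bi, Nj, Ai, SIDj), reply):
        return None
    return h(Bi, Ni, Nj, Ai, SIDj)

def run_session(Ai, Bi, SIDj, Ni, replayed_reply=None):
    """One login run; optionally hand Sj a reply captured in an earlier session."""
    Mij, Nj = server_respond(Ai, Bi, SIDj, Ni)
    reply, sk_user = user_verify_and_reply(Ai, Bi, SIDj, Ni, Mij, Nj)
    sk_server = server_verify(Ai, Bi, SIDj, Ni, Nj, replayed_reply or reply)
    return reply, sk_user, sk_server

def demo():
    """Honest run agrees on SK; a replayed reply fails because Nj is fresh (Section 5.2.1)."""
    Ai, Bi, SIDj = h(b"demo-Ai"), h(b"demo-Bi"), b"S1"  # constructed values
    Ni = secrets.token_bytes(16)
    reply1, sk_u1, sk_s1 = run_session(Ai, Bi, SIDj, Ni)
    _, sk_u2, sk_s2 = run_session(Ai, Bi, SIDj, Ni, replayed_reply=reply1)
    return {"honest_ok": sk_u1 == sk_s1,
            "replay_rejected": sk_s2 is None,
            "keys_differ_per_session": sk_u1 != sk_u2}
```

The second run deliberately reuses the same Ni so that the fresh server nonce Nj alone is what rejects the replayed reply and separates the two session keys.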

6 Performance analysis of the proposed scheme
An efficient authentication scheme must take the computation cost into consideration. In this section, we compare the improved scheme with the related ones in terms of the computation costs and summarise the performance comparison in Table 3. Since the two phases, the login phase and the verification phase, are the main body of an authentication scheme, we mainly focus on these two phases. The notation Thash denotes the time complexity of the hashing function. Since the exclusive-OR operation requires very little computation, its cost is usually neglected.
In the login phase of our improved scheme, it only needs two more hashing operations than Liao-Wang's scheme and one more hashing operation than Lee et al.'s, Sood et al.'s and Hsiang-Shih's. In the verification phase, our improved scheme requires the same number of hashing operations as Liao-Wang's, which is much less than the others. Obviously, our improved scheme does not need the registration server to participate in the verification phase; thus, the total computational cost of the improved scheme only requires 17 hashing operations, which is almost equal to Lee et al.'s and Liao-Wang's schemes. That is, our improved scheme is one of the most efficient schemes. In addition, in comparison with the security features, our scheme can resist all the attacks presented in Table 2, while Lee et al.'s and Liao-Wang's cannot. Therefore our scheme is more secure and efficient than the previous schemes.

Table 3 Performance analysis of our proposed scheme

Scheme             Login phase    Verification phase    Total
Lee et al.         7Thash         8Thash                15Thash
Sood et al.        7Thash         18Thash               25Thash
Hsiang and Shih    7Thash         17Thash               20Thash
Liao and Wang      6Thash         9Thash                15Thash
proposed scheme    8Thash         9Thash                17Thash

Conclusion

In recent years, many studies have tried to propose a secure and efficient dynamic identity-based authentication scheme. Nevertheless, most of the proposed schemes were found to be insecure and improved schemes were proposed later. After studying the recent improved schemes, we proposed a more secure and efficient scheme in this paper. Our proposed scheme can satisfy all the security features needed for achieving secure password authentication in multi-server environments, as compared with the previously proposed schemes. We presented a cryptanalysis of the recently proposed Lee et al.'s scheme and showed that their scheme is vulnerable to the impersonation attack, password guessing attack and the server spoofing attack. We have specified and analysed the proposed dynamic identity-based remote user authentication scheme for multi-server architecture using smart cards, which is very effective in thwarting various attacks. In addition, in comparison with the previously proposed schemes, our improved scheme uses few hashing operations in its implementation. Security and performance analysis prove that the proposed scheme is more secure and practical. In future work, we will survey possible solutions to further reduce the communication cost and improve the performance of our scheme.

References

1 Lamport, L.: Password authentication with insecure communication, Commun. ACM, 1981, 24, (11), pp. 770-772
2 Hwang, M.-S., Li, L.-H.: A new remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 2000, 46, (1), pp. 28-30
3 ElGamal, T.A.: Public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory, 1985, 32, (4), pp. 469-472
4 Hwang, T., Ku, W.C.: Reparable key distribution schemes for Internet environments, IEEE Trans. Consum. Electron., 1995, 43, (5), pp. 1947-1949
5 Sun, H.M.: An efficient remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 2000, 46, (4), pp. 958-961
6 Shen, J.J., Lin, C.W., Hwang, M.S.: A modified remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 2003, 49, (2), pp. 414-416
7 Awasthi, A.K., Lal, S.: An enhanced remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 2004, 50, (2), pp. 583-586
8 Chang, C., Hwang, K.F.: Some forgery attacks on a remote user authentication scheme using smart cards, Informatica, 2003, 14, (3), pp. 289-294
9 Das, M.L., Saxena, A., Gulati, V.P.: A dynamic ID-based remote user authentication scheme, IEEE Trans. Consum. Electron., 2004, 50, (2), pp. 629-631
10 Ku, W.C., Chang, S.T.: Impersonation attack on a dynamic ID-based remote user authentication scheme using smart cards, IEICE Trans. Commun., 2005, 5, pp. 2165-2167
11 Hwang, M.S., Lee, C.C., Tang, Y.L.: A simple remote user authentication scheme, Math. Comput. Model., 2002, 36, (12), pp. 103-107
12 Ku, W.C., Chen, S.M.: Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 2004, 50, (1), pp. 204-207
13 Lee, C., Hwang, M.S., Yang, W.P.: A flexible remote user authentication scheme using smart cards, ACM Oper. Syst. Rev., 2002, 36, (3), pp. 46-52
14 Juang, W.S., Chen, S.T., Liaw, H.T.: Robust and efficient password-authenticated key agreement using smart cards, IEEE Trans. Ind. Electron., 2008, 55, (6), pp. 2551-2556
15 Sun, D.-Z., Huai, J.-P., Sun, J.-Z., et al.: Improvements of Juang's password-authenticated key agreement scheme using smart cards, IEEE Trans. Ind. Electron., 2009, 56, (6), pp. 2284-2291
16 Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards, IEEE Trans. Ind. Electron., 2010, 57, (2), pp. 793-800
17 Lee, W.B., Chang, C.C.: User identification and key distribution maintaining anonymity for distributed computer network, Comput. Syst. Sci., 2000, 15, (4), pp. 211-214
18 Tsaur, W.J., Wu, C.C., Lee, W.B.: A flexible user authentication for multi-server internet services. Networking-JCN2001, LNCS, Springer-Verlag, 2001, vol. 2093, pp. 174-183
19 Li, L., Lin, I., Hwang, M.: A remote password authentication scheme for multi-server architecture using neural networks, IEEE Trans. Neural Netw., 2001, 12, (6), pp. 1498-1504
20 Lin, C., Hwang, M.S., Li, L.H.: A new remote user authentication scheme for multiserver architecture, Future Gener. Comput. Syst., 2003, 1, (19), pp. 13-22
21 Tsaur, W.J.: An enhanced user authentication scheme for multi-server internet services, Appl. Math. Comput., 2005, 170, pp. 258-266
22 Wu, T.S., Hsu, C.L.: Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks, Comput. Secur., 2004, 23, pp. 120-125
23 Yang, Y., Wang, S., Bao, F., Wang, J., Deng, R.: New efficient user identification and key distribution scheme providing enhanced security, Comput. Secur., 2004, 23, (8), pp. 697-704
24 Juang, W.S.: Efficient multi-server password authenticated key agreement using smart cards, IEEE Trans. Consum. Electron., 2004, 50, (1), pp. 251-255
25 Chang, C., Lee, J.S.: An efficient and secure multi-server password authentication scheme using smart cards. IEEE Proc. Int. Conf. Cyberworlds, 2004
26 Tsai, J.: Efficient multi-server authentication scheme based on one-way hash function without verification table, Comput. Secur., 2008, 27, (4), pp. 115-121
27 Liao, Y.-P., Wang, S.-S.: A secure dynamic ID based remote user authentication scheme for multi-server environment, Comput. Stand. Interfaces, 2009, 31, (1), pp. 24-29
28 Hsiang, H.-C., Shih, W.-K.: Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, Comput. Stand. Interfaces, 2009, 31, (6), pp. 1118-1123
29 Lee, C.-C., Lin, T.-H., Chang, R.-X.: A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards, Expert Syst. Appl., 2011, 38, (11), pp. 13863-13870
30 Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. Proc. Advances in Cryptology (Crypto'99), Santa Barbara, USA, 1999, pp. 388-397
31 Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart card security under the threat of power analysis attacks, IEEE Trans. Comput., 2002, 51, (5), pp. 541-552
32 Burrows, M., Abadi, M., Needham, R.: A logic of authentication, ACM Trans. Comput. Syst., 1990, 8, (1), pp. 18-36
33 Tsai, J.-L., Wu, T.-C., Tsai, K.-Y.: New dynamic ID authentication scheme using smart cards, Int. J. Commun. Syst., 2010, 23, pp. 1449-1462
34 Heljanko, H.: Can finite-state system verification methods help cryptographic protocol analysis? (Helsinki University of Technology, Helsinki, 1998)
35 Schneier, B.: Applied cryptography: protocols, algorithms, and source code in C (John Wiley & Sons, Inc., 1994)
36 CCITT, Draft Recommendation X.509: The Directory-Authentication Framework. Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1987
37 Anderson, R.J.: A second generation electronic wallet. Proc. Second European Symp. on Research in Computer Security (ESORICS 92), 1992, pp. 411-418
38 Aziz, A., Diffie, W.: Privacy and authentication for wireless local area networks, IEEE Personal Commun., 1994, 1, (1), pp. 25-31
39 Neuman, B.C., Stubblebine, S.: A note on the use of timestamps as nonces, Oper. Syst. Rev., 1993, 27, (2), pp. 10-14