Remote authentication for a multi-server environment lets users register only once and then conveniently access arbitrary services within the same registry realm. However, most existing solutions are plagued by security problems. In this paper, we point out that ‘a novel smart card and dynamic ID based remote user authentication scheme for multi-server environment’ is vulnerable to a user impersonation attack and a server masquerade attack, and cannot achieve forward secrecy. Therefore, by introducing biometrics as the third authentication factor, we devise an enhanced three-factor remote authentication scheme with key agreement for the multi-server environment. In our design, we combine the techniques of Client Puzzle, Fuzzy Extractor, message authentication code (MAC) and Diffie-Hellman key exchange. Moreover, our proposal not only retains the advantages of the original scheme, but also preserves user privacy through an optional access mode. Meanwhile, it can also be reduced to a two-factor scheme with fewer security properties for specific applications. Finally, the proposed scheme is proved to work correctly using BAN logic, and the security analysis and performance cost are discussed to show that our proposal is more secure, robust and practical.

