Design of a secure mutually authenticated key-agreement protocol for multi-server architecture
Abstract: Authentication with key-agreement protocols for multi-server architecture are emerging as a solution to conquer the traditional client-server architecture's limitations such as repeated registrations with distinct tokens and credentials. Since Li et al.'s first proposed authentication protocol for multi-server architecture, several liken protocols have tailed this queue. Majority of these protocols have been designed while the users sharing their plain or digested credentials with the servers during either registration or authentication phases. This weakens the security by making it vulnerable to severe security threats called privileged insider attacks, user impersonation attacks and server impersonation attacks. To overcome the aforementioned problems, this paper put forwards an authentication with key-agreement protocol for multi-server architecture based on biometrics. The proposed protocol is absolutely light-weight due to its design mainly based on one-way hash function. The analysis section of this paper shows that the proposed protocol performs better than related protocols and makes it suitable for practical applications.
Key words: Authentication, key-agreement, protocol, multi-server, three-factor, security, performance.
The vast expansion of internet and ubiquitous computing technologies have necessitated the authentication of every remote user. Cryptographic authentication is a secure practice of transferring credentials to determine someone, in fact, who they are proclaimed to be and providing authorization to access the services subsequently. Typical authentication can be obtained in distinctive ways namely knowledge factors (passwords), possession factors (tokens) and inherence factors (biometrics) are some well-known methods. Several authors designed authentication protocols for multi-server environment using either two of the above factors or all the three factors -. This paper discusses the recently proposed three-factor authentication protocols under the hypothesis of biometrics are more robust than passwords and smartcards.
Related works: In 2010, Yang et al.  introduced a biometric password-based multi-server authentication protocol with smartcards. Their protocol requires lots of computations and is prone to insider attacks. In 2011, Yoon et al.  put forward a three-factor authentication protocol for multi-server architecture based on elliptic curve cryptography. Later on, He in 2011  & Kim et al.  in 2012 proved that Yoon et al.'s protocol cannot resist masquerade attacks, insider attacks, stolen smartcard attacks and off-line password guessing attacks. Kim et al.  further proposed a biometric based authentication protocol for multi-server protocol, which was found to be lacking user anonymity and correctness in the login and password changing phases. In 2014, Chuang et al.  proposed an anonymous three-factor multi-server authenticated key agreement protocol Their protocol is constructed mainly on one-way hash function which makes it suitable for real time applications. Unfortunately, Mishra et al.  in 2014 & Lin et al.  in 2015 pointed out several weaknesses of Chuang et al.'s protocol such as lack of user anonymity, susceptible to server spoofing attacks, stolen smartcard attacks, user impersonation attacks, denial-of-service attacks and session-key compromise. Then they proposed an improved protocols over Chuang et al.'s protocol However, Lu et al.  in 2015 & Wang et al.  in 2016 stated that Mishra et al.'s protocol is exposed to user and...